X509ExtensionFactory generates incorrect extension for subjectAltName #4617

Closed
roadrunner2 opened this issue May 20, 2017 · 1 comment

@roadrunner2

Environment

JRuby 9.1.9

Expected Behavior

require "openssl"

# Build a subjectAltName extension with two names and dump its DER encoding
extensions = OpenSSL::X509::ExtensionFactory.new
ext = extensions.create_extension("subjectAltName", "email:[email protected],DNS:a.b.com")
File.open("/tmp/san.ext", "wb") { |f| f.print(ext.to_der) }

The DER of this extension should look like (and does so under MRI)

   0 30   31: SEQUENCE {
   2 06    3:   OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   7 04   24:   OCTET STRING, encapsulates {
   9 30   22:       SEQUENCE {
  11 81   11:         [1] '[email protected]'
  24 82    7:         [2] 'a.b.com'
            :         }
            :       }
            :   }

Actual Behaviour

But the actual DER of the created extension is

   0 30   32: SEQUENCE {
   2 06    3:   OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   7 04   25:   OCTET STRING, encapsulates {
   9 81   23:       [1] '[email protected],DNS:a.b.com'
            :       }
            :   }

(note the missing sequence, and the fact that both values are in one string)

The core issue is that X509ExtensionFactory.parseSubjectAltName() returns a GeneralName instead of a GeneralNames (sequence of GeneralName), and also fails to parse multiple names properly.

Due to the missing sequence, it's currently completely impossible to generate a (valid) certificate with a subject-alt-name extension.
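
A regression check for the encoding described above, as an added example that is not part of the original issue or of either project's code: it decodes an extension's DER with OpenSSL::ASN1 and rejects a subjectAltName whose extnValue is not a SEQUENCE of context-tagged GeneralName entries. The address user@example.com, the helper names and the hand-built malformed sample are constructed for illustration.

```ruby
require "openssl"

SAN_OID = "2.5.29.17"
# Context tags of the common GeneralName choices (RFC 5280, section 4.2.1.6)
GENERAL_NAME_TAGS = { 1 => "email", 2 => "DNS", 6 => "URI", 7 => "IP" }.freeze

# Return the SAN entries as [type, value] pairs, or raise ArgumentError when
# the extnValue is not a GeneralNames SEQUENCE (the malformed shape above).
def san_entries(ext_der)
  oid, *_, octets = OpenSSL::ASN1.decode(ext_der).value
  unless oid.is_a?(OpenSSL::ASN1::ObjectId) && oid.oid == SAN_OID
    raise ArgumentError, "not a subjectAltName extension"
  end
  inner = OpenSSL::ASN1.decode(octets.value)
  unless inner.is_a?(OpenSSL::ASN1::Sequence)
    raise ArgumentError, "extnValue is not a GeneralNames SEQUENCE"
  end
  inner.value.map do |gn|
    unless gn.tag_class == :CONTEXT_SPECIFIC
      raise ArgumentError, "GeneralName entry is not context-tagged"
    end
    [GENERAL_NAME_TAGS.fetch(gn.tag, "[#{gn.tag}]"), gn.value]
  end
end

# Extension as produced by the runtime under test (constructed sample names).
def factory_san_der(value)
  OpenSSL::X509::ExtensionFactory.new.create_extension("subjectAltName", value).to_der
end

# Hand-built copy of the malformed shape: a bare [1] GeneralName holding the
# whole unparsed string, with no enclosing SEQUENCE (constructed sample).
def malformed_san_der(raw)
  bare = OpenSSL::ASN1::ASN1Data.new(raw, 1, :CONTEXT_SPECIFIC)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(SAN_OID),
    OpenSSL::ASN1::OctetString.new(bare.to_der)
  ]).to_der
end

if __FILE__ == $0
  p san_entries(factory_san_der("email:user@example.com,DNS:a.b.com"))
  begin
    san_entries(malformed_san_der("user@example.com,DNS:a.b.com"))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the same `san_entries(factory_san_der(...))` call on the runtime being tested shows whether its ExtensionFactory emits the GeneralNames wrapper.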

@roadrunner2
Author

Apologies, it appears this code is actually part of the jruby-openssl project - opened ticket jruby/jruby-openssl#134 there instead.

@enebo enebo added this to the Invalid or Duplicate milestone May 25, 2017