[fix] request attributes internal reset

Author: kares

src/main/java/org/jruby/ext/openssl/impl/PKCS10Request.java

@@ -49,6 +49,7 @@
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1Set;
 import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.DERSet;
 import org.bouncycastle.asn1.DLSequence;
 import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
@@ -119,12 +120,17 @@ private void resetSignedRequest() {
         if ( signedRequest == null ) return;
 
         CertificationRequest req = signedRequest.toASN1Structure();
-        CertificationRequestInfo reqInfo = new CertificationRequestInfo(subject, publicKeyInfo, req.getCertificationRequestInfo().getAttributes());
+        CertificationRequestInfo reqInfo = new CertificationRequestInfo(subject, publicKeyInfo, toAttributesSet());
         ASN1Sequence seq = (ASN1Sequence) req.toASN1Primitive();
         req = new CertificationRequest(reqInfo, (AlgorithmIdentifier) seq.getObjectAt(1), (DERBitString) seq.getObjectAt(2));
         signedRequest = new PKCS10CertificationRequest(req); // valid = true;
     }
 
+    private ASN1Set toAttributesSet() {
+        if ( attributes == null || attributes.isEmpty() ) return null;
+        return new DERSet( attributes.toArray(new Attribute[ attributes.size() ]) );
+    }
+
     // sign
 
     public PKCS10CertificationRequest sign(final PrivateKey privateKey, final AlgorithmIdentifier signatureAlg)
@@ -279,12 +285,12 @@ else if ( keyParams instanceof ECPublicKeyParameters ) {
     }
 
     public Attribute[] getAttributes() {
-        return signedRequest != null ? signedRequest.getAttributes() :
-                    attributes.toArray(new Attribute[ attributes.size() ]);
+        return attributes.toArray(new Attribute[ attributes.size() ]);
     }
 
     public void setAttributes(final List<Attribute> attrs) {
         this.attributes = attrs;
+        resetSignedRequest();
     }
 
     private void setAttributes(final ASN1Set attrs) {
@@ -297,6 +303,7 @@ private void setAttributes(final ASN1Set attrs) {
 
     public void addAttribute(final Attribute attribute) {
         this.attributes.add( attribute );
+        resetSignedRequest();
     }
 
     public BigInteger getVersion() {

src/test/ruby/x509/test_x509req.rb

@@ -109,6 +109,51 @@ def test_version
     assert_equal 1, req.version
   end
 
+  def create_ext_req(exts)
+    ef = OpenSSL::X509::ExtensionFactory.new
+    exts = exts.collect { |e| ef.create_extension(*e) }
+    OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
+  end
+
+  def get_ext_req(ext_req_value)
+    set = OpenSSL::ASN1.decode(ext_req_value)
+    seq = set.value[0]
+    seq.value.collect { |asn1ext| OpenSSL::X509::Extension.new(asn1ext).to_a }
+  end
+
+  def test_attr; setup!
+    exts = [
+      ['keyUsage', 'Digital Signature, Key Encipherment', true],
+      ['subjectAltName', 'email:gotoyuzo@ruby-lang.org', false],
+    ]
+    attrval = create_ext_req(exts)
+    attrs = [
+      OpenSSL::X509::Attribute.new('extReq', attrval),
+      OpenSSL::X509::Attribute.new('msExtReq', attrval),
+    ]
+
+    req0 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+    attrs.each { |attr| req0.add_attribute(attr) }
+    req1 = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
+    req1.attributes = attrs
+    assert_equal req0.to_der, req1.to_der
+
+    attrs = req0.attributes
+    assert_equal 2, attrs.size
+    assert_equal 'extReq', attrs[0].oid
+    assert_equal 'msExtReq', attrs[1].oid
+    assert_equal exts, get_ext_req(attrs[0].value)
+    assert_equal exts, get_ext_req(attrs[1].value)
+
+    req = OpenSSL::X509::Request.new(req0.to_der)
+    attrs = req.attributes
+    assert_equal 2, attrs.size
+    assert_equal 'extReq', attrs[0].oid
+    assert_equal 'msExtReq', attrs[1].oid
+    assert_equal exts, get_ext_req(attrs[0].value)
+    assert_equal exts, get_ext_req(attrs[1].value)
+  end
+
   def test_dup; setup!
     req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     assert_equal req.to_der, req.dup.to_der