From a22e1eb55722ecd78d206a7a00a0f1408e796470 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Thu, 13 Apr 2017 15:12:56 +0000
Subject: [PATCH] Fix server certificate extensions for StrongSwan
---
 certidude/signer.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/certidude/signer.py b/certidude/signer.py
index cd8f479..65cd653 100644
--- a/certidude/signer.py
+++ b/certidude/signer.py
@@ -79,7 +79,7 @@ class SignHandler(asynchat.async_chat):
 extended_key_usage_flags.append(
 # OpenVPN client
 ExtendedKeyUsageOID.CLIENT_AUTH)
-cert = x509.CertificateBuilder(
+builder = x509.CertificateBuilder(
 ).subject_name(
 x509.Name([common_name])
 ).serial_number(random.randint(
@@ -145,7 +145,18 @@ class SignHandler(asynchat.async_chat):
 x509.AuthorityKeyIdentifier.from_issuer_public_key(
 self.server.certificate.public_key()),
 critical=False
-).sign(self.server.private_key, hashes.SHA512(), default_backend())
+)
+
+# OpenVPN uses CN while StrongSwan uses SAN
+if server_flags:
+builder = builder.add_extension(
+x509.SubjectAlternativeName(
+[x509.DNSName(common_name.value)]
+),
+critical=False
+)
+
+cert = builder.sign(self.server.private_key, hashes.SHA512(), default_backend())
 self.send(cert.public_bytes(serialization.Encoding.PEM))
 else:
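Review bot: The certificate serial is still taken from `random.randint(` on the last context line of this hunk, and `random` is the Mersenne Twister rather than a CSPRNG, so serials issued by this CA are predictable; depending on the range passed (the call's arguments continue past the hunk) they may also fall short of the 64 bits of unpredictable output that public-CA guidance expects, which matters because unpredictable serials are the usual defence against collision-based certificate forgery. Since the chain is being split into a `builder` variable here anyway, this is a convenient moment to change the line to `).serial_number(x509.random_serial_number())` if the installed `cryptography` provides it, or otherwise to `).serial_number(int.from_bytes(os.urandom(20), "big") >> 1)` with `os` imported at file level. The `random` import itself is outside the hunk and may have other users, so I would leave it in place. The enclosing method and the builder chain both start before this hunk and continue into the next one.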