Signed certificates missing SAN names from CSR

[yonah-codefresh]

Hi,

I've generated a CSR with r509 which includes several ip addresses as SAN names.
When I use r509 to sign the CSR with our CA cert, I get a certificate but the SAN names are missing. I have no idea why :?

Here is the code:

csr=R509::CSR.load_from_file(ARGF)
cert_pem = File.read("ca.pem")
key_pem = File.read("ca-key.pem")
cert = R509::Cert.new(
  :cert => cert_pem
  :key => key_pem,
  :password => "passphrase"
)
config = R509::Config::CAConfig.new(
  :ca_cert => cert
)
ca = R509::CertificateAuthority::Signer.new(config)
ext = []
ext << R509::Cert::Extensions::BasicConstraints.new(:ca => false)
cert = ca.sign(
  :csr => csr,
  :extensions => ext
)

[yonah-codefresh]

Managed to fix this as follows:

ext = []
ext << R509::Cert::Extensions::BasicConstraints.new(:ca => false)
ext << R509::Cert::Extensions::SubjectAlternativeName.new(:value => csr.san)
cert = ca.sign(
  :csr => csr,
  :extensions => ext
)

It seems counter-intuitive to need to pull information manually out of the csr when signing the same csr. Is this expected behavior?

[reaperhulk]

For security reasons the signer requires you to pass the set of extensions you want to sign as an argument. All extensions in the CSR are dropped if you don't explicitly copy them. Maybe we should document that more clearly?