From 144147d854eafffecf317d934bcb3bd624a5e1b8 Mon Sep 17 00:00:00 2001
From: zzz
Date: Thu, 15 Mar 2018 15:58:40 +0000
Subject: [PATCH] Certs: Sort alt names in generated certs
---
 core/java/src/net/i2p/crypto/SelfSignedGenerator.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/core/java/src/net/i2p/crypto/SelfSignedGenerator.java b/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
index 47982ae71..1f7e8b37b 100644
--- a/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
+++ b/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
@@ -23,6 +23,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TimeZone;
+import java.util.TreeSet;
 import javax.crypto.interfaces.DHPublicKey;
 import javax.crypto.spec.DHParameterSpec;
@@ -617,10 +618,14 @@ public final class SelfSignedGenerator {
 int ext3len = oid3.length + TRUE.length + spaceFor(wrap3len);
 int wrap41len = 0;
- if (altNames == null)
- altNames = new HashSet(4);
- else
+ // SEQUENCE doesn't have to be sorted, but let's do it for consistency,
+ // so it's platform-independent and the same after renewal
+ if (altNames == null) {
+ altNames = new TreeSet();
+ } else {
+ altNames = new TreeSet(altNames);
 altNames.remove("0:0:0:0:0:0:0:1"); // We don't want dup of "::1"
+ }
 altNames.add(cname);
 final boolean isCA = !cname.contains("@") && !cname.endsWith(".family.i2p.net");
 if (isCA) {
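Review bot: In the second hunk, `new TreeSet(altNames)` is a raw type and, unlike the `HashSet` it replaces, does not accept a null element, so a caller-supplied set that contains null now throws a NullPointerException at the copy. Assuming `altNames` is declared as a `Set<String>` (the declaration is outside the hunk), `altNames = new TreeSet<String>(altNames);` and `altNames = new TreeSet<String>();` keep the compiler checking the element type. The copy also means the `remove` and `add` calls no longer modify the caller's set, which the new comment could state, for example `// copy: sorted, and leaves the caller's set untouched`. The enclosing method starts and ends outside the hunk.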