From 8b7e1be6945d935863b0c36ad7b7c29594afce9e Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Thu, 3 Apr 2025 20:59:04 +0200
Subject: [PATCH] Maintain backwards compatible order of SAN

Maintain previous order in X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL). Tested for in Python osp port (test_ssl.py:test_parse_all_sans).
---
 src/x509.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c
index 2a79e39a3..a063f5899 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -2359,7 +2359,11 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
                     }
 
                     dns = dns->next;
-                    if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) <= 0) {
+                    /* Using wolfSSL_sk_insert to maintain backwards
+                     * compatiblity with earlier versions of _push API that
+                     * pushed items to the start of the list instead of the
+                     * end. */
+                    if (wolfSSL_sk_insert(sk, gn, 0) <= 0) {
                         WOLFSSL_MSG("Error pushing ASN1 object onto stack");
                         goto err;
                     }