Fix: Don't forget to write EKUs in CSRs

rustls · Nov 9, 2024 · 2d924af · 2d924af
1 parent cafc9fd
commit 2d924af
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -546,6 +546,12 @@ impl CertificateParams {
 			return Err(Error::UnsupportedInCsr);
 		}
 
+		// Whether or not to write an extension request attribute
+		let write_extension_request = !key_usages.is_empty()
+			|| !subject_alt_names.is_empty()
+			|| !extended_key_usages.is_empty()
+			|| !custom_extensions.is_empty();
+
 		let der = subject_key.sign_der(|writer| {
 			// Write version
 			writer.next().write_u8(0);
@@ -556,10 +562,7 @@ impl CertificateParams {
 			// Write extensions
 			// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
 			writer.next().write_tagged(Tag::context(0), |writer| {
-				if !key_usages.is_empty()
-					|| !subject_alt_names.is_empty()
-					|| !custom_extensions.is_empty()
-				{
+				if write_extension_request {
 					writer.write_sequence(|writer| {
 						let oid = ObjectIdentifier::from_slice(oid::PKCS_9_AT_EXTENSION_REQUEST);
 						writer.next().write_oid(&oid);

diff --git a/rcgen/tests/generic.rs b/rcgen/tests/generic.rs
@@ -360,7 +360,7 @@ mod test_parse_other_name_alt_name {
 
 #[cfg(feature = "x509-parser")]
 mod test_csr_extension_request {
-	use rcgen::{CertificateParams, KeyPair, KeyUsagePurpose};
+	use rcgen::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose};
 	use x509_parser::prelude::{FromDer, ParsedExtension};
 
 	#[test]
@@ -379,6 +379,27 @@ mod test_csr_extension_request {
 				assert!(!(matches!(requested_ext, ParsedExtension::SubjectAlternativeName(_))));
 			});
 	}
+
+	#[test]
+	fn write_extension_request_if_ekus_are_present() {
+		let mut params = CertificateParams::default();
+		params
+			.extended_key_usages
+			.push(ExtendedKeyUsagePurpose::ClientAuth);
+		let key_pair = KeyPair::generate().unwrap();
+		let csr = params.serialize_request(&key_pair).unwrap();
+		let (_, parsed_csr) =
+			x509_parser::certification_request::X509CertificationRequest::from_der(csr.der())
+				.unwrap();
+		let requested_extensions = parsed_csr
+			.requested_extensions()
+			.unwrap()
+			.collect::<Vec<_>>();
+		assert!(matches!(
+			requested_extensions.first().unwrap(),
+			ParsedExtension::ExtendedKeyUsage(_)
+		));
+	}
 }
 
 #[cfg(feature = "x509-parser")]