Commit
lib: fix custom exts for CSR w/o SANs.
Previously when writing CSR DER from `CertificateParams` that specified
custom extensions, but did not specify any SANs, the serialization code
would skip over writing the PKCS9 extension request attribute.

This commit updates the serialization logic to ensure the attribute is
written when either SANs are provided, or custom extensions are present.

Prior to this update, the modified `test_x509_custom_ext` test fails,
reproducing the problem reported in the issue tracker:

```
'test_x509_custom_ext::custom_ext' panicked at 'missing requested extensions'
```

With the update, it passes again.
cpu committed Sep 11, 2023
1 parent 4a47e30 commit 6cdcd7b
Showing 2 changed files with 4 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/lib.rs
@@ -911,7 +911,7 @@ impl CertificateParams {
// Write extensions
// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
writer.next().write_tagged(Tag::context(0), |writer| {
if !subject_alt_names.is_empty() {
if !subject_alt_names.is_empty() || !custom_extensions.is_empty() {
writer.write_sequence(|writer| {
let oid = ObjectIdentifier::from_slice(OID_PKCS_9_AT_EXTENSION_REQUEST);
writer.next().write_oid(&oid);
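Review bot: the guard on the extensionRequest attribute now hard-codes the two inputs that feed extensions in this block (`subject_alt_names` and `custom_extensions`); any further extension source added to this closure later would have to be added to the condition as well, or the attribute would silently be dropped again exactly as in the reported bug. Consider computing a single `has_extensions` value (or building the extension list first and checking it for emptiness) so the condition and the body cannot drift apart. The surrounding `write_tagged(Tag::context(0), ...)` still emits the attributes tag unconditionally, which is what the RFC 2986 comment above requires, so that part is fine.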
3 changes: 3 additions & 0 deletions tests/generic.rs
@@ -111,6 +111,9 @@ mod test_x509_custom_ext {
// Generate a certificate with the custom extension, parse it with x509-parser.
let mut params = util::default_params();
params.custom_extensions = vec![custom_ext];
// Ensure the custom exts. being omitted into a CSR doesn't require SAN ext being present.
// See https://github.com/rustls/rcgen/issues/122
params.subject_alt_names = Vec::default();
let test_cert = Certificate::from_params(params).unwrap();
let test_cert_der = test_cert.serialize_der().unwrap();
let (_, x509_test_cert) = X509Certificate::from_der(&test_cert_der).unwrap();
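Review bot: clearing `params.subject_alt_names` means this test now only exercises the `custom_extensions`-but-no-SANs branch of the new `||`; the previous SAN-plus-custom-extension combination is no longer covered. Suggest keeping the default SANs in one case and adding a second case with `params.subject_alt_names = Vec::default();`, so a regression in either arm of the condition is caught. Also, the comment reads "custom exts. being omitted into a CSR" where "emitted" is meant, and the visible context only serializes the certificate (`serialize_der`), so the assertion on the CSR's requested extensions that the commit message describes must be further down in this test; it would help readers to say so in the comment.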

0 comments on commit 6cdcd7b