ext: implement invalidity date extension

This commit lifts the CRL entry invalidity date extension into the `ext` module.

There are no longer any references to the lib.rs `write_x509_extension`
helper, so it is also removed.

src/crl.rs

@@ -5,9 +5,8 @@ use yasna::DERWriter;
 use yasna::Tag;
 
 use crate::ext::Extensions;
-use crate::oid::*;
 use crate::{ext, ENCODE_CONFIG};
-use crate::{write_distinguished_name, write_dt_utc_or_generalized, write_x509_extension};
+use crate::{write_distinguished_name, write_dt_utc_or_generalized};
 use crate::{
 	Certificate, KeyIdMethod, KeyUsagePurpose, RcgenError, SerialNumber, SignatureAlgorithm,
 };
@@ -365,18 +364,6 @@ impl RevokedCertParams {
 					for ext in self.extensions().iter() {
 						ext.write_der(writer.next());
 					}
-
-					// Write invalidity date if present.
-					self.invalidity_date.map(|invalidity_date| {
-						write_x509_extension(
-							writer.next(),
-							OID_CRL_INVALIDITY_DATE,
-							false,
-							|writer| {
-								write_dt_utc_or_generalized(writer, invalidity_date);
-							},
-						)
-					});
 				});
 			}
 		})
@@ -389,7 +376,9 @@ impl RevokedCertParams {
 			exts.add_extension(ext::reason_code(code));
 		}
 
-		// TODO: invalidity date.
+		if let Some(invalidity_date) = self.invalidity_date {
+			exts.add_extension(ext::invalidity_date(invalidity_date));
+		}
 
 		exts
 	}

src/ext.rs

@@ -1,18 +1,20 @@
 use std::net::IpAddr;
+use time::OffsetDateTime;
 use yasna::models::ObjectIdentifier;
 use yasna::{DERWriter, Tag};
 
 use crate::key_pair::PublicKeyData;
 use crate::oid::{
 	OID_AUTHORITY_KEY_IDENTIFIER, OID_BASIC_CONSTRAINTS, OID_CRL_DISTRIBUTION_POINTS,
-	OID_CRL_ISSUING_DISTRIBUTION_POINT, OID_CRL_NUMBER, OID_CRL_REASONS, OID_EXT_KEY_USAGE,
-	OID_KEY_USAGE, OID_NAME_CONSTRAINTS, OID_SUBJECT_ALT_NAME, OID_SUBJECT_KEY_IDENTIFIER,
+	OID_CRL_INVALIDITY_DATE, OID_CRL_ISSUING_DISTRIBUTION_POINT, OID_CRL_NUMBER, OID_CRL_REASONS,
+	OID_EXT_KEY_USAGE, OID_KEY_USAGE, OID_NAME_CONSTRAINTS, OID_SUBJECT_ALT_NAME,
+	OID_SUBJECT_KEY_IDENTIFIER,
 };
 use crate::{
-	write_distinguished_name, BasicConstraints, Certificate, CertificateParams,
-	CrlDistributionPoint, CrlIssuingDistributionPoint, CustomExtension, ExtendedKeyUsagePurpose,
-	GeneralSubtree, IsCa, KeyUsagePurpose, NameConstraints, RevocationReason, SanType,
-	SerialNumber,
+	write_distinguished_name, write_dt_utc_or_generalized, BasicConstraints, Certificate,
+	CertificateParams, CrlDistributionPoint, CrlIssuingDistributionPoint, CustomExtension,
+	ExtendedKeyUsagePurpose, GeneralSubtree, IsCa, KeyUsagePurpose, NameConstraints,
+	RevocationReason, SanType, SerialNumber,
 };
 
 #[derive(Copy, Clone, Debug, PartialEq, Eq)]
@@ -398,3 +400,16 @@ pub(crate) fn reason_code(code: RevocationReason) -> Extension {
 		}),
 	}
 }
+
+/// An X.509v3 invalidity date extension according to
+/// [RFC 5280 5.3.2](https://www.rfc-editor.org/rfc/rfc5280#section-5.3.2).
+pub(crate) fn invalidity_date(date: OffsetDateTime) -> Extension {
+	Extension {
+		oid: ObjectIdentifier::from_slice(OID_CRL_INVALIDITY_DATE),
+		criticality: Criticality::NonCritical,
+		der_value: yasna::construct_der(|writer| {
+			// InvalidityDate ::=  GeneralizedTime
+			write_dt_utc_or_generalized(writer, date);
+		}),
+	}
+}

src/lib.rs

@@ -1405,34 +1405,6 @@ impl Certificate {
 	}
 }
 
-/// Serializes an X.509v3 extension according to RFC 5280
-fn write_x509_extension(
-	writer: DERWriter,
-	extension_oid: &[u64],
-	is_critical: bool,
-	value_serializer: impl FnOnce(DERWriter),
-) {
-	// Extension specification:
-	//    Extension  ::=  SEQUENCE  {
-	//         extnID      OBJECT IDENTIFIER,
-	//         critical    BOOLEAN DEFAULT FALSE,
-	//         extnValue   OCTET STRING
-	//                     -- contains the DER encoding of an ASN.1 value
-	//                     -- corresponding to the extension type identified
-	//                     -- by extnID
-	//         }
-
-	writer.write_sequence(|writer| {
-		let oid = ObjectIdentifier::from_slice(extension_oid);
-		writer.next().write_oid(&oid);
-		if is_critical {
-			writer.next().write_bool(true);
-		}
-		let bytes = yasna::construct_der(value_serializer);
-		writer.next().write_bytes(&bytes);
-	})
-}
-
 #[cfg(feature = "zeroize")]
 impl zeroize::Zeroize for KeyPair {
 	fn zeroize(&mut self) {