csr: support reading crl dps from CSR

rustls · Oct 10, 2023 · 9d2c80b · 9d2c80b
1 parent 8258f2e
commit 9d2c80b
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/src/csr.rs b/src/csr.rs
@@ -1,11 +1,13 @@
 #[cfg(feature = "x509-parser")]
 use crate::{
-	BasicConstraints, CustomExtension, DistinguishedName, ExtendedKeyUsagePurpose, GeneralSubtree,
-	IsCa, KeyUsagePurpose, NameConstraints, SanType,
+	BasicConstraints, CrlDistributionPoint, CustomExtension, DistinguishedName,
+	ExtendedKeyUsagePurpose, GeneralSubtree, IsCa, KeyUsagePurpose, NameConstraints, SanType,
 };
 #[cfg(feature = "pem")]
 use pem::Pem;
 use std::hash::Hash;
+#[cfg(feature = "x509-parser")]
+use x509_parser::extensions::{DistributionPointName, GeneralName};
 
 use crate::{Certificate, CertificateParams, Error, PublicKeyData, SignatureAlgorithm};
 
@@ -201,6 +203,38 @@ impl CertificateSigningRequest {
 						}
 						true
 					},
+					x509_parser::extensions::ParsedExtension::CRLDistributionPoints(crl_dps) => {
+						let dps = crl_dps
+							.points
+							.iter()
+							.map(|dp| {
+								// Rcgen does not support CRL DPs with specific reasons, or an indirect issuer.
+								if dp.reasons.is_some() || dp.crl_issuer.is_some() {
+									return Err(Error::UnsupportedCrlDistributionPoint);
+								}
+								let general_names = match &dp.distribution_point {
+									Some(DistributionPointName::FullName(general_names)) => {
+										Ok(general_names)
+									},
+									// Rcgen does not support CRL DPs missing a distribution point,
+									// or that specific a distribution point with a name relative
+									// to an issuer.
+									_ => Err(Error::UnsupportedCrlDistributionPoint),
+								}?;
+								let uris = general_names
+									.iter()
+									.map(|general_name| match general_name {
+										GeneralName::URI(uri) => Ok(uri.to_string()),
+										// Rcgen does not support CRL DP general names other than URI.
+										_ => Err(Error::UnsupportedGeneralName),
+									})
+									.collect::<Result<Vec<_>, _>>()?;
+								Ok(CrlDistributionPoint { uris })
+							})
+							.collect::<Result<Vec<_>, _>>()?;
+						params.crl_distribution_points = dps;
+						true
+					},
 					_ => false,
 				};
 				if !supported {

diff --git a/src/error.rs b/src/error.rs
@@ -41,6 +41,9 @@ pub enum Error {
 	/// Unsupported basic constraints extension path length in CSR
 	#[cfg(feature = "x509-parser")]
 	UnsupportedBasicConstraintsPathLen,
+	/// Unsupported CRL distribution point extension in CSR
+	#[cfg(feature = "x509-parser")]
+	UnsupportedCrlDistributionPoint,
 	/// Unsupported extension requested in CSR
 	#[cfg(feature = "x509-parser")]
 	UnsupportedExtension,
@@ -109,6 +112,8 @@ impl fmt::Display for Error {
 			)?,
 			#[cfg(feature = "x509-parser")]
 			UnsupportedGeneralName => write!(f, "Unsupported general name in CSR",)?,
+			#[cfg(feature = "x509-parser")]
+			UnsupportedCrlDistributionPoint => write!(f, "Unsupported CRL distribution point in CSR",)?,
 		};
 		Ok(())
 	}