@@ -610,180 +610,177 @@ impl CertificateParams {
610610 || matches ! ( self . is_ca, IsCa :: ExplicitNoCa )
611611 || matches ! ( self . is_ca, IsCa :: Ca ( _) )
612612 || !self . custom_extensions . is_empty ( ) ;
613- if should_write_exts {
614- writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
615- writer. write_sequence ( |writer| {
616- if self . use_authority_key_identifier_extension {
617- write_x509_authority_key_identifier (
618- writer. next ( ) ,
619- self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
620- ) ;
621- }
622- // Write subject_alt_names
623- if !self . subject_alt_names . is_empty ( ) {
624- self . write_subject_alt_names ( writer. next ( ) ) ;
625- }
613+ if !should_write_exts {
614+ return Ok ( ( ) ) ;
615+ }
626616
627- // Write standard key usage
628- if !self . key_usages . is_empty ( ) {
629- write_x509_extension ( writer. next ( ) , oid:: KEY_USAGE , true , |writer| {
630- let mut bits: u16 = 0 ;
631-
632- for entry in self . key_usages . iter ( ) {
633- // Map the index to a value
634- let index = match entry {
635- KeyUsagePurpose :: DigitalSignature => 0 ,
636- KeyUsagePurpose :: ContentCommitment => 1 ,
637- KeyUsagePurpose :: KeyEncipherment => 2 ,
638- KeyUsagePurpose :: DataEncipherment => 3 ,
639- KeyUsagePurpose :: KeyAgreement => 4 ,
640- KeyUsagePurpose :: KeyCertSign => 5 ,
641- KeyUsagePurpose :: CrlSign => 6 ,
642- KeyUsagePurpose :: EncipherOnly => 7 ,
643- KeyUsagePurpose :: DecipherOnly => 8 ,
644- } ;
645-
646- bits |= 1 << index;
647- }
617+ writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
618+ writer. write_sequence ( |writer| {
619+ if self . use_authority_key_identifier_extension {
620+ write_x509_authority_key_identifier (
621+ writer. next ( ) ,
622+ self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
623+ ) ;
624+ }
625+ // Write subject_alt_names
626+ if !self . subject_alt_names . is_empty ( ) {
627+ self . write_subject_alt_names ( writer. next ( ) ) ;
628+ }
629+
630+ // Write standard key usage
631+ if !self . key_usages . is_empty ( ) {
632+ write_x509_extension ( writer. next ( ) , oid:: KEY_USAGE , true , |writer| {
633+ let mut bits: u16 = 0 ;
634+
635+ for entry in self . key_usages . iter ( ) {
636+ // Map the index to a value
637+ let index = match entry {
638+ KeyUsagePurpose :: DigitalSignature => 0 ,
639+ KeyUsagePurpose :: ContentCommitment => 1 ,
640+ KeyUsagePurpose :: KeyEncipherment => 2 ,
641+ KeyUsagePurpose :: DataEncipherment => 3 ,
642+ KeyUsagePurpose :: KeyAgreement => 4 ,
643+ KeyUsagePurpose :: KeyCertSign => 5 ,
644+ KeyUsagePurpose :: CrlSign => 6 ,
645+ KeyUsagePurpose :: EncipherOnly => 7 ,
646+ KeyUsagePurpose :: DecipherOnly => 8 ,
647+ } ;
648+
649+ bits |= 1 << index;
650+ }
648651
649- // Compute the 1-based most significant bit
650- let msb = 16 - bits. leading_zeros ( ) ;
651- let nb = if msb <= 8 { 1 } else { 2 } ;
652+ // Compute the 1-based most significant bit
653+ let msb = 16 - bits. leading_zeros ( ) ;
654+ let nb = if msb <= 8 { 1 } else { 2 } ;
652655
653- let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
656+ let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
654657
655- // Finally take only the bytes != 0
656- let bits = & bits[ ..nb] ;
658+ // Finally take only the bytes != 0
659+ let bits = & bits[ ..nb] ;
657660
658- writer. write_bitvec_bytes ( bits, msb as usize )
661+ writer. write_bitvec_bytes ( bits, msb as usize )
662+ } ) ;
663+ }
664+
665+ // Write extended key usage
666+ if !self . extended_key_usages . is_empty ( ) {
667+ write_x509_extension ( writer. next ( ) , oid:: EXT_KEY_USAGE , false , |writer| {
668+ writer. write_sequence ( |writer| {
669+ for usage in self . extended_key_usages . iter ( ) {
670+ let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
671+ writer. next ( ) . write_oid ( & oid) ;
672+ }
659673 } ) ;
660- }
661-
662- // Write extended key usage
663- if !self . extended_key_usages . is_empty ( ) {
674+ } ) ;
675+ }
676+ if let Some ( name_constraints) = & self . name_constraints {
677+ // If both trees are empty, the extension must be omitted.
678+ if !name_constraints. is_empty ( ) {
664679 write_x509_extension (
665680 writer. next ( ) ,
666- oid:: EXT_KEY_USAGE ,
667- false ,
681+ oid:: NAME_CONSTRAINTS ,
682+ true ,
668683 |writer| {
669684 writer. write_sequence ( |writer| {
670- for usage in self . extended_key_usages . iter ( ) {
671- let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
672- writer. next ( ) . write_oid ( & oid) ;
685+ if !name_constraints. permitted_subtrees . is_empty ( ) {
686+ write_general_subtrees (
687+ writer. next ( ) ,
688+ 0 ,
689+ & name_constraints. permitted_subtrees ,
690+ ) ;
691+ }
692+ if !name_constraints. excluded_subtrees . is_empty ( ) {
693+ write_general_subtrees (
694+ writer. next ( ) ,
695+ 1 ,
696+ & name_constraints. excluded_subtrees ,
697+ ) ;
673698 }
674699 } ) ;
675700 } ,
676701 ) ;
677702 }
678- if let Some ( name_constraints) = & self . name_constraints {
679- // If both trees are empty, the extension must be omitted.
680- if !name_constraints. is_empty ( ) {
681- write_x509_extension (
682- writer. next ( ) ,
683- oid:: NAME_CONSTRAINTS ,
684- true ,
685- |writer| {
686- writer. write_sequence ( |writer| {
687- if !name_constraints. permitted_subtrees . is_empty ( ) {
688- write_general_subtrees (
689- writer. next ( ) ,
690- 0 ,
691- & name_constraints. permitted_subtrees ,
692- ) ;
693- }
694- if !name_constraints. excluded_subtrees . is_empty ( ) {
695- write_general_subtrees (
696- writer. next ( ) ,
697- 1 ,
698- & name_constraints. excluded_subtrees ,
699- ) ;
700- }
701- } ) ;
702- } ,
703- ) ;
704- }
705- }
706- if !self . crl_distribution_points . is_empty ( ) {
703+ }
704+ if !self . crl_distribution_points . is_empty ( ) {
705+ write_x509_extension (
706+ writer. next ( ) ,
707+ oid:: CRL_DISTRIBUTION_POINTS ,
708+ false ,
709+ |writer| {
710+ writer. write_sequence ( |writer| {
711+ for distribution_point in & self . crl_distribution_points {
712+ distribution_point. write_der ( writer. next ( ) ) ;
713+ }
714+ } )
715+ } ,
716+ ) ;
717+ }
718+ match self . is_ca {
719+ IsCa :: Ca ( ref constraint) => {
720+ // Write subject_key_identifier
707721 write_x509_extension (
708722 writer. next ( ) ,
709- oid:: CRL_DISTRIBUTION_POINTS ,
723+ oid:: SUBJECT_KEY_IDENTIFIER ,
710724 false ,
725+ |writer| {
726+ writer. write_bytes (
727+ & self . key_identifier_method . derive ( pub_key_spki) ,
728+ ) ;
729+ } ,
730+ ) ;
731+ // Write basic_constraints
732+ write_x509_extension (
733+ writer. next ( ) ,
734+ oid:: BASIC_CONSTRAINTS ,
735+ true ,
711736 |writer| {
712737 writer. write_sequence ( |writer| {
713- for distribution_point in & self . crl_distribution_points {
714- distribution_point. write_der ( writer. next ( ) ) ;
738+ writer. next ( ) . write_bool ( true ) ; // cA flag
739+ if let BasicConstraints :: Constrained ( path_len_constraint) =
740+ constraint
741+ {
742+ writer. next ( ) . write_u8 ( * path_len_constraint) ;
715743 }
716- } )
744+ } ) ;
717745 } ,
718746 ) ;
719- }
720- match self . is_ca {
721- IsCa :: Ca ( ref constraint) => {
722- // Write subject_key_identifier
723- write_x509_extension (
724- writer. next ( ) ,
725- oid:: SUBJECT_KEY_IDENTIFIER ,
726- false ,
727- |writer| {
728- writer. write_bytes (
729- & self . key_identifier_method . derive ( pub_key_spki) ,
730- ) ;
731- } ,
732- ) ;
733- // Write basic_constraints
734- write_x509_extension (
735- writer. next ( ) ,
736- oid:: BASIC_CONSTRAINTS ,
737- true ,
738- |writer| {
739- writer. write_sequence ( |writer| {
740- writer. next ( ) . write_bool ( true ) ; // cA flag
741- if let BasicConstraints :: Constrained (
742- path_len_constraint,
743- ) = constraint
744- {
745- writer. next ( ) . write_u8 ( * path_len_constraint) ;
746- }
747- } ) ;
748- } ,
749- ) ;
750- } ,
751- IsCa :: ExplicitNoCa => {
752- // Write subject_key_identifier
753- write_x509_extension (
754- writer. next ( ) ,
755- oid:: SUBJECT_KEY_IDENTIFIER ,
756- false ,
757- |writer| {
758- writer. write_bytes (
759- & self . key_identifier_method . derive ( pub_key_spki) ,
760- ) ;
761- } ,
762- ) ;
763- // Write basic_constraints
764- write_x509_extension (
765- writer. next ( ) ,
766- oid:: BASIC_CONSTRAINTS ,
767- true ,
768- |writer| {
769- writer. write_sequence ( |writer| {
770- writer. next ( ) . write_bool ( false ) ; // cA flag
771- } ) ;
772- } ,
773- ) ;
774- } ,
775- IsCa :: NoCa => { } ,
776- }
747+ } ,
748+ IsCa :: ExplicitNoCa => {
749+ // Write subject_key_identifier
750+ write_x509_extension (
751+ writer. next ( ) ,
752+ oid:: SUBJECT_KEY_IDENTIFIER ,
753+ false ,
754+ |writer| {
755+ writer. write_bytes (
756+ & self . key_identifier_method . derive ( pub_key_spki) ,
757+ ) ;
758+ } ,
759+ ) ;
760+ // Write basic_constraints
761+ write_x509_extension (
762+ writer. next ( ) ,
763+ oid:: BASIC_CONSTRAINTS ,
764+ true ,
765+ |writer| {
766+ writer. write_sequence ( |writer| {
767+ writer. next ( ) . write_bool ( false ) ; // cA flag
768+ } ) ;
769+ } ,
770+ ) ;
771+ } ,
772+ IsCa :: NoCa => { } ,
773+ }
777774
778- // Write the custom extensions
779- for ext in & self . custom_extensions {
780- write_x509_extension ( writer. next ( ) , & ext. oid , ext. critical , |writer| {
781- writer. write_der ( ext. content ( ) )
782- } ) ;
783- }
784- } ) ;
775+ // Write the custom extensions
776+ for ext in & self . custom_extensions {
777+ write_x509_extension ( writer. next ( ) , & ext. oid , ext. critical , |writer| {
778+ writer. write_der ( ext. content ( ) )
779+ } ) ;
780+ }
785781 } ) ;
786- }
782+ } ) ;
783+
787784 Ok ( ( ) )
788785 } ) ?;
789786
0 commit comments