@@ -611,189 +611,183 @@ impl CertificateParams {
611611 || matches ! ( self . is_ca, IsCa :: ExplicitNoCa )
612612 || matches ! ( self . is_ca, IsCa :: Ca ( _) )
613613 || !self . custom_extensions . is_empty ( ) ;
614- if should_write_exts {
615- writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
616- writer. write_sequence ( |writer| {
617- if self . use_authority_key_identifier_extension {
618- write_x509_authority_key_identifier (
619- writer. next ( ) ,
620- self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
621- ) ;
622- }
623- // Write subject_alt_names
624- if !self . subject_alt_names . is_empty ( ) {
625- self . write_subject_alt_names ( writer. next ( ) ) ;
626- }
627-
628- // Write standard key usage
629- if !self . key_usages . is_empty ( ) {
630- write_x509_extension (
631- writer. next ( ) ,
632- oid:: KEY_USAGE ,
633- true ,
634- |writer| {
635- let mut bits: u16 = 0 ;
636-
637- for entry in self . key_usages . iter ( ) {
638- // Map the index to a value
639- let index = match entry {
640- KeyUsagePurpose :: DigitalSignature => 0 ,
641- KeyUsagePurpose :: ContentCommitment => 1 ,
642- KeyUsagePurpose :: KeyEncipherment => 2 ,
643- KeyUsagePurpose :: DataEncipherment => 3 ,
644- KeyUsagePurpose :: KeyAgreement => 4 ,
645- KeyUsagePurpose :: KeyCertSign => 5 ,
646- KeyUsagePurpose :: CrlSign => 6 ,
647- KeyUsagePurpose :: EncipherOnly => 7 ,
648- KeyUsagePurpose :: DecipherOnly => 8 ,
649- } ;
650-
651- bits |= 1 << index;
652- }
614+ if !should_write_exts {
615+ return Ok ( ( ) ) ;
616+ }
653617
654- // Compute the 1-based most significant bit
655- let msb = 16 - bits. leading_zeros ( ) ;
656- let nb = if msb <= 8 { 1 } else { 2 } ;
618+ writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
619+ writer. write_sequence ( |writer| {
620+ if self . use_authority_key_identifier_extension {
621+ write_x509_authority_key_identifier (
622+ writer. next ( ) ,
623+ self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
624+ ) ;
625+ }
626+ // Write subject_alt_names
627+ if !self . subject_alt_names . is_empty ( ) {
628+ self . write_subject_alt_names ( writer. next ( ) ) ;
629+ }
630+
631+ // Write standard key usage
632+ if !self . key_usages . is_empty ( ) {
633+ write_x509_extension ( writer. next ( ) , oid:: KEY_USAGE , true , |writer| {
634+ let mut bits: u16 = 0 ;
635+
636+ for entry in self . key_usages . iter ( ) {
637+ // Map the index to a value
638+ let index = match entry {
639+ KeyUsagePurpose :: DigitalSignature => 0 ,
640+ KeyUsagePurpose :: ContentCommitment => 1 ,
641+ KeyUsagePurpose :: KeyEncipherment => 2 ,
642+ KeyUsagePurpose :: DataEncipherment => 3 ,
643+ KeyUsagePurpose :: KeyAgreement => 4 ,
644+ KeyUsagePurpose :: KeyCertSign => 5 ,
645+ KeyUsagePurpose :: CrlSign => 6 ,
646+ KeyUsagePurpose :: EncipherOnly => 7 ,
647+ KeyUsagePurpose :: DecipherOnly => 8 ,
648+ } ;
649+
650+ bits |= 1 << index;
651+ }
657652
658- let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
653+ // Compute the 1-based most significant bit
654+ let msb = 16 - bits. leading_zeros ( ) ;
655+ let nb = if msb <= 8 { 1 } else { 2 } ;
659656
660- // Finally take only the bytes != 0
661- let bits = & bits[ ..nb] ;
657+ let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
662658
663- writer. write_bitvec_bytes ( bits, msb as usize )
664- } ,
665- ) ;
666- }
659+ // Finally take only the bytes != 0
660+ let bits = & bits[ ..nb] ;
667661
668- // Write extended key usage
669- if !self . extended_key_usages . is_empty ( ) {
662+ writer. write_bitvec_bytes ( bits, msb as usize )
663+ } ) ;
664+ }
665+
666+ // Write extended key usage
667+ if !self . extended_key_usages . is_empty ( ) {
668+ write_x509_extension (
669+ writer. next ( ) ,
670+ oid:: EXT_KEY_USAGE ,
671+ false ,
672+ |writer| {
673+ writer. write_sequence ( |writer| {
674+ for usage in self . extended_key_usages . iter ( ) {
675+ let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
676+ writer. next ( ) . write_oid ( & oid) ;
677+ }
678+ } ) ;
679+ } ,
680+ ) ;
681+ }
682+ if let Some ( name_constraints) = & self . name_constraints {
683+ // If both trees are empty, the extension must be omitted.
684+ if !name_constraints. is_empty ( ) {
670685 write_x509_extension (
671686 writer. next ( ) ,
672- oid:: EXT_KEY_USAGE ,
673- false ,
687+ oid:: NAME_CONSTRAINTS ,
688+ true ,
674689 |writer| {
675690 writer. write_sequence ( |writer| {
676- for usage in self . extended_key_usages . iter ( ) {
677- let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
678- writer. next ( ) . write_oid ( & oid) ;
691+ if !name_constraints. permitted_subtrees . is_empty ( ) {
692+ write_general_subtrees (
693+ writer. next ( ) ,
694+ 0 ,
695+ & name_constraints. permitted_subtrees ,
696+ ) ;
697+ }
698+ if !name_constraints. excluded_subtrees . is_empty ( ) {
699+ write_general_subtrees (
700+ writer. next ( ) ,
701+ 1 ,
702+ & name_constraints. excluded_subtrees ,
703+ ) ;
679704 }
680705 } ) ;
681706 } ,
682707 ) ;
683708 }
684- if let Some ( name_constraints) = & self . name_constraints {
685- // If both trees are empty, the extension must be omitted.
686- if !name_constraints. is_empty ( ) {
687- write_x509_extension (
688- writer. next ( ) ,
689- oid:: NAME_CONSTRAINTS ,
690- true ,
691- |writer| {
692- writer. write_sequence ( |writer| {
693- if !name_constraints. permitted_subtrees . is_empty ( ) {
694- write_general_subtrees (
695- writer. next ( ) ,
696- 0 ,
697- & name_constraints. permitted_subtrees ,
698- ) ;
699- }
700- if !name_constraints. excluded_subtrees . is_empty ( ) {
701- write_general_subtrees (
702- writer. next ( ) ,
703- 1 ,
704- & name_constraints. excluded_subtrees ,
705- ) ;
706- }
707- } ) ;
708- } ,
709- ) ;
710- }
711- }
712- if !self . crl_distribution_points . is_empty ( ) {
709+ }
710+ if !self . crl_distribution_points . is_empty ( ) {
711+ write_x509_extension (
712+ writer. next ( ) ,
713+ oid:: CRL_DISTRIBUTION_POINTS ,
714+ false ,
715+ |writer| {
716+ writer. write_sequence ( |writer| {
717+ for distribution_point in & self . crl_distribution_points {
718+ distribution_point. write_der ( writer. next ( ) ) ;
719+ }
720+ } )
721+ } ,
722+ ) ;
723+ }
724+ match self . is_ca {
725+ IsCa :: Ca ( ref constraint) => {
726+ // Write subject_key_identifier
713727 write_x509_extension (
714728 writer. next ( ) ,
715- oid:: CRL_DISTRIBUTION_POINTS ,
729+ oid:: SUBJECT_KEY_IDENTIFIER ,
716730 false ,
731+ |writer| {
732+ writer. write_bytes (
733+ & self . key_identifier_method . derive ( pub_key_spki) ,
734+ ) ;
735+ } ,
736+ ) ;
737+ // Write basic_constraints
738+ write_x509_extension (
739+ writer. next ( ) ,
740+ oid:: BASIC_CONSTRAINTS ,
741+ true ,
717742 |writer| {
718743 writer. write_sequence ( |writer| {
719- for distribution_point in & self . crl_distribution_points
744+ writer. next ( ) . write_bool ( true ) ; // cA flag
745+ if let BasicConstraints :: Constrained (
746+ path_len_constraint,
747+ ) = constraint
720748 {
721- distribution_point . write_der ( writer. next ( ) ) ;
749+ writer. next ( ) . write_u8 ( * path_len_constraint ) ;
722750 }
723- } )
751+ } ) ;
724752 } ,
725753 ) ;
726- }
727- match self . is_ca {
728- IsCa :: Ca ( ref constraint) => {
729- // Write subject_key_identifier
730- write_x509_extension (
731- writer. next ( ) ,
732- oid:: SUBJECT_KEY_IDENTIFIER ,
733- false ,
734- |writer| {
735- writer. write_bytes (
736- & self . key_identifier_method . derive ( pub_key_spki) ,
737- ) ;
738- } ,
739- ) ;
740- // Write basic_constraints
741- write_x509_extension (
742- writer. next ( ) ,
743- oid:: BASIC_CONSTRAINTS ,
744- true ,
745- |writer| {
746- writer. write_sequence ( |writer| {
747- writer. next ( ) . write_bool ( true ) ; // cA flag
748- if let BasicConstraints :: Constrained (
749- path_len_constraint,
750- ) = constraint
751- {
752- writer. next ( ) . write_u8 ( * path_len_constraint) ;
753- }
754- } ) ;
755- } ,
756- ) ;
757- } ,
758- IsCa :: ExplicitNoCa => {
759- // Write subject_key_identifier
760- write_x509_extension (
761- writer. next ( ) ,
762- oid:: SUBJECT_KEY_IDENTIFIER ,
763- false ,
764- |writer| {
765- writer. write_bytes (
766- & self . key_identifier_method . derive ( pub_key_spki) ,
767- ) ;
768- } ,
769- ) ;
770- // Write basic_constraints
771- write_x509_extension (
772- writer. next ( ) ,
773- oid:: BASIC_CONSTRAINTS ,
774- true ,
775- |writer| {
776- writer. write_sequence ( |writer| {
777- writer. next ( ) . write_bool ( false ) ; // cA flag
778- } ) ;
779- } ,
780- ) ;
781- } ,
782- IsCa :: NoCa => { } ,
783- }
784-
785- // Write the custom extensions
786- for ext in & self . custom_extensions {
754+ } ,
755+ IsCa :: ExplicitNoCa => {
756+ // Write subject_key_identifier
787757 write_x509_extension (
788758 writer. next ( ) ,
789- & ext. oid ,
790- ext. critical ,
791- |writer| writer. write_der ( ext. content ( ) ) ,
759+ oid:: SUBJECT_KEY_IDENTIFIER ,
760+ false ,
761+ |writer| {
762+ writer. write_bytes (
763+ & self . key_identifier_method . derive ( pub_key_spki) ,
764+ ) ;
765+ } ,
792766 ) ;
793- }
794- } ) ;
767+ // Write basic_constraints
768+ write_x509_extension (
769+ writer. next ( ) ,
770+ oid:: BASIC_CONSTRAINTS ,
771+ true ,
772+ |writer| {
773+ writer. write_sequence ( |writer| {
774+ writer. next ( ) . write_bool ( false ) ; // cA flag
775+ } ) ;
776+ } ,
777+ ) ;
778+ } ,
779+ IsCa :: NoCa => { } ,
780+ }
781+
782+ // Write the custom extensions
783+ for ext in & self . custom_extensions {
784+ write_x509_extension ( writer. next ( ) , & ext. oid , ext. critical , |writer| {
785+ writer. write_der ( ext. content ( ) )
786+ } ) ;
787+ }
795788 } ) ;
796- }
789+ } ) ;
790+
797791 Ok ( ( ) )
798792 } )
799793 . map ( CertificateDer :: from)
0 commit comments