@@ -632,185 +632,182 @@ impl CertificateParams {
632632 || matches ! ( self . is_ca, IsCa :: ExplicitNoCa )
633633 || matches ! ( self . is_ca, IsCa :: Ca ( _) )
634634 || !self . custom_extensions . is_empty ( ) ;
635- if should_write_exts {
636- writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
637- writer. write_sequence ( |writer| {
638- if self . use_authority_key_identifier_extension {
639- write_x509_authority_key_identifier (
640- writer. next ( ) ,
641- self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
642- ) ;
643- }
644- // Write subject_alt_names
645- if !self . subject_alt_names . is_empty ( ) {
646- self . write_subject_alt_names ( writer. next ( ) ) ;
647- }
635+ if !should_write_exts {
636+ return Ok ( ( ) ) ;
637+ }
648638
649- // Write standard key usage
650- if !self . key_usages . is_empty ( ) {
651- write_x509_extension (
652- writer. next ( ) ,
653- oid:: OID_KEY_USAGE ,
654- true ,
655- |writer| {
656- let mut bits: u16 = 0 ;
657-
658- for entry in self . key_usages . iter ( ) {
659- // Map the index to a value
660- let index = match entry {
661- KeyUsagePurpose :: DigitalSignature => 0 ,
662- KeyUsagePurpose :: ContentCommitment => 1 ,
663- KeyUsagePurpose :: KeyEncipherment => 2 ,
664- KeyUsagePurpose :: DataEncipherment => 3 ,
665- KeyUsagePurpose :: KeyAgreement => 4 ,
666- KeyUsagePurpose :: KeyCertSign => 5 ,
667- KeyUsagePurpose :: CrlSign => 6 ,
668- KeyUsagePurpose :: EncipherOnly => 7 ,
669- KeyUsagePurpose :: DecipherOnly => 8 ,
670- } ;
671-
672- bits |= 1 << index;
673- }
639+ writer. next ( ) . write_tagged ( Tag :: context ( 3 ) , |writer| {
640+ writer. write_sequence ( |writer| {
641+ if self . use_authority_key_identifier_extension {
642+ write_x509_authority_key_identifier (
643+ writer. next ( ) ,
644+ self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
645+ ) ;
646+ }
647+ // Write subject_alt_names
648+ if !self . subject_alt_names . is_empty ( ) {
649+ self . write_subject_alt_names ( writer. next ( ) ) ;
650+ }
651+
652+ // Write standard key usage
653+ if !self . key_usages . is_empty ( ) {
654+ write_x509_extension ( writer. next ( ) , oid:: OID_KEY_USAGE , true , |writer| {
655+ let mut bits: u16 = 0 ;
656+
657+ for entry in self . key_usages . iter ( ) {
658+ // Map the index to a value
659+ let index = match entry {
660+ KeyUsagePurpose :: DigitalSignature => 0 ,
661+ KeyUsagePurpose :: ContentCommitment => 1 ,
662+ KeyUsagePurpose :: KeyEncipherment => 2 ,
663+ KeyUsagePurpose :: DataEncipherment => 3 ,
664+ KeyUsagePurpose :: KeyAgreement => 4 ,
665+ KeyUsagePurpose :: KeyCertSign => 5 ,
666+ KeyUsagePurpose :: CrlSign => 6 ,
667+ KeyUsagePurpose :: EncipherOnly => 7 ,
668+ KeyUsagePurpose :: DecipherOnly => 8 ,
669+ } ;
670+
671+ bits |= 1 << index;
672+ }
674673
675- // Compute the 1-based most significant bit
676- let msb = 16 - bits. leading_zeros ( ) ;
677- let nb = if msb <= 8 { 1 } else { 2 } ;
674+ // Compute the 1-based most significant bit
675+ let msb = 16 - bits. leading_zeros ( ) ;
676+ let nb = if msb <= 8 { 1 } else { 2 } ;
678677
679- let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
678+ let bits = bits. reverse_bits ( ) . to_be_bytes ( ) ;
680679
681- // Finally take only the bytes != 0
682- let bits = & bits[ ..nb] ;
680+ // Finally take only the bytes != 0
681+ let bits = & bits[ ..nb] ;
683682
684- writer. write_bitvec_bytes ( & bits, msb as usize )
683+ writer. write_bitvec_bytes ( & bits, msb as usize )
684+ } ) ;
685+ }
686+
687+ // Write extended key usage
688+ if !self . extended_key_usages . is_empty ( ) {
689+ write_x509_extension (
690+ writer. next ( ) ,
691+ oid:: OID_EXT_KEY_USAGE ,
692+ false ,
693+ |writer| {
694+ writer. write_sequence ( |writer| {
695+ for usage in self . extended_key_usages . iter ( ) {
696+ let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
697+ writer. next ( ) . write_oid ( & oid) ;
698+ }
699+ } ) ;
700+ } ,
701+ ) ;
702+ }
703+ if let Some ( name_constraints) = & self . name_constraints {
704+ // If both trees are empty, the extension must be omitted.
705+ if !name_constraints. is_empty ( ) {
706+ write_x509_extension (
707+ writer. next ( ) ,
708+ oid:: OID_NAME_CONSTRAINTS ,
709+ true ,
710+ |writer| {
711+ writer. write_sequence ( |writer| {
712+ if !name_constraints. permitted_subtrees . is_empty ( ) {
713+ write_general_subtrees (
714+ writer. next ( ) ,
715+ 0 ,
716+ & name_constraints. permitted_subtrees ,
717+ ) ;
718+ }
719+ if !name_constraints. excluded_subtrees . is_empty ( ) {
720+ write_general_subtrees (
721+ writer. next ( ) ,
722+ 1 ,
723+ & name_constraints. excluded_subtrees ,
724+ ) ;
725+ }
726+ } ) ;
685727 } ,
686728 ) ;
687729 }
688-
689- // Write extended key usage
690- if !self . extended_key_usages . is_empty ( ) {
730+ }
731+ if !self . crl_distribution_points . is_empty ( ) {
732+ write_x509_extension (
733+ writer. next ( ) ,
734+ oid:: OID_CRL_DISTRIBUTION_POINTS ,
735+ false ,
736+ |writer| {
737+ writer. write_sequence ( |writer| {
738+ for distribution_point in & self . crl_distribution_points {
739+ distribution_point. write_der ( writer. next ( ) ) ;
740+ }
741+ } )
742+ } ,
743+ ) ;
744+ }
745+ match self . is_ca {
746+ IsCa :: Ca ( ref constraint) => {
747+ // Write subject_key_identifier
691748 write_x509_extension (
692749 writer. next ( ) ,
693- oid:: OID_EXT_KEY_USAGE ,
750+ oid:: OID_SUBJECT_KEY_IDENTIFIER ,
694751 false ,
752+ |writer| {
753+ writer. write_bytes (
754+ & self . key_identifier_method . derive ( pub_key_spki) ,
755+ ) ;
756+ } ,
757+ ) ;
758+ // Write basic_constraints
759+ write_x509_extension (
760+ writer. next ( ) ,
761+ oid:: OID_BASIC_CONSTRAINTS ,
762+ true ,
695763 |writer| {
696764 writer. write_sequence ( |writer| {
697- for usage in self . extended_key_usages . iter ( ) {
698- let oid = ObjectIdentifier :: from_slice ( usage. oid ( ) ) ;
699- writer. next ( ) . write_oid ( & oid) ;
765+ writer. next ( ) . write_bool ( true ) ; // cA flag
766+ if let BasicConstraints :: Constrained ( path_len_constraint) =
767+ constraint
768+ {
769+ writer. next ( ) . write_u8 ( * path_len_constraint) ;
700770 }
701771 } ) ;
702772 } ,
703773 ) ;
704- }
705- if let Some ( name_constraints) = & self . name_constraints {
706- // If both trees are empty, the extension must be omitted.
707- if !name_constraints. is_empty ( ) {
708- write_x509_extension (
709- writer. next ( ) ,
710- oid:: OID_NAME_CONSTRAINTS ,
711- true ,
712- |writer| {
713- writer. write_sequence ( |writer| {
714- if !name_constraints. permitted_subtrees . is_empty ( ) {
715- write_general_subtrees (
716- writer. next ( ) ,
717- 0 ,
718- & name_constraints. permitted_subtrees ,
719- ) ;
720- }
721- if !name_constraints. excluded_subtrees . is_empty ( ) {
722- write_general_subtrees (
723- writer. next ( ) ,
724- 1 ,
725- & name_constraints. excluded_subtrees ,
726- ) ;
727- }
728- } ) ;
729- } ,
730- ) ;
731- }
732- }
733- if !self . crl_distribution_points . is_empty ( ) {
774+ } ,
775+ IsCa :: ExplicitNoCa => {
776+ // Write subject_key_identifier
734777 write_x509_extension (
735778 writer. next ( ) ,
736- oid:: OID_CRL_DISTRIBUTION_POINTS ,
779+ oid:: OID_SUBJECT_KEY_IDENTIFIER ,
737780 false ,
781+ |writer| {
782+ writer. write_bytes (
783+ & self . key_identifier_method . derive ( pub_key_spki) ,
784+ ) ;
785+ } ,
786+ ) ;
787+ // Write basic_constraints
788+ write_x509_extension (
789+ writer. next ( ) ,
790+ oid:: OID_BASIC_CONSTRAINTS ,
791+ true ,
738792 |writer| {
739793 writer. write_sequence ( |writer| {
740- for distribution_point in & self . crl_distribution_points {
741- distribution_point. write_der ( writer. next ( ) ) ;
742- }
743- } )
794+ writer. next ( ) . write_bool ( false ) ; // cA flag
795+ } ) ;
744796 } ,
745797 ) ;
746- }
747- match self . is_ca {
748- IsCa :: Ca ( ref constraint) => {
749- // Write subject_key_identifier
750- write_x509_extension (
751- writer. next ( ) ,
752- oid:: OID_SUBJECT_KEY_IDENTIFIER ,
753- false ,
754- |writer| {
755- writer. write_bytes (
756- & self . key_identifier_method . derive ( pub_key_spki) ,
757- ) ;
758- } ,
759- ) ;
760- // Write basic_constraints
761- write_x509_extension (
762- writer. next ( ) ,
763- oid:: OID_BASIC_CONSTRAINTS ,
764- true ,
765- |writer| {
766- writer. write_sequence ( |writer| {
767- writer. next ( ) . write_bool ( true ) ; // cA flag
768- if let BasicConstraints :: Constrained (
769- path_len_constraint,
770- ) = constraint
771- {
772- writer. next ( ) . write_u8 ( * path_len_constraint) ;
773- }
774- } ) ;
775- } ,
776- ) ;
777- } ,
778- IsCa :: ExplicitNoCa => {
779- // Write subject_key_identifier
780- write_x509_extension (
781- writer. next ( ) ,
782- oid:: OID_SUBJECT_KEY_IDENTIFIER ,
783- false ,
784- |writer| {
785- writer. write_bytes (
786- & self . key_identifier_method . derive ( pub_key_spki) ,
787- ) ;
788- } ,
789- ) ;
790- // Write basic_constraints
791- write_x509_extension (
792- writer. next ( ) ,
793- oid:: OID_BASIC_CONSTRAINTS ,
794- true ,
795- |writer| {
796- writer. write_sequence ( |writer| {
797- writer. next ( ) . write_bool ( false ) ; // cA flag
798- } ) ;
799- } ,
800- ) ;
801- } ,
802- IsCa :: NoCa => { } ,
803- }
798+ } ,
799+ IsCa :: NoCa => { } ,
800+ }
804801
805- // Write the custom extensions
806- for ext in & self . custom_extensions {
807- write_x509_extension ( writer. next ( ) , & ext. oid , ext. critical , |writer| {
808- writer. write_der ( ext. content ( ) )
809- } ) ;
810- }
811- } ) ;
802+ // Write the custom extensions
803+ for ext in & self . custom_extensions {
804+ write_x509_extension ( writer. next ( ) , & ext. oid , ext. critical , |writer| {
805+ writer. write_der ( ext. content ( ) )
806+ } ) ;
807+ }
812808 } ) ;
813- }
809+ } ) ;
810+
814811 Ok ( ( ) )
815812 } )
816813 }
0 commit comments