From 9d2c80b0315461293c9eca1e425bf84518ef68a8 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Tue, 10 Oct 2023 17:08:38 -0400
Subject: [PATCH] csr: support reading crl dps from CSR
---
 src/csr.rs | 38 ++++++++++++++++++++++++++++++++++++--
 src/error.rs | 5 +++++
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/csr.rs b/src/csr.rs
index ba9fb27f..a648e17c 100644
--- a/src/csr.rs
+++ b/src/csr.rs
@@ -1,11 +1,13 @@
 #[cfg(feature = "x509-parser")]
 use crate::{
-	BasicConstraints, CustomExtension, DistinguishedName, ExtendedKeyUsagePurpose, GeneralSubtree,
-	IsCa, KeyUsagePurpose, NameConstraints, SanType,
+	BasicConstraints, CrlDistributionPoint, CustomExtension, DistinguishedName,
+	ExtendedKeyUsagePurpose, GeneralSubtree, IsCa, KeyUsagePurpose, NameConstraints, SanType,
 };
 #[cfg(feature = "pem")]
 use pem::Pem;
 use std::hash::Hash;
+#[cfg(feature = "x509-parser")]
+use x509_parser::extensions::{DistributionPointName, GeneralName};
 use crate::{Certificate, CertificateParams, Error, PublicKeyData, SignatureAlgorithm};
@@ -201,6 +203,38 @@ impl CertificateSigningRequest {
 				}
 				true
 			},
+			x509_parser::extensions::ParsedExtension::CRLDistributionPoints(crl_dps) => {
+				let dps = crl_dps
+					.points
+					.iter()
+					.map(|dp| {
+						// Rcgen does not support CRL DPs with specific reasons, or an indirect issuer.
+						if dp.reasons.is_some() || dp.crl_issuer.is_some() {
+							return Err(Error::UnsupportedCrlDistributionPoint);
+						}
+						let general_names = match &dp.distribution_point {
+							Some(DistributionPointName::FullName(general_names)) => {
+								Ok(general_names)
+							},
+							// Rcgen does not support CRL DPs missing a distribution point,
+							// or that specific a distribution point with a name relative
+							// to an issuer.
+							_ => Err(Error::UnsupportedCrlDistributionPoint),
+						}?;
+						let uris = general_names
+							.iter()
+							.map(|general_name| match general_name {
+								GeneralName::URI(uri) => Ok(uri.to_string()),
+								// Rcgen does not support CRL DP general names other than URI.
+								_ => Err(Error::UnsupportedGeneralName),
+							})
+							.collect::, _>>()?;
+						Ok(CrlDistributionPoint { uris })
+					})
+					.collect::, _>>()?;
+				params.crl_distribution_points = dps;
+				true
+			},
 			_ => false,
 		};
 		if !supported {
diff --git a/src/error.rs b/src/error.rs
index 07833723..92aab7d7 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -41,6 +41,9 @@ pub enum Error {
 	/// Unsupported basic constraints extension path length in CSR
 	#[cfg(feature = "x509-parser")]
 	UnsupportedBasicConstraintsPathLen,
+	/// Unsupported CRL distribution point extension in CSR
+	#[cfg(feature = "x509-parser")]
+	UnsupportedCrlDistributionPoint,
 	/// Unsupported extension requested in CSR
 	#[cfg(feature = "x509-parser")]
 	UnsupportedExtension,
@@ -109,6 +112,8 @@ impl fmt::Display for Error {
 			)?,
 			#[cfg(feature = "x509-parser")]
 			UnsupportedGeneralName => write!(f, "Unsupported general name in CSR",)?,
+			#[cfg(feature = "x509-parser")]
+			UnsupportedCrlDistributionPoint => write!(f, "Unsupported CRL distribution point in CSR",)?,
 		};
 		Ok(())
 	}
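Review bot: The URIs stored in `params.crl_distribution_points` are copied from the requester-controlled CSR with no check beyond the general name being a URI, so an issuer that signs these params as-is will emit a certificate whose CRL pointer is whatever the requester asked for, whereas for a CA the CRL DP is normally issuer policy rather than a CSR attribute. I would say so at the assignment: `// NOTE: these URIs are requester-supplied; issuers should validate or replace them before signing.` Separately, an extension whose `points` sequence is empty (invalid per RFC 5280, which requires SIZE (1..MAX)) or a fullName holding no URIs passes through as an empty list rather than an error, and I cannot see from here whether the encoder then writes an empty SEQUENCE. Minor: the comment `or that specific a distribution point` should read `or that specify a distribution point`. The enclosing `match` on extension types and the function around it start and end outside this hunk.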
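Review bot: The Display text `Unsupported CRL distribution point in CSR` is all a caller sees, yet the csr.rs side returns this one variant for four distinct rejections (reasons set, cRLIssuer set, no distributionPoint, nameRelativeToCRLIssuer), so the message gives no hint which one tripped. I would widen it to `write!(f, "Unsupported CRL distribution point in CSR (only fullName URI DPs without reasons or cRLIssuer are supported)")?`, or, if the string should stay short, document the accepted shape on the enum variant's doc comment instead. The `Display` impl and its match start before this hunk.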