Extract write_extensions() method, reducing rightward drift

djc · djc · commit 32c4cdc4da8e · 2025-04-27T13:30:32.000Z
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -6,7 +6,7 @@ use pem::Pem;
 use pki_types::{CertificateDer, CertificateSigningRequestDer};
 use time::{Date, Month, OffsetDateTime, PrimitiveDateTime, Time};
 use yasna::models::ObjectIdentifier;
-use yasna::{DERWriter, Tag};
+use yasna::{DERWriter, DERWriterSeq, Tag};
 
 use crate::crl::CrlDistributionPoint;
 use crate::csr::CertificateSigningRequest;
@@ -667,150 +667,141 @@ impl CertificateParams {
 			}
 
 			writer.next().write_tagged(Tag::context(3), |writer| {
-				writer.write_sequence(|writer| {
-					if self.use_authority_key_identifier_extension {
-						write_x509_authority_key_identifier(
-							writer.next(),
-							match issuer.key_identifier_method {
-								KeyIdMethod::PreSpecified(aki) => aki.clone(),
-								#[cfg(feature = "crypto")]
-								_ => issuer
-									.key_identifier_method
-									.derive(issuer.key_pair.subject_public_key_info()),
-							},
-						);
-					}
-					// Write subject_alt_names
-					if !self.subject_alt_names.is_empty() {
-						self.write_subject_alt_names(writer.next());
-					}
+				writer
+					.write_sequence(|writer| self.write_extensions(writer, &pub_key_spki, &issuer))
+			})?;
 
-					// Write standard key usage
-					self.write_key_usage(writer.next());
+			Ok(())
+		})?;
 
-					// Write extended key usage
-					if !self.extended_key_usages.is_empty() {
-						write_x509_extension(writer.next(), oid::EXT_KEY_USAGE, false, |writer| {
-							writer.write_sequence(|writer| {
-								for usage in self.extended_key_usages.iter() {
-									let oid = ObjectIdentifier::from_slice(usage.oid());
-									writer.next().write_oid(&oid);
-								}
-							});
-						});
+		Ok(der.into())
+	}
+
+	fn write_extensions(
+		&self,
+		writer: &mut DERWriterSeq,
+		pub_key_spki: &[u8],
+		issuer: &Issuer<'_, impl SigningKey>,
+	) -> Result<(), Error> {
+		if self.use_authority_key_identifier_extension {
+			write_x509_authority_key_identifier(
+				writer.next(),
+				match issuer.key_identifier_method {
+					KeyIdMethod::PreSpecified(aki) => aki.clone(),
+					#[cfg(feature = "crypto")]
+					_ => issuer
+						.key_identifier_method
+						.derive(issuer.key_pair.subject_public_key_info()),
+				},
+			);
+		}
+
+		// Write subject_alt_names
+		self.write_subject_alt_names(writer.next());
+
+		// Write standard key usage
+		self.write_key_usage(writer.next());
+
+		// Write extended key usage
+		if !self.extended_key_usages.is_empty() {
+			write_x509_extension(writer.next(), oid::EXT_KEY_USAGE, false, |writer| {
+				writer.write_sequence(|writer| {
+					for usage in self.extended_key_usages.iter() {
+						let oid = ObjectIdentifier::from_slice(usage.oid());
+						writer.next().write_oid(&oid);
 					}
-					if let Some(name_constraints) = &self.name_constraints {
-						// If both trees are empty, the extension must be omitted.
-						if !name_constraints.is_empty() {
-							write_x509_extension(
+				});
+			});
+		}
+
+		if let Some(name_constraints) = &self.name_constraints {
+			// If both trees are empty, the extension must be omitted.
+			if !name_constraints.is_empty() {
+				write_x509_extension(writer.next(), oid::NAME_CONSTRAINTS, true, |writer| {
+					writer.write_sequence(|writer| {
+						if !name_constraints.permitted_subtrees.is_empty() {
+							write_general_subtrees(
 								writer.next(),
-								oid::NAME_CONSTRAINTS,
-								true,
-								|writer| {
-									writer.write_sequence(|writer| {
-										if !name_constraints.permitted_subtrees.is_empty() {
-											write_general_subtrees(
-												writer.next(),
-												0,
-												&name_constraints.permitted_subtrees,
-											);
-										}
-										if !name_constraints.excluded_subtrees.is_empty() {
-											write_general_subtrees(
-												writer.next(),
-												1,
-												&name_constraints.excluded_subtrees,
-											);
-										}
-									});
-								},
+								0,
+								&name_constraints.permitted_subtrees,
 							);
 						}
-					}
-					if !self.crl_distribution_points.is_empty() {
-						write_x509_extension(
-							writer.next(),
-							oid::CRL_DISTRIBUTION_POINTS,
-							false,
-							|writer| {
-								writer.write_sequence(|writer| {
-									for distribution_point in &self.crl_distribution_points {
-										distribution_point.write_der(writer.next());
-									}
-								})
-							},
-						);
-					}
-					match self.is_ca {
-						IsCa::Ca(ref constraint) => {
-							// Write subject_key_identifier
-							write_x509_extension(
-								writer.next(),
-								oid::SUBJECT_KEY_IDENTIFIER,
-								false,
-								|writer| {
-									writer.write_bytes(
-										&self.key_identifier_method.derive(pub_key_spki),
-									);
-								},
-							);
-							// Write basic_constraints
-							write_x509_extension(
-								writer.next(),
-								oid::BASIC_CONSTRAINTS,
-								true,
-								|writer| {
-									writer.write_sequence(|writer| {
-										writer.next().write_bool(true); // cA flag
-										if let BasicConstraints::Constrained(path_len_constraint) =
-											constraint
-										{
-											writer.next().write_u8(*path_len_constraint);
-										}
-									});
-								},
-							);
-						},
-						IsCa::ExplicitNoCa => {
-							// Write subject_key_identifier
-							write_x509_extension(
-								writer.next(),
-								oid::SUBJECT_KEY_IDENTIFIER,
-								false,
-								|writer| {
-									writer.write_bytes(
-										&self.key_identifier_method.derive(pub_key_spki),
-									);
-								},
-							);
-							// Write basic_constraints
-							write_x509_extension(
+						if !name_constraints.excluded_subtrees.is_empty() {
+							write_general_subtrees(
 								writer.next(),
-								oid::BASIC_CONSTRAINTS,
-								true,
-								|writer| {
-									writer.write_sequence(|writer| {
-										writer.next().write_bool(false); // cA flag
-									});
-								},
+								1,
+								&name_constraints.excluded_subtrees,
 							);
-						},
-						IsCa::NoCa => {},
-					}
+						}
+					});
+				});
+			}
+		}
 
-					// Write the custom extensions
-					for ext in &self.custom_extensions {
-						write_x509_extension(writer.next(), &ext.oid, ext.critical, |writer| {
-							writer.write_der(ext.content())
-						});
-					}
+		if !self.crl_distribution_points.is_empty() {
+			write_x509_extension(
+				writer.next(),
+				oid::CRL_DISTRIBUTION_POINTS,
+				false,
+				|writer| {
+					writer.write_sequence(|writer| {
+						for distribution_point in &self.crl_distribution_points {
+							distribution_point.write_der(writer.next());
+						}
+					})
+				},
+			);
+		}
+
+		match self.is_ca {
+			IsCa::Ca(ref constraint) => {
+				// Write subject_key_identifier
+				write_x509_extension(
+					writer.next(),
+					oid::SUBJECT_KEY_IDENTIFIER,
+					false,
+					|writer| {
+						writer.write_bytes(&self.key_identifier_method.derive(pub_key_spki));
+					},
+				);
+				// Write basic_constraints
+				write_x509_extension(writer.next(), oid::BASIC_CONSTRAINTS, true, |writer| {
+					writer.write_sequence(|writer| {
+						writer.next().write_bool(true); // cA flag
+						if let BasicConstraints::Constrained(path_len_constraint) = constraint {
+							writer.next().write_u8(*path_len_constraint);
+						}
+					});
 				});
-			});
+			},
+			IsCa::ExplicitNoCa => {
+				// Write subject_key_identifier
+				write_x509_extension(
+					writer.next(),
+					oid::SUBJECT_KEY_IDENTIFIER,
+					false,
+					|writer| {
+						writer.write_bytes(&self.key_identifier_method.derive(pub_key_spki));
+					},
+				);
+				// Write basic_constraints
+				write_x509_extension(writer.next(), oid::BASIC_CONSTRAINTS, true, |writer| {
+					writer.write_sequence(|writer| {
+						writer.next().write_bool(false); // cA flag
+					});
+				});
+			},
+			IsCa::NoCa => {},
+		}
 
-			Ok(())
-		})?;
+		// Write the custom extensions
+		for ext in &self.custom_extensions {
+			write_x509_extension(writer.next(), &ext.oid, ext.critical, |writer| {
+				writer.write_der(ext.content())
+			});
+		}
 
-		Ok(der.into())
+		Ok(())
 	}
 
 	/// Insert an extended key usage (EKU) into the parameters if it does not already exist
