lib: fix custom exts for CSR w/o SANs.

cpu · cpu · commit 6cdcd7bc18a0 · 2023-09-11T08:38:58.000-04:00
Previously when writing CSR DER from `CertificateParams` that specified
custom extensions, but did not specify any SANs, the serialization code
would skip over writing the PKCS9 extension request attribute.

This commit updates the serialization logic to ensure the attribute is
written when either SANs are provided, or custom extensions are present.

Prior to this update, the modified `test_x509_custom_ext` test fails,
reproducing the problem reported in the issue tracker:

```
'test_x509_custom_ext::custom_ext' panicked at 'missing requested extensions'
```

With the update, it passes again.
diff --git a/src/lib.rs b/src/lib.rs
@@ -911,7 +911,7 @@ impl CertificateParams {
 			// Write extensions
 			// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
 			writer.next().write_tagged(Tag::context(0), |writer| {
-				if !subject_alt_names.is_empty() {
+				if !subject_alt_names.is_empty() || !custom_extensions.is_empty() {
 					writer.write_sequence(|writer| {
 						let oid = ObjectIdentifier::from_slice(OID_PKCS_9_AT_EXTENSION_REQUEST);
 						writer.next().write_oid(&oid);
diff --git a/tests/generic.rs b/tests/generic.rs
@@ -111,6 +111,9 @@ mod test_x509_custom_ext {
 		// Generate a certificate with the custom extension, parse it with x509-parser.
 		let mut params = util::default_params();
 		params.custom_extensions = vec![custom_ext];
+		// Ensure the custom exts. being omitted into a CSR doesn't require SAN ext being present.
+		// See https://github.com/rustls/rcgen/issues/122
+		params.subject_alt_names = Vec::default();
 		let test_cert = Certificate::from_params(params).unwrap();
 		let test_cert_der = test_cert.serialize_der().unwrap();
 		let (_, x509_test_cert) = X509Certificate::from_der(&test_cert_der).unwrap();
