diff --git a/src/csr.rs b/src/csr.rs
index 0fc36d21..f0ee3913 100644
--- a/src/csr.rs
+++ b/src/csr.rs
@@ -4,7 +4,10 @@ use crate::{CustomExtension, DistinguishedName, SanType};
 use pem::Pem;
 use std::hash::Hash;
-use crate::{Certificate, CertificateParams, PublicKeyData, RcgenError, SignatureAlgorithm};
+use crate::{
+ BasicConstraints, Certificate, CertificateParams, IsCa, PublicKeyData, RcgenError,
+ SignatureAlgorithm,
+};
 /// A public key, extracted from a CSR
 #[derive(Debug, PartialEq, Eq, Hash)]
@@ -101,6 +104,20 @@ impl CertificateSigningRequest {
 params.key_identifier = ski.0.to_vec();
 true
 },
+ x509_parser::extensions::ParsedExtension::BasicConstraints(bc) => {
+ params.is_ca = match (bc.ca, bc.path_len_constraint) {
+ (false, _) => IsCa::ExplicitNoCa,
+ (true, None) => IsCa::Ca(BasicConstraints::Unconstrained),
+ (true, Some(len_constraint)) => {
+ IsCa::Ca(BasicConstraints::Constrained(
+ len_constraint.try_into().map_err(|_| {
+ RcgenError::UnsupportedBasicConstraintsPathLen
+ })?,
+ ))
+ },
+ };
+ true
+ },
 _ => false,
 };
 if !supported {
@@ -114,7 +131,6 @@ impl CertificateSigningRequest {
 }
 // Not yet handled:
-// * is_ca
 // * extended_key_usages
 // * name_constraints
 // and any other extensions.
diff --git a/src/error.rs b/src/error.rs
index 9f8d6bac..bef3231e 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -39,6 +39,9 @@ pub enum RcgenError {
 RingUnspecified,
 /// Time conversion related errors
 Time,
+ /// Unsupported basic constraints extension path length in CSR
+ #[cfg(feature = "x509-parser")]
+ UnsupportedBasicConstraintsPathLen,
 /// Unsupported extension requested in CSR
 #[cfg(feature = "x509-parser")]
 UnsupportedExtension,
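Review bot: Copying the requested BasicConstraints into `params.is_ca` means a CSR can ask to be issued a CA certificate, and nothing in this arm separates what the requester asked for from what the issuer has approved; the enclosing function starts outside the hunk, so its doc should state that `is_ca`, like the other fields taken from the request, is copied verbatim and that the signer must validate or override it before signing. The `(false, _)` arm also silently drops a pathLenConstraint sent together with cA=false, which RFC 5280 §4.2.1.9 says must not be present; rejecting that combination, e.g. `(false, Some(_)) => return Err(RcgenError::UnsupportedExtension),`, would avoid accepting a malformed request. The `try_into()` on `len_constraint` presumably narrows the parsed length to the range `BasicConstraints::Constrained` can hold; a comment on that line, `// lengths the Constrained payload cannot hold are rejected rather than truncated`, would make the purpose of the new error variant clear at its use site.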
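Review bot: The new `UnsupportedBasicConstraintsPathLen` variant carries no payload, so neither its doc comment nor the Display text added in the src/error.rs hunk on the following line can say which path length was rejected or why it is unsupported. Consider carrying the rejected length in the variant so the message can report it, or at least sharpen the doc comment to `/// The CSR's basic constraints path length could not be converted to rcgen's representation`; the Display message in the later hunk would benefit from the same wording.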
@@ -97,6 +100,11 @@ impl fmt::Display for RcgenError {
 DuplicateExtension(oid) => {
 write!(f, "Extension with OID {oid} present multiple times")?
 },
+ #[cfg(feature = "x509-parser")]
+ UnsupportedBasicConstraintsPathLen => write!(
+ f,
+ "Unsupported basic constraints extension path length constraint in CSR"
+ )?,
 };
 Ok(())
 }