Privatize CertificateParams::from_ca_cert_der()

Author: djc

rcgen/src/certificate.rs

@@ -165,38 +165,8 @@ impl CertificateParams {
 			.derive(key.subject_public_key_info())
 	}
 
-	/// Parses an existing ca certificate from the ASCII PEM format.
-	///
-	/// See [`from_ca_cert_der`](Self::from_ca_cert_der) for more details.
-	#[cfg(all(feature = "pem", feature = "x509-parser"))]
-	pub fn from_ca_cert_pem(pem_str: &str) -> Result<Self, Error> {
-		let certificate = pem::parse(pem_str).map_err(|_| Error::CouldNotParseCertificate)?;
-		Self::from_ca_cert_der(&certificate.contents().into())
-	}
-
-	/// Parses an existing ca certificate from the DER format.
-	///
-	/// This function is only of use if you have an existing CA certificate
-	/// you would like to use to sign a certificate generated by `rcgen`.
-	/// By providing the constructed [`CertificateParams`] and the [`SigningKey`]
-	/// associated with your existing `ca_cert` you can use [`CertificateParams::signed_by()`]
-	/// or [`crate::CertificateSigningRequestParams::signed_by()`] to issue new certificates
-	/// using the CA cert.
-	///
-	/// In general this function only extracts the information needed for signing.
-	/// Other attributes of the [`Certificate`] may be left as defaults.
-	///
-	/// This function assumes the provided certificate is a CA. It will not check
-	/// for the presence of the `BasicConstraints` extension, or perform any other
-	/// validation.
-	///
-	/// [`rustls_pemfile::certs()`] is often used to obtain a [`CertificateDer`] from PEM input.
-	/// If you already have a byte slice containing DER, it can trivially be converted into
-	/// [`CertificateDer`] using the [`Into`] trait.
-	///
-	/// [`rustls_pemfile::certs()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.certs.html
-	#[cfg(feature = "x509-parser")]
-	pub fn from_ca_cert_der(ca_cert: &CertificateDer<'_>) -> Result<Self, Error> {
+	#[cfg(all(test, feature = "x509-parser"))]
+	pub(crate) fn from_ca_cert_der(ca_cert: &CertificateDer<'_>) -> Result<Self, Error> {
 		let (_remainder, x509) = x509_parser::parse_x509_certificate(ca_cert)
 			.map_err(|_| Error::CouldNotParseCertificate)?;
 
@@ -801,7 +771,7 @@ pub enum ExtendedKeyUsagePurpose {
 }
 
 impl ExtendedKeyUsagePurpose {
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(test, feature = "x509-parser"))]
 	fn from_x509(x509: &x509_parser::certificate::X509Certificate<'_>) -> Result<Vec<Self>, Error> {
 		let extended_key_usage = x509
 			.extended_key_usage()
@@ -866,7 +836,7 @@ pub struct NameConstraints {
 }
 
 impl NameConstraints {
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(test, feature = "x509-parser"))]
 	fn from_x509(
 		x509: &x509_parser::certificate::X509Certificate<'_>,
 	) -> Result<Option<Self>, Error> {
@@ -919,7 +889,7 @@ pub enum GeneralSubtree {
 }
 
 impl GeneralSubtree {
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(test, feature = "x509-parser"))]
 	fn from_x509(
 		subtrees: &[x509_parser::extensions::GeneralSubtree<'_>],
 	) -> Result<Vec<Self>, Error> {
@@ -1091,7 +1061,7 @@ pub enum IsCa {
 }
 
 impl IsCa {
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(test, feature = "x509-parser"))]
 	fn from_x509(x509: &x509_parser::certificate::X509Certificate<'_>) -> Result<Self, Error> {
 		use x509_parser::extensions::BasicConstraints as B;
 
@@ -1133,11 +1103,16 @@ pub enum BasicConstraints {
 
 #[cfg(test)]
 mod tests {
+	#[cfg(feature = "x509-parser")]
+	use std::net::Ipv4Addr;
+
 	#[cfg(feature = "x509-parser")]
 	use pki_types::pem::PemObject;
 
 	#[cfg(feature = "pem")]
 	use super::*;
+	#[cfg(feature = "x509-parser")]
+	use crate::DnValue;
 	#[cfg(feature = "crypto")]
 	use crate::KeyPair;
 
@@ -1293,7 +1268,84 @@ mod tests {
 		}
 	}
 
-	#[cfg(all(feature = "x509-parser"))]
+	#[cfg(feature = "x509-parser")]
+	#[test]
+	fn parse_other_name_alt_name() {
+		// Create and serialize a certificate with an alternative name containing an "OtherName".
+		let mut params = CertificateParams::default();
+		let other_name = SanType::OtherName((vec![1, 2, 3, 4], "Foo".into()));
+		params.subject_alt_names.push(other_name.clone());
+		let key_pair = KeyPair::generate().unwrap();
+		let cert = params.self_signed(&key_pair).unwrap();
+
+		// We should be able to parse the certificate with x509-parser.
+		assert!(x509_parser::parse_x509_certificate(cert.der()).is_ok());
+
+		// We should be able to reconstitute params from the DER using x509-parser.
+		let params_from_cert = CertificateParams::from_ca_cert_der(cert.der()).unwrap();
+
+		// We should find the expected distinguished name in the reconstituted params.
+		let expected_alt_names = &[&other_name];
+		let subject_alt_names = params_from_cert
+			.subject_alt_names
+			.iter()
+			.collect::<Vec<_>>();
+		assert_eq!(subject_alt_names, expected_alt_names);
+	}
+
+	#[cfg(feature = "x509-parser")]
+	#[test]
+	fn parse_ia5string_subject() {
+		// Create and serialize a certificate with a subject containing an IA5String email address.
+		let email_address_dn_type = DnType::CustomDnType(vec![1, 2, 840, 113549, 1, 9, 1]); // id-emailAddress
+		let email_address_dn_value = DnValue::Ia5String("foo@bar.com".try_into().unwrap());
+		let mut params = CertificateParams::new(vec!["crabs".to_owned()]).unwrap();
+		params.distinguished_name = DistinguishedName::new();
+		params.distinguished_name.push(
+			email_address_dn_type.clone(),
+			email_address_dn_value.clone(),
+		);
+		let key_pair = KeyPair::generate().unwrap();
+		let cert = params.self_signed(&key_pair).unwrap();
+
+		// We should be able to parse the certificate with x509-parser.
+		assert!(x509_parser::parse_x509_certificate(cert.der()).is_ok());
+
+		// We should be able to reconstitute params from the DER using x509-parser.
+		let params_from_cert = CertificateParams::from_ca_cert_der(cert.der()).unwrap();
+
+		// We should find the expected distinguished name in the reconstituted params.
+		let expected_names = &[(&email_address_dn_type, &email_address_dn_value)];
+		let names = params_from_cert
+			.distinguished_name
+			.iter()
+			.collect::<Vec<(_, _)>>();
+		assert_eq!(names, expected_names);
+	}
+
+	#[cfg(feature = "x509-parser")]
+	#[test]
+	fn converts_from_ip() {
+		let ip = Ipv4Addr::new(2, 4, 6, 8);
+		let ip_san = SanType::IpAddress(IpAddr::V4(ip));
+
+		let mut params = CertificateParams::new(vec!["crabs".to_owned()]).unwrap();
+		let ca_key = KeyPair::generate().unwrap();
+
+		// Add the SAN we want to test the parsing for
+		params.subject_alt_names.push(ip_san.clone());
+
+		// Because we're using a function for CA certificates
+		params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+
+		// Serialize our cert that has our chosen san, so we can testing parsing/deserializing it.
+		let cert = params.self_signed(&ca_key).unwrap();
+
+		let actual = CertificateParams::from_ca_cert_der(cert.der()).unwrap();
+		assert!(actual.subject_alt_names.contains(&ip_san));
+	}
+
+	#[cfg(feature = "x509-parser")]
 	mod test_key_identifier_from_ca {
 		use super::*;
 

rcgen/src/csr.rs

@@ -208,3 +208,42 @@ impl CertificateSigningRequestParams {
 		})
 	}
 }
+
+#[cfg(all(test, feature = "x509-parser"))]
+mod tests {
+	use crate::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose};
+	use x509_parser::certification_request::X509CertificationRequest;
+	use x509_parser::prelude::{FromDer, ParsedExtension};
+
+	#[test]
+	fn dont_write_sans_extension_if_no_sans_are_present() {
+		let mut params = CertificateParams::default();
+		params.key_usages.push(KeyUsagePurpose::DigitalSignature);
+		let key_pair = KeyPair::generate().unwrap();
+		let csr = params.serialize_request(&key_pair).unwrap();
+		let (_, parsed_csr) = X509CertificationRequest::from_der(csr.der()).unwrap();
+		assert!(!parsed_csr
+			.requested_extensions()
+			.unwrap()
+			.any(|ext| matches!(ext, ParsedExtension::SubjectAlternativeName(_))));
+	}
+
+	#[test]
+	fn write_extension_request_if_ekus_are_present() {
+		let mut params = CertificateParams::default();
+		params
+			.extended_key_usages
+			.push(ExtendedKeyUsagePurpose::ClientAuth);
+		let key_pair = KeyPair::generate().unwrap();
+		let csr = params.serialize_request(&key_pair).unwrap();
+		let (_, parsed_csr) = X509CertificationRequest::from_der(csr.der()).unwrap();
+		let requested_extensions = parsed_csr
+			.requested_extensions()
+			.unwrap()
+			.collect::<Vec<_>>();
+		assert!(matches!(
+			requested_extensions.first().unwrap(),
+			ParsedExtension::ExtendedKeyUsage(_)
+		));
+	}
+}

rcgen/src/lib.rs

@@ -274,7 +274,7 @@ pub enum SanType {
 }
 
 impl SanType {
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(test, feature = "x509-parser"))]
 	fn from_x509(x509: &x509_parser::certificate::X509Certificate<'_>) -> Result<Vec<Self>, Error> {
 		let sans = x509
 			.subject_alternative_name()

rcgen/tests/generic.rs

@@ -38,34 +38,6 @@ mod test_key_params_mismatch {
 	}
 }
 
-#[cfg(feature = "x509-parser")]
-mod test_convert_x509_subject_alternative_name {
-	use rcgen::{BasicConstraints, CertificateParams, IsCa, SanType};
-	use std::net::{IpAddr, Ipv4Addr};
-
-	#[test]
-	fn converts_from_ip() {
-		let ip = Ipv4Addr::new(2, 4, 6, 8);
-		let ip_san = SanType::IpAddress(IpAddr::V4(ip));
-
-		let (mut params, ca_key) = super::util::default_params();
-
-		// Add the SAN we want to test the parsing for
-		params.subject_alt_names.push(ip_san.clone());
-
-		// Because we're using a function for CA certificates
-		params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
-
-		let cert = params.self_signed(&ca_key).unwrap();
-
-		// Serialize our cert that has our chosen san, so we can testing parsing/deserializing it.
-		let ca_der = cert.der();
-
-		let actual = CertificateParams::from_ca_cert_der(ca_der).unwrap();
-		assert!(actual.subject_alt_names.contains(&ip_san));
-	}
-}
-
 #[cfg(feature = "x509-parser")]
 mod test_x509_custom_ext {
 	use crate::util;
@@ -347,74 +319,6 @@ mod test_parse_crl_dps {
 	}
 }
 
-#[cfg(feature = "x509-parser")]
-mod test_parse_ia5string_subject {
-	use crate::util;
-	use rcgen::DnType::CustomDnType;
-	use rcgen::{CertificateParams, DistinguishedName, DnValue};
-
-	#[test]
-	fn parse_ia5string_subject() {
-		// Create and serialize a certificate with a subject containing an IA5String email address.
-		let email_address_dn_type = CustomDnType(vec![1, 2, 840, 113549, 1, 9, 1]); // id-emailAddress
-		let email_address_dn_value = DnValue::Ia5String("foo@bar.com".try_into().unwrap());
-		let (mut params, key_pair) = util::default_params();
-		params.distinguished_name = DistinguishedName::new();
-		params.distinguished_name.push(
-			email_address_dn_type.clone(),
-			email_address_dn_value.clone(),
-		);
-		let cert = params.self_signed(&key_pair).unwrap();
-		let cert_der = cert.der();
-
-		// We should be able to parse the certificate with x509-parser.
-		assert!(x509_parser::parse_x509_certificate(cert_der).is_ok());
-
-		// We should be able to reconstitute params from the DER using x509-parser.
-		let params_from_cert = CertificateParams::from_ca_cert_der(cert_der).unwrap();
-
-		// We should find the expected distinguished name in the reconstituted params.
-		let expected_names = &[(&email_address_dn_type, &email_address_dn_value)];
-		let names = params_from_cert
-			.distinguished_name
-			.iter()
-			.collect::<Vec<(_, _)>>();
-		assert_eq!(names, expected_names);
-	}
-}
-
-#[cfg(feature = "x509-parser")]
-mod test_parse_other_name_alt_name {
-	use rcgen::{CertificateParams, KeyPair, SanType};
-
-	#[test]
-	fn parse_other_name_alt_name() {
-		// Create and serialize a certificate with an alternative name containing an "OtherName".
-		let mut params = CertificateParams::default();
-		let other_name = SanType::OtherName((vec![1, 2, 3, 4], "Foo".into()));
-		params.subject_alt_names.push(other_name.clone());
-		let key_pair = KeyPair::generate().unwrap();
-
-		let cert = params.self_signed(&key_pair).unwrap();
-
-		let cert_der = cert.der();
-
-		// We should be able to parse the certificate with x509-parser.
-		assert!(x509_parser::parse_x509_certificate(cert_der).is_ok());
-
-		// We should be able to reconstitute params from the DER using x509-parser.
-		let params_from_cert = CertificateParams::from_ca_cert_der(cert_der).unwrap();
-
-		// We should find the expected distinguished name in the reconstituted params.
-		let expected_alt_names = &[&other_name];
-		let subject_alt_names = params_from_cert
-			.subject_alt_names
-			.iter()
-			.collect::<Vec<_>>();
-		assert_eq!(subject_alt_names, expected_alt_names);
-	}
-}
-
 #[cfg(feature = "x509-parser")]
 mod test_csr_extension_request {
 	use rcgen::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose};