Fix: Don't forget to write EKUs in CSRs

Author: lvkv

rcgen/src/certificate.rs

@@ -546,6 +546,12 @@ impl CertificateParams {
 			return Err(Error::UnsupportedInCsr);
 		}
 
+		// Whether or not to write an extension request attribute
+		let write_extension_request = !key_usages.is_empty()
+			|| !subject_alt_names.is_empty()
+			|| !extended_key_usages.is_empty()
+			|| !custom_extensions.is_empty();
+
 		let der = subject_key.sign_der(|writer| {
 			// Write version
 			writer.next().write_u8(0);
@@ -556,10 +562,7 @@ impl CertificateParams {
 			// Write extensions
 			// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
 			writer.next().write_tagged(Tag::context(0), |writer| {
-				if !key_usages.is_empty()
-					|| !subject_alt_names.is_empty()
-					|| !custom_extensions.is_empty()
-				{
+				if write_extension_request {
 					writer.write_sequence(|writer| {
 						let oid = ObjectIdentifier::from_slice(oid::PKCS_9_AT_EXTENSION_REQUEST);
 						writer.next().write_oid(&oid);

rcgen/tests/generic.rs

@@ -375,6 +375,25 @@ mod test_csr_extension_request {
 			.unwrap()
 			.any(|ext| matches!(ext, ParsedExtension::SubjectAlternativeName(_))));
 	}
+
+	#[test]
+	fn write_extension_request_if_ekus_are_present() {
+		let mut params = CertificateParams::default();
+		params
+			.extended_key_usages
+			.push(ExtendedKeyUsagePurpose::ClientAuth);
+		let key_pair = KeyPair::generate().unwrap();
+		let csr = params.serialize_request(&key_pair).unwrap();
+		let (_, parsed_csr) = X509CertificationRequest::from_der(csr.der()).unwrap();
+		let requested_extensions = parsed_csr
+			.requested_extensions()
+			.unwrap()
+			.collect::<Vec<_>>();
+		assert!(matches!(
+			requested_extensions.first().unwrap(),
+			ParsedExtension::ExtendedKeyUsage(_)
+		));
+	}
 }
 
 #[cfg(feature = "x509-parser")]