x509-cert: builder: follow rules from RFC5280 to set certificate's ve…

…rsion Follow the rules from RFC 5280 Section 4.1.2.1 to set the certificate's version depending on the presence of the extensions and identifiers. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
RustCrypto · Apr 16, 2023 · 712d6b2 · 712d6b2
1 parent c20c098
commit 712d6b2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 25 deletions.
diff --git a/x509-cert/src/builder.rs b/x509-cert/src/builder.rs
@@ -248,7 +248,6 @@ where
     /// Creates a new certificate builder
     pub fn new<Signature>(
         profile: Profile,
-        version: Version,
         serial_number: SerialNumber,
         mut validity: Validity,
         subject: Name,
@@ -270,7 +269,7 @@ where
         validity.not_after.rfc5280_adjust_utc_time()?;
 
         let mut tbs = TbsCertificate {
-            version,
+            version: Version::V3,
             serial_number,
             signature: signature_alg,
             issuer,
@@ -288,15 +287,13 @@ where
             subject_unique_id: None,
         };
 
-        if tbs.version == Version::V3 {
-            let extensions = profile.build_extensions(
-                tbs.subject_public_key_info.owned_to_ref(),
-                signer_pub.owned_to_ref(),
-                &tbs,
-            )?;
-            if !extensions.is_empty() {
-                tbs.extensions = Some(extensions);
-            }
+        let extensions = profile.build_extensions(
+            tbs.subject_public_key_info.owned_to_ref(),
+            signer_pub.owned_to_ref(),
+            &tbs,
+        )?;
+        if !extensions.is_empty() {
+            tbs.extensions = Some(extensions);
         }
 
         Ok(Self { tbs, signer })
@@ -319,11 +316,18 @@ where
     }
 
     /// Run the certificate through the signer and build the end certificate.
-    pub fn build<Signature>(self) -> Result<Certificate>
+    pub fn build<Signature>(mut self) -> Result<Certificate>
     where
         S: Signer<Signature>,
         Signature: SignatureEncoding,
     {
+        if self.tbs.extensions.is_none() {
+            if self.tbs.issuer_unique_id.is_some() || self.tbs.subject_unique_id.is_some() {
+                self.tbs.version = Version::V2;
+            } else {
+                self.tbs.version = Version::V1;
+            }
+        }
         let signature = self.signer.try_sign(&self.tbs.to_der()?)?;
         let signature = BitString::from_bytes(signature.to_bytes().as_ref())?;
 

diff --git a/x509-cert/tests/builder.rs b/x509-cert/tests/builder.rs
@@ -9,7 +9,6 @@ use spki::SubjectPublicKeyInfoOwned;
 use std::{str::FromStr, time::Duration};
 use x509_cert::{
     builder::{CertificateBuilder, Profile},
-    certificate::Version,
     name::Name,
     serial_number::SerialNumber,
     time::Validity,
@@ -32,16 +31,9 @@ fn root_ca_certificate() {
         SubjectPublicKeyInfoOwned::try_from(RSA_2048_DER_EXAMPLE).expect("get rsa pub key");
 
     let signer = rsa_signer();
-    let builder = CertificateBuilder::new(
-        profile,
-        Version::V3,
-        serial_number,
-        validity,
-        subject,
-        pub_key,
-        &signer,
-    )
-    .expect("Create certificate");
+    let builder =
+        CertificateBuilder::new(profile, serial_number, validity, subject, pub_key, &signer)
+            .expect("Create certificate");
 
     let certificate = builder.build().unwrap();
 
@@ -78,7 +70,6 @@ fn sub_ca_certificate() {
     let signer = ecdsa_signer();
     let builder = CertificateBuilder::new::<ecdsa::Signature<NistP256>>(
         profile,
-        Version::V3,
         serial_number,
         validity,
         subject,
@@ -130,7 +121,6 @@ fn leaf_certificate() {
     let signer = ecdsa_signer();
     let builder = CertificateBuilder::new::<ecdsa::Signature<NistP256>>(
         profile,
-        Version::V3,
         serial_number,
         validity,
         subject,