Track issuer key usages

rcgen/src/certificate.rs

@@ -156,6 +156,7 @@ impl CertificateParams {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
 			key_identifier_method: &issuer.params.key_identifier_method,
+			key_usages: &issuer.params.key_usages,
 			key_pair: issuer_key,
 		};
 
@@ -176,6 +177,7 @@ impl CertificateParams {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
+			key_usages: &self.key_usages,
 			key_pair,
 		};
 

rcgen/src/crl.rs

@@ -191,22 +191,21 @@ impl CertificateRevocationListParams {
 		issuer: &Certificate,
 		issuer_key: &KeyPair,
 	) -> Result<CertificateRevocationList, Error> {
-		if !issuer.params.key_usages.is_empty()
-			&& !issuer.params.key_usages.contains(&KeyUsagePurpose::CrlSign)
-		{
-			return Err(Error::IssuerNotCrlSigner);
-		}
-
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
 		}
 
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
 			key_identifier_method: &issuer.params.key_identifier_method,
+			key_usages: &issuer.params.key_usages,
 			key_pair: issuer_key,
 		};
 
+		if !issuer.key_usages.is_empty() && !issuer.key_usages.contains(&KeyUsagePurpose::CrlSign) {
+			return Err(Error::IssuerNotCrlSigner);
+		}
+
 		Ok(CertificateRevocationList {
 			der: self.serialize_der(issuer)?.into(),
 			params: self,

rcgen/src/csr.rs

@@ -154,6 +154,7 @@ impl CertificateSigningRequestParams {
 		let issuer = Issuer {
 			distinguished_name: &issuer.params.distinguished_name,
 			key_identifier_method: &issuer.params.key_identifier_method,
+			key_usages: &issuer.params.key_usages,
 			key_pair: issuer_key,
 		};
 

rcgen/src/lib.rs

@@ -133,6 +133,7 @@ pub fn generate_simple_self_signed(
 struct Issuer<'a> {
 	distinguished_name: &'a DistinguishedName,
 	key_identifier_method: &'a KeyIdMethod,
+	key_usages: &'a [KeyUsagePurpose],
 	key_pair: &'a KeyPair,
 }