diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
index 40269451..e69cd2de 100644
--- a/rcgen/src/certificate.rs
+++ b/rcgen/src/certificate.rs
@@ -156,6 +156,7 @@ impl CertificateParams {
 let issuer = Issuer {
 distinguished_name: &issuer.params.distinguished_name,
 key_identifier_method: &issuer.params.key_identifier_method,
+ key_usages: &issuer.params.key_usages,
 key_pair: issuer_key,
 };
 
@@ -176,6 +177,7 @@ impl CertificateParams {
 let issuer = Issuer {
 distinguished_name: &self.distinguished_name,
 key_identifier_method: &self.key_identifier_method,
+ key_usages: &self.key_usages,
 key_pair,
 };
 
diff --git a/rcgen/src/crl.rs b/rcgen/src/crl.rs
index 95b27802..8250b88a 100644
--- a/rcgen/src/crl.rs
+++ b/rcgen/src/crl.rs
@@ -191,12 +191,6 @@ impl CertificateRevocationListParams {
 issuer: &Certificate,
 issuer_key: &KeyPair,
 ) -> Result {
- if !issuer.params.key_usages.is_empty()
- && !issuer.params.key_usages.contains(&KeyUsagePurpose::CrlSign)
- {
- return Err(Error::IssuerNotCrlSigner);
- }
-
 if self.next_update.le(&self.this_update) {
 return Err(Error::InvalidCrlNextUpdate);
 }
@@ -204,9 +198,14 @@ impl CertificateRevocationListParams {
 let issuer = Issuer {
 distinguished_name: &issuer.params.distinguished_name,
 key_identifier_method: &issuer.params.key_identifier_method,
+ key_usages: &issuer.params.key_usages,
 key_pair: issuer_key,
 };
 
+ if !issuer.key_usages.is_empty() && !issuer.key_usages.contains(&KeyUsagePurpose::CrlSign) {
+ return Err(Error::IssuerNotCrlSigner);
+ }
+
 Ok(CertificateRevocationList {
 der: self.serialize_der(issuer)?.into(),
 params: self,
diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
index 58b450df..5eb85c29 100644
--- a/rcgen/src/csr.rs
+++ b/rcgen/src/csr.rs
@@ -154,6 +154,7 @@ impl CertificateSigningRequestParams {
 let issuer = Issuer {
 distinguished_name: &issuer.params.distinguished_name,
 key_identifier_method: &issuer.params.key_identifier_method,
+ key_usages: &issuer.params.key_usages,
 key_pair: issuer_key,
 };
 
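Review bot: Nothing visible in the first certificate.rs hunk checks the issuer's `key_usages` before signing, even though crl.rs rejects an issuer whose non-empty usages lack `KeyUsagePurpose::CrlSign`. Unless the value is checked further down (the function body starts and ends outside the hunk), an issuer whose keyUsage omits certificate signing would still yield a certificate that RFC 5280 path validation rejects. Consider a parallel guard, `if !issuer.key_usages.is_empty() && !issuer.key_usages.contains(&KeyUsagePurpose::KeyCertSign) { return Err(/* suitable Error variant */); }`, or a comment stating that the certificate path is intentionally lenient. The csr.rs hunk has the same shape.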
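Review bot: Moving the `CrlSign` check below the `next_update` validation in the second crl.rs hunk changes which error a caller sees when both conditions fail: `Error::InvalidCrlNextUpdate` is now returned ahead of `Error::IssuerNotCrlSigner`. If callers or tests match on the error value, pin that ordering with a test or restore the earlier precedence. The condition also silently treats an empty list as permission to sign, so a one-line comment would help, e.g. `// Empty key_usages is treated as unrestricted; otherwise CrlSign must be present.` The function body starts and ends outside the hunk.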
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
index 796e9570..912e9d91 100644
--- a/rcgen/src/lib.rs
+++ b/rcgen/src/lib.rs
@@ -133,6 +133,7 @@ pub fn generate_simple_self_signed(
 struct Issuer<'a> {
 distinguished_name: &'a DistinguishedName,
 key_identifier_method: &'a KeyIdMethod,
+ key_usages: &'a [KeyUsagePurpose],
 key_pair: &'a KeyPair,
 }
 
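Review bot: The new `key_usages` field has no doc comment, and the CRL check in crl.rs depends on an empty slice meaning "unrestricted", which the type alone does not convey. Add something like `/// Key usages declared by the issuer; an empty slice is treated as no restriction.` above the field so future signing paths apply the same interpretation.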