| author | Steven Fackler <[email protected]> | 2016-01-28 22:37:48 -0800 |
|---|---|---|
| committer | Steven Fackler <[email protected]> | 2016-01-28 22:37:48 -0800 |
| commit | 274715fad070d21b6b706f336bd42b1ce99ce975 (patch) | |
| tree | 3eda8a71cb8f981bfcae1832d3c6f8826fa1f730 /openssl/src/x509/tests.rs | |
| parent | Bump openssl version to test with (diff) | |
| parent | Preserve X.509 extension insertion order. (diff) | |
Merge pull request #343 from jimmycuadra/ordered-extensions
Preserve X.509 extension insertion order
Diffstat (limited to 'openssl/src/x509/tests.rs')
| -rw-r--r-- | openssl/src/x509/tests.rs | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index 43ad0dec..35690e05 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -39,6 +39,30 @@ fn test_cert_gen() {
 assert_eq!(pkey.save_pub(), cert.public_key().save_pub());
 }
 
+/// SubjectKeyIdentifier must be added before AuthorityKeyIdentifier or OpenSSL
+/// is "unable to get issuer keyid." This test ensures the order of insertion
+/// for extensions is preserved when the cert is signed.
+#[test]
+fn test_cert_gen_extension_ordering() {
+ get_generator()
+ .add_extension(OtherNid(Nid::SubjectKeyIdentifier, "hash".to_owned()))
+ .add_extension(OtherNid(Nid::AuthorityKeyIdentifier, "keyid:always".to_owned()))
+ .generate()
+ .expect("Failed to generate cert with order-dependent extensions");
+}
+
+/// Proves that a passing result from `test_cert_gen_extension_ordering` is
+/// deterministic by reversing the order of extensions and asserting failure.
+#[test]
+fn test_cert_gen_extension_bad_ordering() {
+ let result = get_generator()
+ .add_extension(OtherNid(Nid::AuthorityKeyIdentifier, "keyid:always".to_owned()))
+ .add_extension(OtherNid(Nid::SubjectKeyIdentifier, "hash".to_owned()))
+ .generate();
+
+ assert!(result.is_err());
+}
+
 #[test]
 fn test_req_gen() {
 let mut pkey = PKey::new(); |
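Review bot: `assert!(result.is_err());` in `test_cert_gen_extension_bad_ordering` accepts any failure of `generate()`, so the test keeps passing if generation breaks for a reason unrelated to extension order, and it then no longer shows that ordering is what matters. If the error type returned by `generate()` exposes the underlying OpenSSL error text (not visible in this hunk), the assertion should check for the "unable to get issuer keyid" condition that the doc comment on `test_cert_gen_extension_ordering` names. Failing that, add a comment above the assert such as `// Any Err passes here; the expected cause is OpenSSL failing to find the issuer keyid.` The positive test likewise only checks that `generate()` succeeds; it would be stronger if it also confirmed that both extensions are present on the resulting certificate, API permitting.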