aboutsummaryrefslogtreecommitdiff
path: root/openssl/src/x509/tests.rs
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/src/x509/tests.rs')
-rw-r--r--openssl/src/x509/tests.rs24
1 files changed, 24 insertions, 0 deletions
diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs
index 43ad0dec..35690e05 100644
--- a/openssl/src/x509/tests.rs
+++ b/openssl/src/x509/tests.rs
@@ -39,6 +39,30 @@ fn test_cert_gen() {
assert_eq!(pkey.save_pub(), cert.public_key().save_pub());
}
+/// SubjectKeyIdentifier must be added before AuthorityKeyIdentifier or OpenSSL
+/// is "unable to get issuer keyid." This test ensures the order of insertion
+/// for extensions is preserved when the cert is signed.
+#[test]
+fn test_cert_gen_extension_ordering() {
+ get_generator()
+ .add_extension(OtherNid(Nid::SubjectKeyIdentifier, "hash".to_owned()))
+ .add_extension(OtherNid(Nid::AuthorityKeyIdentifier, "keyid:always".to_owned()))
+ .generate()
+ .expect("Failed to generate cert with order-dependent extensions");
+}
+
+/// Proves that a passing result from `test_cert_gen_extension_ordering` is
+/// deterministic by reversing the order of extensions and asserting failure.
+#[test]
+fn test_cert_gen_extension_bad_ordering() {
+ let result = get_generator()
+ .add_extension(OtherNid(Nid::AuthorityKeyIdentifier, "keyid:always".to_owned()))
+ .add_extension(OtherNid(Nid::SubjectKeyIdentifier, "hash".to_owned()))
+ .generate();
+
+ assert!(result.is_err());
+}
+
#[test]
fn test_req_gen() {
let mut pkey = PKey::new();
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-23 08:06:11 +0000