lib: add cert CRL distribution points ext. support.

This branch extends rcgen to allow generating certificates that contain
an RFC 5280 certificate revocation list (CRL) distribution points
extension. This is a useful mechanism for helping ensure CRL coverage
when performing revocation checks, and is newly supported by
rustls/webpki. See this upstream webpki issue[0] and RFC 5280
§4.2.1.13[1] for more background.

Using the new `crl_distribution_points` field of the `CertificateParams`
struct it's possible to encode one or more distribution points
specifying URI general names where up-to-date CRL information for the
certificate can be found.

Similar to existing rcgen CRL generation, the support for this extension
is not extensive, but instead tailored towards usage in the web PKI with
a RFC 5280 profile.

Notably this means:
* There's no support for specifying the 'reasons' flag - RFC 5280
  "RECOMMENDS against segmenting CRLs by reason code".
* There's no support for specifying a 'cRLIssuer' in the DP - this is
  specific to indirect CRLs, and neither rcgen's CRL generation code or
  webpki's parsing/validation support these.
* There's no support for specifying a 'nameRelativeToCrlIssuer' in the
  DP name instead of a sequence of general names for similar reasons as
  above: 5280 says: "Conforming CAs SHOULD NOT use
  nameRelativeToCRLIssuer to specify distribution point names."
* There's no support for specifying general names of type other than URI
  within a DP name's full name. Other name types either don't make sense
  in the context of this extension, or are rarely useful in practice
  (e.g. directory name).

Test coverage is mixed based on the support of the relevant third party
libraries. OpenSSL and openssl-rs parse this extension well, and so the
`openssl.rs` test coverage is the most extensive. The `x509-parser`
crate can pull out the extension, but doesn't decompose the value (I may
attempt to land code for this upstream in the future, stay tuned).
Webpki recognizes this extension for use during revocation checking, but
doesn't expose it externally so a simple parse test is added. Botan's
rust bindings do not recognize the extension or offer a way to pull out
arbitrary extensions, so no test coverage is added there.

[0] rustls/webpki#121
[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13

Author: cpu

src/lib.rs

@@ -140,9 +140,13 @@ const OID_AUTHORITY_KEY_IDENTIFIER :&[u64] = &[2, 5, 29, 35];
 const OID_EXT_KEY_USAGE :&[u64] = &[2, 5, 29, 37];
 
 // id-ce-nameConstraints in
-/// https://tools.ietf.org/html/rfc5280#section-4.2.1.10
+// https://tools.ietf.org/html/rfc5280#section-4.2.1.10
 const OID_NAME_CONSTRAINTS :&[u64] = &[2, 5, 29, 30];
 
+// id-ce-cRLDistributionPoints in
+// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13
+const OID_CRL_DISTRIBUTION_POINTS :&[u64] = &[2, 5, 29, 31];
+
 // id-pe-acmeIdentifier in
 // https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1
 const OID_PE_ACME :&[u64] = &[1, 3, 6, 1, 5, 5, 7, 1, 31];
@@ -733,6 +737,12 @@ pub struct CertificateParams {
 	pub key_usages :Vec<KeyUsagePurpose>,
 	pub extended_key_usages :Vec<ExtendedKeyUsagePurpose>,
 	pub name_constraints :Option<NameConstraints>,
+	/// An optional list of certificate revocation list (CRL) distribution points as described
+	/// in RFC 5280 Section 4.2.1.13[^1]. Each distribution point contains one or more URIs where
+	/// an up-to-date CRL with scope including this certificate can be retrieved.
+	///
+	/// [^1]: <https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13>
+	pub crl_distribution_points :Vec<CrlDistributionPoint>,
 	pub custom_extensions :Vec<CustomExtension>,
 	/// The certificate's key pair, a new random key pair will be generated if this is `None`
 	pub key_pair :Option<KeyPair>,
@@ -762,6 +772,7 @@ impl Default for CertificateParams {
 			key_usages : Vec::new(),
 			extended_key_usages : Vec::new(),
 			name_constraints : None,
+			crl_distribution_points : Vec::new(),
 			custom_extensions : Vec::new(),
 			key_pair : None,
 			use_authority_key_identifier_extension : false,
@@ -1020,6 +1031,7 @@ impl CertificateParams {
 			key_usages,
 			extended_key_usages,
 			name_constraints,
+			crl_distribution_points,
 			custom_extensions,
 			key_pair,
 			use_authority_key_identifier_extension,
@@ -1037,6 +1049,7 @@ impl CertificateParams {
 			|| !key_usages.is_empty()
 			|| !extended_key_usages.is_empty()
 			|| name_constraints.is_some()
+			|| !crl_distribution_points.is_empty()
 			|| *use_authority_key_identifier_extension
 		{
 			return Err(RcgenError::UnsupportedInCsr);
@@ -1230,6 +1243,15 @@ impl CertificateParams {
 								});
 							}
 						}
+						if !self.crl_distribution_points.is_empty() {
+							write_x509_extension(writer.next(), OID_CRL_DISTRIBUTION_POINTS, false, |writer| {
+								writer.write_sequence(|writer| {
+									for distribution_point in &self.crl_distribution_points {
+										write_crl_distribution_point(writer.next(), distribution_point);
+									}
+								})
+							});
+						}
 						match self.is_ca {
 							IsCa::Ca(ref constraint) => {
 								// Write subject_key_identifier
@@ -1381,6 +1403,15 @@ impl NameConstraints {
 	}
 }
 
+/// A certificate revocation list (CRL) distribution point, to be included in a certificate's
+/// [distribution points extension](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13).
+#[derive(Debug, PartialEq, Eq, Clone)]
+pub struct CrlDistributionPoint {
+	/// One or more URI distribution point names, indicating a place the current CRL can
+	/// be retrieved. When present, SHOULD include at least one LDAP or HTTP URI.
+	pub uris :Vec<String>,
+}
+
 /// One of the purposes contained in the [key usage](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) extension
 #[derive(Debug, PartialEq, Eq, Hash, Clone)]
 pub enum KeyUsagePurpose {
@@ -1797,6 +1828,29 @@ fn write_general_subtrees(writer :DERWriter, tag :u64, general_subtrees :&[Gener
 	});
 }
 
+fn write_crl_distribution_point(writer :DERWriter, dp :&CrlDistributionPoint) {
+	// DistributionPoint SEQUENCE
+	writer.write_sequence(|writer| {
+		// distributionPoint DistributionPointName
+		writer.next().write_tagged_implicit(Tag::context(0), |writer| {
+			writer.write_sequence(|writer| {
+				// fullName GeneralNames
+				writer.next().write_tagged_implicit(Tag::context(0), | writer| {
+					// GeneralNames
+					writer.write_sequence(|writer| {
+						for uri in dp.uris.iter() {
+							// uniformResourceIdentifier [6] IA5String,
+							writer.next().write_tagged_implicit(Tag::context(6), |writer| {
+								writer.write_ia5_string(uri)
+							});
+						}
+					})
+				});
+			});
+		});
+	});
+}
+
 impl Certificate {
 	/// Generates a new certificate from the given parameters.
 	/// 

tests/generic.rs

@@ -123,4 +123,27 @@ mod test_x509_parser_crl {
 		// We should be able to verify the CRL signature with the issuer.
 		assert!(x509_crl.verify_signature(&x509_issuer.public_key()).is_ok());
 	}
-}
+}
+
+#[cfg(feature = "x509-parser")]
+mod test_parse_crl_dps {
+	use crate::util;
+
+	#[test]
+	fn parse_crl_dps() {
+		// Generate and parse a certificate that includes two CRL distribution points.
+		let der = util::cert_with_crl_dps();
+		let (_, parsed_cert) = x509_parser::parse_x509_certificate(&der).unwrap();
+
+		// We should find a CRL DP extension was parsed.
+		let crl_dps = parsed_cert.get_extension_unique(&x509_parser::oid_registry::OID_X509_EXT_CRL_DISTRIBUTION_POINTS)
+			.expect("malformed CRL distribution points extension")
+			.expect("missing CRL distribution points extension");
+
+		// The extension should not be critical.
+		assert!(!crl_dps.critical);
+
+		// TODO(XXX): x509-parser does not parse this extension yet, limiting what we can test from
+		// 	here. See `openssl.rs` for more thorough coverage.
+	}
+}

tests/openssl.rs

@@ -1,5 +1,4 @@
-use rcgen::{Certificate, NameConstraints, GeneralSubtree, IsCa,
-	BasicConstraints, CertificateParams, DnType, DnValue};
+use rcgen::{Certificate, NameConstraints, GeneralSubtree, IsCa, BasicConstraints, CertificateParams, DnType, DnValue};
 use openssl::pkey::PKey;
 use openssl::x509::{CrlStatus, X509, X509Crl, X509Req, X509StoreContext};
 use openssl::x509::store::{X509StoreBuilder, X509Store};
@@ -426,4 +425,35 @@ fn test_openssl_crl_parse() {
 	// We should be able to verify the CRL signature with the issuer's public key.
 	let issuer_pkey = openssl_issuer.public_key().unwrap();
 	assert!(openssl_crl.verify(&issuer_pkey).expect("failed to verify CRL signature"));
-}
+}
+
+#[test]
+fn test_openssl_crl_dps_parse() {
+	// Generate and parse a certificate that includes two CRL distribution points.
+	let der = util::cert_with_crl_dps();
+	let cert = X509::from_der(&der).expect("failed to parse cert DER");
+
+	// We should find the CRL DPs extension.
+	let dps = cert.crl_distribution_points().expect("missing crl distribution points extension");
+	assert!(!dps.is_empty());
+
+	// We should find two distribution points, each with a distribution point name containing
+	// a full name sequence of general names.
+	let general_names = dps.iter().flat_map(|dp|
+		dp.distpoint()
+			.expect("distribution point missing distribution point name")
+			.fullname()
+			.expect("distribution point name missing general names")
+			.iter()
+	)
+	.collect::<Vec<_>>();
+
+	// Each general name should be a URI name.
+	let uris = general_names.iter().map(|general_name|
+		general_name.uri().expect("general name is not a directory name")
+	)
+	.collect::<Vec<_>>();
+
+	// We should find the expected URIs.
+	assert_eq!(uris, &["http://example.com/crl.der", "http://crls.example.com/1234", "ldap://example.com/crl.der"]);
+}

tests/util.rs

@@ -1,5 +1,5 @@
 use time::{Duration, OffsetDateTime};
-use rcgen::{BasicConstraints, Certificate, CertificateParams, CertificateRevocationList};
+use rcgen::{BasicConstraints, Certificate, CertificateParams, CertificateRevocationList, CrlDistributionPoint};
 use rcgen::{CertificateRevocationListParams, DnType, IsCa, KeyIdMethod};
 use rcgen::{KeyUsagePurpose, PKCS_ECDSA_P256_SHA256, RevocationReason, RevokedCertParams, SerialNumber};
 
@@ -99,3 +99,19 @@ pub fn test_crl() -> (CertificateRevocationList, Certificate) {
 
 	(crl, issuer)
 }
+
+#[allow(unused)] // Used by openssl + x509-parser features.
+pub fn cert_with_crl_dps() -> Vec<u8> {
+	let mut params = default_params();
+	params.crl_distribution_points = vec![
+		CrlDistributionPoint{
+			uris: vec!["http://example.com/crl.der".to_string(), "http://crls.example.com/1234".to_string()],
+		},
+		CrlDistributionPoint{
+			uris: vec!["ldap://example.com/crl.der".to_string()],
+		}
+	];
+
+	let cert = Certificate::from_params(params).unwrap();
+	cert.serialize_der().unwrap()
+}

tests/webpki.rs

@@ -526,3 +526,11 @@ fn test_webpki_crl_revoke() {
 	);
 	assert!(matches!(result, Err(webpki::Error::CertRevoked)));
 }
+
+#[test]
+fn test_webpki_cert_crl_dps() {
+	let der = util::cert_with_crl_dps();
+	webpki::EndEntityCert::try_from(der.as_ref()).expect("failed to parse cert with CRL DPs ext");
+	// Webpki doesn't expose the parsed CRL distribution extension, so we can't interrogate that
+	// it matches the expected form. See `openssl.rs` for more extensive coverage.
+}