rework AsExtension trait?

Author: baloo

x509-cert/src/ext/pkix.rs

@@ -65,6 +65,17 @@ impl AssociatedOid for SubjectAltName {
 }
 
 impl_newtype!(SubjectAltName, name::GeneralNames);
+// TODO(baloo): apply that?
+//   Further, if the only subject identity included in the certificate is
+//   an alternative name form (e.g., an electronic mail address), then the
+//   subject distinguished name MUST be empty (an empty sequence), and the
+//   subjectAltName extension MUST be present.  If the subject field
+//   contains an empty sequence, then the issuing CA MUST include a
+//   subjectAltName extension that is marked as critical.  When including
+//   the subjectAltName extension in a certificate that has a non-empty
+//   subject distinguished name, conforming CAs SHOULD mark the
+//   subjectAltName extension as non-critical.
+impl_extension!(SubjectAltName);
 
 /// IssuerAltName as defined in [RFC 5280 Section 4.2.1.7].
 ///

x509-cert/src/ext/pkix/certpolicy.rs

@@ -22,6 +22,12 @@ impl AssociatedOid for CertificatePolicies {
 }
 
 impl_newtype!(CertificatePolicies, Vec<PolicyInformation>);
+// TODO
+//   If this extension is
+//   critical, the path validation software MUST be able to interpret this
+//   extension (including the optional qualifier), or MUST reject the
+//   certificate.
+impl_extension!(CertificatePolicies);
 
 /// PolicyInformation as defined in [RFC 5280 Section 4.2.1.4].
 ///

x509-cert/src/ext/pkix/constraints/basic.rs

@@ -22,3 +22,17 @@ pub struct BasicConstraints {
 impl AssociatedOid for BasicConstraints {
     const OID: ObjectIdentifier = ID_CE_BASIC_CONSTRAINTS;
 }
+
+// TODO
+//   Conforming CAs MUST include this extension in all CA certificates
+//   that contain public keys used to validate digital signatures on
+//   certificates and MUST mark the extension as critical in such
+//   certificates.  This extension MAY appear as a critical or non-
+//   critical extension in CA certificates that contain public keys used
+//   exclusively for purposes other than validating digital signatures on
+//   certificates.  Such CA certificates include ones that contain public
+//   keys used exclusively for validating digital signatures on CRLs and
+//   ones that contain key management public keys used with certificate
+//   enrollment protocols.  This extension MAY appear as a critical or
+//   non-critical extension in end entity certificates.
+impl_extension!(BasicConstraints, critical = true);

x509-cert/src/ext/pkix/constraints/name.rs

@@ -30,6 +30,17 @@ pub struct NameConstraints {
 impl AssociatedOid for NameConstraints {
     const OID: ObjectIdentifier = ID_CE_NAME_CONSTRAINTS;
 }
+// TODO: whatever that means:
+//   Restrictions are defined in terms of permitted or excluded name
+//   subtrees.  Any name matching a restriction in the excludedSubtrees
+//   field is invalid regardless of information appearing in the
+//   permittedSubtrees.  Conforming CAs MUST mark this extension as
+//   critical and SHOULD NOT impose name constraints on the x400Address,
+//   ediPartyName, or registeredID name forms.  Conforming CAs MUST NOT
+//   issue certificates where name constraints is an empty sequence.  That
+//   is, either the permittedSubtrees field or the excludedSubtrees MUST
+//   be present.
+impl_extension!(NameConstraints);
 
 /// GeneralSubtrees as defined in [RFC 5280 Section 4.2.1.10].
 ///

x509-cert/src/ext/pkix/keyusage.rs

@@ -78,6 +78,20 @@ impl AssociatedOid for ExtendedKeyUsage {
 }
 
 impl_newtype!(ExtendedKeyUsage, Vec<ObjectIdentifier>);
+// TODO
+//   This extension MAY, at the option of the certificate issuer, be
+//   either critical or non-critical.
+//
+//   If a CA includes extended key usages to satisfy such applications,
+//   but does not wish to restrict usages of the key, the CA can include
+//   the special KeyPurposeId anyExtendedKeyUsage in addition to the
+//   particular key purposes required by the applications.  Conforming CAs
+//   SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage
+//   KeyPurposeId is present.  Applications that require the presence of a
+//   particular purpose MAY reject certificates that include the
+//   anyExtendedKeyUsage OID but not the particular OID expected for the
+//   application.
+impl_extension!(ExtendedKeyUsage, critical = true);
 
 /// PrivateKeyUsagePeriod as defined in [RFC 3280 Section 4.2.1.4].
 ///