rcgen

Enforce extension uniqueness

Open cpu opened this issue 2 years ago • 0 comments

As a breaking API change rcgen should refuse to generate certificates with duplicate extensions.

RFC 5280 §4.2 says:

A certificate MUST NOT include more than one instance of a particular extension.

This can occur with the current API in two ways:

  1. Specifying duplicate extensions within CertificateParams.custom_extensions
  2. Specifying an extension in CertificateParams.custom_extensions that has the same OID as an extension rcgen emits natively (e.g. id-ce-subjectAltName, id-ce-authorityKeyIdentifier, etc).

cpu, Sep 10 '23 15:09
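A sketch of the pre-generation check the issue asks for, covering both cases listed above. This is an added example, not rcgen's code: CustomExt, DuplicateExt and check_unique are hypothetical names, and the native list holds only the two extensions the issue names.

```rust
use std::collections::HashSet;

/// Hypothetical stand-in for a caller-supplied extension (not rcgen's type).
pub struct CustomExt {
    pub oid: Vec<u64>,
    pub critical: bool,
    pub der_value: Vec<u8>,
}

/// Which of the two cases from the issue was hit, with the offending OID.
#[derive(Debug, PartialEq)]
pub enum DuplicateExt {
    /// Case 1: the same OID appears twice in the custom list.
    RepeatedCustom(Vec<u64>),
    /// Case 2: a custom OID matches an extension the generator emits itself.
    CollidesWithNative(Vec<u64>),
}

// The two natively emitted extensions the issue names; a real list is longer.
pub const ID_CE_SUBJECT_ALT_NAME: &[u64] = &[2, 5, 29, 17];
pub const ID_CE_AUTHORITY_KEY_IDENTIFIER: &[u64] = &[2, 5, 29, 35];

/// Reject a set of extensions that would violate RFC 5280 §4.2.
/// `native` holds the OIDs the generator will emit for this certificate.
pub fn check_unique(native: &[&[u64]], custom: &[CustomExt]) -> Result<(), DuplicateExt> {
    let mut seen: HashSet<&[u64]> = HashSet::new();
    for ext in custom {
        let oid = ext.oid.as_slice();
        if native.contains(&oid) {
            return Err(DuplicateExt::CollidesWithNative(ext.oid.clone()));
        }
        if !seen.insert(oid) {
            return Err(DuplicateExt::RepeatedCustom(ext.oid.clone()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed input: a caller-supplied subjectAltName alongside the native one.
    let custom = [CustomExt { oid: vec![2, 5, 29, 17], critical: false, der_value: vec![0x30, 0x00] }];
    println!("{:?}", check_unique(&[ID_CE_SUBJECT_ALT_NAME], &custom));
}
```

The native list has to be computed per certificate: a custom subjectAltName only collides when the generator is actually going to emit one itself.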