Subject alternative name extension must be marked critical if the "subject" field is empty #310

howardjohn · 2025-01-17T23:21:32Z

Per https://tools.ietf.org/html/rfc5280#section-4.1.2.6 :

If subject
naming information is present only in the subjectAltName extension
(e.g., a key bound only to an email address or URI), then the subject
name MUST be an empty sequence and the subjectAltName extension MUST
be critical.

However, currently rcgen hardcodes SANs as non-critical:

rcgen/rcgen/src/certificate.rs

Line 502 in cd88a39

write_x509_extension(writer, oid::SUBJECT_ALT_NAME, false, |writer| {

It would be nice to have this either automatically detect empty subject and mark it as critical, or have a way to indicate the extension as critical.

If I understand right, the only way to do this currently would be with a custom extension which seems like a lot of work.

I am willing to work on a fix for this

Fixes rustls#310

howardjohn added a commit to howardjohn/rcgen that referenced this issue Jan 17, 2025

Fix: mark SAN as critical when subject is empty

be6da1f

Fixes rustls#310

howardjohn linked a pull request Jan 17, 2025 that will close this issue

Fix: mark SAN as critical when subject is empty #311

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Subject alternative name extension must be marked critical if the "subject" field is empty #310

Subject alternative name extension must be marked critical if the "subject" field is empty #310

howardjohn commented Jan 17, 2025

Subject alternative name extension must be marked critical if the "subject" field is empty #310

Subject alternative name extension must be marked critical if the "subject" field is empty #310

Comments

howardjohn commented Jan 17, 2025