@@ -124,28 +124,44 @@ impl CsrOptions {
124124#[ cfg( test) ]
125125mod tests {
126126 use crate :: tls;
127+ use itertools:: Itertools ;
127128
128129 #[ test]
129130 fn test_csr ( ) {
130- use x509_parser:: prelude:: FromDer ;
131+ use x509_parser:: prelude:: * ;
131132 let csr = tls:: csr:: CsrOptions {
132133 san : "spiffe://td/ns/ns1/sa/sa1" . to_string ( ) ,
133134 }
134135 . generate ( )
135136 . unwrap ( ) ;
137+
136138 let ( _, der) = x509_parser:: pem:: parse_x509_pem ( csr. csr . as_bytes ( ) ) . unwrap ( ) ;
137139
138140 let ( _, cert) =
139141 x509_parser:: certification_request:: X509CertificationRequest :: from_der ( & der. contents )
140142 . unwrap ( ) ;
141143 cert. verify_signature ( ) . unwrap ( ) ;
144+ let subject = cert. certification_request_info . subject . iter ( ) . collect_vec ( ) ;
145+ assert_eq ! ( subject. len( ) , 0 ) ;
142146 let attr = cert
143147 . certification_request_info
144148 . iter_attributes ( )
145149 . next ( )
146150 . unwrap ( ) ;
147- // SAN is encoded in some format I don't understand how to parse; this could be improved.
148- // but make sure it's there in a hacky manner
149- assert ! ( attr. value. ends_with( b"spiffe://td/ns/ns1/sa/sa1" ) ) ;
151+
152+ let ParsedCriAttribute :: ExtensionRequest ( parsed) = attr. parsed_attribute ( ) else {
153+ panic ! ( "not a ExtensionRequest" )
154+ } ;
155+ let ext = parsed. clone ( ) . extensions ;
156+ assert_eq ! ( ext. len( ) , 1 ) ;
157+ let ext = ext. into_iter ( ) . next ( ) . unwrap ( ) ;
158+ assert ! ( ext. critical) ;
159+ let ParsedExtension :: SubjectAlternativeName ( san) = ext. parsed_extension ( ) else {
160+ panic ! ( "not a SubjectAlternativeName" )
161+ } ;
162+ assert_eq ! (
163+ & format!( "{san:?}" ) ,
164+ "SubjectAlternativeName { general_names: [URI(\" spiffe://td/ns/ns1/sa/sa1\" )] }"
165+ )
150166 }
151167}
0 commit comments