cert-helper 0.4.8

A helper library for managing certificates using OpenSSL, including support for generating CSRs and CRLs.
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
use super::builder::{BuilderFields, UseesBuilderFields, select_hash};
use super::common::{X509Common, X509Parts, create_asn1_time_from_date};
use super::enforce_path_len;
#[cfg(feature = "pqc")]
use super::key::reject_mlkem_signing;
use super::key::{
    is_digestless_key, select_key, sign_certificate_digestless, sign_x509_req_digestless,
};
use super::policy::append_certificate_policies;
use super::usage::get_key_usage;
#[cfg(feature = "pqc")]
use super::usage::validate_pqc_key_usage;
use super::{Certificate, CertificatePolicy, Usage, ca_basic_constraints, can_sign_cert};
use openssl::asn1::{Asn1Object, Asn1OctetString, Asn1Time};
use openssl::bn::BigNum;
use openssl::hash::{MessageDigest, hash};
use openssl::nid::Nid;
use openssl::pkey::{PKey, Private};
use openssl::stack::Stack;
use openssl::x509::extension::{
    AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectAlternativeName,
};
use openssl::x509::{X509, X509Builder, X509Extension, X509NameBuilder, X509Req, X509ReqBuilder};
use std::collections::HashSet;
use std::path::Path;
use x509_parser::certification_request::X509CertificationRequest;
use x509_parser::extensions::ParsedExtension;
use x509_parser::prelude::FromDer;

/// Holds the generated Certificate Signing Request (CSR) and its associated private key.
pub struct Csr {
    /// The X.509 certificate signing request.
    pub csr: X509Req,
    /// The private key used to generate the CSR.
    ///
    /// This is optional to allow flexibility in cases where the key is managed or stored separately.
    pub pkey: Option<PKey<Private>>,
}

impl X509Parts for Csr {
    fn get_pem(&self) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
        Ok(self.csr.to_pem()?)
    }

    fn get_private_key(&self) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
        match self.pkey {
            Some(ref pkey) => Ok(pkey.private_key_to_pem_pkcs8()?),
            _ => Err("No private key found".into()),
        }
    }
    fn pem_extension(&self) -> &'static str {
        "_csr.pem"
    }
}
/// Helper trait to document that Csr implements X509Common
pub trait CsrX509Common: X509Common {}
impl CsrX509Common for Csr {}

/// Holds configuration options for creating a certificate from a Certificate Signing Request (CSR).
pub struct CsrOptions {
    valid_to: Asn1Time,
    valid_from: Asn1Time,
    ca: bool,
    policies: Vec<CertificatePolicy>,
    path_len: Option<u32>,
    chain: Vec<Certificate>,
}
impl Default for CsrOptions {
    fn default() -> Self {
        Self::new()
    }
}

impl CsrOptions {
    /// Creates a default `CsrOptions` instance:
    /// - `valid_from` is set to today.
    /// - `valid_to` is set to one year from today.
    /// - `ca` is set to `false`.
    pub fn new() -> Self {
        Self {
            ca: false,
            valid_from: Asn1Time::days_from_now(0).unwrap(), // today
            valid_to: Asn1Time::days_from_now(365).unwrap(), // one year from now
            policies: Default::default(),
            path_len: None,
            chain: Vec::new(),
        }
    }

    /// Sets the start date from which the certificate should be valid.
    ///
    /// # Arguments
    /// * `valid_from` - A string in the format `yyyy-mm-dd`.
    pub fn valid_from(mut self, valid_from: &str) -> Self {
        self.valid_from =
            create_asn1_time_from_date(valid_from).expect("Failed to parse valid_from date");
        self
    }

    /// Sets the end date after which the certificate should no longer be valid.
    ///
    /// # Arguments
    /// * `valid_to` - A string in the format `yyyy-mm-dd`.
    pub fn valid_to(mut self, valid_to: &str) -> Self {
        self.valid_to =
            create_asn1_time_from_date(valid_to).expect("Failed to parse valid_to date");
        self
    }

    /// Specifies whether the certificate should be a Certificate Authority (CA).
    ///
    /// # Arguments
    /// * `ca` - `true` if the certificate should be a CA, `false` otherwise.
    pub fn is_ca(mut self, ca: bool) -> Self {
        self.ca = ca;
        self
    }
    /// Add optional certificate policies
    ///
    /// # Arguments
    /// * `policies` - A list of certificate policies
    pub fn certificate_policies(mut self, policies: Vec<CertificatePolicy>) -> Self {
        self.policies = policies;
        self
    }
    /// Add optional path length, it is the max number of **non-self-issued
    /// intermediate CA certs** that may follow this cert in a chain
    ///
    /// # Arguments
    /// * `path_len`- u32
    pub fn pathlen(mut self, path_len: u32, chain: Vec<Certificate>) -> Self {
        self.path_len = Some(path_len);
        self.chain = chain;
        self
    }
}

impl Csr {
    /// Read a certificate signing request from file
    pub fn load_csr<C: AsRef<Path>>(csr_pem_file: C) -> Result<Self, Box<dyn std::error::Error>> {
        let cert_pem = std::fs::read(csr_pem_file)?;
        let cs_req = X509Req::from_pem(&cert_pem)?;
        Ok(Self {
            csr: cs_req,
            pkey: None,
        })
    }
    /// Create a signed certificate from a certificate signing request(csr)
    pub fn build_signed_certificate(
        &self,
        signer: &Certificate,
        options: CsrOptions,
    ) -> Result<Certificate, Box<dyn std::error::Error>> {
        // Proof-of-possession: refuse to issue from a CSR whose self-signature
        // does not verify against its own public key.
        verify_csr_proof_of_possession(&self.csr)?;

        let can_sign = can_sign_cert(signer)?;
        if !can_sign {
            let err = format!(
                "Cannot sign with signer certificate {:?}: it must be a valid CA \
                 (BasicConstraints CA flag set, KeyUsage keyCertSign, within its validity \
                 period) and have an associated private key",
                signer.x509.subject_name()
            );
            return Err(err.into());
        }
        let chain_refs: Vec<&X509> = options.chain.iter().map(|c| &c.x509).collect();
        enforce_path_len(options.ca, options.path_len, signer, &chain_refs)?;
        let signer_key = signer
            .pkey
            .as_ref()
            .ok_or("signer certificate has no associated private key; cannot sign")?;
        let mut builder = X509Builder::new()?;
        builder.set_version(2)?;
        builder.set_subject_name(self.csr.subject_name())?;
        builder.set_issuer_name(signer.x509.subject_name())?;
        let csr_public_key = self.csr.public_key()?;
        builder.set_pubkey(&csr_public_key)?;

        let der = self.csr.to_der()?;
        let parsed_csr = X509CertificationRequest::from_der(&der)?;

        let req_ext = parsed_csr.1.requested_extensions();
        let mut any_key_used = false;
        let mut requested: HashSet<Usage> = HashSet::new();
        if let Some(exts) = req_ext {
            for ext in exts {
                match ext {
                    ParsedExtension::KeyUsage(ku) => {
                        any_key_used = true;
                        let mut cert_sign_added = false;
                        let mut crl_sign_added = false;
                        let mut usage = openssl::x509::extension::KeyUsage::new();
                        if ku.digital_signature() {
                            usage.digital_signature();
                            requested.insert(Usage::signature);
                        }
                        if ku.key_encipherment() {
                            usage.key_encipherment();
                            requested.insert(Usage::encipherment);
                        }
                        if ku.key_cert_sign() {
                            cert_sign_added = true;
                            usage.key_cert_sign();
                            requested.insert(Usage::certsign);
                        }
                        if ku.non_repudiation() {
                            usage.non_repudiation();
                            requested.insert(Usage::contentcommitment);
                        }
                        if ku.crl_sign() {
                            crl_sign_added = true;
                            usage.crl_sign();
                            requested.insert(Usage::crlsign);
                        }

                        if options.ca {
                            if !cert_sign_added {
                                usage.key_cert_sign();
                            }
                            if !crl_sign_added {
                                usage.crl_sign();
                            }
                        }
                        builder.append_extension(usage.build()?)?;
                    }
                    ParsedExtension::ExtendedKeyUsage(eku) => {
                        let mut ext = openssl::x509::extension::ExtendedKeyUsage::new();
                        if eku.server_auth {
                            ext.server_auth();
                        }
                        if eku.client_auth {
                            ext.client_auth();
                        }
                        if eku.code_signing {
                            ext.code_signing();
                        }
                        if eku.email_protection {
                            ext.email_protection();
                        }
                        builder.append_extension(ext.build()?)?;
                    }
                    ParsedExtension::SubjectAlternativeName(san) => {
                        let mut openssl_san =
                            openssl::x509::extension::SubjectAlternativeName::new();
                        for name in &san.general_names {
                            if let x509_parser::extensions::GeneralName::DNSName(dns) = name {
                                openssl_san.dns(dns);
                            }
                        }
                        builder.append_extension(
                            openssl_san.build(&builder.x509v3_context(None, None))?,
                        )?;
                    }
                    _ => {
                        println!("Unsupported extension: {:?}", ext);
                    }
                }
            }
        }
        #[cfg(feature = "pqc")]
        validate_pqc_key_usage(&csr_public_key, &requested)?;

        if options.ca {
            let result = ca_basic_constraints(options.path_len)?;
            builder.append_extension(result)?;
            if !any_key_used {
                let key_usage = KeyUsage::new().key_cert_sign().crl_sign().build().unwrap();
                builder.append_extension(key_usage)?;
            }
        } else {
            builder.append_extension(BasicConstraints::new().build()?)?;
        }
        builder.set_not_before(&options.valid_from)?;
        builder.set_not_after(&options.valid_to)?;
        let serial_number = {
            let mut serial = BigNum::new()?;
            serial.rand(159, openssl::bn::MsbOption::MAYBE_ZERO, false)?;
            serial.to_asn1_integer()?
        };
        builder.set_serial_number(&serial_number)?;
        if signer.x509.subject_key_id().is_some() {
            let aki = AuthorityKeyIdentifier::new()
                .keyid(true)
                .issuer(false)
                .build(&builder.x509v3_context(Some(&signer.x509), None))?;
            builder.append_extension(aki)?;
        }
        let oid = Asn1Object::from_str("2.5.29.14")?; // OID för Subject Key Identifier (SKI)
        let pubkey_der = self.csr.public_key().unwrap().public_key_to_der()?;
        let ski_hash = hash(MessageDigest::sha1(), &pubkey_der)?;
        let der_encoded = yasna::construct_der(|writer| {
            writer.write_bytes(ski_hash.as_ref());
        });
        let ski_asn1 = Asn1OctetString::new_from_bytes(&der_encoded)?;
        let ext = X509Extension::new_from_der(oid.as_ref(), false, &ski_asn1)?;
        builder.append_extension(ext)?;
        append_certificate_policies(&mut builder, &options.policies)?;
        let cert: X509 = if is_digestless_key(signer_key) {
            let builder_cert = builder.build();
            sign_certificate_digestless(&builder_cert, signer_key)
                .map_err(|e| format!("Failed to sign certificate with digestless key: {}", e))?;
            builder_cert
        } else {
            builder.sign(signer_key, MessageDigest::sha256())?;
            builder.build()
        };

        Ok(Certificate {
            x509: cert,
            pkey: None,
        })
    }
}

/// Builder for creating a new certificate signing request and private key
pub struct CsrBuilder {
    fields: BuilderFields,
}
impl UseesBuilderFields for CsrBuilder {
    fn fields_mut(&mut self) -> &mut BuilderFields {
        &mut self.fields
    }
}
impl Default for CsrBuilder {
    fn default() -> Self {
        Self::new()
    }
}

impl CsrBuilder {
    /// Create a new CsrBuilder with defaults
    pub fn new() -> Self {
        Self {
            fields: BuilderFields::default(),
        }
    }

    /// Builds and returns a Certificate Signing Request (CSR) based on the configured builder fields.
    ///
    /// This function constructs the subject name, sets the public key, and adds relevant X.509 extensions
    /// such as Key Usage, Extended Key Usage, and Subject Alternative Names (SAN).
    /// It supports signing with both traditional algorithms and Ed25519.
    ///
    /// # Returns
    /// - `Ok(Csr)` if the CSR was successfully built and signed.
    /// - `Err(Box<dyn std::error::Error>)` if any step in the CSR creation process fails.
    ///
    /// # Errors
    /// This function may return errors in the following cases:
    /// - Failure to initialize or build the X509 name or request.
    /// - Failure to select or use the appropriate key type.
    /// - Failure to build or add X.509 extensions.
    /// - Failure to sign the CSR, especially with Ed25519.
    ///
    /// # Extensions Added
    /// - **Key Usage** and **Extended Key Usage**: Based on the builder's `usage` field.
    /// - **Subject Alternative Names (SAN)**: Includes all entries from `alternative_names`.
    ///
    /// # Signing Behavior
    /// - If the key type is Ed25519, uses a custom signing function.
    /// - Otherwise, signs using the selected hash algorithm.
    ///
    /// # Example
    /// ```rust
    /// use cert_helper::certificate::CsrBuilder;
    /// use crate::cert_helper::certificate::UseesBuilderFields;
    /// let builder = CsrBuilder::new().common_name("example.com");
    /// let csr = builder.certificate_signing_request().unwrap();
    /// ```
    pub fn certificate_signing_request(self) -> Result<Csr, Box<dyn std::error::Error>> {
        let mut name_builder = X509NameBuilder::new()?;
        name_builder.append_entry_by_nid(Nid::COMMONNAME, &self.fields.common_name)?;
        if !self.fields.country_name.trim().is_empty() {
            name_builder.append_entry_by_nid(Nid::COUNTRYNAME, &self.fields.country_name)?;
        }
        if !self.fields.state_province.trim().is_empty() {
            name_builder
                .append_entry_by_nid(Nid::STATEORPROVINCENAME, &self.fields.state_province)?;
        }
        if !self.fields.locality_time.trim().is_empty() {
            name_builder.append_entry_by_nid(Nid::LOCALITYNAME, &self.fields.locality_time)?;
        }
        if !self.fields.organization.trim().is_empty() {
            name_builder.append_entry_by_nid(Nid::ORGANIZATIONNAME, &self.fields.organization)?;
        }
        let name = name_builder.build();
        let mut builder = X509ReqBuilder::new()?;
        builder.set_version(0)?;
        builder.set_subject_name(&name)?;
        let pkey = select_key(&self.fields.key_type).unwrap();
        builder.set_pubkey(&pkey)?;
        let key_usage = self.fields.usage.clone().unwrap_or_default();

        // Enforce post-quantum KeyUsage rules. Run before the can't-sign guard
        // below so a contradictory KeyUsage is reported precisely.
        #[cfg(feature = "pqc")]
        validate_pqc_key_usage(&pkey, &key_usage)?;

        // ML-KEM cannot sign, and a PKCS#10 CSR requires a self-signature for
        // proof-of-possession — so an ML-KEM CSR cannot be produced here.
        #[cfg(feature = "pqc")]
        reject_mlkem_signing(
            &pkey,
            "ML-KEM (FIPS 203) is a key-encapsulation key and cannot sign a CSR \
             (PKCS#10 requires a self-signature for proof-of-possession). Issue the \
             ML-KEM certificate directly with CertBuilder::build_and_sign() using a \
             signing CA instead.",
        )?;

        let mut extensions = Stack::new()?;

        let (tracked_key_usage, tracked_extended_key_usage) = get_key_usage(&Some(key_usage));
        if tracked_key_usage.is_used() {
            extensions.push(tracked_key_usage.into_inner().build()?)?;
        }
        if tracked_extended_key_usage.is_used() {
            extensions.push(tracked_extended_key_usage.into_inner().build()?)?;
        }

        let mut san = SubjectAlternativeName::new();
        for s in &self.fields.alternative_names {
            san.dns(s);
        }
        extensions.push(san.build(&builder.x509v3_context(None))?)?;

        builder.add_extensions(&extensions)?;
        let csr: X509Req = if is_digestless_key(&pkey) {
            let builder_csr = builder.build();
            sign_x509_req_digestless(&builder_csr, &pkey)
                .map_err(|e| format!("Failed to sign certificate with digestless key: {}", e))?;
            builder_csr
        } else {
            builder.sign(&pkey, select_hash(&self.fields.signature_alg))?;
            builder.build()
        };
        Ok(Csr {
            csr,
            pkey: Some(pkey),
        })
    }
}

/// Verify a CSR's proof-of-possession.
///
/// A PKCS#10 request is self-signed with the private key matching its own public
/// key; a valid signature proves the requester possesses that private key. We
/// verify the request signature against its embedded public key and refuse to
/// issue a certificate from a request that fails
fn verify_csr_proof_of_possession(csr: &X509Req) -> Result<(), Box<dyn std::error::Error>> {
    let public_key = csr.public_key()?;
    if !csr.verify(&public_key)? {
        return Err(
            "CSR proof-of-possession check failed: the request signature does \
            not verify against its own public key"
                .into(),
        );
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::certificate::CertBuilder;
    #[cfg(feature = "pqc")]
    use crate::certificate::key::generate_pqc_key;
    #[cfg(feature = "pqc")]
    use crate::certificate::key::sign_x509_req_digestless;
    use openssl::x509::X509Req;
    #[cfg(feature = "pqc")]
    use openssl::x509::X509ReqBuilder;
    #[cfg(feature = "pqc")]
    use openssl::x509::extension::KeyUsage;
    use std::io::Write;
    use tempfile::NamedTempFile;

    #[test]
    fn create_ca_cert_from_csr_with_path_len() {
        let ca = CertBuilder::new()
            .common_name("My Test Ca")
            .is_ca(true)
            .pathlen(2)
            .build_and_self_sign()
            .unwrap();

        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let cert = csr
            .build_signed_certificate(&ca, CsrOptions::new().pathlen(1, vec![]).is_ca(true))
            .unwrap();
        assert_eq!(cert.x509.pathlen(), Some(1));
    }

    #[test]
    fn create_non_ca_cert_from_csr_with_path_len() {
        let ca = CertBuilder::new()
            .common_name("My Test Ca")
            .is_ca(true)
            .pathlen(2)
            .build_and_self_sign()
            .unwrap();

        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let cert = csr
            .build_signed_certificate(&ca, CsrOptions::new().pathlen(1, vec![]))
            .unwrap();
        assert_eq!(cert.x509.pathlen(), None);
    }

    #[test]
    fn create_ca_cert_with_chain_from_csr_with_path_len() {
        let ca = CertBuilder::new()
            .common_name("My Test root Ca")
            .is_ca(true)
            .pathlen(3)
            .build_and_self_sign()
            .unwrap();
        let interca1 = CertBuilder::new()
            .common_name("My Test Ca1")
            .is_ca(true)
            .pathlen(2)
            .build_and_sign_with_chain(&ca, &[])
            .unwrap();
        let interca2 = CertBuilder::new()
            .common_name("My Test Ca2")
            .is_ca(true)
            .pathlen(1)
            .build_and_sign_with_chain(&interca1, &[&ca])
            .unwrap();
        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let cert = csr
            .build_signed_certificate(
                &interca2,
                CsrOptions::new().pathlen(0, vec![ca, interca1]).is_ca(true),
            )
            .unwrap();
        assert_eq!(cert.x509.pathlen(), Some(0));
    }

    #[test]
    fn create_ca_cert_with_chain_from_csr_with_budget_exhausted() {
        let ca = CertBuilder::new()
            .common_name("My Test root Ca")
            .is_ca(true)
            .pathlen(3)
            .build_and_self_sign()
            .unwrap();
        let interca1 = CertBuilder::new()
            .common_name("My Test Ca1")
            .is_ca(true)
            .pathlen(2)
            .build_and_sign_with_chain(&ca, &[])
            .unwrap();
        let interca2 = CertBuilder::new()
            .common_name("My Test Ca2")
            .is_ca(true)
            .pathlen(0)
            .build_and_sign_with_chain(&interca1, &[&ca])
            .unwrap();
        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let err = csr
            .build_signed_certificate(
                &interca2,
                CsrOptions::new().pathlen(0, vec![ca, interca1]).is_ca(true),
            )
            .err()
            .expect("");
        assert!(
            err.to_string()
                .contains("signer's path length budget is exhausted; cannot issue a CA"),
            "signer's path length budget is exhausted; cannot issue a CA got: {err}"
        );
    }
    #[test]
    fn csr_inflated_pathlen_is_rejected() {
        let ca = CertBuilder::new()
            .common_name("root")
            .is_ca(true)
            .pathlen(1)
            .build_and_self_sign()
            .unwrap();
        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let err = csr
            .build_signed_certificate(
                &ca,
                CsrOptions::new().is_ca(true).pathlen(1, vec![]), // budget=1, m=1 → 1>=1
            )
            .err()
            .expect("inflated pathLen must be rejected");
        assert!(
            err.to_string()
                .contains("requested pathLen exceeds what the signer's chain permits"),
            "got: {err}"
        );
    }

    #[test]
    fn csr_incomplete_chain_is_rejected() {
        let ca = CertBuilder::new()
            .common_name("root")
            .is_ca(true)
            .pathlen(2)
            .build_and_self_sign()
            .unwrap();
        let inter = CertBuilder::new()
            .common_name("inter")
            .is_ca(true)
            .pathlen(1)
            .build_and_sign_with_chain(&ca, &[])
            .unwrap();
        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let err = csr
            .build_signed_certificate(
                &inter,
                CsrOptions::new().is_ca(true).pathlen(0, vec![]), // root omitted
            )
            .err()
            .expect("incomplete chain must be rejected");
        assert!(
            err.to_string().contains("Could not find self signed root"),
            "got: {err}"
        );
    }

    #[test]
    fn csr_unlimited_signer_allows_ca_issuance() {
        let ca = CertBuilder::new()
            .common_name("root")
            .is_ca(true) // no .pathlen() → None
            .build_and_self_sign()
            .unwrap();
        let csr = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();
        let cert = csr
            .build_signed_certificate(
                &ca,
                CsrOptions::new().is_ca(true).pathlen(5, vec![]), // unlimited → any m ok
            )
            .unwrap();
        assert_eq!(cert.x509.pathlen(), Some(5));
    }
    #[test]
    fn build_signed_certificate_rejects_csr_with_bad_proof_of_possession() {
        // A CSR whose self-signature does not match its public key (proof-of-
        // possession failure) must be refused, not turned into a certificate.
        let ca = CertBuilder::new()
            .common_name("My Test Ca")
            .is_ca(true)
            .build_and_self_sign()
            .unwrap();

        let good = CsrBuilder::new()
            .common_name("leaf")
            .certificate_signing_request()
            .unwrap();

        // Flip the last byte of the DER — the tail of the signature BIT STRING —
        // so the request no longer verifies against its own public key while
        // staying structurally parseable.
        let mut der = good.csr.to_der().unwrap();
        let last = der.len() - 1;
        der[last] ^= 0xFF;
        let tampered = Csr {
            csr: X509Req::from_der(&der).unwrap(),
            pkey: None,
        };

        let err = tampered
            .build_signed_certificate(&ca, CsrOptions::new())
            .err()
            .expect("CSR with broken proof-of-possession must be rejected");
        assert!(
            err.to_string().contains("proof-of-possession"),
            "expected a proof-of-possession error, got: {err}"
        );
    }

    #[cfg(feature = "pqc")]
    #[test]
    fn do_not_allow_csr_with_pqc_key_and_encipherment_to_generate_certificate() {
        let ca = CertBuilder::new()
            .common_name("My Test Ca")
            .is_ca(true)
            .build_and_self_sign()
            .unwrap();

        let pkey = generate_pqc_key("ML-DSA-65").unwrap();
        let mut builder = X509ReqBuilder::new().unwrap();
        builder
            .set_pubkey(&pkey)
            .expect("failed to set public key in csr");
        let mut exts = Stack::new().unwrap();
        exts.push(KeyUsage::new().key_encipherment().build().unwrap())
            .unwrap();
        builder.set_version(0).unwrap();
        builder.add_extensions(&exts).unwrap();
        let req = builder.build();

        let _ = sign_x509_req_digestless(&req, &pkey);
        let csr = Csr {
            csr: req,
            pkey: None,
        };
        let err = csr
            .build_signed_certificate(&ca, CsrOptions::new())
            .err()
            .expect("a PQC signature key requesting keyEncipherment must be rejected");
        assert!(
            err.to_string().contains("keyEncipherment"),
            "expected a keyEncipherment error, got: {err}"
        );
    }

    #[test]
    fn test_reading_csr_from_file() {
        let csr_data = b"-----BEGIN CERTIFICATE REQUEST-----
MIICzDCCAbQCAQAwXTEVMBMGA1UEAwwMZXhhbXBsZTIuY29tMQswCQYDVQQGEwJT
RTESMBAGA1UECAwJU3RvY2tob2xtMRIwEAYDVQQHDAlTdG9ja2hvbG0xDzANBgNV
BAoMBk15IG9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIeAXpCG
hbIayESfdTzOO0DxIMsOAu4kUm0zF0W/+xDUHl6bGy3wlB9S9nzBG/qwqFZ27Om3
o4zrZ8K8DBx0ERWNuhMmr0Nx8QpAWBEyxOc08Gn4c3XVBBkRZSn4AIqr9DGtcUqW
tQZXvMGF6sRRljiEvOxO6zMzZKTGYwzIeQvH85cQ3uXsw0Kknsw/fcuywaAC8SS9
aqs4jiEIgzdhxdH2OVXBNGj4cjVhK309JiWFHS9XJLNV/PKC+F1nkaANQwbW5A4F
9vya4js9gk8f4SfF1u+qOJEvsDvAb+1xdjXPRzf77eGh3rC4KgGWQ6WrWfW8PItF
BDg/jskq3bJXNL8CAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIM
ZXhhbXBsZTIuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAHeeSW8C6SMVhWiMvPn7iz
FUHQedHRyPz6kTEfC01eNIbs0r4YghOAcm8PF67jncIXVrqgxo1uzq12qlV+0YYb
jps31IbQNOz0eFLYvij15ielmOYeQZZ/2vqaGi3geVobLc6Ki5tadnA/NhjTN33j
QcqDDic8riAOTbSQ6TH9KPTGJQOPk+taMpDGDHskIW0oME5iT2ewbhBHg6v/kSzy
tss2kBY5O7vo2COtbNcwX5Xp9S2LH9kVUKr0GIjuQjwbv5xl+GNdDey09W9EDACU
jcGV3++2wS4LN4h3CG4pWZ+LTXhm8ymhoWOapN95lfe3xLRAKFJwiLkGwS75++FW
-----END CERTIFICATE REQUEST-----";
        let mut csr_file = NamedTempFile::new().expect("Failed to create temp csr file");
        csr_file.write_all(csr_data).expect("Failed to write csr");
        let result = Csr::load_csr(csr_file.path());
        assert!(result.is_ok(), "Failed to load csr: {:?}", result.err());
    }
}