Check if a certificate is a CA certificate by examining the Basic Constraints extension Returns `true` if the certificate has Basic Constraints with CA=true, `false` otherwise (including parse errors or missing extension). This matches OpenSSL's X509_check_ca() behavior.
(cert_der: &[u8])
| 269 | /// `false` otherwise (including parse errors or missing extension). |
| 270 | /// This matches OpenSSL's X509_check_ca() behavior. |
| 271 | pub fn is_ca_certificate(cert_der: &[u8]) -> bool { |
| 272 | // Parse the certificate |
| 273 | let Ok((_, cert)) = X509Certificate::from_der(cert_der) else { |
| 274 | return false; |
| 275 | }; |
| 276 | |
| 277 | // Check Basic Constraints extension |
| 278 | // If extension exists and CA=true, it's a CA certificate |
| 279 | // Otherwise (no extension or CA=false), it's NOT a CA certificate |
| 280 | if let Ok(Some(ext)) = cert.basic_constraints() { |
| 281 | return ext.value.ca; |
| 282 | } |
| 283 | |
| 284 | // No Basic Constraints extension -> NOT a CA certificate |
| 285 | // (matches OpenSSL X509_check_ca() behavior) |
| 286 | false |
| 287 | } |
| 288 | |
| 289 | /// Convert an X509Name to Python nested tuple format for SSL certificate dicts |
| 290 | /// |
no outgoing calls
no test coverage detected