From 72c7b4b528fae4dff9b857644d180c3db606c9d7 Mon Sep 17 00:00:00 2001
From: Lukas Velikov
Date: Tue, 6 Aug 2024 21:40:03 -0400
Subject: [PATCH] Add KeyUsage support for CSR generation
---
 rcgen/src/certificate.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
index d080abf0..6763a02d 100644
--- a/rcgen/src/certificate.rs
+++ b/rcgen/src/certificate.rs
@@ -563,7 +563,6 @@ impl CertificateParams {
 );
 if serial_number.is_some()
 || *is_ca != IsCa::NoCa
- || !key_usages.is_empty()
 || name_constraints.is_some()
 || !crl_distribution_points.is_empty()
 || *use_authority_key_identifier_extension
@@ -581,12 +580,17 @@ impl CertificateParams {
 // Write extensions
 // According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
 writer.next().write_tagged(Tag::context(0), |writer| {
- if !subject_alt_names.is_empty() || !custom_extensions.is_empty() {
+ if !key_usages.is_empty()
+ || !subject_alt_names.is_empty()
+ || !custom_extensions.is_empty()
+ {
 writer.write_sequence(|writer| {
 let oid = ObjectIdentifier::from_slice(oid::PKCS_9_AT_EXTENSION_REQUEST);
 writer.next().write_oid(&oid);
 writer.next().write_set(|writer| {
 writer.next().write_sequence(|writer| {
+ // Write key_usage
+ self.write_key_usage(writer.next());
 // Write subject_alt_names
 self.write_subject_alt_names(writer.next());
 self.write_extended_key_usage(writer.next());
@@ -613,6 +617,7 @@ impl CertificateParams {
 der: CertificateSigningRequestDer::from(der),
 })
 }
+
 pub(crate) fn serialize_der_with_signer(
 &self,
 pub_key: &K,
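Review bot: The added `self.write_key_usage(writer.next());` in the second hunk runs whenever any of the three lists is non-empty, so a request carrying only SANs or custom extensions depends on `write_key_usage` emitting nothing for an empty `key_usages`. That helper is outside the hunk, so confirm it returns early and record it in the comment, e.g. `// Write key_usage (emits nothing when key_usages is empty)`. The diffstat shows only certificate.rs changing, so nothing pins the new encoding; a test that serializes a request with key usages and reads the keyUsage extension back would also show whether the crate's own CSR parsing accepts it. Because a keyUsage in a CSR is only a request, the docs for this function should state that the issuer decides which bits are granted rather than copying them through. The enclosing function starts and ends outside the hunk.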