Expose custom critical extension API

CarolYeh910 · CarolYeh910 · commit c1d6fcd29396 · 2025-05-29T18:17:06.000Z
diff --git a/bindings/rust/extended/s2n-tls/Cargo.toml b/bindings/rust/extended/s2n-tls/Cargo.toml
@@ -14,6 +14,7 @@ unstable-fingerprint = ["s2n-tls-sys/unstable-fingerprint"]
 unstable-ktls = ["s2n-tls-sys/unstable-ktls"]
 unstable-renegotiate = ["s2n-tls-sys/unstable-renegotiate"]
 unstable-cert_authorities = ["s2n-tls-sys/unstable-cert_authorities"]
+unstable-custom_x509_extensions = ["s2n-tls-sys/unstable-custom_x509_extensions"]
 quic = ["s2n-tls-sys/quic"]
 fips = ["s2n-tls-sys/fips"]
 pq = ["s2n-tls-sys/pq"]
diff --git a/bindings/rust/extended/s2n-tls/src/config.rs b/bindings/rust/extended/s2n-tls/src/config.rs
@@ -604,6 +604,18 @@ impl Builder {
         Ok(self)
     }
 
+    /// Corresponds to [s2n_config_add_custom_x509_extension].
+    #[cfg(feature = "unstable-custom_x509_extensions")]
+    pub fn add_custom_x509_extension(&mut self, extension_oid: &str) -> Result<&mut Self, Error> {
+        let extension_oid_len: u32 = extension_oid
+            .len()
+            .try_into()
+            .map_err(|_| Error::INVALID_INPUT)?;
+        let extension_oid = extension_oid.as_ptr() as *mut u8;
+        unsafe { s2n_config_add_custom_x509_extension(self.as_mut_ptr(), extension_oid, extension_oid_len).into_result() }?;
+        Ok(self)
+    }
+
     /// Set a custom callback function which is run after parsing the client hello.
     ///
     /// Corresponds to [s2n_config_set_client_hello_cb].
diff --git a/bindings/rust/extended/s2n-tls/src/testing/s2n_tls.rs b/bindings/rust/extended/s2n-tls/src/testing/s2n_tls.rs
@@ -580,6 +580,44 @@ mod tests {
         Ok(())
     }
 
+    #[cfg(feature = "unstable-custom_x509_extensions")]
+    #[test]
+    fn custom_critical_extensions() -> Result<(), Error> {
+        let certs = CertKeyPair::from_path(
+            "custom_oids/",
+            "single_oid_cert_chain",
+            "single_oid_key",
+            "ca-cert",
+        );
+        let single_oid = "1.3.187.25240.2";
+
+        for add_oid in [true, false] {
+            let config = {
+                let mut config = Builder::new();
+                config.set_security_policy(&security::DEFAULT_TLS13)?;
+                config.set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?;
+
+                if add_oid {
+                    config.add_custom_x509_extension(single_oid)?;
+                }
+
+                config.load_pem(certs.cert(), certs.key())?;
+                config.trust_pem(certs.cert())?;
+                config.build()?
+            };
+            let mut pair = TestPair::from_config(&config);
+
+            if add_oid {
+                pair.handshake()?;
+            } else {
+                let s2n_err = pair.handshake().unwrap_err();
+                assert_eq!(s2n_err.name(), "S2N_ERR_CERT_UNHANDLED_CRITICAL_EXTENSION");
+            }
+        }
+
+        Ok(())
+    }
+
     #[cfg(feature = "unstable-ktls")]
     #[test]
     fn key_updates() -> Result<(), Error> {
