From 155ef2943d33b31f8f8297996be440a4abc2e074 Mon Sep 17 00:00:00 2001 From: Emman Date: Fri, 15 Apr 2022 11:05:14 +0800 Subject: [PATCH] #44, crypto/x509: omit empty extensions SEQUENCE --- smx509/x509.go | 2 +- smx509/x509_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/smx509/x509.go b/smx509/x509.go index 6ae11fc..c57c13d 100644 --- a/smx509/x509.go +++ b/smx509/x509.go @@ -146,7 +146,7 @@ type tbsCertificate struct { PublicKey publicKeyInfo UniqueId asn1.BitString `asn1:"optional,tag:1"` SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` - Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"` + Extensions []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"` } type dsaAlgorithmParameters struct { diff --git a/smx509/x509_test.go b/smx509/x509_test.go index 7f0defa..bd3ccd4 100644 --- a/smx509/x509_test.go +++ b/smx509/x509_test.go @@ -2430,6 +2430,30 @@ func TestDisableSHA1ForCertOnly(t *testing.T) { } } +func TestOmitEmptyExtensions(t *testing.T) { + k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatal(err) + } + tmpl := &Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + CommonName: ":)", + }, + NotAfter: time.Now().Add(time.Hour), + NotBefore: time.Now().Add(-time.Hour), + } + der, err := CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k) + if err != nil { + t.Fatal(err) + } + + emptyExtSeq := []byte{0xA3, 0x02, 0x30, 0x00} + if bytes.Contains(der, emptyExtSeq) { + t.Error("DER encoding contains the an empty extensions SEQUENCE") + } +} + func TestCreateCertificateLongSerial(t *testing.T) { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil {
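Review bot: The new `omitempty` on the Extensions field carries no comment, and the reason is a conformance point worth recording beside it: RFC 5280 defines `Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension`, so the `A3 02 30 00` that encoding/asn1 emitted for a nil slice was a malformed encoding that strict parsers may reject. I would add `// omitempty: RFC 5280 requires SIZE (1..MAX), so an empty [3] EXPLICIT extensions SEQUENCE must not be emitted.` above the field. Note that `omitempty` only changes marshalling; if this struct is also an unmarshal target when parsing certificates (not visible here), an incoming certificate that still carries the empty SEQUENCE is accepted as before, and rejecting it would be a separate, deliberate strictness decision. The enclosing tbsCertificate struct begins before this hunk.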
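Review bot: The assertion `bytes.Contains(der, emptyExtSeq)` scans the whole certificate, including the freshly generated P-256 public key and the randomized ECDSA signature, so the 4-byte pattern `A3 02 30 00` can in principle occur there by chance and fail the test spuriously — rare, but flaky by construction. Since the [3] EXPLICIT extensions element is the last component of TBSCertificate, a precise check is to parse the result and test only the tail of the TBS bytes, e.g. `cert, err := ParseCertificate(der)` followed by `if bytes.HasSuffix(cert.RawTBSCertificate, emptyExtSeq) {` (assuming the package keeps crypto/x509's `RawTBSCertificate` field); the parse step also confirms the omitted tag is still accepted, which the current test never exercises. A companion case with one extension set would pin that non-empty extensions are still encoded. Minor: the failure message reads "the an"; `t.Error("DER encoding contains an empty extensions SEQUENCE")`.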