briansmith · janimo · Sep 21, 2021 · Sep 25, 2021 · Dec 11, 2021
diff --git a/src/cert.rs b/src/cert.rs
@@ -95,12 +95,14 @@ pub(crate) fn parse_cert_internal<'a>(
             subject_alt_name: None,
         };
 
-        // mozilla::pkix allows the extensions to be omitted. However, since
-        // the subjectAltName extension is mandatory, the extensions are
-        // mandatory too, and we enforce that. Also, mozilla::pkix includes
+        // mozilla::pkix allows the extensions to be omitted. It also includes
         // special logic for handling critical Netscape Cert Type extensions.
         // That has been intentionally omitted.
 
+        if tbs.at_end() {
+            return Ok(cert)
+        }
+
         der::nested(
             tbs,
             der::Tag::ContextSpecificConstructed3,

diff --git a/tests/cert_without_extensions.rs b/tests/cert_without_extensions.rs
@@ -20,8 +20,7 @@ fn cert_without_extensions_test() {
     // `openssl x509 -in cert_without_extensions.der -inform DER -text -noout`
     const CERT_WITHOUT_EXTENSIONS_DER: &[u8] = include_bytes!("cert_without_extensions.der");
 
-    assert_eq!(
-        Some(webpki::Error::MissingOrMalformedExtensions),
-        webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).err()
+    assert!(
+        webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).is_ok()
     );
 }