From 1a04d458ae8c4cf0a381d8d164579b27b0893712 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 16 Jul 2020 12:24:57 -0700
Subject: [PATCH] Leverage key usage options to template.
---
x509util/certificate.go | 10 ----------
x509util/templates.go | 26 ++++++++++++++++----------
2 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/x509util/certificate.go b/x509util/certificate.go
index c6af8459..17fcecea 100644
--- a/x509util/certificate.go
+++ b/x509util/certificate.go
@@ -3,7 +3,6 @@ package x509util
import (
"crypto"
"crypto/rand"
- "crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
@@ -128,15 +127,6 @@ func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey,
}
}
- // Remove KeyEncipherment and DataEncipherment for non-rsa keys.
// See:
// https://github.com/golang/go/issues/36499
// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
if _, ok := pub.(*rsa.PublicKey); !ok {
template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
template.KeyUsage &= ^x509.KeyUsageDataEncipherment
}
// Sign certificate
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
if err != nil {
diff --git a/x509util/templates.go b/x509util/templates.go
index a6548c14..33b05c10 100644
--- a/x509util/templates.go
+++ b/x509util/templates.go
@@ -1,6 +1,8 @@
package x509util
-import "crypto/x509"
+import (
+ "crypto/x509"
+)
const (
SubjectKey = "Subject"
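Review bot: Dropping the `pub.(*rsa.PublicKey)` fallback in the second certificate.go hunk means CreateCertificate no longer strips keyEncipherment and dataEncipherment from non-RSA keys for anything but the two default templates adjusted in templates.go; a caller-supplied template that lists `keyEncipherment` for a non-RSA key now reaches `x509.CreateCertificate` unchanged, which is exactly the combination the Go issue and the lamps draft cited in the removed comment describe as invalid. Whether the standard library rejects such a template depends on the Go version in use, so either keep a narrowed check here or document the new contract on CreateCertificate, e.g. `// The template's KeyUsage is signed as-is; templates are responsible for omitting keyEncipherment on non-RSA keys.`. Note also that the templates now branch on the CSR's public key (`.Insecure.CR.PublicKey`) whereas the removed code looked at the `pub` argument, so the two can disagree if a caller ever passes a key that differs from the one in the request. CreateCertificate begins and ends outside this hunk.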
@@ -68,13 +70,16 @@ func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
}
-// DefaultLeafTemplate is the default templated used to generate a leaf
-// certificate. The keyUsage "keyEncipherment" is special and it will be only
-// used for RSA keys.
+// DefaultLeafTemplate is the default template used to generate a leaf
+// certificate.
const DefaultLeafTemplate = `{
"subject": {{ toJson .Subject }},
"sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+ "keyUsage": ["digitalSignature"],
+{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}`
@@ -83,20 +88,21 @@ const DefaultLeafTemplate = `{
// SANs provided in the certificate request, but the option `DisableCustomSANs`
// can be provided to force only the verified domains, if the option is true
// `.SANs` will be set with the verified domains.
-//
-// The keyUsage "keyEncipherment" is special and it will be only used for RSA
-// keys.
const DefaultIIDLeafTemplate = `{
"subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"},
- {{- if .SANs }}
+{{- if .SANs }}
"sans": {{ toJson .SANs }},
- {{- else }}
+{{- else }}
"dnsNames": {{ toJson .Insecure.CR.DNSNames }},
"emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
"ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
"uris": {{ toJson .Insecure.CR.URIs }},
- {{- end }}
+{{- end }}
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+ "keyUsage": ["digitalSignature"],
+{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}`
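Review bot: The new `typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey` branch makes DefaultLeafTemplate depend on a certificate request being present under `.Insecure.CR`, yet the rewritten doc comment drops the sentence that explained the keyEncipherment special case and says nothing about that dependency; the DefaultIIDLeafTemplate hunk below removes the same sentence without a replacement. Suggest restoring the note on both constants, e.g. `// certificate. The keyUsage "keyEncipherment" is only emitted when the public key of the certificate request in .Insecure.CR is an RSA key.`. If template data can be built without a certificate request, `.Insecure.CR.PublicKey` would presumably fail to evaluate rather than fall into the else branch — worth confirming against how SetCertificateRequest is used by callers.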