forked from TrueCloudLab/certificates
Leverage key usage options in the template.
This commit is contained in:
parent
a7fe0104c4
commit
1a04d458ae
2 changed files with 16 additions and 20 deletions
|
@ -3,7 +3,6 @@ package x509util
|
||||||
import (
|
import (
|
||||||
"crypto"
|
"crypto"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
@ -128,15 +127,6 @@ func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove KeyEncipherment and DataEncipherment for non-rsa keys.
|
|
||||||
// See:
|
|
||||||
// https://github.com/golang/go/issues/36499
|
|
||||||
// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
|
|
||||||
if _, ok := pub.(*rsa.PublicKey); !ok {
|
|
||||||
template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
|
|
||||||
template.KeyUsage &= ^x509.KeyUsageDataEncipherment
|
|
||||||
}
|
|
||||||
|
|
||||||
// Sign certificate
|
// Sign certificate
|
||||||
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
|
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
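Review bot: Removing the `*rsa.PublicKey` check from CreateCertificate drops the only enforcement of the RSA-only keyEncipherment rule that applied to every template, including caller-supplied ones; after this hunk only the two default templates carry the `typeIs "*rsa.PublicKey"` branch, so a custom template that lists keyEncipherment still issues a leaf for a non-RSA key with that bit set, which is the situation the removed comment's reference to golang/go#36499 was guarding against. If the intent is that templates alone decide, state it next to the `// Sign certificate` line, e.g. `// KeyUsage is taken from the template as-is; the RSA-only keyEncipherment rule now lives in DefaultLeafTemplate and DefaultIIDLeafTemplate.` Otherwise keep the `template.KeyUsage &= ^x509.KeyUsageKeyEncipherment` normalization here as defense in depth, since it is cheap and independent of which template a caller passes. CreateCertificate's body starts and ends outside the hunk.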
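--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -1,6 +1,8 @@
 package x509util
 
-import "crypto/x509"
+import (
+"crypto/x509"
+)
 
 const (
 SubjectKey = "Subject"
@@ -68,13 +70,16 @@ func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
 t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
 }
 
-// DefaultLeafTemplate is the default templated used to generate a leaf
-// certificate. The keyUsage "keyEncipherment" is special and it will be only
-// used for RSA keys.
+// DefaultLeafTemplate is the default template used to generate a leaf
+// certificate.
 const DefaultLeafTemplate = `{
 "subject": {{ toJson .Subject }},
 "sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
 "keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+"keyUsage": ["digitalSignature"],
+{{- end }}
 "extKeyUsage": ["serverAuth", "clientAuth"]
 }`
 
@@ -83,20 +88,21 @@ const DefaultLeafTemplate = `{
 // SANs provided in the certificate request, but the option `DisableCustomSANs`
 // can be provided to force only the verified domains, if the option is true
 // `.SANs` will be set with the verified domains.
-//
-// The keyUsage "keyEncipherment" is special and it will be only used for RSA
-// keys.
 const DefaultIIDLeafTemplate = `{
 "subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"},
 {{- if .SANs }}
 "sans": {{ toJson .SANs }},
 {{- else }}
 "dnsNames": {{ toJson .Insecure.CR.DNSNames }},
 "emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
 "ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
 "uris": {{ toJson .Insecure.CR.URIs }},
 {{- end }}
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
 "keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+"keyUsage": ["digitalSignature"],
+{{- end }}
 "extKeyUsage": ["serverAuth", "clientAuth"]
 }`
 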
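Review bot: The deleted sentences saying that keyEncipherment is only used for RSA keys (DefaultLeafTemplate's comment in the second hunk, DefaultIIDLeafTemplate's in the third) were the only documentation of why the `typeIs "*rsa.PublicKey"` branch exists, and the new comments say nothing about it; keep one line on each constant, e.g. `// The keyUsage "keyEncipherment" is only emitted for RSA keys (see https://github.com/golang/go/issues/36499).` The branch also evaluates `.Insecure.CR.PublicKey`, so both templates now presumably depend on SetCertificateRequest having been called; if `.Insecure.CR` can be unset, text/template will fail at execution time rather than fall into the non-RSA branch, which is worth confirming and noting in the same comment. Whether `typeIs` is registered in the template FuncMap is not visible in this diff.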