Leverage key usage options to template.

Mariano Cano 2020-07-16 12:24:57 -07:00
parent a7fe0104c4
commit 1a04d458ae
2 changed files with 16 additions and 20 deletions


@ -3,7 +3,6 @@ package x509util
import ( import (
"crypto" "crypto"
"crypto/rand" "crypto/rand"
"crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/json" "encoding/json"
@ -128,15 +127,6 @@ func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey,
} }
} }
// Remove KeyEncipherment and DataEncipherment for non-rsa keys.
// See:
// https://github.com/golang/go/issues/36499
// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
if _, ok := pub.(*rsa.PublicKey); !ok {
template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
template.KeyUsage &= ^x509.KeyUsageDataEncipherment
}
// Sign certificate // Sign certificate
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer) asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
if err != nil { if err != nil {
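Review bot: With the non-RSA sanitization removed, CreateCertificate now signs whatever KeyUsage the template produced, and nothing at this call site records that the template is now solely responsible for it; a custom template that sets keyEncipherment on a non-RSA key reaches x509.CreateCertificate unchanged, which as far as I know does not reject that combination. The default templates in this commit guard it with a typeIs check, but that covers only the defaults, and with the `crypto/rsa` import dropped in the first hunk there is no fallback left in this file. I'd keep the rationale next to the signing call, e.g. `// KeyUsage is taken from the template as-is: keyEncipherment/dataEncipherment are only appropriate for RSA keys (draft-ietf-lamps-5480-ku-clarifications); the default templates emit them only for *rsa.PublicKey and custom templates must do the same.` CreateCertificate starts and ends outside this hunk.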


@ -1,6 +1,8 @@
package x509util package x509util
import "crypto/x509" import (
"crypto/x509"
)
const ( const (
SubjectKey = "Subject" SubjectKey = "Subject"
@ -68,13 +70,16 @@ func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr)) t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
} }
// DefaultLeafTemplate is the default templated used to generate a leaf // DefaultLeafTemplate is the default template used to generate a leaf
// certificate. The keyUsage "keyEncipherment" is special and it will be only // certificate.
// used for RSA keys.
const DefaultLeafTemplate = `{ const DefaultLeafTemplate = `{
"subject": {{ toJson .Subject }}, "subject": {{ toJson .Subject }},
"sans": {{ toJson .SANs }}, "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"], "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"] "extKeyUsage": ["serverAuth", "clientAuth"]
}` }`
@ -83,20 +88,21 @@ const DefaultLeafTemplate = `{
// SANs provided in the certificate request, but the option `DisableCustomSANs` // SANs provided in the certificate request, but the option `DisableCustomSANs`
// can be provided to force only the verified domains, if the option is true // can be provided to force only the verified domains, if the option is true
// `.SANs` will be set with the verified domains. // `.SANs` will be set with the verified domains.
//
// The keyUsage "keyEncipherment" is special and it will be only used for RSA
// keys.
const DefaultIIDLeafTemplate = `{ const DefaultIIDLeafTemplate = `{
"subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"}, "subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"},
{{- if .SANs }} {{- if .SANs }}
"sans": {{ toJson .SANs }}, "sans": {{ toJson .SANs }},
{{- else }} {{- else }}
"dnsNames": {{ toJson .Insecure.CR.DNSNames }}, "dnsNames": {{ toJson .Insecure.CR.DNSNames }},
"emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }}, "emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
"ipAddresses": {{ toJson .Insecure.CR.IPAddresses }}, "ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
"uris": {{ toJson .Insecure.CR.URIs }}, "uris": {{ toJson .Insecure.CR.URIs }},
{{- end }} {{- end }}
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"], "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"] "extKeyUsage": ["serverAuth", "clientAuth"]
}` }`
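Review bot: The `{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}` / `{{- else }}` block is repeated verbatim in DefaultLeafTemplate and DefaultIIDLeafTemplate, and the reason keyEncipherment is RSA-only, previously stated in the doc comments this commit trims above both constants, no longer appears anywhere in this file. The branch also decides on `.Insecure.CR.PublicKey`, which presumably is the key the certificate is issued for; if a caller can sign for a key other than the CSR's, the wrong usages would be selected, so that is worth confirming against the caller. Whether `typeIs` is registered in the template function map is not visible in this diff. I'd restore one sentence in each const's doc comment, e.g. `// The keyUsage "keyEncipherment" is only emitted for RSA keys; it is not an appropriate usage for other key types (see draft-ietf-lamps-5480-ku-clarifications).`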