From 1a04d458ae8c4cf0a381d8d164579b27b0893712 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Thu, 16 Jul 2020 12:24:57 -0700
Subject: [PATCH] Leverage key usage options to template.

---
 x509util/certificate.go | 10 ----------
 x509util/templates.go   | 26 ++++++++++++++++----------
 2 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/x509util/certificate.go b/x509util/certificate.go
index c6af8459..17fcecea 100644
--- a/x509util/certificate.go
+++ b/x509util/certificate.go
@@ -3,7 +3,6 @@ package x509util
 import (
 	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -128,15 +127,6 @@ func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey,
 		}
 	}
 
-	// Remove KeyEncipherment and DataEncipherment for non-rsa keys.
-	// See:
-	// https://github.com/golang/go/issues/36499
-	// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
-	if _, ok := pub.(*rsa.PublicKey); !ok {
-		template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
-		template.KeyUsage &= ^x509.KeyUsageDataEncipherment
-	}
-
 	// Sign certificate
 	asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
 	if err != nil {
diff --git a/x509util/templates.go b/x509util/templates.go
index a6548c14..33b05c10 100644
--- a/x509util/templates.go
+++ b/x509util/templates.go
@@ -1,6 +1,8 @@
 package x509util
 
-import "crypto/x509"
+import (
+	"crypto/x509"
+)
 
 const (
 	SubjectKey            = "Subject"
@@ -68,13 +70,16 @@ func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
 	t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
 }
 
-// DefaultLeafTemplate is the default templated used to generate a leaf
-// certificate. The keyUsage "keyEncipherment" is special and it will be only
-// used for RSA keys.
+// DefaultLeafTemplate is the default template used to generate a leaf
+// certificate.
 const DefaultLeafTemplate = `{
 	"subject": {{ toJson .Subject }},
 	"sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
 	"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+	"keyUsage": ["digitalSignature"],
+{{- end }}
 	"extKeyUsage": ["serverAuth", "clientAuth"]
 }`
 
@@ -83,20 +88,21 @@ const DefaultLeafTemplate = `{
 // SANs provided in the certificate request, but the option `DisableCustomSANs`
 // can be provided to force only the verified domains, if the option is true
 // `.SANs` will be set with the verified domains.
-//
-// The keyUsage "keyEncipherment" is special and it will be only used for RSA
-// keys.
 const DefaultIIDLeafTemplate = `{
 	"subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"},
-	{{- if .SANs }}
+{{- if .SANs }}
 	"sans": {{ toJson .SANs }},
-	{{- else }}
+{{- else }}
 	"dnsNames": {{ toJson .Insecure.CR.DNSNames }},
 	"emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
 	"ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
 	"uris": {{ toJson .Insecure.CR.URIs }},
-	{{- end }}
+{{- end }}
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
 	"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+	"keyUsage": ["digitalSignature"],
+{{- end }}
 	"extKeyUsage": ["serverAuth", "clientAuth"]
 }`