Move the key usage options into the template.
This commit is contained in:
parent
a7fe0104c4
commit
1a04d458ae
2 changed files with 16 additions and 20 deletions
|
@ -3,7 +3,6 @@ package x509util
|
|||
import (
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/json"
|
||||
|
@ -128,15 +127,6 @@ func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey,
|
|||
}
|
||||
}
|
||||
|
||||
// Remove KeyEncipherment and DataEncipherment for non-rsa keys.
|
||||
// See:
|
||||
// https://github.com/golang/go/issues/36499
|
||||
// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
|
||||
if _, ok := pub.(*rsa.PublicKey); !ok {
|
||||
template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
|
||||
template.KeyUsage &= ^x509.KeyUsageDataEncipherment
|
||||
}
|
||||
|
||||
// Sign certificate
|
||||
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
|
||||
if err != nil {
|
||||
|
|
|
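Review bot: Dropping the non-RSA guard in CreateCertificate also stops DataEncipherment from being cleared, and neither DefaultLeafTemplate nor DefaultIIDLeafTemplate in this commit reproduces that part, so a custom template that lists keyEncipherment or dataEncipherment for an EC or Ed25519 key is now signed as-is where before the library corrected it. If templates are meant to be authoritative, the godoc of CreateCertificate should state it, e.g. `// CreateCertificate signs template as given; it no longer clears keyEncipherment/dataEncipherment for non-RSA keys, so templates must omit them (see the linked RFC 5480 clarifications).` Otherwise keeping the guard after template rendering, as defense in depth, seems the safer choice given the rationale in the removed comment. The body of CreateCertificate begins and ends outside the hunk.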
@ -1,6 +1,8 @@
|
|||
package x509util
|
||||
|
||||
import "crypto/x509"
|
||||
import (
|
||||
"crypto/x509"
|
||||
)
|
||||
|
||||
const (
|
||||
SubjectKey = "Subject"
|
||||
|
@ -68,13 +70,16 @@ func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
|
|||
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
|
||||
}
|
||||
|
||||
// DefaultLeafTemplate is the default templated used to generate a leaf
|
||||
// certificate. The keyUsage "keyEncipherment" is special and it will be only
|
||||
// used for RSA keys.
|
||||
// DefaultLeafTemplate is the default template used to generate a leaf
|
||||
// certificate.
|
||||
const DefaultLeafTemplate = `{
|
||||
"subject": {{ toJson .Subject }},
|
||||
"sans": {{ toJson .SANs }},
|
||||
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
|
||||
"keyUsage": ["keyEncipherment", "digitalSignature"],
|
||||
{{- else }}
|
||||
"keyUsage": ["digitalSignature"],
|
||||
{{- end }}
|
||||
"extKeyUsage": ["serverAuth", "clientAuth"]
|
||||
}`
|
||||
|
||||
|
@ -83,20 +88,21 @@ const DefaultLeafTemplate = `{
|
|||
// SANs provided in the certificate request, but the option `DisableCustomSANs`
|
||||
// can be provided to force only the verified domains, if the option is true
|
||||
// `.SANs` will be set with the verified domains.
|
||||
//
|
||||
// The keyUsage "keyEncipherment" is special and it will be only used for RSA
|
||||
// keys.
|
||||
const DefaultIIDLeafTemplate = `{
|
||||
"subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"},
|
||||
{{- if .SANs }}
|
||||
{{- if .SANs }}
|
||||
"sans": {{ toJson .SANs }},
|
||||
{{- else }}
|
||||
{{- else }}
|
||||
"dnsNames": {{ toJson .Insecure.CR.DNSNames }},
|
||||
"emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }},
|
||||
"ipAddresses": {{ toJson .Insecure.CR.IPAddresses }},
|
||||
"uris": {{ toJson .Insecure.CR.URIs }},
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
|
||||
"keyUsage": ["keyEncipherment", "digitalSignature"],
|
||||
{{- else }}
|
||||
"keyUsage": ["digitalSignature"],
|
||||
{{- end }}
|
||||
"extKeyUsage": ["serverAuth", "clientAuth"]
|
||||
}`
|
||||
|
||||
|
|
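Review bot: Both templates now evaluate `.Insecure.CR.PublicKey` unconditionally inside `typeIs`, so DefaultLeafTemplate, which previously referenced only `.Subject` and `.SANs`, appears to fail to execute whenever the data was built without SetCertificateRequest (a missing `CR` key evaluates to nil and the `.PublicKey` access on it errors — worth confirming against the existing template tests). Wrapping the RSA branch in an outer `{{- if .Insecure.CR }}` block, and falling back to `"keyUsage": ["digitalSignature"],` when it is absent, would keep the old data contract while preserving the RSA-only keyEncipherment behaviour; the same applies to the keyUsage block in DefaultIIDLeafTemplate. The doc comment for DefaultLeafTemplate lost the sentence explaining the RSA-only keyEncipherment; since the rule is now encoded in the template rather than in Go, a one-line note such as `// keyEncipherment is emitted only for RSA keys (RFC 5480 clarifications).` above both constants would help the next reader.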