Skip to content

Commit

Permalink
Simplify KU, EKU, and SKID fields of issued certs
Browse files Browse the repository at this point in the history
  • Loading branch information
aarongable committed Aug 21, 2024
1 parent 9d3a771 commit 4406bef
Showing 1 changed file with 7 additions and 12 deletions.
19 changes: 7 additions & 12 deletions ca/ca.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ func makeKey() (*rsa.PrivateKey, []byte, error) {
return key, ski, nil
}

func (ca *CAImpl) makeRootCert(
func (ca *CAImpl) makeCACert(
subjectKey crypto.Signer,
subject pkix.Name,
subjectKeyID []byte,
Expand All @@ -122,7 +122,7 @@ func (ca *CAImpl) makeRootCert(
NotAfter: time.Now().AddDate(30, 0, 0),

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
SubjectKeyId: subjectKeyID,
BasicConstraintsValid: true,
IsCA: true,
Expand Down Expand Up @@ -175,7 +175,7 @@ func (ca *CAImpl) newRootIssuer(name string) (*issuer, error) {
subject := pkix.Name{
CommonName: rootCAPrefix + name,
}
rc, err := ca.makeRootCert(rk, subject, subjectKeyID, nil)
rc, err := ca.makeCACert(rk, subject, subjectKeyID, nil)
if err != nil {
return nil, err
}
Expand All @@ -192,7 +192,7 @@ func (ca *CAImpl) newIntermediateIssuer(root *issuer, intermediateKey crypto.Sig
return nil, errors.New("internal error: root must not be nil")
}
// Make an intermediate certificate with the root issuer
ic, err := ca.makeRootCert(intermediateKey, subject, subjectKeyID, root)
ic, err := ca.makeCACert(intermediateKey, subject, subjectKeyID, root)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -257,18 +257,14 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
if len(domains) == 0 && len(ips) == 0 {
return nil, errors.New("must specify at least one domain name or IP address")
}
var err error

defaultChain := ca.chains[0].intermediates
if len(defaultChain) == 0 || defaultChain[0].cert == nil {
return nil, errors.New("cannot sign certificate - nil issuer")
}
issuer := defaultChain[0]

subjectKeyID, err := makeSubjectKeyID(key)
if err != nil {
return nil, fmt.Errorf("cannot create subject key ID: %s", err.Error())
}

certNotBefore := time.Now()
if notBefore != "" {
certNotBefore, err = time.Parse(time.RFC3339, notBefore)
Expand Down Expand Up @@ -297,9 +293,8 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ
NotBefore: certNotBefore,
NotAfter: certNotAfter,

KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
SubjectKeyId: subjectKeyID,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
ExtraExtensions: extensions,
BasicConstraintsValid: true,
IsCA: false,
Expand Down

0 comments on commit 4406bef

Please sign in to comment.