square · aebruno · Nov 19, 2019 · Nov 19, 2019
@@ -18,6 +18,7 @@
 package cmd
 
 import (
+	"crypto/x509"
 	"fmt"
 	"os"
 	"strings"
@@ -67,6 +68,10 @@ func NewSignCommand() cli.Command {
 				Name:  "intermediate",
 				Usage: "Whether generated certificate should be a intermediate",
 			},
+			cli.BoolFlag{
+				Name:  "codesigning",
+				Usage: "Whether generated certificate should include the codeSigning extended key usage extension",
+			},
 		},
 		Action: newSignAction,
 	}
@@ -141,6 +146,12 @@ func newSignAction(c *cli.Context) {
 	if c.Bool("intermediate") {
 		fmt.Fprintln(os.Stderr, "Building intermediate")
 		crtOut, err = pkix.CreateIntermediateCertificateAuthority(crt, key, csr, expiresTime)
+	} else if c.Bool("codesigning") {
+		fmt.Fprintln(os.Stderr, "Including codeSigning extended key usage")
+		extKeyUsage := []x509.ExtKeyUsage{
+			x509.ExtKeyUsageCodeSigning,
+		}
+		crtOut, err = pkix.CreateCertificateHostWithExtUsage(crt, key, csr, expiresTime, extKeyUsage)
 	} else {
 		crtOut, err = pkix.CreateCertificateHost(crt, key, csr, expiresTime)
 	}

@@ -28,6 +28,12 @@ import (
 // CreateCertificateHost creates certificate for host.
 // The arguments include CA certificate, CA key, certificate request.
 func CreateCertificateHost(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error) {
+	return CreateCertificateHostWithExtUsage(crtAuth, keyAuth, csr, proposedExpiry, nil)
+}
+
+// CreateCertificateHostWithExtUsage creates certificate for host with optional key usage extensions.
+// The arguments include CA certificate, CA key, certificate request, and any key usage extensions.
+func CreateCertificateHostWithExtUsage(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time, extKeyUsage []x509.ExtKeyUsage) (*Certificate, error) {
 	// Build CA based on RFC5280
 	hostTemplate := x509.Certificate{
 		// **SHOULD** be filled in a unique number
@@ -61,6 +67,10 @@ func CreateCertificateHost(crtAuth *Certificate, keyAuth *Key, csr *CertificateS
 		PermittedDNSDomains:         nil,
 	}
 
+	if extKeyUsage != nil {
+		hostTemplate.ExtKeyUsage = append(hostTemplate.ExtKeyUsage, extKeyUsage...)
+	}
+
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {

@@ -18,6 +18,8 @@
 package pkix
 
 import (
+	"crypto/x509"
+
 	"bytes"
 	"testing"
 	"time"
@@ -66,4 +68,29 @@ func TestCreateCertificateHost(t *testing.T) {
 	if err = rawCrt.CheckSignatureFrom(rawCrtAuth); err != nil {
 		t.Fatal("Failed to check signature:", err)
 	}
+
+	extKeyUsage := []x509.ExtKeyUsage{
+		x509.ExtKeyUsageCodeSigning,
+	}
+	cscrt, err := CreateCertificateHostWithExtUsage(crtAuth, key, csr, time.Now().AddDate(5000, 0, 0), extKeyUsage)
+	if err != nil {
+		t.Fatal("Failed creating certificate with codesigning for host:", err)
+	}
+
+	csrawCrt, err := cscrt.GetRawCertificate()
+	if err != nil {
+		t.Fatal("Failed to get x509.Certificate with codesigning:", err)
+	}
+
+	hasCodeSigning := false
+	for _, eku := range csrawCrt.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageCodeSigning {
+			hasCodeSigning = true
+		}
+	}
+
+	if !hasCodeSigning {
+		t.Fatal("x509.Certificate does not include codesigning extra key usage")
+	}
+
 }