From 4406bef0f47d3e8f4b5bc817704d262a57bc30e4 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Tue, 20 Aug 2024 15:30:23 -0700 Subject: [PATCH] Simplify KU, EKU, and SKID fields of issued certs --- ca/ca.go | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/ca/ca.go b/ca/ca.go index ae0175f0..d11d5897 100644 --- a/ca/ca.go +++ b/ca/ca.go @@ -108,7 +108,7 @@ func makeKey() (*rsa.PrivateKey, []byte, error) { return key, ski, nil } -func (ca *CAImpl) makeRootCert( +func (ca *CAImpl) makeCACert( subjectKey crypto.Signer, subject pkix.Name, subjectKeyID []byte, @@ -122,7 +122,7 @@ func (ca *CAImpl) makeRootCert( NotAfter: time.Now().AddDate(30, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SubjectKeyId: subjectKeyID, BasicConstraintsValid: true, IsCA: true, @@ -175,7 +175,7 @@ func (ca *CAImpl) newRootIssuer(name string) (*issuer, error) { subject := pkix.Name{ CommonName: rootCAPrefix + name, } - rc, err := ca.makeRootCert(rk, subject, subjectKeyID, nil) + rc, err := ca.makeCACert(rk, subject, subjectKeyID, nil) if err != nil { return nil, err } @@ -192,7 +192,7 @@ func (ca *CAImpl) newIntermediateIssuer(root *issuer, intermediateKey crypto.Sig return nil, errors.New("internal error: root must not be nil") } // Make an intermediate certificate with the root issuer - ic, err := ca.makeRootCert(intermediateKey, subject, subjectKeyID, root) + ic, err := ca.makeCACert(intermediateKey, subject, subjectKeyID, root) if err != nil { return nil, err } @@ -257,6 +257,7 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ if len(domains) == 0 && len(ips) == 0 { return nil, errors.New("must specify at least one domain name or IP address") } + var err error defaultChain := ca.chains[0].intermediates if len(defaultChain) == 0 || defaultChain[0].cert == nil { @@ -264,11 +265,6 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ } issuer := defaultChain[0] - subjectKeyID, err := makeSubjectKeyID(key) - if err != nil { - return nil, fmt.Errorf("cannot create subject key ID: %s", err.Error()) - } - certNotBefore := time.Now() if notBefore != "" { certNotBefore, err = time.Parse(time.RFC3339, notBefore) @@ -297,9 +293,8 @@ func (ca *CAImpl) newCertificate(domains []string, ips []net.IP, key crypto.Publ NotBefore: certNotBefore, NotAfter: certNotAfter, - KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, - SubjectKeyId: subjectKeyID, + KeyUsage: x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtraExtensions: extensions, BasicConstraintsValid: true, IsCA: false,