Fix: do not add keyEncipherment or keyAgreement to our TLS cert
These are not relevant for the EC key type.

Signed-off-by: Volodymyr Khoroz <[email protected]>
vkhoroz committed Feb 13, 2024
1 parent b900e29 commit 36adcbe
Showing 3 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion x509/bash.go
Expand Up @@ -182,7 +182,7 @@ dns=$(openssl req -text -noout -verify -in $csr | grep DNS:)
echo "signing with dns name: $dns" 1>&2
cat >server.ext <<EOF
keyUsage=critical, digitalSignature, keyEncipherment, keyAgreement
keyUsage=critical, digitalSignature
extendedKeyUsage=critical, serverAuth
subjectAltName=$dns
EOF
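Review bot: The ext file now asserts only digitalSignature for whatever key the CSR carries, and nothing in this hunk checks that the key is actually EC; the golang.go hunk makes the same unconditional assumption even though genTlsCert accepts an arbitrary crypto.PublicKey. For ECDSA keys the new set looks right (as I recall RFC 5480 discourages keyEncipherment on EC keys, and keyAgreement is only needed for static ECDH), but an RSA key fed through either path would get a certificate that TLS 1.2 RSA key exchange cannot use. I would either record the EC-only contract at both sites, e.g. a line like `# TLS key is EC (ECDSA): only digitalSignature applies; keyEncipherment is not valid for EC keys` above the heredoc and a matching `//` comment on the Go KeyUsage field, or have the Go path reject non-EC keys with a type switch on pubkey before building the template. The shell script and the genTlsCert template surrounding these lines continue outside their hunks.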
4 changes: 2 additions & 2 deletions x509/common_test.go
Expand Up @@ -112,7 +112,7 @@ func runTest(t *testing.T, verifyFiles func(factoryCa, tlsCert, onlineCa, offlin
assert.Equal(t, tlsCertChain, tlsCertChain1)

assert.Equal(t, false, tlsCert.IsCA)
assert.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement, tlsCert.KeyUsage)
assert.Equal(t, x509.KeyUsageDigitalSignature, tlsCert.KeyUsage)
assert.Equal(t, testDnsBase, tlsCert.Subject.CommonName)
assert.Equal(t, []string{testDnsGateway, testDnsOstree}, tlsCert.DNSNames)
assert.Equal(t, [][]*x509.Certificate{{tlsCert, factoryCa}}, tlsCertChain)
Expand All @@ -129,7 +129,7 @@ func runTest(t *testing.T, verifyFiles func(factoryCa, tlsCert, onlineCa, offlin
assert.Nil(t, err)

assert.Equal(t, false, estCert.IsCA)
assert.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement, estCert.KeyUsage)
assert.Equal(t, x509.KeyUsageDigitalSignature, estCert.KeyUsage)
assert.Equal(t, testDnsBase, estCert.Subject.CommonName)
assert.Equal(t, []string{testDnsEst}, estCert.DNSNames)
assert.Equal(t, [][]*x509.Certificate{{estCert, factoryCa}}, estCertChain)
2 changes: 1 addition & 1 deletion x509/golang.go
Expand Up @@ -185,7 +185,7 @@ func genTlsCert(subject pkix.Name, dnsNames []string, pubkey crypto.PublicKey) s
NotAfter: time.Now().AddDate(10, 0, 0),

IsCA: false,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
DNSNames: dnsNames,
}
