Allow digitalSignature key usage on signing certs

Turns out `aws_pca` sets digitalSignature on subordinate certificates. The browser forum also has digitalSignature as a minimum requirement for CAs that sign OCSP responses. Fixes: spiffe#4351 Signed-off-by: Andrew Harding <azdagron@gmail.com>
azdagron · Jul 20, 2023 · 6ea90e7 · 6ea90e7
1 parent 00909f2
commit 6ea90e7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/pkg/server/credvalidator/validator.go b/pkg/server/credvalidator/validator.go
@@ -52,8 +52,8 @@ func (v *Validator) ValidateX509CA(ca *x509.Certificate) error {
 	if ca.KeyUsage&x509.KeyUsageCertSign == 0 {
 		return errors.New("invalid X509 CA: keyCertSign key usage must be set")
 	}
-	if ca.KeyUsage&^(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) > 0 {
-		return errors.New("invalid X509 CA: only keyCertSign and cRLSign key usage can be set")
+	if ca.KeyUsage&^(x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature) > 0 {
+		return errors.New("invalid X509 CA: only keyCertSign, cRLSign, or digitalSignature key usage can be set")
 	}
 	if err := checkURISAN(ca, true, v.x509CAID); err != nil {
 		return fmt.Errorf("invalid X509 CA: %w", err)

diff --git a/pkg/server/credvalidator/validator_test.go b/pkg/server/credvalidator/validator_test.go
@@ -63,11 +63,17 @@ func TestValidateX509CA(t *testing.T) {
 			},
 		},
 		{
-			desc: "key usage other than certSign and cRLSign",
+			desc: "digitalSignature key usage",
 			setup: func(ca *x509.Certificate) {
 				ca.KeyUsage |= x509.KeyUsageDigitalSignature
 			},
-			expectErr: "invalid X509 CA: only keyCertSign and cRLSign key usage can be set",
+		},
+		{
+			desc: "key usage other than certSign, cRLSign, and digitalSignature",
+			setup: func(ca *x509.Certificate) {
+				ca.KeyUsage |= x509.KeyUsageKeyAgreement
+			},
+			expectErr: "invalid X509 CA: only keyCertSign, cRLSign, or digitalSignature key usage can be set",
 		},
 		{
 			desc: "no URI SAN",