Skip to content

Commit

Permalink
Allow digitalSignature key usage on signing certs (#4352)
Browse files Browse the repository at this point in the history 
Turns out `aws_pca` sets digitalSignature on subordinate certificates.

The browser forum also has digitalSignature as a minimum requirement for
CAs that sign OCSP responses.

Fixes: #4351

Signed-off-by: Andrew Harding <azdagron@gmail.com>
Co-authored-by: Evan Gilman <evan@spirl.com>
  • Loading branch information
@azdagron @evan2645
azdagron and evan2645 authored Jul 26, 2023
1 parent a5050ef commit 3f553e3
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 4 deletions.
4 changes: 2 additions & 2 deletions pkg/server/credvalidator/validator.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ func (v *Validator) ValidateX509CA(ca *x509.Certificate) error {
if ca.KeyUsage&x509.KeyUsageCertSign == 0 {
return errors.New("invalid X509 CA: keyCertSign key usage must be set")
}
if ca.KeyUsage&^(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) > 0 {
return errors.New("invalid X509 CA: only keyCertSign and cRLSign key usage can be set")
if ca.KeyUsage&^(x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature) > 0 {
return errors.New("invalid X509 CA: only keyCertSign, cRLSign, or digitalSignature key usage can be set")
}
if err := checkURISAN(ca, true, v.x509CAID); err != nil {
return fmt.Errorf("invalid X509 CA: %w", err)
Expand Down
10 changes: 8 additions & 2 deletions pkg/server/credvalidator/validator_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,11 +63,17 @@ func TestValidateX509CA(t *testing.T) {
},
},
{
desc: "key usage other than certSign and cRLSign",
desc: "digitalSignature key usage",
setup: func(ca *x509.Certificate) {
ca.KeyUsage |= x509.KeyUsageDigitalSignature
},
expectErr: "invalid X509 CA: only keyCertSign and cRLSign key usage can be set",
},
{
desc: "key usage other than certSign, cRLSign, and digitalSignature",
setup: func(ca *x509.Certificate) {
ca.KeyUsage |= x509.KeyUsageKeyAgreement
},
expectErr: "invalid X509 CA: only keyCertSign, cRLSign, or digitalSignature key usage can be set",
},
{
desc: "no URI SAN",
Expand Down

0 comments on commit 3f553e3

Please sign in to comment.