Fix creation of certificate without templates.

2024-11-19 09:25:37 +00:00 · 2020-07-09 15:17:59 -07:00 · 2020-07-09 15:17:59 -07:00 · a7e2ebb7d2
commit a7e2ebb7d2
parent 3c84453cf4
3 changed files with 36 additions and 4 deletions
--- a/x509util/certificate.go
+++ b/x509util/certificate.go
@ -48,9 +48,10 @@ func NewCertificate(cr *x509.CertificateRequest, opts ...Option) (*Certificate,
 		return nil, err
 	}

-	// If no template use only the certificate request.
+	// If no template use only the certificate request with the default leaf key
+	// usages.
 	if o.CertBuffer == nil {
-		return newCertificateRequest(cr).GetCertificate(), nil
+		return newCertificateRequest(cr).GetLeafCertificate(), nil
 	}

 	// With templates
--- a/x509util/certificate_request.go
+++ b/x509util/certificate_request.go
@ -1,6 +1,9 @@
 package x509util

-import "crypto/x509"
+import (
+	"crypto/rsa"
+	"crypto/x509"
+)

 type CertificateRequest struct {
 	Version            int                     `json:"version"`
@ -17,6 +20,10 @@ type CertificateRequest struct {
 }

 func newCertificateRequest(cr *x509.CertificateRequest) *CertificateRequest {
+	extensions := make([]Extension, len(cr.Extensions))
+	for i, e := range cr.Extensions {
+		extensions[i] = newExtension(e)
+	}
 	return &CertificateRequest{
 		Version:            cr.Version,
 		Subject:            newSubject(cr.Subject),
@ -24,7 +31,7 @@ func newCertificateRequest(cr *x509.CertificateRequest) *CertificateRequest {
 		EmailAddresses:     cr.EmailAddresses,
 		IPAddresses:        cr.IPAddresses,
 		URIs:               cr.URIs,
-		Extensions:         nil,
+		Extensions:         extensions,
 		PublicKey:          cr.PublicKey,
 		PublicKeyAlgorithm: cr.PublicKeyAlgorithm,
 		Signature:          cr.Signature,
@ -44,3 +51,18 @@ func (c *CertificateRequest) GetCertificate() *Certificate {
 		PublicKeyAlgorithm: c.PublicKeyAlgorithm,
 	}
 }
+
+func (c *CertificateRequest) GetLeafCertificate() *Certificate {
+	keyUsage := x509.KeyUsageDigitalSignature
+	if _, ok := c.PublicKey.(*rsa.PublicKey); ok {
+		keyUsage |= x509.KeyUsageKeyEncipherment
+	}
+
+	cert := c.GetCertificate()
+	cert.KeyUsage = KeyUsage(keyUsage)
+	cert.ExtKeyUsage = ExtKeyUsage([]x509.ExtKeyUsage{
+		x509.ExtKeyUsageServerAuth,
+		x509.ExtKeyUsageClientAuth,
+	}
+	return cert
+}
--- a/x509util/extensions.go
+++ b/x509util/extensions.go
@ -54,6 +54,15 @@ type Extension struct {
 	Value    []byte           `json:"value"`
 }

+// newExtensions creates an Extension from a standard pkix.Extension.
+func newExtension(e pkix.Extension) Extension {
+	return Extension{
+		ID:       ObjectIdentifier(e.Id),
+		Critical: e.Critical,
+		Value:    e.Value,
+	}
+}
+
 // Set adds the extension to the given X509 certificate.
 func (e Extension) Set(c *x509.Certificate) {
 	c.ExtraExtensions = append(c.ExtraExtensions, pkix.Extension{