make KeyUsage and BasicConstraints Critical extensions

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Tim Ramlot 2023-05-11 10:28:26 +02:00
parent bf5a482ab7
commit 9606f4d5fe
No known key found for this signature in database
GPG Key ID: 47428728E0C2878D
3 changed files with 32 additions and 22 deletions


@ -35,7 +35,7 @@ type basicConstraints struct {
// Adapted from x509.go
func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error) {
ext := pkix.Extension{Id: OIDExtensionBasicConstraints}
ext := pkix.Extension{Id: OIDExtensionBasicConstraints, Critical: true}
// A value of -1 causes encoding/asn1 to omit the value as desired.
maxPathLenValue := -1
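Review bot: The exported MarshalBasicConstraints now hard-codes `Critical: true`, but its only comment is still `// Adapted from x509.go`, so a reader cannot tell that the criticality is deliberate or that it applies to both CA and non-CA requests. I would add a doc comment such as `// MarshalBasicConstraints encodes the BasicConstraints extension and marks it critical, as RFC 5280 section 4.2.1.9 requires for CA certificates.` The same applies to MarshalKeyUsage in the last file section, where RFC 5280 section 4.2.1.3 says CAs SHOULD mark KeyUsage critical. The tests in this commit place these extensions in CSR ExtraExtensions, so whether an issued certificate actually carries the critical flag presumably depends on the signer honouring the request, which is not visible in this diff. The function body continues outside the hunk.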


@ -410,8 +410,9 @@ func TestGenerateCSR(t *testing.T) {
}
defaultExtraExtensions := []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Critical: true,
},
}
@ -421,8 +422,9 @@ func TestGenerateCSR(t *testing.T) {
}
ipsecExtraExtensions := []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Critical: true,
},
{
Id: OIDExtensionExtendedKeyUsage,
@ -506,8 +508,9 @@ func TestGenerateCSR(t *testing.T) {
Subject: pkix.Name{CommonName: "example.org"},
ExtraExtensions: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsageWithCa,
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsageWithCa,
Critical: true,
},
},
},
@ -522,12 +525,14 @@ func TestGenerateCSR(t *testing.T) {
Subject: pkix.Name{CommonName: "example.org"},
ExtraExtensions: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsage,
Critical: true,
},
{
Id: OIDExtensionBasicConstraints,
Value: basicConstraintsWithoutCA,
Id: OIDExtensionBasicConstraints,
Value: basicConstraintsWithoutCA,
Critical: true,
},
},
},
@ -543,12 +548,14 @@ func TestGenerateCSR(t *testing.T) {
Subject: pkix.Name{CommonName: "example.org"},
ExtraExtensions: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsageWithCa,
Id: OIDExtensionKeyUsage,
Value: asn1KeyUsageWithCa,
Critical: true,
},
{
Id: OIDExtensionBasicConstraints,
Value: basicConstraintsWithCA,
Id: OIDExtensionBasicConstraints,
Value: basicConstraintsWithCA,
Critical: true,
},
},
},
@ -658,8 +665,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
crt: &cmapi.Certificate{},
want: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Critical: true,
},
},
wantErr: false,
@ -673,8 +681,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
},
want: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Critical: true,
},
{
Id: OIDExtensionExtendedKeyUsage,
@ -692,8 +701,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
},
want: []pkix.Extension{
{
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Id: OIDExtensionKeyUsage,
Value: asn1DefaultKeyUsage,
Critical: true,
},
{
Id: OIDExtensionExtendedKeyUsage,


@ -128,7 +128,7 @@ func reverseBitsInAByte(in byte) byte {
// Adapted from x509.go
func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error) {
ext := pkix.Extension{Id: OIDExtensionKeyUsage}
ext := pkix.Extension{Id: OIDExtensionKeyUsage, Critical: true}
var a [2]byte
a[0] = reverseBitsInAByte(byte(usage))