From 9606f4d5feda30e59aaba994381145d93be24161 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Thu, 11 May 2023 10:28:26 +0200
Subject: [PATCH] make KeyUsage and BasicConstraints Critical extensions

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 pkg/util/pki/basicconstraints.go | 2 +-
 pkg/util/pki/csr_test.go | 50 +++++++++++++++++++-------------
 pkg/util/pki/keyusage.go | 2 +-
 3 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/pkg/util/pki/basicconstraints.go b/pkg/util/pki/basicconstraints.go
index e356c3bf5..916469ebe 100644
--- a/pkg/util/pki/basicconstraints.go
+++ b/pkg/util/pki/basicconstraints.go
@@ -35,7 +35,7 @@ type basicConstraints struct {
 
 // Adapted from x509.go
 func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionBasicConstraints}
+	ext := pkix.Extension{Id: OIDExtensionBasicConstraints, Critical: true}
 
 	// A value of -1 causes encoding/asn1 to omit the value as desired.
 	maxPathLenValue := -1
diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index 1b0e5fd24..d5c78b673 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@@ -410,8 +410,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	defaultExtraExtensions := []pkix.Extension{
 		{
-			Id: OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Id: OIDExtensionKeyUsage,
+			Value: asn1KeyUsage,
+			Critical: true,
 		},
 	}
 
@@ -421,8 +422,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	ipsecExtraExtensions := []pkix.Extension{
 		{
-			Id: OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Id: OIDExtensionKeyUsage,
+			Value: asn1KeyUsage,
+			Critical: true,
 		},
 		{
 			Id: OIDExtensionExtendedKeyUsage,
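Review bot: The only documentation on MarshalBasicConstraints is `// Adapted from x509.go`, and the new `Critical: true` on the `ext :=` line is not explained, so a later reader cannot tell whether the flag is deliberate policy or an accident of copying from the stdlib. I would extend the comment to `// Adapted from x509.go. The extension is marked critical: RFC 5280 §4.2.1.9 requires this for CA certificates and permits it for end-entity certificates.` The flag is set regardless of isCA, which is conformant but changes the DER of every certificate this produces; if any code path compares the extensions of an already-issued certificate or CSR against freshly marshalled ones, a previously non-critical extension will no longer compare equal and may trigger re-issuance — I cannot see such a comparison from this hunk, so please confirm. The rest of MarshalBasicConstraints lies outside the hunk.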
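Review bot: The expected `pkix.Extension{Id: OIDExtensionKeyUsage, Value: …, Critical: true}` literal is now spelled out by hand in this hunk and again in the hunks at -421, -506, -522, -543, -658, -673 and -692, which is why a one-field change needed nine near-identical edits. A small test-local builder such as `keyUsageExt := func(v []byte) pkix.Extension { return pkix.Extension{Id: OIDExtensionKeyUsage, Value: v, Critical: true} }` (and a matching one for OIDExtensionBasicConstraints) would keep the expected shape in one place without calling the code under test, so the expectation stays independent of MarshalKeyUsage. This is a style point only; the assertions themselves look correct.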
@@ -506,8 +508,9 @@ func TestGenerateCSR(t *testing.T) {
 				Subject: pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id: OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Id: OIDExtensionKeyUsage,
+						Value: asn1KeyUsageWithCa,
+						Critical: true,
 					},
 				},
 			},
@@ -522,12 +525,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject: pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id: OIDExtensionKeyUsage,
-						Value: asn1KeyUsage,
+						Id: OIDExtensionKeyUsage,
+						Value: asn1KeyUsage,
+						Critical: true,
 					},
 					{
-						Id: OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithoutCA,
+						Id: OIDExtensionBasicConstraints,
+						Value: basicConstraintsWithoutCA,
+						Critical: true,
 					},
 				},
 			},
@@ -543,12 +548,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject: pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id: OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Id: OIDExtensionKeyUsage,
+						Value: asn1KeyUsageWithCa,
+						Critical: true,
 					},
 					{
-						Id: OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithCA,
+						Id: OIDExtensionBasicConstraints,
+						Value: basicConstraintsWithCA,
+						Critical: true,
 					},
 				},
 			},
@@ -658,8 +665,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			crt: &cmapi.Certificate{},
 			want: []pkix.Extension{
 				{
-					Id: OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id: OIDExtensionKeyUsage,
+					Value: asn1DefaultKeyUsage,
+					Critical: true,
 				},
 			},
 			wantErr: false,
@@ -673,8 +681,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id: OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id: OIDExtensionKeyUsage,
+					Value: asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id: OIDExtensionExtendedKeyUsage,
@@ -692,8 +701,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id: OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id: OIDExtensionKeyUsage,
+					Value: asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id: OIDExtensionExtendedKeyUsage,
diff --git a/pkg/util/pki/keyusage.go b/pkg/util/pki/keyusage.go
index 4cc3dc24d..8134be0c5 100644
--- a/pkg/util/pki/keyusage.go
+++ b/pkg/util/pki/keyusage.go
@@ -128,7 +128,7 @@ func reverseBitsInAByte(in byte) byte {
 
 // Adapted from x509.go
 func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionKeyUsage}
+	ext := pkix.Extension{Id: OIDExtensionKeyUsage, Critical: true}
 
 	var a [2]byte
 	a[0] = reverseBitsInAByte(byte(usage))
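Review bot: With the extension now critical, a `usage` of zero yields a critical key usage extension whose BIT STRING has no bits set; RFC 5280 §4.2.1.3 says at least one bit MUST be set when the extension is present, and strict verifiers may reject a malformed critical extension outright where a non-critical one was tolerated. The hunk shows no guard on `usage == 0` before `ext :=` is built, but the remainder of MarshalKeyUsage and its callers are outside the hunk, so if that case is already rejected upstream this can be ignored; otherwise a one-line guard returning an error when `usage == 0` would make the contract explicit. I would also extend the bare `// Adapted from x509.go` comment to `// Adapted from x509.go. The extension is marked critical as RFC 5280 §4.2.1.3 recommends; callers must request at least one usage bit.` so the new flag is documented at the point it is set.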