make KeyUsage and BasicConstraints Critical extensions

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

pkg/util/pki/basicconstraints.go

@@ -35,7 +35,7 @@ type basicConstraints struct {
 
 // Adapted from x509.go
 func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionBasicConstraints}
+	ext := pkix.Extension{Id: OIDExtensionBasicConstraints, Critical: true}
 
 	// A value of -1 causes encoding/asn1 to omit the value as desired.
 	maxPathLenValue := -1

pkg/util/pki/csr_test.go

@@ -410,8 +410,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	defaultExtraExtensions := []pkix.Extension{
 		{
-			Id:    OIDExtensionKeyUsage,
+			Id:       OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Value:    asn1KeyUsage,
+			Critical: true,
 		},
 	}
 
@@ -421,8 +422,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	ipsecExtraExtensions := []pkix.Extension{
 		{
-			Id:    OIDExtensionKeyUsage,
+			Id:       OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Value:    asn1KeyUsage,
+			Critical: true,
 		},
 		{
 			Id:    OIDExtensionExtendedKeyUsage,
@@ -506,8 +508,9 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
+						Id:       OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Value:    asn1KeyUsageWithCa,
+						Critical: true,
 					},
 				},
 			},
@@ -522,12 +525,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
+						Id:       OIDExtensionKeyUsage,
-						Value: asn1KeyUsage,
+						Value:    asn1KeyUsage,
+						Critical: true,
 					},
 					{
-						Id:    OIDExtensionBasicConstraints,
+						Id:       OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithoutCA,
+						Value:    basicConstraintsWithoutCA,
+						Critical: true,
 					},
 				},
 			},
@@ -543,12 +548,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
+						Id:       OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Value:    asn1KeyUsageWithCa,
+						Critical: true,
 					},
 					{
-						Id:    OIDExtensionBasicConstraints,
+						Id:       OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithCA,
+						Value:    basicConstraintsWithCA,
+						Critical: true,
 					},
 				},
 			},
@@ -658,8 +665,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			crt:  &cmapi.Certificate{},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
+					Id:       OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 			},
 			wantErr: false,
@@ -673,8 +681,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
+					Id:       OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id:    OIDExtensionExtendedKeyUsage,
@@ -692,8 +701,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
+					Id:       OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id:    OIDExtensionExtendedKeyUsage,

pkg/util/pki/keyusage.go

@@ -128,7 +128,7 @@ func reverseBitsInAByte(in byte) byte {
 
 // Adapted from x509.go
 func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionKeyUsage}
+	ext := pkix.Extension{Id: OIDExtensionKeyUsage, Critical: true}
 
 	var a [2]byte
 	a[0] = reverseBitsInAByte(byte(usage))