Google Git
Sign in
go / crypto / 420870623a70591d5e0b187c77c95455a1224ca6
commit420870623a70591d5e0b187c77c95455a1224ca6[log] [tgz]
authorFilippo Valsorda <hi@filippo.io>Thu Apr 06 22:44:21 2017 -0700
committerAlex Vaghin <ddos@google.com>Fri Apr 07 06:32:52 2017 +0000
tree9d23bc598cf2bd179ece2c9f7a4b7c98be4e6abc
parentc2303dcbe84172e0c0da4c9f083eeca54c06f298 [diff]
acme: set correct KeyUsage and ExtKeyUsage

A certificate must have the Server Auth Extended Key Usage to be used
for TLS, and an ECDSA certificate must have the Digital Signature Key
Usage to be used at all (you can't encrypt to an ECDSA key).

crypto/tls ignores (E)KUs when serving certificates, and most browsers
do as well, so it works, but OpenSSL would refuse to serve these
certificates, and clients would be allowed to reject them.

Change-Id: I699e58e613f01077e6b67fdb9e789d46e1672112
Reviewed-on: https://go-review.googlesource.com/39913
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
1 file changed
tree: 9d23bc598cf2bd179ece2c9f7a4b7c98be4e6abc
  1. acme/
  2. bcrypt/
  3. blake2b/
  4. blake2s/
  5. blowfish/
  6. bn256/
  7. cast5/
  8. chacha20poly1305/
  9. cryptobyte/
  10. curve25519/
  11. ed25519/
  12. hkdf/
  13. md4/
  14. nacl/
  15. ocsp/
  16. openpgp/
  17. otr/
  18. pbkdf2/
  19. pkcs12/
  20. poly1305/
  21. ripemd160/
  22. salsa20/
  23. scrypt/
  24. sha3/
  25. ssh/
  26. tea/
  27. twofish/
  28. xtea/
  29. xts/
  30. .gitattributes
  31. .gitignore
  32. AUTHORS
  33. codereview.cfg
  34. CONTRIBUTING.md
  35. CONTRIBUTORS
  36. LICENSE
  37. PATENTS
  38. README