x509-cert: builder: make keyEncipherment usage optional
ECDSA keys can not be used for keyEncipherment. Make this keyUsage bit
optional.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
lumag committed Apr 16, 2023
1 parent ff1274d commit 3346519
Showing 2 changed files with 8 additions and 3 deletions.
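--- a/x509-cert/src/builder.rs
+++ b/x509-cert/src/builder.rs
@@ -90,6 +90,8 @@ pub enum Profile {
 issuer: Name,
 /// should the key agreement flag of KeyUsage be enabled
 enable_key_agreement: bool,
+/// should the key encipherment flag of KeyUsage be enabled
+enable_key_encipherment: bool,
 },
 #[cfg(feature = "hazmat")]
 /// Opt-out of the default extensions
@@ -169,11 +171,13 @@ impl Profile {
 }
 Profile::Leaf {
 enable_key_agreement,
+enable_key_encipherment,
 ..
 } => {
-let mut key_usage = KeyUsages::DigitalSignature
-| KeyUsages::NonRepudiation
-| KeyUsages::KeyEncipherment;
+let mut key_usage = KeyUsages::DigitalSignature | KeyUsages::NonRepudiation;
+if *enable_key_encipherment {
+key_usage |= KeyUsages::KeyEncipherment;
+}
 if *enable_key_agreement {
 key_usage |= KeyUsages::KeyAgreement;
 }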
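Review bot: The `Profile::Leaf` arm sets `KeyUsages::KeyEncipherment` purely from the caller's bool, with no check against the subject key's algorithm, so the builder will still emit an ECDSA leaf with keyEncipherment asserted if a caller passes `true` — the combination the commit message says is invalid (RFC 8813 forbids it for id-ecPublicKey keys). At minimum the field doc should say so, e.g. `/// Assert keyEncipherment in KeyUsage; only for keys used for key transport (e.g. RSA), must be false for ECDSA keys`. The new field is also required on a public enum variant, and callers that previously got keyEncipherment unconditionally now have to pass `true` to keep issuing the same certificates; that is worth a changelog entry. The `impl Profile` body starts and ends outside the hunk, so whether the key type is available at this point cannot be seen here.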
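--- a/x509-cert/tests/builder.rs
+++ b/x509-cert/tests/builder.rs
@@ -116,6 +116,7 @@ fn leaf_certificate() {
 let profile = Profile::Leaf {
 issuer,
 enable_key_agreement: false,
+enable_key_encipherment: false,
 };
 
 let subject = Name::from_str("CN=service.domination.world")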
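Review bot: `leaf_certificate` only exercises `enable_key_encipherment: false`, and nothing visible in the hunk asserts the KeyUsage bits of the built certificate, so neither the new opt-out path nor the opt-in path is pinned by a test. A second case with `enable_key_encipherment: true` that checks the extension contains `KeyUsages::KeyEncipherment`, plus a check that the `false` case omits it, would catch a regression that silently changes the key usage of issued certificates. The test body continues outside the hunk, so existing assertions may already cover part of this.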
