Add three new keys to the CA's ProfileConfig:

- OmitKeyEncipherment causes the keyEncipherment Key Usage to be omitted from certificates with RSA public keys. We currently include it for backwards compatibility with TLS 1.1 servers that don't support modern cipher suites, but this KU is completely useless as of TLS 1.3.
- OmitClientAuth causes the tlsClientAuthentication Extended Key Usage to be omitted from all certificates. We currently include it to support any subscribers who may be relying on it, but Root Programs are moving towards single-purpose hierarchies and its inclusion is being discouraged.
- OmitSKID causes the Subject Key Identifier extension to be omitted from all certificates. We currently include this extension because it is recommended by RFC 5280, but it serves little to no practical purpose and consumes a large number of bytes, so it is now NOT RECOMMENDED by the Baseline Requirements.

Make substantive changes to issuer.requestValid and issuer.Prepare to implement the desired behavior for each of these options. Make a very slight change to ra.matchesCSR to generally allow for serverAuth-only EKUs. Improve the unit tests of both the //ca and //issuance packages to cover the new behavior.

Part of https://github.com/letsencrypt/boulder/issues/7610
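The three omission knobs and the relaxed EKU match, as an added Go example that is not Boulder's code. `ProfileConfig`, `requestValid`, `prepare` and `ekuAcceptable` are stand-ins named after the commit message, not the project's actual functions; the self-signed issuance (so the demo needs no CA hierarchy) and the SHA-256-derived Subject Key Identifier are assumptions made for the demonstration. The point it shows that the message only states: keyEncipherment is tied to the key type (an ECDSA key never gets it, regardless of the flag), clientAuth and SKID are dropped unconditionally, and a request that insists on clientAuth under a profile that omits it must be rejected up front rather than silently issued without it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ProfileConfig is a stand-in carrying only the three omission keys from the
// commit message; Boulder's real struct has many more fields.
type ProfileConfig struct {
	OmitKeyEncipherment bool
	OmitClientAuth      bool
	OmitSKID            bool
}

// requestValid is a stand-in for issuer.requestValid: a request that asks for
// clientAuth must be refused when the profile cannot emit it.
func requestValid(cfg ProfileConfig, wantClientAuth bool) error {
	if wantClientAuth && cfg.OmitClientAuth {
		return errors.New("profile omits the clientAuth EKU but the request asks for it")
	}
	return nil
}

// prepare is a stand-in for issuer.Prepare: it builds an end-entity template
// under cfg. serverAuth and digitalSignature are always present.
func prepare(cfg ProfileConfig, pub crypto.PublicKey, serial *big.Int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed sample name
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf
	}
	switch pub.(type) {
	case *rsa.PublicKey:
		// keyEncipherment only ever made sense for RSA key transport.
		if !cfg.OmitKeyEncipherment {
			tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		}
	case *ecdsa.PublicKey:
		// ECDSA keys cannot encrypt, so the flag is irrelevant for them.
	default:
		return nil, fmt.Errorf("unsupported public key type %T", pub)
	}
	if !cfg.OmitClientAuth {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
	}
	if !cfg.OmitSKID {
		// Assumption for the demo: SKID = first 20 bytes of SHA-256(SPKI).
		// Go only auto-generates an SKID for CA templates, so a leaf with an
		// empty SubjectKeyId really is issued without the extension.
		spki, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, err
		}
		sum := sha256.Sum256(spki)
		tmpl.SubjectKeyId = sum[:20]
	}
	return tmpl, nil
}

// ekuAcceptable is a stand-in for the relaxed ra.matchesCSR check: the issued
// EKU set must be exactly {serverAuth} or {serverAuth, clientAuth}.
func ekuAcceptable(ekus []x509.ExtKeyUsage) bool {
	var server, client, other int
	for _, e := range ekus {
		switch e {
		case x509.ExtKeyUsageServerAuth:
			server++
		case x509.ExtKeyUsageClientAuth:
			client++
		default:
			other++
		}
	}
	return server == 1 && client <= 1 && other == 0
}

// Issued records which of the three contested fields landed in the parsed cert.
type Issued struct {
	KeyEncipherment bool
	ClientAuth      bool
	SKID            bool
}

// Issue generates a fresh key of the requested type, prepares a template under
// cfg, self-signs it (demo stand-in for the CA signature) and re-parses the DER
// so the check reflects the encoded bytes rather than the template.
func Issue(cfg ProfileConfig, useRSA bool) (Issued, error) {
	var priv crypto.Signer
	var err error
	if useRSA {
		priv, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return Issued{}, err
	}
	tmpl, err := prepare(cfg, priv.Public(), big.NewInt(1))
	if err != nil {
		return Issued{}, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return Issued{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Issued{}, err
	}
	out := Issued{
		KeyEncipherment: cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0,
		SKID:            len(cert.SubjectKeyId) > 0,
	}
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageClientAuth {
			out.ClientAuth = true
		}
	}
	return out, nil
}

func main() {
	for _, cfg := range []ProfileConfig{{}, {OmitKeyEncipherment: true, OmitClientAuth: true, OmitSKID: true}} {
		got, err := Issue(cfg, true)
		fmt.Printf("RSA under %+v -> %+v err=%v\n", cfg, got, err)
	}
}
```

Run the block as-is to see the two RSA profiles side by side; the ECDSA path and the rejection in `requestValid` are what a unit test in the spirit of the `//issuance` tests would pin down.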