boulder

History

Aaron Gable 7672d9bc99 CA: Verify digitalSignature and certSign key usages (#5091 ) When the CA loads new issuers (both their certificates and their private keys), it performs a variety of sanity checks, such as ensuring that the profile's signature algorithm matches the key type. With this change, we also check that the issuer's certificate has the appropriate key usage bits set: `certSign`, if it is going to be issuing end-entity certs; and `digitalSignature`, because it will be signing OCSP responses for previously-issued certificates. Fixes #5068	2020-09-18 16:10:12 -07:00
..
issuance.go	CA: Verify digitalSignature and certSign key usages (#5091 )	2020-09-18 16:10:12 -07:00
issuance_test.go	CA: Verify digitalSignature and certSign key usages (#5091 )	2020-09-18 16:10:12 -07:00

CA: Verify digitalSignature and certSign key usages (#5091 )

When the CA loads new issuers (both their certificates and their
private keys), it performs a variety of sanity checks, such as
ensuring that the profile's signature algorithm matches the key
type.

With this change, we also check that the issuer's certificate has
the appropriate key usage bits set:
`certSign`, if it is going to be issuing end-entity certs; and
`digitalSignature`, because it will be signing OCSP responses for
previously-issued certificates.

Fixes #5068

2020-09-18 16:10:12 -07:00

issuance.go

CA: Verify digitalSignature and certSign key usages (#5091 )

2020-09-18 16:10:12 -07:00

issuance_test.go

CA: Verify digitalSignature and certSign key usages (#5091 )

2020-09-18 16:10:12 -07:00