From e208c5c4fe5463a23fc6a9cfaacbe06fdfae3aae7cd6c37f33d591181599e8cd Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Tue, 11 Feb 2025 10:27:46 +0300 Subject: [PATCH] Do not require CA KU existence --- c/cmd/cer-verify/cer-verify.c | 7 ------- go/pki/cer.go | 5 ----- go/pki/cmd/certool/basic.t | 4 ++-- spec/format/cer-load.cddl | 2 +- spec/format/cer.texi | 3 +-- 5 files changed, 4 insertions(+), 17 deletions(-) diff --git a/c/cmd/cer-verify/cer-verify.c b/c/cmd/cer-verify/cer-verify.c index bb3f6ce..f303c0d 100644 --- a/c/cmd/cer-verify/cer-verify.c +++ b/c/cmd/cer-verify/cer-verify.c @@ -95,13 +95,6 @@ main(int argc, char **argv) fputs("ok\n", stdout); break; } - { - size_t ku = KEKSItemsGetByKey(&(verifier->items), verifier->load, "ku"); - if ((ku == 0) || KEKSItemsGetByKey(&(verifier->items), ku, "ca") == 0) { - fputs("no ca ku\n", stdout); - return EXIT_FAILURE; - } - } fputs("ok\n", stdout); toVerify = verifier; } diff --git a/go/pki/cer.go b/go/pki/cer.go index e6a3491..1bd90c7 100644 --- a/go/pki/cer.go +++ b/go/pki/cer.go @@ -31,7 +31,6 @@ import ( ) const ( - KUCA = "ca" // CA-capable key usage KUSig = "sig" // Signing-capable key usage KUKEM = "kem" // Key-encapsulation-mechanism key usage CerMagic = keks.Magic("pki/cer") @@ -307,10 +306,6 @@ func (signed *Signed) CerVerify(cers []*Signed, t time.Time) (err error) { err = errors.New("cer can not sign") return } - if !cerLoad.Can(KUCA) { - err = errors.New("cer can not ca") - return - } idToCer[cerLoad.Pub[0].Id] = cer } signer := idToCer[sid] diff --git a/go/pki/cmd/certool/basic.t b/go/pki/cmd/certool/basic.t index 20da835..705dd6e 100755 --- a/go/pki/cmd/certool/basic.t +++ b/go/pki/cmd/certool/basic.t @@ -11,7 +11,7 @@ ed25519-blake2b ed25519-blake2b" | while read caAlgo eeAlgo ; do subj="-subj CN=CA -subj C=RU" test_expect_success "$caAlgo: CA load generation" "certool \ -algo $caAlgo \ - -ku ca -ku sig $subj \ + -ku sig $subj \ -prv $TMPDIR/ca.prv -cer $TMPDIR/ca.cer" test_expect_success "$caAlgo: CA generation" "certool \ -cer $TMPDIR/ca.cer \ @@ -27,7 +27,7 @@ test_expect_success "$caAlgo: CA self-signature" "certool \ subj="-subj CN=SubCA -subj C=RU" test_expect_success "$eeAlgo: SubCA load generation" "certool \ -algo $eeAlgo \ - -ku ca -ku sig $subj \ + -ku sig $subj \ -prv $TMPDIR/subca.prv -cer $TMPDIR/subca.cer" test_expect_success "$eeAlgo: SubCA generation" "certool \ -cer $TMPDIR/subca.cer \ diff --git a/spec/format/cer-load.cddl b/spec/format/cer-load.cddl index 8e3e228..ea64836 100644 --- a/spec/format/cer-load.cddl +++ b/spec/format/cer-load.cddl @@ -9,5 +9,5 @@ cer-load = { * text => any } -ku = "ca" / "sig" / "kem" / "app-name" / text +ku = "sig" / "kem" / "app-name" / text crit-ext-type = text diff --git a/spec/format/cer.texi b/spec/format/cer.texi index d63ef01..a34f244 100644 --- a/spec/format/cer.texi +++ b/spec/format/cer.texi @@ -41,8 +41,7 @@ identifier, that @strong{should} be generated as an UUIDv4 based on the hash of the key. @item ku -Intended public key(s) usage. Certificate @strong{must} be signed with -the certificate having "ca" key usage, unless it is self-signed. +Intended public key(s) usage. Application-specific example with multiple public keys is described above. It @strong{must} be absent if empty. -- 2.48.1