| author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-11-04 12:51:27 +0100 | 
|---|---|---|
| committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-11-04 12:51:27 +0100 | 
| commit | 85a8733284337756df4c8a04a816aa2bfb5a847f (patch) | |
| tree | 7e9c2f7c19c998eeccfc8e713102acb598319508 | |
| parent | 0e2d1423e8863279d187429ee4fb80b371816d42 (diff) | |
moved extended key usage to log parameters
| -rw-r--r-- | instance.go | 2 | ||||
| -rw-r--r-- | x509.go | 2 | 
2 files changed, 3 insertions, 1 deletions
|
diff --git a/instance.go b/instance.go
index d5c47c9..843e9f8 100644
--- a/instance.go
+++ b/instance.go
@@ -30,6 +30,7 @@ type LogParameters struct {
 	MaxChain   int64               // max submitter certificate chain length
 	AnchorPool *x509.CertPool      // for chain verification
 	AnchorList []*x509.Certificate // for access to the raw certificates
+	KeyUsage   []x509.ExtKeyUsage  // which extended key usages are accepted
 	Signer     crypto.Signer
 	HashType   crypto.Hash // hash function used by Trillian
 }
@@ -81,6 +82,7 @@ func NewLogParameters(treeId int64, prefix string, anchorPath, keyPath string, m
 		MaxChain:   maxChain,
 		AnchorPool: anchorPool,
 		AnchorList: anchorList,
+		KeyUsage:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 		Signer:     key,
 		HashType:   crypto.SHA256,
 	}, nil
@@ -172,7 +172,7 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
 	opts := x509.VerifyOptions{
 		Roots:         lp.AnchorPool,
 		Intermediates: intermediatePool,
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
+		KeyUsages:     lp.KeyUsage, // no extended key usage passes by default
 	}
 	chains, err := certificate.Verify(opts) | 
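Review bot: The new field in LogParameters is named `KeyUsage` although it holds `[]x509.ExtKeyUsage`, and crypto/x509 also defines a separate `KeyUsage` bit-mask type for the basic key usage extension, so the name invites confusion between the two. A name such as `ExtKeyUsages` would line up with the `KeyUsages` field of `x509.VerifyOptions` that it feeds in buildChainFromB64List. The field comment could also say what an empty slice means, for example `// extended key usages accepted in chain verification; empty falls back to the x509.VerifyOptions default`. The struct declaration starts before this hunk.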
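Review bot: In NewLogParameters the accepted usages are still fixed to `x509.ExtKeyUsageAny`, so the value has moved into LogParameters but an operator cannot yet restrict it, and every log instance accepts chains whatever EKU the submitter certificate carries. If that is the intended policy for now, stating it on the line would help the next reader, e.g. `// ExtKeyUsageAny disables EKU filtering; narrow this if the log should only accept specific usages`. Otherwise the slice could be passed in as an argument alongside `maxChain`. The function begins and continues outside the hunk.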
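Review bot: The trailing comment `// no extended key usage passes by default` on the `KeyUsages` line does not match how the standard library treats an empty list: in crypto/x509 an empty `KeyUsages` means `ExtKeyUsageServerAuth` only, neither "accept nothing" nor "accept anything" (the import is outside the hunk, so this assumes the stdlib package or a fork with the same rule). A LogParameters value built without NewLogParameters, such as a struct literal in a test, would therefore silently verify chains for server authentication only. Consider rewording to `KeyUsages: lp.KeyUsage, // empty means ExtKeyUsageServerAuth only; NewLogParameters sets ExtKeyUsageAny`, or returning an error when `len(lp.KeyUsage) == 0` before calling Verify. buildChainFromB64List starts and continues outside the hunk.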
