diff options
| -rw-r--r-- | instance.go | 2 | ||||
| -rw-r--r-- | x509.go | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/instance.go b/instance.go index d5c47c9..843e9f8 100644 --- a/instance.go +++ b/instance.go @@ -30,6 +30,7 @@ type LogParameters struct { MaxChain int64 // max submitter certificate chain length AnchorPool *x509.CertPool // for chain verification AnchorList []*x509.Certificate // for access to the raw certificates + KeyUsage []x509.ExtKeyUsage // which extended key usages are accepted Signer crypto.Signer HashType crypto.Hash // hash function used by Trillian } @@ -81,6 +82,7 @@ func NewLogParameters(treeId int64, prefix string, anchorPath, keyPath string, m MaxChain: maxChain, AnchorPool: anchorPool, AnchorList: anchorList, + KeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, Signer: key, HashType: crypto.SHA256, }, nil @@ -172,7 +172,7 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif opts := x509.VerifyOptions{ Roots: lp.AnchorPool, Intermediates: intermediatePool, - KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld + KeyUsages: lp.KeyUsage, // no extended key usage passes by default } chains, err := certificate.Verify(opts) |