-rw-r--r--instance.go2
-rw-r--r--x509.go2
2 files changed, 3 insertions, 1 deletions
diff --git a/instance.go b/instance.go
index d5c47c9..843e9f8 100644
--- a/instance.go
+++ b/instance.go
@@ -30,6 +30,7 @@ type LogParameters struct {
MaxChain int64 // max submitter certificate chain length
AnchorPool *x509.CertPool // for chain verification
AnchorList []*x509.Certificate // for access to the raw certificates
+ KeyUsage []x509.ExtKeyUsage // which extended key usages are accepted
Signer crypto.Signer
HashType crypto.Hash // hash function used by Trillian
}
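Review bot: The new `KeyUsage` field comment does not say what an empty or nil slice means, and for this field that matters: Go's `x509.VerifyOptions.KeyUsages` falls back to `ExtKeyUsageServerAuth` when it is left empty, so a `LogParameters` built without `NewLogParameters` would silently reject most chains. I would extend the field comment to `// which extended key usages are accepted; nil/empty makes x509.Verify default to ExtKeyUsageServerAuth, so callers must set it (NewLogParameters uses ExtKeyUsageAny)`. The struct definition starts before the hunk, so I cannot see whether the type itself documents this.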
@@ -81,6 +82,7 @@ func NewLogParameters(treeId int64, prefix string, anchorPath, keyPath string, m
MaxChain: maxChain,
AnchorPool: anchorPool,
AnchorList: anchorList,
+ KeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
Signer: key,
HashType: crypto.SHA256,
}, nil
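Review bot: Hard-coding `x509.ExtKeyUsageAny` here means the constructor still disables extended-key-usage checking entirely, which is the same behaviour the old TODO in x509.go wanted to move out of the verifier, not a tightening of it. If the intent of the new field is to let operators restrict what submitters may present, the value should come from a constructor argument or a config option rather than being fixed inside `NewLogParameters`; as written, the only way to restrict it is to mutate the returned struct afterwards. At minimum a comment such as `// ExtKeyUsageAny accepts every EKU; override KeyUsage to restrict submissions` would make the default explicit. The function's signature and closing brace are outside the hunk.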
diff --git a/x509.go b/x509.go
index 16cc8c6..e0fa3bc 100644
--- a/x509.go
+++ b/x509.go
@@ -172,7 +172,7 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
opts := x509.VerifyOptions{
Roots: lp.AnchorPool,
Intermediates: intermediatePool,
- KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
+ KeyUsages: lp.KeyUsage, // no extended key usage passes by default
}
chains, err := certificate.Verify(opts)
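Review bot: The replacement comment `// no extended key usage passes by default` contradicts the value the constructor actually installs: `NewLogParameters` sets `ExtKeyUsageAny`, which accepts every EKU, while an unset `lp.KeyUsage` does not fail all chains but makes `certificate.Verify` fall back to `ExtKeyUsageServerAuth`. Either meaning is wrong as written, and the second is a silent behaviour change for any `LogParameters` not built through the constructor. I would reword the line to `KeyUsages: lp.KeyUsage, // nil/empty falls back to ExtKeyUsageServerAuth; NewLogParameters sets ExtKeyUsageAny` or, if the verifier should never run without an explicit policy, return an error before building `opts` when `len(lp.KeyUsage) == 0`. The rest of `buildChainFromB64List` is outside the hunk.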