Fix KeyUsage on x509 template

x509.KeyUsageKeyEncipherment is only valid for RSA. It's probably harmless to have it on other things, but it really shouldn't be there.
pion · May 24, 2022 · 2d27879 · 2d27879
1 parent 74571b5
commit 2d27879
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pkg/crypto/selfsign/selfsign.go b/pkg/crypto/selfsign/selfsign.go
@@ -72,14 +72,19 @@ func WithDNS(key crypto.PrivateKey, cn string, sans ...string) (tls.Certificate,
 	names := []string{cn}
 	names = append(names, sans...)
 
+	keyUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
+	if _, isRSA := key.(*rsa.PrivateKey); isRSA {
+		keyUsage |= x509.KeyUsageKeyEncipherment
+	}
+
 	template := x509.Certificate{
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
 			x509.ExtKeyUsageServerAuth,
 		},
 		BasicConstraintsValid: true,
 		NotBefore:             time.Now(),
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage:              keyUsage,
 		NotAfter:              time.Now().AddDate(0, 1, 0),
 		SerialNumber:          serialNumber,
 		Version:               2,