Require ClientAuth when verifying an X5cInsecure certificate

The X5cInsecure certificate is used by step-ca to renew certificates without using mTLS, usually expired certificates. Certificate.Verify defaults to require ServerAuth if no KeyUsages is set as an option. But due to how these tokens are used, it makes more sense to require only ClientAuth. Related to smallstep/certificates#1843
smallstep · May 14, 2024 · 47190f3 · 47190f3
1 parent d694da8
commit 47190f3
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/jose/parse.go b/jose/parse.go
@@ -267,6 +267,9 @@ func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][
 		Intermediates: interPool,
 		// A hack so we skip validity period validation.
 		CurrentTime: leaf.NotAfter.Add(-1 * time.Minute),
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+		},
 	})
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error verifying x5cInsecure certificate chain")