Cert-checker: Don't require clientEKU (#7939)

mcpherrinm · jprenken · web-flow · commit 1b44b8acfd14 · 2025-01-13T13:08:26.000-08:00
This is required now that we're going to issue certificates with only the server EKU. Fixes #7938 --------- Co-authored-by: James Renken <jprenken@users.noreply.github.com>
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
@@ -422,7 +422,9 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
 			}
 		}
 		// Check the cert has the correct key usage extensions
-		if !slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth, zX509.ExtKeyUsageClientAuth}) {
+		serverAndClient := slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth, zX509.ExtKeyUsageClientAuth})
+		serverOnly := slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth})
+		if !(serverAndClient || serverOnly) {
 			problems = append(problems, "Certificate has incorrect key usage extensions")
 		}
 
diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go
@@ -291,7 +291,7 @@ func TestCheckCert(t *testing.T) {
 				delete(problemsMap, p)
 			}
 			for k := range problemsMap {
-				t.Errorf("Expected problem but didn't find it: '%s'.", k)
+				t.Errorf("Expected problem but didn't find '%s' in problems: %q.", k, problems)
 			}
 
 			// Same settings as above, but the stored serial number in the DB is invalid.

Original file line number	Diff line number	Diff line change
`@@ -422,7 +422,9 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno`
`422`	`422`	`}`
`423`	`423`	`}`
`424`	`424`	`// Check the cert has the correct key usage extensions`
`425`		`- if !slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth, zX509.ExtKeyUsageClientAuth}) {`
	`425`	`+ serverAndClient := slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth, zX509.ExtKeyUsageClientAuth})`
	`426`	`+ serverOnly := slices.Equal(parsedCert.ExtKeyUsage, []zX509.ExtKeyUsage{zX509.ExtKeyUsageServerAuth})`
	`427`	`+ if !(serverAndClient \|\| serverOnly) {`
`426`	`428`	`problems = append(problems, "Certificate has incorrect key usage extensions")`
`427`	`429`	`}`
`428`	`430`
Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,7 @@ func TestCheckCert(t *testing.T) {`
`291`	`291`	`delete(problemsMap, p)`
`292`	`292`	`}`
`293`	`293`	`for k := range problemsMap {`
`294`		`- t.Errorf("Expected problem but didn't find it: '%s'.", k)`
	`294`	`+ t.Errorf("Expected problem but didn't find '%s' in problems: %q.", k, problems)`
`295`	`295`	`}`
`296`	`296`
`297`	`297`	`// Same settings as above, but the stored serial number in the DB is invalid.`