Merge pull request cert-manager#6053 from inteon/critical_change

Make KeyUsage and BasicConstraints Critical extensions in the CSR blob

pkg/util/pki/basicconstraints.go

@@ -35,7 +35,7 @@ type basicConstraints struct {
 
 // Adapted from x509.go
 func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionBasicConstraints}
+	ext := pkix.Extension{Id: OIDExtensionBasicConstraints, Critical: true}
 
 	// A value of -1 causes encoding/asn1 to omit the value as desired.
 	maxPathLenValue := -1

pkg/util/pki/csr_test.go

@@ -407,8 +407,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	defaultExtraExtensions := []pkix.Extension{
 		{
-			Id:    OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Id:       OIDExtensionKeyUsage,
+			Value:    asn1KeyUsage,
+			Critical: true,
 		},
 	}
 
@@ -418,8 +419,9 @@ func TestGenerateCSR(t *testing.T) {
 	}
 	ipsecExtraExtensions := []pkix.Extension{
 		{
-			Id:    OIDExtensionKeyUsage,
-			Value: asn1KeyUsage,
+			Id:       OIDExtensionKeyUsage,
+			Value:    asn1KeyUsage,
+			Critical: true,
 		},
 		{
 			Id:    OIDExtensionExtendedKeyUsage,
@@ -503,8 +505,9 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Id:       OIDExtensionKeyUsage,
+						Value:    asn1KeyUsageWithCa,
+						Critical: true,
 					},
 				},
 			},
@@ -519,12 +522,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
-						Value: asn1KeyUsage,
+						Id:       OIDExtensionKeyUsage,
+						Value:    asn1KeyUsage,
+						Critical: true,
 					},
 					{
-						Id:    OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithoutCA,
+						Id:       OIDExtensionBasicConstraints,
+						Value:    basicConstraintsWithoutCA,
+						Critical: true,
 					},
 				},
 			},
@@ -540,12 +545,14 @@ func TestGenerateCSR(t *testing.T) {
 				Subject:            pkix.Name{CommonName: "example.org"},
 				ExtraExtensions: []pkix.Extension{
 					{
-						Id:    OIDExtensionKeyUsage,
-						Value: asn1KeyUsageWithCa,
+						Id:       OIDExtensionKeyUsage,
+						Value:    asn1KeyUsageWithCa,
+						Critical: true,
 					},
 					{
-						Id:    OIDExtensionBasicConstraints,
-						Value: basicConstraintsWithCA,
+						Id:       OIDExtensionBasicConstraints,
+						Value:    basicConstraintsWithCA,
+						Critical: true,
 					},
 				},
 			},
@@ -655,8 +662,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			crt:  &cmapi.Certificate{},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id:       OIDExtensionKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 			},
 			wantErr: false,
@@ -670,8 +678,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id:       OIDExtensionKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id:    OIDExtensionExtendedKeyUsage,
@@ -689,8 +698,9 @@ func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 			},
 			want: []pkix.Extension{
 				{
-					Id:    OIDExtensionKeyUsage,
-					Value: asn1DefaultKeyUsage,
+					Id:       OIDExtensionKeyUsage,
+					Value:    asn1DefaultKeyUsage,
+					Critical: true,
 				},
 				{
 					Id:    OIDExtensionExtendedKeyUsage,

pkg/util/pki/keyusage.go

@@ -128,7 +128,7 @@ func reverseBitsInAByte(in byte) byte {
 
 // Adapted from x509.go
 func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error) {
-	ext := pkix.Extension{Id: OIDExtensionKeyUsage}
+	ext := pkix.Extension{Id: OIDExtensionKeyUsage, Critical: true}
 
 	var a [2]byte
 	a[0] = reverseBitsInAByte(byte(usage))