From 205ee9f2e81b5c9fbb0ede705c43c31c57c86789 Mon Sep 17 00:00:00 2001
From: Matthias Hanel
Date: Thu, 28 Jan 2021 17:05:58 -0500
Subject: [PATCH] op.DidSign(op) was broken when strict sk usage was enforced
Signed-off-by: Matthias Hanel
---
 v2/operator_claims.go | 6 +++++-
 v2/operator_claims_test.go | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/v2/operator_claims.go b/v2/operator_claims.go
index 61d474e..f806002 100644
--- a/v2/operator_claims.go
+++ b/v2/operator_claims.go
@@ -166,6 +166,7 @@ func NewOperatorClaims(subject string) *OperatorClaims {
 }
 c := &OperatorClaims{}
 c.Subject = subject
+ c.Issuer = subject
 return c
 }
@@ -176,7 +177,10 @@ func (oc *OperatorClaims) DidSign(op Claims) bool {
 }
 issuer := op.Claims().Issuer
 if issuer == oc.Subject {
- return !oc.StrictSigningKeyUsage
+ if !oc.StrictSigningKeyUsage {
+ return true
+ }
+ return op.Claims().Subject == oc.Subject
 }
 return oc.SigningKeys.Contains(issuer)
 }
diff --git a/v2/operator_claims_test.go b/v2/operator_claims_test.go
index 31dac22..9b97c86 100644
--- a/v2/operator_claims_test.go
+++ b/v2/operator_claims_test.go
@@ -195,6 +195,12 @@ func TestSignedBy(t *testing.T) {
 AssertEquals(uc2.DidSign(ac), true, t) // actual key
 uc.SigningKeys.Add(publicKey(ckp2, t))
 AssertEquals(uc.DidSign(ac), true, t) // signing key
+ uc.StrictSigningKeyUsage = true
+ AssertEquals(uc.DidSign(uc), true, t)
+ AssertEquals(uc.DidSign(ac), true, t)
+ uc2.StrictSigningKeyUsage = true
+ AssertEquals(uc2.DidSign(uc2), true, t)
+ AssertEquals(uc2.DidSign(ac), false, t)
 }
 func testAccountWithAccountServerURL(t *testing.T, u string) error {
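Review bot: The added `c.Issuer = subject` in NewOperatorClaims has no comment, and it makes a freshly constructed, never-signed OperatorClaims already look self-issued. If the encode path later sets Issuer from the signing key (not visible in this patch), the constructor should say so, so readers treat the default as a placeholder rather than evidence of a signature. I would add above the line something like `// Default to self-issued so oc.DidSign(oc) holds before encoding; the issuer written at signing time takes precedence.`, adjusted to what the encode path really does. The start of the function is outside the hunk.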
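Review bot: In DidSign, the new strict-mode branch returns `op.Claims().Subject == oc.Subject` without a comment saying why the identity key is still accepted in this one case. As far as the visible lines show, the function compares decoded fields only and checks no signature. The doc comment, which like the start of the function lies outside this hunk, should state that the result is meaningful only for claims whose signature was already verified on decode. Above the branch's final return I would add `// Strict mode: the identity key may only vouch for the operator's own self-signed JWT.`. `op.Claims()` is now called twice; taking `cd := op.Claims()` once after the nil check would read issuer and subject from the same value.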
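Review bot: The six added assertions in TestSignedBy carry no labels, unlike the `// actual key` and `// signing key` lines just above them, so the one security-relevant expectation, the `false` result, is easy to miss or to "fix" later. I would tag them, for example `AssertEquals(uc2.DidSign(ac), false, t) // strict: identity key must not vouch for an account` and `AssertEquals(uc.DidSign(ac), true, t) // strict: signing key still accepted`. How uc, uc2 and ac are built is outside the hunk, so the labels should be checked against that setup.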