Default to validating bundles with x509.ExtKeyUsageAny

As of Go 1.10 Certificate.Verify will check the allowed key usages for the entire chain: https://golang.org/doc/go1.10#crypto/x509
cloudflare · Feb 23, 2018 · c68df53 · c68df53
1 parent e9bb1b2
commit c68df53
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 10 deletions.
diff --git a/bundler/bundler.go b/bundler/bundler.go
@@ -72,17 +72,15 @@ type options struct {
 
 var defaultOptions = options{
 	keyUsages: []x509.ExtKeyUsage{
-		x509.ExtKeyUsageServerAuth,
-		x509.ExtKeyUsageClientAuth,
-		x509.ExtKeyUsageMicrosoftServerGatedCrypto,
-		x509.ExtKeyUsageNetscapeServerGatedCrypto,
+		x509.ExtKeyUsageAny,
 	},
 }
 
 // An Option sets options such as allowed key usages, etc.
 type Option func(*options)
 
-// WithKeyUsages lets you set which Extended Key Usage values are acceptable.
+// WithKeyUsages lets you set which Extended Key Usage values are acceptable. By
+// default x509.ExtKeyUsageAny will be used.
 func WithKeyUsages(usages ...x509.ExtKeyUsage) Option {
 	return func(o *options) {
 		o.keyUsages = usages

diff --git a/bundler/bundler_test.go b/bundler/bundler_test.go
@@ -912,11 +912,7 @@ func TestBundlerWithEmptyRootInfo(t *testing.T) {
 }
 
 func TestBundlerClientAuth(t *testing.T) {
-	b, err := NewBundler(
-		"testdata/client-auth/root.pem",
-		"testdata/client-auth/int.pem",
-		WithKeyUsages(x509.ExtKeyUsageClientAuth),
-	)
+	b, err := NewBundler("testdata/client-auth/root.pem", "testdata/client-auth/int.pem")
 	if err != nil {
 		t.Fatal(err)
 	}