From: Sergey Matveev
Date: Mon, 20 Mar 2023 08:29:50 +0000 (+0300)
Subject: No need in digitalSignature KeyUsage for CA certificate
X-Git-Tag: v5.10.0~9
X-Git-Url: http://www.git.cypherpunks.ru/?p=gogost.git;a=commitdiff_plain;h=9252439816bb983e9754a011cd9fe19f737df04d
No need in digitalSignature KeyUsage for CA certificate
---
diff --git a/cmd/cer-selfsigned-example/main.go b/cmd/cer-selfsigned-example/main.go
index 942de48..8b79359 100644
--- a/cmd/cer-selfsigned-example/main.go
+++ b/cmd/cer-selfsigned-example/main.go
@@ -191,7 +191,6 @@ func main() {
 spki = spki[:20]
 cerTmpl := x509.Certificate{
- KeyUsage: x509.KeyUsageDigitalSignature,
 NotBefore: notBefore,
 NotAfter: notAfter,
 SerialNumber: sn,
@@ -202,9 +201,10 @@ func main() {
 if *ca {
 cerTmpl.BasicConstraintsValid = true
 cerTmpl.IsCA = true
- cerTmpl.KeyUsage |= x509.KeyUsageCertSign
+ cerTmpl.KeyUsage = x509.KeyUsageCertSign
 } else {
 cerTmpl.DNSNames = []string{*cn}
+ cerTmpl.KeyUsage = x509.KeyUsageDigitalSignature
 }
 if caCer == nil {
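Review bot: In the `*ca` branch of the second hunk the CA template now asserts only `x509.KeyUsageCertSign`, so a CA built from this example has no cRLSign bit and relying parties that enforce RFC 5280 key usage will not accept CRLs signed with its key; if the example CA is ever expected to publish revocation data, use `cerTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign`. Removing digitalSignature from the CA is a sound least-privilege choice, and a short comment above the branch such as `// CA key signs certificates only; end-entity keys get digitalSignature` would record that intent for people copying the example. The `else` branch combined with `caCer == nil` appears to yield a self-signed end-entity certificate that carries a key usage without keyCertSign, which validators that check the issuer's key usage (Go's standard `CheckSignatureFrom` does, whether this project's x509 package does is not visible here) may reject when it is verified against itself, so that path is worth a test. The body of `main` starts and continues outside both hunks.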