crypto/tls: allow the usage of other keyUsage when checking for the d…

…c extension #72
cloudflare · Mar 31, 2021 · ef2d2c1 · ef2d2c1
1 parent 5ef1b90
commit ef2d2c1
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
@@ -1787,13 +1787,15 @@ func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKe
 	}
 
 	// This extension is not critical
-	if template.KeyUsage == KeyUsageDigitalSignature && template.AllowDC && !template.IsCA && !oidInExtensions(oidExtensionDelegatedCredential, template.ExtraExtensions) {
-		ret[n].Id = oidExtensionDelegatedCredential
-		ret[n].Value, err = asn1.Marshal(asn1.NullRawValue)
-		if err != nil {
-			return
+	if template.AllowDC && !template.IsCA && !oidInExtensions(oidExtensionDelegatedCredential, template.ExtraExtensions) {
+		if template.KeyUsage&KeyUsageDigitalSignature != 0 {
+			ret[n].Id = oidExtensionDelegatedCredential
+			ret[n].Value, err = asn1.Marshal(asn1.NullRawValue)
+			if err != nil {
+				return
+			}
+			n++
 		}
-		n++
 	}
 
 	if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {