Merge pull request #503 from smallstep/mariano/x5c-insecure

Require ClientAuth when verifying an X5cInsecure certificate
smallstep · May 15, 2024 · 6a28ca4 · 6a28ca4
2 parents d694da8 + 47190f3
commit 6a28ca4
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/jose/parse.go b/jose/parse.go
@@ -267,6 +267,9 @@ func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][
 		Intermediates: interPool,
 		// A hack so we skip validity period validation.
 		CurrentTime: leaf.NotAfter.Add(-1 * time.Minute),
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+		},
 	})
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error verifying x5cInsecure certificate chain")