Allow email SANs for S/MIME certificates (#152)

2025-10-13 16:31:41 +08:00 · 2019-04-11 20:59:44 -06:00
parent c7c85b20ae
commit 0d4cf75db8
2 changed files with 16 additions and 3 deletions
--- a/cert.go
+++ b/cert.go
@@ -19,6 +19,7 @@ import (
 	"log"
 	"math/big"
 	"net"
+	"net/mail"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -61,18 +62,26 @@ func (m *mkcert) makeCert(hosts []string) {
 		NotBefore: time.Now(),

 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 	}
+
 	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			tpl.IPAddresses = append(tpl.IPAddresses, ip)
+		} else if email, err := mail.ParseAddress(h); err == nil && email.Address == h {
+			tpl.EmailAddresses = append(tpl.EmailAddresses, h)
 		} else {
 			tpl.DNSNames = append(tpl.DNSNames, h)
 		}
 	}
+
 	if m.client {
 		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	} else if len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 {
+		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+	}
+	if len(tpl.EmailAddresses) > 0 {
+		tpl.ExtKeyUsage = append(tpl.ExtKeyUsage, x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageEmailProtection)
 	}

 	// IIS (the main target of PKCS #12 files), only shows the deprecated