x509-cert: builder: disable DigitalSignature usage on Root and SubCA keys

Per RFC5280, DigitalSignature 'is asserted when the subject public key
is used for verifying digital signatures, other than signatures on
certificates (bit 5) and CRLs (bit 6)'.
Using CA keys to sign random data would definitely be a bad practice and
should be avoided. Thus remove the DigitalSignature keyUsage from these
certificates.

Signed-off-by: Dmitry Baryshkov <[email protected]>

Author: lumag

x509-cert/src/builder.rs

@@ -164,12 +164,8 @@ impl Profile {
         // Build Key Usage extension
         match self {
             Profile::Root | Profile::SubCA { .. } => {
-                extensions.push(
-                    KeyUsage(
-                        KeyUsages::DigitalSignature | KeyUsages::KeyCertSign | KeyUsages::CRLSign,
-                    )
-                    .to_extension(tbs)?,
-                );
+                extensions
+                    .push(KeyUsage(KeyUsages::KeyCertSign | KeyUsages::CRLSign).to_extension(tbs)?);
             }
             Profile::Leaf {
                 enable_key_agreement,