x509-cert: builder: make keyEncipherment usage optional

ECDSA keys can not be used for keyEncipherment. Make this keyUsage bit
optional.

Signed-off-by: Dmitry Baryshkov <[email protected]>

Author: lumag

x509-cert/src/builder.rs

@@ -90,6 +90,8 @@ pub enum Profile {
         issuer: Name,
         /// should the key agreement flag of KeyUsage be enabled
         enable_key_agreement: bool,
+        /// should the key encipherment flag of KeyUsage be enabled
+        enable_key_encipherment: bool,
     },
     #[cfg(feature = "hazmat")]
     /// Opt-out of the default extensions
@@ -169,11 +171,13 @@ impl Profile {
             }
             Profile::Leaf {
                 enable_key_agreement,
+                enable_key_encipherment,
                 ..
             } => {
-                let mut key_usage = KeyUsages::DigitalSignature
-                    | KeyUsages::NonRepudiation
-                    | KeyUsages::KeyEncipherment;
+                let mut key_usage = KeyUsages::DigitalSignature | KeyUsages::NonRepudiation;
+                if *enable_key_encipherment {
+                    key_usage |= KeyUsages::KeyEncipherment;
+                }
                 if *enable_key_agreement {
                     key_usage |= KeyUsages::KeyAgreement;
                 }

x509-cert/tests/builder.rs

@@ -116,6 +116,7 @@ fn leaf_certificate() {
     let profile = Profile::Leaf {
         issuer,
         enable_key_agreement: false,
+        enable_key_encipherment: false,
     };
 
     let subject = Name::from_str("CN=service.domination.world")