From 91d22ee81b8393a26415e5d297ad9329a04bc1d4 Mon Sep 17 00:00:00 2001
From: Tadeu Andrade
Date: Fri, 17 Mar 2023 12:45:24 -0300
Subject: [PATCH] feat: add option to exclude path length

Adds option to exclude path-length attribute critical key usage extension. Is analogous to excluding path length from root CA.
---
 cmd/sign.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cmd/sign.go b/cmd/sign.go
index 05d4256..8f3ed14 100644
--- a/cmd/sign.go
+++ b/cmd/sign.go
@@ -72,6 +72,10 @@ func NewSignCommand() cli.Command {
 Value: 0,
 Usage: "Maximum number of non-self-issued intermediate certificates that may follow this CA certificate in a valid certification path",
 },
+ cli.BoolFlag{
+ Name: "exclude-path-length",
+ Usage: "Exclude 'Path Length Constraint' from this CA certificate",
+ },
 },
 Action: newSignAction,
 }
@@ -142,12 +146,17 @@ func newSignAction(c *cli.Context) {
 }
 }
 
+ if c.IsSet("path-length") && c.IsSet("exclude-path-length") {
+ fmt.Fprintf(os.Stderr, "The \"path-length\" and \"exclude-path-length\" flags cannot be used together!\n")
+ os.Exit(1)
+ }
+
 var crtOut *pkix.Certificate
 if c.Bool("intermediate") {
 fmt.Fprintln(os.Stderr, "Building intermediate")
 
 opts := []pkix.Option{
- pkix.WithPathlenOption(c.Int("path-length"), false),
+ pkix.WithPathlenOption(c.Int("path-length"), c.Bool("exclude-path-length")),
 }
 
 crtOut, err = pkix.CreateIntermediateCertificateAuthorityWithOptions(crt, key, csr, expiresTime, opts...)
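Review bot: The Usage string of the new `exclude-path-length` flag does not tell the operator what leaving the constraint out means for the issued CA. Under RFC 5280 an absent pathLenConstraint places no limit on how many subordinate CA certificates may follow, while the flag just above it (presumably `path-length`) shows `Value: 0`, so this switch moves from the tightest setting to no limit at all. I would say so in the help text, for example `Usage: "Omit the path length constraint so this CA may sign subordinate CAs to any depth; cannot be combined with path-length",`. If the option only applies together with `intermediate`, as the second hunk suggests, the help text should mention that too.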
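Review bot: The conflict check tests `c.IsSet("exclude-path-length")` rather than the flag's value, so an explicit `--exclude-path-length=false` next to `--path-length` is rejected although nothing conflicts. `if c.IsSet("path-length") && c.Bool("exclude-path-length") {` would match the value later passed to `pkix.WithPathlenOption`. As far as the hunk shows, `exclude-path-length` is only read inside the `if c.Bool("intermediate")` branch, so on a non-intermediate signing it appears to be silently ignored. An error or warning there would keep an operator from assuming the option took effect. newSignAction starts and continues outside the hunk, so the other branch could not be checked.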