From c761d98b82bd93c99861b3c4d040c0906862369d Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 22 Aug 2024 18:06:09 -0700
Subject: [PATCH] additional debugging for basic constraints
---
 cmd/certdump/certdump.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/cmd/certdump/certdump.go b/cmd/certdump/certdump.go
index 237866d..de0c66e 100644
--- a/cmd/certdump/certdump.go
+++ b/cmd/certdump/certdump.go
@@ -110,6 +110,14 @@ func showBasicConstraints(cert *x509.Certificate) {
 if cert.IsCA {
 fmt.Printf(", is a CA certificate")
+ if !cert.BasicConstraintsValid {
+ fmt.Printf(" (basic constraint failure)")
+ }
+ } else {
+ fmt.Printf("is not a CA certificate")
+ if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
+ fmt.Printf(" (key encipherment usage enabled!)")
+ }
 }
 if (cert.MaxPathLen == 0 && cert.MaxPathLenZero) || (cert.MaxPathLen > 0) {
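Review bot: The warning in the new else branch tests `x509.KeyUsageKeyEncipherment`, which is an ordinary usage bit on RSA end-entity certificates (TLS servers, for example), so it will fire on normal leaf certs. If the intent is to flag a non-CA certificate that could still be used to sign certificates, the bit to check is keyCertSign, which RFC 5280 only allows when cA is asserted: `if cert.KeyUsage&x509.KeyUsageCertSign != 0 {` with a message such as `" (cert sign usage set on a non-CA!)"`. The else-branch string also lacks the leading `", "` that the CA branch prints, so if earlier output on the same line exists (not visible in this hunk) the text will run together; `fmt.Printf(", is not a CA certificate")` would match. showBasicConstraints starts and ends outside the hunk.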