CORDA-2216 Restrict extended key usage of certificate types (#5294)

* CORDA-2216 Restrict extended key usage of certificate types

- Remove `anyExtendedKeyUsage` from all certificates
- Restrict to server and client auth for all certificates except
  `ROOT_CA` which has had all extended key usages removed

* CORDA-2216 Update certificate types

- Remove server authentication from all certificates except for TLS
- Add client authentication to all certificates except for ROOT

node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt

@@ -2,7 +2,6 @@ package net.corda.nodeapi.internal.crypto
 
 import net.corda.core.CordaOID
 import net.corda.core.crypto.Crypto
-import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.random63BitValue
 import net.corda.core.internal.*
 import net.corda.core.utilities.days
@@ -396,45 +395,34 @@ class X509CertificateFactory {
 enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurposeId, val isCA: Boolean, val role: CertRole?) {
     ROOT_CA(
             KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
-            KeyPurposeId.id_kp_serverAuth,
-            KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = true,
             role = null
     ),
 
     INTERMEDIATE_CA(
             KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = true,
             role = CertRole.DOORMAN_CA
     ),
 
     NETWORK_MAP(
             KeyUsage(KeyUsage.digitalSignature),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = false,
             role = CertRole.NETWORK_MAP
     ),
 
     SERVICE_IDENTITY(
             KeyUsage(KeyUsage.digitalSignature),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = false,
             role = CertRole.SERVICE_IDENTITY
     ),
 
     NODE_CA(
             KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = true,
             role = CertRole.NODE_CA
     ),
@@ -443,7 +431,6 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
             KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyEncipherment or KeyUsage.keyAgreement),
             KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = false,
             role = CertRole.TLS
     ),
@@ -451,24 +438,21 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
     // TODO: Identity certs should have tight name constraints on child certificates
     LEGAL_IDENTITY(
             KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = true,
             role = CertRole.LEGAL_IDENTITY
     ),
 
     CONFIDENTIAL_LEGAL_IDENTITY(
             KeyUsage(KeyUsage.digitalSignature),
-            KeyPurposeId.id_kp_serverAuth,
             KeyPurposeId.id_kp_clientAuth,
-            KeyPurposeId.anyExtendedKeyUsage,
             isCA = false,
             role = CertRole.CONFIDENTIAL_LEGAL_IDENTITY
     ),
 
     NETWORK_PARAMETERS(
             KeyUsage(KeyUsage.digitalSignature),
+            KeyPurposeId.id_kp_clientAuth,
             isCA = false,
             role = CertRole.NETWORK_PARAMETERS
     )