Require ClientAuth when verifying an X5cInsecure certificate

The X5cInsecure certificate is used by step-ca to renew certificates
without using mTLS, usually expired certificates. Certificate.Verify
defaults to require ServerAuth if no KeyUsages is set as an option. But
due to how these tokens are used, it makes more sense to require only
ClientAuth.

Related to smallstep/certificates#1843

Author: maraino

jose/parse.go

@@ -267,6 +267,9 @@ func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][
 		Intermediates: interPool,
 		// A hack so we skip validity period validation.
 		CurrentTime: leaf.NotAfter.Add(-1 * time.Minute),
+		KeyUsages: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+		},
 	})
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error verifying x5cInsecure certificate chain")