From cfab64b1b90b5a89d59b85942d6ef9ae1536adab Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Fri, 29 May 2026 21:54:43 +0000
Subject: [PATCH] fix: set root cert MaxPathLen=0 to refuse intermediate CAs (PILOT-332)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The root CA is architecture root->leaf with no intermediate. MaxPathLen=1 was over-permissive — allowed one intermediate CA which could produce forged leaf certs if the root key is exfiltrated. Tighten to MaxPathLenZero=true as defense in depth.
---
 main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index 29ba524..329a635 100644
--- a/main.go
+++ b/main.go
@@ -165,8 +165,8 @@ func initRoot(outDir string) error {
 IsCA: true,
 BasicConstraintsValid: true,
 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
- MaxPathLen: 1,
- MaxPathLenZero: false,
+ MaxPathLen: 0,
+ MaxPathLenZero: true,
 }
 der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
 if err != nil {
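Review bot: The new `MaxPathLen: 0` / `MaxPathLenZero: true` pair in the `initRoot` template has no comment, and in crypto/x509 a zero `MaxPathLen` without the bool means "no constraint", so a later cleanup that drops the seemingly redundant `MaxPathLenZero` would silently remove the limit; I would add `// pathLenConstraint=0: root signs leaves only. MaxPathLenZero is required; MaxPathLen 0 alone means unset.` above the two fields. A regression test that parses the generated DER and checks `cert.MaxPathLen == 0 && cert.MaxPathLenZero` would pin this. The change appears to affect only roots created after this commit, so a root already issued with path length 1 keeps that value until it is regenerated and redistributed to relying parties. The constraint limits what a CA-flagged certificate issued under the root can sign, not what a holder of the root key can sign directly, so it complements rather than replaces protection of the root key, and it relies on verifiers enforcing the trust anchor's basic constraints. `initRoot` starts and ends outside the hunk.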