Add x509_crt_check_key_usage()
This commit is contained in:
parent
0f79babd4b
commit
603116c570
5 changed files with 85 additions and 0 deletions
|
@ -957,6 +957,20 @@
|
||||||
*/
|
*/
|
||||||
//#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
//#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
|
*
|
||||||
|
* Enable verification of the keyUsage extension (CA and leaf certificates).
|
||||||
|
*
|
||||||
|
* Disabling this avoids problems with mis-issued and/or misused
|
||||||
|
* (intermediate) CA and leaf certificates.
|
||||||
|
*
|
||||||
|
* \warning Depending on your PKI use, disabling this can be a security risk!
|
||||||
|
*
|
||||||
|
* Comment to skip keyUsage checking for both CA and leaf certificates.
|
||||||
|
*/
|
||||||
|
#define POLARSSL_X509_CHECK_KEY_USAGE
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def POLARSSL_ZLIB_SUPPORT
|
* \def POLARSSL_ZLIB_SUPPORT
|
||||||
*
|
*
|
||||||
|
|
|
@ -244,6 +244,26 @@ int x509_crt_verify( x509_crt *crt,
|
||||||
int (*f_vrfy)(void *, x509_crt *, int, int *),
|
int (*f_vrfy)(void *, x509_crt *, int, int *),
|
||||||
void *p_vrfy );
|
void *p_vrfy );
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
/**
|
||||||
|
* \brief Check usage of certificate against keyUsage extension.
|
||||||
|
*
|
||||||
|
* \param crt Leaf certificate used.
|
||||||
|
* \param usage Intended usage(s) (eg KU_KEY_ENCIPHERMENT before using the
|
||||||
|
* certificate to perform an RSA key exchange).
|
||||||
|
*
|
||||||
|
* \return 0 is these uses of the certificate are allowed,
|
||||||
|
* POLARSSL_ERR_X509_BAD_INPUT_DATA if the keyUsage extenson
|
||||||
|
* is present but does not contain all the bits set in the
|
||||||
|
* usage argument.
|
||||||
|
*
|
||||||
|
* \note You should only call this function on leaf certificates, on
|
||||||
|
* (intermediate) CAs the keyUsage extension is automatically
|
||||||
|
* checked by \c x509_crt_verify().
|
||||||
|
*/
|
||||||
|
int x509_crt_check_key_usage( const x509_crt *crt, int usage );
|
||||||
|
#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
||||||
/**
|
/**
|
||||||
* \brief Verify the certificate revocation status
|
* \brief Verify the certificate revocation status
|
||||||
|
|
|
@ -1360,6 +1360,17 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
|
||||||
return( (int) ( size - n ) );
|
return( (int) ( size - n ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
int x509_crt_check_key_usage( const x509_crt *crt, int usage )
|
||||||
|
{
|
||||||
|
if( ( crt->ext_types & EXT_KEY_USAGE ) != 0 &&
|
||||||
|
( crt->key_usage & usage ) != usage )
|
||||||
|
return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
||||||
/*
|
/*
|
||||||
* Return 1 if the certificate is revoked, or 0 otherwise.
|
* Return 1 if the certificate is revoked, or 0 otherwise.
|
||||||
|
|
|
@ -826,3 +826,28 @@ x509_oid_numstr:"2A864886F70D":"1.2.840.113549":15:14
|
||||||
|
|
||||||
X509 OID numstring #5 (arithmetic overflow)
|
X509 OID numstring #5 (arithmetic overflow)
|
||||||
x509_oid_numstr:"2A8648F9F8F7F6F5F4F3F2F1F001":"":100:POLARSSL_ERR_OID_BUF_TOO_SMALL
|
x509_oid_numstr:"2A8648F9F8F7F6F5F4F3F2F1F001":"":100:POLARSSL_ERR_OID_BUF_TOO_SMALL
|
||||||
|
|
||||||
|
X509 crt keyUsage #1 (no extension, expected KU)
|
||||||
|
x509_check_key_usage:"data_files/server1.crt":KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT:0
|
||||||
|
|
||||||
|
X509 crt keyUsage #2 (no extension, suprising KU)
|
||||||
|
x509_check_key_usage:"data_files/server1.crt":KU_KEY_CERT_SIGN:0
|
||||||
|
|
||||||
|
X509 crt keyUsage #3 (extension present, no KU)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":0:0
|
||||||
|
|
||||||
|
X509 crt keyUsage #4 (extension present, single KU present)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_DIGITAL_SIGNATURE:0
|
||||||
|
|
||||||
|
X509 crt keyUsage #5 (extension present, single KU absent)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_CERT_SIGN:POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
X509 crt keyUsage #6 (extension present, combined KU present)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT:0
|
||||||
|
|
||||||
|
X509 crt keyUsage #7 (extension present, combined KU both absent)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_CERT_SIGN|KU_CRL_SIGN:POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
X509 crt keyUsage #8 (extension present, combined KU one absent)
|
||||||
|
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT:POLARSSL_ERR_X509_BAD_INPUT_DATA
|
||||||
|
|
||||||
|
|
|
@ -316,6 +316,21 @@ void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret )
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
void x509_check_key_usage( char *crt_file, int usage, int ret )
|
||||||
|
{
|
||||||
|
x509_crt crt;
|
||||||
|
|
||||||
|
x509_crt_init( &crt );
|
||||||
|
|
||||||
|
TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
|
||||||
|
|
||||||
|
TEST_ASSERT( x509_crt_check_key_usage( &crt, usage ) == ret );
|
||||||
|
|
||||||
|
x509_crt_free( &crt );
|
||||||
|
}
|
||||||
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
|
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
|
||||||
void x509_selftest()
|
void x509_selftest()
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue