Add keyUsage checking for CAs
This commit is contained in:
parent
3fed0b3264
commit
99d4f19111
6 changed files with 92 additions and 0 deletions
|
@ -1424,6 +1424,17 @@ static int x509_crt_verifycrl( x509_crt *crt, x509_crt *ca,
|
|||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check if the CA is configured to sign CRLs
|
||||
*/
|
||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||
if( x509_crt_check_key_usage( ca, KU_CRL_SIGN ) != 0 )
|
||||
{
|
||||
flags |= BADCRL_NOT_TRUSTED;
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Check if CRL is correctly signed by the trusted CA
|
||||
*/
|
||||
|
@ -1548,6 +1559,11 @@ static x509_crt *x509_crt_find_parent( x509_crt *crt )
|
|||
continue;
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||
if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
|
||||
continue;
|
||||
#endif
|
||||
|
||||
/* If we get there, we found a suitable parent */
|
||||
break;
|
||||
}
|
||||
|
@ -1599,6 +1615,14 @@ static int x509_crt_verify_top(
|
|||
continue;
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||
if( x509_crt_check_key_usage( trust_ca, KU_KEY_CERT_SIGN ) != 0 )
|
||||
{
|
||||
trust_ca = trust_ca->next;
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Reduce path_len to check against if top of the chain is
|
||||
* the same as the trusted CA
|
||||
|
|
12
tests/data_files/test-ca2.ku-crl.crt
Normal file
12
tests/data_files/test-ca2.ku-crl.crt
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBzDCCAVOgAwIBAgIJAP6mZLzh0IPSMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTAeFw0xNDA0MDkxMTIzMzhaFw0yNDA0MDYxMTIzMzhaMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||
BgNVHQ8EBAMCAQIwCgYIKoZIzj0EAwIDZwAwZAIwZOCKY0EHXYzI4cQsFnfOrxm1
|
||||
ufvNeZ4ZcSZWrkTBazW2OBCuCP9SLznec3SFOUvvAjAKe/qycfxkHivjieCEG1Kt
|
||||
m2D4QKSJELUhTHr4zdkeqbzgui0y3iouaoyWsKvetNg=
|
||||
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-crt.crt
Normal file
12
tests/data_files/test-ca2.ku-crt.crt
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBzTCCAVOgAwIBAgIJAODh6PAeD9/vMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTAeFw0xNDA0MDkxMTIzNTRaFw0yNDA0MDYxMTIzNTRaMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||
BgNVHQ8EBAMCAgQwCgYIKoZIzj0EAwIDaAAwZQIwGGlbynd1jU3WkUx6Irhk9Lob
|
||||
z2B+1eIO6+eu3En8B3rh8Ipfxo0e0hpfaRFYP1MUAjEAjxxBchRWJAzZ6/47Wg/7
|
||||
UoasRINgP5B/uJhTnftS1bqyuWHastb4LW5/YLOvPbMQ
|
||||
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-crt_crl.crt
Normal file
12
tests/data_files/test-ca2.ku-crt_crl.crt
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBzDCCAVOgAwIBAgIJAPejOupCJS65MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTAeFw0xNDA0MDkxMTIyMjVaFw0yNDA0MDYxMTIyMjVaMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||
BgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDZwAwZAIwMKLVXB4YBQ0Ha4dEvFPcJtau
|
||||
TS5Vd4UqG3xQ10YcJogweuqaGHSFgdnEUfoX+4p5AjApMnYXFfUjSmlyfJmTaswO
|
||||
gaR5sUnnw33NA9j1ercem3asCYz6a8T0zo8/rR33XVU=
|
||||
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-ds.crt
Normal file
12
tests/data_files/test-ca2.ku-ds.crt
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBzDCCAVOgAwIBAgIJAPOkPR3wsvm5MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTAeFw0xNDA0MDkxMTI0MTNaFw0yNDA0MDYxMTI0MTNaMD4xCzAJBgNVBAYT
|
||||
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||
BgNVHQ8EBAMCB4AwCgYIKoZIzj0EAwIDZwAwZAIwGRCmU/rWNjW13g8ITuq3pMXb
|
||||
jgwTFJHVlbMDiFJwUrRvytPV9doJOfzJ8nAQ0cZ1AjAbJ8QAV2e+DmYZpWc/p6Ug
|
||||
nQdac59ev+lH+ju6wET3jNDjUthUPrdgqa54+UWQ5r4=
|
||||
-----END CERTIFICATE-----
|
|
@ -442,6 +442,26 @@ X509 Certificate verification #51 (Valid, multiple CAs, reverse order)
|
|||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15
|
||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #52 (CA keyUsage valid)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||
|
||||
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Certificate verification #55 (CA keyUsage plain wrong)
|
||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||
|
||||
X509 Parse Selftest
|
||||
depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C
|
||||
x509_selftest:
|
||||
|
|
Loading…
Reference in a new issue