Add keyUsage checking for CAs
This commit is contained in:
parent
3fed0b3264
commit
99d4f19111
6 changed files with 92 additions and 0 deletions
|
@ -1424,6 +1424,17 @@ static int x509_crt_verifycrl( x509_crt *crt, x509_crt *ca,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if the CA is configured to sign CRLs
|
||||||
|
*/
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
if( x509_crt_check_key_usage( ca, KU_CRL_SIGN ) != 0 )
|
||||||
|
{
|
||||||
|
flags |= BADCRL_NOT_TRUSTED;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check if CRL is correctly signed by the trusted CA
|
* Check if CRL is correctly signed by the trusted CA
|
||||||
*/
|
*/
|
||||||
|
@ -1548,6 +1559,11 @@ static x509_crt *x509_crt_find_parent( x509_crt *crt )
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
|
||||||
|
continue;
|
||||||
|
#endif
|
||||||
|
|
||||||
/* If we get there, we found a suitable parent */
|
/* If we get there, we found a suitable parent */
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -1599,6 +1615,14 @@ static int x509_crt_verify_top(
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
if( x509_crt_check_key_usage( trust_ca, KU_KEY_CERT_SIGN ) != 0 )
|
||||||
|
{
|
||||||
|
trust_ca = trust_ca->next;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Reduce path_len to check against if top of the chain is
|
* Reduce path_len to check against if top of the chain is
|
||||||
* the same as the trusted CA
|
* the same as the trusted CA
|
||||||
|
|
12
tests/data_files/test-ca2.ku-crl.crt
Normal file
12
tests/data_files/test-ca2.ku-crl.crt
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBzDCCAVOgAwIBAgIJAP6mZLzh0IPSMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTAeFw0xNDA0MDkxMTIzMzhaFw0yNDA0MDYxMTIzMzhaMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||||
|
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||||
|
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||||
|
BgNVHQ8EBAMCAQIwCgYIKoZIzj0EAwIDZwAwZAIwZOCKY0EHXYzI4cQsFnfOrxm1
|
||||||
|
ufvNeZ4ZcSZWrkTBazW2OBCuCP9SLznec3SFOUvvAjAKe/qycfxkHivjieCEG1Kt
|
||||||
|
m2D4QKSJELUhTHr4zdkeqbzgui0y3iouaoyWsKvetNg=
|
||||||
|
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-crt.crt
Normal file
12
tests/data_files/test-ca2.ku-crt.crt
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBzTCCAVOgAwIBAgIJAODh6PAeD9/vMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTAeFw0xNDA0MDkxMTIzNTRaFw0yNDA0MDYxMTIzNTRaMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||||
|
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||||
|
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||||
|
BgNVHQ8EBAMCAgQwCgYIKoZIzj0EAwIDaAAwZQIwGGlbynd1jU3WkUx6Irhk9Lob
|
||||||
|
z2B+1eIO6+eu3En8B3rh8Ipfxo0e0hpfaRFYP1MUAjEAjxxBchRWJAzZ6/47Wg/7
|
||||||
|
UoasRINgP5B/uJhTnftS1bqyuWHastb4LW5/YLOvPbMQ
|
||||||
|
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-crt_crl.crt
Normal file
12
tests/data_files/test-ca2.ku-crt_crl.crt
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBzDCCAVOgAwIBAgIJAPejOupCJS65MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTAeFw0xNDA0MDkxMTIyMjVaFw0yNDA0MDYxMTIyMjVaMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||||
|
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||||
|
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||||
|
BgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDZwAwZAIwMKLVXB4YBQ0Ha4dEvFPcJtau
|
||||||
|
TS5Vd4UqG3xQ10YcJogweuqaGHSFgdnEUfoX+4p5AjApMnYXFfUjSmlyfJmTaswO
|
||||||
|
gaR5sUnnw33NA9j1ercem3asCYz6a8T0zo8/rR33XVU=
|
||||||
|
-----END CERTIFICATE-----
|
12
tests/data_files/test-ca2.ku-ds.crt
Normal file
12
tests/data_files/test-ca2.ku-ds.crt
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBzDCCAVOgAwIBAgIJAPOkPR3wsvm5MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTAeFw0xNDA0MDkxMTI0MTNaFw0yNDA0MDYxMTI0MTNaMD4xCzAJBgNVBAYT
|
||||||
|
Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF
|
||||||
|
QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu
|
||||||
|
ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy
|
||||||
|
aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL
|
||||||
|
BgNVHQ8EBAMCB4AwCgYIKoZIzj0EAwIDZwAwZAIwGRCmU/rWNjW13g8ITuq3pMXb
|
||||||
|
jgwTFJHVlbMDiFJwUrRvytPV9doJOfzJ8nAQ0cZ1AjAbJ8QAV2e+DmYZpWc/p6Ug
|
||||||
|
nQdac59ev+lH+ju6wET3jNDjUthUPrdgqa54+UWQ5r4=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -442,6 +442,26 @@ X509 Certificate verification #51 (Valid, multiple CAs, reverse order)
|
||||||
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_RSA_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_PKCS1_V15
|
||||||
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||||
|
|
||||||
|
X509 Certificate verification #52 (CA keyUsage valid)
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||||
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
|
||||||
|
|
||||||
|
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||||
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
|
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||||
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
|
||||||
|
|
||||||
|
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||||
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
|
X509 Certificate verification #55 (CA keyUsage plain wrong)
|
||||||
|
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
|
||||||
|
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
|
||||||
|
|
||||||
X509 Parse Selftest
|
X509 Parse Selftest
|
||||||
depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C
|
depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C
|
||||||
x509_selftest:
|
x509_selftest:
|
||||||
|
|
Loading…
Reference in a new issue