From 9a702255f4f5cbbd742afc956813d96cb45ea750 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 23 Jun 2015 10:14:36 +0200 Subject: [PATCH] Add parsing/printing for new X.509 keyUsage flags --- include/mbedtls/x509.h | 3 +++ library/x509_crt.c | 12 ++++++++++-- tests/data_files/Readme-x509.txt | 1 + tests/data_files/keyUsage.decipherOnly.crt | 14 ++++++++++++++ tests/suites/test_suite_x509parse.data | 4 ++++ 5 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 tests/data_files/keyUsage.decipherOnly.crt diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index de184156e..e82f1c653 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -110,6 +110,7 @@ /* * X.509 v3 Key Usage Extension flags + * Reminder: update x509_info_key_usage() when adding new flags. */ #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ #define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */ @@ -118,6 +119,8 @@ #define MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */ #define MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */ #define MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */ +#define MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */ +#define MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */ /* * Netscape certificate types diff --git a/library/x509_crt.c b/library/x509_crt.c index 4fddf6524..2285e1db6 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -371,6 +371,7 @@ static int x509_get_key_usage( unsigned char **p, unsigned int *key_usage) { int ret; + size_t i; mbedtls_x509_bitstring bs = { 0, 0, NULL }; if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 ) @@ -381,7 +382,12 @@ static int x509_get_key_usage( unsigned char **p, MBEDTLS_ERR_ASN1_INVALID_LENGTH ); /* Get actual bitstring */ - *key_usage = *bs.p; + *key_usage = 0; + for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ ) + { + *key_usage |= (unsigned int) bs.p[i] << (8*i); + } + return( 0 ); } @@ -1274,7 +1280,7 @@ static int x509_info_cert_type( char **buf, size_t *size, PRINT_ITEM( name ); static int x509_info_key_usage( char **buf, size_t *size, - unsigned char key_usage ) + unsigned int key_usage ) { int ret; size_t n = *size; @@ -1288,6 +1294,8 @@ static int x509_info_key_usage( char **buf, size_t *size, KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" ); KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" ); KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" ); + KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" ); + KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" ); *size = n; *buf = p; diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt index b68ae5135..2cf0c66e9 100644 --- a/tests/data_files/Readme-x509.txt +++ b/tests/data_files/Readme-x509.txt @@ -23,6 +23,7 @@ Finally, other CAs for specific purposes: - test-ca-v1.crt: v1 "CA", signs server1-v1.crt: v1 "intermediate CA", signs server2-v1*.crt: EE cert (without of with chain in same file) +- keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set End-entity certificates ----------------------- diff --git a/tests/data_files/keyUsage.decipherOnly.crt b/tests/data_files/keyUsage.decipherOnly.crt new file mode 100644 index 000000000..7c379787a --- /dev/null +++ b/tests/data_files/keyUsage.decipherOnly.crt @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFzCCAYCgAwIBAgIJAJsTzkylb95SMA0GCSqGSIb3DQEBBQUAMD8xCzAJBgNV +BAYTAkdCMRIwEAYDVQQHDAlDYW1icmlkZ2UxHDAaBgNVBAoME0RlZmF1bHQgQ29t +cGFueSBMdGQwHhcNMTUwNTEyMTAzNjU1WhcNMTgwNTExMTAzNjU1WjA/MQswCQYD +VQQGEwJHQjESMBAGA1UEBwwJQ2FtYnJpZGdlMRwwGgYDVQQKDBNEZWZhdWx0IENv +bXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9nxYOSbha/Ap4 +6rACrOMH7zfDD+0ZEHhbO0bgGRjc5ElvOaNuD321y9TnyAx+JrqPp/lFrAgNiVo1 +HPurPHfcJ+tNBUgBHboWGNENNaf9ovwFPawsBzEZraGnDaqVPEFcIsUQPVqO1lrQ +CHLUjtqo1hMZDqe/Web0Mw9cZrqOaQIDAQABoxswGTAJBgNVHRMEAjAAMAwGA1Ud +DwQFAwMH4IAwDQYJKoZIhvcNAQEFBQADgYEAJ0NS2wUbgRelK0qKxrR2Ts6jVYEH +bmykx3GHjFyKpscDIn2vNyyB7ygfFglZPcw+2mn3xuVIwOV/mWxFvKHk+j2WrTQL +tDqSC5BhFoR01veFu07JdEYvz+I+NCL5z0IGWXkUrk235Wl4w4WMZDnXTqncMNEk +fLtpo9y79XD00QY= +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 3e1393ab7..0be6c712a 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -90,6 +90,10 @@ X509 Certificate information, Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C x509_cert_info:"data_files/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +X509 Certificate information, Key Usage with decipherOnly +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C +x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" + X509 Certificate information, Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n"