Add extendedKeyUsage checking in SSL modules

This commit is contained in:
Manuel Pégourié-Gonnard 2014-04-11 11:06:22 +02:00
parent 7afb8a0dca
commit 0408fd1fbb
2 changed files with 140 additions and 6 deletions

View File

@ -38,6 +38,11 @@
#include "polarssl/debug.h"
#include "polarssl/ssl.h"
#if defined(POLARSSL_X509_CRT_PARSE_C) && \
defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
#include "polarssl/oid.h"
#endif
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
@ -4770,15 +4775,19 @@ int ssl_check_cert_usage( const x509_crt *cert,
const ssl_ciphersuite_t *ciphersuite,
int cert_endpoint )
{
#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)
((void) cert);
((void) ciphersuite);
((void) cert_endpoint);
#endif
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
int usage = 0;
#endif
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
const char *ext_oid;
size_t ext_len;
#endif
#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
!defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
((void) cert);
((void) cert_endpoint);
#endif
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( cert_endpoint == SSL_IS_SERVER )
@ -4818,8 +4827,26 @@ int ssl_check_cert_usage( const x509_crt *cert,
if( x509_crt_check_key_usage( cert, usage ) != 0 )
return( -1 );
#else
((void) ciphersuite);
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
if( cert_endpoint == SSL_IS_SERVER )
{
ext_oid = OID_SERVER_AUTH;
ext_len = OID_SIZE( OID_SERVER_AUTH );
}
else
{
ext_oid = OID_CLIENT_AUTH;
ext_len = OID_SIZE( OID_CLIENT_AUTH );
}
if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
return( -1 );
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
return( 0 );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */

View File

@ -1136,6 +1136,113 @@ run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
"$P_SRV key_file=data_files/server5.key \
crt_file=data_files/server5.eku-srv.crt" \
"$P_CLI" \
0
run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
"$P_SRV key_file=data_files/server5.key \
crt_file=data_files/server5.eku-srv.crt" \
"$P_CLI" \
0
run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
"$P_SRV key_file=data_files/server5.key \
crt_file=data_files/server5.eku-cs_any.crt" \
"$P_CLI" \
0
# add psk to leave an option for client to send SERVERQUIT
run_test "extKeyUsage srv #4 (codeSign -> fail)" \
"$P_SRV psk=abc123 key_file=data_files/server5.key \
crt_file=data_files/server5.eku-cli.crt" \
"$P_CLI psk=badbad" \
1
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
"$O_SRV -key data_files/server5.key \
-cert data_files/server5.eku-srv.crt" \
"$P_CLI debug_level=2" \
0 \
-C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
"$O_SRV -key data_files/server5.key \
-cert data_files/server5.eku-srv_cli.crt" \
"$P_CLI debug_level=2" \
0 \
-C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
"$O_SRV -key data_files/server5.key \
-cert data_files/server5.eku-cs_any.crt" \
"$P_CLI debug_level=2" \
0 \
-C "bad certificate (usage extensions)" \
-C "Processing of the Certificate handshake message failed" \
-c "Ciphersuite is TLS-"
run_test "extKeyUsage cli #4 (codeSign -> fail)" \
"$O_SRV -key data_files/server5.key \
-cert data_files/server5.eku-cs.crt" \
"$P_CLI debug_level=2" \
1 \
-c "bad certificate (usage extensions)" \
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-"
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.eku-cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.eku-srv_cli.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.eku-cs_any.crt" \
0 \
-S "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
"$P_SRV debug_level=2 auth_mode=optional" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.eku-cs.crt" \
0 \
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
"$P_SRV debug_level=2 auth_mode=required" \
"$O_CLI -key data_files/server5.key \
-cert data_files/server5.eku-cs.crt" \
1 \
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed"
# Final report
echo "------------------------------------------------------------------------"