diff --git a/ChangeLog b/ChangeLog index efd0e032a..0edbd1605 100644 --- a/ChangeLog +++ b/ChangeLog @@ -73,7 +73,8 @@ API Changes * ecdsa_write_signature() gained an addtional md_alg argument and ecdsa_write_signature_det() was deprecated. * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA. - * Last argument of x509_crt_check_key_usage() changed from int to unsigned. + * Last argument of x509_crt_check_key_usage() and + mbedtls_x509write_crt_set_key_usage() changed from int to unsigned. * test_ca_list (from certs.h) is renamed to test_cas_pem and is only available if POLARSSL_PEM_PARSE_C is defined (it never worked without). * Test certificates in certs.c are no longer guaranteed to be nul-terminated diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 622746045..fb86d4c25 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -570,7 +570,8 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * * * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED */ -int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage ); +int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, + unsigned int key_usage ); /** * \brief Set the Netscape Cert Type flags diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e8bb70908..2e43084a6 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -217,15 +217,21 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * } #endif /* MBEDTLS_SHA1_C */ -int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage ) +int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, + unsigned int key_usage ) { - unsigned char buf[4]; + unsigned char buf[4], ku; unsigned char *c; int ret; - c = buf + 4; + /* We currently only support 7 bits, from 0x80 to 0x02 */ + if( ( key_usage & ~0xfe ) != 0 ) + return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); - if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 ) + c = buf + 4; + ku = (unsigned char) key_usage; + + if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 ) return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,