From 7afb8a0dca4036a118b62eac170575415d2350c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Apr 2014 17:53:56 +0200 Subject: [PATCH 1/4] Add x509_crt_check_extended_key_usage() --- include/polarssl/config.h | 13 +++++++++ include/polarssl/x509_crt.h | 18 ++++++++++++ library/x509_crt.c | 32 ++++++++++++++++++++++ tests/data_files/server5.eku-cli.crt | 13 +++++++++ tests/data_files/server5.eku-cs.crt | 13 +++++++++ tests/data_files/server5.eku-cs_any.crt | 13 +++++++++ tests/data_files/server5.eku-srv.crt | 13 +++++++++ tests/data_files/server5.eku-srv_cli.crt | 13 +++++++++ tests/suites/test_suite_x509parse.data | 21 ++++++++++++++ tests/suites/test_suite_x509parse.function | 19 +++++++++++++ 10 files changed, 168 insertions(+) create mode 100644 tests/data_files/server5.eku-cli.crt create mode 100644 tests/data_files/server5.eku-cs.crt create mode 100644 tests/data_files/server5.eku-cs_any.crt create mode 100644 tests/data_files/server5.eku-srv.crt create mode 100644 tests/data_files/server5.eku-srv_cli.crt diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 2def1ee96..6d7bd86c0 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -971,6 +971,19 @@ */ #define POLARSSL_X509_CHECK_KEY_USAGE +/** + * \def POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE + * + * Enable verification of the extendedKeyUsage extension (leaf certificates). + * + * Disabling this avoids problems with mis-issued and/or misused certificates. + * + * \warning Depending on your PKI use, disabling this can be a security risk! + * + * Comment to skip extendedKeyUsage checking for certificates. + */ +#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE + /** * \def POLARSSL_ZLIB_SUPPORT * diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h index 93340eccd..8e6338197 100644 --- a/include/polarssl/x509_crt.h +++ b/include/polarssl/x509_crt.h @@ -264,6 +264,24 @@ int x509_crt_verify( x509_crt *crt, int x509_crt_check_key_usage( const x509_crt *crt, int usage ); #endif /* POLARSSL_X509_CHECK_KEY_USAGE) */ +#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) +/** + * \brief Check usage of certificate against extentedJeyUsage. + * + * \param crt Leaf certificate used. + * \param usage_oid Intended usage (eg OID_SERVER_AUTH or OID_CLIENT_AUTH). + * \param usage_len Length of usage_oid (eg given by OID_SIZE()). + * + * \return 0 is this use of the certificate is allowed, + * POLARSSL_ERR_X509_BAD_INPUT_DATA if not. + * + * \note Usually only makes sense on leaf certificates. + */ +int x509_crt_check_extended_key_usage( const x509_crt *crt, + const char *usage_oid, + size_t usage_len ); +#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) */ + #if defined(POLARSSL_X509_CRL_PARSE_C) /** * \brief Verify the certificate revocation status diff --git a/library/x509_crt.c b/library/x509_crt.c index 42fbfab20..2c32122d3 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1371,6 +1371,38 @@ int x509_crt_check_key_usage( const x509_crt *crt, int usage ) } #endif +#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) +int x509_crt_check_extended_key_usage( const x509_crt *crt, + const char *usage_oid, + size_t usage_len ) +{ + const x509_sequence *cur; + + /* Extension is not mandatory, absent means no restriction */ + if( ( crt->ext_types & EXT_EXTENDED_KEY_USAGE ) == 0 ) + return( 0 ); + + /* + * Look for the requested usage (or wildcard ANY) in our list + */ + for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next ) + { + const x509_buf *cur_oid = &cur->buf; + + if( cur_oid->len == usage_len && + memcmp( cur_oid->p, usage_oid, usage_len ) == 0 ) + { + return( 0 ); + } + + if( OID_CMP( OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) ) + return( 0 ); + } + + return( POLARSSL_ERR_X509_BAD_INPUT_DATA ); +} +#endif + #if defined(POLARSSL_X509_CRL_PARSE_C) /* * Return 1 if the certificate is revoked, or 0 otherwise. diff --git a/tests/data_files/server5.eku-cli.crt b/tests/data_files/server5.eku-cli.crt new file mode 100644 index 000000000..8aa2e44a0 --- /dev/null +++ b/tests/data_files/server5.eku-cli.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5DCCAWmgAwIBAgIBPDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTQwNDEwMTcyMTIxWhcNMjQwNDA3MTcyMTIxWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD +VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r +y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAoGCCqGSM49BAMCA2kA +MGYCMQCzHyEvd56zm1AzfDBi3psz3rDL/m0RN2WnbRBQJxIJqjwEXOrKazko9m9q +owgau88CMQDuI0fsq5tnyiHPaDSAE21/6hlrCR6deNbwzB94OuPIbx1wIas9D1jc +//iSmKtbl8Y= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-cs.crt b/tests/data_files/server5.eku-cs.crt new file mode 100644 index 000000000..db97b403e --- /dev/null +++ b/tests/data_files/server5.eku-cs.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4zCCAWmgAwIBAgIBOjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTQwNDEwMTcyMDQxWhcNMjQwNDA3MTcyMDQxWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD +VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r +y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAoGCCqGSM49BAMCA2gA +MGUCMQC294oVK6fUjH/abI1xzytTusi8dl7518L0Y19q8zi9K19OtxzPK09h7xyy +gaJRvpUCMFS6hYhrht38yqwwhSVlnmTMVtira58mEUhL6v7Qzw1sz/Dm4aXkW3s6 +JQV1kqqbRw== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-cs_any.crt b/tests/data_files/server5.eku-cs_any.crt new file mode 100644 index 000000000..8fa8632dd --- /dev/null +++ b/tests/data_files/server5.eku-cs_any.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB6TCCAW+gAwIBAgIBOzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTQwNDEwMTcyMDU4WhcNMjQwNDA3MTcyMDU4WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jaDBmMAkGA1UdEwQCMAAwHQYD +VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r +y3i1Gbx+JMnb+zZ8MBkGA1UdJQQSMBAGCCsGAQUFBwMDBgRVHSUAMAoGCCqGSM49 +BAMCA2gAMGUCMQCSYaq/9IKOTkzIrU/eOtpha/3af3JwT6vKh4N3cSX62ksMz0GT +Uxmq4UGMBt4VmBkCMBGpYqof6hS1o92ltNRpDSHuVQ+nke1lOsoQ1plZp4SI+bY1 +bUD/WrUSLlwikZAeng== +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-srv.crt b/tests/data_files/server5.eku-srv.crt new file mode 100644 index 000000000..64312f6c4 --- /dev/null +++ b/tests/data_files/server5.eku-srv.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5DCCAWmgAwIBAgIBPjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTQwNDEwMTcyMTU0WhcNMjQwNDA3MTcyMTU0WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD +VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r +y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoGCCqGSM49BAMCA2kA +MGYCMQDQzjWB0xZs/8IsqJb7owYYtCiT17939Uuc/1yBF69pJRy7KV/qJlHNvlVu +qwWVTx0CMQDNW/0dlX1gU6ashrZv5Ly4sijg/g645fFpfMKCNXysEb9xiBeEj5de +2x5sX/0OSx4= +-----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-srv_cli.crt b/tests/data_files/server5.eku-srv_cli.crt new file mode 100644 index 000000000..9f58fedd2 --- /dev/null +++ b/tests/data_files/server5.eku-srv_cli.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7DCCAXOgAwIBAgIBPTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTQwNDEwMTcyMTQyWhcNMjQwNDA3MTcyMTQyWjA0MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA +2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jbDBqMAkGA1UdEwQCMAAwHQYD +VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r +y3i1Gbx+JMnb+zZ8MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggq +hkjOPQQDAgNnADBkAjAmQjJxxC82ZhBpH/GQkOQXDmaaV/JHRHGok1cWn3j3Xj8A +fqRZkp8JihpGIMse208CMFCMdNAfNd1tv+oPuynoK5Oh6/YlASX/otJT68voEIAN +SmsT1m9VPQMIyUo/3RtYjg== +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 8b1df44a4..fe3c6aa56 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -871,3 +871,24 @@ x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_CERT_SIGN|KU_CRL_ X509 crt keyUsage #8 (extension present, combined KU one absent) x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT:POLARSSL_ERR_X509_BAD_INPUT_DATA +X509 crt extendedKeyUsage #1 (no extension, serverAuth) +x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0 + +X509 crt extendedKeyUsage #2 (single value, present) +x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2B06010505070301":0 + +X509 crt extendedKeyUsage #3 (single value, absent) +x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2B06010505070301":POLARSSL_ERR_X509_BAD_INPUT_DATA + +X509 crt extendedKeyUsage #4 (two values, first) +x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070301":0 + +X509 crt extendedKeyUsage #5 (two values, second) +x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070302":0 + +X509 crt extendedKeyUsage #6 (two values, other) +x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070303":POLARSSL_ERR_X509_BAD_INPUT_DATA + +X509 crt extendedKeyUsage #7 (any, random) +x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2B060105050703FF":0 + diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 4f6448439..f3da1fc0f 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -331,6 +331,25 @@ void x509_check_key_usage( char *crt_file, int usage, int ret ) } /* END_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */ +void x509_check_extended_key_usage( char *crt_file, char *usage_hex, int ret ) +{ + x509_crt crt; + char oid[50]; + size_t len; + + x509_crt_init( &crt ); + + len = unhexify( (unsigned char *) oid, usage_hex ); + + TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 ); + + TEST_ASSERT( x509_crt_check_extended_key_usage( &crt, oid, len ) == ret ); + + x509_crt_free( &crt ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */ void x509_selftest() { From 0408fd1fbb1f843a9a94c29473bf3acfc69cd467 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 11 Apr 2014 11:06:22 +0200 Subject: [PATCH 2/4] Add extendedKeyUsage checking in SSL modules --- library/ssl_tls.c | 39 ++++++++++++++--- tests/ssl-opt.sh | 107 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 140 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 857518126..3f0cd6da0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -38,6 +38,11 @@ #include "polarssl/debug.h" #include "polarssl/ssl.h" +#if defined(POLARSSL_X509_CRT_PARSE_C) && \ + defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) +#include "polarssl/oid.h" +#endif + #if defined(POLARSSL_PLATFORM_C) #include "polarssl/platform.h" #else @@ -4770,15 +4775,19 @@ int ssl_check_cert_usage( const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint ) { -#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) - ((void) cert); - ((void) ciphersuite); - ((void) cert_endpoint); -#endif - #if defined(POLARSSL_X509_CHECK_KEY_USAGE) int usage = 0; #endif +#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) + const char *ext_oid; + size_t ext_len; +#endif + +#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \ + !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) + ((void) cert); + ((void) cert_endpoint); +#endif #if defined(POLARSSL_X509_CHECK_KEY_USAGE) if( cert_endpoint == SSL_IS_SERVER ) @@ -4818,8 +4827,26 @@ int ssl_check_cert_usage( const x509_crt *cert, if( x509_crt_check_key_usage( cert, usage ) != 0 ) return( -1 ); +#else + ((void) ciphersuite); #endif /* POLARSSL_X509_CHECK_KEY_USAGE */ +#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) + if( cert_endpoint == SSL_IS_SERVER ) + { + ext_oid = OID_SERVER_AUTH; + ext_len = OID_SIZE( OID_SERVER_AUTH ); + } + else + { + ext_oid = OID_CLIENT_AUTH; + ext_len = OID_SIZE( OID_CLIENT_AUTH ); + } + + if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) + return( -1 ); +#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */ + return( 0 ); } #endif /* POLARSSL_X509_CRT_PARSE_C */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 16748b07c..27718e859 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1136,6 +1136,113 @@ run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \ -s "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" +# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection + +run_test "extKeyUsage srv #1 (serverAuth -> OK)" \ + "$P_SRV key_file=data_files/server5.key \ + crt_file=data_files/server5.eku-srv.crt" \ + "$P_CLI" \ + 0 + +run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \ + "$P_SRV key_file=data_files/server5.key \ + crt_file=data_files/server5.eku-srv.crt" \ + "$P_CLI" \ + 0 + +run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \ + "$P_SRV key_file=data_files/server5.key \ + crt_file=data_files/server5.eku-cs_any.crt" \ + "$P_CLI" \ + 0 + +# add psk to leave an option for client to send SERVERQUIT +run_test "extKeyUsage srv #4 (codeSign -> fail)" \ + "$P_SRV psk=abc123 key_file=data_files/server5.key \ + crt_file=data_files/server5.eku-cli.crt" \ + "$P_CLI psk=badbad" \ + 1 + +# Tests for extendedKeyUsage, part 2: client-side checking of server cert + +run_test "extKeyUsage cli #1 (serverAuth -> OK)" \ + "$O_SRV -key data_files/server5.key \ + -cert data_files/server5.eku-srv.crt" \ + "$P_CLI debug_level=2" \ + 0 \ + -C "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is TLS-" + +run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \ + "$O_SRV -key data_files/server5.key \ + -cert data_files/server5.eku-srv_cli.crt" \ + "$P_CLI debug_level=2" \ + 0 \ + -C "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is TLS-" + +run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \ + "$O_SRV -key data_files/server5.key \ + -cert data_files/server5.eku-cs_any.crt" \ + "$P_CLI debug_level=2" \ + 0 \ + -C "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is TLS-" + +run_test "extKeyUsage cli #4 (codeSign -> fail)" \ + "$O_SRV -key data_files/server5.key \ + -cert data_files/server5.eku-cs.crt" \ + "$P_CLI debug_level=2" \ + 1 \ + -c "bad certificate (usage extensions)" \ + -c "Processing of the Certificate handshake message failed" \ + -C "Ciphersuite is TLS-" + +# Tests for extendedKeyUsage, part 3: server-side checking of client cert + +run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \ + "$P_SRV debug_level=2 auth_mode=optional" \ + "$O_CLI -key data_files/server5.key \ + -cert data_files/server5.eku-cli.crt" \ + 0 \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \ + "$P_SRV debug_level=2 auth_mode=optional" \ + "$O_CLI -key data_files/server5.key \ + -cert data_files/server5.eku-srv_cli.crt" \ + 0 \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \ + "$P_SRV debug_level=2 auth_mode=optional" \ + "$O_CLI -key data_files/server5.key \ + -cert data_files/server5.eku-cs_any.crt" \ + 0 \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \ + "$P_SRV debug_level=2 auth_mode=optional" \ + "$O_CLI -key data_files/server5.key \ + -cert data_files/server5.eku-cs.crt" \ + 0 \ + -s "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \ + "$P_SRV debug_level=2 auth_mode=required" \ + "$O_CLI -key data_files/server5.key \ + -cert data_files/server5.eku-cs.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "Processing of the Certificate handshake message failed" + # Final report echo "------------------------------------------------------------------------" From add05d71250c47822ab189935365056dcb06992f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 11 Apr 2014 11:12:40 +0200 Subject: [PATCH 3/4] Fix some dependency declarations in X.509 tests --- tests/suites/test_suite_x509parse.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index fe3c6aa56..0bb784ea3 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -447,7 +447,7 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL" X509 Certificate verification #53 (CA keyUsage missing cRLSign) -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL" X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL) @@ -455,11 +455,11 @@ depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL" X509 Certificate verification #55 (CA keyUsage missing keyCertSign) -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Certificate verification #55 (CA keyUsage plain wrong) -depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL" X509 Parse Selftest From b7fff0f9c6843a53c15360506694d1918b52de4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 11 Apr 2014 11:32:39 +0200 Subject: [PATCH 4/4] Update Changelog for extendedKeyUsage --- ChangeLog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 381988af9..b7a49be45 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,8 +7,10 @@ ABI Alert: ALPN changes the ABI for the next release. Features * Support for the ALPN SSL extension * Add option 'use_dev_random' to gen_key application - * Enable verification of the keyUsage extension with for CA and leaf + * Enable verification of the keyUsage extension for CA and leaf certificates (POLARSSL_X509_CHECK_KEY_USAGE) + * Enable verification of the extendedKeyUsage extension + (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) Changes * x509_crt_info() now prints information about parsed extensions as well