Adapt check_key_usage to new weird bits

This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-23 10:48:44 +02:00
parent 9a702255f4
commit 655a964539
3 changed files with 37 additions and 8 deletions

View File

@ -335,19 +335,25 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
* \brief Check usage of certificate against keyUsage extension.
*
* \param crt Leaf certificate used.
* \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT before using the
* certificate to perform an RSA key exchange).
* \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
* before using the certificate to perform an RSA key
* exchange).
*
* \note Except for decipherOnly and encipherOnly, a bit set in the
* usage argument means this bit MUST be set in the
* certificate. For decipherOnly and encipherOnly, it means
* that bit MAY be set.
*
* \return 0 is these uses of the certificate are allowed,
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
* is present but does not contain all the bits set in the
* usage argument.
* is present but does not match the usage argument.
*
* \note You should only call this function on leaf certificates, on
* (intermediate) CAs the keyUsage extension is automatically
* checked by \c mbedtls_x509_crt_verify().
*/
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage );
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
unsigned int usage );
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)

View File

@ -1519,10 +1519,24 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
}
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage )
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
unsigned int usage )
{
if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) != 0 &&
( crt->key_usage & usage ) != usage )
unsigned int usage_must, usage_may;
unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
| MBEDTLS_X509_KU_DECIPHER_ONLY;
if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
return( 0 );
usage_must = usage & ~may_mask;
if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
usage_may = usage & may_mask;
if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
return( 0 );

View File

@ -1128,6 +1128,15 @@ x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT
X509 crt keyUsage #8 (extension present, combined KU one absent)
x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 crt keyUsage #9 (extension present, decOnly allowed absent)
x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
X509 crt keyUsage #10 (extension present, decOnly non-allowed present)
x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA
X509 crt keyUsage #11 (extension present, decOnly allowed present)
x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0
X509 crt extendedKeyUsage #1 (no extension, serverAuth)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0