From 7ec9c368f1552dcdff474af2bb4ba7ded314c4d8 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 21 Feb 2019 14:24:05 +0000
Subject: [PATCH] Add buffer holding raw ExtKeyUsage extension data to CRT struct

The previous commits replace the use of dynamically allocated linked lists for X.509 name inspection. This commit is the first in a series which attempts the same for the `ExtendedKeyUsage` extension.

So far, when a CRT is parsed, the extension is traversed and converted into a dynamically allocated linked list, which is then search through whenever the usage of a CRT needs to be checked through `mbedtls_x509_check_extended_key_usage()`.

As a first step, this commit introduces a raw buffer holding the bounds of the `ExtendedKeyUsage` extension to the `mbedtls_x509_crt` structure.
---
 include/mbedtls/x509_crt.h | 3 ++-
 library/x509_crt.c | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 6e07ac6f2..0c71dae18 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -87,7 +87,8 @@ typedef struct mbedtls_x509_crt
     unsigned int key_usage;             /**< Optional key usage extension value: See the values in x509.h */
-    mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
+    mbedtls_x509_sequence ext_key_usage;     /**< Optional list of extended key usage OIDs. */
+    mbedtls_x509_buf_raw ext_key_usage_raw;  /**< Raw data of ExtendedKeyUsage extensions. */
     unsigned char ns_cert_type;         /**< Optional Netscape certificate type extension value: See the values in x509.h */
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1d5bedc78..afc707bb6 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
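Review bot: The doc comment on the new `ext_key_usage_raw` member says what the bytes are but not who owns them or how long they remain valid, which matters for a public struct. The library hunk fills `.p` straight from the parser cursor, so the field appears to alias the certificate's own DER buffer rather than hold a copy; a reader of the header should not have to discover that in x509_crt.c. Suggest `/**< Raw data of the ExtendedKeyUsage extension. Points into the CRT's own raw buffer (no copy); valid only while the CRT is. */`, and, if the init routine zero-fills the struct as it does for the other members (not visible here), also state that `len == 0` means the extension is absent. The `mbedtls_x509_crt` struct begins and ends outside this hunk.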
@@ -697,6 +697,8 @@ static int x509_get_crt_ext( unsigned char **p,
         case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
             /* Parse extended key usage */
+            crt->ext_key_usage_raw.p = *p;
+            crt->ext_key_usage_raw.len = end_ext_octet - *p;
             if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
                                                 &crt->ext_key_usage ) ) != 0 )
                 return( ret );
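Review bot: The two added assignments record the extension bounds before `x509_get_ext_key_usage` has validated the content, so on a parse failure `ext_key_usage_raw` is left pointing at octets that were never accepted; that is harmless only as long as every caller discards the CRT on a non-zero return, and since the series plans to re-walk this buffer at check time that contract deserves to be written down next to the assignment. `end_ext_octet - *p` is also a signed pointer difference stored into the raw buffer's length field, which is safe only because `end_ext_octet` is presumably bounds-checked against `*p` earlier in `x509_get_crt_ext`, outside this hunk. Suggest `/* Remember the bounds of the ExtKeyUsage content (inside the extension OCTET STRING) so later lookups can walk the raw DER; only meaningful if the parse below succeeds. */` above the first added line. `x509_get_crt_ext` begins and ends outside this hunk.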