Merge verification of the keyUsage extension in X.509 certificates
@ -957,6 +957,20 @@
|
||||
*/
|
||||
//#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
|
||||
/**
|
||||
* \def POLARSSL_X509_CHECK_KEY_USAGE
|
||||
*
|
||||
* Enable verification of the keyUsage extension (CA and leaf certificates).
|
||||
*
|
||||
* Disabling this avoids problems with mis-issued and/or misused
|
||||
* (intermediate) CA and leaf certificates.
|
||||
*
|
||||
* \warning Depending on your PKI use, disabling this can be a security risk!
|
||||
*
|
||||
* Comment to skip keyUsage checking for both CA and leaf certificates.
|
||||
*/
|
||||
#define POLARSSL_X509_CHECK_KEY_USAGE
|
||||
|
||||
/**
|
||||
* \def POLARSSL_ZLIB_SUPPORT
|
||||
*
|
||||
|
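Review bot: The `\warning` in the new POLARSSL_X509_CHECK_KEY_USAGE block does not say what is actually lost when the macro is commented out, which is what an integrator needs in order to decide. I would spell it out, for example `* \warning With this disabled, a certificate whose keyUsage extension does not permit a given use (eg KU_KEY_ENCIPHERMENT) is still accepted for that use.` The sentence "Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates" also reads as advice to turn the check off; phrasing it as a compatibility workaround that refers to the warning would be less inviting. The surrounding header continues outside the hunk.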
@ -1657,6 +1657,19 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl )
|
||||
return( ssl->handshake->key_cert == NULL ? NULL
|
||||
: ssl->handshake->key_cert->cert );
|
||||
}
|
||||
|
||||
/*
|
||||
* Check usage of a certificate wrt extensions:
|
||||
* keyUsage, extendedKeyUsage (later), and nSCertType (later).
|
||||
*
|
||||
* Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
|
||||
* check a cert we received from them)!
|
||||
*
|
||||
* Return 0 if everything is OK, -1 if not.
|
||||
*/
|
||||
int ssl_check_cert_usage( const x509_crt *cert,
|
||||
const ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint );
|
||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||
|
||||
/* constant-time buffer comparison */
|
||||
|
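Review bot: The comment on `ssl_check_cert_usage()` does not say what the function returns when POLARSSL_X509_CHECK_KEY_USAGE is not defined, and the prototype is guarded only by POLARSSL_X509_CRT_PARSE_C (the `#endif` visible just below it). Presumably it then accepts every certificate; if so, state it, e.g. `* If POLARSSL_X509_CHECK_KEY_USAGE is disabled, keyUsage is not checked.` The `cert_endpoint` warning would be harder to get wrong if the accepted values were named and one call from the client side were shown, since passing our own endpoint would presumably test the peer's certificate against the wrong role. The bare `-1` also differs from `x509_crt_check_key_usage()`, which returns POLARSSL_ERR_X509_BAD_INPUT_DATA, so the comment should tell callers to translate it into a handshake failure and not propagate it as an error code.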
@ -244,6 +244,26 @@ int x509_crt_verify( x509_crt *crt,
|
||||
int (*f_vrfy)(void *, x509_crt *, int, int *),
|
||||
void *p_vrfy );
|
||||
|
||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||
/**
|
||||
* \brief Check usage of certificate against keyUsage extension.
|
||||
*
|
||||
* \param crt Leaf certificate used.
|
||||
* \param usage Intended usage(s) (eg KU_KEY_ENCIPHERMENT before using the
|
||||
* certificate to perform an RSA key exchange).
|
||||
*
|
||||
* \return 0 is these uses of the certificate are allowed,
|
||||
* POLARSSL_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
|
||||
* is present but does not contain all the bits set in the
|
||||
* usage argument.
|
||||
*
|
||||
* \note You should only call this function on leaf certificates, on
|
||||
* (intermediate) CAs the keyUsage extension is automatically
|
||||
* checked by \c x509_crt_verify().
|
||||
*/
|
||||
int x509_crt_check_key_usage( const x509_crt *crt, int usage );
|
||||
#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
|
||||
|
||||
#if defined(POLARSSL_X509_CRL_PARSE_C)
|
||||
/**
|
||||
* \brief Verify the certificate revocation status
|
||||
|
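Review bot: The `\return` text for `x509_crt_check_key_usage()` implies, but never states, that a certificate with no keyUsage extension passes the check. Callers deciding whether a key may be used for an operation need that written down, e.g. `* \return 0 if the extension is absent or allows all requested uses,`. Two wording slips in the same block: `0 is these uses` should read `0 if these uses`, and the closing guard comment `/* POLARSSL_X509_CHECK_KEY_USAGE) */` has a stray parenthesis. Reusing POLARSSL_ERR_X509_BAD_INPUT_DATA for a policy rejection means a caller cannot tell a disallowed use from a malformed argument, which is worth one sentence in the `\note` for anyone logging or alerting on the result.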