Merge support for verifying the extendedKeyUsage extension in X.509

2025-07-30 22:43:08 +03:00 · 2014-04-11 13:58:57 +02:00
parent 78848375c0 b7fff0f9c6
commit 52c5af7d2d
13 changed files with 314 additions and 10 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -38,6 +38,11 @@
 #include "polarssl/debug.h"
 #include "polarssl/ssl.h"

+#if defined(POLARSSL_X509_CRT_PARSE_C) && \
+    defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+#include "polarssl/oid.h"
+#endif
+
 #if defined(POLARSSL_PLATFORM_C)
 #include "polarssl/platform.h"
 #else
@ -4770,15 +4775,19 @@ int ssl_check_cert_usage( const x509_crt *cert,
                          const ssl_ciphersuite_t *ciphersuite,
                          int cert_endpoint )
 {
-#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)
-    ((void) cert);
-    ((void) ciphersuite);
-    ((void) cert_endpoint);
-#endif
-
 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
    int usage = 0;
 #endif
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+    const char *ext_oid;
+    size_t ext_len;
+#endif
+
+#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) &&          \
+    !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+    ((void) cert);
+    ((void) cert_endpoint);
+#endif

 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
    if( cert_endpoint == SSL_IS_SERVER )
@ -4818,8 +4827,26 @@ int ssl_check_cert_usage( const x509_crt *cert,

    if( x509_crt_check_key_usage( cert, usage ) != 0 )
        return( -1 );
+#else
+    ((void) ciphersuite);
 #endif /* POLARSSL_X509_CHECK_KEY_USAGE */

+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+    if( cert_endpoint == SSL_IS_SERVER )
+    {
+        ext_oid = OID_SERVER_AUTH;
+        ext_len = OID_SIZE( OID_SERVER_AUTH );
+    }
+    else
+    {
+        ext_oid = OID_CLIENT_AUTH;
+        ext_len = OID_SIZE( OID_CLIENT_AUTH );
+    }
+
+    if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+        return( -1 );
+#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
+
    return( 0 );
 }
 #endif /* POLARSSL_X509_CRT_PARSE_C */
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1371,6 +1371,38 @@ int x509_crt_check_key_usage( const x509_crt *crt, int usage )
 }
 #endif

+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+int x509_crt_check_extended_key_usage( const x509_crt *crt,
+                                       const char *usage_oid,
+                                       size_t usage_len )
+{
+    const x509_sequence *cur;
+
+    /* Extension is not mandatory, absent means no restriction */
+    if( ( crt->ext_types & EXT_EXTENDED_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    /*
+     * Look for the requested usage (or wildcard ANY) in our list
+     */
+    for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
+    {
+        const x509_buf *cur_oid = &cur->buf;
+
+        if( cur_oid->len == usage_len &&
+            memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
+        {
+            return( 0 );
+        }
+
+        if( OID_CMP( OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) )
+            return( 0 );
+    }
+
+    return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
+}
+#endif
+
 #if defined(POLARSSL_X509_CRL_PARSE_C)
 /*
 * Return 1 if the certificate is revoked, or 0 otherwise.