Fix 1.3 failure to update flags for (ext)KeyUsage

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-30 22:43:08 +03:00 · 2024-08-08 10:28:56 +02:00
parent 36d1b4a80f
commit ef41d8ccbe
2 changed files with 35 additions and 27 deletions
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -714,6 +714,18 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
    /*
     * Secondary checks: always done, but change 'ret' only if it was 0
     */
+    /* keyUsage */
+    if ((mbedtls_x509_crt_check_key_usage(
+             ssl->session_negotiate->peer_cert,
+             MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0)) {
+        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
+        if (ret == 0) {
+            ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+        }
+        verify_result |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+    }
+
+    /* extKeyUsage */
    if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
        ext_oid = MBEDTLS_OID_SERVER_AUTH;
        ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
@ -722,16 +734,14 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
        ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
    }

-    if ((mbedtls_x509_crt_check_key_usage(
-             ssl->session_negotiate->peer_cert,
-             MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) ||
-        (mbedtls_x509_crt_check_extended_key_usage(
+    if ((mbedtls_x509_crt_check_extended_key_usage(
             ssl->session_negotiate->peer_cert,
             ext_oid, ext_len) != 0)) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
        if (ret == 0) {
            ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
        }
+        verify_result |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
    }

    /* mbedtls_x509_crt_verify_with_profile is supposed to report a