forked from wolfSSL/wolfssl
Added checking of the key usage and extended key usage extensions in the
certificates.
This commit is contained in:
John Safranek
@@ -6493,6 +6493,12 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
|
|||||||
if (ca) {
|
if (ca) {
|
||||||
CYASSL_MSG("Found CRL issuer CA");
|
CYASSL_MSG("Found CRL issuer CA");
|
||||||
/* try to confirm/verify signature */
|
/* try to confirm/verify signature */
|
||||||
|
#ifndef IGNORE_KEY_EXTENSIONS
|
||||||
|
if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
|
||||||
|
CYASSL_MSG("CA cannot sign CRLs");
|
||||||
|
return ASN_CRL_NO_SIGNER_E;
|
||||||
|
}
|
||||||
|
#endif /* IGNORE_KEY_EXTENSIONS */
|
||||||
if (!ConfirmSignature(buff + dcrl->certBegin,
|
if (!ConfirmSignature(buff + dcrl->certBegin,
|
||||||
dcrl->sigIndex - dcrl->certBegin,
|
dcrl->sigIndex - dcrl->certBegin,
|
||||||
ca->publicKey, ca->pubKeySize, ca->keyOID,
|
ca->publicKey, ca->pubKeySize, ca->keyOID,
|
||||||
|
|||||||
@@ -426,6 +426,7 @@ struct DecodedCert {
|
|||||||
struct Signer {
|
struct Signer {
|
||||||
word32 pubKeySize;
|
word32 pubKeySize;
|
||||||
word32 keyOID; /* key type */
|
word32 keyOID; /* key type */
|
||||||
|
word16 keyUsage;
|
||||||
byte* publicKey;
|
byte* publicKey;
|
||||||
int nameLen;
|
int nameLen;
|
||||||
char* name; /* common name */
|
char* name; /* common name */
|
||||||
|
|||||||
@@ -115,6 +115,10 @@ enum CyaSSL_ErrorCodes {
|
|||||||
UNKNOWN_SNI_HOST_NAME_E = -281, /* Unrecognized host name Error */
|
UNKNOWN_SNI_HOST_NAME_E = -281, /* Unrecognized host name Error */
|
||||||
UNKNOWN_MAX_FRAG_LEN_E = -282, /* Unrecognized max frag len Error */
|
UNKNOWN_MAX_FRAG_LEN_E = -282, /* Unrecognized max frag len Error */
|
||||||
/* add strings to SetErrorString !!!!! */
|
/* add strings to SetErrorString !!!!! */
|
||||||
|
KEYUSE_SIGNATURE_E = -283, /* KeyUse digSignature error */
|
||||||
|
KEYUSE_AGREEMENT_E = -284, /* KeyUse keyAgreement error */
|
||||||
|
KEYUSE_ENCIPHER_E = -285, /* KeyUse keyEncipher error */
|
||||||
|
EXTKEYUSE_AUTH_E = -286, /* ExtKeyUse server|client_auth */
|
||||||
|
|
||||||
/* begin negotiation parameter errors */
|
/* begin negotiation parameter errors */
|
||||||
UNSUPPORTED_SUITE = -290, /* unsupported cipher suite */
|
UNSUPPORTED_SUITE = -290, /* unsupported cipher suite */
|
||||||
|
|||||||
@@ -3465,6 +3465,49 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef IGNORE_KEY_EXTENSIONS
|
||||||
|
if (dCert.extKeyUsageSet) {
|
||||||
|
if ((ssl->specs.kea == rsa_kea) &&
|
||||||
|
(dCert.extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
|
||||||
|
fatal = 1;
|
||||||
|
ret = KEYUSE_ENCIPHER_E;
|
||||||
|
}
|
||||||
|
if ((ssl->specs.kea == diffie_hellman_kea ||
|
||||||
|
ssl->specs.kea == ecc_diffie_hellman_kea ||
|
||||||
|
ssl->specs.kea == ecc_static_diffie_hellman_kea) &&
|
||||||
|
(dCert.extKeyUsage & KEYUSE_KEY_AGREE) == 0) {
|
||||||
|
fatal = 1;
|
||||||
|
ret = KEYUSE_AGREEMENT_E;
|
||||||
|
}
|
||||||
|
if ((ssl->specs.sig_algo == rsa_sa_algo ||
|
||||||
|
ssl->specs.sig_algo == ecc_dsa_sa_algo) &&
|
||||||
|
(dCert.extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
|
||||||
|
CYASSL_MSG("KeyUse Digital Sig not set");
|
||||||
|
fatal = 1;
|
||||||
|
ret = KEYUSE_SIGNATURE_E;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (dCert.extExtKeyUsageSet) {
|
||||||
|
if (ssl->options.side == CYASSL_CLIENT_END) {
|
||||||
|
if ((dCert.extExtKeyUsage &
|
||||||
|
(EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) {
|
||||||
|
CYASSL_MSG("ExtKeyUse Server Auth not set");
|
||||||
|
fatal = 1;
|
||||||
|
ret = EXTKEYUSE_AUTH_E;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if ((dCert.extExtKeyUsage &
|
||||||
|
(EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) {
|
||||||
|
CYASSL_MSG("ExtKeyUse Client Auth not set");
|
||||||
|
fatal = 1;
|
||||||
|
ret = EXTKEYUSE_AUTH_E;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* IGNORE_KEY_EXTENSIONS */
|
||||||
|
|
||||||
if (fatal) {
|
if (fatal) {
|
||||||
FreeDecodedCert(&dCert);
|
FreeDecodedCert(&dCert);
|
||||||
ssl->error = ret;
|
ssl->error = ret;
|
||||||
@@ -6451,6 +6494,22 @@ void SetErrorString(int error, char* str)
|
|||||||
XSTRNCPY(str, "Unrecognized host name Error", max);
|
XSTRNCPY(str, "Unrecognized host name Error", max);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case KEYUSE_SIGNATURE_E:
|
||||||
|
XSTRNCPY(str, "Key Use digitalSignature not set Error", max);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case KEYUSE_AGREEMENT_E:
|
||||||
|
XSTRNCPY(str, "Key Use keyAgreement not set Error", max);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case KEYUSE_ENCIPHER_E:
|
||||||
|
XSTRNCPY(str, "Key Use keyEncipherment not set Error", max);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case EXTKEYUSE_AUTH_E:
|
||||||
|
XSTRNCPY(str, "Ext Key Use server/client auth not set Error", max);
|
||||||
|
break;
|
||||||
|
|
||||||
default :
|
default :
|
||||||
XSTRNCPY(str, "unknown error number", max);
|
XSTRNCPY(str, "unknown error number", max);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1526,6 +1526,8 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
|
|||||||
cert.extSubjKeyId, SHA_DIGEST_SIZE);
|
cert.extSubjKeyId, SHA_DIGEST_SIZE);
|
||||||
#endif
|
#endif
|
||||||
XMEMCPY(signer->subjectNameHash, cert.subjectHash, SHA_DIGEST_SIZE);
|
XMEMCPY(signer->subjectNameHash, cert.subjectHash, SHA_DIGEST_SIZE);
|
||||||
|
signer->keyUsage = cert.extKeyUsageSet ? cert.extKeyUsage : 0xFFFF;
|
||||||
|
/* If Key Usage not set, all uses valid. */
|
||||||
signer->next = NULL; /* in case lock fails */
|
signer->next = NULL; /* in case lock fails */
|
||||||
|
|
||||||
cert.publicKey = 0; /* don't free here */
|
cert.publicKey = 0; /* don't free here */
|
||||||
|
|||||||
Reference in New Issue
Block a user