From 6ea49d30b8282eff0153791a3c74848ba039edce Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Sat, 11 Nov 2017 13:20:07 +0000
Subject: [PATCH] Check OCSPSigning ExtKeyUsage from response issuer

Ensure that when the OCSP response issuer is not the parent of the cert whose status was requested the issuer has OCSPSigning enabled in the extended key usage X.509 extension.
---
 library/x509_ocsp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index e5034f6a52..53c4bac0dc 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1448,8 +1448,15 @@ static int x509_ocsp_verify_response_issuer(
         // TODO
     }
 
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
     /* Check that the issuer includes the value of id-kp-OCSPSigning */
-    // TODO
+    if( ( ret = mbedtls_x509_crt_check_extended_key_usage( issuer,
+                MBEDTLS_OID_OCSP_SIGNING,
+                MBEDTLS_OID_SIZE( MBEDTLS_OID_OCSP_SIGNING ) ) ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED;
+        return( ret );
+    }
 
     /*
      * Try to find the parent of the requested certificate.
@@ -1486,6 +1493,7 @@ static int x509_ocsp_verify_response_issuer(
      * issuer upwards and verify that *parent is the parent of crt
      */
     // TODO
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
 
     return( 0 );
 }
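Review bot: The `#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)` opened before the OCSPSigning check in the first hunk is only closed by the `#endif` added in the second hunk, after the parent-lookup block, so with that option disabled the whole issuer verification (including the parent search) is compiled out and the function falls straight through to `return( 0 );`, accepting any issuer. Move the `#endif` to directly after the closing brace of the new `if` so that only the extended-key-usage check is conditional. The commit message says the OCSPSigning requirement applies when the issuer is not the requested certificate's parent, yet the check runs unconditionally before the parent is located; RFC 6960 allows the issuing CA itself to sign the response without id-kp-OCSPSigning, so as written this rejects responses signed directly by that CA (the remaining TODOs may be where that ordering is meant to be resolved). The `#endif` comment also carries a stray parenthesis and should read `#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */`. x509_ocsp_verify_response_issuer begins outside the hunk, so whether `ret` is declared there cannot be confirmed from the diff.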