From 75d24d8e35ab7d0faf0861709b26cb0c7e7d8072 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Thu, 15 Mar 2018 21:52:46 +0000
Subject: [PATCH] Fail when ExtendedKeyUsage extension not present

The existing Mbed TLS API to check whether the ExtendedKeyUsage extension allows an operation. However, this API succeeds when the extension is not present in the certificate. In the case of authorised signers for OCSP responses, the certificate MUST have the extension AND the OCSPSigning field set to be accepted.

This commit creates the new function mbedtls_x509_crt_check_extended_key_usage_ext() which is a version of mbedtls_x509_crt_check_extended_key_usage() that returns an error code if the extension is not present in the certificate in question.
---
 include/mbedtls/x509_crt.h | 22 ++++++++++++++++++++--
 library/x509_crt.c         | 12 ++++++++++++
 library/x509_ocsp.c        |  2 +-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index f37aeccf0d..f212cd29f1 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -382,14 +382,32 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
  * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH).
  * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
  *
- * \return 0 if this use of the certificate is allowed,
- *         MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ * \return 0 if this use of the certificate is allowed or the extension
+ *         is not present, otherwise MBEDTLS_ERR_X509_BAD_INPUT_DATA.
  *
  * \note Usually only makes sense on leaf certificates.
  */
 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
                                                const char *usage_oid,
                                                size_t usage_len );
+
+/**
+ * \brief Check usage of certificate against extentedKeyUsage.
+ *
+ * \param crt Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ *                  MBEDTLS_OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
+ *
+ * \return 0 if this use of the certificate is allowed, or
+ *         MBEDTLS_ERR_X509_BAD_INPUT_DATA if the extension is not
+ *         present or the usage is not allowed.
+ *
+ * \note Usually only makes sense on leaf certificates.
+ */
+int mbedtls_x509_crt_check_extended_key_usage_ext( const mbedtls_x509_crt *crt,
+                                                   const char *usage_oid,
+                                                   size_t usage_len );
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1136ff7712..c52cc5a90f 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
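Review bot: The Doxygen block on the new mbedtls_x509_crt_check_extended_key_usage_ext() declaration is a copy of the old one (including the "extentedKeyUsage" typo) and never states how it differs from mbedtls_x509_crt_check_extended_key_usage(), which is the whole reason the function exists. Since both failure causes collapse into the same MBEDTLS_ERR_X509_BAD_INPUT_DATA, a caller cannot tell "extension absent" from "usage not allowed" from the return value alone, and that is worth saying. I would change the brief to `\brief Check usage of certificate against extendedKeyUsage, requiring the extension to be present.` and add `\note Unlike mbedtls_x509_crt_check_extended_key_usage(), a certificate without the extension is rejected; both failure causes return the same error code.` below the existing note. The stray `)` in the `#endif` comment is pre-existing context, not part of this change.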
@@ -1799,6 +1799,18 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
 
     return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
 }
+
+int mbedtls_x509_crt_check_extended_key_usage_ext( const mbedtls_x509_crt *crt,
+                                                   const char *usage_oid,
+                                                   size_t usage_len )
+{
+    /* Extension is not mandatory, absent means no restriction */
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    return( mbedtls_x509_crt_check_extended_key_usage( crt, usage_oid,
+                                                       usage_len ) );
+}
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 866244f668..99c7902478 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1548,7 +1548,7 @@ static int x509_ocsp_verify_response_issuer(
 
 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
     /* Check that the issuer includes the value of id-kp-OCSPSigning */
-    if( ( ret = mbedtls_x509_crt_check_extended_key_usage( issuer,
+    if( ( ret = mbedtls_x509_crt_check_extended_key_usage_ext( issuer,
                     MBEDTLS_OID_OCSP_SIGNING,
                     MBEDTLS_OID_SIZE( MBEDTLS_OID_OCSP_SIGNING ) ) ) != 0 )
     {
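Review bot: The comment inside the new mbedtls_x509_crt_check_extended_key_usage_ext(), `/* Extension is not mandatory, absent means no restriction */`, states the exact opposite of the line beneath it, which returns MBEDTLS_ERR_X509_BAD_INPUT_DATA precisely when the extension is absent. It looks copied from the permissive variant and will mislead the next reader into thinking the early return is a bug. Replace it with `/* Unlike mbedtls_x509_crt_check_extended_key_usage(), an absent extension is a failure here: callers such as OCSP signer checks require it to be present */`.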
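Review bot: The stricter check is applied to a variable named `issuer`, and if that can be the CA certificate that issued the certificate being checked rather than a delegated responder, RFC 6960 §4.2.2.2 does not require id-kp-OCSPSigning on the CA's own certificate, so this hunk would reject valid CA-signed responses; it is worth confirming which responder case this path covers and naming it in the comment, e.g. `/* Delegated responder: RFC 6960 4.2.2.2 requires the id-kp-OCSPSigning EKU to be present */`. Separately, the whole check sits under `#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)`, so with that option disabled the MUST described in the commit message is silently skipped; if nothing else in the function enforces it, an `#else` branch that fails the verification, or at least a comment documenting the weaker behaviour, would make that trade-off explicit. x509_ocsp_verify_response_issuer() starts and ends outside the hunk, so I cannot see what other checks precede or follow this one.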