[tls12|tls13]_server: fix usage being checked on the certificate key

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-05-04 17:12:51 +02:00 · 2025-09-08 13:41:58 +02:00
parent 7b2d72aaf0
commit bc611fe44c
2 changed files with 3 additions and 2 deletions
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -694,7 +694,8 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
        key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
                             mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage)) &&
-                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg, pk_usage));
+                            mbedtls_pk_can_do_psa(&cur->cert->pk, pk_alg,
+                                                  PSA_KEY_USAGE_VERIFY_HASH));
 #else
        key_type_matches = (
            mbedtls_pk_can_do_psa(cur->key, pk_alg, pk_usage));
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1161,7 +1161,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
                    *sig_alg, &key_cert->cert->pk)
                && psa_alg != PSA_ALG_NONE &&
                mbedtls_pk_can_do_psa(&key_cert->cert->pk, psa_alg,
-                                      PSA_KEY_USAGE_SIGN_HASH) == 1
+                                      PSA_KEY_USAGE_VERIFY_HASH) == 1
                ) {
                ssl->handshake->key_cert = key_cert;
                MBEDTLS_SSL_DEBUG_MSG(3,