Update prototype of x509write_set_key_usage()

Allow for future support of decipherOnly and encipherOnly. Some work will be required to ensure we still write only one byte when only one is needed.
2024-10-18 10:21:06 +00:00 · 2015-06-23 11:07:37 +02:00 · 2015-06-23 11:07:37 +02:00 · 1cd10adc7c
parent 655a964539
commit 1cd10adc7c
3 changed files with 14 additions and 6 deletions
--- a/3
+++ b/3
@ -73,7 +73,8 @@ API Changes
   * ecdsa_write_signature() gained an addtional md_alg argument and
     ecdsa_write_signature_det() was deprecated.
   * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
-   * Last argument of x509_crt_check_key_usage() changed from int to unsigned.
+   * Last argument of x509_crt_check_key_usage() and
+     mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
   * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
     available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
   * Test certificates in certs.c are no longer guaranteed to be nul-terminated
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -570,7 +570,8 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 *
 * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
 */
-int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage );
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage );

 /**
 * \brief           Set the Netscape Cert Type flags
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@ -217,15 +217,21 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 }
 #endif /* MBEDTLS_SHA1_C */

-int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage )
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage )
 {
-    unsigned char buf[4];
+    unsigned char buf[4], ku;
    unsigned char *c;
    int ret;

-    c = buf + 4;
+    /* We currently only support 7 bits, from 0x80 to 0x02 */
+    if( ( key_usage & ~0xfe ) != 0 )
+        return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );

-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+    c = buf + 4;
+    ku = (unsigned char) key_usage;
+
+    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 )
        return( ret );

    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,