mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-03 17:15:46 +00:00
Make results of (ext)KeyUsage accessible
This commit is contained in:
parent
0c6ce2f536
commit
9f98251e72
|
@ -3,6 +3,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
= mbed TLS 1.3 branch
|
= mbed TLS 1.3 branch
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||||||
|
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
||||||
|
via ssl_get_verify_results()).
|
||||||
|
|
||||||
Features
|
Features
|
||||||
* Add x509_crt_verify_info() to display certificate verification results.
|
* Add x509_crt_verify_info() to display certificate verification results.
|
||||||
|
|
|
@ -1980,7 +1980,8 @@ static inline x509_crt *ssl_own_cert( ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
int ssl_check_cert_usage( const x509_crt *cert,
|
int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
const ssl_ciphersuite_t *ciphersuite,
|
const ssl_ciphersuite_t *ciphersuite,
|
||||||
int cert_endpoint );
|
int cert_endpoint,
|
||||||
|
int *flags );
|
||||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
/* constant-time buffer comparison */
|
/* constant-time buffer comparison */
|
||||||
|
|
|
@ -829,6 +829,7 @@ static int ssl_pick_cert( ssl_context *ssl,
|
||||||
{
|
{
|
||||||
ssl_key_cert *cur, *list, *fallback = NULL;
|
ssl_key_cert *cur, *list, *fallback = NULL;
|
||||||
pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
|
int flags;
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
||||||
if( ssl->handshake->sni_key_cert != NULL )
|
if( ssl->handshake->sni_key_cert != NULL )
|
||||||
|
@ -862,7 +863,7 @@ static int ssl_pick_cert( ssl_context *ssl,
|
||||||
* and decrypting with the same RSA key.
|
* and decrypting with the same RSA key.
|
||||||
*/
|
*/
|
||||||
if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
||||||
SSL_IS_SERVER ) != 0 )
|
SSL_IS_SERVER, &flags ) != 0 )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
||||||
"(extended) key usage extension" ) );
|
"(extended) key usage extension" ) );
|
||||||
|
|
|
@ -2859,7 +2859,8 @@ int ssl_parse_certificate( ssl_context *ssl )
|
||||||
|
|
||||||
if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
|
if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
|
||||||
ciphersuite_info,
|
ciphersuite_info,
|
||||||
! ssl->endpoint ) != 0 )
|
! ssl->endpoint,
|
||||||
|
&ssl->session_negotiate->verify_result ) != 0 )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
|
SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
|
||||||
if( ret == 0 )
|
if( ret == 0 )
|
||||||
|
@ -5199,8 +5200,10 @@ int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
|
||||||
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
||||||
int ssl_check_cert_usage( const x509_crt *cert,
|
int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
const ssl_ciphersuite_t *ciphersuite,
|
const ssl_ciphersuite_t *ciphersuite,
|
||||||
int cert_endpoint )
|
int cert_endpoint,
|
||||||
|
int *flags )
|
||||||
{
|
{
|
||||||
|
int ret = 0;
|
||||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
int usage = 0;
|
int usage = 0;
|
||||||
#endif
|
#endif
|
||||||
|
@ -5213,6 +5216,7 @@ int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
!defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
!defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
((void) cert);
|
((void) cert);
|
||||||
((void) cert_endpoint);
|
((void) cert_endpoint);
|
||||||
|
((void) flags);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
|
||||||
|
@ -5252,7 +5256,10 @@ int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
}
|
}
|
||||||
|
|
||||||
if( x509_crt_check_key_usage( cert, usage ) != 0 )
|
if( x509_crt_check_key_usage( cert, usage ) != 0 )
|
||||||
return( -1 );
|
{
|
||||||
|
*flags |= BADCERT_KEY_USAGE;
|
||||||
|
ret = -1;
|
||||||
|
}
|
||||||
#else
|
#else
|
||||||
((void) ciphersuite);
|
((void) ciphersuite);
|
||||||
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
|
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
|
||||||
|
@ -5270,10 +5277,13 @@ int ssl_check_cert_usage( const x509_crt *cert,
|
||||||
}
|
}
|
||||||
|
|
||||||
if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
|
if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
|
||||||
return( -1 );
|
{
|
||||||
|
*flags |= BADCERT_EXT_KEY_USAGE;
|
||||||
|
ret = -1;
|
||||||
|
}
|
||||||
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
|
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
|
||||||
|
|
||||||
return( 0 );
|
return( ret );
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
|
|
@ -1878,6 +1878,17 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
|
||||||
-c "Processing of the Certificate handshake message failed" \
|
-c "Processing of the Certificate handshake message failed" \
|
||||||
-C "Ciphersuite is TLS-"
|
-C "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ke.crt" \
|
||||||
|
"$P_CLI debug_level=1 auth_mode=optional \
|
||||||
|
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-c "bad certificate (usage extensions)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-" \
|
||||||
|
-c "! Usage does not match the keyUsage extension"
|
||||||
|
|
||||||
run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
|
run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
|
||||||
"$O_SRV -key data_files/server2.key \
|
"$O_SRV -key data_files/server2.key \
|
||||||
-cert data_files/server2.ku-ds.crt" \
|
-cert data_files/server2.ku-ds.crt" \
|
||||||
|
@ -1898,6 +1909,17 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \
|
||||||
-c "Processing of the Certificate handshake message failed" \
|
-c "Processing of the Certificate handshake message failed" \
|
||||||
-C "Ciphersuite is TLS-"
|
-C "Ciphersuite is TLS-"
|
||||||
|
|
||||||
|
run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
|
||||||
|
"$O_SRV -key data_files/server2.key \
|
||||||
|
-cert data_files/server2.ku-ds.crt" \
|
||||||
|
"$P_CLI debug_level=1 auth_mode=optional \
|
||||||
|
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
|
0 \
|
||||||
|
-c "bad certificate (usage extensions)" \
|
||||||
|
-C "Processing of the Certificate handshake message failed" \
|
||||||
|
-c "Ciphersuite is TLS-" \
|
||||||
|
-c "! Usage does not match the keyUsage extension"
|
||||||
|
|
||||||
# Tests for keyUsage in leaf certificates, part 3:
|
# Tests for keyUsage in leaf certificates, part 3:
|
||||||
# server-side checking of client cert
|
# server-side checking of client cert
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue