Check keyUsage in SSL client and server

2025-12-21 21:36:21 +01:00 · 2014-04-09 09:50:57 +02:00 · 2014-04-09 09:50:57 +02:00 · 7f2a07d7b2
commit 7f2a07d7b2
parent 603116c570
11 changed files with 347 additions and 4 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -797,6 +797,20 @@ static int ssl_pick_cert( ssl_context *ssl,
        if( ! pk_can_do( cur->key, pk_alg ) )
            continue;

+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
+                                  SSL_IS_SERVER ) != 0 )
+        {
+            continue;
+        }
+
 #if defined(POLARSSL_ECDSA_C)
        if( pk_alg == POLARSSL_PK_ECDSA )
        {