Suyu/mbedtls
1
0
Fork 0
mirror of https://git.suyu.dev/suyu/mbedtls.git synced 2025-12-24 08:16:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add keyUsage checking for CAs

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-04-08 15:10:07 +02:00 committed by Paul Bakker
parent 3fed0b3264
commit 99d4f19111
6 changed files with 92 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

24
library/x509_crt.c
View file

@ -1424,6 +1424,17 @@ static int x509_crt_verifycrl( x509_crt *crt, x509_crt *ca,
continue;
}
/*
* Check if the CA is configured to sign CRLs
*/
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( x509_crt_check_key_usage( ca, KU_CRL_SIGN ) != 0 )
{
flags |= BADCRL_NOT_TRUSTED;
break;
}
#endif
/*
* Check if CRL is correctly signed by the trusted CA
*/
@ -1548,6 +1559,11 @@ static x509_crt *x509_crt_find_parent( x509_crt *crt )
continue;
}
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
continue;
#endif
/* If we get there, we found a suitable parent */
break;
}
@ -1599,6 +1615,14 @@ static int x509_crt_verify_top(
continue;
}
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( x509_crt_check_key_usage( trust_ca, KU_KEY_CERT_SIGN ) != 0 )
{
trust_ca = trust_ca->next;
continue;
}
#endif
/*
* Reduce path_len to check against if top of the chain is
* the same as the trusted CA