@@ -579,6 +579,28 @@ int x509_process_extension(void *context, size_t hdrlen,
return 0;
}
+ if (ctx->last_oid == OID_keyUsage) {
+ /*
+ * Get hold of the keyUsage bit string to validate keyCertSign
+ * v[1] is the encoding size
+ * (Expect either 0x02 or 0x03, making it 1 or 2 bytes)
+ * v[2] is the number of unused bits in the bit string
+ * (If >= 3 keyCertSign is missing)
+ * v[3] and possibly v[4] contain the bit string
+ * 0x04 is where KeyCertSign lands in this bit string (from
+ * RFC 5280 4.2.1.3)
+ */
+ if (v[0] != ASN1_BTS)
+ return -EBADMSG;
+ if (vlen < 4)
+ return -EBADMSG;
+ if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04))
+ ctx->cert->kcs_set = true;
+ else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04))
+ ctx->cert->kcs_set = true;
+ return 0;
+ }
+
if (ctx->last_oid == OID_authorityKeyIdentifier) {
/* Get hold of the CA key fingerprint */
ctx->raw_akid = v;
@@ -39,6 +39,7 @@ struct x509_certificate {
bool unsupported_sig; /* T if signature uses unsupported crypto */
bool blacklisted;
bool root_ca; /* T if basic constraints CA is set */
+ bool kcs_set; /* T if keyCertSign is set */
};
/*
Parse the X.509 Key Usage. The key usage extension defines the purpose of the key contained in the certificate. id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } KeyUsage ::= BIT STRING { digitalSignature (0), contentCommitment (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow on patch that requires knowing the certificate key usage type. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++ crypto/asymmetric_keys/x509_parser.h | 1 + 2 files changed, 23 insertions(+)