Add x509_crt_check_key_usage()
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index c2c2708..2def1ee 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -958,6 +958,20 @@
//#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
/**
+ * \def POLARSSL_X509_CHECK_KEY_USAGE
+ *
+ * Enable verification of the keyUsage extension (CA and leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused
+ * (intermediate) CA and leaf certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip keyUsage checking for both CA and leaf certificates.
+ */
+#define POLARSSL_X509_CHECK_KEY_USAGE
+
+/**
* \def POLARSSL_ZLIB_SUPPORT
*
* If set, the SSL/TLS module uses ZLIB to support compression and
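Review bot: The sentence `Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.` reads as if turning the check off is the safe choice, which contradicts the `\warning` two lines below it. Presumably the intended meaning is that disabling sidesteps interoperability failures with certificates whose keyUsage bits were mis-issued, at the price of no longer rejecting misuse; suggest rewording to `Disabling this avoids interoperability failures with mis-issued certificates, at the cost of no longer rejecting misused (intermediate) CA and leaf certificates.` so a reader weighing the option sees which way the security trade-off goes.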
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index e3c8b18..e3443d0 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -244,6 +244,26 @@
int (*f_vrfy)(void *, x509_crt *, int, int *),
void *p_vrfy );
+#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
+/**
+ * \brief Check usage of certificate against keyUsage extension.
+ *
+ * \param crt Leaf certificate used.
+ * \param usage Intended usage(s) (eg KU_KEY_ENCIPHERMENT before using the
+ * certificate to perform an RSA key exchange).
+ *
+ * \return 0 is these uses of the certificate are allowed,
+ * POLARSSL_ERR_X509_BAD_INPUT_DATA if the keyUsage extenson
+ * is present but does not contain all the bits set in the
+ * usage argument.
+ *
+ * \note You should only call this function on leaf certificates, on
+ * (intermediate) CAs the keyUsage extension is automatically
+ * checked by \c x509_crt_verify().
+ */
+int x509_crt_check_key_usage( const x509_crt *crt, int usage );
+#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
+
#if defined(POLARSSL_X509_CRL_PARSE_C)
/**
* \brief Verify the certificate revocation status
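Review bot: The return documentation for `x509_crt_check_key_usage` has two typos that garble the contract — `0 is these uses` should read `0 if these uses`, and `extenson` should read `extension` — and the closing `#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */` carries a stray `)`. The text also leaves the absent-extension case implicit: as written, a certificate with no keyUsage extension appears to return 0 for any requested usage, which callers should be told explicitly; suggest adding `* \note If the keyUsage extension is absent, the check succeeds (all usages allowed).` Since the note says the leaf is not covered by x509_crt_verify(), it would also help to state that any caller using the certificate's key (e.g. the TLS handshake) is responsible for invoking this function, otherwise the leaf's keyUsage is silently never enforced.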