Make mbedtls_ssl_check_cert_usage() work for 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 651a17b..8d8af2b 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -631,8 +631,6 @@
int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
- const char *ext_oid;
- size_t ext_len;
uint32_t verify_result = 0;
/* If SNI was used, overwrite authentication mode
@@ -714,34 +712,15 @@
/*
* Secondary checks: always done, but change 'ret' only if it was 0
*/
- /* keyUsage */
- if ((mbedtls_x509_crt_check_key_usage(
- ssl->session_negotiate->peer_cert,
- MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0)) {
+ if (mbedtls_ssl_check_cert_usage(ssl->session_negotiate->peer_cert,
+ NULL,
+ ssl->conf->endpoint,
+ MBEDTLS_SSL_VERSION_TLS1_3,
+ &verify_result) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
if (ret == 0) {
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
- verify_result |= MBEDTLS_X509_BADCERT_KEY_USAGE;
- }
-
- /* extKeyUsage */
- if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
- ext_oid = MBEDTLS_OID_SERVER_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
- } else {
- ext_oid = MBEDTLS_OID_CLIENT_AUTH;
- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
- }
-
- if ((mbedtls_x509_crt_check_extended_key_usage(
- ssl->session_negotiate->peer_cert,
- ext_oid, ext_len) != 0)) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
- if (ret == 0) {
- ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
- }
- verify_result |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
}
/* mbedtls_x509_crt_verify_with_profile is supposed to report a
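Review bot: The `NULL` ciphersuite argument in the new `mbedtls_ssl_check_cert_usage()` call is safe only if the helper never reads the ciphersuite when the version is `MBEDTLS_SSL_VERSION_TLS1_3`; its body is not visible in this hunk, so the contract should be stated at the call site, for example `/* TLS 1.3: the required usage is always digitalSignature, so no ciphersuite is passed (NULL) */`. The third argument is now `ssl->conf->endpoint`, and the removed code mapped `MBEDTLS_SSL_IS_CLIENT` to `MBEDTLS_OID_SERVER_AUTH`, so the helper has to treat that parameter as the endpoint receiving the certificate. If it were read as the certificate owner's endpoint instead, the extKeyUsage check would be inverted and a client-auth certificate could be accepted as a server certificate. The removed lines also set `MBEDTLS_X509_BADCERT_KEY_USAGE` and `MBEDTLS_X509_BADCERT_EXT_KEY_USAGE` locally, so it is worth confirming, ideally with a test using a certificate that lacks each usage, that the helper still sets both bits in `verify_result`. The enclosing function starts and ends outside the hunk.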