Add keyUsage checking for CAs
diff --git a/library/x509_crt.c b/library/x509_crt.c
index be2e526..47745a7 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1425,6 +1425,17 @@
}
/*
+ * Check if the CA is configured to sign CRLs
+ */
+#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
+ if( x509_crt_check_key_usage( ca, KU_CRL_SIGN ) != 0 )
+ {
+ flags |= BADCRL_NOT_TRUSTED;
+ break;
+ }
+#endif
+
+ /*
* Check if CRL is correctly signed by the trusted CA
*/
md_info = md_info_from_type( crl_list->sig_md );
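Review bot: The comment added above the cRLSign guard does not say what the `break` implies. On failure the code sets BADCRL_NOT_TRUSTED and leaves the enclosing loop, which starts outside this hunk, so the signature check below (and presumably any revocation lookup after it) is never reached for this CA. I would spell that out in the comment, e.g. `* A CA without cRLSign cannot vouch for any CRL, so stop here instead of trying the next one.` This guard and the ones in the two later hunks compile out when POLARSSL_X509_CHECK_KEY_USAGE is undefined, and what x509_crt_check_key_usage returns for a certificate with no keyUsage extension is not visible here. Both deserve a line in the option's documentation so integrators know when CA keyUsage is actually enforced.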
@@ -1548,6 +1559,11 @@
continue;
}
+#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
+ if( x509_crt_check_key_usage( parent, KU_KEY_CERT_SIGN ) != 0 )
+ continue;
+#endif
+
/* If we get there, we found a suitable parent */
break;
}
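Review bot: The guard that skips a candidate parent lacking keyCertSign has no comment, unlike the cRLSign guard in the first hunk, and the bare `continue` gives no hint why the candidate was dropped. Add one above the `#if`, e.g. `/* A parent whose keyUsage forbids certificate signing cannot be the issuer: try the next candidate */`. Because the rejection is silent, a chain that fails only for this reason will presumably surface as a generic not-trusted result, which is worth noting for anyone debugging a verification failure. The loop around this code starts outside the hunk.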
@@ -1599,6 +1615,14 @@
continue;
}
+#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
+ if( x509_crt_check_key_usage( trust_ca, KU_KEY_CERT_SIGN ) != 0 )
+ {
+ trust_ca = trust_ca->next;
+ continue;
+ }
+#endif
+
/*
* Reduce path_len to check against if top of the chain is
* the same as the trusted CA
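Review bot: The keyCertSign guard on `trust_ca` also applies when the trust anchor is the very certificate being verified, the case the context comment right below it describes ("top of the chain is the same as the trusted CA"). A locally trusted certificate pinned this way whose keyUsage omits keyCertSign would, as far as this hunk shows, now be skipped and end up untrusted. If that is intended, say so above the guard, e.g. `/* keyCertSign is required of every trust anchor, including a directly trusted leaf */`; if not, the guard needs an exemption for that case. The enclosing loop starts and ends outside the hunk, so the exact effect on the final flags should be confirmed against the full function.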