fix(plugins): Check for both MBEDTLS_X509_KU_KEY_CERT_SIGN and MBEDTLS_X509_KU_CRL_SIGN to check certificate usage
jpfr committed Sep 27, 2024
1 parent 2008fc2 commit 0750cac
Showing 2 changed files with 6 additions and 5 deletions.
7 changes: 4 additions & 3 deletions plugins/crypto/mbedtls/ua_pki_mbedtls.c
@@ -412,12 +412,13 @@ certificateVerification_verify(const UA_CertificateVerification *cv,

/* Verification Step: Certificate Usage
* Check whether the certificate is a User certificate or a CA certificate.
* If the KU_KEY_CERT_SIGN and KU_CRL_SIGN of key_usage are set, then the
* If the KU_KEY_CERT_SIGN or KU_CRL_SIGN of key_usage are set, then the
* certificate shall be condidered as CA Certificate and cannot be used to
* establish a connection. Refer the test case CTT/Security/Security
* Certificate Validation/029.js for more details */
unsigned int ca_flags = MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN;
if(mbedtls_x509_crt_check_key_usage(&cert, ca_flags)) {
if(mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_KEY_CERT_SIGN) ||
mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_CRL_SIGN) ||
cert.MBEDTLS_PRIVATE(ca_istrue)) {
mbedtls_x509_crt_free(&cert);
return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
}
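Review bot: the return value of mbedtls_x509_crt_check_key_usage() is read backwards in the new condition `if(mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_KEY_CERT_SIGN) ||`. That function returns 0 when the requested usage bits are present in the certificate's keyUsage (and also when the certificate carries no keyUsage extension at all), and MBEDTLS_ERR_X509_BAD_INPUT_DATA otherwise. An ordinary application-instance certificate with digitalSignature/keyEncipherment therefore makes both calls return non-zero and is rejected with UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED, while a CA certificate carrying keyCertSign and cRLSign makes both calls return 0 and is only caught by `cert.MBEDTLS_PRIVATE(ca_istrue)` if it also has basicConstraints CA:TRUE. The removed line with the combined `ca_flags` had the same inversion (it rejected any certificate missing either bit). Simply negating the two calls is not enough either, because a leaf without a keyUsage extension would then be treated as a CA. Since the hunk already reaches into the struct with MBEDTLS_PRIVATE, test the bits directly and only when the extension is present, e.g. `(cert.MBEDTLS_PRIVATE(ext_types) & MBEDTLS_X509_EXT_KEY_USAGE) && (cert.MBEDTLS_PRIVATE(key_usage) & (MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN))`, keeping the ca_istrue test as the second alternative. The edited comment still spells "condidered".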
4 changes: 2 additions & 2 deletions plugins/crypto/openssl/ua_pki_openssl.c
@@ -602,12 +602,12 @@ UA_CertificateVerification_Verify(const UA_CertificateVerification *cv,

/* Verification Step: Certificate Usage
* Check whether the certificate is a User certificate or a CA certificate.
* If the KU_KEY_CERT_SIGN and KU_CRL_SIGN of key_usage are set, then the
* If the KU_KEY_CERT_SIGN or KU_CRL_SIGN of key_usage are set, then the
* certificate shall be condidered as CA Certificate and cannot be used to
* establish a connection. Refer the test case CTT/Security/Security
* Certificate Validation/029.js for more details */
X509 *leaf = sk_X509_value(stack, 0);
if(X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0) && X509_check_ca(leaf)) {
if(X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0) || X509_check_ca(leaf)) {
sk_X509_pop_free(stack, X509_free);
return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
}
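Review bot: with the condition switched to `||`, `X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0)` on its own rejects every leaf certificate that has no keyUsage extension. For the non-CA variant (third argument 0) OpenSSL's cRLSign purpose check only fails when a keyUsage extension is present and lacks cRLSign, so a certificate without the extension returns 1 and now ends in UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED; under the previous `&&` this case was masked because X509_check_ca() had to agree. To implement what the comment states (keyCertSign or cRLSign set means CA), test the bits and the extension's presence explicitly, e.g. `uint32_t ku = X509_get_key_usage(leaf);` followed by `(X509_get_extension_flags(leaf) & EXFLAG_KUSAGE) && (ku & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))`, and keep `X509_check_ca(leaf)` as the second alternative for basicConstraints. The EXFLAG_KUSAGE gate matters because X509_get_key_usage() returns all bits set when the extension is absent. Note also that X509_check_ca() already returns non-zero for a keyUsage with keyCertSign even without basicConstraints, which is the only place the keyCertSign half of the commit title is covered on the OpenSSL side. The edited comment still spells "condidered".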