fix(plugins): Check for both MBEDTLS_X509_KU_KEY_CERT_SIGN and MBEDTL…

…S_X509_KU_CRL_SIGN to check certificate usage
jpfr · Sep 27, 2024 · b05c32f · b05c32f
1 parent c63520c
commit b05c32f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/plugins/crypto/mbedtls/ua_pki_mbedtls.c b/plugins/crypto/mbedtls/ua_pki_mbedtls.c
@@ -412,8 +412,8 @@ certificateVerification_verify(void *verificationContext,
      * certificate shall be condidered as CA Certificate and cannot be used to
      * establish a connection. Refer the test case CTT/Security/Security
      * Certificate Validation/029.js for more details */
-    unsigned int ca_flags = MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN;
-    if(mbedtls_x509_crt_check_key_usage(&cert, ca_flags)) {
+    if(mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_KEY_CERT_SIGN) &&
+       mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_CRL_SIGN)) {
         mbedtls_x509_crt_free(&cert);
         return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
     }