From f1819222828999a2322dec01bff56a85db3618af Mon Sep 17 00:00:00 2001
From: Julius Pfrommer
Date: Fri, 27 Sep 2024 22:54:10 +0200
Subject: [PATCH] fix(plugins): Check for both MBEDTLS_X509_KU_KEY_CERT_SIGN and MBEDTLS_X509_KU_CRL_SIGN to check certificate usage
---
 plugins/crypto/mbedtls/ua_pki_mbedtls.c | 7 ++++---
 plugins/crypto/openssl/ua_pki_openssl.c | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/plugins/crypto/mbedtls/ua_pki_mbedtls.c b/plugins/crypto/mbedtls/ua_pki_mbedtls.c
index ac3bf38814e..9161ff30a8d 100644
--- a/plugins/crypto/mbedtls/ua_pki_mbedtls.c
+++ b/plugins/crypto/mbedtls/ua_pki_mbedtls.c
@@ -408,12 +408,13 @@ certificateVerification_verify(void *verificationContext,
 /* Verification Step: Certificate Usage
 * Check whether the certificate is a User certificate or a CA certificate.
- * If the KU_KEY_CERT_SIGN and KU_CRL_SIGN of key_usage are set, then the
+ * If the KU_KEY_CERT_SIGN or KU_CRL_SIGN of key_usage are set, then the
 * certificate shall be condidered as CA Certificate and cannot be used to
 * establish a connection. Refer the test case CTT/Security/Security
 * Certificate Validation/029.js for more details */
- unsigned int ca_flags = MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN;
- if(mbedtls_x509_crt_check_key_usage(&cert, ca_flags)) {
+ if(mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_KEY_CERT_SIGN) ||
+ mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_CRL_SIGN) ||
+ cert.MBEDTLS_PRIVATE(ca_istrue)) {
 mbedtls_x509_crt_free(&cert);
 return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
 }
diff --git a/plugins/crypto/openssl/ua_pki_openssl.c b/plugins/crypto/openssl/ua_pki_openssl.c
index 3c05aaa2777..a088b0666d3 100644
--- a/plugins/crypto/openssl/ua_pki_openssl.c
+++ b/plugins/crypto/openssl/ua_pki_openssl.c
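Review bot: The two `mbedtls_x509_crt_check_key_usage()` operands in the new condition look inverted relative to the comment above them. As documented by Mbed TLS (worth confirming against the header of the version in use), the function returns 0 when the requested usage is permitted or when the certificate has no keyUsage extension, and a non-zero error when the extension is present but lacks the bit. As written, a leaf whose keyUsage holds only end-entity bits would be rejected with BADCERTIFICATEUSENOTALLOWED, while a certificate that actually has keyCertSign and cRLSign is caught only through `ca_istrue`. I would guard on the extension being present with `(cert.MBEDTLS_PRIVATE(ext_types) & MBEDTLS_X509_EXT_KEY_USAGE) != 0` and then compare each call with `== 0`, e.g. `mbedtls_x509_crt_check_key_usage(&cert, MBEDTLS_X509_KU_KEY_CERT_SIGN) == 0`. A regression test with one end-entity and one CA certificate would pin the intended behaviour; the enclosing function starts and ends outside this hunk.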
@@ -589,12 +589,12 @@ UA_CertificateVerification_Verify(void *verificationContext,
 /* Verification Step: Certificate Usage
 * Check whether the certificate is a User certificate or a CA certificate.
- * If the KU_KEY_CERT_SIGN and KU_CRL_SIGN of key_usage are set, then the
+ * If the KU_KEY_CERT_SIGN or KU_CRL_SIGN of key_usage are set, then the
 * certificate shall be condidered as CA Certificate and cannot be used to
 * establish a connection. Refer the test case CTT/Security/Security
 * Certificate Validation/029.js for more details */
 X509 *leaf = sk_X509_value(stack, 0);
- if(X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0) && X509_check_ca(leaf)) {
+ if(X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0) || X509_check_ca(leaf)) {
 sk_X509_pop_free(stack, X509_free);
 return UA_STATUSCODE_BADCERTIFICATEUSENOTALLOWED;
 }
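Review bot: With `||`, the `X509_check_purpose(leaf, X509_PURPOSE_CRL_SIGN, 0)` operand now decides on its own, and that call does not test whether the cRLSign bit is set. To my knowledge OpenSSL's purpose check only rejects a usage when a keyUsage extension is present and lacks the bit, so a leaf with no keyUsage extension passes it and would now be refused as a CA certificate. If refusing such certificates is intended, the comment should say so. Otherwise test the bits explicitly: `uint32_t ku = X509_get_key_usage(leaf);` followed by `if(X509_check_ca(leaf) || (ku != UINT32_MAX && (ku & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))))`, assuming the minimum supported OpenSSL version (not visible here) provides `X509_get_key_usage`. That would also make the OpenSSL backend check keyCertSign directly, as the commit title and the mbedTLS hunk do, instead of only through `X509_check_ca`.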