Add support for Extended Key Usage

C2SP · Oct 19, 2023 · 7c6b43b · 7c6b43b
1 parent 762e0b5
commit 7c6b43b
Show file tree

Hide file tree

Showing 4 changed files with 232 additions and 142 deletions.
diff --git a/harness/gocryptox509/main.go b/harness/gocryptox509/main.go
@@ -145,9 +145,22 @@ func evaluateTestcase(testcase Testcase) (testcaseResult, error) {
 		return testcaseSkipped, fmt.Errorf("key usage checks not supported yet")
 	}
 
-	// TODO: Support testcases that constrain extended key usages.
+	var ekus []x509.ExtKeyUsage
 	if len(testcase.ExtendedKeyUsage) != 0 {
-		return testcaseSkipped, fmt.Errorf("extended key usage checks not supported yet")
+		extKeyUsagesMap := map[KnownEKUs]x509.ExtKeyUsage{
+			KnownEKUsAnyExtendedKeyUsage: x509.ExtKeyUsageAny,
+			KnownEKUsClientAuth:          x509.ExtKeyUsageClientAuth,
+			KnownEKUsCodeSigning:         x509.ExtKeyUsageCodeSigning,
+			KnownEKUsEmailProtection:     x509.ExtKeyUsageEmailProtection,
+			KnownEKUsOCSPSigning:         x509.ExtKeyUsageOCSPSigning,
+			KnownEKUsServerAuth:          x509.ExtKeyUsageServerAuth,
+			KnownEKUsTimeStamping:        x509.ExtKeyUsageTimeStamping,
+		}
+
+		for _, elem := range testcase.ExtendedKeyUsage {
+		    expected_eku := KnownEKUs(elem.(string))
+			ekus = append(ekus, extKeyUsagesMap[expected_eku])
+		}
 	}
 
 	switch testcase.ValidationKind {
@@ -187,7 +200,7 @@ func evaluateTestcase(testcase Testcase) (testcaseResult, error) {
 			Intermediates: intermediates,
 			Roots:         roots,
 			CurrentTime:   ts,
-			KeyUsages:     nil,
+			KeyUsages:     ekus,
 		}
 		chain, err := peer.Verify(opts)
 		_ = chain

diff --git a/harness/openssl/main.cpp b/harness/openssl/main.cpp
@@ -33,6 +33,14 @@ using X509_STORE_CTX_ptr = std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_
     std::exit(1);
 }
 
+std::map<std::string, int> create_eku_map() {
+    std::map<std::string, int> m;
+    m["anyExtendedKeyUsage"] = X509_PURPOSE_ANY;
+    m["serverAuth"] = X509_PURPOSE_SSL_SERVER;
+    m["clientAuth"] = X509_PURPOSE_SSL_CLIENT;
+    return m;
+}
+
 X509_ptr pem_to_x509(const std::string &pem)
 {
     X509 *cert = nullptr;
@@ -100,11 +108,6 @@ json evaluate_testcase(const json &testcase)
         return skip(id, "key_usage not supported yet");
     }
 
-    if (!testcase["extended_key_usage"].is_null())
-    {
-        return skip(id, "extended_key_usage not supported yet");
-    }
-
     if (!testcase["expected_peer_names"].is_null())
     {
         return skip(id, "expected_peer_names not supported yet");
@@ -179,6 +182,23 @@ json evaluate_testcase(const json &testcase)
         }
     }
 
+    if (testcase["extended_key_usage"].is_array())
+    {
+        if (testcase["extended_key_usage"].size() > 1) {
+            return skip(id, "multiple extended key usage values not yet supported");
+        }
+        const auto eku_name_to_id = create_eku_map();
+        for (auto &eku : testcase["extended_key_usage"])
+        {
+            const auto expected_eku_name = eku.template get<std::string>();
+            if (eku_name_to_id.count(expected_eku_name) == 0) {
+                return skip(id, "extended key usage value not yet supported: " + expected_eku_name);
+            }
+            const auto expected_eku_id = eku_name_to_id.at(expected_eku_name);
+            X509_STORE_CTX_set_purpose(ctx.get(), expected_eku_id);
+        }
+    }
+
     auto should_pass = testcase["expected_result"] == "SUCCESS";
     auto does_pass = X509_verify_cert(ctx.get());
     if (should_pass ^ does_pass)