Add support for Extended Key Usage (#45)
facutuesca authored Oct 19, 2023
1 parent 762e0b5 commit c2248e4
Showing 4 changed files with 232 additions and 142 deletions.
19 changes: 16 additions & 3 deletions harness/gocryptox509/main.go
Expand Up @@ -145,9 +145,22 @@ func evaluateTestcase(testcase Testcase) (testcaseResult, error) {
return testcaseSkipped, fmt.Errorf("key usage checks not supported yet")
}

// TODO: Support testcases that constrain extended key usages.
var ekus []x509.ExtKeyUsage
if len(testcase.ExtendedKeyUsage) != 0 {
return testcaseSkipped, fmt.Errorf("extended key usage checks not supported yet")
extKeyUsagesMap := map[KnownEKUs]x509.ExtKeyUsage{
KnownEKUsAnyExtendedKeyUsage: x509.ExtKeyUsageAny,
KnownEKUsClientAuth: x509.ExtKeyUsageClientAuth,
KnownEKUsCodeSigning: x509.ExtKeyUsageCodeSigning,
KnownEKUsEmailProtection: x509.ExtKeyUsageEmailProtection,
KnownEKUsOCSPSigning: x509.ExtKeyUsageOCSPSigning,
KnownEKUsServerAuth: x509.ExtKeyUsageServerAuth,
KnownEKUsTimeStamping: x509.ExtKeyUsageTimeStamping,
}

for _, elem := range testcase.ExtendedKeyUsage {
expected_eku := KnownEKUs(elem.(string))
ekus = append(ekus, extKeyUsagesMap[expected_eku])
}
}

switch testcase.ValidationKind {
Expand Down Expand Up @@ -187,7 +200,7 @@ func evaluateTestcase(testcase Testcase) (testcaseResult, error) {
Intermediates: intermediates,
Roots: roots,
CurrentTime: ts,
KeyUsages: nil,
KeyUsages: ekus,
}
chain, err := peer.Verify(opts)
_ = chain
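Review bot: A lookup miss in `ekus = append(ekus, extKeyUsagesMap[expected_eku])` silently appends the map's zero value, and the zero value of x509.ExtKeyUsage is ExtKeyUsageAny, so an EKU name the harness does not know would make Go drop the EKU check rather than the testcase being skipped; the single-value assertion `elem.(string)` on the line above also panics on a non-string element instead of reporting it. Both should use the two-value form and bail out the way the surrounding code already does for unsupported features, since a false pass here is a harness result that looks like a verifier result. `expected_eku` would be `expectedEKU` in Go naming. evaluateTestcase starts and ends outside the hunk, and the same `ekus` slice is what the second hunk passes as `KeyUsages: ekus`.
```go
for _, elem := range testcase.ExtendedKeyUsage {
	name, ok := elem.(string)
	if !ok {
		return testcaseSkipped, fmt.Errorf("extended key usage value is not a string: %v", elem)
	}
	eku, known := extKeyUsagesMap[KnownEKUs(name)]
	if !known {
		return testcaseSkipped, fmt.Errorf("extended key usage not supported yet: %s", name)
	}
	ekus = append(ekus, eku)
}
```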
30 changes: 25 additions & 5 deletions harness/openssl/main.cpp
Expand Up @@ -33,6 +33,14 @@ using X509_STORE_CTX_ptr = std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_
std::exit(1);
}

std::map<std::string, int> create_eku_map() {
std::map<std::string, int> m;
m["anyExtendedKeyUsage"] = X509_PURPOSE_ANY;
m["serverAuth"] = X509_PURPOSE_SSL_SERVER;
m["clientAuth"] = X509_PURPOSE_SSL_CLIENT;
return m;
}

X509_ptr pem_to_x509(const std::string &pem)
{
X509 *cert = nullptr;
Expand Down Expand Up @@ -100,11 +108,6 @@ json evaluate_testcase(const json &testcase)
return skip(id, "key_usage not supported yet");
}

if (!testcase["extended_key_usage"].is_null())
{
return skip(id, "extended_key_usage not supported yet");
}

if (!testcase["expected_peer_names"].is_null())
{
return skip(id, "expected_peer_names not supported yet");
Expand Down Expand Up @@ -179,6 +182,23 @@ json evaluate_testcase(const json &testcase)
}
}

if (testcase["extended_key_usage"].is_array())
{
if (testcase["extended_key_usage"].size() > 1) {
return skip(id, "multiple extended key usage values not yet supported");
}
const auto eku_name_to_id = create_eku_map();
for (auto &eku : testcase["extended_key_usage"])
{
const auto expected_eku_name = eku.template get<std::string>();
if (eku_name_to_id.count(expected_eku_name) == 0) {
return skip(id, "extended key usage value not yet supported: " + expected_eku_name);
}
const auto expected_eku_id = eku_name_to_id.at(expected_eku_name);
X509_STORE_CTX_set_purpose(ctx.get(), expected_eku_id);
}
}

auto should_pass = testcase["expected_result"] == "SUCCESS";
auto does_pass = X509_verify_cert(ctx.get());
if (should_pass ^ does_pass)
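Review bot: The return value of `X509_STORE_CTX_set_purpose(ctx.get(), expected_eku_id);` in the third hunk is ignored; it returns 0 when the purpose cannot be set, and in that case X509_verify_cert presumably runs with no purpose at all, so the testcase's pass/fail would no longer reflect the requested EKU. Check it and report it as a harness problem rather than letting it fold into does_pass, e.g. `if (X509_STORE_CTX_set_purpose(ctx.get(), expected_eku_id) != 1) { return skip(id, "failed to set purpose: " + expected_eku_name); }`. A comment above the map in `create_eku_map()` should also say that OpenSSL purposes are broader than a bare EKU match (X509_PURPOSE_SSL_SERVER also evaluates key-usage bits and the CA status of chain certificates, and X509_PURPOSE_ANY disables the check entirely), so a divergence from other harnesses on these testcases is not necessarily an EKU difference. Minor style: `create_eku_map()` rebuilds the std::map on every call and could be a function-local `static const`, and `.template` in `eku.template get<std::string>()` is not needed outside a dependent context. evaluate_testcase starts and ends outside the hunk.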
