authorAdriaan de Jong <dejong@fox-it.com>2011-06-29 14:20:43 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-21 14:51:45 +0200
commit876752aed66a143295d9d0d4e61dc9a8beca2f5e (patch)
tree8e189e7bed3ded23b11903aac8798d309fc05d7b /ssl_verify_openssl.c
parent06d22777e9172efe3b3dc15c1bc2c6ef5d292cfa (diff)
downloadopenvpn-876752aed66a143295d9d0d4e61dc9a8beca2f5e.tar.gz
openvpn-876752aed66a143295d9d0d4e61dc9a8beca2f5e.tar.xz
openvpn-876752aed66a143295d9d0d4e61dc9a8beca2f5e.zip
Refactored key usage verification code
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r--ssl_verify_openssl.c54
1 files changed, 54 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 033af1d..1a6bb2d 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -392,3 +392,57 @@ verify_nsCertType(const x509_cert_t *peer_cert, const int usage)
return false;
}
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+
+bool
+verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
+ int expected_len)
+{
+ ASN1_BIT_STRING *ku = NULL;
+ bool fFound = false;
+
+ if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
+ NULL)) == NULL)
+ {
+ msg (D_HANDSHAKE, "Certificate does not have key usage extension");
+ }
+ else
+ {
+ unsigned nku = 0;
+ int i;
+ for (i = 0; i < 8; i++)
+ {
+ if (ASN1_BIT_STRING_get_bit (ku, i))
+ nku |= 1 << (7 - i);
+ }
+
+ /*
+ * Fixup if no LSB bits
+ */
+ if ((nku & 0xff) == 0)
+ {
+ nku >>= 8;
+ }
+
+ msg (D_HANDSHAKE, "Validating certificate key usage");
+ for (i = 0; !fFound && i < expected_len; i++)
+ {
+ if (expected_ku[i] != 0)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
+ "%04x", nku, expected_ku[i]);
+
+ if (nku == expected_ku[i])
+ fFound = true;
+ }
+ }
+ }
+
+ if (ku != NULL)
+ ASN1_BIT_STRING_free (ku);
+
+ return fFound;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
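Review bot: The "Fixup if no LSB bits" block in verify_cert_ku is unreachable as written: the loop above it only reads bits 0..7 of the KeyUsage bit string and ORs them into `1 << (7 - i)`, so `nku` never exceeds 0xff, and `(nku & 0xff) == 0` is only true when `nku` is already 0, in which case the shift changes nothing. The practical consequence is that the ninth KeyUsage bit (decipherOnly, which OpenSSL's KU_DECIPHER_ONLY places in the high byte) is never read, so an expected value carrying that bit can never match; either the loop bound should cover that bit (e.g. `for (i = 0; i < 9; i++)` with the packing adjusted so bit 8 lands in the high byte) or the fixup should be dropped so the code does not suggest a 16-bit encoding it never produces. The function also lacks a header comment stating its contract; I would add one saying that entries of `expected_ku` equal to 0 are skipped, that a match requires the certificate's usage bits to equal an entry exactly rather than merely contain it, and that a certificate without a KeyUsage extension is rejected. As a point of style, `fFound` uses Hungarian notation while the rest of this file uses snake_case locals.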