Skip to content

Commit d842c21

Browse files
ejohnstownJacobBarthelmeh
ejohnstown
authored and
JacobBarthelmeh
committed
Certificate checks
1. Fix the logic on the CheckPolicy() checks. If any pass, it should be a pass. 2. Fix the check for the key usage extensions. The check should be that the usages are present to be valid. 3. Remove the redundant check for the optional key usages.
1 parent 0af8043 commit d842c21

1 file changed

Lines changed: 6 additions & 19 deletions

File tree

src/certman.c

Lines changed: 6 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -248,12 +248,13 @@ int wolfSSH_CERTMAN_VerifyCert_buffer(WOLFSSH_CERTMAN* cm,
248248
CheckProfile(&decoded, PROFILE_FPKI_WORKSHEET_10) ||
249249
CheckProfile(&decoded, PROFILE_FPKI_WORKSHEET_16);
250250

251-
if (ret != 0) {
251+
if (ret == 0) {
252252
WLOG(WS_LOG_CERTMAN, "certificate didn't match profile");
253253
ret = WS_CERT_PROFILE_E;
254254
}
255-
else
255+
else {
256256
ret = WS_SUCCESS;
257+
}
257258
}
258259

259260
FreeDecodedCert(&decoded);
@@ -268,32 +269,22 @@ static int CheckProfile(DecodedCert* cert, int profile)
268269
{
269270
int valid = (cert != NULL);
270271
const char* certPolicies[2] = {NULL, NULL};
271-
byte extKeyUsage = 0, extKeyUsageSsh = 0, extKeyUsageSshAllowed = 0;
272+
byte extKeyUsage = 0, extKeyUsageSsh = 0;
272273

273274
if (profile == PROFILE_FPKI_WORKSHEET_6) {
274275
certPolicies[0] = "2.16.840.1.101.3.2.1.3.13";
275276
extKeyUsage = EXTKEYUSE_CLIENT_AUTH;
276277
extKeyUsageSsh = EXTKEYUSE_SSH_MSCL;
277-
extKeyUsageSshAllowed =
278-
EXTKEYUSE_SSH_KP_CLIENT_AUTH |
279-
EXTKEYUSE_SSH_CLIENT_AUTH;
280278
}
281279
else if (profile == PROFILE_FPKI_WORKSHEET_10) {
282280
certPolicies[0] = "2.16.840.1.101.3.2.1.3.40";
283281
certPolicies[1] = "2.16.840.1.101.3.2.1.3.41";
284282
extKeyUsage = EXTKEYUSE_CLIENT_AUTH;
285-
extKeyUsageSshAllowed =
286-
EXTKEYUSE_SSH_MSCL |
287-
EXTKEYUSE_SSH_KP_CLIENT_AUTH |
288-
EXTKEYUSE_SSH_CLIENT_AUTH;
289283
}
290284
else if (profile == PROFILE_FPKI_WORKSHEET_16) {
291285
certPolicies[0] = "2.16.840.1.101.3.2.1.3.45";
292286
extKeyUsage = EXTKEYUSE_CLIENT_AUTH;
293287
extKeyUsageSsh = EXTKEYUSE_SSH_MSCL;
294-
extKeyUsageSshAllowed =
295-
EXTKEYUSE_SSH_KP_CLIENT_AUTH |
296-
EXTKEYUSE_SSH_CLIENT_AUTH;
297288
}
298289
else {
299290
valid = 0;
@@ -359,15 +350,11 @@ static int CheckProfile(DecodedCert* cert, int profile)
359350
valid =
360351
/* Must include all in extKeyUsage */
361352
((extKeyUsage == 0) ||
362-
((cert->extExtKeyUsage & extKeyUsage) != extKeyUsage)) &&
353+
((cert->extExtKeyUsage & extKeyUsage) == extKeyUsage)) &&
363354
/* Must include all in extKeyUsageSsh */
364355
((extKeyUsageSsh == 0) ||
365356
((cert->extExtKeyUsageSsh & extKeyUsageSsh)
366-
!= extKeyUsageSsh)) &&
367-
/* Must include at least one in extKeyUsageSshAllowed */
368-
((extKeyUsageSshAllowed == 0) ||
369-
((cert->extExtKeyUsageSsh & extKeyUsageSshAllowed) != 0));
370-
357+
== extKeyUsageSsh));
371358
}
372359

373360
return valid;

0 commit comments

Comments
 (0)