Merge support for verifying the extendedKeyUsage extension in X.509
diff --git a/ChangeLog b/ChangeLog
index 71e2494..83f1528 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,8 +7,10 @@
Features
* Support for the ALPN SSL extension
* Add option 'use_dev_random' to gen_key application
- * Enable verification of the keyUsage extension with for CA and leaf
+ * Enable verification of the keyUsage extension for CA and leaf
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
+ * Enable verification of the extendedKeyUsage extension
+ (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
Changes
* x509_crt_info() now prints information about parsed extensions as well
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 2def1ee..6d7bd86 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -972,6 +972,19 @@
#define POLARSSL_X509_CHECK_KEY_USAGE
/**
+ * \def POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
+ *
+ * Enable verification of the extendedKeyUsage extension (leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip extendedKeyUsage checking for certificates.
+ */
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
+
+/**
* \def POLARSSL_ZLIB_SUPPORT
*
* If set, the SSL/TLS module uses ZLIB to support compression and
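Review bot: The sentence "Disabling this avoids problems with mis-issued and/or misused certificates." in the new POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE doc block can be read as a benefit of disabling the check, which contradicts the \warning right below it. The "problems" are presumably handshake failures against certificates whose extendedKeyUsage does not list the purpose they are used for; the text should say so. A wording such as `Disabling this avoids interoperability problems with mis-issued and/or misused certificates, at the cost of accepting certificates that are not authorised for the intended purpose.` keeps the option's trade-off explicit for whoever edits config.h.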
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index 93340ec..8e63381 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -264,6 +264,24 @@
int x509_crt_check_key_usage( const x509_crt *crt, int usage );
#endif /* POLARSSL_X509_CHECK_KEY_USAGE) */
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+/**
+ * \brief Check usage of certificate against extentedJeyUsage.
+ *
+ * \param crt Leaf certificate used.
+ * \param usage_oid Intended usage (eg OID_SERVER_AUTH or OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by OID_SIZE()).
+ *
+ * \return 0 is this use of the certificate is allowed,
+ * POLARSSL_ERR_X509_BAD_INPUT_DATA if not.
+ *
+ * \note Usually only makes sense on leaf certificates.
+ */
+int x509_crt_check_extended_key_usage( const x509_crt *crt,
+ const char *usage_oid,
+ size_t usage_len );
+#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) */
+
#if defined(POLARSSL_X509_CRL_PARSE_C)
/**
* \brief Verify the certificate revocation status
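Review bot: The new Doxygen block for x509_crt_check_extended_key_usage has two typos that will land in the generated API docs: `\brief Check usage of certificate against extentedJeyUsage.` should read `\brief Check usage of certificate against extendedKeyUsage.`, and `\return 0 is this use of the certificate is allowed,` should read `\return 0 if this use of the certificate is allowed,`. The closing guard `#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE) */` carries a stray `)` copied from the keyUsage guard two lines above; `#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */` is what is meant. The \param text for usage_oid could also state that it is the DER-encoded OID content (as the OID_* constants and the hex strings in the new test data are), since a caller passing a dotted-decimal string would silently get POLARSSL_ERR_X509_BAD_INPUT_DATA.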
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8575181..3f0cd6d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -38,6 +38,11 @@
#include "polarssl/debug.h"
#include "polarssl/ssl.h"
+#if defined(POLARSSL_X509_CRT_PARSE_C) && \
+ defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+#include "polarssl/oid.h"
+#endif
+
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
@@ -4770,15 +4775,19 @@
const ssl_ciphersuite_t *ciphersuite,
int cert_endpoint )
{
-#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)
- ((void) cert);
- ((void) ciphersuite);
- ((void) cert_endpoint);
-#endif
-
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
int usage = 0;
#endif
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ const char *ext_oid;
+ size_t ext_len;
+#endif
+
+#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
+ !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ ((void) cert);
+ ((void) cert_endpoint);
+#endif
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( cert_endpoint == SSL_IS_SERVER )
@@ -4818,8 +4827,26 @@
if( x509_crt_check_key_usage( cert, usage ) != 0 )
return( -1 );
+#else
+ ((void) ciphersuite);
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ if( cert_endpoint == SSL_IS_SERVER )
+ {
+ ext_oid = OID_SERVER_AUTH;
+ ext_len = OID_SIZE( OID_SERVER_AUTH );
+ }
+ else
+ {
+ ext_oid = OID_CLIENT_AUTH;
+ ext_len = OID_SIZE( OID_CLIENT_AUTH );
+ }
+
+ if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+ return( -1 );
+#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
+
return( 0 );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
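Review bot: The header comment of ssl_check_cert_usage lies above this hunk (the function's signature is cut at the top of the previous hunk), and from what is visible here it is not updated to say that the certificate is now also checked against extendedKeyUsage (serverAuth when cert_endpoint is SSL_IS_SERVER, clientAuth otherwise), which is relevant because both failures collapse into the same `return( -1 )` and, judging by the test expectations in ssl-opt.sh, the same "bad certificate (usage extensions)" message. If the comment exists, a line such as `Also checks extendedKeyUsage (serverAuth/clientAuth) when POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE is defined.` would let a reader of the caller know why a certificate with a valid keyUsage can still be rejected.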
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 42fbfab..2c32122 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1371,6 +1371,38 @@
}
#endif
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+int x509_crt_check_extended_key_usage( const x509_crt *crt,
+ const char *usage_oid,
+ size_t usage_len )
+{
+ const x509_sequence *cur;
+
+ /* Extension is not mandatory, absent means no restriction */
+ if( ( crt->ext_types & EXT_EXTENDED_KEY_USAGE ) == 0 )
+ return( 0 );
+
+ /*
+ * Look for the requested usage (or wildcard ANY) in our list
+ */
+ for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
+ {
+ const x509_buf *cur_oid = &cur->buf;
+
+ if( cur_oid->len == usage_len &&
+ memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
+ {
+ return( 0 );
+ }
+
+ if( OID_CMP( OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) )
+ return( 0 );
+ }
+
+ return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
+}
+#endif
+
#if defined(POLARSSL_X509_CRL_PARSE_C)
/*
* Return 1 if the certificate is revoked, or 0 otherwise.
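Review bot: The loop in x509_crt_check_extended_key_usage accepts any certificate whose list contains anyExtendedKeyUsage, and neither the code comment nor the header documents that this is a policy choice; RFC 5280 §4.2.1.12 explicitly allows an application that requires a particular purpose to reject certificates that carry only the anyExtendedKeyUsage OID, so a caller who needs the stricter behaviour cannot get it from this API. At minimum the wildcard branch deserves a comment stating the decision, e.g. `/* anyExtendedKeyUsage (RFC 5280 4.2.1.12) is treated as matching every purpose; callers needing an explicit purpose must check the list themselves */`, and the header's \note should say the same. The early `return( 0 )` when EXT_EXTENDED_KEY_USAGE is not set is correct for RFC 5280 (the extension is optional and absence means unrestricted) and is worth stating in the header too, since the ssl-opt.sh tests rely on it. The function also assumes usage_oid points to at least usage_len bytes; that precondition belongs in the \param text.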
diff --git a/tests/data_files/server5.eku-cli.crt b/tests/data_files/server5.eku-cli.crt
new file mode 100644
index 0000000..8aa2e44
--- /dev/null
+++ b/tests/data_files/server5.eku-cli.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-cs.crt b/tests/data_files/server5.eku-cs.crt
new file mode 100644
index 0000000..db97b40
--- /dev/null
+++ b/tests/data_files/server5.eku-cs.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-cs_any.crt b/tests/data_files/server5.eku-cs_any.crt
new file mode 100644
index 0000000..8fa8632
--- /dev/null
+++ b/tests/data_files/server5.eku-cs_any.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-srv.crt b/tests/data_files/server5.eku-srv.crt
new file mode 100644
index 0000000..64312f6
--- /dev/null
+++ b/tests/data_files/server5.eku-srv.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/data_files/server5.eku-srv_cli.crt b/tests/data_files/server5.eku-srv_cli.crt
new file mode 100644
index 0000000..9f58fed
--- /dev/null
+++ b/tests/data_files/server5.eku-srv_cli.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 16748b0..27718e8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1136,6 +1136,113 @@
-s "bad certificate (usage extensions)" \
-S "Processing of the Certificate handshake message failed"
+# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
+
+run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
+ "$P_SRV key_file=data_files/server5.key \
+ crt_file=data_files/server5.eku-srv.crt" \
+ "$P_CLI" \
+ 0
+
+run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
+ "$P_SRV key_file=data_files/server5.key \
+ crt_file=data_files/server5.eku-srv.crt" \
+ "$P_CLI" \
+ 0
+
+run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
+ "$P_SRV key_file=data_files/server5.key \
+ crt_file=data_files/server5.eku-cs_any.crt" \
+ "$P_CLI" \
+ 0
+
+# add psk to leave an option for client to send SERVERQUIT
+run_test "extKeyUsage srv #4 (codeSign -> fail)" \
+ "$P_SRV psk=abc123 key_file=data_files/server5.key \
+ crt_file=data_files/server5.eku-cli.crt" \
+ "$P_CLI psk=badbad" \
+ 1
+
+# Tests for extendedKeyUsage, part 2: client-side checking of server cert
+
+run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
+ "$O_SRV -key data_files/server5.key \
+ -cert data_files/server5.eku-srv.crt" \
+ "$P_CLI debug_level=2" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is TLS-"
+
+run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
+ "$O_SRV -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ "$P_CLI debug_level=2" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is TLS-"
+
+run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
+ "$O_SRV -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ "$P_CLI debug_level=2" \
+ 0 \
+ -C "bad certificate (usage extensions)" \
+ -C "Processing of the Certificate handshake message failed" \
+ -c "Ciphersuite is TLS-"
+
+run_test "extKeyUsage cli #4 (codeSign -> fail)" \
+ "$O_SRV -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ "$P_CLI debug_level=2" \
+ 1 \
+ -c "bad certificate (usage extensions)" \
+ -c "Processing of the Certificate handshake message failed" \
+ -C "Ciphersuite is TLS-"
+
+# Tests for extendedKeyUsage, part 3: server-side checking of client cert
+
+run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.eku-cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.eku-srv_cli.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.eku-cs_any.crt" \
+ 0 \
+ -S "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
+ "$P_SRV debug_level=2 auth_mode=optional" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ 0 \
+ -s "bad certificate (usage extensions)" \
+ -S "Processing of the Certificate handshake message failed"
+
+run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
+ "$P_SRV debug_level=2 auth_mode=required" \
+ "$O_CLI -key data_files/server5.key \
+ -cert data_files/server5.eku-cs.crt" \
+ 1 \
+ -s "bad certificate (usage extensions)" \
+ -s "Processing of the Certificate handshake message failed"
+
# Final report
echo "------------------------------------------------------------------------"
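Review bot: Test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" passes `crt_file=data_files/server5.eku-srv.crt`, the same single-value certificate as srv #1, so the two-value case named in the title is never exercised on the server side; the corresponding cli #2 test uses `server5.eku-srv_cli.crt`, which is presumably what srv #2 should use too. Likewise "extKeyUsage srv #4 (codeSign -> fail)" passes `crt_file=data_files/server5.eku-cli.crt`, which by the naming of the data files is the clientAuth certificate rather than the codeSigning one (`server5.eku-cs.crt`, as used in cli #4); the test still fails for the right reason, but the title and the certificate should agree so that a later change to the client-side check does not silently alter what this test covers. Changing the two crt_file lines to `crt_file=data_files/server5.eku-srv_cli.crt` and `crt_file=data_files/server5.eku-cs.crt` fixes both.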
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 8b1df44..0bb784e 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -447,7 +447,7 @@
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"NULL"
X509 Certificate verification #53 (CA keyUsage missing cRLSign)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
@@ -455,11 +455,11 @@
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #55 (CA keyUsage plain wrong)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_X509_CHECK_KEY_USAGE
x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Parse Selftest
@@ -871,3 +871,24 @@
X509 crt keyUsage #8 (extension present, combined KU one absent)
x509_check_key_usage:"data_files/server1.key_usage.crt":KU_KEY_ENCIPHERMENT|KU_KEY_AGREEMENT:POLARSSL_ERR_X509_BAD_INPUT_DATA
+X509 crt extendedKeyUsage #1 (no extension, serverAuth)
+x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0
+
+X509 crt extendedKeyUsage #2 (single value, present)
+x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2B06010505070301":0
+
+X509 crt extendedKeyUsage #3 (single value, absent)
+x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2B06010505070301":POLARSSL_ERR_X509_BAD_INPUT_DATA
+
+X509 crt extendedKeyUsage #4 (two values, first)
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070301":0
+
+X509 crt extendedKeyUsage #5 (two values, second)
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070302":0
+
+X509 crt extendedKeyUsage #6 (two values, other)
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070303":POLARSSL_ERR_X509_BAD_INPUT_DATA
+
+X509 crt extendedKeyUsage #7 (any, random)
+x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2B060105050703FF":0
+
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 4f64484..f3da1fc 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -331,6 +331,25 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
+void x509_check_extended_key_usage( char *crt_file, char *usage_hex, int ret )
+{
+ x509_crt crt;
+ char oid[50];
+ size_t len;
+
+ x509_crt_init( &crt );
+
+ len = unhexify( (unsigned char *) oid, usage_hex );
+
+ TEST_ASSERT( x509_crt_parse_file( &crt, crt_file ) == 0 );
+
+ TEST_ASSERT( x509_crt_check_extended_key_usage( &crt, oid, len ) == ret );
+
+ x509_crt_free( &crt );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */
void x509_selftest()
{
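Review bot: In x509_check_extended_key_usage the call `len = unhexify( (unsigned char *) oid, usage_hex );` writes into the fixed `char oid[50]` with no check that usage_hex fits, so a future .data entry longer than 100 hex characters would overflow the stack buffer inside the test binary instead of failing cleanly; adding `TEST_ASSERT( strlen( usage_hex ) <= 2 * sizeof( oid ) );` before the unhexify call makes the limit explicit. The variable name oid is also slightly misleading since it holds the raw DER content the function compares against, not a parsed OID. If TEST_ASSERT returns on failure in this framework (it appears to, though the macro is not visible here), the crt parsed at the first assertion is not freed when the second assertion fails; that only affects the test harness, but an `exit:` label with `x509_crt_free( &crt )` is the usual pattern if the framework supports it.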