author | René Meusel <[email protected]> | 2019-09-18 13:18:06 +0200 |
---|---|---|
committer | René Meusel <[email protected]> | 2019-09-18 13:18:06 +0200 |
commit | b31e0b3f2656fda9d46b7693b1f14b1b84b3d9d0 (patch) | |
tree | 0b821bc4fa17bf468005932826ec8bc2d1a22400 | |
parent | 7c3122ec4275630d78fbdcb03882b7e1fee45c81 (diff) |
add X.509 Usage_Type::ENCRYPTION
-rw-r--r-- | src/lib/x509/x509cert.cpp | 3 | ||||
-rw-r--r-- | src/lib/x509/x509cert.h | 3 | ||||
-rw-r--r-- | src/tests/unit_x509.cpp | 22 |
3 files changed, 27 insertions, 1 deletions
diff --git a/src/lib/x509/x509cert.cpp b/src/lib/x509/x509cert.cpp
index 96e66a5e0..130eaf5e2 100644
--- a/src/lib/x509/x509cert.cpp
+++ b/src/lib/x509/x509cert.cpp
@@ -535,6 +535,9 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const
 case Usage_Type::CERTIFICATE_AUTHORITY:
 return is_CA_cert();
+
+ case Usage_Type::ENCRYPTION:
+ return (allowed_usage(KEY_ENCIPHERMENT) || allowed_usage(DATA_ENCIPHERMENT));
 }
 return false;
diff --git a/src/lib/x509/x509cert.h b/src/lib/x509/x509cert.h
index 34be10e68..f65d76d23 100644
--- a/src/lib/x509/x509cert.h
+++ b/src/lib/x509/x509cert.h
@@ -28,7 +28,8 @@ enum class Usage_Type
 TLS_SERVER_AUTH,
 TLS_CLIENT_AUTH,
 CERTIFICATE_AUTHORITY,
- OCSP_RESPONDER
+ OCSP_RESPONDER,
+ ENCRYPTION
 };
 struct X509_Certificate_Data;
diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp
index 482b26531..d983fd7db 100644
--- a/src/tests/unit_x509.cpp
+++ b/src/tests/unit_x509.cpp
@@ -955,6 +955,7 @@ Test::Result test_usage(const Botan::Private_Key& ca_key,
 const std::string& hash_fn = "SHA-256")
 {
 using Botan::Key_Constraints;
+ using Botan::Usage_Type;
 Test::Result result("X509 Usage");
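Review bot: The new `case Usage_Type::ENCRYPTION` returns true when either keyEncipherment or dataEncipherment is set, so a certificate whose keyUsage permits only key transport (keyEncipherment) is reported as usable for data encryption and vice versa; a caller selecting a certificate for one specific operation cannot tell the two apart through this enumerator. The test hunk in this same commit also confirms that `no_usage_cert` passes `allowed_usage(Key_Constraints::DIGITAL_SIGNATURE)`, which suggests the Key_Constraints overload treats an absent keyUsage extension as permissive, so ENCRYPTION would presumably be allowed for such a certificate as well — worth confirming and stating. I would add above the new case `// keyUsage keyEncipherment (key transport) or dataEncipherment; neither is checked against the key type or the extendedKeyUsage extension` so the scope of the check is explicit. The enclosing `allowed_usage(Usage_Type)` starts and ends outside the hunk.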
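Review bot: The new `ENCRYPTION` enumerator in `enum class Usage_Type` is added without a comment, and it is the one value whose mapping to certificate fields is not obvious from its name, unlike the TLS and CA purposes around it. A one-line comment in the header, `ENCRYPTION  // keyUsage keyEncipherment or dataEncipherment`, would let users of the public header know which bits satisfy it without reading x509cert.cpp. Appending it after `OCSP_RESPONDER` keeps the existing enumerator values unchanged, which is the right choice for a public enum.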
@@ -1027,6 +1028,27 @@ Test::Result test_usage(const Botan::Private_Key& ca_key,
 result.confirm("key usage digitalSignature allowed", no_usage_cert.allowed_usage(Key_Constraints::DIGITAL_SIGNATURE));
 result.confirm("key usage cRLSign allowed", no_usage_cert.allowed_usage(Key_Constraints::CRL_SIGN));
+ if (sig_algo == "RSA")
+ {
+ // cert allows data encryption
+ opts.constraints = Key_Constraints(Key_Constraints::KEY_ENCIPHERMENT | Key_Constraints::DATA_ENCIPHERMENT);
+
+ const Botan::PKCS10_Request enc_req = Botan::X509::create_cert_req(
+ opts,
+ *user1_key,
+ hash_fn,
+ Test::rng());
+
+ const Botan::X509_Certificate enc_cert = ca.sign_request(
+ enc_req,
+ Test::rng(),
+ from_date(-1, 01, 01),
+ from_date(2, 01, 01));
+
+ result.confirm("cert allows encryption", enc_cert.allowed_usage(Usage_Type::ENCRYPTION));
+ result.confirm("cert does not allow TLS client auth", !enc_cert.allowed_usage(Usage_Type::TLS_CLIENT_AUTH));
+ }
+
 return result;
 }
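Review bot: The new RSA block only asserts the positive case for `Usage_Type::ENCRYPTION`; nothing checks that a certificate whose keyUsage carries neither encipherment bit is rejected, so a regression that made the new case unconditionally true would still pass. The only negative assertion is `TLS_CLIENT_AUTH` on the encryption certificate, which exercises a different case of the switch. I would issue a second certificate with `Key_Constraints::DIGITAL_SIGNATURE` only and confirm `!allowed_usage(Usage_Type::ENCRYPTION)` on it, and, given the `no_usage_cert` confirmations just above, pin down explicitly whether a certificate without a keyUsage extension is meant to satisfy ENCRYPTION. `test_usage` begins outside this hunk, as do `sig_algo`, `opts`, `ca`, `user1_key` and `from_date`.
```cpp
      // … unchanged: RSA encryption-cert block ending with the TLS_CLIENT_AUTH confirm …

      // keyUsage without either encipherment bit must not satisfy ENCRYPTION
      opts.constraints = Key_Constraints(Key_Constraints::DIGITAL_SIGNATURE);
      const Botan::PKCS10_Request sig_req = Botan::X509::create_cert_req(opts, *user1_key, hash_fn, Test::rng());
      const Botan::X509_Certificate sig_cert = ca.sign_request(sig_req, Test::rng(), from_date(-1, 01, 01), from_date(2, 01, 01));
      result.confirm("signing-only cert does not allow encryption", !sig_cert.allowed_usage(Usage_Type::ENCRYPTION));
      }
```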