authorlloyd <[email protected]>2012-05-27 17:35:56 +0000
committerlloyd <[email protected]>2012-05-27 17:35:56 +0000
commitad4ffbfaf86e58707b7c4c7df92660b46724a9bf (patch)
tree4a2e062fc5b25a762c07f1cb57eb63b203fe837d /src/cert/x509
parenta7e3315bcabe81a697f4c2c28e9c72ddb59182c1 (diff)
Add an X509_Certificate::allowed_usage for extended constraints.
Check that whatever certificate we got is allowed to sign OCSP responses. Add another helper function BER_Decoder to try to handle the ASN.1 mess.
Diffstat (limited to 'src/cert/x509')
-rw-r--r--src/cert/x509/x509cert.cpp13
-rw-r--r--src/cert/x509/x509cert.h9
2 files changed, 19 insertions, 3 deletions
diff --git a/src/cert/x509/x509cert.cpp b/src/cert/x509/x509cert.cpp
index 176604b63..e1aa2075f 100644
--- a/src/cert/x509/x509cert.cpp
+++ b/src/cert/x509/x509cert.cpp
@@ -227,11 +227,20 @@ bool X509_Certificate::is_CA_cert() const
return allowed_usage(KEY_CERT_SIGN);
}
-bool X509_Certificate::allowed_usage(Key_Constraints restriction) const
+bool X509_Certificate::allowed_usage(Key_Constraints usage) const
{
if(constraints() == NO_CONSTRAINTS)
return true;
- return (constraints() & restriction);
+ return (constraints() & usage);
+ }
+
+bool X509_Certificate::allowed_usage(const std::string& usage) const
+ {
+ for(auto constraint : ex_constraints())
+ if(constraint == usage)
+ return true;
+
+ return false;
}
/*
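Review bot: The string overload of `allowed_usage` added at the end of this hunk returns false when `ex_constraints()` is empty, whereas the `Key_Constraints` overload just above it returns true for `NO_CONSTRAINTS`, so two overloads of one name treat an absent extension in opposite ways. For the OCSP signer check named in the commit message the strict answer is the safer one, but a caller who assumes the permissive behaviour of the sibling overload will misjudge certificates that carry no extended key usage. I would record the rule at the definition, for example `// Strict: returns false when the certificate lists no extended key usages (unlike the Key_Constraints overload)`. Separately, `for(auto constraint : ex_constraints())` copies each element; `for(const auto& constraint : ex_constraints())` avoids that, assuming the elements are strings as the comparison suggests.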
diff --git a/src/cert/x509/x509cert.h b/src/cert/x509/x509cert.h
index 0accf7113..9df9eba0a 100644
--- a/src/cert/x509/x509cert.h
+++ b/src/cert/x509/x509cert.h
@@ -127,7 +127,14 @@ class BOTAN_DLL X509_Certificate : public X509_Object
*/
bool is_CA_cert() const;
- bool allowed_usage(Key_Constraints restriction) const;
+ bool allowed_usage(Key_Constraints usage) const;
+
+ /**
+ * Returns true if and only if name (referring to an extended key
+ * constraint, eg "PKIX.ServerAuth") is included in the extended
+ * key extension.
+ */
+ bool allowed_usage(const std::string& usage) const;
/**
* Get the path limit as defined in the BasicConstraints extension of
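Review bot: The new doc comment describes a parameter called `name`, but the declaration it documents takes `usage`, and "extended key extension" presumably means the extended key usage extension. It also leaves out what the function returns when the certificate carries no such extension, which is the case a caller making an authorization decision most needs spelled out; judging by the definition in x509cert.cpp, an empty list yields false. I would reword it to `Returns true if and only if usage (an extended key usage name, eg "PKIX.ServerAuth") is listed in the certificate's extended key usage extension; returns false when none are listed.` The `Key_Constraints` overload above it has no comment at all and would benefit from one line stating that it returns true when no key usage constraints are set. The class body continues outside the hunk.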