-rw-r--r-- | src/lib/cert/x509/ocsp.cpp | 2 | ||||
-rw-r--r-- | src/lib/cert/x509/x509cert.cpp | 35 | ||||
-rw-r--r-- | src/lib/cert/x509/x509cert.h | 30 |
3 files changed, 58 insertions, 9 deletions
diff --git a/src/lib/cert/x509/ocsp.cpp b/src/lib/cert/x509/ocsp.cpp
index 4f4a3aece..df8df3b39 100644
--- a/src/lib/cert/x509/ocsp.cpp
+++ b/src/lib/cert/x509/ocsp.cpp
@@ -81,7 +81,7 @@ void check_signature(const std::vector<byte>& tbs_response,
 // Otherwise attempt to chain the signing cert to a trust root
- if(!certs[0].allowed_usage("PKIX.OCSPSigning"))
+ if(!certs[0].allowed_extended_usage("PKIX.OCSPSigning"))
 throw Exception("OCSP response cert does not allow OCSP signing");
 auto result = x509_path_validate(certs, Path_Validation_Restrictions(), trusted_roots);
diff --git a/src/lib/cert/x509/x509cert.cpp b/src/lib/cert/x509/x509cert.cpp
index d7da00af0..bd3aff6d5 100644
--- a/src/lib/cert/x509/x509cert.cpp
+++ b/src/lib/cert/x509/x509cert.cpp
@@ -260,7 +260,7 @@ bool X509_Certificate::allowed_usage(Key_Constraints usage) const
 return ((constraints() & usage) != 0);
 }
-bool X509_Certificate::allowed_usage(const std::string& usage) const
+bool X509_Certificate::allowed_extended_usage(const std::string& usage) const
 {
 const std::vector<std::string> ex = ex_constraints();
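Review bot: The delegated OCSP signer check in check_signature (ocsp.cpp) now goes through `allowed_extended_usage("PKIX.OCSPSigning")`, which the header comment in this same commit documents as returning true when the certificate has no extended key usage constraints at all, so a signer certificate that carries no EKU extension would get past this guard and rely only on the path validation that follows. RFC 6960 section 4.2.2.2 expects a delegated responder certificate to contain id-kp-OCSPSigning explicitly, so the strict accessor added by this commit fits better here: `if(!certs[0].has_ex_constraint("PKIX.OCSPSigning"))`. The `Usage_Type::OCSP_RESPONDER` case in x509cert.cpp reaches the same permissive check through `allowed_extended_usage` and deserves the same decision. The bodies of check_signature and allowed_extended_usage lie outside these hunks, so this rests on the documented semantics rather than on the implementation.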
@@ -281,13 +281,13 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const
 return true;
 case Usage_Type::TLS_SERVER_AUTH:
- return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_usage("PKIX.ServerAuth");
+ return allowed_usage(Key_Constraints(DATA_ENCIPHERMENT | KEY_ENCIPHERMENT | DIGITAL_SIGNATURE)) && allowed_extended_usage("PKIX.ServerAuth");
 case Usage_Type::TLS_CLIENT_AUTH:
- return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.ClientAuth");
+ return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_extended_usage("PKIX.ClientAuth");
 case Usage_Type::OCSP_RESPONDER:
- return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_usage("PKIX.OCSPSigning");
+ return allowed_usage(Key_Constraints(DIGITAL_SIGNATURE | NON_REPUDIATION)) && allowed_extended_usage("PKIX.OCSPSigning");
 case Usage_Type::CERTIFICATE_AUTHORITY:
 return is_CA_cert();
@@ -296,6 +296,33 @@ bool X509_Certificate::allowed_usage(Usage_Type usage) const
 return false;
 }
+bool X509_Certificate::has_constraints(Key_Constraints constraints) const
+ {
+ if(this->constraints() == NO_CONSTRAINTS)
+ {
+ return false;
+ }
+
+ return ((this->constraints() & constraints) != 0);
+ }
+
+bool X509_Certificate::has_ex_constraint(const std::string& ex_constraint) const
+ {
+ const std::vector<std::string> ex = ex_constraints();
+
+ if(ex.empty())
+ {
+ return false;
+ }
+
+ if(std::find(ex.begin(), ex.end(), ex_constraint) != ex.end())
+ {
+ return true;
+ }
+
+ return false;
+ }
+
 /*
 * Return the path length constraint
 */
diff --git a/src/lib/cert/x509/x509cert.h b/src/lib/cert/x509/x509cert.h
index 2875c8159..eb98f9c3d 100644
--- a/src/lib/cert/x509/x509cert.h
+++ b/src/lib/cert/x509/x509cert.h
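Review bot: The new has_constraints returns true as soon as any one bit of a combined mask is present, because it tests `(this->constraints() & constraints) != 0`, while its header comment says the specified constraints "are included". A caller that passes `DIGITAL_SIGNATURE | KEY_CERT_SIGN` to require both bits would accept a certificate that asserts only one of them. If all-of is the intended meaning for this strict accessor, the return should be `return ((this->constraints() & constraints) == constraints);`; if any-of is intended, the comment should say so. The tail of has_ex_constraint can also be reduced to `return std::find(ex.begin(), ex.end(), ex_constraint) != ex.end();`, since the empty-vector case already yields false there.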
@@ -140,17 +140,39 @@ class BOTAN_DLL X509_Certificate : public X509_Object
 */
 bool is_CA_cert() const;
+ /**
+ * Returns true if the specified @param usage is set in the key usage extension
+ * or if no key usage constraints are set at all.
+ * To check if a certain key constraint is set in the certificate
+ * use @see X509_Certificate#has_constraints.
+ */
 bool allowed_usage(Key_Constraints usage) const;
 /**
- * Returns true if and only if name (referring to an extended key
- * constraint, eg "PKIX.ServerAuth") is included in the extended
- * key extension.
+ * Returns true if the specified @param usage is set in the extended key usage extension
+ * or if no extended key usage constraints are set at all.
+ * To check if a certain extended key constraint is set in the certificate
+ * use @see X509_Certificate#has_ex_constraint.
 */
- bool allowed_usage(const std::string& usage) const;
+ bool allowed_extended_usage(const std::string& usage) const;
+ /**
+ * Returns true if the required key and extended key constraints are set in the certificate
+ * for the specified @param usage or if no key constraints are set in both the key usage
+ * and extended key usage extension.
+ */
 bool allowed_usage(Usage_Type usage) const;
+ /// Returns true if the specified @param constraints are included in the key usage extension.
+ bool has_constraints(Key_Constraints constraints) const;
+
+ /**
+ * Returns true if and only if @param ex_constraint (referring to an extended key
+ * constraint, eg "PKIX.ServerAuth") is included in the extended
+ * key extension.
+ */
+ bool has_ex_constraint(const std::string& ex_constraint) const;
+
 /**
 * Get the path limit as defined in the BasicConstraints extension of
 * this certificate. |
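Review bot: The comment on `allowed_usage(Usage_Type usage)` describes the permissive case as "no key constraints are set in both" extensions, but the implementation in x509cert.cpp joins two independent checks with `&&`, so by the two comments above it a certificate with a matching key usage and no extended key usage extension also passes. I would reword the last sentence to `Each extension is checked independently; an extension that is absent is treated as permitting the usage.` and add a line pointing callers that need an explicit EKU to has_ex_constraint. Separately, `@param` is a Doxygen block command and is used mid-sentence in all five new comments; `@p usage` is the inline form, and `@see` belongs on a line of its own. The class declaration starts and ends outside this hunk.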