aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKishen Maloor <kishen.maloor@intel.com>2018-12-11 16:59:55 -0800
committerKishen Maloor <kishen.maloor@intel.com>2018-12-14 04:04:08 +0000
commitdfa5f32566050dda041aca4b4c70737b64e27441 (patch)
tree5b4a3d4484f4138ebc827ca0184bb682c680d511
parentbdc830788c454f1e8f52bc61d6af8f95e122da19 (diff)
Update certificate path validation logic
This change adds "Digital Signature" as a required "critical Key Usage" bit in root and intermediate CA certificates. Change-Id: I95052e9b2625b79edfc158aee9e0681c151b521b Signed-off-by: Kishen Maloor <kishen.maloor@intel.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/27759
-rw-r--r--security/oc_certs.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/oc_certs.c b/security/oc_certs.c
index faac624..5d00ffb 100644
--- a/security/oc_certs.c
+++ b/security/oc_certs.c
@@ -246,7 +246,7 @@ oc_certs_validate_root_cert(mbedtls_x509_crt *cert)
/* keyCertSign (5) & cRLSign (6) bits SHALL be the only bits enabled */
unsigned int key_usage =
- (MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
+ (MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
if ((cert->key_usage & key_usage) != key_usage) {
OC_WRN("key_usage constraints not met");
return -1;
@@ -291,7 +291,7 @@ oc_certs_validate_intermediate_cert(mbedtls_x509_crt *cert)
/* keyCertSign (5) & cRLSign (6) bits SHALL be the only bits enabled */
unsigned int key_usage =
- (MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
+ (MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN | MBEDTLS_X509_KU_CRL_SIGN);
if ((cert->key_usage & key_usage) != key_usage) {
OC_WRN("key_usage constraints not met");
return -1;