@@ -258,7 +258,7 @@ fn check_issuer_independent_properties(
258258 untrusted:: read_all_optional ( cert. basic_constraints , Error :: BadDer , |value| {
259259 check_basic_constraints ( value, used_as_ca, sub_ca_count)
260260 } ) ?;
261- untrusted:: read_all_optional ( cert. eku , Error :: BadDer , |value| check_eku ( value, eku ) ) ?;
261+ untrusted:: read_all_optional ( cert. eku , Error :: BadDer , |value| eku . check ( value) ) ?;
262262
263263 Ok ( ( ) )
264264}
@@ -345,6 +345,44 @@ pub enum ExtendedKeyUsage {
345345}
346346
347347impl ExtendedKeyUsage {
348+ // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
349+ fn check ( & self , input : Option < & mut untrusted:: Reader > ) -> Result < ( ) , Error > {
350+ match input {
351+ Some ( input) => {
352+ loop {
353+ let value = der:: expect_tag_and_get_value ( input, der:: Tag :: OID ) ?;
354+ if self . key_purpose_id_equals ( value) {
355+ input. skip_to_end ( ) ;
356+ break ;
357+ }
358+ if input. at_end ( ) {
359+ return Err ( Error :: RequiredEkuNotFound ) ;
360+ }
361+ }
362+ Ok ( ( ) )
363+ }
364+ None => {
365+ if matches ! ( self , Self :: Required ( _) ) {
366+ return Err ( Error :: RequiredEkuNotFound ) ;
367+ }
368+ // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
369+ // "OCSP signing delegation SHALL be designated by the inclusion of
370+ // id-kp-OCSPSigning in an extended key usage certificate extension
371+ // included in the OCSP response signer's certificate."
372+ //
373+ // A missing EKU extension generally means "any EKU", but it is
374+ // important that id-kp-OCSPSigning is explicit so that a normal
375+ // end-entity certificate isn't able to sign trusted OCSP responses
376+ // for itself or for other certificates issued by its issuing CA.
377+ if self . key_purpose_id_equals ( EKU_OCSP_SIGNING . oid_value ) {
378+ return Err ( Error :: RequiredEkuNotFound ) ;
379+ }
380+
381+ Ok ( ( ) )
382+ }
383+ }
384+ }
385+
348386 fn key_purpose_id_equals ( & self , value : untrusted:: Input < ' _ > ) -> bool {
349387 match self {
350388 ExtendedKeyUsage :: Required ( eku) => * eku,
@@ -390,44 +428,6 @@ pub(crate) static EKU_CLIENT_AUTH: KeyPurposeId =
390428pub ( crate ) static EKU_OCSP_SIGNING : KeyPurposeId =
391429 KeyPurposeId :: new ( & [ ( 40 * 1 ) + 3 , 6 , 1 , 5 , 5 , 7 , 3 , 9 ] ) ;
392430
393- // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
394- fn check_eku ( input : Option < & mut untrusted:: Reader > , eku : ExtendedKeyUsage ) -> Result < ( ) , Error > {
395- match input {
396- Some ( input) => {
397- loop {
398- let value = der:: expect_tag_and_get_value ( input, der:: Tag :: OID ) ?;
399- if eku. key_purpose_id_equals ( value) {
400- input. skip_to_end ( ) ;
401- break ;
402- }
403- if input. at_end ( ) {
404- return Err ( Error :: RequiredEkuNotFound ) ;
405- }
406- }
407- Ok ( ( ) )
408- }
409- None => {
410- if matches ! ( eku, ExtendedKeyUsage :: Required ( _) ) {
411- return Err ( Error :: RequiredEkuNotFound ) ;
412- }
413- // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
414- // "OCSP signing delegation SHALL be designated by the inclusion of
415- // id-kp-OCSPSigning in an extended key usage certificate extension
416- // included in the OCSP response signer's certificate."
417- //
418- // A missing EKU extension generally means "any EKU", but it is
419- // important that id-kp-OCSPSigning is explicit so that a normal
420- // end-entity certificate isn't able to sign trusted OCSP responses
421- // for itself or for other certificates issued by its issuing CA.
422- if eku. key_purpose_id_equals ( EKU_OCSP_SIGNING . oid_value ) {
423- return Err ( Error :: RequiredEkuNotFound ) ;
424- }
425-
426- Ok ( ( ) )
427- }
428- }
429- }
430-
431431// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
432432#[ repr( u8 ) ]
433433enum KeyUsageMode {
0 commit comments