14 #ifdef USE_CERTIFICATES
/* Key-usage bits that are not relevant to the key-usage consistency checks:
   non-repudiation and the two certificate-level signing usages
   (keyCertSign, cRLSign).  These are cleared from both keyUsage and
   extKeyUsage (the `&= ~USAGE_MASK_NONRELEVANT` at lines 688-689) before
   the keyUsage-vs-extKeyUsage comparison, so a difference in these bits
   alone does not cause a mismatch.  NOTE(review): the intent is inferred
   from the masking site only; confirm against the checks that follow it. */
70 #define USAGE_MASK_NONRELEVANT ( CRYPT_KEYUSAGE_NONREPUDIATION | \
71 CRYPT_KEYUSAGE_KEYCERTSIGN | \
72 CRYPT_KEYUSAGE_CRLSIGN )
/* Bit flags describing what the certificate's public-key algorithm can do
   (signing, encryption, key agreement).  An algorithmType value is built by
   OR-ing these together (lines 322-326) and is then used to select which
   key-usage bits an extKeyUsage / Netscape cert-type entry may contribute
   (lines 201-212, 271-276): a usage a key cannot technically perform is
   never granted.

   ALGO_TYPE_FLAG_NONE / ALGO_TYPE_FLAG_MAX are the range bounds used by the
   REQUIRES() preconditions (lines 177-178, 249-250).  Note that both bounds
   are exclusive: a caller must pass at least one flag, and the all-flags
   value 0x07 itself is rejected by the precondition.  NOTE(review): confirm
   that no supported algorithm is expected to set all three flags. */
76 #define ALGO_TYPE_NONE 0
77 #define ALGO_TYPE_SIGN 1
78 #define ALGO_TYPE_CRYPT 2
79 #define ALGO_TYPE_KEYAGREEMENT 4
80 #define ALGO_TYPE_FLAG_NONE 0
81 #define ALGO_TYPE_FLAG_MAX 0x07
87 const int keyUsageFlags;
90 static const EXT_USAGE_INFO
FAR_BSS extendedUsageInfo[] = {
130 #ifdef USE_CERT_OBSOLETE
137 const int keyUsageFlags;
140 static const NS_CERT_TYPE_INFO
FAR_BSS nsCertTypeInfo[] = {
177 REQUIRES( algorithmType > ALGO_TYPE_FLAG_NONE && \
178 algorithmType < ALGO_TYPE_FLAG_MAX );
193 int extendedUsage = 0;
197 extendedUsageInfo[ i ].usageType ) )
201 if( algorithmType & ALGO_TYPE_SIGN )
207 if( algorithmType & ALGO_TYPE_CRYPT )
212 if( algorithmType & ALGO_TYPE_KEYAGREEMENT )
220 if( extendedUsage == 0 && extendedUsageInfo[ i ].keyUsageFlags != 0 )
222 *errorLocus = extendedUsageInfo[ i ].usageType;
226 keyUsage |= extendedUsage;
233 #ifdef USE_CERT_OBSOLETE
244 int nsCertType, keyUsage = 0, i,
status;
249 REQUIRES( algorithmType > ALGO_TYPE_FLAG_NONE && \
250 algorithmType < ALGO_TYPE_FLAG_MAX );
261 for( i = 0; nsCertTypeInfo[ i ].certType && \
267 if( !( nsCertType & nsCertTypeInfo[ i ].
certType ) )
271 if( algorithmType & ALGO_TYPE_SIGN )
272 nsUsage |= nsCertTypeInfo[ i ].keyUsageFlags & (
KEYUSAGE_SIGN | \
274 if( algorithmType & ALGO_TYPE_CRYPT )
276 if( algorithmType & ALGO_TYPE_KEYAGREEMENT )
307 int algorithmType = ALGO_TYPE_NONE, localKeyUsage;
322 algorithmType |= ALGO_TYPE_CRYPT;
324 algorithmType |= ALGO_TYPE_SIGN;
326 algorithmType |= ALGO_TYPE_KEYAGREEMENT;
327 ENSURES( algorithmType != ALGO_TYPE_NONE );
331 localKeyUsage = getExtendedKeyUsageFlags( certInfoPtr->
attributes,
332 algorithmType, errorLocus );
333 #ifdef USE_CERT_OBSOLETE
334 localKeyUsage |= getNetscapeCertTypeFlags( certInfoPtr->
attributes,
335 algorithmType, errorLocus );
344 *keyUsage = localKeyUsage;
374 int checkKeyUsage(
const CERT_INFO *certInfoPtr,
376 IN_FLAGS_Z( CRYPT_KEYUSAGE )
const int specificUsage,
379 const int complianceLevel,
389 const int trustedUsage = \
393 int keyUsage, rawKeyUsage, extKeyUsage, rawExtKeyUsage, caKeyUsage;
402 REQUIRES( specificUsage >= CRYPT_KEYUSAGE_FLAG_NONE && \
403 specificUsage < CRYPT_KEYUSAGE_FLAG_MAX );
409 ( !( flags & CHECKKEY_FLAG_CA ) && \
422 trustedUsage !=
CRYPT_UNUSED && !( trustedUsage & specificUsage ) )
438 status = getAttributeFieldValue( certInfoPtr->
attributes,
443 status = getKeyUsageFromExtKeyUsage( certInfoPtr, &extKeyUsage,
444 errorLocus, errorType );
450 if( certInfoPtr->
version == 1 && \
460 if( isGeneralCheck && \
484 if( attributePtr != NULL )
486 status = getAttributeDataValue( attributePtr, &keyUsage );
495 ( keyUsage & specificUsage &
KEYUSAGE_CA ) && !isCA )
535 rawKeyUsage = keyUsage;
536 rawExtKeyUsage = extKeyUsage;
539 keyUsage &= trustedUsage;
540 extKeyUsage &= trustedUsage;
551 if( flags & CHECKKEY_FLAG_CA )
558 if( !( caKeyUsage & specificUsage ) )
570 trustedUsage !=
CRYPT_UNUSED && !( specificUsage & keyUsage ) )
583 if( !isGeneralCheck )
600 if( !( caKeyUsage | extKeyUsage ) )
610 if( ( caKeyUsage | extKeyUsage ) & KEYUSAGE_CA )
631 const int excludedUsage = \
635 if( ( keyUsage & specificUsage ) && !( keyUsage & excludedUsage ) )
641 if( keyUsage & specificUsage )
657 keyUsage = rawKeyUsage;
658 extKeyUsage = rawExtKeyUsage;
688 keyUsage &= ~USAGE_MASK_NONRELEVANT;
689 extKeyUsage &= ~USAGE_MASK_NONRELEVANT;
691 #ifdef USE_CERTLEVEL_PKIX_PARTIAL
698 const time_t currentTime =
getTime();
708 status = getAttributeFieldTime( certInfoPtr->
attributes,
717 status = getAttributeFieldTime( certInfoPtr->
attributes,
736 if( isCA && ( keyUsage & extKeyUsage & KEYUSAGE_CRYPT ) )
763 if( certInfoPtr->certificate != NULL )
769 if( !keyUsageCritical )
780 if( attributePtr != NULL && \
781 !checkAttributeProperty( attributePtr,
789 if( ( keyUsage & extKeyUsage ) != extKeyUsage )
803 if( ( keyUsage & ( CRYPT_KEYUSAGE_ENCIPHERONLY | \
804 CRYPT_KEYUSAGE_DECIPHERONLY ) ) && \