Enforce the keyUsage extension in TLS 1.2 client certs.

I've left this independent of SSL_set_enforce_rsa_key_usage because
client certificates in TLS always use the digitalSignature bit, RSA or
otherwise, so it's less likely that someone has messed it up, unlike
TLS 1.2 RSA server certificates.

Update-Note: Client certificates which do not support the
digitalSignature key usage will be rejected. They should either include
that bit or omit the keyUsage extension.

Bug: 349
Change-Id: I97bbf0c8e394f219ff75b686e0c14019f6d8c9a8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41664
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 9625b8e..670e476 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1268,10 +1268,10 @@
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- CRYPTO_BUFFER *leaf =
+ const CRYPTO_BUFFER *leaf =
sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
CBS leaf_cbs;
- CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
+ CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
// Check the key usage matches the cipher suite. We do this unconditionally
// for non-RSA certificates. In particular, it's needed to distinguish ECDH
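
Review bot: The two changed lines around `leaf` in ssl/handshake_client.cc are a const-correctness and helper cleanup in the client-side handshake code, not the client-certificate keyUsage enforcement named in the subject line, so the commit message should mention this incidental refactor or it should be split into its own change. Separately, the visible lines pass the result of `sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0)` straight to `CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs)` without a NULL check; a one-line comment stating why the certificate list is known to be non-empty at this point would make that assumption explicit for future readers.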