Enforce the keyUsage extension in TLS 1.2 client certs.

I've left this independent of SSL_set_enforce_rsa_key_usage because
client certificates in TLS always use the digitalSignature bit, RSA or
otherwise, so it's less likely that someone has messed it up, unlike
TLS 1.2 RSA server certificates.

Update-Note: Client certificates which do not support the
digitalSignature key usage will be rejected. They should either include
that bit or omit the keyUsage extension.

Bug: 349
Change-Id: I97bbf0c8e394f219ff75b686e0c14019f6d8c9a8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41664
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
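The check this change adds reduces to: decode the certificate's KeyUsage BIT STRING and require the digitalSignature bit, accepting the certificate when the extension is absent. The following is an added illustration of that rule in Python; it is not BoringSSL's `ssl_cert_check_key_usage` and is not part of the commit. It assumes the raw DER value of the keyUsage extension has already been extracted from the certificate (the `der` bytes below are constructed sample values, not taken from any real certificate), and the names `parse_key_usage` and `check_key_usage` are this example's own.

```python
from typing import Optional

# Bit positions in the KeyUsage BIT STRING, per RFC 5280 section 4.2.1.3.
KEY_USAGE_DIGITAL_SIGNATURE = 0
KEY_USAGE_KEY_ENCIPHERMENT = 2


def parse_key_usage(der: bytes) -> int:
    """Decode a DER-encoded KeyUsage BIT STRING.

    Returns an int in which bit i is set when KeyUsage bit i is asserted
    (bit 0 = digitalSignature). Raises ValueError on malformed input so a
    caller cannot mistake a broken extension for "no restriction".
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    # Short-form length only: a KeyUsage value is at most a few bytes.
    if length & 0x80 or length < 1 or 2 + length != len(der):
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    # DER requires the unused trailing bits to be zero.
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    # In an X.509 BIT STRING, bit 0 is the most significant bit of the
    # first content octet, so the octets are read MSB-first.
    usage = 0
    for i, octet in enumerate(body):
        for b in range(8):
            if octet & (0x80 >> b):
                usage |= 1 << (8 * i + b)
    return usage


def check_key_usage(key_usage_ext: Optional[bytes], bit: int) -> bool:
    """Apply the policy the commit message describes: a certificate with no
    keyUsage extension is allowed for any use; one that carries the
    extension must assert the requested bit."""
    if key_usage_ext is None:
        return True
    return bool(parse_key_usage(key_usage_ext) & (1 << bit))


if __name__ == "__main__":
    # Constructed sample extension values:
    #   03 02 07 80 -> digitalSignature only
    #   03 02 05 20 -> keyEncipherment only
    #   03 02 05 a0 -> digitalSignature + keyEncipherment
    for label, ext in [("sig only", bytes.fromhex("03020780")),
                       ("encipher only", bytes.fromhex("03020520")),
                       ("both", bytes.fromhex("030205a0")),
                       ("absent", None)]:
        ok = check_key_usage(ext, KEY_USAGE_DIGITAL_SIGNATURE)
        print(f"{label:14s} accepted for client auth: {ok}")
```

A client certificate whose keyUsage is only keyEncipherment (the second sample) is exactly the case the Update-Note says will now be rejected; the absent-extension case is still accepted, matching "either include that bit or omit the keyUsage extension".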
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 924701f..2489428 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -1436,6 +1436,15 @@
return ssl_hs_error;
}
+ // The peer certificate must be valid for signing.
+ const CRYPTO_BUFFER *leaf =
+ sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
+ CBS leaf_cbs;
+ CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
+ if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
+ return ssl_hs_error;
+ }
+
CBS certificate_verify = msg.body, signature;
// Determine the signature algorithm.
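Review bot: The new block indexes element 0 of `hs->new_session->certs` and hands the result straight to `CRYPTO_BUFFER_init_CBS`, but nothing in the hunk shows that the chain is guaranteed non-empty at this point; `sk_CRYPTO_BUFFER_value` returns NULL for an empty stack, so it would be worth either placing this after the existing empty-certificate early return or adding an `assert(leaf != nullptr)` with a short comment naming the earlier check that guarantees it. The diff also touches only `ssl/handshake_server.cc`; given the Update-Note announces a new rejection, a test that drives a TLS 1.2 client certificate with a keyUsage lacking digitalSignature (and one with the extension omitted, which must still pass) would make the behaviour change verifiable in the same change.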