Default SSL_set_enforce_rsa_key_usage to enabled.

Update-Note: Clients will now require RSA server certificates used in
TLS 1.2 and earlier to include the keyEncipherment or digitalSignature
bit. keyEncipherment is required if using RSA key exchange.
digitalSignature is required if using ECDHE_RSA key exchange.

We already required this for each of ECDSA, TLS 1.3, and servers
verifying client certificates, so this just fills in the remaining hole.
Chrome has also enforced this for some time with publicly-trusted
certificates. For now, the SSL_set_enforce_rsa_key_usage API still
exists for the cases where we need to turn this off.

Fixed: 519
Change-Id: Ia440b00b60a224fa608702439aa120d633d81ddc
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/54606
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 4d56d37..a6ca0ab 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -687,7 +687,7 @@
       signed_cert_timestamps_enabled(false),
       ocsp_stapling_enabled(false),
       channel_id_enabled(false),
-      enforce_rsa_key_usage(false),
+      enforce_rsa_key_usage(true),
       retain_only_sha256_of_client_certs(false),
       handoff(false),
       shed_handshake_config(false),
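Review bot: The flipped initializer `enforce_rsa_key_usage(true)` changes the default behaviour of the public SSL_set_enforce_rsa_key_usage API, but no file in this commit updates that function's documentation. If the doc comment on its declaration still describes enforcement as opt-in, it is now stale. Callers deciding whether they can safely pass zero would benefit from a line such as `// Enforcement is enabled by default; passing zero disables it for TLS 1.2 and earlier only, TLS 1.3 always enforces.`, which matches the commit message and the runner tests. The constructor's initializer list starts and ends outside this hunk.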
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5c6ef4f..655226c 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -15613,9 +15613,6 @@
 			},
 			shouldFail:    true,
 			expectedError: ":KEY_USAGE_BIT_INCORRECT:",
-			flags: []string{
-				"-enforce-rsa-key-usage",
-			},
 		})
 
 		testCases = append(testCases, testCase{
@@ -15627,9 +15624,6 @@
 				Certificates: []Certificate{dsCert},
 				CipherSuites: dsSuites,
 			},
-			flags: []string{
-				"-enforce-rsa-key-usage",
-			},
 		})
 
 		// TLS 1.3 removes the encipherment suites.
@@ -15643,9 +15637,6 @@
 					Certificates: []Certificate{encCert},
 					CipherSuites: encSuites,
 				},
-				flags: []string{
-					"-enforce-rsa-key-usage",
-				},
 			})
 
 			testCases = append(testCases, testCase{
@@ -15659,9 +15650,6 @@
 				},
 				shouldFail:    true,
 				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
-				flags: []string{
-					"-enforce-rsa-key-usage",
-				},
 			})
 
 			// In 1.2 and below, we should not enforce without the enforce-rsa-key-usage flag.
@@ -15674,6 +15662,7 @@
 					Certificates: []Certificate{dsCert},
 					CipherSuites: encSuites,
 				},
+				flags: []string{"-no-enforce-rsa-key-usage"},
 			})
 
 			testCases = append(testCases, testCase{
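Review bot: The comment directly above this test case (the last context line of the preceding hunk) still reads "we should not enforce without the enforce-rsa-key-usage flag", but that flag is removed by this commit and the case now opts out with `-no-enforce-rsa-key-usage`. The commit updates the matching TLS 1.3 comment but not this one, so it now describes the old opt-in default. Suggested wording: `// In 1.2 and below, we should not enforce when -no-enforce-rsa-key-usage is passed.` The same comment appears to cover the test case in the next hunk, which gains the same flag. The testCase literal begins outside this hunk.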
@@ -15685,20 +15674,22 @@
 					Certificates: []Certificate{encCert},
 					CipherSuites: dsSuites,
 				},
+				flags: []string{"-no-enforce-rsa-key-usage"},
 			})
 		}
 
 		if ver.version >= VersionTLS13 {
-			// In 1.3 and above, we enforce keyUsage even without the flag.
+			// In 1.3 and above, we enforce keyUsage even when disabled.
 			testCases = append(testCases, testCase{
 				testType: clientTest,
-				name:     "RSAKeyUsage-Client-WantSignature-GotEncipherment-Enforced" + ver.name,
+				name:     "RSAKeyUsage-Client-WantSignature-GotEncipherment-AlwaysEnforced" + ver.name,
 				config: Config{
 					MinVersion:   ver.version,
 					MaxVersion:   ver.version,
 					Certificates: []Certificate{encCert},
 					CipherSuites: dsSuites,
 				},
+				flags:         []string{"-no-enforce-rsa-key-usage"},
 				shouldFail:    true,
 				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
 			})
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 2c7fa08..0230bdb 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -364,7 +364,8 @@
       IntFlag("-install-one-cert-compression-alg",
               &TestConfig::install_one_cert_compression_alg),
       BoolFlag("-reverify-on-resume", &TestConfig::reverify_on_resume),
-      BoolFlag("-enforce-rsa-key-usage", &TestConfig::enforce_rsa_key_usage),
+      BoolFlag("-no-enforce-rsa-key-usage",
+               &TestConfig::no_enforce_rsa_key_usage),
       BoolFlag("-is-handshaker-supported",
                &TestConfig::is_handshaker_supported),
       BoolFlag("-handshaker-resume", &TestConfig::handshaker_resume),
@@ -1742,8 +1743,8 @@
   if (reverify_on_resume) {
     SSL_CTX_set_reverify_on_resume(ssl_ctx, 1);
   }
-  if (enforce_rsa_key_usage) {
-    SSL_set_enforce_rsa_key_usage(ssl.get(), 1);
+  if (no_enforce_rsa_key_usage) {
+    SSL_set_enforce_rsa_key_usage(ssl.get(), 0);
   }
   if (no_tls13) {
     SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_3);
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 1a21ac1..6b15891 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -177,7 +177,7 @@
   bool install_cert_compression_algs = false;
   int install_one_cert_compression_alg = 0;
   bool reverify_on_resume = false;
-  bool enforce_rsa_key_usage = false;
+  bool no_enforce_rsa_key_usage = false;
   bool is_handshaker_supported = false;
   bool handshaker_resume = false;
   std::string handshaker_path;