Add a key purpose parameter to Certificate PathBuilder.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "net/cert/internal/cert_error_params.h"
 #include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/extended_key_usage.h"
 #include "net/cert/internal/name_constraints.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 
 namespace net {
@@ skipping 25 matching lines @@
 DEFINE_CERT_ERROR_ID(kMissingBasicConstraints,
                      "Does not have Basic Constraints");
 DEFINE_CERT_ERROR_ID(kNotPermittedByNameConstraints,
                      "Not permitted by name constraints");
 DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer,
                      "subject does not match issuer");
 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                      "Certificate.signatureAlgorithm is encoded differently "
                      "than TBSCertificate.signature");
+DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth,
+                     "The extended key usage does not include server auth");
+DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
+                     "The extended key usage does not include client auth");
 
 bool IsHandledCriticalExtensionOid(const der::Input& oid) {
   if (oid == BasicConstraintsOid())
     return true;
   if (oid == KeyUsageOid())
     return true;
+  if (oid == ExtKeyUsageOid())
+    return true;
   if (oid == NameConstraintsOid())
     return true;
   // TODO(eroman): SubjectAltName isn't actually used here, but rather is being
   // checked by a higher layer.
   if (oid == SubjectAltNameOid())
     return true;
 
   // TODO(eroman): Make this more complete.
   return false;
 }
@@ skipping 84 matching lines @@
                                   "TBSCertificate.signature", alg2_tlv));
     return;
   }
 
   errors->AddError(
       kSignatureAlgorithmMismatch,
       CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
                                 "TBSCertificate.signature", alg2_tlv));
 }
 
+// Verify that |cert| can be used for |required_key_purpose|.
+void VerifyExtendedKeyUsage(const ParsedCertificate& cert,
+                            KeyPurpose required_key_purpose,
+                            CertErrors* errors) {
+  switch (required_key_purpose) {
+    case KeyPurpose::ANY_EKU:
+      return;
+    case KeyPurpose::SERVER_AUTH: {
+      // TODO(eroman): Is it OK for the target certificate to omit the EKU?
+      if (!cert.has_extended_key_usage())
+        return;
+
+      for (const auto& key_purpose_oid : cert.extended_key_usage()) {
+        if (key_purpose_oid == AnyEKU())
+          return;
+        if (key_purpose_oid == ServerAuth())
+          return;
+      }
+
+      errors->AddError(kEkuLacksServerAuth);
+      break;
+    }
+    case KeyPurpose::CLIENT_AUTH: {
+      // TODO(eroman): Is it OK for the target certificate to omit the EKU?
+      if (!cert.has_extended_key_usage())
+        return;
+
+      for (const auto& key_purpose_oid : cert.extended_key_usage()) {
+        if (key_purpose_oid == AnyEKU())
+          return;
+        if (key_purpose_oid == ClientAuth())
+          return;
+      }
+
+      errors->AddError(kEkuLacksClientAuth);
+      break;
+    }
+  }
+}
+
 // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
 // Processing" procedure.
 void BasicCertificateProcessing(
     const ParsedCertificate& cert,
     bool is_target_cert,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     const der::Input& working_spki,
     const der::Input& working_normalized_issuer_name,
     const std::vector<const NameConstraints*>& name_constraints_list,
@@ skipping 210 matching lines @@
 
   // The following check is NOT part of RFC 5280 6.1.5's "Wrap-Up Procedure",
   // however is implied by RFC 5280 section 4.2.1.9.
   VerifyTargetCertHasConsistentCaBits(cert, errors);
 }
 
 // Initializes the path validation algorithm given anchor constraints. This
 // follows the description in RFC 5937
 void ProcessTrustAnchorConstraints(
     const TrustAnchor& trust_anchor,
+    KeyPurpose required_key_purpose,
     size_t* max_path_length_ptr,
     std::vector<const NameConstraints*>* name_constraints_list,
     CertErrors* errors) {
   // In RFC 5937 the enforcement of anchor constraints is governed by the input
   // enforceTrustAnchorConstraints to path validation. In our implementation
   // this is always on, and enforcement is controlled solely by whether or not
   // the trust anchor specified constraints.
   if (!trust_anchor.enforces_constraints())
     return;
 
   // Anchor constraints are encoded via the attached certificate.
   const ParsedCertificate& cert = *trust_anchor.cert();
 
+  // This is not part of RFC 5937 nor RFC 5280, but matches the EKU handling
+  // done for intermediates (described in Web PKI's Baseline Requirements).
+  VerifyExtendedKeyUsage(cert, required_key_purpose, errors);
+
   // The following enforcements follow from RFC 5937 (primarily section 3.2):
 
   // Initialize name constraints initial-permitted/excluded-subtrees.
   if (cert.has_name_constraints())
     name_constraints_list->push_back(&cert.name_constraints());
 
   // TODO(eroman): Initialize user-initial-policy-set based on anchor
   // constraints.
 
   // TODO(eroman): Initialize inhibit any policy based on anchor constraints.
@@ skipping 24 matching lines @@
   VerifyNoUnconsumedCriticalExtensions(cert, errors);
 }
 
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
 void VerifyCertificateChainNoReturnValue(
     const ParsedCertificateList& certs,
     const TrustAnchor* trust_anchor,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
+    KeyPurpose required_key_purpose,
     CertPathErrors* errors) {
   DCHECK(trust_anchor);
   DCHECK(signature_policy);
   DCHECK(errors);
 
   // An empty chain is necessarily invalid.
   if (certs.empty()) {
     errors->GetOtherErrors()->AddError(kChainIsEmpty);
     return;
   }
@@ skipping 35 matching lines @@
   //    and may be reduced to the value in the path length constraint
   //    field within the basic constraints extension of a CA
   //    certificate.
   size_t max_path_length = certs.size();
 
   // Apply any trust anchor constraints per RFC 5937.
   //
   // TODO(eroman): Errors on the trust anchor are put into a certificate bucket
   //               GetErrorsForCert(certs.size()). This is a bit magical, and
   //               has some integration issues.
-  ProcessTrustAnchorConstraints(*trust_anchor, &max_path_length,
-                                &name_constraints_list,
+  ProcessTrustAnchorConstraints(*trust_anchor, required_key_purpose,
+                                &max_path_length, &name_constraints_list,
                                 errors->GetErrorsForCert(certs.size()));
 
   // Iterate over all the certificates in the reverse direction: starting from
   // the certificate signed by trust anchor and progressing towards the target
   // certificate.
   //
   // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
   //
   //   * i=0    :  Certificated signed by trust anchor.
   //   * i=N-1  :  Target certificate.
@@ skipping 12 matching lines @@
     CertErrors* cert_errors = errors->GetErrorsForCert(index_into_certs);
 
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
     BasicCertificateProcessing(cert, is_target_cert, signature_policy, time,
                                working_spki, working_normalized_issuer_name,
                                name_constraints_list, cert_errors);
+
+    // The key purpose is checked not just for the end-entity certificate, but
+    // also interpreted as a constraint when it appears in intermediates. This
+    // goes beyond what RFC 5280 describes, but is the de-facto standard. See
+    // https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
+    VerifyExtendedKeyUsage(cert, required_key_purpose, cert_errors);
+
     if (!is_target_cert) {
       PrepareForNextCertificate(cert, &max_path_length, &working_spki,
                                 &working_normalized_issuer_name,
                                 &name_constraints_list, cert_errors);
     } else {
       WrapUp(cert, cert_errors);
+      // TODO(eroman): Verify the Key Usage on target is consistent with
+      //               key_purpose.
     }
   }
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 }
 
 }  // namespace
 
 bool VerifyCertificateChain(const ParsedCertificateList& certs,
                             const TrustAnchor* trust_anchor,
                             const SignaturePolicy* signature_policy,
                             const der::GeneralizedTime& time,
+                            KeyPurpose required_key_purpose,
                             CertPathErrors* errors) {
   // TODO(eroman): This function requires that |errors| is empty upon entry,
   // which is not part of the API contract.
   DCHECK(!errors->ContainsHighSeverityErrors());
   VerifyCertificateChainNoReturnValue(certs, trust_anchor, signature_policy,
-                                      time, errors);
+                                      time, required_key_purpose, errors);
   return !errors->ContainsHighSeverityErrors();
 }
 
 }  // namespace net