From 168124cd0903678a604e738ff592b63c2378d03b Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 19 Dec 2022 16:21:39 -0600
Subject: [PATCH] hx509: Add hx509_cert_is_{ca,root,self_signed}()

These are convenient utility functions.
---
 lib/hx509/cert.c | 59 ++++++++++++++++++++++++++++++++++
 lib/hx509/libhx509-exports.def | 3 ++
 lib/hx509/version-script.map | 3 ++
 3 files changed, 65 insertions(+)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 3dda886ed..3f612411e 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1213,6 +1213,65 @@ certificate_is_self_signed(hx509_context context,
 return ret;
 }
 
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_self_signed(hx509_context context,
+ hx509_cert c,
+ int *self_signed)
+{
+ return certificate_is_self_signed(context, c->data, self_signed);
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_ca(hx509_context context,
+ hx509_cert c,
+ int *is_ca)
+{
+ BasicConstraints bc;
+ const Extension *e;
+ size_t size;
+ size_t i = 0;
+ int ret = 0;
+
+ *is_ca = 0;
+ if (_hx509_cert_get_version(c->data) < 3)
+ return certificate_is_self_signed(context, c->data, is_ca);
+
+ e = find_extension(c->data, &asn1_oid_id_x509_ce_basicConstraints, &i);
+ if (e == NULL) {
+ *is_ca = 0;
+ return 0;
+ }
+
+ ret = decode_BasicConstraints(e->extnValue.data,
+ e->extnValue.length, &bc,
+ &size);
+ if (ret)
+ return ret;
+
+ *is_ca = bc.cA;
+ free_BasicConstraints(&bc);
+ return 0;
+}
+
+HX509_LIB_FUNCTION int HX509_LIB_CALL
+hx509_cert_is_root(hx509_context context,
+ hx509_cert c,
+ int *is_root)
+{
+ int ret;
+
+ *is_root = 0;
+ ret = hx509_cert_is_ca(context, c, is_root);
+ if (ret)
+ return ret;
+ if (*is_root == 0)
+ /* Not a CA certificate -> not a root certificate */
+ return 0;
+
+ /* A CA certificate. If it's self-signed, it's a root certificate. */
+ return hx509_cert_is_self_signed(context, c, is_root);
+}
+
 /*
 * The subjectName is "null" when it's empty set of relative DBs.
 */
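Review bot: `hx509_cert_is_ca` reports any self-signed v1/v2 certificate as a CA through the `_hx509_cert_get_version(c->data) < 3` early return, yet none of the three new exported functions carries a doc comment stating that policy or what "self-signed" means here. RFC 5280 section 6.1.4(k) leaves the CA status of v1/v2 certificates to out-of-band means, so a caller feeding this result into path building should be told it is a heuristic and not a basicConstraints check; a why-comment on that branch such as `/* v1/v2 certs carry no extensions; a self-signed one is assumed to be a legacy CA (RFC 5280 6.1.4(k)) */` would make that explicit. A doc block on each new function, in whatever style the file's other public functions use, should also say whether "self-signed" means a verified self-signature or only issuer equal to subject; that depends on `certificate_is_self_signed`, whose body lies outside this hunk. Minor: the `*is_ca = 0;` inside the `e == NULL` branch repeats the assignment at the top of the function and can be dropped.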
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
index 6b9d9f8b6..81783ff7c 100644
--- a/lib/hx509/libhx509-exports.def
+++ b/lib/hx509/libhx509-exports.def
@@ -131,6 +131,9 @@ EXPORTS
 hx509_cert_init
 hx509_cert_init_data
 hx509_cert_init_private_key
+ hx509_cert_is_ca
+ hx509_cert_is_root
+ hx509_cert_is_self_signed
 hx509_cert_keyusage_print
 hx509_cert_ref
 hx509_cert_set_friendly_name
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index 44f593e96..8f46b0ac0 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -113,6 +113,9 @@ HEIMDAL_X509_1.2 {
 hx509_cert_init;
 hx509_cert_init_data;
 hx509_cert_init_private_key;
+ hx509_cert_is_ca;
+ hx509_cert_is_root;
+ hx509_cert_is_self_signed;
 hx509_cert_keyusage_print;
 hx509_cert_public_encrypt;
 hx509_cert_ref;