add checks for KeyUsage

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15727 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-07-25 11:44:35 +00:00
parent 9c1bb470a3
commit 36d90c324b
1 changed files with 11 additions and 6 deletions
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -166,7 +166,8 @@ hx509_cms_unenvelope(hx509_certs certs,
 	 */

 	ret = find_CMSIdentifier(&ri->rid, certs, &cert, 
-				 HX509_QUERY_PRIVATE_KEY);
+				 HX509_QUERY_PRIVATE_KEY|
+				 HX509_QUERY_KU_ENCIPHERMENT);
 	if (ret) {
 	    ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
 	    continue;
@@ -245,11 +246,12 @@ hx509_cms_envelope_1(hx509_cert cert,
 		     heim_octet_string *content)
 {
    KeyTransRecipientInfo *ri;
-    EnvelopedData ed;
    heim_octet_string ivec;
    heim_octet_string key;
-    int ret;
+    hx509_crypto crypto;
+    EnvelopedData ed;
    size_t size;
+    int ret;

    memset(&ivec, 0, sizeof(ivec));
    memset(&key, 0, sizeof(key));
@@ -259,7 +261,9 @@ hx509_cms_envelope_1(hx509_cert cert,
    if (encryption_type == NULL)
 	encryption_type = oid_id_aes_256_cbc();

-    hx509_crypto crypto;
+    ret = _hx509_check_key_usage(cert, 1 << 2, TRUE);
+    if (ret)
+	goto out;

    ret = hx509_crypto_init(NULL, encryption_type, &crypto);
    if (ret)
@@ -454,7 +458,8 @@ hx509_cms_verify_signed(hx509_verify_ctx ctx,
 	    continue;
 	}

-	ret = find_CMSIdentifier(&signer_info->sid, certs, &cert, 0);
+	ret = find_CMSIdentifier(&signer_info->sid, certs, &cert,
+				 HX509_QUERY_KU_DIGITALSIGNATURE);
 	if (ret)
 	    continue;

@@ -519,7 +524,7 @@ hx509_cms_verify_signed(hx509_verify_ctx ctx,
 		match_oid = &decode_oid;
 	    }

-	    signed_data = calloc(1, sizeof(*signed_data));
+	    ALLOC(signed_data, 1);
 	    if (signed_data == NULL) {
 		if (match_oid == &decode_oid)
 		    free_oid(&decode_oid);