crypto: make Certificate::isCA() more restrictive

93c5ad7c · Adrien Béraud · 03d52e42 · 93c5ad7c · 93c5ad7c
Commit 93c5ad7c authored 8 years ago by Adrien Béraud
--- a/include/opendht/crypto.h
+++ b/include/opendht/crypto.h
@@ -373,7 +373,8 @@ struct OPENDHT_PUBLIC Certificate {
    std::chrono::system_clock::time_point getExpiration() const;
    /**
-     * Returns true if the certificate is marked as a Certificate Authority.
+     * Returns true if the certificate is marked as a Certificate Authority
+     * and has necessary key usage flags to sign certificates.
     */
    bool isCA() const;

--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -722,7 +722,20 @@ bool
 Certificate::isCA() const
 {
    unsigned critical;
-    return gnutls_x509_crt_get_ca_status(cert, &critical) > 0;
+    bool ca_flag = gnutls_x509_crt_get_ca_status(cert, &critical) > 0;
+    if (ca_flag) {
+        unsigned usage;
+        auto ret = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
+        /* Conforming CAs MUST include this extension in certificates that
+           contain public keys that are used to validate digital signatures on
+           other public key certificates or CRLs. */
+        if (ret < 0)
+            return false;
+        if (not critical)
+            return true;
+        return usage & GNUTLS_KEY_KEY_CERT_SIGN;
+    }
+    return false;
 }
 std::string