Add support for turning off extKeyUsage check in PKCS11 modules

mrts · mrts · commit 0ecf20fe925a · 2024-12-06T21:11:54.000+02:00
WE2-1041

Signed-off-by: Mart Somermaa &lt;mrts@users.noreply.github.com&gt;
diff --git a/src/electronic-ids/pkcs11/Pkcs11ElectronicID.cpp b/src/electronic-ids/pkcs11/Pkcs11ElectronicID.cpp
@@ -180,7 +180,7 @@ Pkcs11ElectronicID::Pkcs11ElectronicID(ElectronicID::Type type) :
     bool seenSigningToken = false;
 
     for (const auto& token : manager->tokens()) {
-        const auto certType = certificateType(token.cert);
+        const auto certType = certificateType(token.cert, module.checkExtKeyUsage);
         if (certType.isAuthentication()) {
             authToken = token;
             seenAuthToken = true;
diff --git a/src/electronic-ids/pkcs11/Pkcs11ElectronicID.hpp b/src/electronic-ids/pkcs11/Pkcs11ElectronicID.hpp
@@ -38,6 +38,7 @@ struct Pkcs11ElectronicIDModule
     const int8_t retryMax;
     const bool allowsUsingLettersAndSpecialCharactersInPin;
     const bool providesExternalPinDialog;
+    const bool checkExtKeyUsage = true;
 };
 
 class Pkcs11ElectronicID : public ElectronicID
diff --git a/src/electronic-ids/x509.hpp b/src/electronic-ids/x509.hpp
@@ -37,7 +37,7 @@ inline bool hasClientAuthExtendedKeyUsage(EXTENDED_KEY_USAGE* usage) noexcept
     return false;
 }
 
-inline CertificateType certificateType(const pcsc_cpp::byte_vector& cert)
+inline CertificateType certificateType(const pcsc_cpp::byte_vector& cert, bool checkExtKeyUsage)
 {
     auto x509 = make_x509(cert);
     auto keyUsage = extension(x509.get(), NID_key_usage, ASN1_BIT_STRING_free);
@@ -52,6 +52,9 @@ inline CertificateType certificateType(const pcsc_cpp::byte_vector& cert)
 
     static const int KEY_USAGE_DIGITAL_SIGNATURE = 0;
     if (ASN1_BIT_STRING_get_bit(keyUsage.get(), KEY_USAGE_DIGITAL_SIGNATURE)) {
+        if (!checkExtKeyUsage) {
+            return CertificateType::AUTHENTICATION;
+        }
         if (auto extKeyUsage = extension(x509.get(), NID_ext_key_usage, EXTENDED_KEY_USAGE_free);
             extKeyUsage && hasClientAuthExtendedKeyUsage(extKeyUsage.get())) {
             return CertificateType::AUTHENTICATION;
diff --git a/tests/mock/test-pkcs11-token.cpp b/tests/mock/test-pkcs11-token.cpp
@@ -87,12 +87,14 @@ TEST(electronic_id_test, pkcs11TokenHasAuthenticationCert)
 {
     PKCS11CardManager::Token token;
     token.cert = base64Decode(AUTH_CERT);
-    EXPECT_TRUE(certificateType(token.cert).isAuthentication());
+    EXPECT_TRUE(certificateType(token.cert, true).isAuthentication());
+    EXPECT_FALSE(certificateType(token.cert, true).isSigning());
 }
 
 TEST(electronic_id_test, pkcs11TokenHasSigningCert)
 {
     PKCS11CardManager::Token token;
     token.cert = base64Decode(SIGNING_CERT);
-    EXPECT_FALSE(certificateType(token.cert).isAuthentication());
+    EXPECT_FALSE(certificateType(token.cert, true).isAuthentication());
+    EXPECT_TRUE(certificateType(token.cert, true).isSigning());
 }

Original file line number	Diff line number	Diff line change
`@@ -87,12 +87,14 @@ TEST(electronic_id_test, pkcs11TokenHasAuthenticationCert)`
`87`	`87`	`{`
`88`	`88`	`PKCS11CardManager::Token token;`
`89`	`89`	`token.cert = base64Decode(AUTH_CERT);`
`90`		`- EXPECT_TRUE(certificateType(token.cert).isAuthentication());`
	`90`	`+ EXPECT_TRUE(certificateType(token.cert, true).isAuthentication());`
	`91`	`+ EXPECT_FALSE(certificateType(token.cert, true).isSigning());`
`91`	`92`	`}`
`92`	`93`
`93`	`94`	`TEST(electronic_id_test, pkcs11TokenHasSigningCert)`
`94`	`95`	`{`
`95`	`96`	`PKCS11CardManager::Token token;`
`96`	`97`	`token.cert = base64Decode(SIGNING_CERT);`
`97`		`- EXPECT_FALSE(certificateType(token.cert).isAuthentication());`
	`98`	`+ EXPECT_FALSE(certificateType(token.cert, true).isAuthentication());`
	`99`	`+ EXPECT_TRUE(certificateType(token.cert, true).isSigning());`
`98`	`100`	`}`