Add support for turning off extKeyUsage check in PKCS11 modules

mrts · mrts · commit 6b9be5da23dc · 2024-12-13T13:23:58.000+02:00
WE2-1041

Signed-off-by: Mart Somermaa &lt;mrts@users.noreply.github.com&gt;
diff --git a/src/electronic-ids/x509.hpp b/src/electronic-ids/x509.hpp
@@ -52,10 +52,14 @@ inline CertificateType certificateType(const pcsc_cpp::byte_vector& cert)
 
     static const int KEY_USAGE_DIGITAL_SIGNATURE = 0;
     if (ASN1_BIT_STRING_get_bit(keyUsage.get(), KEY_USAGE_DIGITAL_SIGNATURE)) {
-        if (auto extKeyUsage = extension(x509.get(), NID_ext_key_usage, EXTENDED_KEY_USAGE_free);
-            extKeyUsage && hasClientAuthExtendedKeyUsage(extKeyUsage.get())) {
-            return CertificateType::AUTHENTICATION;
+        if (auto extKeyUsage = extension(x509.get(), NID_ext_key_usage, EXTENDED_KEY_USAGE_free)) {
+            return hasClientAuthExtendedKeyUsage(extKeyUsage.get())
+                ? CertificateType::AUTHENTICATION
+                : CertificateType::NONE;
         }
+        // Digital Signature extension present, but Extended Key Usage extension not present,
+        // assume it is an authentication certificate.
+        return CertificateType::AUTHENTICATION;
     }
 
     return CertificateType::NONE;
diff --git a/tests/mock/test-pkcs11-token.cpp b/tests/mock/test-pkcs11-token.cpp
@@ -88,11 +88,13 @@ TEST(electronic_id_test, pkcs11TokenHasAuthenticationCert)
     PKCS11CardManager::Token token;
     token.cert = base64Decode(AUTH_CERT);
     EXPECT_TRUE(certificateType(token.cert).isAuthentication());
+    EXPECT_FALSE(certificateType(token.cert).isSigning());
 }
 
 TEST(electronic_id_test, pkcs11TokenHasSigningCert)
 {
     PKCS11CardManager::Token token;
     token.cert = base64Decode(SIGNING_CERT);
     EXPECT_FALSE(certificateType(token.cert).isAuthentication());
+    EXPECT_TRUE(certificateType(token.cert).isSigning());
 }

Original file line number	Diff line number	Diff line change
`@@ -88,11 +88,13 @@ TEST(electronic_id_test, pkcs11TokenHasAuthenticationCert)`
`88`	`88`	`PKCS11CardManager::Token token;`
`89`	`89`	`token.cert = base64Decode(AUTH_CERT);`
`90`	`90`	`EXPECT_TRUE(certificateType(token.cert).isAuthentication());`
	`91`	`+ EXPECT_FALSE(certificateType(token.cert).isSigning());`
`91`	`92`	`}`
`92`	`93`
`93`	`94`	`TEST(electronic_id_test, pkcs11TokenHasSigningCert)`
`94`	`95`	`{`
`95`	`96`	`PKCS11CardManager::Token token;`
`96`	`97`	`token.cert = base64Decode(SIGNING_CERT);`
`97`	`98`	`EXPECT_FALSE(certificateType(token.cert).isAuthentication());`
	`99`	`+ EXPECT_TRUE(certificateType(token.cert).isSigning());`
`98`	`100`	`}`