Update prototype of x509write_set_key_usage()

Allow for future support of decipherOnly and encipherOnly. Some work will be required to ensure we still write only one byte when only one is needed.

Update prototype of x509write_set_key_usage()
Allow for future support of decipherOnly and encipherOnly. Some work will be required to ensure we still write only one byte when only one is needed.
1cd10adc · Manuel Pégourié-Gonnard · 655a9645 · 1cd10adc · 1cd10adc · 1cd10adc
Commit 1cd10adc authored Jun 23, 2015 by Manuel Pégourié-Gonnard
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 5 deletions

ChangeLog ChangeLog +2 -1

include/mbedtls/x509_crt.h include/mbedtls/x509_crt.h +2 -1

library/x509write_crt.c library/x509write_crt.c +9 -3

No files found.
--- a/ChangeLog
+++ b/ChangeLog
@@ -73,7 +73,8 @@ API Changes
   * ecdsa_write_signature() gained an addtional md_alg argument and
     ecdsa_write_signature_det() was deprecated.
   * pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
-   * Last argument of x509_crt_check_key_usage() changed from int to unsigned.
+   * Last argument of x509_crt_check_key_usage() and
+     mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
   * test_ca_list (from certs.h) is renamed to test_cas_pem and is only
     available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
   * Test certificates in certs.c are no longer guaranteed to be nul-terminated

--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -570,7 +570,8 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 *
 * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
 */
-int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage );
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage );

 /**
 * \brief           Set the Netscape Cert Type flags

--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -217,15 +217,21 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 }
 #endif /* MBEDTLS_SHA1_C */

-int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, unsigned char key_usage )
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage )
 {
-    unsigned char buf[4];
+    unsigned char buf[4], ku;
    unsigned char *c;
    int ret;

+    /* We currently only support 7 bits, from 0x80 to 0x02 */
+    if( ( key_usage & ~0xfe ) != 0 )
+        return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+
    c = buf + 4;
+    ku = (unsigned char) key_usage;

-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 )
        return( ret );

    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,