From 089b62aa30ed5a0747af459d49af916d4ee87568 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Fri, 17 Jan 2020 10:27:10 -0700 Subject: [PATCH] Add example for checking key usage in a cert
--- certfields/keyUsage/Makefile | 12 ++ certfields/keyUsage/README.md | 20 +++ certfields/keyUsage/test-intermediate.pem | 186 ++++++++++++++++++++++ certfields/keyUsage/test.c | 50 ++++++ 4 files changed, 268 insertions(+) create mode 100644 certfields/keyUsage/Makefile create mode 100644 certfields/keyUsage/README.md create mode 100644 certfields/keyUsage/test-intermediate.pem create mode 100644 certfields/keyUsage/test.c
diff --git a/certfields/keyUsage/Makefile b/certfields/keyUsage/Makefile new file mode 100644
index 00000000..4fbd0166
--- /dev/null
+++ b/certfields/keyUsage/Makefile
@@ -0,0 +1,12 @@
+CC=gcc
+WOLFSSL_DIR=/usr/local
+CFLAGS=-Wall -I$(WOLFSSL_DIR)/include
+LIBS= -L$(WOLFSSL_DIR)/lib -lwolfssl
+
+run: test.o
+ $(CC) -o $@ $^ $(CFLAGS) $(LIBS)
+
+.PHONY: clean
+
+clean:
+ rm -f *.o run
diff --git a/certfields/keyUsage/README.md b/certfields/keyUsage/README.md new file mode 100644
index 00000000..b82ef9ff
--- /dev/null
+++ b/certfields/keyUsage/README.md
@@ -0,0 +1,20 @@
+An app for checking the keyUsage Extensions in a cert.
+
+Assumptions:
+wolfSSL Library must be configured with --enable-opensslextra
+wolfSSL lib installed to /usr/local
+
+NOTE: If wolfSSL is installed to custom directory edit Makefile variable
+ WOLFSSL_DIR accordingly for example if you configured wolfSSL with
+ "--enable-prefix=/home/me/wolf-install-dir" then set WOLFSSL_DIR to
+ "/home/me/wolf-install-dir" before running "make"
+
+Building:
+make
+
+Cleaning:
+make clean
+
+If there are any questions please do not hesitate to reach out to wolfSSL
+support staff via support [at] wolfssl [dot] com or through the zendesk channel
+at https://wolfssl [dot] zendesk [dot] com anytime.
diff --git a/certfields/keyUsage/test-intermediate.pem b/certfields/keyUsage/test-intermediate.pem new file mode 100644 index 00000000..7305fe0e --- /dev/null +++ b/certfields/keyUsage/test-intermediate.pem 
@@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Apr 13 15:23:10 2018 GMT + Not After : Jan 7 15:23:10 2021 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://127.0.0.1:22220 + + Signature Algorithm: sha256WithRSAEncryption + 
92:6e:c1:af:88:af:46:f2:6e:8a:8c:27:06:8e:b4:38:35:9b: + 47:92:24:20:e5:a5:13:d8:35:d3:2e:37:ca:74:47:e5:16:a3: + 03:63:16:b4:28:2b:d9:04:ab:ee:e4:0a:e5:87:da:d4:00:3a: + 53:c6:c9:25:6a:8f:49:d2:2e:34:f2:40:65:6e:02:fc:b9:42: + 3f:ef:cb:8c:79:84:03:84:dc:a0:68:1e:c7:c7:36:8c:60:14: + 55:f2:5f:f9:c1:3f:2b:f6:a2:1e:34:1f:83:ba:73:bc:b7:62: + bc:97:66:84:09:b9:2d:76:71:c8:91:fd:e2:e1:39:cf:dd:ec: + 98:a8:49:69:89:a8:18:2a:42:e7:fc:ab:2c:cf:13:ab:63:fe: + b0:19:ea:1a:38:22:16:11:31:34:43:fc:50:c6:ec:19:97:03: + db:e8:07:28:48:88:3a:e5:35:a2:fd:83:12:df:55:70:72:61: + 0d:f8:66:18:52:58:c9:46:97:86:31:9e:a2:43:0c:b9:0f:d3: + eb:35:c9:e5:19:4e:b4:8b:d2:ac:ea:bf:83:2a:48:9d:20:a0: + 08:45:60:92:8a:27:06:93:77:74:bb:0e:22:8e:54:17:f2:d4: + e7:7f:f3:90:4d:cc:75:e7:16:c5:9c:4a:cf:dc:f2:19:18:12: + f5:72:8e:2e +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTgw +NDEzMTUyMzEwWhcNMjEwMTA3MTUyMzEwWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH 
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAJJuwa+Ir0byboqMJwaOtDg1m0eSJCDlpRPYNdMuN8p0R+UWowNjFrQoK9kE +q+7kCuWH2tQAOlPGySVqj0nSLjTyQGVuAvy5Qj/vy4x5hAOE3KBoHsfHNoxgFFXy +X/nBPyv2oh40H4O6c7y3YryXZoQJuS12cciR/eLhOc/d7JioSWmJqBgqQuf8qyzP +E6tj/rAZ6ho4IhYRMTRD/FDG7BmXA9voByhIiDrlNaL9gxLfVXByYQ34ZhhSWMlG +l4YxnqJDDLkP0+s1yeUZTrSL0qzqv4MqSJ0goAhFYJKKJwaTd3S7DiKOVBfy1Od/ +85BNzHXnFsWcSs/c8hkYEvVyji4= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Apr 13 15:23:10 2018 GMT + Not After : Jan 7 15:23:10 2021 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 
90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://127.0.0.1:22220 + + Signature Algorithm: sha256WithRSAEncryption + 6b:10:b1:f8:cb:77:ef:72:f5:f8:fc:70:6d:18:dc:34:fe:d7: + 95:d8:fd:85:8e:ca:4b:f3:be:1f:eb:14:08:dc:23:34:78:98: + 39:d7:9f:c3:52:f6:14:3d:e9:de:5c:c2:d8:b1:4b:a8:4c:5b: + 91:42:66:da:7f:3c:e9:03:20:5e:08:0f:76:79:b9:21:10:89: + b7:73:46:44:7e:6e:28:0c:00:e4:f4:3e:65:aa:f5:c6:27:57: + 2c:bb:1d:ae:e5:94:57:a3:73:9e:6b:44:00:35:4a:f3:c7:34: + 9c:a2:a7:aa:62:9f:1d:ef:a8:6c:be:07:ad:ef:ae:ee:93:0b: + ba:c3:59:4e:90:40:2d:00:5e:f0:0f:0a:de:18:2a:b3:97:31: + 63:84:ff:18:1c:b6:d8:7d:ee:33:ed:99:f0:f5:7f:88:58:b3: + 0d:90:db:eb:44:7e:06:37:61:d4:34:b9:f6:fd:3e:8d:07:e4: + b5:b0:ae:09:ce:98:e4:b0:1b:d5:7b:53:94:dd:8a:b2:20:d6: + b0:72:f8:b1:bc:76:df:16:86:39:7b:e4:a9:15:47:57:ae:ca: + 41:d6:3a:ba:15:d1:c0:b5:38:66:0b:0f:80:8b:a2:07:b4:fc: + 80:1f:a3:4c:1f:d2:65:97:c1:2c:ae:46:31:61:49:0d:d7:5f: + ac:d2:a6:05 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTgw +NDEzMTUyMzEwWhcNMjEwMTA3MTUyMzEwWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg 
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAaxCx+Mt3 +73L1+PxwbRjcNP7Xldj9hY7KS/O+H+sUCNwjNHiYOdefw1L2FD3p3lzC2LFLqExb +kUJm2n886QMgXggPdnm5IRCJt3NGRH5uKAwA5PQ+Zar1xidXLLsdruWUV6NznmtE +ADVK88c0nKKnqmKfHe+obL4Hre+u7pMLusNZTpBALQBe8A8K3hgqs5cxY4T/GBy2 +2H3uM+2Z8PV/iFizDZDb60R+Bjdh1DS59v0+jQfktbCuCc6Y5LAb1XtTlN2KsiDW +sHL4sbx23xaGOXvkqRVHV67KQdY6uhXRwLU4ZgsPgIuiB7T8gB+jTB/SZZfBLK5G +MWFJDddfrNKmBQ== +-----END CERTIFICATE----- diff --git a/certfields/keyUsage/test.c b/certfields/keyUsage/test.c new file mode 100644 index 00000000..048e65e3 --- /dev/null +++ b/certfields/keyUsage/test.c 
@@ -0,0 +1,50 @@
+#include
+
+#include
+#include
+#include
+
+#ifdef OPENSSL_EXTRA
+void print_use(unsigned int usageMask, char* usage);
+
+void print_use(unsigned int usageMask, char* usage)
+{
+ if (usageMask)
+ printf("cert can be used for %s\n", usage);
+}
+#endif
+
+int main(int argc, char** argv)
+{
+#ifdef OPENSSL_EXTRA
+ char certFName[] = "./test-intermediate.pem";
+ WOLFSSL_X509* x509 = NULL;
+ unsigned int keyUsage = 0;
+
+ x509 = wolfSSL_X509_load_certificate_file(certFName, WOLFSSL_FILETYPE_PEM);
+ if (x509 == NULL) {
+ printf("Failed to load file %s\n", certFName);
+ return -999;
+ }
+
+ keyUsage = wolfSSL_X509_get_keyUsage(x509);
+
+ print_use((keyUsage & KEYUSE_DIGITAL_SIG), "DIGITAL SIGNATURE");
+ print_use((keyUsage & KEYUSE_CONTENT_COMMIT), "CONTENT COMMIT");
+ print_use((keyUsage & KEYUSE_KEY_ENCIPHER),"KEY ENCRYPTION");
+ print_use((keyUsage & KEYUSE_DATA_ENCIPHER), "DATA ENCRYPTION");
+ print_use((keyUsage & KEYUSE_KEY_AGREE), "KEY AGREEMENT");
+ print_use((keyUsage & KEYUSE_KEY_CERT_SIGN), "CERTIFICATE SIGNING");
+ print_use((keyUsage & KEYUSE_CRL_SIGN), "CRL SIGNING");
+ print_use((keyUsage & KEYUSE_ENCIPHER_ONLY), "ENCRYPT ONLY");
+ print_use((keyUsage & KEYUSE_DECIPHER_ONLY), "DECRYPT ONLY");
+
+ printf("keyUsage = %d\n", keyUsage);
+#else
+ printf("Please configure wolfSSL with --enable-opensslextra and try"
+ " again\n");
+#endif
+ return 0;
+}
+
+
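Review bot: The `x509` returned by `wolfSSL_X509_load_certificate_file` in main is never released, and `printf("keyUsage = %d\n", keyUsage)` prints an `unsigned int` with `%d`; add `wolfSSL_X509_free(x509);` after the last `print_use` call and change that line to `printf("keyUsage = 0x%x\n", keyUsage);` so the bit mask is readable. A mask of 0 is printed as if it were a result, but `wolfSSL_X509_get_keyUsage` returns 0 both when the extension is absent (which under RFC 5280 imposes no usage restriction) and when no bit is set, so the example should distinguish the two, e.g. `if (!wolfSSL_X509_ext_isSet_by_NID(x509, NID_key_usage)) printf("no keyUsage extension present\n");` if this build exposes that call, or at least a comment stating that 0 must not be read as "no usage permitted". Nothing in this hunk verifies the certificate's signature, chain or validity period, so a comment above the load call should say the bits reflect only what the certificate claims and are meaningful only after chain validation in production code. Note also that `test-intermediate.pem` holds two certificates (the intermediate, serial 2, followed by the root, serial 99) and this loader appears to parse only the first PEM block, so the root's bits are never examined. The four `#include` lines show no header names in this rendering, presumably lost in extraction, so confirm the committed file lists them; since `OPENSSL_EXTRA` is tested at line 7, the wolfSSL options header presumably has to precede the other wolfSSL headers for that test to see the configured value.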