adds OCSP Responder extKeyUsage validation

wolfcrypt/src/asn.c

@@ -10757,6 +10757,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             return ASN_PARSE_E;
 
         InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
+
         /* Don't verify if we don't have access to Cert Manager. */
         ret = ParseCertRelative(&cert, CERT_TYPE,
                                 noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
@@ -10766,6 +10767,13 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             return ret;
         }
 
+        if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
+            WOLFSSL_MSG("\tOCSP Responder key usage check failed");
+
+            FreeDecodedCert(&cert);
+            return BAD_OCSP_RESPONDER;
+        }
+
         /* ConfirmSignature is blocking here */
         ret = ConfirmSignature(&cert.sigCtx,
             resp->response, resp->responseSz,

wolfcrypt/src/error.c

@@ -425,6 +425,9 @@ const char* wc_GetErrorString(int error)
     case ASYNC_OP_E:
         return "Async operation error";
 
+    case BAD_OCSP_RESPONDER:
+        return "Invalid OCSP Responder, missing specific key usage extensions";
+
     default:
         return "unknown error number";
 

wolfssl/wolfcrypt/error-crypt.h

@@ -106,6 +106,7 @@ enum {
     UNICODE_SIZE_E     = -175,  /* Unicode password too big */
     NO_PASSWORD        = -176,  /* no password provided by user */
     ALT_NAME_E         = -177,  /* alt name size problem, too big */
+    BAD_OCSP_RESPONDER = -178,  /* missing key usage extensions */
 
     AES_GCM_AUTH_E     = -180,  /* AES-GCM Authentication check failure */
     AES_CCM_AUTH_E     = -181,  /* AES-CCM Authentication check failure */