Skip to content

session mbedtls, openssl UPDATE optionally enforce EKU and KU#619

Open
niklas-moser wants to merge 1 commit into
CESNET:develfrom
niklas-moser:tls_client_enforce_eku_and_ku_extensions
Open

session mbedtls, openssl UPDATE optionally enforce EKU and KU#619
niklas-moser wants to merge 1 commit into
CESNET:develfrom
niklas-moser:tls_client_enforce_eku_and_ku_extensions

Conversation

@niklas-moser

Copy link
Copy Markdown

Continuation of this PR, with devel as target branch.

@niklas-moser niklas-moser force-pushed the tls_client_enforce_eku_and_ku_extensions branch 2 times, most recently from 9b0567c to 8e7e05a Compare July 7, 2026 15:29

@Roytak Roytak left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but needs a bit of refactor.

Comment thread src/session_mbedtls.c Outdated
Comment on lines +793 to +820
/* WG11 6.9.3 / O-RAN: the end-entity (client) certificate MUST carry
* the clientAuth Extended Key Usage, so explicitly reject any leaf
* certificate lacking the clientAuth EKU extension. */
const mbedtls_x509_sequence *usage;
int has_client_auth = 0;

for (usage = &cert->ext_key_usage; usage && usage->buf.p; usage = usage->next) {
if (!MBEDTLS_OID_CMP(MBEDTLS_OID_CLIENT_AUTH, &usage->buf)) {
has_client_auth = 1;
break;
}
}
if (!has_client_auth) {
ERR(data->session, "Cert verify: fail (client certificate lacks the required clientAuth Extended Key Usage).");
*flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
return 0;
}

/* WG11 6.9.3 / O-RAN: the end-entity (client) certificate MUST also
* carry a Key Usage extension with the digitalSignature bit set (the
* client signs the CertificateVerify handshake message), so reject any
* leaf certificate missing the Key Usage extension or that bit. */
if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_KEY_USAGE) ||
mbedtls_x509_crt_check_key_usage(cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE)) {
ERR(data->session, "Cert verify: fail (client certificate lacks the required digitalSignature Key Usage).");
*flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
return 0;
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that extracting this code into a separate function would look much cleaner. If it fails, then just set the flags and return, also wrap the function in the ifdef.

Comment thread src/session_openssl.c Outdated
Comment on lines +467 to +506
/* WG11 6.9.3 / O-RAN: the end-entity (client) certificate MUST carry
* the clientAuth Extended Key Usage, so explicitly reject any leaf
* certificate lacking the clientAuth EKU extension. */
{
EXTENDED_KEY_USAGE *eku = X509_get_ext_d2i(cert, NID_ext_key_usage, NULL, NULL);
int has_client_auth = 0, i;

if (eku) {
for (i = 0; i < sk_ASN1_OBJECT_num(eku); ++i) {
if (OBJ_obj2nid(sk_ASN1_OBJECT_value(eku, i)) == NID_client_auth) {
has_client_auth = 1;
break;
}
}
EXTENDED_KEY_USAGE_free(eku);
}
if (!has_client_auth) {
ERR(data->session, "Cert verify: fail (client certificate lacks the required clientAuth Extended Key Usage).");
return 0;
}
}

/* WG11 6.9.3 / O-RAN: the end-entity (client) certificate MUST also
* carry a Key Usage extension with the digitalSignature bit set (the
* client signs the CertificateVerify handshake message), so reject any
* leaf certificate missing the Key Usage extension or that bit. */
{
ASN1_BIT_STRING *ku = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);
int has_digital_signature = 0;

if (ku) {
/* bit 0 of the Key Usage bit string is digitalSignature */
has_digital_signature = ASN1_BIT_STRING_get_bit(ku, 0);
ASN1_BIT_STRING_free(ku);
}
if (!has_digital_signature) {
ERR(data->session, "Cert verify: fail (client certificate lacks the required digitalSignature Key Usage).");
return 0;
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do the same as for mbedTLS, we really always try to avoid inner code blocks in this codebase. Otherwise the code looks OK.

Comment thread CMakeLists.txt Outdated
option(ENABLE_PAM "Detect and use PAM" ON)
option(ENABLE_COMMON_TARGETS "Define common custom target names such as 'doc' or 'uninstall', may cause conflicts when using add_subdirectory() to build this project" ON)
option(ENABLE_IP_FREEBIND "Enable the IP_FREEBIND/IPV6_FREEBIND options on the listening TCP socket" OFF)
option(ENABLE_COMPLY_WITH_ORAN_WG11 "Comply with the O-RAN WG11 security spec (e.g. enforce the clientAuth Extended Key Usage and the digitalSignature Key Usage on client certificates), non-default behavior" OFF)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can omit the "non-default behavior" here.

@niklas-moser niklas-moser force-pushed the tls_client_enforce_eku_and_ku_extensions branch from 8e7e05a to 824a417 Compare July 8, 2026 10:57
@niklas-moser

niklas-moser commented Jul 8, 2026

Copy link
Copy Markdown
Author

Thank you! I updated the branch, let me know what you think

@niklas-moser niklas-moser requested a review from Roytak July 8, 2026 11:04

@Roytak Roytak left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last comment from me, otherwise LGTM. Will wait for Michal to look at it and merge it when he comes back next week.

Comment thread CMakeLists.txt Outdated

# comply with the O-RAN WG11 security spec (e.g. client cert Extended Key Usage and Key Usage checks)
if(ENABLE_COMPLY_WITH_ORAN_WG11)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCOMPLY_WITH_ORAN_WG11")

@Roytak Roytak Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prepend NC_ to the compile def name, so it's NC_COMPLY_WITH_ORAN_WG11, similarly to NC_ENABLED_SSH_TLS.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

…Key Usage (KU) set by client, optional through compile-time flag

Signed-off-by: Niklas Moser <niklas.moser@srs.io>
@niklas-moser niklas-moser force-pushed the tls_client_enforce_eku_and_ku_extensions branch from 824a417 to e6f89fb Compare July 8, 2026 13:20
@niklas-moser

Copy link
Copy Markdown
Author

Okay, updated the PR. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants