Certificate ExtendedKeyUsages are not enforced when extension is absent from certificate

Description

Application certificates that have no ExtendedKeyUsage extension are accepted at the ExtendedKeyUsage verification step, whereas they should not be.

Code version and environment identification

Current master as of the date of the issue: 2f451358

Analysis

Part 6 v1.05 states for Application certificates' extended key usages:

Specifies additional limits on how the Certificate key may be used. For RSA keys, the extendedKeyUsage shall specify serverAuth and/or clientAuth. For ECC keys, the extendedKeyUsage may specify serverAuth and/or clientAuth. Other extendedKeyUsage bits are allowed.

The main S2OPC crypto implementation (which uses Mbedtls) checks whether we have the correct extendedKeyUsages this way:

image

But a closer look at the function mbedtls_x509_crt_check_extended_key_usage reveals that the presence of the ExtendedKeyUsage given as a parameter is actually not verified if the certificate does not have the ExtendedKeyUsage extension:

mbedtls_function

This was really not explicit in the documentation of the function:

image

and we reported that to Mbedtls: https://github.com/Mbed-TLS/mbedtls/issues/9924.

Security impact

We consequently authorize using certificates that should not be authorized.

Possible fixes

We need to manually check the extendedKeyUsages of the certificate.

Edited Jan 24, 2025 by Nathan Lebeau
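
The manual check proposed under "Possible fixes", as an added example that is not S2OPC or Mbed TLS code: a simplified C model in which the lenient function reproduces the behaviour described in the Analysis and the strict wrapper rejects a certificate whose extension is missing. The `model_cert` type, the function names and the sample certificates are hypothetical and constructed for illustration; the key-type policy is one reading of the Part 6 quote.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a parsed certificate (hypothetical, not an Mbed TLS type). */
typedef struct {
    int has_eku;          /* 1 if the ExtendedKeyUsage extension is present */
    const char *eku[4];   /* key purposes listed in the extension */
    size_t eku_count;
} model_cert;

/* Constructed sample certificates. */
const model_cert CERT_NO_EKU   = { 0, { NULL }, 0 };
const model_cert CERT_CLIENT   = { 1, { "clientAuth" }, 1 };
const model_cert CERT_CODESIGN = { 1, { "codeSigning" }, 1 };

/* Models the behaviour described in the Analysis: an absent extension
 * is reported as "usage allowed" (0). */
int lenient_check_eku(const model_cert *crt, const char *usage)
{
    if (!crt->has_eku)
        return 0;
    for (size_t i = 0; i < crt->eku_count; i++)
        if (strcmp(crt->eku[i], usage) == 0)
            return 0;
    return -1;
}

/* Manual check: test for the extension first, then look up the usage. */
int strict_check_eku(const model_cert *crt, const char *usage)
{
    return crt->has_eku ? lenient_check_eku(crt, usage) : -1;
}

/* Policy read from the Part 6 quote (assumption): RSA keys shall carry
 * serverAuth and/or clientAuth; for ECC keys the extension is optional. */
int app_cert_eku_accept(const model_cert *crt, int is_rsa)
{
    if (!is_rsa || strict_check_eku(crt, "serverAuth") == 0)
        return 0;
    return strict_check_eku(crt, "clientAuth");
}

int main(void)
{
    printf("no EKU, lenient: %d\n", lenient_check_eku(&CERT_NO_EKU, "clientAuth"));
    printf("no EKU, strict:  %d\n", strict_check_eku(&CERT_NO_EKU, "clientAuth"));
    printf("RSA, no EKU:     %d\n", app_cert_eku_accept(&CERT_NO_EKU, 1));
    return 0;
}
```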