Check smartcard certificates for correct EKU

To be used for login, smartcard certificates must have the Microsoft
Smart Card Logon EKU

include/freerdp/crypto/crypto.h

@@ -69,6 +69,7 @@ extern "C"
 	FREERDP_API char* crypto_cert_get_upn(X509* x509);
 	FREERDP_API void crypto_cert_dns_names_free(int count, int* lengths, char** dns_names);
 	FREERDP_API char* crypto_cert_issuer(X509* xcert);
+	FREERDP_API BOOL crypto_check_eku(X509* scert, int nid);
 	FREERDP_API void crypto_cert_print_info(X509* xcert);
 	FREERDP_API void crypto_cert_free(CryptoCert cert);
 

libfreerdp/core/smartcardlogon.c

@@ -339,6 +339,13 @@ static BOOL list_provider_keys(const rdpSettings* settings, NCRYPT_PROV_HANDLE p
 			goto endofloop;
 		}
 
+		if (!crypto_check_eku(cert->certificate->px509, NID_ms_smartcard_login))
+		{
+			WLog_DBG(TAG, "discarding certificate without Smartcard Login EKU for key %s",
+			         cert->keyName);
+			goto endofloop;
+		}
+
 		if (!treat_sc_cert(cert))
 		{
 			WLog_DBG(TAG, "error treating cert");

libfreerdp/crypto/crypto.c

@@ -868,6 +868,30 @@ char* crypto_cert_issuer(X509* xcert)
 	return issuer;
 }
 
+BOOL crypto_check_eku(X509* xcert, int nid)
+{
+	BOOL ret = FALSE;
+	STACK_OF(ASN1_OBJECT) * oid_stack;
+	ASN1_OBJECT* oid;
+
+	if (!xcert)
+		return FALSE;
+
+	oid = OBJ_nid2obj(nid);
+	if (!oid)
+		return FALSE;
+
+	oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage, NULL, NULL);
+	if (!oid_stack)
+		return FALSE;
+
+	if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
+		ret = TRUE;
+
+	sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
+	return ret;
+}
+
 static int verify_cb(int ok, X509_STORE_CTX* csc)
 {
 	if (ok != 1)