Check smartcard certificates for correct EKU

To be used for login, smartcard certificates must have the Microsoft
Smart Card Logon EKU
This commit is contained in:
fifthdegree 2022-10-23 14:51:40 -04:00 committed by David Fort
parent 78ba60f50f
commit cbd310df52
3 changed files with 32 additions and 0 deletions

View File

@ -69,6 +69,7 @@ extern "C"
FREERDP_API char* crypto_cert_get_upn(X509* x509); FREERDP_API char* crypto_cert_get_upn(X509* x509);
FREERDP_API void crypto_cert_dns_names_free(int count, int* lengths, char** dns_names); FREERDP_API void crypto_cert_dns_names_free(int count, int* lengths, char** dns_names);
FREERDP_API char* crypto_cert_issuer(X509* xcert); FREERDP_API char* crypto_cert_issuer(X509* xcert);
FREERDP_API BOOL crypto_check_eku(X509* scert, int nid);
FREERDP_API void crypto_cert_print_info(X509* xcert); FREERDP_API void crypto_cert_print_info(X509* xcert);
FREERDP_API void crypto_cert_free(CryptoCert cert); FREERDP_API void crypto_cert_free(CryptoCert cert);

View File

@ -339,6 +339,13 @@ static BOOL list_provider_keys(const rdpSettings* settings, NCRYPT_PROV_HANDLE p
goto endofloop; goto endofloop;
} }
if (!crypto_check_eku(cert->certificate->px509, NID_ms_smartcard_login))
{
WLog_DBG(TAG, "discarding certificate without Smartcard Login EKU for key %s",
cert->keyName);
goto endofloop;
}
if (!treat_sc_cert(cert)) if (!treat_sc_cert(cert))
{ {
WLog_DBG(TAG, "error treating cert"); WLog_DBG(TAG, "error treating cert");

View File

@ -868,6 +868,30 @@ char* crypto_cert_issuer(X509* xcert)
return issuer; return issuer;
} }
BOOL crypto_check_eku(X509* xcert, int nid)
{
BOOL ret = FALSE;
STACK_OF(ASN1_OBJECT) * oid_stack;
ASN1_OBJECT* oid;
if (!xcert)
return FALSE;
oid = OBJ_nid2obj(nid);
if (!oid)
return FALSE;
oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage, NULL, NULL);
if (!oid_stack)
return FALSE;
if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
ret = TRUE;
sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
return ret;
}
static int verify_cb(int ok, X509_STORE_CTX* csc) static int verify_cb(int ok, X509_STORE_CTX* csc)
{ {
if (ok != 1) if (ok != 1)