
This queue is for tickets about the Crypt-X509 CPAN distribution.

Report information
The Basics
Id: 38604
Status: resolved
Priority: 0/
Queue: Crypt-X509

People
Owner: alexander.w.jung [...] gmail.com
Requestors: js [...] joergschneider.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in:
  • 0.01
  • 0.2
  • 0.21
  • 0.32
Fixed in: (no value)



Subject: ExtKeyUsage is not supported
Crypt::X509 does not support the "extended key usage" extension. The attached patch adds support for this extension including documentation and tests. Feel free to include this in a future release, if you like it.

Include documentation:

ExtKeyUsage

returns a pointer to an array of ExtKeyUsage strings (or OIDs for unknown OIDs) or "undef" if the extension is not filled. OIDs of the following ExtKeyUsages are known: serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning

If the extension is marked critical, this is also reported.

    $decoded= Crypt::X509->new($cert);
    print "ExtKeyUsage extension of this Certificates is: ", join(", ", @{$decoded->ExtKeyUsage}), "\n";

    Example Output: ExtKeyUsage extension of this Certificates is: critical, serverAuth
Subject: Crypt-X509-0.32-extkeyusage.diff
diff -ur Crypt-X509-0.32/lib/Crypt/X509.pm Crypt-X509/lib/Crypt/X509.pm --- Crypt-X509-0.32/lib/Crypt/X509.pm 2007-01-09 20:12:53.000000000 +0100 +++ Crypt-X509/lib/Crypt/X509.pm 2008-04-17 17:47:43.000000000 +0200 
@@ -663,6 +663,52 @@ return undef; # keyusage extension not found } +=head2 ExtKeyUsage + +returns a pointer to an array of ExtKeyUsage strings (or OIDs for unknown OIDs) or +C<undef> if the extension is not filled. OIDs of the following ExtKeyUsages are known: +serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning + +If the extension is marked critical, this is also reported. + + $decoded= Crypt::X509->new($cert); + print "ExtKeyUsage extension of this Certificates is: ", join(", ", @{$decoded->ExtKeyUsage}), "\n"; + + Example Output: ExtKeyUsage extension of this Certificates is: critical, serverAuth + +=cut back + +my %oid2extkeyusage = ( + '1.3.6.1.5.5.7.3.1' => 'serverAuth', + '1.3.6.1.5.5.7.3.2' => 'clientAuth', + '1.3.6.1.5.5.7.3.3' => 'codeSigning', + '1.3.6.1.5.5.7.3.4' => 'emailProtection', + '1.3.6.1.5.5.7.3.8' => 'timeStamping', + '1.3.6.1.5.5.7.3.9' => 'OCSPSigning', +); + +sub ExtKeyUsage { + my $self=shift; + my $ext; + my $exts=$self->{'tbsCertificate'}->{'extensions'}; + if (!defined $exts) {return undef;}; # no extensions in certificate + foreach $ext (@{$exts}) { + if ($ext->{'extnID'} eq '2.5.29.37') { #OID for ExtKeyUsage + return $ext->{'oids'} if defined $ext->{'oids'}; + my $parsExtKeyUsage=_init('ExtKeyUsageSyntax'); # get a parser for this + my $oids=$parsExtKeyUsage->decode($ext->{'extnValue'}); # decode the value + if ($parsExtKeyUsage->error) { + $self->{"_error"} = $parsExtKeyUsage->error; + return undef; + } + $ext->{'oids'} = [ map { $oid2extkeyusage{$_} || $_ } @$oids ]; + if ($ext->{'critical'}) { unshift @{$ext->{'oids'}}, "critical";} # mark as critical, if appropriate + return $ext->{'oids'}; + } + } + return undef; +} + =head2 SubjectAltName returns a pointer to an array of strings containing alternative Subjectnames or Only in Crypt-X509: Makefile.old diff -ur Crypt-X509-0.32/t/Crypt-X509.t Crypt-X509/t/Crypt-X509.t --- Crypt-X509-0.32/t/Crypt-X509.t 2007-01-09 19:38:15.000000000 +0100 +++ 
Crypt-X509/t/Crypt-X509.t 2008-04-17 15:10:10.000000000 +0200 @@ -1,6 +1,6 @@ # Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl Convert-ASN1-X509.t' -use Test::More tests => 56; +use Test::More tests => 58; BEGIN { use_ok('Crypt::X509') } $cert = loadcert('t/verisign.der'); is( length $cert, 774, 'certificate file loaded' ); @@ -17,6 +17,10 @@ # this has also to work twice is( join( ':', @{ $decoded2->KeyUsage } ), "critical:digitalSignature:keyEncipherment:dataEncipherment", 'Keyusagecheck again' ); +is( join( ':', @{ $decoded2->ExtKeyUsage } ), "clientAuth:emailProtection", 'Extkeyusagecheck' ); + +# this has also to work twice +is( join( ':', @{ $decoded2->ExtKeyUsage } ), "clientAuth:emailProtection", 'Extkeyusagecheck again' ); is( join( ',', @{ $decoded2->Subject } ), "E=alexander.jung\@allianz.de,C=DE,O=Allianz Group,CN=Alexander Jung", 'Subject parsed' ); is( $decoded2->subject_country, "DE", "Subject_country" ); is( $decoded2->subject_state, undef, "Subject_state" );
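Review bot: In sub ExtKeyUsage (lib/Crypt/X509.pm hunk), the decode-failure branch returns undef exactly like the "no extensions" and "extension not found" paths, so a caller that enforces usage cannot tell an unparseable extension from an absent one unless it also inspects $self->{"_error"}; the POD should state that, or the failure should be signalled in a distinguishable way. Smaller points on the same hunk: "critical" is unshifted into the same cached array as the usage names, so callers have to strip it before membership checks and must not modify the returned reference; %oid2extkeyusage has no entry for anyExtendedKeyUsage (2.5.29.37.0), which will therefore come back as a bare OID; and _init('ExtKeyUsageSyntax') is called although no hunk adds that definition, so please confirm the module's ASN.1 description already provides it.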
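Review bot: The two assertions added in the second t/Crypt-X509.t hunk exercise a single certificate whose extension is non-critical and holds two known OIDs (expected "clientAuth:emailProtection"); nothing covers the "critical" prefix, the fallback to a raw OID for an unknown usage, or the undef return for a certificate without the extension. Please add one case for each. The join( ':', @{ $decoded2->ExtKeyUsage } ) pattern is not a valid way to test the undef return, so the no-extension case needs a direct is( $decoded->ExtKeyUsage, undef, ... ) check.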
Hello, thanks for the patch. I have only now finally gotten around to integrating it; there will probably be a new version of the module tomorrow. Kind regards, Alexander Jung
Hello, OK, version 0.40 will be available as of this afternoon. Thanks again, Alexander Jung
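
A caller-side purpose check built on the return value described in this ticket, as an added example (not code from the patch or from Crypt::X509). eku_permits is a hypothetical helper, the sample return values are constructed, and treating a missing extension and anyExtendedKeyUsage as permissive are policy assumptions.

```perl
use strict;
use warnings;

# anyExtendedKeyUsage (RFC 5280). The patch's OID table has no name for it,
# so the accessor would hand it back as this raw OID string.
my $ANY_EKU = '2.5.29.37.0';

# Hypothetical helper, not part of Crypt::X509.
#   $eku     - return value of ExtKeyUsage: undef or an arrayref
#   $error   - parser error string, if any (a decode failure also yields undef)
#   $purpose - required usage name, e.g. 'serverAuth'
# Returns (1, reason) when the purpose is allowed, (0, reason) otherwise.
sub eku_permits {
    my ($eku, $error, $purpose) = @_;

    # Fail closed: check the parser error before interpreting undef.
    return (0, "extension could not be decoded: $error") if defined $error;
    # Policy assumption: no extension means no EKU restriction.
    return (1, 'no ExtKeyUsage extension') unless defined $eku;

    my @usages = @$eku;    # copy: the accessor returns its cached array
    # "critical" is a marker prepended by the accessor, not a usage.
    my $critical = (@usages && $usages[0] eq 'critical') ? 1 : 0;
    shift @usages if $critical;
    my $tag = $critical ? 'critical' : 'non-critical';

    return (1, "$tag: $purpose listed") if grep { $_ eq $purpose } @usages;
    # Policy assumption: accept anyExtendedKeyUsage; a stricter caller may not.
    return (1, "$tag: anyExtendedKeyUsage") if grep { $_ eq $ANY_EKU } @usages;
    return (0, "$tag: only " . (join(', ', @usages) || 'nothing') . ' allowed');
}

# Constructed return values, in the shape the ticket describes.
my @cases = (
    [ ['critical', 'serverAuth'],        undef,          'serverAuth'  ],
    [ ['clientAuth', 'emailProtection'], undef,          'serverAuth'  ],
    [ [$ANY_EKU],                        undef,          'codeSigning' ],
    [ undef,                             undef,          'serverAuth'  ],
    [ undef,                             'decode error', 'serverAuth'  ],
);
for my $c (@cases) {
    my ($ok, $why) = eku_permits(@$c);
    printf "%-11s %-6s %s\n", $c->[2], $ok ? 'allow' : 'reject', $why;
}
```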