SUPPORT-8924. Добавлена проверка KeyUsage сертификата для подписи

2025-02-14 16:26:36 +03:00 · 2025-02-14 16:26:36 +03:00 · 6d835c0958
commit 6d835c0958
parent 43fe9be6fa
3 changed files with 61 additions and 16 deletions
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@ -210,26 +210,34 @@ exit:
    return is_verified;
 }

-static void
-log_sign_hash_data_last_error()
+static bool
+check_cert_key_usage(PCCERT_CONTEXT certificate)
 {
-    DWORD error = cp_function_list.GetLastError();
+    bool is_digital_signature_key_usage = false;
+    BYTE key_usage;

-    switch (error) {
-    case ERROR_FUNCTION_FAILED:
-        LOG_ERROR("sign_hash_data exit with error. Last error code: "
-                    "license is expired or not yet valid (0x%08x)", error);
-        break;
+    LOG_TRACE("check_cert_key_usage enter");

-    case SCARD_W_WRONG_CHV:
-        LOG_ERROR("sign_hash_data exit with error. Last error code: "
-                    "the wrong PIN was presented (0x%08x)", error);
-        break;
-        
-    default:
-        LOG_ERROR("sign_hash_data exit with error. Last error code: 0x%08x", error);
-        break;
+    if (cp_function_list.CertGetIntendedKeyUsage(
+                            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
+                            certificate->pCertInfo,
+                            &key_usage, 
+                            sizeof(key_usage))) {
+        if (key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE) {
+            is_digital_signature_key_usage = true;
+        } 
+    } else {
+        LOG_ERROR("CertGetIntendedKeyUsage failed: 0x%08x", cp_function_list.GetLastError());
    }
+
+    if (is_digital_signature_key_usage) {
+        LOG_DEBUG("Certificate KeyUsage contains digitalSignature");
+    } else {
+        LOG_ERROR("Certificate KeyUsage does not contain digitalSignature");
+    }
+
+    LOG_TRACE("check_cert_key_usage exit");
+    return is_digital_signature_key_usage;
 }

 int 
@ -247,6 +255,11 @@ open_signer_cert(cryptopro_context_t *ctx)
        goto error;
    }

+    if (!check_cert_key_usage(ctx->signer_cert)) {
+        goto error;
+    }
+
+
    LOG_TRACE("open_signer_cert exit");

    return 0;
@ -274,6 +287,28 @@ close_signer_cert(cryptopro_context_t *ctx)
    LOG_TRACE("close_signer_cert exit");
 }

+static void
+log_sign_hash_data_last_error()
+{
+    DWORD error = cp_function_list.GetLastError();
+
+    switch (error) {
+    case ERROR_FUNCTION_FAILED:
+        LOG_ERROR("sign_hash_data exit with error. Last error code: "
+                    "license is expired or not yet valid (0x%08x)", error);
+        break;
+
+    case SCARD_W_WRONG_CHV:
+        LOG_ERROR("sign_hash_data exit with error. Last error code: "
+                    "the wrong PIN was presented (0x%08x)", error);
+        break;
+        
+    default:
+        LOG_ERROR("sign_hash_data exit with error. Last error code: 0x%08x", error);
+        break;
+    }
+}
+
 static int 
 sign_hash_data(const cryptopro_context_t *ctx, const str_t *data, /*out*/ str_t *sign)
 {