[IOT-3203] keyUsage digitalSignature bit 61/27261/1
author Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 17 Oct 2018 12:26:49 +0000 (05:26 -0700)
committer Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
Wed, 17 Oct 2018 12:29:08 +0000 (05:29 -0700)
Per CR 2611, CA and SubCA Certificates may (or may not) include
the keyUsage "digitalSignature" bit.  This change removes that
bit from the list of disallowed bits.

Change-Id: Ib70b838518bf2375be7b4ade9b5ab9d98cb397e9
Signed-off-by: Nathan Heldt-Sheller <nathan.heldt-sheller@intel.com>
resource/csdk/connectivity/src/adapter_util/cacertprofile.c

index 3cebfc7..305afdf 100644 (file)
@@ -58,8 +58,7 @@ static const unsigned int s_eeNonKeyUsage = MBEDTLS_X509_KU_NON_REPUDIATION |
 static const unsigned int s_caKeyUsage = MBEDTLS_X509_KU_KEY_CERT_SIGN |
                                          MBEDTLS_X509_KU_CRL_SIGN;
 
-static const unsigned int s_caNonKeyUsage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
-                                            MBEDTLS_X509_KU_NON_REPUDIATION  |
+static const unsigned int s_caNonKeyUsage = MBEDTLS_X509_KU_NON_REPUDIATION  |
                                             MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
                                             MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
                                             MBEDTLS_X509_KU_KEY_AGREEMENT |
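Review bot: s_caNonKeyUsage drops MBEDTLS_X509_KU_DIGITAL_SIGNATURE with nothing in the code saying why, so a later reader who sees the bit in neither s_caKeyUsage nor s_caNonKeyUsage may take the omission for an oversight and put it back. Add a short comment above the definition stating that digitalSignature is optional on CA and SubCA certificates per CR 2611. Style point: the new first line keeps two spaces before the `|` after MBEDTLS_X509_KU_NON_REPUDIATION, which was alignment against the removed line. The change as shown touches only cacertprofile.c; a test with a CA certificate that sets digitalSignature alongside keyCertSign and cRLSign would pin the new behaviour.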
@@ -200,7 +199,7 @@ CertProfileViolations ValidateEndEntityCertProfile(const mbedtls_x509_crt *cert)
 
     // OCF requirements exist for the following extensions, but w/o mbedTLS support
     // * check for certificate policies, if present must be 1.3.6.1.4.1.51414.0.1.1
-    // * cRL Distributiojn Points
+    // * cRL Distribution Points
 
     if (NULL == cert)
     {
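Review bot: the spelling fix in the ValidateEndEntityCertProfile comment is unrelated to the keyUsage change and the commit message does not mention it; note it there or send it separately so the functional change stays easy to audit. While this comment is being touched, consider marking the two listed OCF requirements (certificate policies 1.3.6.1.4.1.51414.0.1.1 and cRL Distribution Points) as a TODO with a tracking reference, since the comment says they exist without mbedTLS support.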