Certificate: add authentication usage check.

leshan-core-cf/src/main/java/org/eclipse/leshan/core/californium/security/LwM2mCertificateVerifier.java

@@ -36,6 +36,7 @@
 import org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier;
 import org.eclipse.californium.scandium.util.ServerNames;
 import org.eclipse.leshan.core.security.certificate.verifier.X509CertificateVerifier;
+import org.eclipse.leshan.core.security.certificate.verifier.X509CertificateVerifier.Role;
 
 public class LwM2mCertificateVerifier implements NewAdvancedCertificateVerifier {
 
@@ -69,7 +70,8 @@ public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerN
         try {
             // verifyDestination is currently not used.
             // The DTLS_VERIFY_SERVER_CERTIFICATES_SUBJECT is therefore set to transient.
-            certificateVerifier.verifyCertificate(message.getCertificateChain(), remotePeer);
+            certificateVerifier.verifyCertificate(message.getCertificateChain(), remotePeer,
+                    clientUsage ? Role.CLIENT : Role.SERVER);
             return new CertificateVerificationResult(cid, message.getCertificateChain(), null);
         } catch (CertificateException exception) {
             return new CertificateVerificationResult(cid, new HandshakeException("Unable to verify Certificate",

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/BaseCertificateVerifier.java

@@ -66,4 +66,18 @@ protected void validateSubject(InetSocketAddress peerSocket, X509Certificate rec
         throw new CertificateException(
                 "Certificate chain could not be validated - server identity does not match certificate");
     }
+
+    protected void validateCertificateCanBeUsedForAuthentication(X509Certificate certificate,
+            Role certificateOwnerRole) {
+        switch (certificateOwnerRole) {
+        case CLIENT:
+            X509CertUtil.canBeUsedForAuthentication(certificate, true);
+            break;
+        case SERVER:
+            X509CertUtil.canBeUsedForAuthentication(certificate, false);
+            break;
+        default:
+            throw new IllegalStateException("Unsupported role " + certificateOwnerRole);
+        }
+    }
 }

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/CaConstraintCertificateVerifier.java

@@ -70,12 +70,13 @@ public CaConstraintCertificateVerifier(Certificate caCertificate, X509Certificat
     }
 
     @Override
-    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
-            throws CertificateException {
+    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress,
+            Role remotePeerRole) throws CertificateException {
 
         validateCertificateChainNotEmpty(remotePeerCertChain);
         X509Certificate receivedServerCertificate = validateReceivedCertificateIsSupported(remotePeerCertChain);
         validateNotDirectTrust(remotePeerCertChain);
+        validateCertificateCanBeUsedForAuthentication(receivedServerCertificate, remotePeerRole);
 
         // - must do PKIX validation with trustStore
         CertPath certPath;

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/DefaultCertificateVerifier.java

@@ -44,22 +44,29 @@ public DefaultCertificateVerifier(List<X509Certificate> trustedCertificates) {
     }
 
     @Override
-    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
-            throws CertificateException {
+    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress,
+            Role remotePeerRole) throws CertificateException {
 
         if (trustedCertificates.isEmpty()) {
             // In this case we trust anything.
             return remotePeerCertChain;
         }
 
         validateCertificateChainNotEmpty(remotePeerCertChain);
+        X509Certificate receivedServerCertificate = validateReceivedCertificateIsSupported(remotePeerCertChain);
+        validateCertificateCanBeUsedForAuthentication(receivedServerCertificate, remotePeerRole);
 
         // - must do PKIX validation with trustStore
+        CertPath certPath;
         try {
-            return PKIValidator.applyPKIXValidation(remotePeerCertChain,
+            certPath = PKIValidator.applyPKIXValidation(remotePeerCertChain,
                     trustedCertificates.toArray(new X509Certificate[trustedCertificates.size()]));
         } catch (GeneralSecurityException e) {
             throw new CertificateException("Certificate chain could not be validated");
         }
+
+        validateSubject(remotePeerAddress, receivedServerCertificate);
+
+        return certPath;
     }
 }

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/DomainIssuerCertificateVerifier.java

@@ -53,8 +53,8 @@ public DomainIssuerCertificateVerifier(Certificate domainIssuerCertificate) {
     }
 
     @Override
-    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
-            throws CertificateException {
+    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress,
+            Role remotePeerRole) throws CertificateException {
 
         validateCertificateChainNotEmpty(remotePeerCertChain);
 

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/ServiceCertificateConstraintCertificateVerifier.java

@@ -61,12 +61,13 @@ public ServiceCertificateConstraintCertificateVerifier(Certificate serviceCertif
     }
 
     @Override
-    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
-            throws CertificateException {
+    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress,
+            Role remotePeerRole) throws CertificateException {
 
         validateCertificateChainNotEmpty(remotePeerCertChain);
 
         X509Certificate receivedServerCertificate = validateReceivedCertificateIsSupported(remotePeerCertChain);
+        validateCertificateCanBeUsedForAuthentication(receivedServerCertificate, remotePeerRole);
 
         // - must do PKIX validation with trustStore
         CertPath certPath;

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/TrustAnchorAssertionCertificateVerifier.java

@@ -58,11 +58,12 @@ public TrustAnchorAssertionCertificateVerifier(X509Certificate trustAnchor, Stri
     }
 
     @Override
-    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
-            throws CertificateException {
+    public CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress,
+            Role remotePeerRole) throws CertificateException {
 
         validateCertificateChainNotEmpty(remotePeerCertChain);
         X509Certificate receivedServerCertificate = validateReceivedCertificateIsSupported(remotePeerCertChain);
+        validateCertificateCanBeUsedForAuthentication(receivedServerCertificate, remotePeerRole);
 
         // - must do PKIX validation with trustStore
         CertPath certPath;

leshan-core/src/main/java/org/eclipse/leshan/core/security/certificate/verifier/X509CertificateVerifier.java

@@ -21,6 +21,13 @@
 
 public interface X509CertificateVerifier {
 
-    CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress)
+    public enum Role {
+        // used for client certificate
+        CLIENT,
+        // used for server certificate
+        SERVER;
+    }
+
+    CertPath verifyCertificate(CertPath remotePeerCertChain, InetSocketAddress remotePeerAddress, Role remotePeerRole)
             throws CertificateException;
 }