JNI/JCE: add getExtendedKeyUsage() to X509Certificate (WolfSSLX509), wrap wolfSSL_X509_get_extended_key_usage() in WolfSSLCertificate.getExtendedKeyUsage()

Author: cconlon

native/com_wolfssl_WolfSSLCertificate.c

@@ -1565,6 +1565,107 @@ JNIEXPORT jbooleanArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1k
     return ret;
 }
 
+/* Helper function to add an Extended Key Usage (EKU) OID string to the
+ * jobjectArray array if the flag is set. Returns updated index in array. */
+static int addEkuOid(JNIEnv* jenv, jobjectArray ret, int idx,
+    unsigned int ekuBits, unsigned int flag, int nid)
+{
+    WOLFSSL_ASN1_OBJECT* obj = NULL;
+    jstring ekuStr = NULL;
+    char oidBuf[128];
+    int oidLen = 0;
+
+    if (ekuBits & flag) {
+
+        /* Convert NID to WOLFSSL_ASN1_OBJECT */
+        obj = wolfSSL_OBJ_nid2obj(nid);
+        if (obj != NULL) {
+
+            /* Convert WOLFSSL_ASN1_OBJECT to OID string */
+            oidLen = wolfSSL_OBJ_obj2txt(oidBuf, sizeof(oidBuf), obj, 1);
+            if (oidLen > 0) {
+
+                /* Create Java String and add to array */
+                ekuStr = (*jenv)->NewStringUTF(jenv, oidBuf);
+                if (ekuStr != NULL) {
+                    (*jenv)->SetObjectArrayElement(jenv, ret, idx, ekuStr);
+                    (*jenv)->DeleteLocalRef(jenv, ekuStr);
+                    idx++;
+                }
+            }
+
+            /* Free WOLFSSL_ASN1_OBJECT */
+            wolfSSL_ASN1_OBJECT_free(obj);
+        }
+    }
+
+    return idx;
+}
+
+JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extended_1key_1usage
+  (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+{
+    jobjectArray ret = NULL;
+    jclass stringClass = NULL;
+    unsigned int ekuBits = 0;
+    int ekuCount = 0;
+    int idx = 0;
+    WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+    (void)jcl;
+
+    if (jenv == NULL || x509 == NULL) {
+        return NULL;
+    }
+
+    /* Get extended key usage bitmask from wolfSSL */
+    ekuBits = wolfSSL_X509_get_extended_key_usage(x509);
+    if (ekuBits == 0) {
+        return NULL;
+    }
+
+    /* Count how many EKU bits are set */
+    if (ekuBits & XKU_SSL_SERVER) ekuCount++;
+    if (ekuBits & XKU_SSL_CLIENT) ekuCount++;
+    if (ekuBits & XKU_CODE_SIGN)  ekuCount++;
+    if (ekuBits & XKU_SMIME)      ekuCount++;
+    if (ekuBits & XKU_TIMESTAMP)  ekuCount++;
+    if (ekuBits & XKU_OCSP_SIGN)  ekuCount++;
+
+    if (ekuCount == 0) {
+        return NULL;
+    }
+
+    /* Create String[] array to return */
+    stringClass = (*jenv)->FindClass(jenv, "java/lang/String");
+    if (stringClass == NULL) {
+        return NULL;
+    }
+
+    ret = (*jenv)->NewObjectArray(jenv, ekuCount, stringClass, NULL);
+    if (ret == NULL) {
+        (*jenv)->DeleteLocalRef(jenv, stringClass);
+        return NULL;
+    }
+
+    /* Add each EKU OID string to array */
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_SSL_SERVER,
+        EKU_SERVER_AUTH_OID);
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_SSL_CLIENT,
+        EKU_CLIENT_AUTH_OID);
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_CODE_SIGN,
+        EKU_CODESIGNING_OID);
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_SMIME,
+        EKU_EMAILPROTECT_OID);
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_TIMESTAMP,
+        EKU_TIMESTAMP_OID);
+    idx = addEkuOid(jenv, ret, idx, ekuBits, XKU_OCSP_SIGN,
+        EKU_OCSP_SIGN_OID);
+
+    (*jenv)->DeleteLocalRef(jenv, stringClass);
+
+    return ret;
+}
+
 JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extension
   (JNIEnv* jenv, jclass jcl, jlong x509Ptr, jstring oidIn)
 {

native/com_wolfssl_WolfSSLCertificate.h

@@ -98,6 +98,7 @@ public class WolfSSLCertificate implements Serializable {
     static native int X509_get_pathLength(long x509);
     static native int X509_verify(long x509, byte[] pubKey, int pubKeySz);
     static native boolean[] X509_get_key_usage(long x509);
+    static native String[] X509_get_extended_key_usage(long x509);
     static native byte[] X509_get_extension(long x509, String oid);
     static native int X509_is_extension_set(long x509, String oid);
     static native String X509_get_next_altname(long x509);
@@ -1550,6 +1551,34 @@ public boolean[] getKeyUsage() throws IllegalStateException {
         }
     }
 
+    /**
+     * Get extended key usage OIDs from X.509 certificate.
+     *
+     * Returns an array of OID strings representing the extended key usage
+     * values present in the certificate. Common OIDs include:
+     *   - 1.3.6.1.5.5.7.3.1 (TLS Web Server Authentication / serverAuth)
+     *   - 1.3.6.1.5.5.7.3.2 (TLS Web Client Authentication / clientAuth)
+     *   - 1.3.6.1.5.5.7.3.3 (Code Signing / codeSigning)
+     *   - 1.3.6.1.5.5.7.3.4 (Email Protection / emailProtection)
+     *
+     * @return Array of OID strings, or null if Extended Key Usage extension
+     *         is not present in certificate
+     *
+     * @throws IllegalStateException if WolfSSLCertificate has been freed
+     */
+    public String[] getExtendedKeyUsage() throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        synchronized (x509Lock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.x509Ptr,
+                () -> "entering getExtendedKeyUsage()");
+
+            return X509_get_extended_key_usage(this.x509Ptr);
+        }
+    }
+
     /**
      * Get DER encoded extension value from a specified OID
      *

src/java/com/wolfssl/WolfSSLCertificate.java

@@ -40,6 +40,7 @@
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
 import java.util.Set;
 import java.util.TreeSet;
@@ -319,6 +320,34 @@ public boolean[] getKeyUsage() {
         return this.cert.getKeyUsage();
     }
 
+    @Override
+    public List<String> getExtendedKeyUsage()
+        throws CertificateParsingException {
+
+        String[] ekuArray;
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+            () -> "entered getExtendedKeyUsage()");
+
+        if (this.cert == null) {
+            return null;
+        }
+
+        ekuArray = this.cert.getExtendedKeyUsage();
+        if (ekuArray == null) {
+            return null;
+        }
+
+        /* Convert String[] to List<String> as required by
+         * X509Certificate.getExtendedKeyUsage() API */
+        List<String> ekuList = new ArrayList<String>();
+        for (String oid : ekuArray) {
+            ekuList.add(oid);
+        }
+
+        return Collections.unmodifiableList(ekuList);
+    }
+
     @Override
     public int getBasicConstraints() {
 

src/java/com/wolfssl/provider/jsse/WolfSSLX509.java

@@ -94,7 +94,6 @@ public static void testProviderInstallationAtRuntime()
         try {
             tf = new WolfSSLTestFactory();
         } catch (WolfSSLException e) {
-            // TODO Auto-generated catch block
             e.printStackTrace();
         }
     }
@@ -804,6 +803,70 @@ public void testWolfSSLPrincipalInterfaceImplementation() {
         pass("\t... passed");
     }
 
+    @Test
+    public void testGetExtendedKeyUsage() {
+        X509Certificate x509;
+        List<String> eku;
+
+        System.out.print("\tTesting getExtendedKeyUsage");
+
+        /* skip if wolfSSL compiled with NO_FILESYSTEM */
+        if (WolfSSL.FileSystemEnabled() == false) {
+            pass("\t... skipped");
+            return;
+        }
+
+        try {
+            /* Test with server certificate which has Extended Key Usage
+             * extension with serverAuth and clientAuth */
+            byte[] der = tf.getCert("server");
+            x509 = new WolfSSLX509(der);
+            eku = x509.getExtendedKeyUsage();
+
+            /* Server cert should have EKU extension */
+            if (eku == null) {
+                error("\t... failed");
+                fail("getExtendedKeyUsage() returned null for server cert");
+            }
+
+            /* Server cert should have serverAuth (1.3.6.1.5.5.7.3.1) and
+             * clientAuth (1.3.6.1.5.5.7.3.2) */
+            if (eku.size() != 2) {
+                error("\t... failed");
+                fail("Expected 2 EKU OIDs, got: " + eku.size());
+            }
+
+            if (!eku.contains("1.3.6.1.5.5.7.3.1")) {
+                error("\t... failed");
+                fail("Missing serverAuth OID 1.3.6.1.5.5.7.3.1");
+            }
+
+            if (!eku.contains("1.3.6.1.5.5.7.3.2")) {
+                error("\t... failed");
+                fail("Missing clientAuth OID 1.3.6.1.5.5.7.3.2");
+            }
+
+            /* Verify all OIDs are properly formatted */
+            for (String oid : eku) {
+                if (oid == null || oid.isEmpty()) {
+                    error("\t... failed");
+                    fail("EKU OID is null or empty");
+                }
+                if (!oid.matches("^[0-9]+(\\.[0-9]+)*$")) {
+                    error("\t... failed");
+                    fail("Invalid OID format: " + oid);
+                }
+            }
+
+        } catch (Exception ex) {
+            error("\t... failed");
+            ex.printStackTrace();
+            fail("unexpected exception: " + ex.getMessage());
+        }
+
+        pass("\t... passed");
+    }
+
     @Test
     public void testWolfSSLPrincipalImplies() {
         Subject emptySubject, subjectWithPrincipals;

src/test/com/wolfssl/provider/jsse/test/WolfSSLX509Test.java

@@ -140,6 +140,7 @@ public void test_runCertTestsAfterConstructor() {
             /* Key Usage and Extended Key Usage only work with wolfSSL
              * later than 5.6.3 */
             test_getKeyUsage();
+            test_getExtendedKeyUsage();
         }
         test_getExtensionSet();
         test_toString();
@@ -600,6 +601,60 @@ public void test_getKeyUsage() {
         System.out.println("\t\t... passed");
     }
 
+    public void test_getExtendedKeyUsage() {
+        int i;
+        String[] eku;
+        String[] expected = {
+            "1.3.6.1.5.5.7.3.1",  /* TLS Web Server Authentication */
+            "1.3.6.1.5.5.7.3.2"   /* TLS Web Client Authentication */
+        };
+
+        System.out.print("\t\tgetExtendedKeyUsage");
+
+        /* Client cert has Extended Key Usage extension with serverAuth
+         * and clientAuth */
+        eku = this.cert.getExtendedKeyUsage();
+        if (eku == null) {
+            System.out.println("\t... failed");
+            fail("getExtendedKeyUsage() returned null for client cert");
+        }
+
+        if (eku.length != expected.length) {
+            System.out.println("\t... failed");
+            fail("Expected " + expected.length + " EKU OIDs, got: " +
+                 eku.length);
+        }
+
+        /* Verify expected OIDs are present */
+        for (i = 0; i < expected.length; i++) {
+            boolean found = false;
+            for (String oid : eku) {
+                if (oid.equals(expected[i])) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                System.out.println("\t... failed");
+                fail("Missing expected OID: " + expected[i]);
+            }
+        }
+
+        /* Verify all OIDs are properly formatted */
+        for (i = 0; i < eku.length; i++) {
+            if (eku[i] == null || eku[i].isEmpty()) {
+                System.out.println("\t... failed");
+                fail("Extended key usage OID is null or empty");
+            }
+            if (!eku[i].matches("^[0-9]+(\\.[0-9]+)*$")) {
+                System.out.println("\t... failed");
+                fail("Invalid OID format: " + eku[i]);
+            }
+        }
+
+        System.out.println("\t... passed");
+    }
+
     public void test_getExtensionSet() {
         System.out.print("\t\tgetExtensionSet");