Prefer specific KeyUsage for RSA certs

jpstotz · Jul 7, 2020 · 8042341 · 8042341
1 parent ea7837f
commit 8042341
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509KeyManager.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509KeyManager.java
@@ -530,6 +530,19 @@ private static Match.Quality getCertificateQuality(X509Certificate certificate,
             }
         }
 
+        /*
+         * Prefer RSA certificates with more specific KeyUsage over "multi-use" ones.
+         */
+        if ("RSA".equalsIgnoreCase(JsseUtils.getPublicKeyAlgorithm(certificate.getPublicKey())))
+        {
+            boolean[] keyUsage = certificate.getKeyUsage();
+            if (ProvAlgorithmChecker.supportsKeyUsage(keyUsage, ProvAlgorithmChecker.KU_DIGITAL_SIGNATURE) &&
+                ProvAlgorithmChecker.supportsKeyUsage(keyUsage, ProvAlgorithmChecker.KU_KEY_ENCIPHERMENT))
+            {
+                return Match.Quality.RSA_MULTI_USE; 
+            }
+        }
+
         return Match.Quality.OK;
     }
 
@@ -654,6 +667,7 @@ private static final class Match
         static enum Quality
         {
             OK,
+            RSA_MULTI_USE,
             MISMATCH_SNI,
             EXPIRED,
             // TODO[jsse] Consider allowing certificates with invalid ExtendedKeyUsage and/or KeyUsage (as SunJSSE does)