[crypto] Parse X.509 extended key usage extension

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/include/ipxe/asn1.h

@@ -140,6 +140,18 @@ struct asn1_cursor {
 	ASN1_OID_INITIAL ( 2, 5 ), ASN1_OID_SINGLE ( 29 ),	\
 	ASN1_OID_SINGLE ( 19 )
 
+/** ASN.1 OID for id-ce-extKeyUsage (2.5.29.37) */
+#define ASN1_OID_EXTKEYUSAGE					\
+	ASN1_OID_INITIAL ( 2, 5 ), ASN1_OID_SINGLE ( 29 ),	\
+	ASN1_OID_SINGLE ( 37 )
+
+/** ASN.1 OID for id-kp-codeSigning (1.3.6.1.5.5.7.3.3) */
+#define ASN1_OID_CODESIGNING					\
+	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ),		\
+	ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 3 )
+
 /** Define an ASN.1 cursor containing an OID */
 #define ASN1_OID_CURSOR( oid_value ) {				\
 		.data = oid_value,				\

src/include/ipxe/x509.h

@@ -113,12 +113,29 @@ enum x509_key_usage_bits {
 	X509_DECIPHER_ONLY = 0x8000,
 };
 
+/** An X.509 certificate extended key usage */
+struct x509_extended_key_usage {
+	/** Usage bits */
+	unsigned int bits;
+};
+
+/** X.509 certificate extended key usage bits
+ *
+ * Extended key usages are identified by OID; these bits are purely an
+ * internal definition.
+ */
+enum x509_extended_key_usage_bits {
+	X509_CODE_SIGNING = 0x0001,
+};
+
 /** An X.509 certificate extensions set */
 struct x509_extensions {
 	/** Basic constraints */
 	struct x509_basic_constraints basic;
 	/** Key usage */
 	struct x509_key_usage usage;
+	/** Extended key usage */
+	struct x509_extended_key_usage ext_usage;
 };
 
 /** An X.509 certificate */
@@ -161,6 +178,16 @@ struct x509_extension {
 			  const struct asn1_cursor *raw );
 };
 
+/** An X.509 key purpose */
+struct x509_key_purpose {
+	/** Name */
+	const char *name;
+	/** Object identifier */
+	struct asn1_cursor oid;
+	/** Extended key usage bits */
+	unsigned int bits;
+};
+
 /** An X.509 root certificate store */
 struct x509_root {
 	/** Fingerprint digest algorithm */