Add check for KeyUsage bit

Signed-off-by: Jiewen Yao <[email protected]>

library/spdm_requester_lib/libspdm_req_encap_challenge_auth.c

@@ -84,6 +84,16 @@ libspdm_return_t libspdm_get_encap_response_challenge_auth(
             response_size, response);
     }
 
+    if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+        context->connection_info.multi_key_conn_req) {
+        if ((context->local_context.local_key_usage_bit_mask[slot_id] &
+             SPDM_KEY_USAGE_BIT_MASK_CHALLENGE_USE) == 0) {
+            return libspdm_generate_encap_error_response(
+                context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                response_size, response);
+        }
+    }
+
     libspdm_reset_message_buffer_via_request_code(context, NULL,
                                                   spdm_request->header.request_response_code);
 

library/spdm_responder_lib/libspdm_rsp_challenge_auth.c

@@ -113,6 +113,16 @@ libspdm_return_t libspdm_get_response_challenge_auth(libspdm_context_t *spdm_con
         }
     }
 
+    if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+        spdm_context->connection_info.multi_key_conn_rsp) {
+        if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
+             SPDM_KEY_USAGE_BIT_MASK_CHALLENGE_USE) == 0) {
+            return libspdm_generate_error_response(
+                spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
+                0, response_size, response);
+        }
+    }
+
     signature_size = libspdm_get_asym_signature_size(
         spdm_context->connection_info.algorithm.base_asym_algo);
     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);

library/spdm_responder_lib/libspdm_rsp_key_exchange.c

@@ -280,6 +280,16 @@ libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_conte
         }
     }
 
+    if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+        spdm_context->connection_info.multi_key_conn_rsp) {
+        if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
+             SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE) == 0) {
+            return libspdm_generate_error_response(
+                spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
+                0, response_size, response);
+        }
+    }
+
     spdm_context->connection_info.local_used_cert_chain_slot_id = slot_id;
 
     signature_size = libspdm_get_asym_signature_size(

library/spdm_responder_lib/libspdm_rsp_measurements.c

@@ -383,6 +383,17 @@ libspdm_return_t libspdm_get_response_measurements(libspdm_context_t *spdm_conte
                         0, response_size, response);
                 }
             }
+
+            if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+                spdm_context->connection_info.multi_key_conn_rsp) {
+                if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id_param] &
+                    SPDM_KEY_USAGE_BIT_MASK_MEASUREMENT_USE) == 0) {
+                    return libspdm_generate_error_response(
+                        spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
+                        0, response_size, response);
+                }
+            }
+
             spdm_response->header.param2 = slot_id_param;
             if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
                 spdm_response->header.param2 = slot_id_param |