feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Add error case for critical Auth Key ID extension

Browse Source
This commit is contained in:
John Safranek
2018-06-28 13:03:16 -07:00
parent ac3eb470f9
commit 6fa92fdd71
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
wolfcrypt/src/asn.c
View File

@ -6649,6 +6649,17 @@ static int DecodeCertExtensions(DecodedCert* cert)
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
cert->extAuthKeyIdCrit = critical; cert->extAuthKeyIdCrit = critical;
#endif #endif
#ifndef WOLFSSL_ALLOW_CRIT_SKID
/* This check is added due to RFC 5280 section 4.2.1.1
* stating that conforming CA's must mark this extension
* as non-critical. When parsing extensions check that
* certificate was made in compliance with this. */
if (critical) {
WOLFSSL_MSG("Critical Auth Key ID is not allowed");
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
return ASN_CRIT_EXT_E;
}
#endif
if (DecodeAuthKeyId(&input[idx], length, cert) < 0) if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
break; break;