From f4ad808d12443216f6355135b29a4fea01578004 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 5 Feb 2018 16:39:24 -0800 Subject: [PATCH 1/5] Added check to enforce RFC 5280 Sec 4.2.1.10 rule: "The name constraints extension, which MUST be used only in a CA certificate". Added new define `WOLFSSL_NO_ASN_STRICT` to restore old behavior for compatability. Fix wc_port time `HAVE_RTP_SYS` (noticed it was missed during ASN time move to wc_port). --- wolfcrypt/src/asn.c | 13 ++++++++----- wolfcrypt/src/wc_port.c | 6 +++--- wolfssl/wolfcrypt/wc_port.h | 3 +++ 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index f5870169a..15b550bcc 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -34,6 +34,8 @@ ASN Options: * ASN_DUMP_OID: Allows dump of OID information for debugging. * RSA_DECODE_EXTRA: Decodes extra information in RSA public key. * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. + * WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to + restore 3.13.0 behavior. * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer must still be trusted) * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert @@ -48,11 +50,6 @@ ASN Options: #ifndef NO_ASN -#ifdef HAVE_RTP_SYS - #include "os.h" /* dc_rtc_api needs */ - #include "dc_rtc_api.h" /* to get current time */ -#endif - #include #include #include @@ -6337,6 +6334,12 @@ static int DecodeCertExtensions(DecodedCert* cert) #ifndef IGNORE_NAME_CONSTRAINTS case NAME_CONS_OID: + #ifndef WOLFSSL_NO_ASN_STRICT + if (!cert->ca) { + WOLFSSL_MSG("Name constraints allowed only for CA certs"); + return ASN_NAME_INVALID_E; + } + #endif cert->extNameConstraintSet = 1; #ifdef OPENSSL_EXTRA cert->extNameConstraintCrit = critical; diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index c9bf6d87b..acbd675db 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -38,11 +38,11 @@ /* IPP header files for library initialization */ #ifdef HAVE_FAST_RSA -#include -#include + #include + #include #endif -#if defined(FREESCALE_LTC_TFM) +#ifdef FREESCALE_LTC_TFM #include #endif diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 2445f91c3..4924517be 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -357,6 +357,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define NEED_TMP_TIME #elif defined(HAVE_RTP_SYS) + #include "os.h" /* dc_rtc_api needs */ + #include "dc_rtc_api.h" /* to get current time */ + /* uses parital structures */ #define XTIME(tl) (0) #define XGMTIME(c, t) rtpsys_gmtime((c)) From d9002bb0720a34bc54826396b08c489b2f7d7ccf Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 5 Feb 2018 17:04:50 -0800 Subject: [PATCH 2/5] Fix to enforce RFC 5280 Sec 4.2.1.6: "The name MUST NOT be a relative URI". Verifies the URI contains "://". Can be disabled using `WOLFSSL_NO_ASN_STRICT`. --- wolfcrypt/src/asn.c | 18 ++++++++++++++++-- wolfcrypt/src/error.c | 3 +++ wolfssl/wolfcrypt/error-crypt.h | 1 + 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 15b550bcc..4164bcadf 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5433,6 +5433,16 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) } length -= (idx - lenStartIdx); + #ifndef WOLFSSL_NO_ASN_STRICT + /* Verify RFC 5280 Sec 4.2.1.6 rule: + "The name MUST NOT be a relative URI" */ + + if (XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0) { + WOLFSSL_MSG("\tAlt Name must be absolute URI"); + return ASN_ALT_NAME_E; + } + #endif + uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, DYNAMIC_TYPE_ALTNAME); if (uriEntry == NULL) { @@ -6264,8 +6274,9 @@ static int DecodeCertExtensions(DecodedCert* cert) cert->extSubjAltNameSet = 1; cert->extSubjAltNameCrit = critical; #endif - if (DecodeAltNames(&input[idx], length, cert) < 0) - return ASN_PARSE_E; + ret = DecodeAltNames(&input[idx], length, cert); + if (ret < 0) + return ret; break; case AUTH_KEY_OID: @@ -6335,6 +6346,9 @@ static int DecodeCertExtensions(DecodedCert* cert) #ifndef IGNORE_NAME_CONSTRAINTS case NAME_CONS_OID: #ifndef WOLFSSL_NO_ASN_STRICT + /* Verify RFC 5280 Sec 4.2.1.10 rule: + "The name constraints extension, + which MUST be used only in a CA certificate" */ if (!cert->ca) { WOLFSSL_MSG("Name constraints allowed only for CA certs"); return ASN_NAME_INVALID_E; diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index add4f6458..7b52791c9 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -206,6 +206,9 @@ const char* wc_GetErrorString(int error) case ASN_CRIT_EXT_E: return "X.509 Critical extension ignored or invalid"; + case ASN_ALT_NAME_E: + return "ASN alternate name error"; + case ECC_BAD_ARG_E : return "ECC input argument wrong type, invalid input"; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 9ca0c1a2b..c047dfec9 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -97,6 +97,7 @@ enum { ASN_DH_KEY_E = -158, /* ASN key init error, invalid input */ ASN_NTRU_KEY_E = -159, /* ASN ntru key decode error, invalid input */ ASN_CRIT_EXT_E = -160, /* ASN unsupported critical extension */ + ASN_ALT_NAME_E = -161, /* ASN alternate name error */ ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */ ASN_ECC_KEY_E = -171, /* ASN ECC bad input */ From d78e45dbb6cc0570217036750b225b87a67dbd10 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 6 Feb 2018 14:33:03 -0800 Subject: [PATCH 3/5] Added check to enforce RFC 5280 Sec 4.2: "A certificate MUST NOT include more than one instance of a particular extension". Refactor of the `DecodedCert` struct to combine bit type options into bit-fields. Fix for wolfCrypt test for error codes to allow `-161`. --- wolfcrypt/src/asn.c | 56 ++++++++++++++++++++++++++------ wolfcrypt/test/test.c | 2 +- wolfssl/wolfcrypt/asn.h | 72 +++++++++++++++++++++++------------------ 3 files changed, 88 insertions(+), 42 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 4164bcadf..066e21ab8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6175,6 +6175,30 @@ int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz) } #endif /* WOLFSSL_SEP */ +/* Macro to check if bit is set, if not sets and return success. + Otherwise returns failure */ +#ifndef WOLFSSL_NO_ASN_STRICT + #define VERIFY_AND_SET_OID(bit) \ + ({ \ + int bitvalid; \ + if (bit == 0) { \ + bit = 1; \ + bitvalid = 0; /* success */ \ + } \ + else { \ + bitvalid = -1; /* fail */ \ + } \ + bitvalid; \ + }) +#else + /* With no strict defined, the verify is skipped */ + #define VERIFY_AND_SET_OID(bit) \ + ({ \ + bit = 1; \ + 0; /* success */ \ + }) +#endif + static int DecodeCertExtensions(DecodedCert* cert) /* * Processing the Certificate Extensions. This does not modify the current @@ -6243,8 +6267,9 @@ static int DecodeCertExtensions(DecodedCert* cert) switch (oid) { case BASIC_CA_OID: + if (VERIFY_AND_SET_OID(cert->extBasicConstSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA - cert->extBasicConstSet = 1; cert->extBasicConstCrit = critical; #endif if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0) @@ -6252,8 +6277,9 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case CRL_DIST_OID: + if (VERIFY_AND_SET_OID(cert->extCRLdistSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA - cert->extCRLdistSet = 1; cert->extCRLdistCrit = critical; #endif if (DecodeCrlDist(&input[idx], length, cert) < 0) @@ -6261,8 +6287,9 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case AUTH_INFO_OID: + if (VERIFY_AND_SET_OID(cert->extAuthInfoSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA - cert->extAuthInfoSet = 1; cert->extAuthInfoCrit = critical; #endif if (DecodeAuthInfo(&input[idx], length, cert) < 0) @@ -6270,8 +6297,9 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case ALT_NAMES_OID: + if (VERIFY_AND_SET_OID(cert->extSubjAltNameSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA - cert->extSubjAltNameSet = 1; cert->extSubjAltNameCrit = critical; #endif ret = DecodeAltNames(&input[idx], length, cert); @@ -6280,7 +6308,8 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case AUTH_KEY_OID: - cert->extAuthKeyIdSet = 1; + if (VERIFY_AND_SET_OID(cert->extAuthKeyIdSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA cert->extAuthKeyIdCrit = critical; #endif @@ -6289,7 +6318,8 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case SUBJ_KEY_OID: - cert->extSubjKeyIdSet = 1; + if (VERIFY_AND_SET_OID(cert->extSubjKeyIdSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA cert->extSubjKeyIdCrit = critical; #endif @@ -6311,8 +6341,9 @@ static int DecodeCertExtensions(DecodedCert* cert) case CERT_POLICY_OID: #ifdef WOLFSSL_SEP + if (VERIFY_AND_SET_OID(cert->extCertPolicySet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA - cert->extCertPolicySet = 1; cert->extCertPolicyCrit = critical; #endif #endif @@ -6326,7 +6357,8 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case KEY_USAGE_OID: - cert->extKeyUsageSet = 1; + if (VERIFY_AND_SET_OID(cert->extKeyUsageSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA cert->extKeyUsageCrit = critical; #endif @@ -6335,7 +6367,8 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case EXT_KEY_USAGE_OID: - cert->extExtKeyUsageSet = 1; + if (VERIFY_AND_SET_OID(cert->extExtKeyUsageSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA cert->extExtKeyUsageCrit = critical; #endif @@ -6354,7 +6387,8 @@ static int DecodeCertExtensions(DecodedCert* cert) return ASN_NAME_INVALID_E; } #endif - cert->extNameConstraintSet = 1; + if (VERIFY_AND_SET_OID(cert->extNameConstraintSet)) + return ASN_OBJECT_ID_E; #ifdef OPENSSL_EXTRA cert->extNameConstraintCrit = critical; #endif @@ -6364,6 +6398,8 @@ static int DecodeCertExtensions(DecodedCert* cert) #endif /* IGNORE_NAME_CONSTRAINTS */ case INHIBIT_ANY_OID: + if (VERIFY_AND_SET_OID(cert->inhibitAnyOidSet)) + return ASN_OBJECT_ID_E; WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); break; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 9728f8193..61c531ef4 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1026,7 +1026,7 @@ int error_test(void) int j = 0; /* Values that are not or no longer error codes. */ int missing[] = { -122, -123, -124, -127, -128, -129, - -161, -162, -163, -164, -165, -166, -167, -168, -169, + -162, -163, -164, -165, -166, -167, -168, -169, -179, -233, 0 }; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 7496c463b..1b3017221 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -549,7 +549,6 @@ struct DecodedCert { char* subjectCN; /* CommonName */ int subjectCNLen; /* CommonName Length */ char subjectCNEnc; /* CommonName Encoding */ - int subjectCNStored; /* have we saved a copy we own */ char issuer[ASN_NAME_MAX]; /* full name including common name */ char subject[ASN_NAME_MAX]; /* full name including common name */ int verify; /* Default to yes, but could be off */ @@ -567,36 +566,12 @@ struct DecodedCert { byte* extCrlInfo; /* CRL Distribution Points */ int extCrlInfoSz; /* length of the URI */ byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */ - byte extSubjKeyIdSet; /* Set when the SKID was read from cert */ byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */ - byte extAuthKeyIdSet; /* Set when the AKID was read from cert */ -#ifndef IGNORE_NAME_CONSTRAINTS - byte extNameConstraintSet; -#endif /* IGNORE_NAME_CONSTRAINTS */ - byte isCA; /* CA basic constraint true */ - byte pathLengthSet; /* CA basic const path length set */ byte pathLength; /* CA basic constraint path length */ - byte weOwnAltNames; /* altNames haven't been given to copy */ - byte extKeyUsageSet; word16 extKeyUsage; /* Key usage bitfield */ - byte extExtKeyUsageSet; /* Extended Key Usage */ byte extExtKeyUsage; /* Extended Key usage bitfield */ + #ifdef OPENSSL_EXTRA - byte extCRLdistSet; - byte extCRLdistCrit; - byte extAuthInfoSet; - byte extAuthInfoCrit; - byte extBasicConstSet; - byte extBasicConstCrit; - byte extSubjAltNameSet; - byte extSubjAltNameCrit; - byte extAuthKeyIdCrit; -#ifndef IGNORE_NAME_CONSTRAINTS - byte extNameConstraintCrit; -#endif /* IGNORE_NAME_CONSTRAINTS */ - byte extSubjKeyIdCrit; - byte extKeyUsageCrit; - byte extExtKeyUsageCrit; byte* extExtKeyUsageSrc; word32 extExtKeyUsageSz; word32 extExtKeyUsageCount; @@ -605,6 +580,7 @@ struct DecodedCert { byte* extSubjKeyIdSrc; word32 extSubjKeyIdSz; #endif + #if defined(HAVE_ECC) || defined(HAVE_ED25519) word32 pkCurveOID; /* Public Key's curve OID */ #endif /* HAVE_ECC */ @@ -620,7 +596,7 @@ struct DecodedCert { byte* subjectRaw; /* pointer to subject inside source */ int subjectRawLen; #endif -#if defined(WOLFSSL_CERT_GEN) +#ifdef WOLFSSL_CERT_GEN /* easy access to subject info for other sign */ char* subjectSN; int subjectSNLen; @@ -654,10 +630,6 @@ struct DecodedCert { byte* hwType; int hwSerialNumSz; byte* hwSerialNum; - #ifdef OPENSSL_EXTRA - byte extCertPolicySet; - byte extCertPolicyCrit; - #endif /* OPENSSL_EXTRA */ #endif /* WOLFSSL_SEP */ #ifdef WOLFSSL_CERT_EXT char extCertPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; @@ -666,6 +638,44 @@ struct DecodedCert { Signer* ca; SignatureCtx sigCtx; + + /* Option Bits */ + byte subjectCNStored : 1; /* have we saved a copy we own */ + byte extSubjKeyIdSet : 1; /* Set when the SKID was read from cert */ + byte extAuthKeyIdSet : 1; /* Set when the AKID was read from cert */ +#ifndef IGNORE_NAME_CONSTRAINTS + byte extNameConstraintSet : 1; +#endif + byte isCA : 1; /* CA basic constraint true */ + byte pathLengthSet : 1; /* CA basic const path length set */ + byte weOwnAltNames : 1; /* altNames haven't been given to copy */ + byte extKeyUsageSet : 1; + byte extExtKeyUsageSet : 1; /* Extended Key Usage set */ + byte extCRLdistSet : 1; + byte extAuthInfoSet : 1; + byte extBasicConstSet : 1; + byte extSubjAltNameSet : 1; + byte inhibitAnyOidSet : 1; +#ifdef WOLFSSL_SEP + byte extCertPolicySet : 1; +#endif +#ifdef OPENSSL_EXTRA + byte extCRLdistCrit : 1; + byte extAuthInfoCrit : 1; + byte extBasicConstCrit : 1; + byte extSubjAltNameCrit : 1; + byte extAuthKeyIdCrit : 1; + #ifndef IGNORE_NAME_CONSTRAINTS + byte extNameConstraintCrit : 1; + #endif + byte extSubjKeyIdCrit : 1; + byte extKeyUsageCrit : 1; + byte extExtKeyUsageCrit : 1; +#endif /* OPENSSL_EXTRA */ +#ifdef WOLFSSL_SEP + byte extCertPolicyCrit : 1; +#endif + }; From 4a6bb20ba6bc3e2c1d0695c3de5da814f1393b88 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 7 Feb 2018 12:17:03 -0800 Subject: [PATCH 4/5] Refactor the `VERIFY_AND_SET_OID` macro to simplify so it works on older C compilers like Visual Studio. --- wolfcrypt/src/asn.c | 55 ++++++++++++++------------------------------- 1 file changed, 17 insertions(+), 38 deletions(-) mode change 100644 => 100755 wolfcrypt/src/asn.c diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c old mode 100644 new mode 100755 index 066e21ab8..de81d3f35 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6177,26 +6177,16 @@ int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz) /* Macro to check if bit is set, if not sets and return success. Otherwise returns failure */ +/* Macro required here because bit-field operation */ #ifndef WOLFSSL_NO_ASN_STRICT #define VERIFY_AND_SET_OID(bit) \ - ({ \ - int bitvalid; \ - if (bit == 0) { \ + if (bit == 0) \ bit = 1; \ - bitvalid = 0; /* success */ \ - } \ - else { \ - bitvalid = -1; /* fail */ \ - } \ - bitvalid; \ - }) + else \ + return ASN_OBJECT_ID_E; #else /* With no strict defined, the verify is skipped */ - #define VERIFY_AND_SET_OID(bit) \ - ({ \ - bit = 1; \ - 0; /* success */ \ - }) +#define VERIFY_AND_SET_OID(bit) bit = 1; #endif static int DecodeCertExtensions(DecodedCert* cert) @@ -6205,7 +6195,7 @@ static int DecodeCertExtensions(DecodedCert* cert) * index. It is works starting with the recorded extensions pointer. */ { - int ret; + int ret = 0; word32 idx = 0; int sz = cert->extensionsSz; byte* input = cert->extensions; @@ -6267,8 +6257,7 @@ static int DecodeCertExtensions(DecodedCert* cert) switch (oid) { case BASIC_CA_OID: - if (VERIFY_AND_SET_OID(cert->extBasicConstSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extBasicConstSet); #ifdef OPENSSL_EXTRA cert->extBasicConstCrit = critical; #endif @@ -6277,8 +6266,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case CRL_DIST_OID: - if (VERIFY_AND_SET_OID(cert->extCRLdistSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extCRLdistSet); #ifdef OPENSSL_EXTRA cert->extCRLdistCrit = critical; #endif @@ -6287,8 +6275,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case AUTH_INFO_OID: - if (VERIFY_AND_SET_OID(cert->extAuthInfoSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extAuthInfoSet); #ifdef OPENSSL_EXTRA cert->extAuthInfoCrit = critical; #endif @@ -6297,8 +6284,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case ALT_NAMES_OID: - if (VERIFY_AND_SET_OID(cert->extSubjAltNameSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extSubjAltNameSet); #ifdef OPENSSL_EXTRA cert->extSubjAltNameCrit = critical; #endif @@ -6308,8 +6294,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case AUTH_KEY_OID: - if (VERIFY_AND_SET_OID(cert->extAuthKeyIdSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extAuthKeyIdSet); #ifdef OPENSSL_EXTRA cert->extAuthKeyIdCrit = critical; #endif @@ -6318,8 +6303,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case SUBJ_KEY_OID: - if (VERIFY_AND_SET_OID(cert->extSubjKeyIdSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extSubjKeyIdSet); #ifdef OPENSSL_EXTRA cert->extSubjKeyIdCrit = critical; #endif @@ -6341,8 +6325,7 @@ static int DecodeCertExtensions(DecodedCert* cert) case CERT_POLICY_OID: #ifdef WOLFSSL_SEP - if (VERIFY_AND_SET_OID(cert->extCertPolicySet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extCertPolicySet); #ifdef OPENSSL_EXTRA cert->extCertPolicyCrit = critical; #endif @@ -6357,8 +6340,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case KEY_USAGE_OID: - if (VERIFY_AND_SET_OID(cert->extKeyUsageSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extKeyUsageSet); #ifdef OPENSSL_EXTRA cert->extKeyUsageCrit = critical; #endif @@ -6367,8 +6349,7 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case EXT_KEY_USAGE_OID: - if (VERIFY_AND_SET_OID(cert->extExtKeyUsageSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extExtKeyUsageSet); #ifdef OPENSSL_EXTRA cert->extExtKeyUsageCrit = critical; #endif @@ -6387,8 +6368,7 @@ static int DecodeCertExtensions(DecodedCert* cert) return ASN_NAME_INVALID_E; } #endif - if (VERIFY_AND_SET_OID(cert->extNameConstraintSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->extNameConstraintSet); #ifdef OPENSSL_EXTRA cert->extNameConstraintCrit = critical; #endif @@ -6398,8 +6378,7 @@ static int DecodeCertExtensions(DecodedCert* cert) #endif /* IGNORE_NAME_CONSTRAINTS */ case INHIBIT_ANY_OID: - if (VERIFY_AND_SET_OID(cert->inhibitAnyOidSet)) - return ASN_OBJECT_ID_E; + VERIFY_AND_SET_OID(cert->inhibitAnyOidSet); WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); break; From c2a0de93b839c8a854f3b481cc1643789d01ed96 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 7 Feb 2018 12:48:33 -0800 Subject: [PATCH 5/5] Fix to resolve wolfCrypt test for `cert_test nameConstraints test. Fixed ASN check to properly determine if certificate is CA type. --- certs/test/cert-ext-ia.cfg | 2 +- certs/test/cert-ext-ia.der | Bin 1030 -> 1022 bytes certs/test/cert-ext-nc.cfg | 6 +++++- certs/test/cert-ext-nc.der | Bin 1052 -> 1146 bytes certs/test/gen-ext-certs.sh | 8 ++++++-- wolfcrypt/src/asn.c | 2 +- 6 files changed, 13 insertions(+), 5 deletions(-) mode change 100644 => 100755 certs/test/gen-ext-certs.sh diff --git a/certs/test/cert-ext-ia.cfg b/certs/test/cert-ext-ia.cfg index 8721916b3..44be1126a 100644 --- a/certs/test/cert-ext-ia.cfg +++ b/certs/test/cert-ext-ia.cfg @@ -10,7 +10,7 @@ L = Brisbane O = wolfSSL Inc OU = Engineering CN = www.wolfssl.com -emailAddress = support@www.wolfsssl.com +emailAddress = support@wolfsssl.com [ v3_ca ] inhibitAnyPolicy = critical,1 diff --git a/certs/test/cert-ext-ia.der b/certs/test/cert-ext-ia.der index 73ea7c0a86f18a8789a72c2caa3c83bed8189f9e..1099fa986450321bf14e993280d5923725e0ff56 100644 GIT binary patch delta 414 zcmZqU_{Xkg(8T=9po!_x0%j&gCMHgXvjX2|uK2X6+JKjhQ>)FR?K>|cBR4C9LF0mn zA8Xu|4HV(RoQz^3#ia!W`9&oT<@q^j#l^)rddc~@26E!Oh86}!2IfWvCZ+~PQDCmI zfhCj+F-iiLQJXs%YZ>dO?q0b+p=OtwHRI}hyR(%W4o#X=rxeS7+hxwZ#cU6AEyNR= zuJLmR?NYGS?_!<1dG$xlzbAO!^M8$>d!T5iZp*ByufnP7vu>Y%yZha;#>-2xCf)tR zBfIwCedcsaS&x)+?e;#Jsa|(8C-8>(AD_=x!hYKC%zE#l$F(ZYk`K2nSW(~WkmDnB z@$s3or5k;R4S3l&wc0$|zVk9Na z86c*vJ|Xtpg14S0@7FDoTcugOP}(N2AotM0#U2a43Lf9j8}h58=)Kux{T+vMYRYxB zPcCJOdKY#c*Eag4oc-arPQCt` z91iVrj^8GU8SkRvCzWu$ogQLh%wgDh1H_1Y_b)AKkS;IxmSQ{Ly)bcdzqKNbt>gUhQ+<BdEOadB~uUUGh}ft)z6p@o5wfw_@^iK&566qsvl zUW@P-&!ePM1$oQX$k->luB*qUCV_{}uY@58FDYkyq%(
k|oCVYKmh%RVxQ3FS??aY97+Ewi$bi-L&9|KnZtE{R(b zyt_ZQ>a|DT*mlXcS!o|9W8Lza{2z_UidnWn!i}@9gk4T8S$K4c?WFUMtDk>3^EJTu JO9s=qYXGL^#p?h7 delta 430 zcmeyxF^5CTpovAopoy7b0W%XL6B8%HuEJ#BY5Z@y40zc%wc0$|zVk9Na+=U?K6!R9jE@r_G~zCC%~V# zU3f_jyKB*%!pxdG&s%w=<}A>-`@=qX8(+iWDt+#KPQPaE%+5~dcUdt%qgl`5>813A z8|T@%Z!Uup@NP7CZX>V&|xC@&9zkHJO_2%t+7O!OTBi|G}Uuu5meDj5NpX^Z1 zALrLh^sk>b{kFEpLHm#yk>$Vi+E+Z)y7ZJ~(WROGyM(@%6qv;*t61EdlD%WzHcwLq zHg|7h&DlqnF-q`HnNsT6eR-8j$6t**w;dyy>duQ5MV#)r_{TJLVUy#7vqc$ca) { + if (!cert->isCA) { WOLFSSL_MSG("Name constraints allowed only for CA certs"); return ASN_NAME_INVALID_E; }