feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix RFC references and add WOLFSSL_ALLOW_CRIT_AIA

Browse Source
This commit is contained in:
Eric Blankenhorn
2023-07-24 09:20:30 -05:00
parent d3202600a4
commit a19a0537ee
1 changed files with 55 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
wolfcrypt/src/asn.c
View File

@ -18974,9 +18974,9 @@ enum {
#define authKeyIdASN_Length (sizeof(authKeyIdASN) / sizeof(ASNItem))
#endif
/* Decode authority information access extension in a certificate.
/* Decode authority key identifier extension in a certificate.
*
* X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
* X.509: RFC 5280, 4.2.1.1 - Authority Key Identifier.
*
* @param [in] input Buffer holding data.
* @param [in] sz Size of data in buffer.
@ -19098,7 +19098,7 @@ static int DecodeAuthKeyId(const byte* input, word32 sz, DecodedCert* cert)
/* Decode subject key id extension in a certificate.
*
* X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
* X.509: RFC 5280, 4.2.1.2 - Subject Key Identifier.
*
* @param [in] input Buffer holding data.
* @param [in] sz Size of data in buffer.
@ -19148,7 +19148,7 @@ enum {
/* Decode key usage extension in a certificate.
*
* X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
* X.509: RFC 5280, 4.2.1.3 - Key Usage.
*
* @param [in] input Buffer holding data.
* @param [in] sz Size of data in buffer.
@ -19880,7 +19880,7 @@ exit:
return ASN_PARSE_E;
}
#ifndef WOLFSSL_DUP_CERTPOL
/* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST
/* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST
* NOT appear more than once in a certificate policies
* extension". This is a sanity check for duplicates.
* extCertPolicies should only have OID values, additional
@ -19989,7 +19989,7 @@ exit:
}
}
#ifndef WOLFSSL_DUP_CERTPOL
/* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST
/* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST
* NOT appear more than once in a certificate policies
* extension". This is a sanity check for duplicates.
* extCertPolicies should only have OID values, additional
@ -20327,7 +20327,19 @@ static int DecodeExtensionType(const byte* input, word32 length, word32 oid,
case AUTH_INFO_OID:
VERIFY_AND_SET_OID(cert->extAuthInfoSet);
cert->extAuthInfoCrit = critical ? 1 : 0;
if (DecodeAuthInfo(input, length, cert) < 0) {
#ifndef WOLFSSL_ALLOW_CRIT_AIA
/* This check is added due to RFC 5280 section 4.2.2.1
* stating that conforming CA's must mark this extension
* as non-critical. When parsing extensions check that
* certificate was made in compliance with this. */
if (critical) {
WOLFSSL_MSG("Critical Authority Information Access is not"
"allowed");
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_AIA if wanted");
ret = ASN_CRIT_EXT_E;
}
#endif
if ((ret == 0) && (DecodeAuthInfo(input, length, cert) < 0)) {
ret = ASN_PARSE_E;
}
break;
@ -20343,14 +20355,14 @@ static int DecodeExtensionType(const byte* input, word32 length, word32 oid,
case AUTH_KEY_OID:
VERIFY_AND_SET_OID(cert->extAuthKeyIdSet);
cert->extAuthKeyIdCrit = critical ? 1 : 0;
#ifndef WOLFSSL_ALLOW_CRIT_SKID
#ifndef WOLFSSL_ALLOW_CRIT_AKID
/* This check is added due to RFC 5280 section 4.2.1.1
* stating that conforming CA's must mark this extension
* as non-critical. When parsing extensions check that
* certificate was made in compliance with this. */
if (critical) {
WOLFSSL_MSG("Critical Auth Key ID is not allowed");
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_AKID if wanted");
ret = ASN_CRIT_EXT_E;
}
#endif