From c1218a541b24cb5a1a53a7c36266a415b8fe7874 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 18 Dec 2019 17:57:48 +1000
Subject: [PATCH] Check name hash after matching AKID

RFC 5280, Section 4.1.2.6: If the subject is a CA (e.g., the basic constraints extension, as discussed in Section 4.2.1.9, is present and the value of cA is TRUE), then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA. The subject name must match - even when the AKID matches.
---
 wolfcrypt/src/asn.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index b2101559f..a2c85e322 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8666,12 +8666,17 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 } else {
 cert->ca = NULL;
 #ifndef NO_SKID
- if (cert->extAuthKeyIdSet)
+ if (cert->extAuthKeyIdSet) {
 cert->ca = GetCA(cm, cert->extAuthKeyId);
+ }
 if (cert->ca == NULL && cert->extSubjKeyIdSet \
 && verify != VERIFY_OCSP) {
 cert->ca = GetCA(cm, cert->extSubjKeyId);
 }
+ if (cert->ca != NULL && XMEMCMP(cert->issuerHash,
+ cert->ca->subjectNameHash, KEYID_SIZE) != 0) {
+ cert->ca = NULL;
+ }
 if (cert->ca == NULL)
 cert->ca = GetCAByName(cm, cert->issuerHash);

@@ -8766,6 +8771,10 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 && verify != VERIFY_OCSP) {
 cert->ca = GetCA(cm, cert->extSubjKeyId);
 }
+ if (cert->ca != NULL && XMEMCMP(cert->issuerHash,
+ cert->ca->subjectNameHash, KEYID_SIZE) != 0) {
+ cert->ca = NULL;
+ }
 if (cert->ca == NULL)
 cert->ca = GetCAByName(cm, cert->issuerHash);
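Review bot: The added name-hash check has no comment saying why a CA that was just found by key identifier is then discarded; the RFC 5280 section 4.1.2.6 rationale lives only in the commit message. I would put `/* RFC 5280 4.1.2.6: issuer name must match the CA subject name even when the key id matched */` above the `XMEMCMP` test. The same four lines appear again in the second hunk (at -8766), so the comment applies there too, and a small static helper would keep the two sites from drifting apart. The diffstat shows only asn.c changing, so a regression case with a certificate whose AKID matches a loaded CA but whose issuer name does not would be worth adding alongside. ParseCertRelative starts and ends outside both hunks, so the surrounding `#ifndef NO_SKID` region and the later signature check are not visible here.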