From e76ae2b8ac28d42900f4a3cb57ddd4ff9dea289b Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Mon, 7 Jun 2021 12:02:23 +1000
Subject: [PATCH] Certs: fix leak when multiple hardware names in SAN

Can only be one hardware name in SAN as this indicates the certificate is for verifying signatures created by hardware module.
---
 wolfcrypt/src/asn.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 9df7aaa3d..5795d66c3 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8310,6 +8310,14 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
             return ASN_PARSE_E;
         }
 
+        /* Certiciates issued with this OID in the subject alt name are for
+         * verifying signatures created on a module.
+         * RFC 4108 Section 5. */
+        if (cert->hwType != NULL) {
+            WOLFSSL_MSG("\tAlready seen Hardware Module Name");
+            return ASN_PARSE_E;
+        }
+
         if (GetASNTag(input, &idx, &tag, sz) < 0) {
             return ASN_PARSE_E;
         }
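Review bot: The comment above the added `cert->hwType != NULL` check misspells "Certiciates" and explains what the OID means rather than why a second occurrence must be rejected, which is the point of the check; suggest replacing the three comment lines with `/* RFC 4108 Section 5: a certificate carries at most one HardwareModuleName in the SAN. A second occurrence is malformed, and parsing it again would overwrite the cert->hwType already allocated for the first one and leak it. */`. Failing closed with ASN_PARSE_E is consistent with the surrounding error handling and is the right outcome for a duplicate, since letting a later entry silently replace the first would make the decoded hardware name depend on element order. DecodeAltNames starts and ends outside the hunk, so whether the early return leaves the first allocation to be released by the caller's cleanup of the DecodedCert cannot be confirmed from here; it is presumably the same path used by the other ASN_PARSE_E returns in this function.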