From f0459eb1cf10a486e5c6fd7d906656ba4c4d8798 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Jun 2025 15:19:43 -0700 Subject: [PATCH 1/3] Allow larger pathLen values in Basic Constraints. --- wolfcrypt/src/asn.c | 7 +------ wolfssl/wolfcrypt/asn.h | 6 +++--- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index eff679df5..6abeb22a7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -20631,7 +20631,7 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert) if (ret == 0) { /* Get the CA boolean and path length when present. */ GetASN_Boolean(&dataASN[BASICCONSASN_IDX_CA], &isCA); - GetASN_Int8Bit(&dataASN[BASICCONSASN_IDX_PLEN], &cert->pathLength); + GetASN_Int16Bit(&dataASN[BASICCONSASN_IDX_PLEN], &cert->pathLength); ret = GetASN_Items(basicConsASN, dataASN, basicConsASN_Length, 1, input, &idx, (word32)sz); @@ -20648,11 +20648,6 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert) ret = ASN_PARSE_E; } #endif - /* Path length must be a 7-bit value. */ - if ((ret == 0) && (cert->pathLength >= (1 << 7))) { - WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E); - ret = ASN_PARSE_E; - } if ((ret == 0) && cert->pathLength > WOLFSSL_MAX_PATH_LEN) { WOLFSSL_ERROR_VERBOSE(ASN_PATHLEN_SIZE_E); ret = ASN_PATHLEN_SIZE_E; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 7937351a9..5aab67207 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1642,8 +1642,8 @@ struct DecodedCert { const byte* extAuthKeyIdIssuerSN; /* Authority Key ID authorityCertSerialNumber */ word32 extAuthKeyIdIssuerSNSz; /* Authority Key ID authorityCertSerialNumber length */ #endif - byte pathLength; /* CA basic constraint path length */ - byte maxPathLen; /* max_path_len see RFC 5280 section + word16 pathLength; /* CA basic constraint path length */ + word16 maxPathLen; /* max_path_len see RFC 5280 section * 6.1.2 "Initialization" - (k) for * description of max_path_len */ byte policyConstSkip; /* Policy Constraints skip certs value */ @@ -1943,7 +1943,7 @@ struct Signer { word32 pubKeySize; word32 keyOID; /* key type */ word16 keyUsage; - byte maxPathLen; + word16 maxPathLen; WC_BITFIELD selfSigned:1; const byte* publicKey; int nameLen; From bfacbf9764ff9cb4b94e302eeb6cde682e9e5f9b Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 10 Jul 2025 11:47:47 -0700 Subject: [PATCH 2/3] Update ASN original to also allow larger pathLen values in Basic Constraints. --- wolfcrypt/src/asn.c | 6 +++--- wolfssl/wolfcrypt/asn.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6abeb22a7..bf859b1e6 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2744,7 +2744,7 @@ int GetASNInt(const byte* input, word32* inOutIdx, int* len, } #ifndef WOLFSSL_ASN_TEMPLATE -#ifndef NO_CERTS +#if !defined(NO_CERTS) && defined(WOLFSSL_CUSTOM_CURVES) /* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than * 7 bits. * @@ -2776,7 +2776,7 @@ static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx) } #endif /* !NO_CERTS */ -#if defined(WC_RSA_PSS) && !defined(NO_RSA) +#if ((defined(WC_RSA_PSS) && !defined(NO_RSA)) || !defined(NO_CERTS)) /* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than * 16 bits. * @@ -20611,7 +20611,7 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert) return 0; } - ret = GetInteger7Bit(input, &idx, (word32)sz); + ret = GetInteger16Bit(input, &idx, (word32)sz); if (ret < 0) return ret; cert->pathLength = (byte)ret; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 5aab67207..a2e63e5c5 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1943,7 +1943,7 @@ struct Signer { word32 pubKeySize; word32 keyOID; /* key type */ word16 keyUsage; - word16 maxPathLen; + word16 maxPathLen; WC_BITFIELD selfSigned:1; const byte* publicKey; int nameLen; From 9fa1d2e75fbecfb3aaf0d5453f5ac3d3c0349f3e Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 11 Jul 2025 11:53:33 -0700 Subject: [PATCH 3/3] Enforce WOLFSSL_MAX_PATH_LEN for ASN original as well. --- wolfcrypt/src/asn.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index bf859b1e6..34fdf8e3c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -20614,7 +20614,12 @@ static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert) ret = GetInteger16Bit(input, &idx, (word32)sz); if (ret < 0) return ret; - cert->pathLength = (byte)ret; + else if (ret > WOLFSSL_MAX_PATH_LEN) { + WOLFSSL_ERROR_VERBOSE(ASN_PATHLEN_SIZE_E); + return ASN_PATHLEN_SIZE_E; + } + + cert->pathLength = (word16)ret; cert->pathLengthSet = 1; return 0;