From 62a593e72e7446864cbcbb85ff0d182483e31597 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Thu, 19 Mar 2020 12:18:05 +1000
Subject: [PATCH] Recognise Netscape Certificate Type extension

Checks the bit string is valid but doesn't store or use value.
(Some certificates have this extension as critical)
---
 certs/test/cert-ext-nct.cfg |  18 ++++++++++++++++++
 certs/test/cert-ext-nct.der | Bin 0 -> 1054 bytes
 certs/test/gen-ext-certs.sh |  25 +++++++++++++++++++++++++
 certs/test/include.am       |   2 ++
 wolfcrypt/src/asn.c         |  11 +++++++++++
 wolfcrypt/test/test.c       |  25 +++++++++++++++++++++++++
 wolfssl/wolfcrypt/asn.h     |   3 ++-
 7 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 certs/test/cert-ext-nct.cfg
 create mode 100644 certs/test/cert-ext-nct.der

diff --git a/certs/test/cert-ext-nct.cfg b/certs/test/cert-ext-nct.cfg
new file mode 100644
index 000000000..fde389bf4
--- /dev/null
+++ b/certs/test/cert-ext-nct.cfg
@@ -0,0 +1,18 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+
diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der
new file mode 100644
index 0000000000000000000000000000000000000000..febf458ba67b2a4833a91db415bbeba712c45d24
GIT binary patch
literal 1054
zcmXqLVv#avVrE*v%*4pVBvPcjI4(5%#OI7ZESH?kR?Ln+(`#nH%f_kI=F#?@mywa1
zmBFBKfg!g6CmVAp3!5;LW2m99fgp&(!NV0;nwpwdoRgTBVkl_94-#bO;czO-EKW+y
zOEnZR5CREt@o<;t=cEM(`zUzkCBsCydAMEk(lhf?Q;Rb5(hVgH#6W79dHBoA%k@C&
zi;HvglJj#7l?@c(&f#Pf6Dck&D9A4=ae%0SC^C=}=QT1gFgCO_Ffy_<HH;GHH8L_Z
zGBkm5hk_TH7?qF%o{^P-xrvdV!Jvtei>Zl`k>S8pj)&onp9*ugUvhO+XG}fjy6)2+
z6@wj9&*}SJ`zF(|r)K`|73uZ=V&(*ve(yTP{@hf*|KZ;11Nt?qQ&x!oITc&I>w)6a
zBE5XQwi{E6Z>^CI-WhLyU6NPT|6y`+U^jP){aWW8OJ!nAHm_q?kbLx8J$GbAMe(v8
ziIq&b>kmsZ>g^DCeC&+FmdwR&#+mJTM|O)Z`~2eW+TuOc`ifisrUmls4cYuKH(q9s
za`8n@=1!4I0y|R<Yh744&1=uYD^k(N7aTa4T*2>RZeTR6!AN=P!t!0hm!=m#id8+C
z#e3K?Vab*anNCieFK=+{F;>_dp|pI}>mv`JB{m<uH0}P)3;t`bGchwVFfR5o@GuZz
z<4kDtU~K#0#K_3V_@9M^nTgH8zyKl2%c3l%7?N6Cl9`vT;FnrboSayYs^FYjRFavN
znVeXXst{6Hkcu4I+~Ck=WMGz*<mmb$dHtx0;q5gIue4aZ)Y2?@7DXNER$TUEx6}*8
z{hkxIS@v&#X)`k;QQz=Z*^d7+#3y;2VP1RM>7R`F?aPOR#pgNQyxHMf`+rutaG>+)
zj(wjK+tgRo)NR?isf#g9BjRE4)$c6t*Pq>CcJy6TFz><Ig8R!adOi4S$^GJcW}WID
zmFIN}U+nGBn7Zryk3*apR}aaB25ppDD9){Z$V|uHOw>=lzE#spTu?!Cb=AKg_q8`V
zT%T{vzh>5nxre4HoGn|{y6zUsgGuw%cT5tUoBp@&r;+xhT>T$0EUQ?S?MuvMHNM;y
gF>!&y{`oqKr?c@D@Tir)*qm1z#+UW1Qu{P303oM?LjV8(

literal 0
HcmV?d00001

diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index c71e6a8d7..10b887133 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -71,3 +71,28 @@ nsComment        = "Testing inhibit any"
 EOF
 gen_cert
 
+OUT=certs/test/cert-ext-nct.der
+KEYFILE=certs/test/cert-ext-mct-key.der
+CONFIG=certs/test/cert-ext-nct.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+
+EOF
+gen_cert
+
diff --git a/certs/test/include.am b/certs/test/include.am
index 52fcba6bc..6f37df6d2 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -7,6 +7,8 @@ EXTRA_DIST += \
          certs/test/cert-ext-ia.der \
          certs/test/cert-ext-nc.cfg \
          certs/test/cert-ext-nc.der \
+         certs/test/cert-ext-nct.cfg \
+         certs/test/cert-ext-nct.der \
          certs/test/cert-ext-ns.der \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 58a726fe3..3cfe5ee80 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8917,6 +8917,17 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
                 break;
 
+       #ifndef IGNORE_NETSCAPE_CERT_TYPE
+            case NETSCAPE_CT_OID:
+                WOLFSSL_MSG("Netscape certificate type extension not supported "
+                            "yet.");
+                if (CheckBitString(input, &idx, &length, idx + length, 0,
+                                                                    NULL) < 0) {
+                    return ASN_PARSE_E;
+                }
+                break;
+        #endif
+
             default:
             #ifndef WOLFSSL_NO_ASN_STRICT
                 /* While it is a failure to not support critical extensions,
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 9371b8d45..cfdd79cbb 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -10630,6 +10630,31 @@ int cert_test(void)
     if (ret != 0) {
         ERROR_OUT(-7204, done);
     }
+    FreeDecodedCert(&cert);
+
+    /* Certificate with Netscape Certificate Type extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-nct.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-nct.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7203, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    if (ret != 0) {
+        ERROR_OUT(-7204, done);
+    }
+#else
+    if (ret != ASN_CRIT_EXT_E) {
+        ERROR_OUT(-7205, done);
+    }
+    ret = 0;
+#endif
 
 done:
     FreeDecodedCert(&cert);
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index bef803dd3..393da3cdb 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -502,7 +502,8 @@ enum Extensions_Sum {
     POLICY_MAP_OID            = 147,
     POLICY_CONST_OID          = 150,
     ISSUE_ALT_NAMES_OID       = 132,
-    TLS_FEATURE_OID           = 92   /* id-pe 24 */
+    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
+    NETSCAPE_CT_OID           = 753  /* 2.16.840.1.113730.1.1 */
 };
 
 enum CertificatePolicy_Sum {