wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 12:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug with ASN.1 X509V3 Certificate Policy extension parsing. Bug had to do with parsing when OID contains multiple items such as example 2 below. The wolfssl.com server key now contains a URL in the certificate policy "https://secure.comodo.com/CPS0", which wasn't being parsed over correctly. Also cleanup to use loop instead of duplicate code.

Browse Source 
Example 1:
30 12
30 06 06 04 55 1D 20 00
30 08 06 06 67 81 0C 01 02 01

Result:
2.5.29.32.0
2.23.140.1.2.1

Example 2:
30 46
30 3A 06 0B 2B 06 01 04 01 B2 31 01 02 02 07
   30 2B 30 29 06 08 2B 06 01 05 05 07 02 01 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53
30 08 06 06 67 81 0C 01 02 01

Result:
1.3.6.1.4.1.6449.1.2.2.7
2.23.140.1.2.1
This commit is contained in:
David Garske
2016-03-07 13:40:25 -08:00
parent 98a72a3f9d
commit dee3645c4e
1 changed files with 43 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
wolfcrypt/src/asn.c
View File

@@ -4596,38 +4596,40 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
#endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */ #endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
/* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert) static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
{ {
word32 idx = 0; word32 idx = 0;
int total_length = 0, length = 0; int total_length = 0, policy_length = 0, length = 0;
WOLFSSL_ENTER("DecodeCertPolicy"); WOLFSSL_ENTER("DecodeCertPolicy");
/* Unwrap certificatePolicies */
if (GetSequence(input, &idx, &total_length, sz) < 0) { if (GetSequence(input, &idx, &total_length, sz) < 0) {
WOLFSSL_MSG("\tdeviceType isn't OID"); WOLFSSL_MSG("\tGet CertPolicy total seq failed");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
if (GetSequence(input, &idx, &length, sz) < 0) { /* Unwrap certificatePolicies */
WOLFSSL_MSG("\tdeviceType isn't OID"); do {
if (GetSequence(input, &idx, &policy_length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy seq failed");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
total_length -= (length+1);
if (input[idx++] != ASN_OBJECT_ID) { if (input[idx++] != ASN_OBJECT_ID) {
WOLFSSL_MSG("\tdeviceType isn't OID"); WOLFSSL_MSG("\tCertPolicy isn't OID");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
total_length--; policy_length--;
if (GetLength(input, &idx, &length, sz) < 0) { if (GetLength(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tCouldn't read length of deviceType"); WOLFSSL_MSG("\tGet CertPolicy length failed");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
policy_length--;
if (length > 0) { if (length > 0) {
#if defined(WOLFSSL_SEP) #if defined(WOLFSSL_SEP)
cert->deviceType = (byte*)XMALLOC(length, cert->heap, cert->deviceType = (byte*)XMALLOC(length, cert->heap,
DYNAMIC_TYPE_X509_EXT); DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) { if (cert->deviceType == NULL) {
@@ -4636,47 +4638,22 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
} }
cert->deviceTypeSz = length; cert->deviceTypeSz = length;
XMEMCPY(cert->deviceType, input + idx, length); XMEMCPY(cert->deviceType, input + idx, length);
#elif defined(WOLFSSL_CERT_EXT) break;
#elif defined(WOLFSSL_CERT_EXT)
/* decode cert policy */ /* decode cert policy */
if (DecodePolicyOID(cert->extCertPolicies[0], MAX_CERTPOL_SZ, if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
input+idx, length) != 0) { input + idx, length) != 0) {
WOLFSSL_MSG("\tCouldn't read Policy OID 1"); WOLFSSL_MSG("\tCouldn't decode CertPolicy");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
cert->extCertPoliciesNb++; cert->extCertPoliciesNb++;
#else
/* check if we have a second value */
if (total_length) {
idx += length;
if (GetSequence(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tdeviceType isn't OID");
return ASN_PARSE_E;
}
if (input[idx++] != ASN_OBJECT_ID) {
WOLFSSL_MSG("\tdeviceType isn't OID");
return ASN_PARSE_E;
}
if (GetLength(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tCouldn't read length of deviceType");
return ASN_PARSE_E;
}
/* decode cert policy */
if (DecodePolicyOID(cert->extCertPolicies[1], MAX_CERTPOL_SZ,
input+idx, length) != 0) {
WOLFSSL_MSG("\tCouldn't read Policy OID 2");
return ASN_PARSE_E;
}
cert->extCertPoliciesNb++;
}
#else
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0); WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
return 0; return 0;
#endif #endif
} }
idx += policy_length;
} while((int)idx < total_length && cert->extCertPoliciesNb < MAX_CERTPOL_NB);
WOLFSSL_LEAVE("DecodeCertPolicy", 0); WOLFSSL_LEAVE("DecodeCertPolicy", 0);
return 0; return 0;
@@ -4802,7 +4779,6 @@ static int DecodeCertExtensions(DecodedCert* cert)
break; break;
case CERT_POLICY_OID: case CERT_POLICY_OID:
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
#ifdef WOLFSSL_SEP #ifdef WOLFSSL_SEP
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
cert->extCertPolicySet = 1; cert->extCertPolicySet = 1;
@@ -4810,8 +4786,11 @@ static int DecodeCertExtensions(DecodedCert* cert)
#endif #endif
#endif #endif
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
if (DecodeCertPolicy(&input[idx], length, cert) < 0) if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
return ASN_PARSE_E; return ASN_PARSE_E;
}
#else
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
#endif #endif
break; break;