Restore error code from DecodeGeneralName

This commit is contained in:
Eric Blankenhorn
2026-06-26 11:11:22 -05:00
parent 0cecccdf6e
commit e1a2ba3b02
6 changed files with 112 additions and 53 deletions
+7 -26
View File
@@ -18900,31 +18900,20 @@ static int DecodeOtherName(DecodedCert* cert, const byte* input,
* @return ASN_UNKNOWN_OID_E when the OID cannot be verified.
* @return MEMORY_E when dynamic memory allocation fails.
*/
/* Reject IA5String SAN content that cannot legally appear in
* dNSName / rfc822Name / URI per RFC 5280 4.2.1.6. Currently just NUL. */
static int DecodeGeneralNameCheckChars(const byte* input, int len)
{
int i;
for (i = 0; i < len; i++) {
if (input[i] == 0) {
return ASN_PARSE_E;
}
}
return 0;
}
static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
int len, DecodedCert* cert)
{
int ret = 0;
word32 idx = *inOutIdx;
/* GeneralName choice: dnsName */
/* GeneralName choice: dnsName.
* An embedded NUL makes a dNSName an invalid presented identifier
* (RFC 6125 Sec. 6.3 / RFC 9525 Sec. 6.3), not a malformed certificate.
* Store it so its presence still suppresses Subject CN fallback, but
* length-based matching in MatchDomainName never matches a NUL-free
* reference hostname. The result is DOMAIN_NAME_MISMATCH at verification
* time rather than ASN_PARSE_E at parse time. */
if (tag == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE)) {
ret = DecodeGeneralNameCheckChars(input + idx, len);
if (ret != 0) {
return ret;
}
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
ASN_DNS_TYPE, &cert->altNames);
if (ret == 0) {
@@ -18952,10 +18941,6 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
}
/* GeneralName choice: rfc822Name */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
ret = DecodeGeneralNameCheckChars(input + idx, len);
if (ret != 0) {
return ret;
}
ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
ASN_RFC822_TYPE, &cert->altEmailNames);
if (ret == 0) {
@@ -18964,10 +18949,6 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
}
/* GeneralName choice: uniformResourceIdentifier */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
ret = DecodeGeneralNameCheckChars(input + idx, len);
if (ret != 0) {
return ret;
}
WOLFSSL_MSG("\tPutting URI into list but not using");
#ifndef WOLFSSL_NO_ASN_STRICT
+6 -23
View File
@@ -3125,19 +3125,6 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input,
return ret;
}
/* Reject IA5String SAN content that cannot legally appear in
* dNSName / rfc822Name / URI per RFC 5280 4.2.1.6. Currently just NUL. */
static int DecodeGeneralNameCheckChars(const byte* input, int len)
{
int i;
for (i = 0; i < len; i++) {
if (input[i] == 0) {
return ASN_PARSE_E;
}
}
return 0;
}
static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
{
word32 idx = 0;
@@ -3200,9 +3187,12 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
if ((word32)strLen + idx > sz) {
return BUFFER_E;
}
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
return ASN_PARSE_E;
}
/* An embedded NUL makes a dNSName an invalid presented identifier
* (RFC 6125 Sec. 6.3), not a malformed certificate. Store it so
* its presence still suppresses Subject CN fallback; length-based
* matching in MatchDomainName never matches a NUL-free hostname,
* giving DOMAIN_NAME_MISMATCH at verification rather than
* ASN_PARSE_E at parse time. */
dnsEntry = AltNameNew(cert->heap);
if (dnsEntry == NULL) {
@@ -3292,9 +3282,6 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
if ((word32)strLen + idx > sz) {
return BUFFER_E;
}
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
return ASN_PARSE_E;
}
emailEntry = AltNameNew(cert->heap);
if (emailEntry == NULL) {
@@ -3341,10 +3328,6 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
return BUFFER_E;
}
if (DecodeGeneralNameCheckChars(&input[idx], strLen) != 0) {
return ASN_PARSE_E;
}
#ifndef WOLFSSL_NO_ASN_STRICT
/* Verify RFC 5280 Sec 4.2.1.6 rule:
"The name MUST NOT be a relative URI"