Merge pull request #2858 from SparkiDev/netscape_cert_ext

Recognise Netscape Certificate Type extension

certs/test/cert-ext-nct.cfg

@@ -0,0 +1,18 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+

certs/test/gen-ext-certs.sh

@@ -71,3 +71,28 @@ nsComment        = "Testing inhibit any"
 EOF
 gen_cert
 
+OUT=certs/test/cert-ext-nct.der
+KEYFILE=certs/test/cert-ext-mct-key.der
+CONFIG=certs/test/cert-ext-nct.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+
+EOF
+gen_cert
+

certs/test/include.am

@@ -7,6 +7,8 @@ EXTRA_DIST += \
          certs/test/cert-ext-ia.der \
          certs/test/cert-ext-nc.cfg \
          certs/test/cert-ext-nc.der \
+         certs/test/cert-ext-nct.cfg \
+         certs/test/cert-ext-nct.der \
          certs/test/cert-ext-ns.der \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \

wolfcrypt/src/asn.c

@@ -8917,6 +8917,17 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
                 break;
 
+       #ifndef IGNORE_NETSCAPE_CERT_TYPE
+            case NETSCAPE_CT_OID:
+                WOLFSSL_MSG("Netscape certificate type extension not supported "
+                            "yet.");
+                if (CheckBitString(input, &idx, &length, idx + length, 0,
+                                                                    NULL) < 0) {
+                    return ASN_PARSE_E;
+                }
+                break;
+        #endif
+
             default:
             #ifndef WOLFSSL_NO_ASN_STRICT
                 /* While it is a failure to not support critical extensions,

wolfcrypt/test/test.c

@@ -10630,6 +10630,31 @@ int cert_test(void)
     if (ret != 0) {
         ERROR_OUT(-7204, done);
     }
+    FreeDecodedCert(&cert);
+
+    /* Certificate with Netscape Certificate Type extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-nct.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-nct.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7203, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    if (ret != 0) {
+        ERROR_OUT(-7204, done);
+    }
+#else
+    if (ret != ASN_CRIT_EXT_E) {
+        ERROR_OUT(-7205, done);
+    }
+    ret = 0;
+#endif
 
 done:
     FreeDecodedCert(&cert);

wolfssl/wolfcrypt/asn.h

@@ -502,7 +502,8 @@ enum Extensions_Sum {
     POLICY_MAP_OID            = 147,
     POLICY_CONST_OID          = 150,
     ISSUE_ALT_NAMES_OID       = 132,
-    TLS_FEATURE_OID           = 92   /* id-pe 24 */
+    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
+    NETSCAPE_CT_OID           = 753  /* 2.16.840.1.113730.1.1 */
 };
 
 enum CertificatePolicy_Sum {