From 62a593e72e7446864cbcbb85ff0d182483e31597 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Thu, 19 Mar 2020 12:18:05 +1000
Subject: [PATCH] Recognise Netscape Certificate Type extension

Checks the bit string is valid but doesn't store or use value.
(Some certificates have this extension as critical)
---
 certs/test/cert-ext-nct.cfg |  18 ++++++++++++++++++
 certs/test/cert-ext-nct.der | Bin 0 -> 1054 bytes
 certs/test/gen-ext-certs.sh |  25 +++++++++++++++++++++++++
 certs/test/include.am       |   2 ++
 wolfcrypt/src/asn.c         |  11 +++++++++++
 wolfcrypt/test/test.c       |  25 +++++++++++++++++++++++++
 wolfssl/wolfcrypt/asn.h     |   3 ++-
 7 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 certs/test/cert-ext-nct.cfg
 create mode 100644 certs/test/cert-ext-nct.der

diff --git a/certs/test/cert-ext-nct.cfg b/certs/test/cert-ext-nct.cfg
new file mode 100644
index 000000000..fde389bf4
--- /dev/null
+++ b/certs/test/cert-ext-nct.cfg
@@ -0,0 +1,18 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+
diff --git a/certs/test/cert-ext-nct.der b/certs/test/cert-ext-nct.der
new file mode 100644
index 0000000000000000000000000000000000000000..febf458ba67b2a4833a91db415bbeba712c45d24
GIT binary patch
literal 1054
zcmXqLVv#avVrE*v%*4pVBvPcjI4(5%#OI7ZESH?kR?Ln+(`#nH%f_kI=F#?@mywa1
zmBFBKfg!g6CmVAp3!5;LW2m99fgp&(!NV0;nwpwdoRgTBVkl_94-#bO;czO-EKW+y
zOEnZR5CREt@o<;t=cEM(`zUzkCBsCydAMEk(lhf?Q;Rb5(hVgH#6W79dHBoA%k@C&
zi;HvglJj#7l?@c(&f#Pf6Dck&D9A4=ae%0SC^C=}=QT1gFgCO_Ffy_<HH-psjSP(p
zO`zPN;DsheCFFo-WMyD(V&rEqXkz4IYGPz$I53stVYuU`!rbkbTpiUJQ;)f>`?N>J
zV8_&R`hM5G$#m?gng4r5di}qcIf13$yH2q`H`VWdxVQR%e$DEX72<zR#a8cnp!l>%
zFJG_i#?<0lYovpB#@k<)<W=>5n4BEg&7ESu)_KQLnHZDJ>lhX!AN^L(9hp&4ysSrJ
zB~$MD!;*}8I|LpdJL9k=bFrIoW_#X|-QvqWzqq@$cu%#y;?}=ufjoOdHb2abm)WCS
ze36s6Q{<As&XmJi7Zy(Q+Vk*=RP^x$2M#7z@Vl5B7)@(1Ql7f7e3$U0>BWy?RZnK|
z9=1$avSmZ2lN0C58ytI#6*fmGEnoHe$irue%||ayyMOb7|Jv(J%!~|-i@gjy3`E#C
z6WTl&+kQAP0>OV47G@?k2Ll6yC@+h$m|{q3aS1SGDfp$96elMZq$)V47L{bCWhN(<
zq$-3|7NjDFHZYk3Lz|I-SyGat>x<;|qbi2C*EGD+V(n5(v*cM6b*Ni$*^}K;FBJEC
zPTXeMzx}1n%#1{R!&_xL{?8Df<Z*_1?P;ffGUB%{9}*Uy=XCRChi~owS?R)o&Zj%}
zeNJpsUr|%HW$UIc#x#wHhs9UFv%Ft_c8A%~cTvH-2Wt!NFTd#Z;IAe3i|?6rs(VzP
z*DZXpw?kv<uJb<*ab{dSBo`XAQEH($xB4M79eXoTKl%DrO)qgl1<ln}|9;%p-so_B
zzBT`vStsTmnx=5JY+38NTPzPI%~#(sNpx=d-@czl+Lv<mf5fn?Vp+B?F_+c&a$Cg2
e1q%D;>nxtm##g|jR{mmhUTqj(*0W0O)2sj?r-MTP

literal 0
HcmV?d00001

diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index c71e6a8d7..10b887133 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -71,3 +71,28 @@ nsComment        = "Testing inhibit any"
 EOF
 gen_cert
 
+OUT=certs/test/cert-ext-nct.der
+KEYFILE=certs/test/cert-ext-mct-key.der
+CONFIG=certs/test/cert-ext-nct.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+emailAddress  = support@wolfsssl.com
+
+[ v3_ca ]
+nsCertType       = critical,server
+nsComment        = "Testing Netscape Certificate Type"
+
+EOF
+gen_cert
+
diff --git a/certs/test/include.am b/certs/test/include.am
index 52fcba6bc..6f37df6d2 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -7,6 +7,8 @@ EXTRA_DIST += \
          certs/test/cert-ext-ia.der \
          certs/test/cert-ext-nc.cfg \
          certs/test/cert-ext-nc.der \
+         certs/test/cert-ext-nct.cfg \
+         certs/test/cert-ext-nct.der \
          certs/test/cert-ext-ns.der \
          certs/test/gen-ext-certs.sh \
          certs/test/server-duplicate-policy.pem \
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 58a726fe3..3cfe5ee80 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8917,6 +8917,17 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
                 break;
 
+       #ifndef IGNORE_NETSCAPE_CERT_TYPE
+            case NETSCAPE_CT_OID:
+                WOLFSSL_MSG("Netscape certificate type extension not supported "
+                            "yet.");
+                if (CheckBitString(input, &idx, &length, idx + length, 0,
+                                                                    NULL) < 0) {
+                    return ASN_PARSE_E;
+                }
+                break;
+        #endif
+
             default:
             #ifndef WOLFSSL_NO_ASN_STRICT
                 /* While it is a failure to not support critical extensions,
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 9371b8d45..cfdd79cbb 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -10630,6 +10630,31 @@ int cert_test(void)
     if (ret != 0) {
         ERROR_OUT(-7204, done);
     }
+    FreeDecodedCert(&cert);
+
+    /* Certificate with Netscape Certificate Type extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-nct.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-nct.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7203, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    if (ret != 0) {
+        ERROR_OUT(-7204, done);
+    }
+#else
+    if (ret != ASN_CRIT_EXT_E) {
+        ERROR_OUT(-7205, done);
+    }
+    ret = 0;
+#endif
 
 done:
     FreeDecodedCert(&cert);
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index bef803dd3..393da3cdb 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -502,7 +502,8 @@ enum Extensions_Sum {
     POLICY_MAP_OID            = 147,
     POLICY_CONST_OID          = 150,
     ISSUE_ALT_NAMES_OID       = 132,
-    TLS_FEATURE_OID           = 92   /* id-pe 24 */
+    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
+    NETSCAPE_CT_OID           = 753  /* 2.16.840.1.113730.1.1 */
 };
 
 enum CertificatePolicy_Sum {