From fd50fd8a3e82f6afa8a23e30d6614d4beb7ffc88 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 8 Mar 2017 16:40:07 -0700 Subject: [PATCH] Add error case for critical Subject Key ID extension --- wolfcrypt/src/asn.c | 12 ++++++++++++ wolfcrypt/src/error.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 509364825..c46c1512a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5300,6 +5300,18 @@ static int DecodeCertExtensions(DecodedCert* cert) #ifdef OPENSSL_EXTRA cert->extSubjKeyIdCrit = critical; #endif + #ifndef WOLFSSL_ALLOW_CRIT_SKID + /* This check is added due to RFC 5280 section 4.2.1.2 + * stating that conforming CA's must mark this extension + * as non-critical. When parsing extensions check that + * certificate was made in compliance with this. */ + if (critical) { + WOLFSSL_MSG("Critical Subject Key ID is not allowed"); + WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted"); + return ASN_CRIT_EXT_E; + } + #endif + if (DecodeSubjKeyId(&input[idx], length, cert) < 0) return ASN_PARSE_E; break; diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index d49734474..78ed8e45e 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -204,7 +204,7 @@ const char* wc_GetErrorString(int error) return "ASN NTRU key decode error, invalid input"; case ASN_CRIT_EXT_E: - return "X.509 Critical extension ignored"; + return "X.509 Critical extension ignored or invalid"; case ECC_BAD_ARG_E : return "ECC input argument wrong type, invalid input";