Forbid repeated X.509 extensions

2025-01-07 06:15:37 +00:00 · 2014-11-17 11:00:23 +01:00 · 2014-11-17 11:00:23 +01:00 · 017bf57daa
parent 360eb91d02
commit 017bf57daa
3 changed files with 87 additions and 46 deletions
--- a/1
+++ b/1
@ -15,6 +15,7 @@ Security

 Changes
   * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
+   * Forbid repeated extensions in X.509 certificates.

 = Version 1.2.12 released 2014-10-24

--- a/library/x509parse.c
+++ b/library/x509parse.c
@ -894,6 +894,37 @@ static int x509_get_subject_alt_name( unsigned char **p,
    return( 0 );
 }

+static int x509_get_crt_ext_type( const x509_buf *oid )
+{
+    if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == oid->len ) &&
+          memcmp( oid->p, OID_BASIC_CONSTRAINTS, oid->len ) == 0 )
+    {
+        return( EXT_BASIC_CONSTRAINTS );
+    }
+    else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == oid->len ) &&
+               memcmp( oid->p, OID_NS_CERT_TYPE, oid->len ) == 0 )
+    {
+        return( EXT_NS_CERT_TYPE );
+    }
+    else if( ( OID_SIZE( OID_KEY_USAGE ) == oid->len ) &&
+               memcmp( oid->p, OID_KEY_USAGE, oid->len ) == 0 )
+    {
+        return( EXT_KEY_USAGE );
+    }
+    else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == oid->len ) &&
+               memcmp( oid->p, OID_EXTENDED_KEY_USAGE, oid->len ) == 0 )
+    {
+        return( EXT_EXTENDED_KEY_USAGE );
+    }
+    else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == oid->len ) &&
+               memcmp( oid->p, OID_SUBJECT_ALT_NAME, oid->len ) == 0 )
+    {
+        return( EXT_SUBJECT_ALT_NAME );
+    }
+
+    return( -1 );
+}
+
 /*
 * X.509 v3 extensions
 *
@ -927,6 +958,7 @@ static int x509_get_crt_ext( unsigned char **p,
         */
        x509_buf extn_oid = {0, 0, NULL};
        int is_critical = 0; /* DEFAULT FALSE */
+        int ext_type = 0;

        if( ( ret = asn1_get_tag( p, end, &len,
                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
@ -966,52 +998,9 @@ static int x509_get_crt_ext( unsigned char **p,
        /*
         * Detect supported extensions
         */
-        if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 )
-        {
-            /* Parse basic constraints */
-            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
-                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_BASIC_CONSTRAINTS;
-        }
-        else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 )
-        {
-            /* Parse netscape certificate type */
-            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
-                    &crt->ns_cert_type ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_NS_CERT_TYPE;
-        }
-        else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 )
-        {
-            /* Parse key usage */
-            if( ( ret = x509_get_key_usage( p, end_ext_octet,
-                    &crt->key_usage ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_KEY_USAGE;
-        }
-        else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 )
-        {
-            /* Parse extended key usage */
-            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
-                    &crt->ext_key_usage ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_EXTENDED_KEY_USAGE;
-        }
-        else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_SUBJECT_ALT_NAME, extn_oid.len ) == 0 )
-        {
-            /* Parse extended key usage */
-            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
-                    &crt->subject_alt_names ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_SUBJECT_ALT_NAME;
-        }
-        else
+        ext_type = x509_get_crt_ext_type( &extn_oid );
+
+        if( ext_type < 0 )
        {
            /* No parser found, skip extension */
            *p = end_ext_octet;
@ -1024,6 +1013,54 @@ static int x509_get_crt_ext( unsigned char **p,
                        POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
            }
 #endif
+            continue;
+        }
+
+        /* Forbid repeated extensions */
+        if( ( crt->ext_types & ext_type ) != 0 )
+            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS );
+
+        crt->ext_types |= ext_type;
+
+        switch( ext_type )
+        {
+        case EXT_BASIC_CONSTRAINTS:
+            /* Parse basic constraints */
+            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
+                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
+                return( ret );
+            break;
+
+        case EXT_KEY_USAGE:
+            /* Parse key usage */
+            if( ( ret = x509_get_key_usage( p, end_ext_octet,
+                    &crt->key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case EXT_EXTENDED_KEY_USAGE:
+            /* Parse extended key usage */
+            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
+                    &crt->ext_key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case EXT_SUBJECT_ALT_NAME:
+            /* Parse subject alt name */
+            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
+                    &crt->subject_alt_names ) ) != 0 )
+                return( ret );
+            break;
+
+        case EXT_NS_CERT_TYPE:
+            /* Parse netscape certificate type */
+            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
+                    &crt->ns_cert_type ) ) != 0 )
+                return( ret );
+            break;
+
+        default:
+            return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
        }
    }

--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@ -563,6 +563,9 @@ x509parse_crt:"308201ae308201aaa003020102020900a287596575d722e1300d06092a864886f
 X509 Certificate ASN1 (SubjectAltName repeated)
 x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS

+X509 Certificate ASN1 (ExtKeyUsage repeated)
+x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a340303e301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d250416301406082b0601050507030106082b06010505070302":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS
+
 X509 Certificate ASN1 (correct pubkey, no sig_alg)
 x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_CERT_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA