From 017bf57daa6831a37521c07bfb9e8f84fb07c6cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 17 Nov 2014 11:00:23 +0100 Subject: [PATCH] Forbid repeated X.509 extensions --- ChangeLog | 1 + library/x509parse.c | 129 ++++++++++++++++--------- tests/suites/test_suite_x509parse.data | 3 + 3 files changed, 87 insertions(+), 46 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8b5848a75..70e6ed5a2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ Security Changes * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. + * Forbid repeated extensions in X.509 certificates. = Version 1.2.12 released 2014-10-24 diff --git a/library/x509parse.c b/library/x509parse.c index 4a9b7c19f..9d62e9e4b 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -894,6 +894,37 @@ static int x509_get_subject_alt_name( unsigned char **p, return( 0 ); } +static int x509_get_crt_ext_type( const x509_buf *oid ) +{ + if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == oid->len ) && + memcmp( oid->p, OID_BASIC_CONSTRAINTS, oid->len ) == 0 ) + { + return( EXT_BASIC_CONSTRAINTS ); + } + else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == oid->len ) && + memcmp( oid->p, OID_NS_CERT_TYPE, oid->len ) == 0 ) + { + return( EXT_NS_CERT_TYPE ); + } + else if( ( OID_SIZE( OID_KEY_USAGE ) == oid->len ) && + memcmp( oid->p, OID_KEY_USAGE, oid->len ) == 0 ) + { + return( EXT_KEY_USAGE ); + } + else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == oid->len ) && + memcmp( oid->p, OID_EXTENDED_KEY_USAGE, oid->len ) == 0 ) + { + return( EXT_EXTENDED_KEY_USAGE ); + } + else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == oid->len ) && + memcmp( oid->p, OID_SUBJECT_ALT_NAME, oid->len ) == 0 ) + { + return( EXT_SUBJECT_ALT_NAME ); + } + + return( -1 ); +} + /* * X.509 v3 extensions * @@ -927,6 +958,7 @@ static int x509_get_crt_ext( unsigned char **p, */ x509_buf extn_oid = {0, 0, NULL}; int is_critical = 0; /* DEFAULT FALSE */ + int ext_type = 0; if( ( ret = asn1_get_tag( p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) @@ -966,52 +998,9 @@ static int x509_get_crt_ext( unsigned char **p, /* * Detect supported extensions */ - if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) && - memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 ) - { - /* Parse basic constraints */ - if( ( ret = x509_get_basic_constraints( p, end_ext_octet, - &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) - return ( ret ); - crt->ext_types |= EXT_BASIC_CONSTRAINTS; - } - else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) && - memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 ) - { - /* Parse netscape certificate type */ - if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, - &crt->ns_cert_type ) ) != 0 ) - return ( ret ); - crt->ext_types |= EXT_NS_CERT_TYPE; - } - else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) && - memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 ) - { - /* Parse key usage */ - if( ( ret = x509_get_key_usage( p, end_ext_octet, - &crt->key_usage ) ) != 0 ) - return ( ret ); - crt->ext_types |= EXT_KEY_USAGE; - } - else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) && - memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 ) - { - /* Parse extended key usage */ - if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, - &crt->ext_key_usage ) ) != 0 ) - return ( ret ); - crt->ext_types |= EXT_EXTENDED_KEY_USAGE; - } - else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == extn_oid.len ) && - memcmp( extn_oid.p, OID_SUBJECT_ALT_NAME, extn_oid.len ) == 0 ) - { - /* Parse extended key usage */ - if( ( ret = x509_get_subject_alt_name( p, end_ext_octet, - &crt->subject_alt_names ) ) != 0 ) - return ( ret ); - crt->ext_types |= EXT_SUBJECT_ALT_NAME; - } - else + ext_type = x509_get_crt_ext_type( &extn_oid ); + + if( ext_type < 0 ) { /* No parser found, skip extension */ *p = end_ext_octet; @@ -1024,6 +1013,54 @@ static int x509_get_crt_ext( unsigned char **p, POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); } #endif + continue; + } + + /* Forbid repeated extensions */ + if( ( crt->ext_types & ext_type ) != 0 ) + return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS ); + + crt->ext_types |= ext_type; + + switch( ext_type ) + { + case EXT_BASIC_CONSTRAINTS: + /* Parse basic constraints */ + if( ( ret = x509_get_basic_constraints( p, end_ext_octet, + &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) + return( ret ); + break; + + case EXT_KEY_USAGE: + /* Parse key usage */ + if( ( ret = x509_get_key_usage( p, end_ext_octet, + &crt->key_usage ) ) != 0 ) + return( ret ); + break; + + case EXT_EXTENDED_KEY_USAGE: + /* Parse extended key usage */ + if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, + &crt->ext_key_usage ) ) != 0 ) + return( ret ); + break; + + case EXT_SUBJECT_ALT_NAME: + /* Parse subject alt name */ + if( ( ret = x509_get_subject_alt_name( p, end_ext_octet, + &crt->subject_alt_names ) ) != 0 ) + return( ret ); + break; + + case EXT_NS_CERT_TYPE: + /* Parse netscape certificate type */ + if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, + &crt->ns_cert_type ) ) != 0 ) + return( ret ); + break; + + default: + return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); } } diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 539b03a4b..6fbc91644 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -563,6 +563,9 @@ x509parse_crt:"308201ae308201aaa003020102020900a287596575d722e1300d06092a864886f X509 Certificate ASN1 (SubjectAltName repeated) x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +X509 Certificate ASN1 (ExtKeyUsage repeated) +x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a340303e301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d250416301406082b0601050507030106082b06010505070302":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + X509 Certificate ASN1 (correct pubkey, no sig_alg) x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_CERT_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA