From 8b0c3c91e63fee5d62c965f10cc35a760d5fea7f Mon Sep 17 00:00:00 2001
From: Ron Eldor
Date: Wed, 15 May 2019 12:20:00 +0300
Subject: [PATCH] Fail in case critical crt policy not supported

In case the certificate policy is not of type `AnyPolicy` set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` and continue parsing. If the extension is critical, return error anyway, unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured. Fail parsing on any other error.
---
 library/x509_crt.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 9bc869652..3b68f01aa 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -743,7 +743,7 @@ static int x509_get_certificate_policies( unsigned char **p,
 const unsigned char *end,
 mbedtls_x509_sequence *certificate_policies )
 {
- int ret;
+ int ret, parse_ret = 0;
 size_t len;
 mbedtls_asn1_buf *buf;
 mbedtls_asn1_sequence *cur = certificate_policies;
@@ -787,6 +787,19 @@ static int x509_get_certificate_policies( unsigned char **p,
 policy_oid.len = len;
 policy_oid.p = *p;
 
+ /*
+ * Only AnyPolicy is currently supported when enforcing policy.
+ */
+ if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_POLICY, &policy_oid ) != 0 )
+ {
+ /*
+ * Set the parsing return code but continue parsing, in case this
+ * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ * is configured.
+ */
+ parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+
 /* Allocate and assign next pointer */
 if( cur->buf.p != NULL )
 {
@@ -836,7 +849,7 @@ static int x509_get_certificate_policies( unsigned char **p,
 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
 
- return( 0 );
+ return( parse_ret );
 }
 
 /*
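Review bot: In the second hunk the policy that fails the `MBEDTLS_OID_ANY_POLICY` comparison is still appended to `certificate_policies` by the unchanged allocation code below the new block, so a caller that receives `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE` gets a fully populated list with no per-entry mark of which policy was not recognised, and neither the added comment nor the function header (outside the hunk) says so. The third hunk also shows that a malformed extension still returns `MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH` directly, so `parse_ret` only reaches the caller when the whole extension is well-formed; that precedence is what the caller in x509_get_crt_ext relies on and is worth stating. Suggested replacement for the inner comment: `/* Record that a policy other than anyPolicy was seen and keep parsing: the entry is still stored in the list, any later structural error still takes precedence, and the caller decides whether MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is acceptable. */`, with a matching sentence in the function's header comment describing this return value.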
@@ -970,7 +983,21 @@ static int x509_get_crt_ext( unsigned char **p,
 /* Parse certificate policies type */
 if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
 &crt->certificate_policies ) ) != 0 )
- return( ret );
+ {
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+ if( is_critical )
+ return( ret );
+ else
+#endif
+ /*
+ * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, the we cannot
+ * interpret or enforce the policy. However, it is up to the user
+ * to choose how to enforce the policies,
+ * unless the extension is critical.
+ */
+ if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
+ return( ret );
+ }
 break;
 
 default:
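Review bot: The `else` immediately before `#endif` gives the block two different shapes depending on configuration, with the new comment sitting between `else` and its `if`; because `if( is_critical ) return( ret );` has already left the function, the `else` adds nothing, and dropping it leaves one unconditional check, `if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) return( ret );`, with identical behaviour in both builds and both bodies braced per the file's own `{`/`}` style. The added comment has a typo, `the we cannot` should read `then we cannot`. When the unsupported policy is accepted, `ret` is simply dropped at `break`, so from the visible lines nothing records that a policy the library did not understand is present in the certificate; the comment should say that a caller wanting to enforce policies has to inspect `crt->certificate_policies` itself, as this return value is not propagated. x509_get_crt_ext starts and ends outside the hunk.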