From 1f3bc9263d2b3f91c9a475a5a3a8b592cd8b4424 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 28 Mar 2014 11:25:05 -0700
Subject: [PATCH] error to have v1 or v2 certificates with extensions

---
 ctaocrypt/src/asn.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 7610152e0..8597fa238 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -3594,13 +3594,18 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 CYASSL_MSG("Parsed Past Key");
- if (cert->srcIdx != cert->sigIndex) {
- if (cert->srcIdx < cert->sigIndex) {
- /* save extensions */
- cert->extensions = &cert->source[cert->srcIdx];
- cert->extensionsSz = cert->sigIndex - cert->srcIdx;
- cert->extensionsIdx = cert->srcIdx; /* for potential later use */
- }
+ if (cert->srcIdx < cert->sigIndex) {
+ #ifndef ALLOW_V1_EXTENSIONS
+ if (cert->version < 2) {
+ CYASSL_MSG(" v1 and v2 certs not allowed extensions");
+ return ASN_VERSION_E;
+ }
+ #endif
+ /* save extensions */
+ cert->extensions = &cert->source[cert->srcIdx];
+ cert->extensionsSz = cert->sigIndex - cert->srcIdx;
+ cert->extensionsIdx = cert->srcIdx; /* for potential later use */
+
 if ((ret = DecodeCertExtensions(cert)) < 0) {
 if (ret == ASN_CRIT_EXT_E)
 criticalExt = ret;