Merge pull request #783 from JacobBarthelmeh/Cert-Report1
Add error case for critical Subject Key ID extension
This commit is contained in:
commit
2b5dba798f
@ -5300,6 +5300,18 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extSubjKeyIdCrit = critical;
|
||||
#endif
|
||||
#ifndef WOLFSSL_ALLOW_CRIT_SKID
|
||||
/* This check is added due to RFC 5280 section 4.2.1.2
|
||||
* stating that conforming CA's must mark this extension
|
||||
* as non-critical. When parsing extensions check that
|
||||
* certificate was made in compliance with this. */
|
||||
if (critical) {
|
||||
WOLFSSL_MSG("Critical Subject Key ID is not allowed");
|
||||
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
|
||||
return ASN_CRIT_EXT_E;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
|
||||
return ASN_PARSE_E;
|
||||
break;
|
||||
|
@ -204,7 +204,7 @@ const char* wc_GetErrorString(int error)
|
||||
return "ASN NTRU key decode error, invalid input";
|
||||
|
||||
case ASN_CRIT_EXT_E:
|
||||
return "X.509 Critical extension ignored";
|
||||
return "X.509 Critical extension ignored or invalid";
|
||||
|
||||
case ECC_BAD_ARG_E :
|
||||
return "ECC input argument wrong type, invalid input";
|
||||
|
Loading…
x
Reference in New Issue
Block a user