Merge pull request #783 from JacobBarthelmeh/Cert-Report1

Add error case for critical Subject Key ID extension
2017-03-09 15:39:23 -08:00 · 2017-03-09 15:39:23 -08:00 · 2b5dba798f
commit 2b5dba798f
parent 2444a55afe fd50fd8a3e
2 changed files with 13 additions and 1 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -5300,6 +5300,18 @@ static int DecodeCertExtensions(DecodedCert* cert)
                #ifdef OPENSSL_EXTRA
                    cert->extSubjKeyIdCrit = critical;
                #endif
+                #ifndef WOLFSSL_ALLOW_CRIT_SKID
+                    /* This check is added due to RFC 5280 section 4.2.1.2
+                     * stating that conforming CA's must mark this extension
+                     * as non-critical. When parsing extensions check that
+                     * certificate was made in compliance with this. */
+                    if (critical) {
+                        WOLFSSL_MSG("Critical Subject Key ID is not allowed");
+                        WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
+                        return ASN_CRIT_EXT_E;
+                    }
+                #endif
+
                if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
                    return ASN_PARSE_E;
                break;
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@ -204,7 +204,7 @@ const char* wc_GetErrorString(int error)
        return "ASN NTRU key decode error, invalid input";

    case ASN_CRIT_EXT_E:
-        return "X.509 Critical extension ignored";
+        return "X.509 Critical extension ignored or invalid";

    case ECC_BAD_ARG_E :
        return "ECC input argument wrong type, invalid input";