Merge pull request #783 from JacobBarthelmeh/Cert-Report1

Add error case for critical Subject Key ID extension
This commit is contained in:
toddouska 2017-03-09 15:39:23 -08:00 committed by GitHub
commit 2b5dba798f
2 changed files with 13 additions and 1 deletions

View File

@ -5300,6 +5300,18 @@ static int DecodeCertExtensions(DecodedCert* cert)
#ifdef OPENSSL_EXTRA
cert->extSubjKeyIdCrit = critical;
#endif
#ifndef WOLFSSL_ALLOW_CRIT_SKID
/* This check is added due to RFC 5280 section 4.2.1.2
* stating that conforming CA's must mark this extension
* as non-critical. When parsing extensions check that
* certificate was made in compliance with this. */
if (critical) {
WOLFSSL_MSG("Critical Subject Key ID is not allowed");
WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
return ASN_CRIT_EXT_E;
}
#endif
if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
return ASN_PARSE_E;
break;

View File

@ -204,7 +204,7 @@ const char* wc_GetErrorString(int error)
return "ASN NTRU key decode error, invalid input";
case ASN_CRIT_EXT_E:
return "X.509 Critical extension ignored";
return "X.509 Critical extension ignored or invalid";
case ECC_BAD_ARG_E :
return "ECC input argument wrong type, invalid input";