mirror of https://github.com/wolfSSL/wolfssl
Fix to enforce RFC 5280 Sec 4.2.1.6: "The name MUST NOT be a relative URI". Verifies the URI contains "://". Can be disabled using `WOLFSSL_NO_ASN_STRICT`.
This commit is contained in:
David Garske
parent
f4ad808d12
commit
d9002bb072
|
|
@ -5433,6 +5433,16 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
|
||||||
}
|
}
|
||||||
length -= (idx - lenStartIdx);
|
length -= (idx - lenStartIdx);
|
||||||
|
|
||||||
|
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||||
|
/* Verify RFC 5280 Sec 4.2.1.6 rule:
|
||||||
|
"The name MUST NOT be a relative URI" */
|
||||||
|
|
||||||
|
if (XSTRNCMP((const char*)&input[idx], "://", strLen + 1) != 0) {
|
||||||
|
WOLFSSL_MSG("\tAlt Name must be absolute URI");
|
||||||
|
return ASN_ALT_NAME_E;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
|
uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
|
||||||
DYNAMIC_TYPE_ALTNAME);
|
DYNAMIC_TYPE_ALTNAME);
|
||||||
if (uriEntry == NULL) {
|
if (uriEntry == NULL) {
|
||||||
|
|
@ -6264,8 +6274,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||||
cert->extSubjAltNameSet = 1;
|
cert->extSubjAltNameSet = 1;
|
||||||
cert->extSubjAltNameCrit = critical;
|
cert->extSubjAltNameCrit = critical;
|
||||||
#endif
|
#endif
|
||||||
if (DecodeAltNames(&input[idx], length, cert) < 0)
|
ret = DecodeAltNames(&input[idx], length, cert);
|
||||||
return ASN_PARSE_E;
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case AUTH_KEY_OID:
|
case AUTH_KEY_OID:
|
||||||
|
|
@ -6335,6 +6346,9 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||||
#ifndef IGNORE_NAME_CONSTRAINTS
|
#ifndef IGNORE_NAME_CONSTRAINTS
|
||||||
case NAME_CONS_OID:
|
case NAME_CONS_OID:
|
||||||
#ifndef WOLFSSL_NO_ASN_STRICT
|
#ifndef WOLFSSL_NO_ASN_STRICT
|
||||||
|
/* Verify RFC 5280 Sec 4.2.1.10 rule:
|
||||||
|
"The name constraints extension,
|
||||||
|
which MUST be used only in a CA certificate" */
|
||||||
if (!cert->ca) {
|
if (!cert->ca) {
|
||||||
WOLFSSL_MSG("Name constraints allowed only for CA certs");
|
WOLFSSL_MSG("Name constraints allowed only for CA certs");
|
||||||
return ASN_NAME_INVALID_E;
|
return ASN_NAME_INVALID_E;
|
||||||
|
|
|
||||||
|
|
@ -206,6 +206,9 @@ const char* wc_GetErrorString(int error)
|
||||||
case ASN_CRIT_EXT_E:
|
case ASN_CRIT_EXT_E:
|
||||||
return "X.509 Critical extension ignored or invalid";
|
return "X.509 Critical extension ignored or invalid";
|
||||||
|
|
||||||
|
case ASN_ALT_NAME_E:
|
||||||
|
return "ASN alternate name error";
|
||||||
|
|
||||||
case ECC_BAD_ARG_E :
|
case ECC_BAD_ARG_E :
|
||||||
return "ECC input argument wrong type, invalid input";
|
return "ECC input argument wrong type, invalid input";
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -97,6 +97,7 @@ enum {
|
||||||
ASN_DH_KEY_E = -158, /* ASN key init error, invalid input */
|
ASN_DH_KEY_E = -158, /* ASN key init error, invalid input */
|
||||||
ASN_NTRU_KEY_E = -159, /* ASN ntru key decode error, invalid input */
|
ASN_NTRU_KEY_E = -159, /* ASN ntru key decode error, invalid input */
|
||||||
ASN_CRIT_EXT_E = -160, /* ASN unsupported critical extension */
|
ASN_CRIT_EXT_E = -160, /* ASN unsupported critical extension */
|
||||||
|
ASN_ALT_NAME_E = -161, /* ASN alternate name error */
|
||||||
|
|
||||||
ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */
|
ECC_BAD_ARG_E = -170, /* ECC input argument of wrong type */
|
||||||
ASN_ECC_KEY_E = -171, /* ASN ECC bad input */
|
ASN_ECC_KEY_E = -171, /* ASN ECC bad input */
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue