Fixed bug with ASN.1 X509V3 Certificate Policy extension parsing. Bug had to do with parsing when OID contains multiple items such as example 2 below. The wolfssl.com server key now contains a URL in the certificate policy "https://secure.comodo.com/CPS0", which wasn't being parsed over correctly. Also cleanup to use loop instead of duplicate code.
Example 1: 30 12 30 06 06 04 55 1D 20 00 30 08 06 06 67 81 0C 01 02 01 Result: 2.5.29.32.0 2.23.140.1.2.1 Example 2: 30 46 30 3A 06 0B 2B 06 01 04 01 B2 31 01 02 02 07 30 2B 30 29 06 08 2B 06 01 05 05 07 02 01 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 30 08 06 06 67 81 0C 01 02 01 Result: 1.3.6.1.4.1.6449.1.2.2.7 2.23.140.1.2.1
This commit is contained in:
David Garske
parent
98a72a3f9d
commit
dee3645c4e
@ -4596,87 +4596,64 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
|
||||
#endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
|
||||
|
||||
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
|
||||
/* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
|
||||
static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
|
||||
{
|
||||
word32 idx = 0;
|
||||
int total_length = 0, length = 0;
|
||||
int total_length = 0, policy_length = 0, length = 0;
|
||||
|
||||
WOLFSSL_ENTER("DecodeCertPolicy");
|
||||
|
||||
/* Unwrap certificatePolicies */
|
||||
if (GetSequence(input, &idx, &total_length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tdeviceType isn't OID");
|
||||
WOLFSSL_MSG("\tGet CertPolicy total seq failed");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetSequence(input, &idx, &length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tdeviceType isn't OID");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
total_length -= (length+1);
|
||||
|
||||
if (input[idx++] != ASN_OBJECT_ID) {
|
||||
WOLFSSL_MSG("\tdeviceType isn't OID");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
total_length--;
|
||||
|
||||
if (GetLength(input, &idx, &length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tCouldn't read length of deviceType");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (length > 0) {
|
||||
#if defined(WOLFSSL_SEP)
|
||||
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
|
||||
DYNAMIC_TYPE_X509_EXT);
|
||||
if (cert->deviceType == NULL) {
|
||||
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
|
||||
return MEMORY_E;
|
||||
}
|
||||
cert->deviceTypeSz = length;
|
||||
XMEMCPY(cert->deviceType, input + idx, length);
|
||||
#elif defined(WOLFSSL_CERT_EXT)
|
||||
/* decode cert policy */
|
||||
if (DecodePolicyOID(cert->extCertPolicies[0], MAX_CERTPOL_SZ,
|
||||
input+idx, length) != 0) {
|
||||
WOLFSSL_MSG("\tCouldn't read Policy OID 1");
|
||||
/* Unwrap certificatePolicies */
|
||||
do {
|
||||
if (GetSequence(input, &idx, &policy_length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tGet CertPolicy seq failed");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
cert->extCertPoliciesNb++;
|
||||
|
||||
/* check if we have a second value */
|
||||
if (total_length) {
|
||||
idx += length;
|
||||
if (input[idx++] != ASN_OBJECT_ID) {
|
||||
WOLFSSL_MSG("\tCertPolicy isn't OID");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
policy_length--;
|
||||
|
||||
if (GetSequence(input, &idx, &length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tdeviceType isn't OID");
|
||||
return ASN_PARSE_E;
|
||||
if (GetLength(input, &idx, &length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tGet CertPolicy length failed");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
policy_length--;
|
||||
|
||||
if (length > 0) {
|
||||
#if defined(WOLFSSL_SEP)
|
||||
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
|
||||
DYNAMIC_TYPE_X509_EXT);
|
||||
if (cert->deviceType == NULL) {
|
||||
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
|
||||
return MEMORY_E;
|
||||
}
|
||||
|
||||
if (input[idx++] != ASN_OBJECT_ID) {
|
||||
WOLFSSL_MSG("\tdeviceType isn't OID");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetLength(input, &idx, &length, sz) < 0) {
|
||||
WOLFSSL_MSG("\tCouldn't read length of deviceType");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
cert->deviceTypeSz = length;
|
||||
XMEMCPY(cert->deviceType, input + idx, length);
|
||||
break;
|
||||
#elif defined(WOLFSSL_CERT_EXT)
|
||||
/* decode cert policy */
|
||||
if (DecodePolicyOID(cert->extCertPolicies[1], MAX_CERTPOL_SZ,
|
||||
input+idx, length) != 0) {
|
||||
WOLFSSL_MSG("\tCouldn't read Policy OID 2");
|
||||
if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
|
||||
input + idx, length) != 0) {
|
||||
WOLFSSL_MSG("\tCouldn't decode CertPolicy");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
cert->extCertPoliciesNb++;
|
||||
#else
|
||||
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#else
|
||||
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
idx += policy_length;
|
||||
} while((int)idx < total_length && cert->extCertPoliciesNb < MAX_CERTPOL_NB);
|
||||
|
||||
WOLFSSL_LEAVE("DecodeCertPolicy", 0);
|
||||
return 0;
|
||||
@ -4802,7 +4779,6 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
break;
|
||||
|
||||
case CERT_POLICY_OID:
|
||||
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
|
||||
#ifdef WOLFSSL_SEP
|
||||
#ifdef OPENSSL_EXTRA
|
||||
cert->extCertPolicySet = 1;
|
||||
@ -4810,8 +4786,11 @@ static int DecodeCertExtensions(DecodedCert* cert)
|
||||
#endif
|
||||
#endif
|
||||
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
|
||||
if (DecodeCertPolicy(&input[idx], length, cert) < 0)
|
||||
return ASN_PARSE_E;
|
||||
if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
#else
|
||||
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
|
||||
#endif
|
||||
break;
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user