diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 296b472a7..9a9b397d9 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -317,9 +317,14 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
  * \param p Pointer to the start of the extension value
  *                      (the content of the OCTET STRING).
  * \param end End of extension value.
- *
- * \note The callback must fail and return a negative error code if
- * it can not parse or does not support the extension.
+ *
+ * \note The callback must fail and return a negative error code
+ * if it can not parse or does not support the extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
  *
  * \return \c 0 on success.
  * \return A negative error code on failure.
@@ -358,6 +363,11 @@ typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
  *                      certificate extension.
  *                      The callback must return a negative error code if it
  *                      does not know how to handle such an extension.
+ *                      When the callback fails to parse a critical extension
+ *                      mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ *                      When the callback fails to parse a non critical extension
+ *                      mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ *                      the extension and continues parsing.
  *
  * \return \c 0 if successful.
  * \return A negative error code on failure.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 99d3be200..490b52454 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -961,8 +961,8 @@ static int x509_get_crt_ext( unsigned char **p,
     if( cb != NULL )
     {
         ret = cb( p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet );
-        if( ret != 0 )
-            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        if( ret != 0 && is_critical )
+            return( ret );
         *p = end_ext_octet;
         continue;
     }
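Review bot: The new `return( ret );` in the x509_crt.c hunk passes the callback's return value through unmodified, so the error space of x509_get_crt_ext() now depends on application code: the two header hunks only ask the callback for a negative code without enforcing it, and a callback that returns a positive non-zero value on a critical extension would surface that value unchanged through mbedtls_x509_crt_parse_der_with_ext_cb(), where it no longer reads as an mbedtls error. Either keep critical-extension failures inside the X.509 error range as the removed line did, or at least normalise the sign: `if( ret != 0 && is_critical ) return( ret < 0 ? ret : MBEDTLS_ERR_X509_INVALID_EXTENSIONS );`. A non-critical extension the callback rejects is now advanced past with `*p = end_ext_octet; continue;` and nothing else in this block inspects its content, which matches the new header text but deserves a why-comment next to the `continue`, e.g. `/* Non-critical extension rejected by the callback: skip its content unparsed. */`. x509_get_crt_ext() begins and ends outside this hunk, so whether an outer caller still wraps `ret` cannot be confirmed from here.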