diff --git a/ChangeLog b/ChangeLog index 8b33ff925..4c3b715c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,8 @@ Changes * X509 core refactored * x509_crt_verify() now case insensitive for cn (RFC 6125 6.4) * Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME) + * Support faulty X509 v1 certificates with extensions + (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) Bugfix * Fixed parse error in ssl_parse_certificate_request() diff --git a/include/polarssl/config.h b/include/polarssl/config.h index aa35af283..737e5b489 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -660,6 +660,17 @@ */ #define POLARSSL_SSL_TRUNCATED_HMAC +/** + * \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 + * + * If set, the X509 parser will not break-off when parsing an X509 certificate + * and encountering an extension in a v1 or v2 certificate. + * + * Uncomment to prevent an error. + * +#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 + */ + /** * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION * diff --git a/library/x509_crt.c b/library/x509_crt.c index 49cda666c..1fa779cb9 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -697,15 +697,19 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf, } } +#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) if( crt->version == 3 ) { +#endif ret = x509_get_crt_ext( &p, end, crt); if( ret != 0 ) { x509_crt_free( crt ); return( ret ); } +#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3) } +#endif if( p != end ) { diff --git a/tests/data_files/cert_v1_with_ext.crt b/tests/data_files/cert_v1_with_ext.crt new file mode 100644 index 000000000..4f0704885 --- /dev/null +++ b/tests/data_files/cert_v1_with_ext.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDzTCCArUCCQC97UTH0j7CpDANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC +WFgxCzAJBgNVBAgTAlhYMQswCQYDVQQHEwJYWDELMAkGA1UEChMCWFgxCzAJBgNV +BAsTAlhYMScwJQYJKoZIhvcNAQkBFhhhZG1pbkBpZGVudGl0eS1jaGVjay5vcmcx +GzAZBgNVBAMTEmlkZW50aXR5LWNoZWNrLm9yZzAeFw0xMzA3MDQxNjE3MDJaFw0x +NDA3MDQxNjE3MDJaMIGHMQswCQYDVQQGEwJYWDELMAkGA1UECBMCWFgxCzAJBgNV +BAcTAlhYMQswCQYDVQQKEwJYWDELMAkGA1UECxMCWFgxJzAlBgkqhkiG9w0BCQEW +GGFkbWluQGlkZW50aXR5LWNoZWNrLm9yZzEbMBkGA1UEAxMSaWRlbnRpdHktY2hl +Y2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1v8FswMughO8 +mwkHWAf+XRpK33kYR0ifBnObvk2R9ZTEUk/TfFEEFVlen5xhiE0g8lbCj8Y5Mzsg +wZsJv5in/KnraYb7VC0ah0jx4sMkhKRcyUWfjyH8r7FNH1j1jd08ZpWJGotYxxaL +evqom1rzLN99JPObwyCCgGcQjlRV7cMfIgwlwHb/JPXOy/hYAgjrCjqvBu3nL5/b +HF0PyVGiKCEQiHhMBKNjAxzQrCUGy7Vp+3QlIYrs6/m5A96vohX/j+wzwIp3QgiK +Yhj5E4Zo/iQLf6Rwl7pL4RTdT+crcy143mYiShNY+ayl9snfVJNnuHaMe15fVEsP +X9lDvdBvXwIDAQABoz8wPTA7BgNVHREENDAyghJpZGVudGl0eS1jaGVjay5vcmeC +Fnd3dy5pZGVudGl0eS1jaGVjay5vcmeHBCU7/jAwDQYJKoZIhvcNAQEFBQADggEB +AAXUXoWlQxKvSCVWhes8x03MCude0nDqDFH1DPGIKeVeWOw87nVni+hIvy8II6hj +5ZfGSHuZci2AgElA3tXk2qDcZ/uBXe2VV4IwsgXKUYSlpz1xoU55InT4e7KdssEP +HOyrU03Dzm8Jk0PhgEJpV48tkWYoJvZvOiwG0e43UPDv9xp8C8EbvJmmuWkUWnNW +o0yDnoAOxGfUGSUQ1guTpWCoQEKj3DS4v4lI0kNmJm+oRE2vv1XealWEHSuMpRZO +Qhy8WImX3muw99MP579tY44D5Z7p3kpiC1bwV3tzkHdf5mkrAbFJIfliPvjMrPMw +2eyXXijDsebpT0w3ruMxjHg= +-----END CERTIFICATE----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index b6ccd1bbe..b853e2674 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -70,6 +70,10 @@ X509 Certificate information EC signed by RSA depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n" +X509 certificate v1 with extension +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 +x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" + X509 CRL information #1 depends_on:POLARSSL_PEM_PARSE_C x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"