From c27c4e2efb0656e27103a7f59c819a2cdbdc5588 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Mon, 23 Sep 2013 15:01:36 +0200
Subject: [PATCH] Support faulty X509 v1 certificates with extensions
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
---
ChangeLog | 2 ++
include/polarssl/config.h | 11 +++++++++++
library/x509_crt.c | 4 ++++
tests/data_files/cert_v1_with_ext.crt | 23 +++++++++++++++++++++++
tests/suites/test_suite_x509parse.data | 4 ++++
5 files changed, 44 insertions(+)
create mode 100644 tests/data_files/cert_v1_with_ext.crt
diff --git a/ChangeLog b/ChangeLog
index 8b33ff925..4c3b715c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,6 +46,8 @@ Changes
* X509 core refactored
* x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
* Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
+ * Support faulty X509 v1 certificates with extensions
+ (POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
Bugfix
* Fixed parse error in ssl_parse_certificate_request()
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index aa35af283..737e5b489 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -660,6 +660,17 @@
*/
#define POLARSSL_SSL_TRUNCATED_HMAC
+/**
+ * \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an extension in a v1 or v2 certificate.
+ *
+ * Uncomment to prevent an error.
+ *
+#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
+ */
+
/**
* \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
*
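Review bot: The new option's doc block does not say what enabling it actually relaxes, which a user deciding whether to uncomment it needs: RFC 5280 §4.1.2.9 allows the extensions field only in v3 certificates, so with this defined, extensions found in a v1/v2 certificate are parsed and then used like v3 extensions by whatever later consumes `crt` (basicConstraints, keyUsage and so on, if those are honoured by verification in this version — I cannot see that from the hunk). I would add, after the "Uncomment to prevent an error." line: ` * Note: this deviates from RFC 5280 4.1.2.9. Extensions in a v1/v2 certificate are` / ` * then parsed and applied exactly as for a v3 certificate; keep it disabled unless` / ` * you must interoperate with such malformed certificates.` The phrase "will not break-off when parsing" is also vague; "will not reject an X509 v1 or v2 certificate that carries an extensions field" states the behaviour precisely.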
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 49cda666c..1fa779cb9 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -697,15 +697,19 @@ static int x509_crt_parse_der_core( x509_crt *crt, const unsigned char *buf,
}
}
+#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
if( crt->version == 3 )
{
+#endif
ret = x509_get_crt_ext( &p, end, crt);
if( ret != 0 )
{
x509_crt_free( crt );
return( ret );
}
+#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
}
+#endif
if( p != end )
{
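Review bot: Wrapping only the `if( crt->version == 3 )` line and its closing brace in `#if !defined(...)` leaves an unbalanced-looking `{`/`}` pair in each preprocessor branch, which defeats brace matching in editors and static checkers and is easy to break in a later edit; keeping the braces unconditional and switching just the condition reads the same in both builds. x509_crt_parse_der_core() starts before this hunk and continues after it. Two further points are worth a line of comment at this site: the enabled build deviates from RFC 5280 §4.1.2.9 and will feed v1/v2 extensions to the same code paths as v3 ones, and it now calls `x509_get_crt_ext()` for every certificate, so a v1/v2 certificate without extensions relies on that function returning 0 when `*p == end` — that check lives outside the hunk, so please confirm it rather than assume it.

```c
#if defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
    /* Deviation from RFC 5280 4.1.2.9: extensions are also parsed for
     * v1/v2 certificates (relies on x509_get_crt_ext() accepting p == end) */
    if( 1 )
#else
    if( crt->version == 3 )
#endif
    {
        /* … unchanged: x509_get_crt_ext() call and its error path … */
    }
```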
diff --git a/tests/data_files/cert_v1_with_ext.crt b/tests/data_files/cert_v1_with_ext.crt
new file mode 100644
index 000000000..4f0704885
--- /dev/null
+++ b/tests/data_files/cert_v1_with_ext.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzTCCArUCCQC97UTH0j7CpDANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
+WFgxCzAJBgNVBAgTAlhYMQswCQYDVQQHEwJYWDELMAkGA1UEChMCWFgxCzAJBgNV
+BAsTAlhYMScwJQYJKoZIhvcNAQkBFhhhZG1pbkBpZGVudGl0eS1jaGVjay5vcmcx
+GzAZBgNVBAMTEmlkZW50aXR5LWNoZWNrLm9yZzAeFw0xMzA3MDQxNjE3MDJaFw0x
+NDA3MDQxNjE3MDJaMIGHMQswCQYDVQQGEwJYWDELMAkGA1UECBMCWFgxCzAJBgNV
+BAcTAlhYMQswCQYDVQQKEwJYWDELMAkGA1UECxMCWFgxJzAlBgkqhkiG9w0BCQEW
+GGFkbWluQGlkZW50aXR5LWNoZWNrLm9yZzEbMBkGA1UEAxMSaWRlbnRpdHktY2hl
+Y2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1v8FswMughO8
+mwkHWAf+XRpK33kYR0ifBnObvk2R9ZTEUk/TfFEEFVlen5xhiE0g8lbCj8Y5Mzsg
+wZsJv5in/KnraYb7VC0ah0jx4sMkhKRcyUWfjyH8r7FNH1j1jd08ZpWJGotYxxaL
+evqom1rzLN99JPObwyCCgGcQjlRV7cMfIgwlwHb/JPXOy/hYAgjrCjqvBu3nL5/b
+HF0PyVGiKCEQiHhMBKNjAxzQrCUGy7Vp+3QlIYrs6/m5A96vohX/j+wzwIp3QgiK
+Yhj5E4Zo/iQLf6Rwl7pL4RTdT+crcy143mYiShNY+ayl9snfVJNnuHaMe15fVEsP
+X9lDvdBvXwIDAQABoz8wPTA7BgNVHREENDAyghJpZGVudGl0eS1jaGVjay5vcmeC
+Fnd3dy5pZGVudGl0eS1jaGVjay5vcmeHBCU7/jAwDQYJKoZIhvcNAQEFBQADggEB
+AAXUXoWlQxKvSCVWhes8x03MCude0nDqDFH1DPGIKeVeWOw87nVni+hIvy8II6hj
+5ZfGSHuZci2AgElA3tXk2qDcZ/uBXe2VV4IwsgXKUYSlpz1xoU55InT4e7KdssEP
+HOyrU03Dzm8Jk0PhgEJpV48tkWYoJvZvOiwG0e43UPDv9xp8C8EbvJmmuWkUWnNW
+o0yDnoAOxGfUGSUQ1guTpWCoQEKj3DS4v4lI0kNmJm+oRE2vv1XealWEHSuMpRZO
+Qhy8WImX3muw99MP579tY44D5Z7p3kpiC1bwV3tzkHdf5mkrAbFJIfliPvjMrPMw
+2eyXXijDsebpT0w3ruMxjHg=
+-----END CERTIFICATE-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index b6ccd1bbe..b853e2674 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -70,6 +70,10 @@ X509 Certificate information EC signed by RSA
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C
x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n"
+X509 certificate v1 with extension
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_RSA_C:POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
+x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n"
+
X509 CRL information #1
depends_on:POLARSSL_PEM_PARSE_C
x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
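Review bot: The new case only runs when POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 is defined, so the default build (where config.h leaves the option commented out) never checks that `cert_v1_with_ext.crt` is still rejected; a regression that silently accepts v1 certificates with extensions by default would pass the suite. A companion case for the default configuration that expects the parse to fail — with whatever error the trailing `p != end` check in x509_crt_parse_der_core() returns, and using the suite's parse-result test function if one exists — would pin both sides of the option. The positive case also only verifies the printed summary; it does not assert that the extension carried by the certificate was actually parsed into `crt`, so the test would still pass if the extension were skipped rather than honoured.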