fix(auth): only accept v3 X.509 certificates
v1 and v2 are forbidden as at least one extension is required. Instead
of actually parsing the version number, just compare it with a
hard-coded string.
Change-Id: Ib8fd34304a0049787db77ec8c2359d0930cd4ba1
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 993ef12..49bc008 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -146,6 +146,21 @@
size_t len;
unsigned char *p, *end, *crt_end;
mbedtls_asn1_buf sig_alg1, sig_alg2;
+ /*
+ * The unique ASN.1 DER encoding of [0] EXPLICIT INTEGER { v3(2} }.
+ */
+ static const char v3[] = {
+ /* The outer CONTEXT SPECIFIC 0 tag */
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0,
+ /* The number bytes used to encode the inner INTEGER */
+ 3,
+ /* The tag of the inner INTEGER */
+ MBEDTLS_ASN1_INTEGER,
+ /* The number of bytes needed to represent 2 */
+ 1,
+ /* The actual value 2 */
+ 2,
+ };
p = (unsigned char *)img;
len = img_len;
@@ -181,15 +196,14 @@
tbs.len = end - tbs.p;
/*
- * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ * Version ::= [0] EXPLICIT INTEGER { v1(0), v2(1), v3(2) }
+ * -- only v3 accepted
*/
- ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 0);
- if (ret != 0) {
+ if (((end - p) <= (ptrdiff_t)sizeof(v3)) ||
+ (memcmp(p, v3, sizeof(v3)) != 0)) {
return IMG_PARSER_ERR_FORMAT;
}
- p += len;
+ p += sizeof(v3);
/*
* CertificateSerialNumber ::= INTEGER