Forbid repeated X.509 extensions
diff --git a/ChangeLog b/ChangeLog
index 8b5848a..70e6ed5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,7 @@
Changes
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
+ * Forbid repeated extensions in X.509 certificates.
= Version 1.2.12 released 2014-10-24
diff --git a/library/x509parse.c b/library/x509parse.c
index 4a9b7c1..9d62e9e 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -894,6 +894,37 @@
return( 0 );
}
+static int x509_get_crt_ext_type( const x509_buf *oid )
+{
+ if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == oid->len ) &&
+ memcmp( oid->p, OID_BASIC_CONSTRAINTS, oid->len ) == 0 )
+ {
+ return( EXT_BASIC_CONSTRAINTS );
+ }
+ else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == oid->len ) &&
+ memcmp( oid->p, OID_NS_CERT_TYPE, oid->len ) == 0 )
+ {
+ return( EXT_NS_CERT_TYPE );
+ }
+ else if( ( OID_SIZE( OID_KEY_USAGE ) == oid->len ) &&
+ memcmp( oid->p, OID_KEY_USAGE, oid->len ) == 0 )
+ {
+ return( EXT_KEY_USAGE );
+ }
+ else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == oid->len ) &&
+ memcmp( oid->p, OID_EXTENDED_KEY_USAGE, oid->len ) == 0 )
+ {
+ return( EXT_EXTENDED_KEY_USAGE );
+ }
+ else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == oid->len ) &&
+ memcmp( oid->p, OID_SUBJECT_ALT_NAME, oid->len ) == 0 )
+ {
+ return( EXT_SUBJECT_ALT_NAME );
+ }
+
+ return( -1 );
+}
+
/*
* X.509 v3 extensions
*
@@ -927,6 +958,7 @@
*/
x509_buf extn_oid = {0, 0, NULL};
int is_critical = 0; /* DEFAULT FALSE */
+ int ext_type = 0;
if( ( ret = asn1_get_tag( p, end, &len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
@@ -966,52 +998,9 @@
/*
* Detect supported extensions
*/
- if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) &&
- memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 )
- {
- /* Parse basic constraints */
- if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
- &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
- return ( ret );
- crt->ext_types |= EXT_BASIC_CONSTRAINTS;
- }
- else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) &&
- memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 )
- {
- /* Parse netscape certificate type */
- if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
- &crt->ns_cert_type ) ) != 0 )
- return ( ret );
- crt->ext_types |= EXT_NS_CERT_TYPE;
- }
- else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) &&
- memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 )
- {
- /* Parse key usage */
- if( ( ret = x509_get_key_usage( p, end_ext_octet,
- &crt->key_usage ) ) != 0 )
- return ( ret );
- crt->ext_types |= EXT_KEY_USAGE;
- }
- else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) &&
- memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 )
- {
- /* Parse extended key usage */
- if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
- &crt->ext_key_usage ) ) != 0 )
- return ( ret );
- crt->ext_types |= EXT_EXTENDED_KEY_USAGE;
- }
- else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == extn_oid.len ) &&
- memcmp( extn_oid.p, OID_SUBJECT_ALT_NAME, extn_oid.len ) == 0 )
- {
- /* Parse extended key usage */
- if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
- &crt->subject_alt_names ) ) != 0 )
- return ( ret );
- crt->ext_types |= EXT_SUBJECT_ALT_NAME;
- }
- else
+ ext_type = x509_get_crt_ext_type( &extn_oid );
+
+ if( ext_type < 0 )
{
/* No parser found, skip extension */
*p = end_ext_octet;
@@ -1024,6 +1013,54 @@
POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
}
#endif
+ continue;
+ }
+
+ /* Forbid repeated extensions */
+ if( ( crt->ext_types & ext_type ) != 0 )
+ return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS );
+
+ crt->ext_types |= ext_type;
+
+ switch( ext_type )
+ {
+ case EXT_BASIC_CONSTRAINTS:
+ /* Parse basic constraints */
+ if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
+ &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
+ return( ret );
+ break;
+
+ case EXT_KEY_USAGE:
+ /* Parse key usage */
+ if( ( ret = x509_get_key_usage( p, end_ext_octet,
+ &crt->key_usage ) ) != 0 )
+ return( ret );
+ break;
+
+ case EXT_EXTENDED_KEY_USAGE:
+ /* Parse extended key usage */
+ if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
+ &crt->ext_key_usage ) ) != 0 )
+ return( ret );
+ break;
+
+ case EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
+ &crt->subject_alt_names ) ) != 0 )
+ return( ret );
+ break;
+
+ case EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
+ &crt->ns_cert_type ) ) != 0 )
+ return( ret );
+ break;
+
+ default:
+ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
}
}
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 539b03a..6fbc916 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -563,6 +563,9 @@
X509 Certificate ASN1 (SubjectAltName repeated)
x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS
+X509 Certificate ASN1 (ExtKeyUsage repeated)
+x509parse_crt:"308201cd308201c9a003020102020900a287596575d722e1300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3134313131373039323530345a170d3234313131343039323530345a300f310d300b060355040313045465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100c14da3dde7cd1dd104d74972b899ac0e78e43a3c4acf3a1316d05ae4cda30088a7ee1e6b96a752b490ef2d727a3e249afcb634ac24f577e026648c9cb0287da1daea8ce6c91c96bcfec10452b336d4a3fae1b176d890c161b4665236a22653aaab745e077d1982db2ad81fa0d90d1c2d4966f75b257346e80b8a4f690cb50090e1da8210667dae542b8b657991a1e261c3cd404908ee680cf18b86d246bfd0b8aa11031e7f56a81a1e44180f0f858bda8b445ee218c6622fc7668dfa5dd87df327892901c5900e3f27f130c84a0eefd6dec7c7276bc7053d7ac4023c9a1d3e0fe834985bcb734b5296d811a22c808869395ad30fb0de592f11c7f7ea120130970203010001a340303e301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d250416301406082b0601050507030106082b06010505070302":"":POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS
+
X509 Certificate ASN1 (correct pubkey, no sig_alg)
x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_CERT_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA