Remove redundant check and add comment to inform about processing of empty extensions
Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules, Chapter 18: Extension-Specific Policy Modules, Netscape Certificate Type Extension Policy:
> The extension has no default value.
A bitstring with no flags set is still technically valid, as it will mean that the certificate has no designated purpose at the time of creation.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/library/x509.c b/library/x509.c
index 9869b05..81e30e4 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1328,6 +1328,8 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
if (bs.len == 0) {
*ns_cert_type = 0;
return 0;
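Review bot: The comment added above `if (bs.len == 0)` speaks of a bitstring "with no flags set", but the branch only tests for a zero-length bit string; a non-empty bit string whose bits are all zero does not take this path. I would word it after the condition, for example `/* An empty bit string is accepted and read as "no certificate type flags set". */`. The same wording is repeated in the key-usage hunk below. `bs` is presumably filled by the parse call just above the hunk, and the enclosing function starts and ends outside it.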
@@ -1355,16 +1357,13 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
if (bs.len == 0) {
*key_usage = 0;
return 0;
}
- if (bs.len < 1) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_LENGTH);
- }
-
/* Get actual bitstring */
*key_usage = 0;
for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
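Review bot: The comment added above `if (bs.len == 0)` in this key-usage hunk reuses the rationale from the Netscape certificate-type guide quoted in the commit message, but that guide does not cover keyUsage. RFC 5280 section 4.2.1.3 requires at least one bit to be set when the keyUsage extension appears, so accepting the empty case here is a deliberate leniency rather than something "technically valid". The comment should say so, for example `/* RFC 5280 4.2.1.3 requires at least one bit set; an empty bit string is tolerated and yields *key_usage == 0. */`. It would also be worth a test confirming that a certificate parsed this way is treated by the key-usage checks as permitting no usages, not as having no keyUsage extension at all. The enclosing function starts and ends outside the hunk.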