Added parameters to add callback function to handle unsupported extensions. Similar to how the callback functions work when parsing certificates. Also added new test cases.
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
diff --git a/library/x509_csr.c b/library/x509_csr.c
index baf2606..9e4a01a 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -73,11 +73,13 @@
* Parse CSR extension requests in DER format
*/
static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
- unsigned char **p, const unsigned char *end)
+ unsigned char **p, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
- unsigned char *end_ext_data;
+ unsigned char *end_ext_data, *end_ext_octet;
while (*p < end) {
mbedtls_x509_buf extn_oid = { 0, 0, NULL };
@@ -114,7 +116,9 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if (*p + len != end_ext_data) {
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
@@ -124,50 +128,72 @@
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
- if (ret == 0) {
- /* Forbid repeated extensions */
- if ((csr->ext_types & ext_type) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_DATA);
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
}
- csr->ext_types |= ext_type;
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
- switch (ext_type) {
- case MBEDTLS_X509_EXT_KEY_USAGE:
- /* Parse key usage */
- if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
- &csr->key_usage)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
- /* Parse subject alt name */
- if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
- &csr->subject_alt_names)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_NS_CERT_TYPE:
- /* Parse netscape certificate type */
- if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
- &csr->ns_cert_type)) != 0) {
- return ret;
- }
- break;
- default:
- break;
- }
- } else {
if (is_critical) {
/* Data is marked as critical: fail */
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
+ continue;
}
- *p = end_ext_data;
+
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
+ }
}
if (*p != end) {
@@ -182,7 +208,9 @@
* Parse CSR attributes in DER format
*/
static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
- const unsigned char *start, const unsigned char *end)
+ const unsigned char *start, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret;
size_t len;
@@ -221,7 +249,7 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
- if ((ret = x509_csr_parse_extensions(csr, p, *p + len)) != 0) {
+ if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
return ret;
}
@@ -245,8 +273,10 @@
/*
* Parse a CSR in DER format
*/
-int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
- const unsigned char *buf, size_t buflen)
+static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
@@ -370,7 +400,7 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
}
- if ((ret = x509_csr_parse_attributes(csr, p, p + len)) != 0) {
+ if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
mbedtls_x509_csr_free(csr);
return ret;
}
@@ -410,6 +440,26 @@
}
/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
+}
+
+/*
+ * Parse a CSR in DER format with callback for unknown extensions
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
+}
+
+/*
* Parse a CSR, allowing for PEM or raw DER encoding
*/
int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)