Pass "certificate policies" extension to callback
Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies. This allows the callback to fully replicate the behaviour
of the deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
configuration.
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
diff --git a/library/x509_crt.c b/library/x509_crt.c
index ee3b48d..04822e8 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -894,7 +894,7 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
- unsigned char *end_ext_data, *end_ext_octet;
+ unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
if( *p == end )
return( 0 );
@@ -940,6 +940,7 @@
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ start_ext_octet = *p;
end_ext_octet = *p + len;
if( end_ext_octet != end_ext_data )
@@ -1025,6 +1026,13 @@
if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
&crt->certificate_policies ) ) != 0 )
{
+ /* Give the callback (if any) a chance to handle the extension
+ * if it contains unsupported policies */
+ if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
+ cb( p_ctx, crt, &extn_oid, is_critical,
+ start_ext_octet, end_ext_octet ) == 0 )
+ break;
+
#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
if( is_critical )
return( ret );
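Review bot: The callback's contract changes at the new lines — it is now consulted for an extension the library does parse (certificate policies), and a 0 return accepts it even when `is_critical` is set — but this diff touches only library/x509_crt.c, so unless the public header is updated elsewhere the callback type's documentation will not tell callers that `extn_oid` may now be the certificate-policies OID or what returning 0 means there; add a sentence to that documentation. The in-hunk comment should also state what happens on a non-zero return, since `ret` is not updated with the callback's result and handling simply falls through: `/* Give the callback (if any) a chance to accept the extension, even when it is critical, if it contains unsupported policies. A non-zero callback return is not propagated: handling falls through to the default logic below. */`. Because x509_get_certificate_policies() runs before the callback, any policies it presumably already appended to crt->certificate_policies remain in the list when the callback accepts — confirm that partial list is the intended state for the caller. The enclosing function starts and continues outside the hunk.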