author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 10:04:52 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-17 10:40:59 +0100 |
commit | c7e029cbffcfe061e6dd75fd76d9d4970cd6a521 (patch) | |
tree | db2f0f990658c594626e3fd8d079b029db756895 | |
parent | 1fe366c28e1d26a10630bafe207a0cf56bb8a276 (diff) | |
download | gnutls-c7e029cbffcfe061e6dd75fd76d9d4970cd6a521.tar.gz |
gnutls_x509_crt_import: reject X.509v1 certificates with invalid fields
Refuse to import X.509v1 certificates which have fields that did not
exist in the X.509v1 specification, namely the issuerUniqueID and
subjectUniqueID fields.
Resolves: #168
Resolves: #167
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/x509.c | 70 |
1 files changed, 53 insertions, 17 deletions
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 3f2e0b1a57..6462ebb3d0 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -393,6 +393,57 @@ static int cache_alt_names(gnutls_x509_crt_t cert)
 	return 0;
 }
 
+
+static int check_cert_sanity(gnutls_x509_crt_t cert)
+{
+	int result = 0, version;
+	gnutls_datum_t exts;
+
+	/* enforce the rule that only version 3 certificates carry extensions */
+	result = gnutls_x509_crt_get_version(cert);
+	if (result < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
+
+	version = result;
+	if (version < 3) {
+		result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+				"tbsCertificate.extensions", &exts);
+		if (result >= 0 && exts.size > 0) {
+			gnutls_assert();
+			_gnutls_debug_log("error: extensions present in certificate with version %d\n", version);
+			result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+			goto cleanup;
+		}
+	}
+
+	if (version < 2) {
+		result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+				"tbsCertificate.subjectUniqueID", &exts);
+		if (result >= 0 && exts.size > 0) {
+			gnutls_assert();
+			_gnutls_debug_log("error: subjectUniqueID present in certificate with version %d\n", version);
+			result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+			goto cleanup;
+		}
+
+		result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+				"tbsCertificate.issuerUniqueID", &exts);
+		if (result >= 0 && exts.size > 0) {
+			gnutls_assert();
+			_gnutls_debug_log("error: issuerUniqueID present in certificate with version %d\n", version);
+			result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+			goto cleanup;
+		}
+	}
+
+	result = 0;
+
+ cleanup:
+	return result;
+}
+
 /**
  * gnutls_x509_crt_import:
  * @cert: The data to store the parsed certificate.
@@ -414,8 +465,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert, const gnutls_datum_t * data,
 		      gnutls_x509_crt_fmt_t format)
 {
-	int result = 0;
-	int version;
+	int result;
 
 	if (cert == NULL) {
 		gnutls_assert();
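Review bot: check_cert_sanity in the first hunk bounds the version only from below, so a certificate whose version field decodes to 4 or higher passes every check here and is imported with extensions allowed; since the comparisons treat the value returned by gnutls_x509_crt_get_version as 1-based, an upper bound after `version = result;` would close that gap, e.g. `if (version > 3) { gnutls_assert(); result = GNUTLS_E_X509_CERTIFICATE_ERROR; goto cleanup; }`. The three field probes also treat every negative return from _gnutls_x509_get_raw_field2 as "field absent", so a decoding error on tbsCertificate.extensions or either uniqueID field is swallowed rather than propagated; if the helper reports absence with a distinct code (GNUTLS_E_ASN1_ELEMENT_NOT_FOUND), only that code should be ignored and any other negative result returned through cleanup. The only comment in the function describes the extensions rule; a header such as `/* Reject fields that the certificate's stated version does not permit: extensions require v3, issuerUniqueID and subjectUniqueID require at least v2. */` would document the two new checks as well. The second and third hunks only replace the inlined check in gnutls_x509_crt_import with a call to this function, and that function's body continues outside the hunks.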
@@ -509,26 +559,12 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
 		goto cleanup;
 	}
 
-	/* enforce the rule that only version 3 certificates carry extensions */
-	result = gnutls_x509_crt_get_version(cert);
+	result = check_cert_sanity(cert);
 	if (result < 0) {
 		gnutls_assert();
 		goto cleanup;
 	}
 
-	version = result;
-	if (version < 3) {
-		gnutls_datum_t exts;
-		result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
-				"tbsCertificate.extensions", &exts);
-		if (result >= 0 && exts.size > 0) {
-			gnutls_assert();
-			_gnutls_debug_log("error: extensions present in certificate with version %d\n", version);
-			result = GNUTLS_E_X509_CERTIFICATE_ERROR;
-			goto cleanup;
-		}
-	}
-
 	/* Since we do not want to disable any extension */
 	cert->use_extensions = 1;