If cert extension parsing fails, replace the object with Unknown

Allows the parse to complete and even allows examining the extension.

GH #1652

2 files changed, 8 insertions, 2 deletions

diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index 5a5ffa177..841adac57 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -101,7 +101,8 @@ Extensions::create_extn_obj(const OID& oid,
       }
    catch(Decoding_Error& e)
       {
-      throw Decoding_Error("Decoding X.509 extension " + oid.as_string(), e);
+      extn.reset(new Cert_Extension::Unknown_Extension(oid, critical));
+      extn->decode_inner(body);
       }
    return extn;
    }
diff --git a/src/lib/x509/x509_ext.h b/src/lib/x509/x509_ext.h
index 6e71fb879..687c58b0c 100644
--- a/src/lib/x509/x509_ext.h
+++ b/src/lib/x509/x509_ext.h
@@ -104,7 +104,12 @@ class BOTAN_PUBLIC_API(2,0) Extensions final : public ASN1_Object
          {
          if(const Certificate_Extension* extn = get_extension_object(oid))
             {
-            if(const T* extn_as_T = dynamic_cast<const T*>(extn))
+            // Unknown_Extension oid_name is empty
+            if(extn->oid_name().empty())
+               {
+               return nullptr;
+               }
+            else if(const T* extn_as_T = dynamic_cast<const T*>(extn))
                {
                return extn_as_T;
                }