authorJack Lloyd <[email protected]>2020-05-21 16:59:04 -0400
committerJack Lloyd <[email protected]>2020-05-25 08:21:47 -0400
commit3ee5a2e990ada59490d29e115c68e77a53199ca8 (patch)
treef7309c9ecbcf3a3a3a1bb02feb747bfd23cd6830 /src/lib
parentaad38c0304085c388977a65970715d757caf5277 (diff)
Check that a v1 certificate does not include the v2 identifier fields
As with other such conformance issues, we allow the certificate to parse but signal the problem during verification. Bug reported by Mario Korth of Ruhr-Universität Bochum
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/x509/cert_status.cpp4
-rw-r--r--src/lib/x509/cert_status.h2
-rw-r--r--src/lib/x509/x509path.cpp10
3 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/x509/cert_status.cpp b/src/lib/x509/cert_status.cpp
index bd27a6d5b..eab196c26 100644
--- a/src/lib/x509/cert_status.cpp
+++ b/src/lib/x509/cert_status.cpp
@@ -91,7 +91,9 @@ const char* to_string(Certificate_Status_Code code)
case Certificate_Status_Code::DUPLICATE_CERT_EXTENSION:
return "Duplicate certificate extension encountered";
case Certificate_Status_Code::EXT_IN_V1_V2_CERT:
- return "Encountered extension in certificate with version < 3";
+ return "Encountered extension in certificate with version that does not allow it";
+ case Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT:
+ return "Encountered v2 identifiers in v1 certificate";
case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
return "OCSP signature error";
case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h
index 33d6b6b65..2f869c1ec 100644
--- a/src/lib/x509/cert_status.h
+++ b/src/lib/x509/cert_status.h
@@ -14,7 +14,6 @@ namespace Botan {
/**
* Certificate validation status code
-* Warning: reflect any changes to this in botan_cert_status_code in ffi.h
*/
enum class Certificate_Status_Code {
OK = 0,
@@ -83,6 +82,7 @@ enum class Certificate_Status_Code {
OCSP_RESPONSE_INVALID = 4504,
EXT_IN_V1_V2_CERT = 4505,
DUPLICATE_CERT_POLICY = 4506,
+ V2_IDENTIFIERS_IN_V1_CERT = 4507,
// Hard failures
CERT_IS_REVOKED = 5000,
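Review bot: The new `V2_IDENTIFIERS_IN_V1_CERT = 4507` enumerator carries no comment, so a reader of this header cannot tell what condition it reports or why it sits in the 45xx range rather than among the hard failures; I would annotate it `V2_IDENTIFIERS_IN_V1_CERT = 4507, // issuerUniqueID/subjectUniqueID present in a v1 cert (RFC 5280 4.1.2.8)`. The commit message states the intent (the certificate still parses, the problem is surfaced during verification), and placing the value before the `// Hard failures` marker is consistent with that, so the comment only needs to record it where the code lives. The enum continues past the end of this hunk.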
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index a2cfbbb1c..b5cdc27c2 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -148,6 +148,16 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
}
// Check cert extensions
+
+ if(subject->x509_version() == 1)
+ {
+ if(subject->v2_issuer_key_id().empty() == false ||
+ subject->v2_subject_key_id().empty() == false)
+ {
+ status.insert(Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT);
+ }
+ }
+
Extensions extensions = subject->v3_extensions();
const auto& extensions_vec = extensions.extensions();
if(subject->x509_version() < 3 && !extensions_vec.empty())