author | Jack Lloyd <[email protected]> | 2020-05-21 16:59:04 -0400 |
committer | Jack Lloyd <[email protected]> | 2020-05-25 08:21:47 -0400 |
commit | 3ee5a2e990ada59490d29e115c68e77a53199ca8 (patch) | |
tree | f7309c9ecbcf3a3a3a1bb02feb747bfd23cd6830 /src/lib | |
parent | aad38c0304085c388977a65970715d757caf5277 (diff) |
Check that a v1 certificate does not include the v2 identifier fields
As with other such conformance issues, we allow the certificate to parse
but signal the problem during verification.
Bug reported by Mario Korth of Ruhr-Universität Bochum
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/x509/cert_status.cpp | 4 | ||||
-rw-r--r-- | src/lib/x509/cert_status.h | 2 | ||||
-rw-r--r-- | src/lib/x509/x509path.cpp | 10 |
3 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/x509/cert_status.cpp b/src/lib/x509/cert_status.cpp
index bd27a6d5b..eab196c26 100644
--- a/src/lib/x509/cert_status.cpp
+++ b/src/lib/x509/cert_status.cpp
@@ -91,7 +91,9 @@ const char* to_string(Certificate_Status_Code code)
 case Certificate_Status_Code::DUPLICATE_CERT_EXTENSION:
 return "Duplicate certificate extension encountered";
 case Certificate_Status_Code::EXT_IN_V1_V2_CERT:
- return "Encountered extension in certificate with version < 3";
+ return "Encountered extension in certificate with version that does not allow it";
+ case Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT:
+ return "Encountered v2 identifiers in v1 certificate";
 case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
 return "OCSP signature error";
 case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h
index 33d6b6b65..2f869c1ec 100644
--- a/src/lib/x509/cert_status.h
+++ b/src/lib/x509/cert_status.h
@@ -14,7 +14,6 @@ namespace Botan {
 
 /**
 * Certificate validation status code
-* Warning: reflect any changes to this in botan_cert_status_code in ffi.h
 */
 enum class Certificate_Status_Code {
 OK = 0,
@@ -83,6 +82,7 @@ enum class Certificate_Status_Code {
 OCSP_RESPONSE_INVALID = 4504,
 EXT_IN_V1_V2_CERT = 4505,
 DUPLICATE_CERT_POLICY = 4506,
+ V2_IDENTIFIERS_IN_V1_CERT = 4507,
 
 // Hard failures
 CERT_IS_REVOKED = 5000,
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index a2cfbbb1c..b5cdc27c2 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -148,6 +148,16 @@ PKIX::check_chain(const std::vector<std::shared_ptr<const X509_Certificate>>& ce
 }
 
 // Check cert extensions
+
+ if(subject->x509_version() == 1)
+ {
+ if(subject->v2_issuer_key_id().empty() == false ||
+ subject->v2_subject_key_id().empty() == false)
+ {
+ status.insert(Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT);
+ }
+ }
+
 Extensions extensions = subject->v3_extensions();
 const auto& extensions_vec = extensions.extensions();
 if(subject->x509_version() < 3 && !extensions_vec.empty())
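Review bot: The first cert_status.h hunk drops the warning that botan_cert_status_code in ffi.h must be kept in sync with this enum, while the second hunk adds a new enumerator, and nothing in the commit says why the mirror no longer needs updating. If an FFI-side copy of these codes still exists it is now missing 4507; if it does not, a one-line comment in place of the removed warning would save the next person the same question. The new enumerator is also the only one in the hunk without a hint of its meaning; `V2_IDENTIFIERS_IN_V1_CERT = 4507, // issuer/subject unique ids present in a v1 cert` would match how it is described in to_string in cert_status.cpp. The enum definition starts and ends outside both hunks.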
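Review bot: The new version-1 block does not say why the unique identifier fields are being rejected, and its `.empty() == false` spelling differs from the `!extensions_vec.empty()` idiom used on the context line three lines below. A comment such as `// RFC 5280 4.1.2.8: issuerUniqueID/subjectUniqueID MUST only appear in v2 or v3 certificates` above `if(subject->x509_version() == 1)` would anchor the check, and the condition reads more consistently as `if(!subject->v2_issuer_key_id().empty() || !subject->v2_subject_key_id().empty())`. Since `subject->x509_version()` is now queried twice in a row (here and in the `< 3` extension check that follows), hoisting a single `const auto version = subject->x509_version();` above both would also make it visible that these are two halves of the same version-conformance check. check_chain begins before and continues past this hunk.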