Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow validating V3 certificates that have no extensions #241

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 27 additions & 29 deletions src/cert.rs
Original file line number Diff line number Diff line change
Expand Up @@ -95,35 +95,33 @@ pub(crate) fn parse_cert_internal<'a>(
subject_alt_name: None,
};

// mozilla::pkix allows the extensions to be omitted. However, since
// the subjectAltName extension is mandatory, the extensions are
// mandatory too, and we enforce that. Also, mozilla::pkix includes
// special logic for handling critical Netscape Cert Type extensions.
// That has been intentionally omitted.

der::nested(
tbs,
der::Tag::ContextSpecificConstructed3,
Error::MissingOrMalformedExtensions,
|tagged| {
der::nested_of_mut(
tagged,
der::Tag::Sequence,
der::Tag::Sequence,
Error::BadDER,
|extension| {
let extn_id = der::expect_tag_and_get_value(extension, der::Tag::OID)?;
let critical = der::optional_boolean(extension)?;
let extn_value =
der::expect_tag_and_get_value(extension, der::Tag::OctetString)?;
match remember_extension(&mut cert, extn_id, extn_value)? {
Understood::No if critical => Err(Error::UnsupportedCriticalExtension),
_ => Ok(()),
}
},
)
},
)?;
if !tbs.at_end() {
der::nested(
tbs,
der::Tag::ContextSpecificConstructed3,
Error::MalformedExtensions,
|tagged| {
der::nested_of_mut(
tagged,
der::Tag::Sequence,
der::Tag::Sequence,
Error::BadDER,
|extension| {
let extn_id = der::expect_tag_and_get_value(extension, der::Tag::OID)?;
let critical = der::optional_boolean(extension)?;
let extn_value =
der::expect_tag_and_get_value(extension, der::Tag::OctetString)?;
match remember_extension(&mut cert, extn_id, extn_value)? {
Understood::No if critical => {
Err(Error::UnsupportedCriticalExtension)
}
_ => Ok(()),
}
},
)
},
)?;
}

Ok(cert)
})
Expand Down
4 changes: 2 additions & 2 deletions src/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -75,12 +75,12 @@ pub enum Error {
/// is malformed.
UnsupportedCertVersion,

/// The certificate extensions are missing or malformed.
/// The certificate extensions are malformed.
///
/// In particular, webpki requires the DNS name(s) be in the subjectAltName
/// extension as required by the CA/Browser Forum Baseline Requirements
/// and as recommended by RFC6125.
MissingOrMalformedExtensions,
MalformedExtensions,

/// The certificate contains an unsupported critical extension.
UnsupportedCriticalExtension,
Expand Down
5 changes: 1 addition & 4 deletions tests/cert_without_extensions.rs
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,5 @@ fn cert_without_extensions_test() {
// `openssl x509 -in cert_without_extensions.der -inform DER -text -noout`
const CERT_WITHOUT_EXTENSIONS_DER: &[u8] = include_bytes!("cert_without_extensions.der");

assert_eq!(
Some(webpki::Error::MissingOrMalformedExtensions),
janimo marked this conversation as resolved.
Show resolved Hide resolved
webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).err()
);
assert!(webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).is_ok());
}