Skip to content

Commit

Permalink
New mbedtls_x509_crt_parse_der_ext() routine
Browse files Browse the repository at this point in the history 
This routine is functionally equivalent to mbedtls_x509_crt_parse_der(),
but it accepts an additional callback function which it calls with
every unsupported certificate extension.

Proposed solution to Mbed-TLS#3241

Signed-off-by: Nicola Di Lieto <[email protected]>
  • Loading branch information
@ndilieto
ndilieto committed Apr 25, 2020
1 parent b1c8e41 commit 502d4b4
Show file tree
Hide file tree
Showing 2 changed files with 79 additions and 7 deletions.
56 changes: 56 additions & 0 deletions include/mbedtls/x509_crt.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,62 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen );

/**
* \brief The type of certificate extension callbacks.
*
* Callbacks of this type are passed to and used by the
* mbedtls_x509_crt_parse_der_ext() routine when it encounters
* an unsupported extension.
*
* \param crt Pointer to the certificate being parsed
* \param oid Extension's OID
* \param critical If the extension is critical (per the RFC's definition)
* \param p On entry \c *p points to the start of the extension ASN.1
* data. On successful completion \c *p must point to the
* first byte after it.
* On error, the value of \c *p is undefined.
* \param end End of extension data.
*
* \note The callback must fail and return a negative error code if
* it can not parse or does not support the extension.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
typedef int (*mbedtls_x509_crt_ext_cb_t)( mbedtls_x509_crt const *crt,
mbedtls_x509_buf const *oid,
int critical,
unsigned char **p,
const unsigned char *end );

/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list.
*
* \param chain The pointer to the start of the CRT chain to attach to.
* When parsing the first CRT in a chain, this should point
* to an instance of ::mbedtls_x509_crt initialized through
* mbedtls_x509_crt_init().
* \param buf The buffer holding the DER encoded certificate.
* \param buflen The size in Bytes of \p buf.
* \param cb A callback invoked for every unsupported certificate
* extension.
*
* \note This call is functionally equivalent to
* mbedtls_x509_crt_parse_der(), but it calls the callback
* with every unsupported certificate extension.
* The callback must return a negative error code if it
* does not know how to handle such an extension.
*
* \return \c 0 if successful.
* \return A negative error code on failure.
*/
int mbedtls_x509_crt_parse_der_ext( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen,
mbedtls_x509_crt_ext_cb_t cb
);

/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list. This is a
Expand Down
30 changes: 23 additions & 7 deletions library/x509_crt.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -892,7 +892,8 @@ static int x509_get_certificate_policies( unsigned char **p,
*/
static int x509_get_crt_ext( unsigned char **p,
const unsigned char *end,
mbedtls_x509_crt *crt )
mbedtls_x509_crt *crt,
mbedtls_x509_crt_ext_cb_t cb )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
Expand Down Expand Up @@ -955,6 +956,10 @@ static int x509_get_crt_ext( unsigned char **p,

if( ret != 0 )
{
/* Give the callback (if any) a chance to handle the extension */
if (cb && cb(crt, &extn_oid, is_critical, p, end_ext_octet) == 0)
continue;

/* No parser found, skip extension */
*p = end_ext_octet;

Expand Down Expand Up @@ -1061,7 +1066,8 @@ static int x509_get_crt_ext( unsigned char **p,
static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
const unsigned char *buf,
size_t buflen,
int make_copy )
int make_copy,
mbedtls_x509_crt_ext_cb_t cb )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
Expand Down Expand Up @@ -1260,7 +1266,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
if( crt->version == 3 )
#endif
{
ret = x509_get_crt_ext( &p, end, crt );
ret = x509_get_crt_ext( &p, end, crt, cb );
if( ret != 0 )
{
mbedtls_x509_crt_free( crt );
Expand Down Expand Up @@ -1323,7 +1329,8 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
static int mbedtls_x509_crt_parse_der_internal( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen,
int make_copy )
int make_copy,
mbedtls_x509_crt_ext_cb_t cb )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *crt = chain, *prev = NULL;
Expand Down Expand Up @@ -1355,7 +1362,8 @@ static int mbedtls_x509_crt_parse_der_internal( mbedtls_x509_crt *chain,
crt = crt->next;
}

if( ( ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy ) ) != 0 )
ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy, cb );
if( ret != 0 )
{
if( prev )
prev->next = NULL;
Expand All @@ -1373,14 +1381,22 @@ int mbedtls_x509_crt_parse_der_nocopy( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen )
{
return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0 ) );
return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0, NULL ) );
}

int mbedtls_x509_crt_parse_der_ext( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen,
mbedtls_x509_crt_ext_cb_t cb )
{
return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1, cb ) );
}

int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen )
{
return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1 ) );
return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1, NULL ) );
}

/*
Expand Down

0 comments on commit 502d4b4

Please sign in to comment.