do not allow importing X.509 certificates with version < 3 and extensions present
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 13 Oct 2014 13:05:47 +0000 (15:05 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 13 Oct 2014 13:18:20 +0000 (15:18 +0200)
lib/x509/x509.c

index a1387df3d8d816f696bda39f7b824d2416fa56cc..5ecb8bcf85354d3a9027ab477ef9513a3d5def41 100644 (file)
@@ -186,6 +186,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
                       gnutls_x509_crt_fmt_t format)
 {
        int result = 0;
+       int version;
 
        if (cert == NULL) {
                gnutls_assert();
@@ -270,6 +271,20 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
                goto cleanup;
        }
 
+       /* enforce the rule that only version 3 certificates carry extensions */
+       version = gnutls_x509_crt_get_version(cert);
+       if (version < 3) {
+               gnutls_datum_t exts;
+               result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+                       "tbsCertificate.extensions", &exts);
+               if (result >= 0 && exts.size > 0) {
+                       gnutls_assert();
+                       _gnutls_debug_log("error: extensions present in certificate with version %d\n", version);
+                       result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+                       goto cleanup;
+               }
+       }
+
        /* Since we do not want to disable any extension
         */
        cert->use_extensions = 1;
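Review bot: A negative return from `gnutls_x509_crt_get_version(cert)` at the top of the new block is not distinguished from a real version number: it satisfies `version < 3`, so a certificate whose version field fails to decode is rejected only if the extensions lookup also succeeds with a non-empty result, and the debug message would print the error code as the version. The same branch reuses `result` for the `_gnutls_x509_get_raw_field2` lookup, so on the common path of a v1 certificate with no extensions element `result` is left holding that lookup's negative code; the tail of `gnutls_x509_crt_import` is outside this hunk, so this is harmless only if the success path returns a literal 0 rather than `result`. Checking the version lookup explicitly and keeping the field lookup in its own local avoids both problems.
```c
	version = gnutls_x509_crt_get_version(cert);
	if (version < 0) {
		gnutls_assert();
		result = version;
		goto cleanup;
	}
	if (version < 3) {
		gnutls_datum_t exts;
		int ret = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
			"tbsCertificate.extensions", &exts);
		if (ret >= 0 && exts.size > 0) {
			/* … unchanged: gnutls_assert, debug log, result = GNUTLS_E_X509_CERTIFICATE_ERROR, goto cleanup … */
		}
	}
```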