From: Nikos Mavrogiannopoulos
Date: Mon, 13 Oct 2014 13:05:47 +0000 (+0200)
Subject: do not allow importing X.509 certificates with version < 3 and extensions present
X-Git-Tag: gnutls_3_4_0~793
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f6f7b3cf3e1979801cf48a1ab221fa56f2a2ea0d;p=thirdparty%2Fgnutls.git

do not allow importing X.509 certificates with version < 3 and extensions present
---
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index a1387df3d8..5ecb8bcf85 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -186,6 +186,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
 gnutls_x509_crt_fmt_t format)
 {
 int result = 0;
+ int version;
 if (cert == NULL) {
 gnutls_assert();
@@ -270,6 +271,20 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
 goto cleanup;
 }
+ /* enforce the rule that only version 3 certificates carry extensions */
+ version = gnutls_x509_crt_get_version(cert);
+ if (version < 3) {
+ gnutls_datum_t exts;
+ result = _gnutls_x509_get_raw_field2(cert->cert, &cert->der,
+ "tbsCertificate.extensions", &exts);
+ if (result >= 0 && exts.size > 0) {
+ gnutls_assert();
+ _gnutls_debug_log("error: extensions present in certificate with version %d\n", version);
+ result = GNUTLS_E_X509_CERTIFICATE_ERROR;
+ goto cleanup;
+ }
+ }
+
 /* Since we do not want to disable any extension */
 cert->use_extensions = 1;
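Review bot: The new check in the second hunk treats a negative return from `gnutls_x509_crt_get_version(cert)` as "version below 3" and lets the import continue, so a certificate whose version field cannot be decoded is still accepted as long as no extensions element is found. That getter reports failures as a negative error code, so the commit should fail closed before the comparison: `if (version < 0) { gnutls_assert(); result = version; goto cleanup; }`. The probe also stores its status in `result`, which is negative on the expected no-extensions path for a v1 certificate; that is only harmless if the success path below returns a literal 0 rather than `result`, so either use a separate local for the probe or add `/* a missing extensions element is the expected case here; result is not propagated (RFC 5280 4.1.2.9: extensions MUST only appear in v3) */`. The enclosing function gnutls_x509_crt_import starts before and ends after this hunk.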