From 8baf39310fabeeb5a23e3a016f8a85903d806744 Mon Sep 17 00:00:00 2001 From: gojimmypi Date: Thu, 22 Aug 2024 12:30:15 -0700 Subject: [PATCH] Introduce WOLFSSL_ASN_ALLOW_0_SERIAL --- wolfcrypt/src/asn.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 82751aff94..69aa1c1951 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -56,6 +56,8 @@ ASN Options: * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. * WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to restore 3.13.0 behavior. + * WOLFSSL_ASN_ALLOW_0_SERIAL: Even if WOLFSSL_NO_ASN_STRICT is not defined, + allow a length=1, but zero value serial numnber. * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer must still be trusted) * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert @@ -13987,7 +13989,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, } #ifndef WOLFSSL_NO_ASN_STRICT - /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being + /* RFC 5280 section 4.1.2.4 lists a DirectoryString as being * 1..MAX in length */ if (strLen < 1) { WOLFSSL_MSG("Non conforming DirectoryString of length 0 was" @@ -14629,7 +14631,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, GetASN_GetRef(&dataASN[RDNASN_IDX_ATTR_VAL], &str, &strLen); #ifndef WOLFSSL_NO_ASN_STRICT - /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being + /* RFC 5280 section 4.1.2.4 lists a DirectoryString as being * 1..MAX in length */ if (ret == 0 && strLen < 1) { WOLFSSL_MSG("Non conforming DirectoryString of length 0 was" @@ -21895,8 +21897,8 @@ static int CheckDate(ASNGetData *dataASN, int dateType) * @param [in] verify Whether to verify dates before and after now. * @param [out] criticalExt Critical extension return code. * @param [out] badDateRet Bad date return code. - * @param [in] stopAtPubKey Stop parsing before subkectPublicKeyInfo. - * @param [in] stopAfterPubKey Stop parsing after subkectPublicKeyInfo. + * @param [in] stopAtPubKey Stop parsing before subjectPublicKeyInfo. + * @param [in] stopAfterPubKey Stop parsing after subjectPublicKeyInfo. * @return 0 on success. * @return ASN_CRIT_EXT_E when a critical extension was not recognized. * @return ASN_TIME_E when date BER tag is nor UTC or GENERALIZED time. @@ -22005,7 +22007,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, cert->version = version; cert->serialSz = (int)serialSz; - #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) + #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \ + !defined(WOLFSSL_ASN_ALLOW_0_SERIAL) /* RFC 5280 section 4.1.2.2 states that non-conforming CAs may issue * a negative or zero serial number and should be handled gracefully. * Since it is a non-conforming CA that issues a serial of 0 then we @@ -22016,6 +22019,11 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, ret = ASN_PARSE_E; } #endif + if (cert->serialSz == 0) { + WOLFSSL_MSG("Error serial size is zero. Should be at least one " + "even with no serial number."); + ret = ASN_PARSE_E; + } cert->signatureOID = dataASN[X509CERTASN_IDX_TBS_ALGOID_OID].data.oid.sum; cert->keyOID = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID].data.oid.sum;