authorDemi Marie Obenour <demiobenour@gmail.com>2022-12-08 15:23:58 -0500
committerDemi Marie Obenour <demiobenour@gmail.com>2022-12-29 18:41:10 -0500
commit72460f50e2437a85ce5229c430931aab8f4a0d5b (patch)
tree565578d9cdd43e8a702e5473d707599e3f1b54e9
parentfd37982a19a4a2911912ce321b9468993a0919ad (diff)
downloadtrusted-firmware-a-72460f50e2437a85.tar.gz
fix(auth): require at least one extension to be present
X.509 and RFC5280 allow omitting the extensions entirely, but require that if the extensions field is present at all, it must contain at least one extension. TF-A already requires the extensions to be present, but allows them to be empty. However, a certificate with an empty extensions field will always fail later on, as the extensions contain the information needed to validate the next stage in the boot chain. Therefore, it is simpler to require the extension field to be present and contain at least one extension. Also add a comment explaining why the extensions field is required, even though it is OPTIONAL in the ASN.1 syntax. Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
-rw-r--r--drivers/auth/mbedtls/mbedtls_x509_parser.c22
1 files changed, 18 insertions, 4 deletions
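diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 8c78003bb2..9cccd964d4 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -304,7 +304,18 @@ static int cert_parse(void *img, unsigned int img_len)
 /*
 * extensions [3] EXPLICIT Extensions OPTIONAL
- * -- must use all remaining bytes in TBSCertificate
+ * }
+ *
+ * X.509 and RFC5280 allow omitting the extensions entirely.
+ * However, in TF-A, a certificate with no extensions would
+ * always fail later on, as the extensions contain the
+ * information needed to authenticate the next stage in the
+ * boot chain. Furthermore, get_ext() assumes that the
+ * extensions have been parsed into v3_ext, and allowing
+ * there to be no extensions would pointlessly complicate
+ * the code. Therefore, just reject certificates without
+ * extensions. This is also why version 1 and 2 certificates
+ * are rejected above.
 */
 ret = mbedtls_asn1_get_tag(&p, end, &len,
 MBEDTLS_ASN1_CONTEXT_SPECIFIC |
@@ -326,9 +337,12 @@ static int cert_parse(void *img, unsigned int img_len)
 v3_ext.len = end - v3_ext.p;
 /*
- * Check extensions integrity
+ * Check extensions integrity. At least one extension is
+ * required: the ASN.1 specifies a minimum size of 1, and at
+ * least one extension is needed to authenticate the next stage
+ * in the boot chain.
 */
- while (p < end) {
+ do {
 ret = mbedtls_asn1_get_tag(&p, end, &len,
 MBEDTLS_ASN1_CONSTRUCTED |
 MBEDTLS_ASN1_SEQUENCE);
@@ -356,7 +370,7 @@ static int cert_parse(void *img, unsigned int img_len)
 return IMG_PARSER_ERR_FORMAT;
 }
 p += len;
- }
+ } while (p < end);
 if (p != end) {
 return IMG_PARSER_ERR_FORMAT;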
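Review bot: In the second hunk (@@ -326), the new "at least one extension" requirement is enforced only indirectly: the `do {` form enters the loop body with `p == end` when the Extensions SEQUENCE is empty and relies on `mbedtls_asn1_get_tag()` reporting an error for zero remaining bytes, and the code that maps that error to IMG_PARSER_ERR_FORMAT lies in the part of the loop body outside the hunk. An explicit check immediately after `v3_ext.len = end - v3_ext.p;`, e.g. `if (p == end) { return IMG_PARSER_ERR_FORMAT; }`, would state the rule next to the comment that explains it, make the rejection independent of library behaviour, and let the loop remain a plain `while (p < end)`. The comment's "the ASN.1 specifies a minimum size of 1" could name its source, the `SEQUENCE SIZE (1..MAX) OF Extension` definition in RFC 5280, so a reader can verify it. cert_parse() begins and ends outside these hunks.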