Skip unsupported extensions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 3b3aa1c..baa0618 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -112,52 +112,47 @@
}
/*
- * Detect supported extensions
+ * Detect supported extensions and skip unsupported extensions
*/
ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
- if (ret != 0) {
- *p = end_ext_data;
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- ret);
+ if (ret == 0) {
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA));
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ break;
+ }
}
-
- /* Forbid repeated extensions */
- if ((csr->ext_types & ext_type) != 0) {
- return (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
- MBEDTLS_ERR_ASN1_INVALID_DATA));
- }
-
- csr->ext_types |= ext_type;
-
- switch (ext_type) {
- case MBEDTLS_X509_EXT_KEY_USAGE:
- /* Parse key usage */
- if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
- &csr->key_usage)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
- /* Parse subject alt name */
- if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
- &csr->subject_alt_names)) != 0) {
- return ret;
- }
- break;
-
- case MBEDTLS_X509_EXT_NS_CERT_TYPE:
- /* Parse netscape certificate type */
- if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
- &csr->ns_cert_type)) != 0) {
- return ret;
- }
- break;
- default:
- break;
- }
-
*p = end_ext_data;
}
@@ -201,7 +196,6 @@
/* Check that this is an extension-request attribute */
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) {
-
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index e809498..39aab7c 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -2756,7 +2756,7 @@
X509 CSR ASN.1 (extensions: invalid extension type data)
depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
-mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_OID_NOT_FOUND
+mbedtls_x509_csr_parse:"308201B13082011A020100300F310D300B06035504030C046574636430819F300D06092A864886F70D010101050003818D0030818902818100C73892C5C3F47010086BF81335ECF3011C8A250F9582361EAA1E9612551AACF87B75330B7057339CD995F14D4C4437C8BEC4A03FE4643CD3F3C902433DC37C5B8E79AA0984AE8213370ABF8569BD2A35626CB1FEE4ACE042B2417C7BE49D27149B2C076B8E433D3F6C763A469A1C700D259DBC08C740FCD8023762FF7DEBFC2D0203010001A062306006092A864886F70D01090E31533051300B0603551D0F040403020102302F0603551DFF04283026A02406082B06010505070804A018301606072B060104011103040B3132338081008180333231301106096086480186F8420101040403020780300D06092A864886F70D01010B05000381810093D6BEE3D49597074924A061BDF0D0D08EA9A81F94825B20EE3BE8008808430639C11CB8636C13E023EEDF31B247142582A3C7FC92F766688BF4DA185CCACC6C9E12CBCDB2DA2C96DF542AF2D6A867A8C97E6BAC994454EEE40F38AD60FC8A36AF2BA6B86465B082B569AFDAA9E606D71B37E3E174517DE91B17FE9C87905EE3":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0
X509 File parse (no issues)
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C