
Commit c970a81

committed
asn/settings: document X509_VERIFY_ONLY/X509_TINY options and fail-closed on critical stripped extensions under TINY
1 parent 34ad7de commit c970a81

2 files changed

Lines changed: 11 additions & 5 deletions


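--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -156,6 +156,12 @@ ASN Options:
 * WOLFSSL_ALLOW_CRIT_AKID: Allow critical Auth Key Identifier
 * WOLFSSL_ALLOW_CRIT_SKID: Allow critical Subject Key Identifier
 * WC_ASN_UNKNOWN_EXT_CB: Callback for unknown extensions
+* WOLFSSL_X509_VERIFY_ONLY: Verify-only profile. Drops cert/key generation and
+forces WOLFSSL_NO_PEM unless a gen add-back (WOLFSSL_X509_CERT_GEN /
+WOLFSSL_X509_KEY_GEN) or WOLFSSL_X509_PEM is set.
+* WOLFSSL_X509_TINY: Minimal-extension profile. Compiles out optional
+X.509 extension decoders behind per-feature WOLFSSL_X509_TINY_<F> add-back
+macros. Requires WOLFSSL_ASN_TEMPLATE (enforced with #error).
 *
 * ASN.1 Parsing:
 * WOLFSSL_ASN_ALL: Enable all ASN.1 features
@@ -21354,7 +21360,9 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
 default:
 if (isUnknownExt != NULL)
 *isUnknownExt = 1;
-#ifndef WOLFSSL_NO_ASN_STRICT
+/* TINY reaches default: for stripped extensions too, so reject a
+ * critical one even under NO_ASN_STRICT to stay fail-closed. */
+#if !defined(WOLFSSL_NO_ASN_STRICT) || defined(WOLFSSL_X509_TINY)
 /* While it is a failure to not support critical extensions,
 * still parse the certificate ignoring the unsupported
 * extension to allow caller to accept it with the verify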
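Review bot: The new `|| defined(WOLFSSL_X509_TINY)` on the `#if` in DecodeExtensionType makes the critical-extension handling unconditional under TINY, but the WOLFSSL_X509_TINY entry added to the ASN Options header in the first hunk does not say that this profile overrides WOLFSSL_NO_ASN_STRICT. A reader who builds with both will expect the lenient NO_ASN_STRICT behaviour and instead get the strict path for any certificate carrying a critical extension whose decoder was compiled out, which is exactly what a minimal profile is likely to hit. Suggest appending to that entry: `* Critical extensions whose decoder is compiled out take the strict path even with WOLFSSL_NO_ASN_STRICT.` The body of DecodeExtensionType, including the branch this `#if` guards, continues outside the hunk, so the "reject" semantics are inferred from the new comment rather than from visible code.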

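--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -4344,11 +4344,9 @@ blinding by defining WC_BLINDING_NO_RNG_ACKNOWLEDGE_WEAKNESS."
 #define OPENSSL_EXTRA_X509_SMALL
 #endif /* OPENSSL_EXTRA */
 
-/* X.509 verify-only profile (placed before DER_TO_PEM/OCSP derivations so they
-* observe it). Drives existing switches so defs and callers stay consistent;
-* WOLFSSL_X509_<f> adds a feature back. */
+/* X.509 verify-only profile. Define WOLFSSL_X509_PEM (or a gen add-back) to keep
+* PEM parsing, else WOLFSSL_NO_PEM below also disables PEM-to-DER trust anchors. */
 #ifdef WOLFSSL_X509_VERIFY_ONLY
-/* Cert/key generation add-backs need the PEM helpers, so don't strip PEM. */
 #if !defined(WOLFSSL_X509_PEM) && !defined(WOLFSSL_NO_PEM) && \
 !defined(WOLFSSL_X509_CERT_GEN) && !defined(WOLFSSL_X509_KEY_GEN)
 #define WOLFSSL_NO_PEM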
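Review bot: The rewritten comment drops the statement that this block must sit before the DER_TO_PEM/OCSP derivations so they observe WOLFSSL_NO_PEM; if that ordering constraint still holds, the new wording should keep it, otherwise a later reorder of settings.h can silently leave PEM enabled under WOLFSSL_X509_VERIFY_ONLY with nothing in the file saying why the position mattered. The removed line explaining why WOLFSSL_X509_CERT_GEN / WOLFSSL_X509_KEY_GEN are excluded from the strip is also gone, and "(or a gen add-back)" no longer gives the reason. Suggest one line inside the `#ifdef`: `/* Keep before the DER_TO_PEM/OCSP derivations; gen add-backs need the PEM helpers. */`. The `#ifdef WOLFSSL_X509_VERIFY_ONLY` block continues past the hunk.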
