v2i_AUTHORITY_KEYID(): Improve error reporting on parsing config values/options

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16345)

3 files changed, 28 insertions, 11 deletions

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 6e75af9b8b..3c59fce96c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1585,6 +1585,8 @@ UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value
 UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
 X509V3_R_BAD_IP_ADDRESS:118:bad ip address
 X509V3_R_BAD_OBJECT:119:bad object
+X509V3_R_BAD_OPTION:170:bad option
+X509V3_R_BAD_VALUE:171:bad value
 X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
 X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
 X509V3_R_DIRNAME_ERROR:149:dirname error
@@ -1651,6 +1653,7 @@ X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument
 X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
 X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
 X509V3_R_UNKNOWN_OPTION:120:unknown option
+X509V3_R_UNKNOWN_VALUE:172:unknown value
 X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
 X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
 X509V3_R_USER_TOO_LONG:132:user too long
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 2a993dd5bc..209f32cbf7 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -85,14 +85,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 }
 
 /*-
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
+ * Three explicit tags may be given, where 'keyid' and 'issuer' may be combined:
+ * 'none': do not add any authority key identifier.
+ * 'keyid': use the issuer's subject keyid; the option 'always' means its is
+ * an error if the issuer certificate doesn't have a subject key id.
+ * 'issuer': use the issuer's cert issuer and serial number. The default is
+ * to only use this if 'keyid' is not present. With the option 'always'
  * this is always included.
  */
-
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                             X509V3_CTX *ctx,
                                             STACK_OF(CONF_VALUE) *values)
@@ -119,16 +119,27 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 
     for (i = 0; i < n; i++) {
         cnf = sk_CONF_VALUE_value(values, i);
-        if (strcmp(cnf->name, "keyid") == 0) {
+        if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) {
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+                           "name=%s option=%s", cnf->name, cnf->value);
+            goto err;
+        }
+        if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) {
             keyid = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value != NULL)
                 keyid = 2;
-        } else if (strcmp(cnf->name, "issuer") == 0) {
+        } else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) {
             issuer = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value != NULL)
                 issuer = 2;
+        } else if (strcmp(cnf->name, "none") == 0
+                   || strcmp(cnf->name, "keyid") == 0
+                   || strcmp(cnf->name, "issuer") == 0) {
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE,
+                           "name=%s", cnf->name);
+            goto err;
         } else {
-            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION,
+            ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE,
                            "name=%s", cnf->name);
             goto err;
         }
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index 6f38034c1a..b52f16f597 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -17,6 +17,8 @@
 static const ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OPTION), "bad option"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_VALUE), "bad value"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
     "bn to asn1 integer error"},
@@ -127,6 +129,7 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME),
     "unknown extension name"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"},
+    {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_VALUE), "unknown value"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION),
     "unsupported option"},
     {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE),