diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-17 19:12:55 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2022-01-07 10:45:49 +0100 |
commit | 6e98b7f153fcf9dfad1053fbb3a592166837c6fc (patch) | |
tree | 39555030ab3f7c920e90b0dfb1f5c76a52e4f272 /crypto | |
parent | fd989c734dc3f9e15d700ff9ced15125a23d4359 (diff) |
v2i_AUTHORITY_KEYID(): Improve error reporting on parsing config values/options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16345)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/err/openssl.txt | 3 | ||||
-rw-r--r-- | crypto/x509/v3_akid.c | 33 | ||||
-rw-r--r-- | crypto/x509/v3err.c | 3 |
3 files changed, 28 insertions, 11 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 6e75af9b8b..3c59fce96c 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1585,6 +1585,8 @@ UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported X509V3_R_BAD_IP_ADDRESS:118:bad ip address X509V3_R_BAD_OBJECT:119:bad object +X509V3_R_BAD_OPTION:170:bad option +X509V3_R_BAD_VALUE:171:bad value X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error X509V3_R_DIRNAME_ERROR:149:dirname error @@ -1651,6 +1653,7 @@ X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument X509V3_R_UNKNOWN_EXTENSION:129:unknown extension X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name X509V3_R_UNKNOWN_OPTION:120:unknown option +X509V3_R_UNKNOWN_VALUE:172:unknown value X509V3_R_UNSUPPORTED_OPTION:117:unsupported option X509V3_R_UNSUPPORTED_TYPE:167:unsupported type X509V3_R_USER_TOO_LONG:132:user too long diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c index 2a993dd5bc..209f32cbf7 100644 --- a/crypto/x509/v3_akid.c +++ b/crypto/x509/v3_akid.c @@ -85,14 +85,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, } /*- - * Currently two options: - * keyid: use the issuers subject keyid, the value 'always' means its is - * an error if the issuer certificate doesn't have a key id. - * issuer: use the issuers cert issuer and serial number. The default is - * to only use this if keyid is not present. With the option 'always' + * Three explicit tags may be given, where 'keyid' and 'issuer' may be combined: + * 'none': do not add any authority key identifier. + * 'keyid': use the issuer's subject keyid; the option 'always' means its is + * an error if the issuer certificate doesn't have a subject key id. + * 'issuer': use the issuer's cert issuer and serial number. The default is + * to only use this if 'keyid' is not present. With the option 'always' * this is always included. */ - static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) @@ -119,16 +119,27 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, for (i = 0; i < n; i++) { cnf = sk_CONF_VALUE_value(values, i); - if (strcmp(cnf->name, "keyid") == 0) { + if (cnf->value != NULL && strcmp(cnf->value, "always") != 0) { + ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION, + "name=%s option=%s", cnf->name, cnf->value); + goto err; + } + if (strcmp(cnf->name, "keyid") == 0 && keyid == 0) { keyid = 1; - if (cnf->value && strcmp(cnf->value, "always") == 0) + if (cnf->value != NULL) keyid = 2; - } else if (strcmp(cnf->name, "issuer") == 0) { + } else if (strcmp(cnf->name, "issuer") == 0 && issuer == 0) { issuer = 1; - if (cnf->value && strcmp(cnf->value, "always") == 0) + if (cnf->value != NULL) issuer = 2; + } else if (strcmp(cnf->name, "none") == 0 + || strcmp(cnf->name, "keyid") == 0 + || strcmp(cnf->name, "issuer") == 0) { + ERR_raise_data(ERR_LIB_X509V3, X509V3_R_BAD_VALUE, + "name=%s", cnf->name); + goto err; } else { - ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_OPTION, + ERR_raise_data(ERR_LIB_X509V3, X509V3_R_UNKNOWN_VALUE, "name=%s", cnf->name); goto err; } diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c index 6f38034c1a..b52f16f597 100644 --- a/crypto/x509/v3err.c +++ b/crypto/x509/v3err.c @@ -17,6 +17,8 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = { {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "bad ip address"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "bad object"}, + {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OPTION), "bad option"}, + {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_VALUE), "bad value"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"}, @@ -127,6 +129,7 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = { {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "unknown option"}, + {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_VALUE), "unknown value"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION), "unsupported option"}, {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE), |