Skip to content

Check for duplicate extensions in a CRL #8608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Check for duplicate extensions in a CRL #8608

wants to merge 1 commit into from

Conversation

anhu
Copy link
Member

@anhu anhu commented Mar 28, 2025
edited
Loading

Fixes #8591

@anhu anhu requested a review from wolfSSL-Bot March 28, 2025 22:58
@anhu anhu self-assigned this Mar 28, 2025
@anhu anhu assigned wolfSSL-Bot and unassigned anhu Mar 28, 2025
JacobBarthelmeh
JacobBarthelmeh requested changes Mar 31, 2025
View reviewed changes
wolfcrypt/src/asn.c
WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension");
}
#endif
/* Check for duplicate extension */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please comment with the RFC for the reason this is enforced. Also should it be guarded by WOLFSSL_NO_ASN_STRICT? i.e does it differ in behavior for OpenSSL compatibility uses and with wolfCLU?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No guarding required. 2 extensions of the same type makes no sense as it there would be ambiguity as one would have to be ignored.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More what I'm concerned about is that our wolfCLU app after these changes can not parse the bad example CRL with duplicate extensions (which yes our library should not act on by default...) but OpenSSL command line utility can parse it.

@JacobBarthelmeh
Copy link
Contributor

The commented github issue fixed is an arduino build issue from Apr 2017. Was that a typo?

@JacobBarthelmeh JacobBarthelmeh assigned anhu and unassigned wolfSSL-Bot Mar 31, 2025
@anhu
Copy link
Member Author

anhu commented Apr 2, 2025

Yes. typo!! Hold on.

@anhu anhu assigned JacobBarthelmeh and unassigned anhu Apr 4, 2025
@anhu anhu requested a review from JacobBarthelmeh April 4, 2025 14:55
@anhu anhu assigned anhu and unassigned JacobBarthelmeh Apr 7, 2025
@anhu
Copy link
Member Author

anhu commented Apr 7, 2025

Jacob makes a valid point. If OpenSSL validates then we should make it possible for wolfCLU to validate as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

@JacobBarthelmeh JacobBarthelmeh Awaiting requested review from JacobBarthelmeh

Requested changes must be addressed to merge this pull request.

Assignees

@anhu anhu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Two AKI extensions
3 participants
@anhu @JacobBarthelmeh @wolfSSL-Bot