Accept invalid "v3" CSRs.
Although not defined, older versions of certbot use numeric value 2,
which would be a hypothetical v3(2). See
https://github.com/certbot/certbot/pull/9334. Accept these for
compatibility.
Bug: 467
Change-Id: I47cc64503569992595bdb42baa6333058d560242
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53229
Reviewed-by: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index fe4a775..425d745 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2936,6 +2936,17 @@
-----END CERTIFICATE REQUEST-----
)";
+// kV3CSRPEM is a v3 CSR. CSR versions only go up to v1.
+static const char kV3CSRPEM[] = R"(
+-----BEGIN CERTIFICATE REQUEST-----
+MIHJMHECAQIwDzENMAsGA1UEAwwEVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABJjsayyAQod1J7UJYNT8AH4WWxLdKV0ozhrIz6hCzBAze7AqXWOSH8G+1EWC
+pSfL3oMQNtBdJS0kpXXaUqEAgTSgADAKBggqhkjOPQQDAgNIADBFAiAUXVaEYATg
+4Cc917T73KBImxh6xyhsA5pKuYpq1S4m9wIhAK+G93HR4ur7Ghel6+zUTvIAsj9e
+rsn4lSYsqI4OI4ei
+-----END CERTIFICATE REQUEST-----
+)";
+
// Test that the library enforces versions are valid and match the fields
// present.
TEST(X509Test, InvalidVersion) {
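Review bot: The comment on `kV3CSRPEM` does not say that this is the one out-of-range vector the parser deliberately accepts, so among the other invalid-version constants it reads like another negative test input. I would state the encoding and the intent in the comment, for example `// kV3CSRPEM is a CSR whose version field is INTEGER 2, a hypothetical v3(2). RFC 2986 defines only v1(0); this value is tolerated for compatibility with older certbot.` That keeps the exception visible to whoever later tightens the parser.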
@@ -2955,6 +2966,10 @@
EXPECT_FALSE(CRLFromPEM(kV3CRLPEM));
EXPECT_FALSE(CSRFromPEM(kV2CSRPEM));
+ // kV3CSRPEM is invalid but, for now, we accept it. See
+ // https://github.com/certbot/certbot/pull/9334
+ EXPECT_TRUE(CSRFromPEM(kV3CSRPEM));
+
bssl::UniquePtr<X509> x509(X509_new());
ASSERT_TRUE(x509);
EXPECT_FALSE(X509_set_version(x509.get(), -1));
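Review bot: The added `EXPECT_TRUE(CSRFromPEM(kV3CSRPEM))` pins only that version value 2 parses. Nothing in this hunk pins the upper edge of the exception, so a later change that accepted any version would still pass this test. `kV2CSRPEM` covers value 1, so I would add a vector with version value 3 and assert it is rejected, e.g. `EXPECT_FALSE(CSRFromPEM(kV4CSRPEM));` (the constant name is made up here). It would also help to assert what `X509_REQ_get_version` returns for the accepted request, because callers that branch on the version will now see a value they could not see before. The "for now" comment should name the tracking bug from the commit message (Bug: 467) so the leniency has an owner. The parser change and the rest of the test body are outside this excerpt.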