Revert "Revert "Disable check that X.509 extensions implies v3."" This reverts commit 4251d0d3f66a182e1b1ff22e9d0085613a1253ec, except that the reland dates have been updated to not be in the past. Change-Id: I7812c0e36d87ed1e049ec0a7d92a23efec881a81 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45704 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 0debb8a..3a6740f 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2576,6 +2576,11 @@
 -----END CERTIFICATE-----
 )";
+/*
+
+Test cases disabled. TODO re-enable in April 2021.
+https://crbug.com/boringssl/375
+
 // kV1WithExtensionsPEM is an X.509v1 certificate with extensions.
 static const char kV1WithExtensionsPEM[] = R"(
 -----BEGIN CERTIFICATE-----
@@ -2607,6 +2612,7 @@
 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
 -----END CERTIFICATE-----
 )";
+*/
 // kV1WithIssuerUniqueIDPEM is an X.509v1 certificate with an issuerUniqueID.
 static const char kV1WithIssuerUniqueIDPEM[] = R"(
@@ -2648,8 +2654,10 @@
 EXPECT_FALSE(CertFromPEM(kNegativeVersionPEM));
 EXPECT_FALSE(CertFromPEM(kFutureVersionPEM));
 EXPECT_FALSE(CertFromPEM(kOverflowVersionPEM));
- EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
- EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
+ // Test cases disabled. TODO re-enable in April 2021.
+ // https://crbug.com/boringssl/375
+ //EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
+ //EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
 EXPECT_FALSE(CertFromPEM(kV1WithIssuerUniqueIDPEM));
 EXPECT_FALSE(CertFromPEM(kV1WithSubjectUniqueIDPEM));
 }
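Review bot: Coverage of the v1/v2-with-extensions inputs is dropped in the third hunk rather than turned into an assertion of the behaviour the change introduces; while the check in x_x509.c is disabled, `CertFromPEM(kV1WithExtensionsPEM)` and `CertFromPEM(kV2WithExtensionsPEM)` presumably now succeed, and a test pinning that would document the temporary state and fail loudly when the check is re-enabled. That requires the two constants, which the first and second hunks wrap in a `/* … */` block comment, to stay defined; I would keep the definitions and replace the two commented-out lines with `// Check disabled, see https://crbug.com/boringssl/375`, `EXPECT_TRUE(CertFromPEM(kV1WithExtensionsPEM));`, `EXPECT_TRUE(CertFromPEM(kV2WithExtensionsPEM));`. If the definitions must go, `#if 0` is the safer way to disable them, since the block comment only works while no raw-string content contains `*/`. The test function holding the assertions starts outside the hunk.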
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index ff0bff8..f6b63b6 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -136,10 +136,12 @@
 }
 /* Per RFC5280, section 4.1.2.9, extensions require v3. */
+ /* Check disabled. TODO re-enable in April 2021.
+ https://crbug.com/boringssl/375
 if (version != 2 && ret->cert_info->extensions != NULL) {
 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
 return 0;
- }
+ }*/
 break;
 }
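Review bot: The `/* Per RFC5280, section 4.1.2.9, extensions require v3. */` comment left standing above the now commented-out `if` reads as if the requirement were still enforced, while in fact a v1 or v2 certificate carrying an extensions field parses successfully and `X509_R_INVALID_FIELD_FOR_VERSION` is no longer raised for it. The added comment gives a date but not that consequence; I would merge the two into one comment stating that the v3 requirement is not enforced until the check is restored, that such certificates are accepted here, and that the bug link explains why. What later verification code does with extensions on a certificate that declares v1 is not visible in this hunk and is worth confirming against the callers. The enclosing switch and function start and end outside the hunk.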