Disable check that X.509 extensions implies v3.

Expect to reenable in January 2021.

Change-Id: I364ffcf235901398196c60c45ff1c07fcac3f801
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43024
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 599abf5..07bf2cb 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2372,6 +2372,11 @@
     "xAcCIHweeRRqIYPwenRoeV8UmZpotPHLnhVe5h8yUmFedckU\n"
     "-----END CERTIFICATE-----\n";
 
+/*
+
+Test cases disabled. TODO re-enable in Jan 2021.
+https://crbug.com/boringssl/375
+
 // kV1WithExtensionsPEM is an X.509v1 certificate with extensions.
 static const char kV1WithExtensionsPEM[] =
     "-----BEGIN CERTIFICATE-----\n"
@@ -2401,6 +2406,7 @@
     "BgcqhkjOPQQBA0gAMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E\n"
     "BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=\n"
     "-----END CERTIFICATE-----\n";
+*/
 
 // kV1WithIssuerUniqueIDPEM is an X.509v1 certificate with an issuerUniqueID.
 static const char kV1WithIssuerUniqueIDPEM[] =
@@ -2440,8 +2446,10 @@
   EXPECT_FALSE(CertFromPEM(kNegativeVersionPEM));
   EXPECT_FALSE(CertFromPEM(kFutureVersionPEM));
   EXPECT_FALSE(CertFromPEM(kOverflowVersionPEM));
-  EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
-  EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
+  // Test cases disabled. TODO re-enable in Jan 2021.
+  // https://crbug.com/boringssl/375
+  //EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
+  //EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
   EXPECT_FALSE(CertFromPEM(kV1WithIssuerUniqueIDPEM));
   EXPECT_FALSE(CertFromPEM(kV1WithSubjectUniqueIDPEM));
 }
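Review bot: With both `EXPECT_FALSE` lines commented out, nothing in this test covers how the parser treats v1/v2 certificates that carry extensions, so neither the temporary acceptance nor the later re-enable is pinned by a test. If acceptance is the intended interim behaviour, asserting it would force an edit when the check returns, e.g. `EXPECT_TRUE(CertFromPEM(kV1WithExtensionsPEM));  // TODO(crbug.com/boringssl/375): restore EXPECT_FALSE`, and likewise for `kV2WithExtensionsPEM`. This assumes the two fixtures are otherwise well-formed, and it requires leaving them compiled instead of wrapping them in the `/* ... */` that the two earlier hunks of this file open and close. The test function's opening is outside the hunk.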
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index cddceb8..ab24651 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -136,10 +136,12 @@
         }
 
         /* Per RFC5280, section 4.1.2.9, extensions require v3. */
+        /* Check disabled. TODO re-enable in Jan 2021.
+           https://crbug.com/boringssl/375
         if (version != 2 && ret->cert_info->extensions != NULL) {
             OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
             return 0;
-        }
+        }*/
 
         break;
     }
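Review bot: The retained comment `/* Per RFC5280, section 4.1.2.9, extensions require v3. */` now sits above a disabled block and reads as if the rule is still enforced, while the parser accepts v1 and v2 certificates whose `extensions` field is non-NULL. I would state the interim behaviour directly: `/* TODO(crbug.com/boringssl/375): RFC 5280, section 4.1.2.9 requires v3 for extensions. Enforcement is temporarily disabled, so non-v3 certificates with extensions are accepted here. */`. Any caller that relied on the parser to reject such certificates will now see extensions on them, so the comment is the place to warn about that. Wrapping the `if` in `#if 0` / `#endif` instead of `/* ... }*/` would also keep the disabled code intact if a comment is ever added inside it. The enclosing block starts and ends outside the hunk.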