From 32e20919aca51ea348ad50c863c56320e59aa5aa Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Wed, 25 Jan 2023 14:26:15 +0100
Subject: [PATCH] Remove redundant check and add comment to inform about processing of empty extensions

Netscape Certificate Management System Administrator's Guide: Extension-Specific Policy Modules, Chapter 18: Extension-Specific Policy Modules, Netscape Certificate Type Extension Policy:

> The extension has no default value. A bitstring with no flags set is still technically valid, as it will mean that the certificate has no designated purpose at the time of creation.

Signed-off-by: Przemek Stekiel
---
 library/x509.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/library/x509.c b/library/x509.c
index 9869b05e5..81e30e4ac 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1328,6 +1328,8 @@ int mbedtls_x509_get_ns_cert_type(unsigned char **p,
         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
     }
 
+    /* A bitstring with no flags set is still technically valid, as it will mean
+       that the certificate has no designated purpose at the time of creation. */
     if (bs.len == 0) {
         *ns_cert_type = 0;
         return 0;
@@ -1355,16 +1357,13 @@ int mbedtls_x509_get_key_usage(unsigned char **p,
         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
     }
 
+    /* A bitstring with no flags set is still technically valid, as it will mean
+       that the certificate has no designated purpose at the time of creation. */
     if (bs.len == 0) {
         *key_usage = 0;
         return 0;
     }
 
-    if (bs.len < 1) {
-        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
-                                 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
-    }
-
     /* Get actual bitstring */
     *key_usage = 0;
     for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
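Review bot: The comment inserted before `if (bs.len == 0)` in mbedtls_x509_get_key_usage reuses the Netscape Certificate Type wording, but keyUsage is governed by RFC 5280, whose section 4.2.1.3 says that when the extension is present at least one bit MUST be set, so an empty bit string here is a deliberate parser leniency rather than "technically valid". I would make that explicit so nobody later reads the comment as a conformance claim, e.g. `/* RFC 5280 4.2.1.3 requires at least one bit to be set; an empty bit string is nevertheless accepted and mapped to key_usage = 0 (no usage granted) rather than rejecting the certificate. */`. Whether key_usage = 0 makes later usage checks fail for every requested purpose is decided outside this function and is worth confirming before relying on it. The same wording in the mbedtls_x509_get_ns_cert_type hunk is fine, since it quotes the guide that defines that extension. The removed `bs.len < 1` block was unreachable after the `== 0` return, and the body of mbedtls_x509_get_key_usage starts and ends outside the hunk.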