mbedtls_x509_crt_parse_der_with_ext_cb improvement

Continue parsing when the callback fails to parse a non critical exception. Also document the behaviour more extensively and pass the callback error code to the caller unaltered. See https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630548 and https://github.com/ARMmbed/mbedtls/pull/3243#discussion_r432630968 Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2025-10-30 19:20:40 -04:00 · 2020-05-29 22:46:56 +02:00 · 2020-05-29 22:46:56 +02:00 · 565b52bb72
commit 565b52bb72
parent 5659e7e889
2 changed files with 15 additions and 5 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -317,9 +317,14 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
 * \param p        Pointer to the start of the extension value
 *                 (the content of the OCTET STRING).
 * \param end      End of extension value.
-  *
- * \note           The callback must fail and return a negative error code if
- *                 it can not parse or does not support the extension.
+ *
+ * \note           The callback must fail and return a negative error code
+ *                 if it can not parse or does not support the extension.
+ *                 When the callback fails to parse a critical extension
+ *                 mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ *                 When the callback fails to parse a non critical extension
+ *                 mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ *                 the extension and continues parsing.
 *
 * \return         \c 0 on success.
 * \return         A negative error code on failure.
@ -358,6 +363,11 @@ typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
 *                   certificate extension.
 *                   The callback must return a negative error code if it
 *                   does not know how to handle such an extension.
+ *                   When the callback fails to parse a critical extension
+ *                   mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ *                   When the callback fails to parse a non critical extension
+ *                   mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ *                   the extension and continues parsing.
 *
 * \return           \c 0 if successful.
 * \return           A negative error code on failure.
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -961,8 +961,8 @@ static int x509_get_crt_ext( unsigned char **p,
            if( cb != NULL )
            {
                ret = cb( p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet );
-                if( ret != 0 )
-                    return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+                if( ret != 0 && is_critical )
+                    return( ret );
                *p = end_ext_octet;
                continue;
            }