be more strict on CSR version number allowed

wolfSSL · Jun 18, 2024 · 07967ba · 07967ba
1 parent eef20ce
commit 07967ba
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -31162,6 +31162,13 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     DerCert der[1];
 #endif
 
+    /* check that the cert. req. version matches rfc2986 sect. 4.1 */
+    if (cert->version != 0) {
+        WOLFSSL_MSG("Only version 0 for CSR supported");
+        WOLFSSL_ERROR_VERBOSE(ASN_VERSION_E);
+        return ASN_VERSION_E;
+    }
+
     if (eccKey)
         cert->keyType = ECC_KEY;
     else if (rsaKey)
@@ -31249,6 +31256,13 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     (void)dilithiumKey;
     (void)sphincsKey;
 
+    /* check that the cert. req. version matches rfc2986 sect. 4.1 */
+    if (cert->version != 0) {
+        WOLFSSL_MSG("Only version 0 for CSR supported");
+        WOLFSSL_ERROR_VERBOSE(ASN_VERSION_E);
+        return ASN_VERSION_E;
+    }
+
     CALLOC_ASNSETDATA(dataASN, certReqBodyASN_Length, ret, cert->heap);
 
     if (ret == 0) {

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -21820,6 +21820,13 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
     #endif /* WOLFSSL_EKU_OID */
     #endif /* WOLFSSL_CERT_EXT */
 
+        req->version = 2; /* test bad version fails */
+        derSz = wc_MakeCertReq(req, der, FOURK_BUF, key, NULL);
+        if (derSz >= 0) {
+            ERROR_OUT(-7976, exit_rsa);
+        }
+
+        req->version = 0;
         derSz = wc_MakeCertReq(req, der, FOURK_BUF, key, NULL);
         if (derSz < 0) {
             ERROR_OUT(WC_TEST_RET_ENC_EC(derSz), exit_rsa);