x509 certificate parsing error


May 1, 2014 20:59
Sungjin Park

Hi,

I'm writing a program to verify a signature with PolarSSL. When I do testing, a certificate parsing error occurs. My program calls the x509_crt_parse() function and it returns -0x2562, which is an XOR value of POLARSSL_ERR_X509_INVALID_EXTENSION and POLARSSL_ERR_ASN1_UNEXPECTED_TAG.

Of course, OpenSSL works very well with this certificate.

I've pasted this certificate below. This certificate is issued by the Privacy CA whose URL is http://www.privacyca.com.

Regards,

Sungjin.

May 2, 2014 08:47
Paul Bakker

It is because PolarSSL does not support enforcement of the Certificate Policies extension (yet).

As per RFC 5280, a library should deny any certificate with a critical extension it cannot enforce. So this is a sane default for PolarSSL.

You can make PolarSSL parse it anyway by defining POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in config.h. This will make sure PolarSSL accepts even critical extensions it cannot enforce itself.
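
The RFC 5280 rule from the answer above, as an added example that is not part of the original thread and is not PolarSSL code: a minimal C walker over a DER-encoded Extensions sequence that counts critical extensions outside an enforced set. The function names, the sample bytes and the enforced set (basicConstraints and keyUsage) are assumptions made for illustration.

```c
#include <stddef.h>

/* Constructed sample, not the certificate from this thread: basicConstraints (critical),
 * certificatePolicies (critical) and subjectKeyIdentifier (non-critical). */
static const unsigned char SAMPLE_EXTS[] = {
    0x30, 0x31,
    0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
    0x30, 0x14, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x01, 0x01, 0xff, 0x04, 0x0a,
                0x30, 0x08, 0x30, 0x06, 0x06, 0x04, 0x55, 0x1d, 0x20, 0x00,
    0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x04, 0x04, 0x02, 0xaa, 0xbb };

/* Read a DER header with the expected tag; on success *p points at the value bytes. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char tag, size_t *len) {
    if (end - *p < 2 || **p != tag) return -1;
    size_t n = (*p)[1], k = n & 0x7f;
    *p += 2;
    if (n & 0x80) {                      /* long form: k length bytes follow */
        if (k == 0 || k > 2 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;   /* value must fit inside the buffer */
    *len = n;
    return 0;
}

/* Count critical extensions whose OID is outside the enforced set (assumed here:
 * basicConstraints 2.5.29.19 and keyUsage 2.5.29.15). Returns -1 on malformed input. */
int count_unenforced_critical(const unsigned char *p, size_t total) {
    const unsigned char *end = p + total;
    size_t len;
    int bad = 0;
    if (der_hdr(&p, end, 0x30, &len) != 0 || p + len != end) return -1;
    while (p < end) {
        if (der_hdr(&p, end, 0x30, &len) != 0) return -1;      /* Extension SEQUENCE */
        const unsigned char *ext_end = p + len;
        if (der_hdr(&p, ext_end, 0x06, &len) != 0) return -1;  /* extnID */
        int known = len == 3 && p[0] == 0x55 && p[1] == 0x1d &&
                    (p[2] == 0x13 || p[2] == 0x0f);
        p += len;
        int critical = 0;                /* BOOLEAN is optional, DEFAULT FALSE */
        if (ext_end - p >= 3 && p[0] == 0x01 && p[1] == 0x01) { critical = p[2] != 0; p += 3; }
        if (der_hdr(&p, ext_end, 0x04, &len) != 0 || p + len != ext_end) return -1;
        if (critical && !known) bad++;   /* RFC 5280: such a certificate must be rejected */
        p = ext_end;
    }
    return bad;
}

int main(void) { return count_unenforced_critical(SAMPLE_EXTS, sizeof SAMPLE_EXTS) == 1 ? 0 : 1; }
```

When POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION is defined, a check of this kind is what the application would have to do for itself.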