
Certificates with an empty extensions sequence are rejected #335


Description


Example:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The certificate has an empty extensions sequence (A3 02 30 00). This is different from a certificate where the extensions sequence is missing altogether, which was fixed in #34. The certificate is rejected because of the way the loop in nested_of_mut is written: the inner loop first attempts to decode an item, and only then checks outer.at_end(). If there are no items, decoding the first item fails, so the certificate is rejected.

webpki/src/der.rs

Lines 309 to 325 in ab50614

```rust
pub(crate) fn nested_of_mut<'a>(
    input: &mut untrusted::Reader<'a>,
    outer_tag: Tag,
    inner_tag: Tag,
    error: Error,
    mut decoder: impl FnMut(&mut untrusted::Reader<'a>) -> Result<(), Error>,
) -> Result<(), Error> {
    nested(input, outer_tag, error.clone(), |outer| {
        loop {
            nested(outer, inner_tag, error.clone(), |inner| decoder(inner))?;
            if outer.at_end() {
                break;
            }
        }
        Ok(())
    })
}
```

See also openssl/openssl#20877 for a real-world example of such certificates (and a possible explanation for why they are quite rare).
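An added example to make the failure concrete; it is not code from this issue or from webpki. It uses a small stand-in for untrusted::Reader (assumption: short-form DER lengths only, raw tag bytes instead of webpki's Tag enum), the nested_of_mut loop in the shape excerpted above, an at_end()-first variant as one possible fix (an assumption, not necessarily the change webpki merged), and a count_extensions driver that runs both over the constructed value A3 02 30 00 and over a constructed value carrying two extensions. All names other than nested and nested_of_mut are this example's own.

```rust
// Added example, not webpki's code: a minimal stand-in for untrusted::Reader, the
// nested_of_mut loop from ab50614, and an at_end()-first variant, run on A3 02 30 00.

#[derive(Debug, Clone, PartialEq)]
pub enum Error { BadDer }

/// Stand-in for untrusted::Reader: a byte slice plus a cursor.
pub struct Reader<'a> { input: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    pub fn new(input: &'a [u8]) -> Self { Reader { input, pos: 0 } }
    pub fn at_end(&self) -> bool { self.pos == self.input.len() }
    pub fn skip_to_end(&mut self) { self.pos = self.input.len(); }
    pub fn read_byte(&mut self) -> Result<u8, Error> { Ok(self.read_bytes(1)?[0]) }
    pub fn read_bytes(&mut self, n: usize) -> Result<&'a [u8], Error> {
        let end = self.pos.checked_add(n).ok_or(Error::BadDer)?;
        let s = self.input.get(self.pos..end).ok_or(Error::BadDer)?;
        self.pos = end;
        Ok(s)
    }
}

/// Read one TLV with the expected tag and hand its value to `decoder`.
/// Assumption: short-form lengths only (< 128 bytes), enough for this demo.
pub fn nested<'a, R>(
    input: &mut Reader<'a>, tag: u8, error: Error,
    decoder: impl FnOnce(&mut Reader<'a>) -> Result<R, Error>,
) -> Result<R, Error> {
    if input.read_byte()? != tag { return Err(error); }
    let len = input.read_byte()?;
    if len >= 0x80 { return Err(error); }
    let mut inner = Reader::new(input.read_bytes(len as usize)?);
    let result = decoder(&mut inner)?;
    if !inner.at_end() { return Err(error); } // the value has trailing bytes
    Ok(result)
}

/// The loop as written at ab50614: decode an item first, test at_end() afterwards.
pub fn nested_of_mut_buggy<'a>(
    input: &mut Reader<'a>, outer_tag: u8, inner_tag: u8, error: Error,
    mut decoder: impl FnMut(&mut Reader<'a>) -> Result<(), Error>,
) -> Result<(), Error> {
    nested(input, outer_tag, error.clone(), |outer| {
        loop {
            nested(outer, inner_tag, error.clone(), |inner| decoder(inner))?;
            if outer.at_end() { break; }
        }
        Ok(())
    })
}

/// One possible fix: test at_end() before decoding, so zero items is accepted.
pub fn nested_of_mut_fixed<'a>(
    input: &mut Reader<'a>, outer_tag: u8, inner_tag: u8, error: Error,
    mut decoder: impl FnMut(&mut Reader<'a>) -> Result<(), Error>,
) -> Result<(), Error> {
    nested(input, outer_tag, error.clone(), |outer| {
        while !outer.at_end() {
            nested(outer, inner_tag, error.clone(), |inner| decoder(inner))?;
        }
        Ok(())
    })
}

/// Parse `extensions [3] EXPLICIT SEQUENCE OF Extension` with either loop and
/// return the number of Extension items; each item's body is just skipped.
pub fn count_extensions(der: &[u8], use_fixed: bool) -> Result<usize, Error> {
    let mut count = 0usize;
    let mut r = Reader::new(der);
    nested(&mut r, 0xA3, Error::BadDer, |exts| {
        if use_fixed {
            nested_of_mut_fixed(exts, 0x30, 0x30, Error::BadDer, |ext| { count += 1; ext.skip_to_end(); Ok(()) })
        } else {
            nested_of_mut_buggy(exts, 0x30, 0x30, Error::BadDer, |ext| { count += 1; ext.skip_to_end(); Ok(()) })
        }
    })?;
    if !r.at_end() { return Err(Error::BadDer); }
    Ok(count)
}

/// Constructed sample data (not taken from a real certificate): short-form TLV,
/// a critical Extension, and the two extensions values used in the demo.
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut v = vec![tag, body.len() as u8];
    v.extend_from_slice(body);
    v
}
fn ext(oid: &[u8], value: Vec<u8>) -> Vec<u8> {
    let mut body = tlv(0x06, oid);
    body.extend_from_slice(&[0x01, 0x01, 0xFF]); // critical TRUE
    body.extend_from_slice(&tlv(0x04, &value));
    tlv(0x30, &body)
}
/// A3 02 30 00, the empty extensions value from the report.
pub fn empty_extensions() -> Vec<u8> { tlv(0xA3, &tlv(0x30, &[])) }
/// basicConstraints (CA:FALSE) and keyUsage, both critical.
pub fn two_extensions() -> Vec<u8> {
    let bc = ext(&[0x55, 0x1D, 0x13], tlv(0x30, &[]));
    let ku = ext(&[0x55, 0x1D, 0x0F], tlv(0x03, &[0x05, 0xA0]));
    tlv(0xA3, &tlv(0x30, &[bc, ku].concat()))
}

fn main() {
    let der = empty_extensions();
    println!("buggy -> {:?}, fixed -> {:?}", count_extensions(&der, false), count_extensions(&der, true));
}
```

On A3 02 30 00 the ab50614-style loop fails because its first action is to read a tag from an already empty reader, while the at_end()-first loop returns zero items; on the two-extension value both loops count two items, so the change only affects the empty case. The Extension bodies themselves are not parsed here.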
