authorTheo Buehler <tb@cvs.openbsd.org>2023-06-20 14:21:20 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-06-20 14:21:20 +0000
commitbffa23659a44d1273fba29e9c8a393edeab8bdb6 (patch)
treea2d2dfb8de9205ee3389163d1f1f212141472dc1
parentfa53f4380aef9f8874eef2965a2d542ea2961b23 (diff)
Improve certificate version checks in x509v3_cache_extensions()
Only allow versions v1-v3, disallow issuerUID and subjectUID in v1 certs and require that the cert be v3 if X509v3 extensions are present. Initial diff from job ok job jsing
-rw-r--r--lib/libcrypto/x509/x509_purp.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 85d9b77f68d..75d229b03bd 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.25 2023/04/23 21:49:15 job Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.26 2023/06/20 14:21:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -449,6 +449,7 @@ x509v3_cache_extensions_internal(X509 *x)
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
+ long version;
int i;
if (x->ex_flags & EXFLAG_SET)
@@ -456,12 +457,18 @@ x509v3_cache_extensions_internal(X509 *x)
X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL);
- /* V1 should mean no extensions ... */
- if (X509_get_version(x) == 0) {
+ version = X509_get_version(x);
+ if (version < 0 || version > 2)
+ x->ex_flags |= EXFLAG_INVALID;
+ if (version == 0) {
x->ex_flags |= EXFLAG_V1;
- if (X509_get_ext_count(x) != 0)
+ /* UIDs may only appear in v2 or v3 certs */
+ if (x->cert_info->issuerUID != NULL ||
+ x->cert_info->subjectUID != NULL)
x->ex_flags |= EXFLAG_INVALID;
}
+ if (version != 2 && X509_get_ext_count(x) != 0)
+ x->ex_flags |= EXFLAG_INVALID;
/* Handle basic constraints */
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
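Review bot: The range check `if (version < 0 || version > 2)` carries no comment explaining what it tests, while the UID check a few lines below does; 0 and 2 are the DER encoding of v1 and v3 (the version field holds v-1), which a reader of x509_purp.c should not have to reconstruct. I would add `/* Only v1, v2 and v3 (encoded 0..2) are defined; anything else is invalid (RFC 5280, 4.1.2.1) */` above that line and `/* RFC 5280, 4.1.2.1: a cert carrying extensions must be v3 */` above `if (version != 2 && X509_get_ext_count(x) != 0)`, so the three checks read as one RFC-derived policy. A negative value from X509_get_version() is presumably an ASN1_INTEGER_get() failure rather than a real version, which the range check folds into EXFLAG_INVALID; if that is the intent it belongs in the comment too. These checks only flag the certificate and the function continues decoding its extensions, which matches how the rest of x509v3_cache_extensions_internal() reports problems; the function begins and ends outside this hunk.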