authorJob Snijders <job@cvs.openbsd.org>2023-04-24 08:09:30 +0000
committerJob Snijders <job@cvs.openbsd.org>2023-04-24 08:09:30 +0000
commitf96f1e1d4f83c4f2fc41c4a6cfdd3b2e11c5a4c7 (patch)
treeb2c1db0f55e96954f2e64555e032c193093fafc4
parent2f050a5389556cefe1e0e239bd1b65e8bb7cf665 (diff)
Revert 1.32
jsing@ noted that ASN1_OP_D2I_POST might not be the best place to introduce this check (as it could lead to additional errors (ASN1_R_AUX_ERROR) being pushed onto the error stack). Additionally, without matching validation on the encoding side, this check introduces brittleness.
-rw-r--r--lib/libcrypto/asn1/x_x509.c29
1 files changed, 2 insertions, 27 deletions
diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c
index 87b714877f9..df66153c455 100644
--- a/lib/libcrypto/asn1/x_x509.c
+++ b/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.32 2023/04/23 21:31:16 job Exp $ */
+/* $OpenBSD: x_x509.c,v 1.33 2023/04/24 08:09:29 job Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -61,7 +61,6 @@
#include <openssl/opensslconf.h>
#include <openssl/asn1t.h>
-#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -195,34 +194,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
break;
- case ASN1_OP_D2I_POST: {
- const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
- long version;
-
- version = X509_get_version(ret);
- /* accept 0 despite DER requiring omission of default values */
- if (version < 0 || version > 2) {
- X509error(X509_R_INVALID_VERSION);
- return 0;
- }
-
- /* RFC 5280 section 4.1.2.8, these fields require v2 or v3 */
- X509_get0_uids(ret, &issuerUID, &subjectUID);
- if ((issuerUID != NULL || subjectUID != NULL) && version == 0) {
- X509error(X509_R_INVALID_VERSION);
- return 0;
- }
-
- /* RFC 5280 section 4.1.2.9, extensions require v3. */
- if (X509_get_ext_count(ret) != 0 && version != 2) {
- X509error(X509_R_INVALID_VERSION);
- return 0;
- }
-
+ case ASN1_OP_D2I_POST:
free(ret->name);
ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
break;
- }
case ASN1_OP_FREE_POST:
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);