Changeset 91982 in vbox for trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp

Timestamp:

Oct 21, 2021 8:43:38 PM (3 years ago)

Author:

vboxsync

Message:

IPRT/RTCrX509CertPaths: Only ignore critical subject key IDs on end entities. Extended comment. Logging. bugref:10130

File:

• trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp (modified) (3 diffs)

trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp

@@ -685 +685 @@
         pNew->uDepth   = pParent->uDepth + 1;
         RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
+        Log2Func(("pNew=%p uSrc=%u uDepth=%u\n", pNew, uSrc, pNew->uDepth));
     }
     else
@@ -725 +726 @@
 
     PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
+#if defined(LOG_ENABLED) && defined(IN_RING3)
+    if (LogIs2Enabled())
+    {
+        char szIssuer[128] = {0};
+        RTCrX509Name_FormatAsString(pIssuer, szIssuer, sizeof(szIssuer), NULL);
+        char szSubject[128] = {0};
+        RTCrX509Name_FormatAsString(&pNode->pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject), NULL);
+        Log2Func(("pNode=%p uSrc=%u uDepth=%u Issuer='%s' (Subject='%s')\n", pNode, pNode->uSrc, pNode->uDepth, szIssuer, szSubject));
+    }
+#endif
 
     /*
@@ -2585 +2596 @@
                 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID) != 0
                 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) != 0
-                && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) != 0     /* Occurred in an Intel cert. Violates RFC5280. */
                )
-                return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
-                                         "Node #%u has an unknown critical extension: %s", pThis->v.iNode, pCur->ExtnId.szObjId);
+            {
+                /* @bugref{10130}: An IntelGraphicsPE2021 cert issued by iKG_AZSKGFDCS has a critical subjectKeyIdentifier
+                                   which we quietly ignore here. RFC-5280 conforming CAs should not mark this as critical.
+                                   On an end entity this extension can have relevance to path construction. */
+                if (   pNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET
+                    && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
+                    LogFunc(("Ignoring non-standard subjectKeyIdentifier on target certificate.\n"));
+                else
+                    return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
+                                             "Node #%u has an unknown critical extension: %s",
+                                             pThis->v.iNode, pCur->ExtnId.szObjId);
+            }
         }