commit d422d2c4aada2218b12916d6989424ee0bee7907
author David Benjamin <davidben@google.com> Tue Jul 27 20:11:14 2021 -0400
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Jul 28 00:47:05 2021 +0000
tree 1c2fdad7bc1f9b4e63249b57d399dd87a36378a2
parent c1571feb5faf5cce844354c63d0f3e842464bea3

Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""

This reverts commit be9a86f459f8e785bac42abcea5d13bd4ded251e. Let's try
this again.

Bug: 375
Change-Id: Ie01cced8017835b2cc6d80e5e81a4508a37fbbaf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48625
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/x509/x509_test.cc

diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index fde8bd5..d2813fa 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -2566,11 +2566,6 @@
 -----END CERTIFICATE-----
 )";
 
-/*
-
-Test cases disabled. TODO re-enable in April 2021.
-https://crbug.com/boringssl/375
-
 // kV1WithExtensionsPEM is an X.509v1 certificate with extensions.
 static const char kV1WithExtensionsPEM[] = R"(
 -----BEGIN CERTIFICATE-----
@@ -2602,7 +2597,6 @@
 BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQ=
 -----END CERTIFICATE-----
 )";
-*/
 
 // kV1WithIssuerUniqueIDPEM is an X.509v1 certificate with an issuerUniqueID.
 static const char kV1WithIssuerUniqueIDPEM[] = R"(
@@ -2644,10 +2638,8 @@
   EXPECT_FALSE(CertFromPEM(kNegativeVersionPEM));
   EXPECT_FALSE(CertFromPEM(kFutureVersionPEM));
   EXPECT_FALSE(CertFromPEM(kOverflowVersionPEM));
-  // Test cases disabled. TODO re-enable in April 2021.
-  // https://crbug.com/boringssl/375
-  //EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
-  //EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
+  EXPECT_FALSE(CertFromPEM(kV1WithExtensionsPEM));
+  EXPECT_FALSE(CertFromPEM(kV2WithExtensionsPEM));
   EXPECT_FALSE(CertFromPEM(kV1WithIssuerUniqueIDPEM));
   EXPECT_FALSE(CertFromPEM(kV1WithSubjectUniqueIDPEM));
 }

crypto/x509/x_x509.c

diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index f6b63b6..ff0bff8 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -136,12 +136,10 @@
         }
 
         /* Per RFC5280, section 4.1.2.9, extensions require v3. */
-        /* Check disabled. TODO re-enable in April 2021.
-           https://crbug.com/boringssl/375
         if (version != 2 && ret->cert_info->extensions != NULL) {
             OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
             return 0;
-        }*/
+        }
 
         break;
     }