[Bug]: WolfSSL reject a critical Policy Mappings #8524
Description
Contact Details
Version
ubutun 5.7.6
Description
./configure
make
sudo make install
./testsuite/testsuite.test
wolfSSL is configured and built by default
Reproduction steps
Use this script for certificate verification
// gcc -g verify.c -o verify -lwolfssl
#include <wolfssl/options.h>
#include <stdlib.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/ssl.h>
int wolfSSL_Verify_PEM(char * cac, char * ec){
int ret = 0;
// to create a new wolfSSL cert manager
WOLFSSL_CERT_MANAGER* cm;
cm = wolfSSL_CertManagerNew();
if (cm == NULL){
printf("Creating a new wolfSSL_CertManager failed!\n");
exit(1);
}
// to load cac to the created wolfSSL_CertManager
ret = wolfSSL_CertManagerLoadCA(cm, cac, NULL);
if (ret != SSL_SUCCESS){
printf("Loading cac to the created wolfSSL_CertManager failed!\n");
exit(2);
}
// to verify the ec in the created wolfSSL_CertManager
ret = wolfSSL_CertManagerVerify(cm, ec, SSL_FILETYPE_PEM);
if (ret != SSL_SUCCESS){
printf("wolfSSL_CertManagerVerify filed and with return code %d and error message %s\n",
ret,
wolfSSL_ERR_reason_error_string(ret));
}
else{
printf("The target cert has passed through verification.\n");
}
// to free cm
wolfSSL_CertManagerFree(cm);
return ret;
}
int main(int argc, char ** argv){
char * cac = argv[1];
char * ec = argv[2];
wolfSSL_Verify_PEM(cac, ec);
return 0;
}
Actual result:
./verify RootCA.pem Cert17408146207.pem
wolfSSL_CertManagerVerify failed with return code -160 and error message X.509 Critical extension ignored or invalid.
Cert17408146207.pem failed verification.
Expected result:
Consistent verification result between wolfSSL and RFC 5280+other TLS(OpenSSL:Verifying Cert17408146207.pem: OK) implementations.
The target cert Cert17408146207.pem has passed verification.
RFC5280Section 4.2.1.5 mentions:Conforming CAs SHOULD mark this extension as critical.