diff --git a/src/crypto_wrappers/openssl/gen_cert.c b/src/crypto_wrappers/openssl/gen_cert.c
index 4ed0664..04adaa4 100644
--- a/src/crypto_wrappers/openssl/gen_cert.c
+++ b/src/crypto_wrappers/openssl/gen_cert.c
@@ -195,7 +195,7 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_tls_cert_a
 /* Add evidence extension */
 if (cert_info->evidence_buffer_size) {
 /* The DiceTaggedEvidence extension criticality flag SHOULD be marked critical. */
- if (!x509_extension_add(cert, TCG_DICE_TAGGED_EVIDENCE_OID, true,
+ if (!x509_extension_add(cert, TCG_DICE_TAGGED_EVIDENCE_OID, false,
 cert_info->evidence_buffer,
 cert_info->evidence_buffer_size) != RATS_TLS_ERR_NONE)
 goto err;
@@ -203,7 +203,7 @@ crypto_wrapper_err_t openssl_gen_cert(crypto_wrapper_ctx_t *ctx, rats_tls_cert_a
 
 /* Add endorsements extension */
 if (cert_info->endorsements_buffer_size) {
- if (!x509_extension_add(cert, TCG_DICE_ENDORSEMENT_MANIFEST_OID, true,
+ if (!x509_extension_add(cert, TCG_DICE_ENDORSEMENT_MANIFEST_OID, false,
 cert_info->endorsements_buffer,
 cert_info->endorsements_buffer_size) != RATS_TLS_ERR_NONE)
 goto err;
diff --git a/src/tls_wrappers/openssl/un_negotiate.c b/src/tls_wrappers/openssl/un_negotiate.c
index 6ca0aee..daf2814 100644
--- a/src/tls_wrappers/openssl/un_negotiate.c
+++ b/src/tls_wrappers/openssl/un_negotiate.c
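Review bot: The context comment directly above the changed call, `/* The DiceTaggedEvidence extension criticality flag SHOULD be marked critical. */`, now contradicts the `false` the new line passes, and the reason for departing from the TCG DICE recommendation is recorded nowhere in this hunk. The departure has a security consequence worth stating next to it: once the extension is non-critical, a verifier that does not recognise the OID will accept the certificate instead of rejecting it, so the evidence is enforced only if the peer's verify callback explicitly requires and checks it — that check is not visible in this diff and should be confirmed. Replace the comment with something like `/* TCG DICE says this SHOULD be critical; we emit it non-critical because OpenSSL's verify callback cannot tell this extension's X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION from any other unknown critical extension, so the verifier must require the evidence itself. */`. openssl_gen_cert starts and ends outside the hunk.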
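Review bot: The new line keeps the pre-existing condition shape `if (!x509_extension_add(...) != RATS_TLS_ERR_NONE)`, which negates the call's result and then compares that 0/1 value against an error code; it only branches correctly if x509_extension_add returns a boolean that is true on success and RATS_TLS_ERR_NONE is 0, and if the helper ever returns a status code where 0 means success the branch silently inverts (continue on failure, `goto err` on success). Since this line is being rewritten anyway, keep exactly one of the two tests — `if (!x509_extension_add(cert, TCG_DICE_ENDORSEMENT_MANIFEST_OID, false, cert_info->endorsements_buffer, cert_info->endorsements_buffer_size))` — and, unlike the evidence hunk, this one has no comment at all explaining why the manifest is added non-critical; a one-liner such as `/* Non-critical: OpenSSL peers would otherwise reject the cert for an unhandled critical extension. */` would do. The return type of x509_extension_add is not visible here, so confirm which of the two tests is the meaningful one before dropping the other.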
@@ -178,16 +178,16 @@ int verify_certificate(int preverify_ok, X509_STORE_CTX *ctx)
 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
 return SSL_SUCCESS;
 
- /* According to the dice standard, the DiceTaggedEvidence extension should be set to critical=true.
- * However, there is no way via the openssl api to know directly which extension is causing
- * X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, so we have to tolerate all this cases here.
- * This may be a security issue if there are other critical extensions that neither we nor openssl can handle.
- * See:
- * - https://github.com/openssl/openssl/blob/a63fa5f711f1f97e623348656b42717d6904ee3e/crypto/x509/x509_vfy.c#L490
- * - https://github.com/openssl/openssl/blob/a63fa5f711f1f97e623348656b42717d6904ee3e/crypto/x509/v3_purp.c#LL596C34-L596C34
- */
- if (err == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
- return SSL_SUCCESS;
+ // /* According to the dice standard, the DiceTaggedEvidence extension should be set to critical=true.
+ // * However, there is no way via the openssl api to know directly which extension is causing
+ // * X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, so we have to tolerate all this cases here.
+ // * This may be a security issue if there are other critical extensions that neither we nor openssl can handle.
+ // * See:
+ // * - https://github.com/openssl/openssl/blob/a63fa5f711f1f97e623348656b42717d6904ee3e/crypto/x509/x509_vfy.c#L490
+ // * - https://github.com/openssl/openssl/blob/a63fa5f711f1f97e623348656b42717d6904ee3e/crypto/x509/v3_purp.c#LL596C34-L596C34
+ // */
+ // if (err == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
+ // return SSL_SUCCESS;
 
 /*
 * A typical and unrecoverable error code is
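Review bot: The ten added lines are the old block prefixed with `//` rather than removed; commented-out code should be deleted (git history keeps it) and replaced with a one-line statement of the new policy, e.g. `/* Unknown critical extensions now fall through to the error path below; our own DICE extensions are emitted non-critical so they never raise X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION. */`. Dropping the tolerance is a real hardening — as the removed comment itself admitted, it accepted any unhandled critical extension, not just the DICE one — but it is only safe if every certificate generator this callback can face has stopped marking the DICE extensions critical; this diff changes the OpenSSL wrapper, and any other crypto wrapper is not visible here. Note also that the surviving context `if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) return SSL_SUCCESS;` still accepts self-signed leaf certificates unconditionally, so with the evidence extension now non-critical nothing in OpenSSL's own checks will reject a peer certificate that carries no evidence at all — verify_certificate must require and verify it explicitly, and that part of the function lies outside the hunk.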