Skip to content

Fix ReqCertFromX509 to check bounds#10181

Open
embhorn wants to merge 4 commits intowolfSSL:masterfrom
embhorn:zd21567
Open

Fix ReqCertFromX509 to check bounds#10181
embhorn wants to merge 4 commits intowolfSSL:masterfrom
embhorn:zd21567

Conversation

@embhorn
Copy link
Copy Markdown
Member

@embhorn embhorn commented Apr 9, 2026
edited
Loading

Description

In ReqCertFromX509, add a check on SKID size

Fixes zd21567

Testing

Added test_x509_ReqCertFromX509_skid_overflow

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Apr 9, 2026
Copilot AI review requested due to automatic review settings April 9, 2026 19:43
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR hardens CSR/certificate copying logic by adding a bounds check for SubjectKeyIdentifier (SKID) size in wolfSSL_sk_X509_OBJECT_deep_copy, and introduces a regression test to ensure oversized SKID data is rejected.

Changes:

  • Add CTC_MAX_SKID_SIZE bounds checking before copying SKID into cert->skid.
  • Add a new API test covering a crafted CSR with an oversized SKID extension.
  • Update wolfssl/version.h version macros (currently appears to be a downgrade).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
wolfssl/version.h Adjusts library version macros (doesn’t align with the stated purpose of this PR).
tests/api/test_x509.h Declares/registers the new SKID overflow regression test.
tests/api/test_x509.c Adds a crafted-DER regression test for oversized SKID handling.
src/x509.c Adds SKID size bounds checking to prevent buffer overflow during deep copy.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@embhorn
Copy link
Copy Markdown
Member Author

embhorn commented Apr 10, 2026

Jenkins retest this please

Copilot AI review requested due to automatic review settings April 10, 2026 20:52
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@embhorn embhorn changed the title Fix wolfSSL_sk_X509_OBJECT_deep_copy to check bounds Fix ReqCertFromX509 to check bounds Apr 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@embhorn embhorn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@embhorn