From 78ee731132f5154cda18941701acb04cab81f0bc Mon Sep 17 00:00:00 2001
From: jharper
Date: Fri, 6 Mar 2026 14:48:31 -0600
Subject: [PATCH] Fix DecodeSubjInfoAcc rejecting certs without id-ad-caRepository
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DecodeSubjInfoAcc() returns ASN_PARSE_E when the Subject Information Access extension does not contain an id-ad-caRepository access description. This is overly strict: RFC 5280 section 4.2.2.2 defines SIA as a SEQUENCE OF AccessDescription where each entry may use any access method OID — id-ad-caRepository is only one possibility.

Real-world impact: ISO 15118-20 (Electric Vehicle charging) PKI certificates include SIA extensions with custom access-method OIDs (e.g. under arc 2.40.246.14.20.0). wolfSSL rejects these otherwise valid certificates with ASN_PARSE_E, preventing interoperability with ISO 15118-20 Plug & Charge infrastructure.

Change: when no caRepository URI is found in the SIA extension, log a debug message but do not set ret = ASN_PARSE_E. The extension is still fully parsed; only the hard failure is removed.

Signed-off-by: Claude Opus 4.6
---
 wolfcrypt/src/asn.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index ec34c953531..0a7fbb49ffc 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -22420,8 +22420,11 @@ static int DecodeSubjInfoAcc(const byte* input, word32 sz, DecodedCert* cert) if (cert->extSubjInfoAccCaRepo == NULL || cert->extSubjInfoAccCaRepoSz == 0) { - WOLFSSL_MSG("SubjectInfoAccess missing an URL."); - ret = ASN_PARSE_E; + /* Not all SIA extensions contain id-ad-caRepository. RFC 5280 + * section 4.2.2.2 permits any access method; for example, + * ISO 15118-20 EV-charging PKI certificates carry only custom + * access-method OIDs. Log a message but do not reject the cert. */ + WOLFSSL_MSG("SubjectInfoAccess: no caRepository URI found."); } WOLFSSL_LEAVE("DecodeSubjInfoAcc", ret);
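Review bot: with `ret = ASN_PARSE_E;` removed, the `if` block only logs, and the function returns whatever `ret` held after the AccessDescription walk; that initialisation lies outside this hunk, so confirm `ret` is 0 on this path and that a cert with a well-formed SIA and no caRepository now decodes cleanly rather than carrying a stale value into `WOLFSSL_LEAVE("DecodeSubjInfoAcc", ret)`. Since `cert->extSubjInfoAccCaRepo == NULL || cert->extSubjInfoAccCaRepoSz == 0` is now a legitimate state after a successful decode, every consumer of those two fields should be checked for a NULL/zero-length guard. The diffstat touches only `wolfcrypt/src/asn.c`; a regression test with an SIA whose sole accessMethod is a non-caRepository OID (the ISO 15118-20 case the commit message cites) would keep the check from being re-tightened later. Minor: the `Signed-off-by:` line names a model with no email address; a DCO sign-off should carry the contributor's own name and address (the `From:` is jharper).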
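The point of the patch is the distinction between an SIA that is malformed and an SIA that is well-formed but simply has no id-ad-caRepository entry. The following stand-alone C program is an added example written for this page, not wolfSSL's code and not part of the patch: it walks `SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription` over constructed DER (the custom accessMethod uses the documentation arc 2.999, not a real ISO 15118-20 OID), records a caRepository URI when one is present, and exposes both the post-patch rule (`parseSia`: any well-formed SIA is accepted) and the pre-patch rule (`parseSiaStrict`: no caRepository URI is an error) so the two can be compared. All function and array names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of walking one SubjectInfoAccess extension value. */
typedef struct {
    const uint8_t* uri;  /* first id-ad-caRepository URI, or NULL */
    size_t uriLen;
    int nEntries;        /* AccessDescriptions seen */
    int nOther;          /* entries whose accessMethod is some other OID */
} SiaInfo;

/* id-ad-caRepository = 1.3.6.1.5.5.7.48.5 (RFC 5280), DER contents octets */
static const uint8_t OID_CA_REPO[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05};

/* Read tag and length at in[*off]; advance *off to the contents and store their
 * length. Rejects multi-byte tags (none occur in SIA) and lengths that run past
 * inLen, so callers pass the enclosing element's end as inLen. */
static int readTlv(const uint8_t* in, size_t inLen, size_t* off,
                   uint8_t* tag, size_t* len)
{
    size_t i = *off, l;
    if (i + 2 > inLen) return -1;
    *tag = in[i++];
    if ((*tag & 0x1F) == 0x1F) return -1;
    l = in[i++];
    if (l & 0x80) {                                   /* long-form length */
        size_t n = l & 0x7F, k;
        if (n == 0 || n > sizeof(size_t) || n > inLen - i) return -1;
        for (l = 0, k = 0; k < n; k++) l = (l << 8) | in[i++];
    }
    if (l > inLen - i) return -1;                     /* contents overrun */
    *off = i;
    *len = l;
    return 0;
}

/* Post-patch rule: 0 for any well-formed SIA, whether or not an entry is
 * id-ad-caRepository; -1 only for a structurally malformed extension. */
int parseSia(const uint8_t* der, size_t derLen, SiaInfo* out)
{
    size_t off = 0, len, end;
    uint8_t tag;
    memset(out, 0, sizeof(*out));
    if (readTlv(der, derLen, &off, &tag, &len) != 0 || tag != 0x30) return -1;
    end = off + len;
    if (end != derLen) return -1;                     /* trailing bytes */
    while (off < end) {
        size_t adEnd, oidLen, gnLen;
        const uint8_t *oid, *gn;
        uint8_t gnTag;
        if (readTlv(der, end, &off, &tag, &len) != 0 || tag != 0x30) return -1;
        adEnd = off + len;
        if (readTlv(der, adEnd, &off, &tag, &oidLen) != 0 || tag != 0x06) return -1;
        oid = der + off; off += oidLen;
        if (readTlv(der, adEnd, &off, &gnTag, &gnLen) != 0) return -1;
        gn = der + off; off += gnLen;
        if (off != adEnd) return -1;                  /* exactly method + location */
        out->nEntries++;
        if (oidLen == sizeof(OID_CA_REPO) && memcmp(oid, OID_CA_REPO, oidLen) == 0) {
            if (gnTag == 0x86 && out->uri == NULL) {  /* [6] uniformResourceIdentifier */
                out->uri = gn; out->uriLen = gnLen;
            }
        } else {
            out->nOther++;                            /* any other accessMethod is fine */
        }
    }
    return out->nEntries > 0 ? 0 : -1;                /* SIZE (1..MAX): empty is malformed */
}

/* Pre-patch rule for comparison: well-formed but no caRepository URI is an error. */
int parseSiaStrict(const uint8_t* der, size_t derLen, SiaInfo* out)
{
    if (parseSia(der, derLen, out) != 0) return -1;
    return out->uri != NULL ? 0 : -1;
}

/* Constructed sample extension values (not taken from any real certificate). */
const uint8_t SIA_WITH_REPO[] = {                     /* custom entry + caRepository */
    0x30,0x33,
      0x30,0x0F, 0x06,0x03,0x88,0x37,0x01,            /* accessMethod 2.999.1 */
                 0x86,0x08,'u','r','n',':','e','x',':','1',
      0x30,0x20, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05, /* caRepository */
                 0x86,0x14,'h','t','t','p',':','/','/','r','e','p','o','.',
                           'e','x','a','m','p','l','e','/' };
const uint8_t SIA_CUSTOM_ONLY[] = {                   /* the case the patch admits */
    0x30,0x11, 0x30,0x0F, 0x06,0x03,0x88,0x37,0x01,
                          0x86,0x08,'u','r','n',':','e','x',':','1' };
const uint8_t SIA_INNER_OVERRUN[] = {                 /* inner length exceeds outer: must fail */
    0x30,0x09, 0x30,0x0F,0x06,0x03,0x88,0x37,0x01,0x86,0x08 };

/* Small wrappers returning plain ints for callers and checks. */
int siaEntryCount(const uint8_t* der, size_t len)
{ SiaInfo s; return parseSia(der, len, &s) == 0 ? s.nEntries : -1; }
int siaRepoUriIs(const uint8_t* der, size_t len, const char* expected)
{ SiaInfo s;
  if (parseSia(der, len, &s) != 0 || s.uri == NULL) return 0;
  return s.uriLen == strlen(expected) && memcmp(s.uri, expected, s.uriLen) == 0; }
int siaStrictResult(const uint8_t* der, size_t len)
{ SiaInfo s; return parseSiaStrict(der, len, &s); }

int main(void)
{
    printf("with repo:     lenient=%d strict=%d\n", siaEntryCount(SIA_WITH_REPO, sizeof SIA_WITH_REPO), siaStrictResult(SIA_WITH_REPO, sizeof SIA_WITH_REPO));
    printf("custom only:   lenient=%d strict=%d\n", siaEntryCount(SIA_CUSTOM_ONLY, sizeof SIA_CUSTOM_ONLY), siaStrictResult(SIA_CUSTOM_ONLY, sizeof SIA_CUSTOM_ONLY));
    printf("inner overrun: lenient=%d strict=%d\n", siaEntryCount(SIA_INNER_OVERRUN, sizeof SIA_INNER_OVERRUN), siaStrictResult(SIA_INNER_OVERRUN, sizeof SIA_INNER_OVERRUN));
    return 0;
}
```

The second sample is accepted by `parseSia` and rejected by `parseSiaStrict`, which is exactly the behavioural change in the hunk; the third sample is rejected by both, showing that dropping the caRepository requirement does not loosen the structural checks that still have to run before the `if` in the patch is reached.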