Fix wolfSSL_sk_X509_OBJECT_deep_copy to check CTC_MAX_SKID_SIZE#10178
Fix wolfSSL_sk_X509_OBJECT_deep_copy to check CTC_MAX_SKID_SIZE#10178embhorn wants to merge 4 commits intowolfSSL:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Fixes CSR re-encoding behavior in ReqCertFromX509() by rejecting oversized SubjectKeyIdentifier (SKID) values (bounded by CTC_MAX_SKID_SIZE) and adds a regression test to ensure encoding fails when SKID exceeds the max.
Changes:
- Add bounds checking for SKID copy during X509 object deep copy to prevent overflow and fail cleanly.
- Add a new regression test that constructs a CSR with SKID size
CTC_MAX_SKID_SIZE + 1and asserts re-encoding fails. - Register the new test in the x509 API test suite.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/api/test_x509.h | Declares and registers the new SKID overflow regression test. |
| tests/api/test_x509.c | Adds DER construction + assertions ensuring oversized SKID causes encode failure. |
| src/x509.c | Enforces CTC_MAX_SKID_SIZE when copying SKID from CSR into certificate during deep copy. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Jenkins retest this please |
Description
Fixed the CSR SKID issue in
ReqCertFromX509()Fixes zd21575
Testing
Added
test_x509_CertFromX509_akid_overflowChecklist