[FIPS - Cherry-pick] Support allowing specific unknown critical extensions (#2377) #2473

justsmth · 2025-06-06T20:56:49Z

This change is outside of the FIPS module and does not affect its hash.

Commit was cherry-picked from mainline PR #2377. Original description is below.

As of today, AWS-LC returns an error as part of verification if there are any critical extensions present in the certificate being validated. There have been asks to set a custom OID on the issued certificates to ensure that additional validation is performed by customers after or during the handshake. The intention is to prevent accidental mis-use of these certificates without that extra validation.

To support this, we've decided to add two new APIs for this use case.

X509_STORE_CTX_add_custom_crit_oid adds an oid as an ASN1_OBJECT to the list of "known" critical extension OIDs in ctx. Typical OpenSSL/AWS-LC behavior returns an error if there are any unknown critical extensions present within the certificates being validated. This function lets users specify custom OIDs of any critical extensions that are within the certificates being validated, that they wish to allow. The callback mechanism enabled with
X509_STORE_CTX_set_verify_crit_oids must be set for this feature to enabled.
X509_STORE_CTX_set_verify_crit_oids enables the X509_STORE_CTX_verify_crit_oids_cb with X509_STORE_CTX. Consumers should be performing additional validation against the custom extension oids after or during the handshake. This callback forces users to validate their custom OIDs when processing unknown custom critical extensions. The X509_STORE_CTX_verify_crit_oids_cb callback function gives the user the current certificate being validated as x509 and a stack of ASN1_OBJECTs representing unknown critical extension OIDs that were found in x509 and match those previously registered via|X509_STORE_CTX_add_custom_crit_oid as oids.

This should not effect any existing consumers of X509_verify_cert. Any existence of an unknown critical extension will still cause the entire verification to be aborted. Only consumers that have enabled the callback and set specific OIDs with ASN1_OBJECT can circumvent the check and trigger the verification to pass.

Testing:

Test certs were generated by the team asking for this feature.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

As of today, AWS-LC returns an error as part of verification if there are any critical extensions present in the certificate being validated. There have been asks to set a custom OID on the issued certificates to ensure that additional validation is performed by customers after or during the handshake. The intention is to prevent accidental mis-use of these certificates without that extra validation. To support this, we've decided to add two new APIs for this use case. 1. `X509_STORE_CTX_add_custom_crit_oid` adds an oid as an `ASN1_OBJECT` to the list of "known" critical extension OIDs in `ctx`. Typical OpenSSL/AWS-LC behavior returns an error if there are any unknown critical extensions present within the certificates being validated. This function lets users specify custom OIDs of any critical extensions that are within the certificates being validated, that they wish to allow. The callback mechanism enabled with `X509_STORE_CTX_set_verify_crit_oids` must be set for this feature to enabled. 2. `X509_STORE_CTX_set_verify_crit_oids` enables the `X509_STORE_CTX_verify_crit_oids_cb` with `X509_STORE_CTX`. Consumers should be performing additional validation against the custom extension oids after or during the handshake. This callback forces users to validate their custom OIDs when processing unknown custom critical extensions. The `X509_STORE_CTX_verify_crit_oids_cb` callback function gives the user the current certificate being validated as `x509` and a stack of `ASN1_OBJECT`s representing unknown critical extension OIDs that were found in `x509` and match those previously registered via`|X509_STORE_CTX_add_custom_crit_oid` as `oids`. This should not effect any existing consumers of `X509_verify_cert`. Any existence of an unknown critical extension will still cause the entire verification to be aborted. Only consumers that have enabled the callback and set specific OIDs with `ASN1_OBJECT` can circumvent the check and trigger the verification to pass. ### Testing: Test certs were generated by the team asking for this feature. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

codecov-commenter · 2025-06-06T21:15:36Z

Codecov Report

Attention: Patch coverage is 91.59664% with 10 lines in your changes missing coverage. Please review.

Project coverage is 78.61%. Comparing base (bf95683) to head (d3a0911).

Files with missing lines	Patch %	Lines
crypto/x509/x509_vfy.c	86.66%	8 Missing ⚠️
crypto/x509/x509_test.cc	96.61%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@                 Coverage Diff                 @@
##           fips-2024-09-27    #2473      +/-   ##
===================================================
+ Coverage            78.59%   78.61%   +0.02%     
===================================================
  Files                  585      585              
  Lines               100608   100723     +115     
  Branches             14263    14271       +8     
===================================================
+ Hits                 79070    79188     +118     
+ Misses               20903    20898       -5     
- Partials               635      637       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

justsmth requested a review from a team as a code owner June 6, 2025 20:56

justsmth requested review from samuel40791765 and darylmartin100 June 6, 2025 20:58

darylmartin100 approved these changes Jun 9, 2025

View reviewed changes

samuel40791765 approved these changes Jun 10, 2025

View reviewed changes

justsmth merged commit 205ad18 into aws:fips-2024-09-27 Jun 11, 2025 7D12
81 of 110 checks passed

justsmth deleted the fips-unknown-critical-extensions branch June 11, 2025 13:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FIPS - Cherry-pick] Support allowing specific unknown critical extensions (#2377) #2473

[FIPS - Cherry-pick] Support allowing specific unknown critical extensions (#2377) #2473

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[FIPS - Cherry-pick] Support allowing specific unknown critical extensions (#2377) #2473

[FIPS - Cherry-pick] Support allowing specific unknown critical extensions (#2377) #2473

Uh oh!

Conversation

Testing:

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!