- Introduced POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION flag to continue parsing when encountering a critical flag that's not supported by PolarSSL

- Minor Fix in ASN.1 comments of PrivateKeyInfo

include/polarssl/config.h

@@ -180,6 +180,17 @@
  * Enable the checkup functions (*_self_test).
  */
 #define POLARSSL_SELF_TEST
+
+/**
+ * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * Uncomment to prevent an error.
+ *
+#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ */
 /* \} name */
 
 /**

library/x509parse.c

@@ -1013,12 +1013,14 @@ static int x509_get_crt_ext( unsigned char **p,
             /* No parser found, skip extension */
             *p = end_ext_octet;
 
+#if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
             if( is_critical )
             {
                 /* Data is marked as critical: fail */
                 return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
                         POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
             }
+#endif
         }
     }
 
@@ -1916,6 +1918,7 @@ int x509parse_key( rsa_context *rsa, const unsigned char *key, size_t keylen,
      * PrivatKeyInfo object (PKCS#8) or a RSAPrivateKey (PKCS#1) directly.
      *
      *  PrivateKeyInfo ::= SEQUENCE {
+     *    version           Version,
      *    algorithm       AlgorithmIdentifier,
      *    PrivateKey      BIT STRING
      *  }