net/cert/internal/parse_certificate_unittest.cc - Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate".

Side by Side Diff: net/cert/internal/parse_certificate_unittest.cc

Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate". (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_mapper

Patch Set: rebase onto master Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« net/cert/internal/parse_certificate.cc ('K') | « net/cert/internal/parse_certificate.cc ('k') | net/data/parse_certificate_unittest/tbs_explicit_v1.pem » ('j') | net/data/parse_certificate_unittest/tbs_explicit_v1.pem » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/internal/parse_certificate.h"	5 #include "net/cert/internal/parse_certificate.h"

6	6

7 #include "net/cert/internal/test_helpers.h"	7 #include "net/cert/internal/test_helpers.h"

8 #include "net/der/input.h"	8 #include "net/der/input.h"

9 #include "testing/gtest/include/gtest/gtest.h"	9 #include "testing/gtest/include/gtest/gtest.h"

10	10

(...skipping 90 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
101 TEST(ParseCertificateTest, EmptySequence) {	101 TEST(ParseCertificateTest, EmptySequence) {

102 EnsureParsingCertificateFails("cert_empty_sequence.pem");	102 EnsureParsingCertificateFails("cert_empty_sequence.pem");

103 }	103 }

104	104

105 // Tests what happens when the signature algorithm is present, but has the wrong	105 // Tests what happens when the signature algorithm is present, but has the wrong

106 // tag.	106 // tag.

107 TEST(ParseCertificateTest, AlgorithmNotSequence) {	107 TEST(ParseCertificateTest, AlgorithmNotSequence) {

108 EnsureParsingCertificateFails("cert_algorithm_not_sequence.pem");	108 EnsureParsingCertificateFails("cert_algorithm_not_sequence.pem");

109 }	109 }

110	110

	111 // Loads tbsCertificate data and expectations from the PEM file \|file_name\|.

	112 // Verifies that parsing the TBSCertificate succeeds, and each parsed field

	113 // matches the expectations.

	114 void EnsureParsingTbsSucceds(const std::string& file_name,
	davidben 2015/08/14 17:51:42 Succeds -> Succeeds Succeds -> Succeeds eroman 2015/08/14 21:26:13 Done. Hah, the power of auto-complete to propagate Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > Succeds -> Succeeds Done. Hah, the power of auto-complete to propagate this mistake throughout the file!
	115 CertificateVersion expected_version) {

	116 std::string data;

	117 std::string expected_serial_number;

	118 std::string expected_signature_algorithm;

	119 std::string expected_issuer;

	120 std::string expected_validity;

	121 std::string expected_subject;

	122 std::string expected_spki;

	123 std::string expected_extensions;

	124

	125 // Read the certificate data and test expectations from a single PEM file.

	126 const PemBlockMapping mappings[] = {

	127 {"TBS CERTIFICATE", &data},

	128 {"SIGNATURE ALGORITHM", &expected_signature_algorithm},

	129 {"SERIAL NUMBER", &expected_serial_number},

	130 {"ISSUER", &expected_issuer},

	131 {"VALIDITY", &expected_validity},

	132 {"SUBJECT", &expected_subject},

	133 {"SPKI", &expected_spki},

	134 {"EXTENSIONS", &expected_extensions},

	135 };

	136 ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));

	137

	138 // Parsing the TBSCertificate should succeed.

	139 ParsedTbsCertificate parsed;

	140 ASSERT_TRUE(ParseTbsCertificate(InputFromString(&data), &parsed));

	141

	142 // Ensure that the ParsedTbsCertificate matches expectations.

	143 EXPECT_EQ(expected_version, parsed.version);

	144

	145 EXPECT_EQ(InputFromString(&expected_serial_number), parsed.serial_number);

	146 EXPECT_EQ(InputFromString(&expected_signature_algorithm),

	147 parsed.signature_algorithm_tlv);

	148

	149 EXPECT_EQ(InputFromString(&expected_issuer), parsed.issuer_tlv);

	150 EXPECT_EQ(InputFromString(&expected_validity), parsed.validity_tlv);

	151 EXPECT_EQ(InputFromString(&expected_subject), parsed.subject_tlv);

	152 EXPECT_EQ(InputFromString(&expected_spki), parsed.spki_tlv);

	153

	154 EXPECT_FALSE(parsed.has_issuer_unique_id);

	155 EXPECT_FALSE(parsed.has_subject_unique_id);
	davidben 2015/08/14 17:51:42 You weren't able to find any certificates with the You weren't able to find any certificates with these to test against, right? eroman 2015/08/14 21:26:13 Correct. I added a TODO and will add some. (Either Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > You weren't able to find any certificates with these to test against, right? Correct. I added a TODO and will add some. (Either in this CL or a follow-up, depends on the timing :) eroman 2015/08/15 01:57:41 Done -- I added tests for v2 and its fields (issue Show quoted text On 2015/08/14 21:26:13, eroman wrote: > On 2015/08/14 17:51:42, David Benjamin wrote: > > You weren't able to find any certificates with these to test against, right? > > Correct. I added a TODO and will add some. (Either in this CL or a follow-up, > depends on the timing :) Done -- I added tests for v2 and its fields (issuerUniqueId / subjectUniqueId)
	156

	157 EXPECT_EQ(InputFromString(&expected_extensions), parsed.extensions_tlv);

	158 EXPECT_EQ(!expected_extensions.empty(), parsed.has_extensions);

	159 }

	160

	161 // Loads certificate data from the PEM file \|file_name\| and verifies that the

	162 // Certificate parsing succeed, however the TBSCertificate parsing fails.

	163 void EnsureParsingTbsFails(const std::string& file_name) {

	164 std::string data;

	165

	166 const PemBlockMapping mappings[] = {

	167 {"TBS CERTIFICATE", &data},

	168 };

	169

	170 ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));

	171

	172 // Parsing the TBSCertificate should fail.

	173 ParsedTbsCertificate parsed;

	174 ASSERT_FALSE(ParseTbsCertificate(InputFromString(&data), &parsed));

	175 }

	176

	177 // Tests parsing a TBSCertificate for v3 that contains no optional fields.

	178 TEST(ParseTbsCertificateTest, Version3NoOptionals) {

	179 EnsureParsingTbsSucceds("tbs_v3_no_optionals.pem", CertificateVersion::V3);

	180 }

	181

	182 // Tests parsing a TBSCertificate for v3 that contains extensions.

	183 TEST(ParseTbsCertificateTest, Version3WithExtensions) {

	184 EnsureParsingTbsSucceds("tbs_v3_extensions.pem", CertificateVersion::V3);

	185 }

	186

	187 // Tests parsing a TBSCertificate for v3 that contains no optional fields, and

	188 // has a negative serial number.

	189 //

	190 // CAs are not supposed to include negative serial numbers, however RFC 5280

	191 // expects consumers to deal with it anyway).

	192 TEST(ParseTbsCertificateTest, NegativeSerialNumber) {

	193 EnsureParsingTbsSucceds("tbs_negative_serial_number.pem",

	194 CertificateVersion::V3);

	195 }

	196

	197 // Tests parsing a TBSCertificate with a serial number that is 21 octets long

	198 // (and the first byte is 0).

	199 TEST(ParseTbCertificateTest, SerialNumber21OctetsLeading0) {

	200 EnsureParsingTbsFails("tbs_serial_number_21_octets_leading_0.pem");

	201 }

	202

	203 // Tests parsing a TBSCertificate with a serial number that is 26 octets long

	204 // (and does not contain a leading 0).

	205 TEST(ParseTbsCertificateTest, SerialNumber26Octets) {

	206 EnsureParsingTbsFails("tbs_serial_number_26_octets.pem");

	207 }

	208

	209 // Tests parsing a TBSCertificate which lacks a version number (causing it to

	210 // default to v1).

	211 TEST(ParseTbsCertificateTest, Version1) {

	212 EnsureParsingTbsSucceds("tbs_v1.pem", CertificateVersion::V1);

	213 }

	214

	215 // The version was set to v1 explicitly rather than omitting the version field.

	216 TEST(ParseTbsCertificateTest, ExplicitVersion1) {

	217 EnsureParsingTbsFails("tbs_explicit_v1.pem");

	218 }

	219

	220 // Extensions are not defined in version 1.

	221 TEST(ParseTbsCertificateTest, Version1WithExtensions) {

	222 EnsureParsingTbsFails("tbs_v1_extensions.pem");

	223 }

	224

	225 // The version was set to v4, which is unrecognized.

	226 TEST(ParseTbsCertificateTest, Version4) {

	227 EnsureParsingTbsFails("tbs_v4.pem");

	228 }

	229

	230 // Tests that extraneous data after extensions in a v3 is rejected.

	231 TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {

	232 EnsureParsingTbsFails("tbs_v3_data_after_extensions.pem");

	233 }

	234
	davidben 2015/08/14 17:51:42 Think it's worth parsing a real-world certificate Think it's worth parsing a real-world certificate as well? I think all of these tests use bogus ones. eroman 2015/08/14 21:26:13 Done --> tbs_v3_real.pem Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > Think it's worth parsing a real-world certificate as well? I think all of these > tests use bogus ones. Done --> tbs_v3_real.pem
111 } // namespace	235 } // namespace

112	236

113 } // namespace net	237 } // namespace net

OLD	NEW