
Unified Diff: net/cert/internal/parse_certificate_unittest.cc

Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate". (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_mapper
Patch Set: rebase onto master Created 5 years, 4 months ago
Index: net/cert/internal/parse_certificate_unittest.cc
diff --git a/net/cert/internal/parse_certificate_unittest.cc b/net/cert/internal/parse_certificate_unittest.cc
index d83d6a58a6b29abe78d8ce965f940c3c7db70cfa..6663e2f973556714f93fc85c9b4b7f4a5c8c0bfe 100644
--- a/net/cert/internal/parse_certificate_unittest.cc
+++ b/net/cert/internal/parse_certificate_unittest.cc
@@ -108,6 +108,130 @@ TEST(ParseCertificateTest, AlgorithmNotSequence) {
EnsureParsingCertificateFails("cert_algorithm_not_sequence.pem");
}
+// Loads tbsCertificate data and expectations from the PEM file |file_name|.
+// Verifies that parsing the TBSCertificate succeeds, and each parsed field
+// matches the expectations.
+void EnsureParsingTbsSucceds(const std::string& file_name,
davidben 2015/08/14 17:51:42 Succeds -> Succeeds
eroman 2015/08/14 21:26:13 Done. Hah, the power of auto-complete to propagate
+ CertificateVersion expected_version) {
+ std::string data;
+ std::string expected_serial_number;
+ std::string expected_signature_algorithm;
+ std::string expected_issuer;
+ std::string expected_validity;
+ std::string expected_subject;
+ std::string expected_spki;
+ std::string expected_extensions;
+
+ // Read the certificate data and test expectations from a single PEM file.
+ const PemBlockMapping mappings[] = {
+ {"TBS CERTIFICATE", &data},
+ {"SIGNATURE ALGORITHM", &expected_signature_algorithm},
+ {"SERIAL NUMBER", &expected_serial_number},
+ {"ISSUER", &expected_issuer},
+ {"VALIDITY", &expected_validity},
+ {"SUBJECT", &expected_subject},
+ {"SPKI", &expected_spki},
+ {"EXTENSIONS", &expected_extensions},
+ };
+ ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));
+
+ // Parsing the TBSCertificate should succeed.
+ ParsedTbsCertificate parsed;
+ ASSERT_TRUE(ParseTbsCertificate(InputFromString(&data), &parsed));
+
+ // Ensure that the ParsedTbsCertificate matches expectations.
+ EXPECT_EQ(expected_version, parsed.version);
+
+ EXPECT_EQ(InputFromString(&expected_serial_number), parsed.serial_number);
+ EXPECT_EQ(InputFromString(&expected_signature_algorithm),
+ parsed.signature_algorithm_tlv);
+
+ EXPECT_EQ(InputFromString(&expected_issuer), parsed.issuer_tlv);
+ EXPECT_EQ(InputFromString(&expected_validity), parsed.validity_tlv);
+ EXPECT_EQ(InputFromString(&expected_subject), parsed.subject_tlv);
+ EXPECT_EQ(InputFromString(&expected_spki), parsed.spki_tlv);
+
+ EXPECT_FALSE(parsed.has_issuer_unique_id);
+ EXPECT_FALSE(parsed.has_subject_unique_id);
davidben 2015/08/14 17:51:42 You weren't able to find any certificates with the
eroman 2015/08/14 21:26:13 Correct. I added a TODO and will add some. (Either
eroman 2015/08/15 01:57:41 Done -- I added tests for v2 and its fields (issue
+
+ EXPECT_EQ(InputFromString(&expected_extensions), parsed.extensions_tlv);
+ EXPECT_EQ(!expected_extensions.empty(), parsed.has_extensions);
+}
+
+// Loads certificate data from the PEM file |file_name| and verifies that the
+// Certificate parsing succeed, however the TBSCertificate parsing fails.
+void EnsureParsingTbsFails(const std::string& file_name) {
+ std::string data;
+
+ const PemBlockMapping mappings[] = {
+ {"TBS CERTIFICATE", &data},
+ };
+
+ ASSERT_TRUE(ReadTestDataFromPemFile(GetFilePath(file_name), mappings));
+
+ // Parsing the TBSCertificate should fail.
+ ParsedTbsCertificate parsed;
+ ASSERT_FALSE(ParseTbsCertificate(InputFromString(&data), &parsed));
+}
+
+// Tests parsing a TBSCertificate for v3 that contains no optional fields.
+TEST(ParseTbsCertificateTest, Version3NoOptionals) {
+ EnsureParsingTbsSucceds("tbs_v3_no_optionals.pem", CertificateVersion::V3);
+}
+
+// Tests parsing a TBSCertificate for v3 that contains extensions.
+TEST(ParseTbsCertificateTest, Version3WithExtensions) {
+ EnsureParsingTbsSucceds("tbs_v3_extensions.pem", CertificateVersion::V3);
+}
+
+// Tests parsing a TBSCertificate for v3 that contains no optional fields, and
+// has a negative serial number.
+//
+// CAs are not supposed to include negative serial numbers, however RFC 5280
+// expects consumers to deal with it anyway).
+TEST(ParseTbsCertificateTest, NegativeSerialNumber) {
+ EnsureParsingTbsSucceds("tbs_negative_serial_number.pem",
+ CertificateVersion::V3);
+}
+
+// Tests parsing a TBSCertificate with a serial number that is 21 octets long
+// (and the first byte is 0).
+TEST(ParseTbCertificateTest, SerialNumber21OctetsLeading0) {
+ EnsureParsingTbsFails("tbs_serial_number_21_octets_leading_0.pem");
+}
+
+// Tests parsing a TBSCertificate with a serial number that is 26 octets long
+// (and does not contain a leading 0).
+TEST(ParseTbsCertificateTest, SerialNumber26Octets) {
+ EnsureParsingTbsFails("tbs_serial_number_26_octets.pem");
+}
+
+// Tests parsing a TBSCertificate which lacks a version number (causing it to
+// default to v1).
+TEST(ParseTbsCertificateTest, Version1) {
+ EnsureParsingTbsSucceds("tbs_v1.pem", CertificateVersion::V1);
+}
+
+// The version was set to v1 explicitly rather than omitting the version field.
+TEST(ParseTbsCertificateTest, ExplicitVersion1) {
+ EnsureParsingTbsFails("tbs_explicit_v1.pem");
+}
+
+// Extensions are not defined in version 1.
+TEST(ParseTbsCertificateTest, Version1WithExtensions) {
+ EnsureParsingTbsFails("tbs_v1_extensions.pem");
+}
+
+// The version was set to v4, which is unrecognized.
+TEST(ParseTbsCertificateTest, Version4) {
+ EnsureParsingTbsFails("tbs_v4.pem");
+}
+
+// Tests that extraneous data after extensions in a v3 is rejected.
+TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {
+ EnsureParsingTbsFails("tbs_v3_data_after_extensions.pem");
+}
+
davidben 2015/08/14 17:51:42 Think it's worth parsing a real-world certificate
eroman 2015/08/14 21:26:13 Done --> tbs_v3_real.pem
} // namespace
} // namespace net
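Review bot: The test `TEST(ParseTbCertificateTest, SerialNumber21OctetsLeading0)` is registered under a misspelled suite name (`ParseTbCertificateTest`, missing the `s`), so a run with `--gtest_filter=ParseTbsCertificateTest.*` silently skips this serial-number rejection case; it should read `TEST(ParseTbsCertificateTest, SerialNumber21OctetsLeading0) {`. The comment above `EnsureParsingTbsFails` says Certificate parsing succeeds first, but the helper only reads the `TBS CERTIFICATE` block and calls `ParseTbsCertificate`; suggest `// Loads tbsCertificate data from the PEM file |file_name| and verifies that parsing the TBSCertificate fails.`. Both serial-number length cases in this hunk are on the reject side, so unless it is covered elsewhere, an accept-side case at the longest serial the parser is meant to allow would pin the boundary and catch an off-by-one in the length check.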
