Add a function for parsing RFC 5280's "TBSCertificate".

net/cert/internal/parse_certificate.h

Index: net/cert/internal/parse_certificate.h
diff --git a/net/cert/internal/parse_certificate.h b/net/cert/internal/parse_certificate.h
index ebf1b1a957b4d75622cdb6a316f178921d5c2bb4..67bcb0043fbcf704d75896f4a46fe57f1a02db1b 100644
--- a/net/cert/internal/parse_certificate.h
+++ b/net/cert/internal/parse_certificate.h
@@ -14,6 +14,7 @@
 namespace net {
 
 struct ParsedCertificate;
+struct ParsedTbsCertificate;
 
 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
 // success and sets the results in |out|.
@@ -35,6 +36,46 @@ struct ParsedCertificate;
 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,
                                  ParsedCertificate* out) WARN_UNUSED_RESULT;
 
+// Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
+// on success and sets the results in |out|.
+//
+// Note that on success |out| aliases data from the input |tbs_tlv|.
+// Hence the fields of the ParsedTbsCertificate are only valid as long as
+// |tbs_tlv| remains valid.
+//
+// On failure |out| has an undefined state. Some of its fields may have been
+// updated during parsing, whereas others were not changed.

[davidben, 2015/08/17 21:16:02]

Nit: were not -> may not have been

[eroman, 2015/08/18 00:20:50]

Done (also changed the wording in ParseCertificate to match).

+//
+// Refer to the per-field documentation of ParsedTbsCertificate for details on
+// what validity checks parsing performs.
+//
+//       TBSCertificate  ::=  SEQUENCE  {
+//            version         [0]  EXPLICIT Version DEFAULT v1,
+//            serialNumber         CertificateSerialNumber,
+//            signature            AlgorithmIdentifier,
+//            issuer               Name,
+//            validity             Validity,
+//            subject              Name,
+//            subjectPublicKeyInfo SubjectPublicKeyInfo,
+//            issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                                 -- If present, version MUST be v2 or v3
+//            subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                                 -- If present, version MUST be v2 or v3
+//            extensions      [3]  EXPLICIT Extensions OPTIONAL
+//                                 -- If present, version MUST be v3
+//            }
+NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
+                                    ParsedTbsCertificate* out)
+    WARN_UNUSED_RESULT;
+
+// Represents a "Version" from RFC 5280:
+//         Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+enum class CertificateVersion {
+  V1,
+  V2,
+  V3,
+};
+
 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
 // 5280 "Certificate".
 //
@@ -46,6 +87,8 @@ struct NET_EXPORT ParsedCertificate {
   //
   // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
   // guarantees are made regarding the value of this SEQUENCE.
+  //
+  // This can be further parsed using ParseTbsCertificate().
   der::Input tbs_certificate_tlv;
 
   // Corresponds with "signatureAlgorithm" from RFC 5280:
@@ -64,6 +107,103 @@ struct NET_EXPORT ParsedCertificate {
   der::BitString signature_value;
 };
 
+// ParsedTbsCertificate contains pointers to the main fields of a DER-encoded
+// RFC 5280 "TBSCertificate".
+//
+// ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so
+// subsequent field descriptions are in terms of what ParseTbsCertificate()
+// sets.
+struct NET_EXPORT ParsedTbsCertificate {
+  ParsedTbsCertificate();
+  ~ParsedTbsCertificate();
+
+  // Corresponds with "version" from RFC 5280:
+  //         version         [0]  EXPLICIT Version DEFAULT v1,
+  //
+  // Parsing guarantees that the version is one of v1, v2, or v3.
+  CertificateVersion version;
+
+  // Corresponds with "serialNumber" from RFC 5280:
+  //         serialNumber         CertificateSerialNumber,
+  //
+  // This field specifically contains the content bytes of the INTEGER. So for
+  // instance if the serial number was 1000 then this would contain bytes
+  // {0x03, 0xE8}.
+  //
+  // In addition to being a valid DER-encoded INTEGER, parsing guarantees that
+  // the serial number is at most 20 bytes long. Parsing does NOT guarantee
+  // that the integer is positive (might be zero or negative).
+  der::Input serial_number;
+
+  // Corresponds with "signatureAlgorithm" from RFC 5280:
+  //         signatureAlgorithm   AlgorithmIdentifier,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  //
+  // This can be further parsed using SignatureValue::CreateFromDer().
+  der::Input signature_algorithm_tlv;
+
+  // Corresponds with "issuer" from RFC 5280:
+  //         issuer               Name,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  der::Input issuer_tlv;
+
+  // Corresponds with "validity" from RFC 5280:
+  //         validity             Validity,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  der::Input validity_tlv;
+
+  // Corresponds with "subject" from RFC 5280:
+  //         subject              Name,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  der::Input subject_tlv;
+
+  // Corresponds with "subjectPublicKeyInfo" from RFC 5280:
+  //         subjectPublicKeyInfo SubjectPublicKeyInfo,
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE.
+  der::Input spki_tlv;
+
+  // Corresponds with "issuerUniqueID" from RFC 5280:
+  //         issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                              -- If present, version MUST be v2 or v3
+  //
+  // Parsing guarantees that if issuer_unique_id is present it is a valid BIT
+  // STRING, and that the version is either v2 or v3
+  bool has_issuer_unique_id;
+  der::BitString issuer_unique_id;
+
+  // Corresponds with "subjectUniqueID" from RFC 5280:
+  //         subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                              -- If present, version MUST be v2 or v3
+  //
+  // Parsing guarantees that if subject_unique_id is present it is a valid BIT
+  // STRING, and that the version is either v2 or v3
+  bool has_subject_unique_id;
+  der::BitString subject_unique_id;
+
+  // Corresponds with "extensions" from RFC 5280:
+  //         extensions      [3]  EXPLICIT Extensions OPTIONAL
+  //                              -- If present, version MUST be v3
+  //
+  //
+  // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
+  // guarantees are made regarding the value of this SEQUENCE. (Note that the
+  // EXPLICIT outter tag was stripped.)

[davidben, 2015/08/17 21:16:02]

outter -> outer
was -> is

[eroman, 2015/08/18 00:35:52]

Done.

+  //
+  // Parsing guarantees that if extensions is present the version is v3.
+  bool has_extensions;
+  der::Input extensions_tlv;
+};
+
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_