Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(278)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/parse_certificate.cc

Issue 1285593003: Add parsing code for TBSCertificate's "validity" field. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_parsing
Patch Set: rebase Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/parse_certificate.h ('k') | net/cert/internal/parse_certificate_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/parse_certificate.h" 5 #include "net/cert/internal/parse_certificate.h"
6 6
7 #include "net/der/input.h" 7 #include "net/der/input.h"
8 #include "net/der/parse_values.h" 8 #include "net/der/parse_values.h"
9 #include "net/der/parser.h" 9 #include "net/der/parser.h"
10 10
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after
96 if (!der::IsValidInteger(value, &unused_negative)) 96 if (!der::IsValidInteger(value, &unused_negative))
97 return false; 97 return false;
98 98
99 // Check if the serial number is too long per RFC 5280. 99 // Check if the serial number is too long per RFC 5280.
100 if (value.Length() > 20) 100 if (value.Length() > 20)
101 return false; 101 return false;
102 102
103 return true; 103 return true;
104 } 104 }
105 105
106 // Consumes a "Time" value (as defined by RFC 5280) from |parser|. On success
107 // writes the result to |*out| and returns true. On failure no guarantees are
108 // made about the state of |parser|.
109 //
110 // From RFC 5280:
111 //
112 // Time ::= CHOICE {
113 // utcTime UTCTime,
114 // generalTime GeneralizedTime }
115 WARN_UNUSED_RESULT bool ReadTime(der::Parser* parser,
116 der::GeneralizedTime* out) {
117 der::Input value;
118 der::Tag tag;
119
120 if (!parser->ReadTagAndValue(&tag, &value))
121 return false;
122
123 if (tag == der::kUtcTime)
124 return der::ParseUTCTime(value, out);
125
126 if (tag == der::kGeneralizedTime)
127 return der::ParseGeneralizedTime(value, out);
128
129 // Unrecognized tag.
130 return false;
131 }
132
133 // Parses a DER-encoded "Validity" as specified by RFC 5280. Returns true on
134 // success and sets the results in |not_before| and |not_after|:
135 //
136 // Validity ::= SEQUENCE {
137 // notBefore Time,
138 // notAfter Time }
139 //
140 // Note that upon success it is NOT guaranteed that |*not_before <= *not_after|.
141 bool ParseValidity(const der::Input& validity_tlv,
142 der::GeneralizedTime* not_before,
143 der::GeneralizedTime* not_after) {
144 der::Parser parser(validity_tlv);
145
146 // Validity ::= SEQUENCE {
147 der::Parser validity_parser;
148 if (!parser.ReadSequence(&validity_parser))
149 return false;
150
151 // notBefore Time,
152 if (!ReadTime(&validity_parser, not_before))
153 return false;
154
155 // notAfter Time }
156 if (!ReadTime(&validity_parser, not_after))
157 return false;
158
159 // By definition the input was a single Validity sequence, so there shouldn't
160 // be unconsumed data.
161 if (parser.HasMore())
162 return false;
163
164 // The Validity type does not have an extension point.
165 if (validity_parser.HasMore())
166 return false;
167
168 // Note that RFC 5280 doesn't require notBefore to be <=
169 // notAfter, so that will not be considered a "parsing" error here. Instead it
170 // will be considered an expired certificate later when testing against the
171 // current timestamp.
172 return true;
173 }
174
106 } // namespace 175 } // namespace
107 176
108 ParsedTbsCertificate::ParsedTbsCertificate() {} 177 ParsedTbsCertificate::ParsedTbsCertificate() {}
109 178
110 ParsedTbsCertificate::~ParsedTbsCertificate() {} 179 ParsedTbsCertificate::~ParsedTbsCertificate() {}
111 180
112 bool ParseCertificate(const der::Input& certificate_tlv, 181 bool ParseCertificate(const der::Input& certificate_tlv,
113 ParsedCertificate* out) { 182 ParsedCertificate* out) {
114 der::Parser parser(certificate_tlv); 183 der::Parser parser(certificate_tlv);
115 184
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after
194 263
195 // signature AlgorithmIdentifier, 264 // signature AlgorithmIdentifier,
196 if (!ReadSequenceTLV(&tbs_parser, &out->signature_algorithm_tlv)) 265 if (!ReadSequenceTLV(&tbs_parser, &out->signature_algorithm_tlv))
197 return false; 266 return false;
198 267
199 // issuer Name, 268 // issuer Name,
200 if (!ReadSequenceTLV(&tbs_parser, &out->issuer_tlv)) 269 if (!ReadSequenceTLV(&tbs_parser, &out->issuer_tlv))
201 return false; 270 return false;
202 271
203 // validity Validity, 272 // validity Validity,
204 if (!ReadSequenceTLV(&tbs_parser, &out->validity_tlv)) 273 der::Input validity_tlv;
274 if (!tbs_parser.ReadRawTLV(&validity_tlv))
205 return false; 275 return false;
276 if (!ParseValidity(validity_tlv, &out->validity_not_before,
277 &out->validity_not_after)) {
278 return false;
279 }
206 280
207 // subject Name, 281 // subject Name,
208 if (!ReadSequenceTLV(&tbs_parser, &out->subject_tlv)) 282 if (!ReadSequenceTLV(&tbs_parser, &out->subject_tlv))
209 return false; 283 return false;
210 284
211 // subjectPublicKeyInfo SubjectPublicKeyInfo, 285 // subjectPublicKeyInfo SubjectPublicKeyInfo,
212 if (!ReadSequenceTLV(&tbs_parser, &out->spki_tlv)) 286 if (!ReadSequenceTLV(&tbs_parser, &out->spki_tlv))
213 return false; 287 return false;
214 288
215 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 289 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after
273 347
274 // By definition the input was a single TBSCertificate, so there shouldn't be 348 // By definition the input was a single TBSCertificate, so there shouldn't be
275 // unconsumed data. 349 // unconsumed data.
276 if (parser.HasMore()) 350 if (parser.HasMore())
277 return false; 351 return false;
278 352
279 return true; 353 return true;
280 } 354 }
281 355
282 } // namespace net 356 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/parse_certificate.h ('k') | net/cert/internal/parse_certificate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698