Add parsing code for TBSCertificate's "validity" field.

net/cert/internal/parse_certificate.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "net/base/net_export.h"
@@ skipping 36 matching lines @@
 //                                 -- If present, version MUST be v2 or v3
 //            subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
 //                                 -- If present, version MUST be v2 or v3
 //            extensions      [3]  EXPLICIT Extensions OPTIONAL
 //                                 -- If present, version MUST be v3
 //            }
 NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
                                     ParsedTbsCertificate* out)
     WARN_UNUSED_RESULT;
 
+// Parses a DER-encoded "Validity" as specified by RFC 5280. Returns true on
+// success and sets the results in |not_before| and |not_after|:
+//
+//       Validity ::= SEQUENCE {
+//            notBefore      Time,
+//            notAfter       Time }
+//
+// Note that upon success it is NOT guaranteed that |*not_before <= *not_after|.
+NET_EXPORT bool ParseValidity(const der::Input& validity_tlv,
+                              der::GeneralizedTime* not_before,
+                              der::GeneralizedTime* not_after)
+    WARN_UNUSED_RESULT;
+
 // Represents a "Version" from RFC 5280:
 //         Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
 enum class CertificateVersion {
   V1,
   V2,
   V3,
 };
 
 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
 // 5280 "Certificate".
@@ skipping 68 matching lines @@
   //
   // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
   // guarantees are made regarding the value of this SEQUENCE.
   der::Input issuer_tlv;
 
   // Corresponds with "validity" from RFC 5280:
   //         validity             Validity,
   //
   // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
   // guarantees are made regarding the value of this SEQUENCE.
+  //
+  // This can be further parsed using ParseValidity().
   der::Input validity_tlv;

[davidben, 2015/08/14 18:23:10]

Since it's just two fields, I wonder if you should just put not_before and
not_after fields directly into ParsedCertificate. (I dunno what's the criteria
for deciding what does or doesn't get parsed in each pass and probably missed
some design discussions.)

[eroman, 2015/08/14 18:37:04]

I discuss the design overview in this message:
https://codereview.chromium.org/1279963003/#msg2

My rough guideline was that any non-SEQUENCE of Certificate/TBSCertificate would
be parsed fully, and the SEQUENCEs would be deferred to a subsequent parsing
call.

The thinking behind this was primarily to simplify an incremental
implementation, but also with a secondary consideration for performance
(consumers can pick out the pieces they want without having to fully parse
stuff).

In this case it may be better to just parse Validity up-front; I can go ahead
and do that. The only real downside (for me the coder) is it involves needing to
update all the pseudo-TBSCertificate test data :)

 
   // Corresponds with "subject" from RFC 5280:
   //         subject              Name,
   //
   // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
   // guarantees are made regarding the value of this SEQUENCE.
   der::Input subject_tlv;
 
   // Corresponds with "subjectPublicKeyInfo" from RFC 5280:
   //         subjectPublicKeyInfo SubjectPublicKeyInfo,
@@ skipping 30 matching lines @@
   // EXPLICIT outter tag was stripped).
   //
   // Parsing guarantees that if extensions is present the version is v3.
   bool has_extensions;
   der::Input extensions_tlv;
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_