Chromium Code Reviews Chromium Code Reviews
Issue 2341943002:
Add error details to TBSCertificate parsing function and tests. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/parse_certificate.h" | 5 #include "net/cert/internal/parse_certificate.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/strings/string_util.h" | 9 #include "base/strings/string_util.h" |
| 10 #include "net/cert/internal/cert_errors.h" | 10 #include "net/cert/internal/cert_errors.h" |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 23 DEFINE_CERT_ERROR_ID(kUnconsumedDataAfterCertificateSequence, | 23 DEFINE_CERT_ERROR_ID(kUnconsumedDataAfterCertificateSequence, |
| 24 "Unconsumed data after Certificate SEQUENCE"); | 24 "Unconsumed data after Certificate SEQUENCE"); |
| 25 DEFINE_CERT_ERROR_ID(kTbsCertificateNotSequence, | 25 DEFINE_CERT_ERROR_ID(kTbsCertificateNotSequence, |
| 26 "Couldn't read Certificate as SEQUENCE"); | 26 "Couldn't read Certificate as SEQUENCE"); |
| 27 DEFINE_CERT_ERROR_ID( | 27 DEFINE_CERT_ERROR_ID( |
| 28 kSignatureAlgorithmNotSequence, | 28 kSignatureAlgorithmNotSequence, |
| 29 "Couldn't read Certificate.signatureAlgorithm as SEQUENCE"); | 29 "Couldn't read Certificate.signatureAlgorithm as SEQUENCE"); |
| 30 DEFINE_CERT_ERROR_ID(kSignatureValueNotBitString, | 30 DEFINE_CERT_ERROR_ID(kSignatureValueNotBitString, |
| 31 "Couldn't read Certificate.signatureValue as BIT STRING"); | 31 "Couldn't read Certificate.signatureValue as BIT STRING"); |
| 32 | 32 |
| 33 DEFINE_CERT_ERROR_ID(kUnconsumedDataInsideTbsCertificateSequence, | |
| 34 "Unconsumed data inside TBSCertificate"); | |
|
mattm
2016/09/16 21:41:48
should tbs be lowercase?
eroman
2016/09/16 22:07:18
I intentionally upper-cased it to refer to the typ
mattm
2016/09/16 22:16:44
ah, sounds good.
| |
| 35 | |
| 33 // Returns true if |input| is a SEQUENCE and nothing else. | 36 // Returns true if |input| is a SEQUENCE and nothing else. |
| 34 WARN_UNUSED_RESULT bool IsSequenceTLV(const der::Input& input) { | 37 WARN_UNUSED_RESULT bool IsSequenceTLV(const der::Input& input) { |
| 35 der::Parser parser(input); | 38 der::Parser parser(input); |
| 36 der::Parser unused_sequence_parser; | 39 der::Parser unused_sequence_parser; |
| 37 if (!parser.ReadSequence(&unused_sequence_parser)) | 40 if (!parser.ReadSequence(&unused_sequence_parser)) |
| 38 return false; | 41 return false; |
| 39 // Should by a single SEQUENCE by definition of the function. | 42 // Should by a single SEQUENCE by definition of the function. |
| 40 return !parser.HasMore(); | 43 return !parser.HasMore(); |
| 41 } | 44 } |
| 42 | 45 |
| (...skipping 208 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 251 // subjectPublicKeyInfo SubjectPublicKeyInfo, | 254 // subjectPublicKeyInfo SubjectPublicKeyInfo, |
| 252 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, | 255 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, |
| 253 // -- If present, version MUST be v2 or v3 | 256 // -- If present, version MUST be v2 or v3 |
| 254 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, | 257 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, |
| 255 // -- If present, version MUST be v2 or v3 | 258 // -- If present, version MUST be v2 or v3 |
| 256 // extensions [3] EXPLICIT Extensions OPTIONAL | 259 // extensions [3] EXPLICIT Extensions OPTIONAL |
| 257 // -- If present, version MUST be v3 | 260 // -- If present, version MUST be v3 |
| 258 // } | 261 // } |
| 259 bool ParseTbsCertificate(const der::Input& tbs_tlv, | 262 bool ParseTbsCertificate(const der::Input& tbs_tlv, |
| 260 const ParseCertificateOptions& options, | 263 const ParseCertificateOptions& options, |
| 261 ParsedTbsCertificate* out) { | 264 ParsedTbsCertificate* out, |
| 265 CertErrors* errors) { | |
| 266 // The rest of this function assumes that |errors| is non-null. | |
| 267 if (!errors) { | |
| 268 CertErrors unused_errors; | |
| 269 return ParseTbsCertificate(tbs_tlv, options, out, &unused_errors); | |
| 270 } | |
| 271 | |
| 272 // TODO(crbug.com/634443): Add useful error information to |errors|. | |
| 273 | |
| 262 der::Parser parser(tbs_tlv); | 274 der::Parser parser(tbs_tlv); |
| 263 | 275 |
| 264 // Certificate ::= SEQUENCE { | 276 // Certificate ::= SEQUENCE { |
| 265 der::Parser tbs_parser; | 277 der::Parser tbs_parser; |
| 266 if (!parser.ReadSequence(&tbs_parser)) | 278 if (!parser.ReadSequence(&tbs_parser)) |
| 267 return false; | 279 return false; |
| 268 | 280 |
| 269 // version [0] EXPLICIT Version DEFAULT v1, | 281 // version [0] EXPLICIT Version DEFAULT v1, |
| 270 der::Input version; | 282 der::Input version; |
| 271 bool has_version; | 283 bool has_version; |
| (...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 367 return false; | 379 return false; |
| 368 } | 380 } |
| 369 | 381 |
| 370 // Note that there IS an extension point at the end of TBSCertificate | 382 // Note that there IS an extension point at the end of TBSCertificate |
| 371 // (according to RFC 5912), so from that interpretation, unconsumed data would | 383 // (according to RFC 5912), so from that interpretation, unconsumed data would |
| 372 // be allowed in |tbs_parser|. | 384 // be allowed in |tbs_parser|. |
| 373 // | 385 // |
| 374 // However because only v1, v2, and v3 certificates are supported by the | 386 // However because only v1, v2, and v3 certificates are supported by the |
| 375 // parsing, there shouldn't be any subsequent data in those versions, so | 387 // parsing, there shouldn't be any subsequent data in those versions, so |
| 376 // reject. | 388 // reject. |
| 377 if (tbs_parser.HasMore()) | 389 if (tbs_parser.HasMore()) { |
| 390 errors->AddError(kUnconsumedDataInsideTbsCertificateSequence); | |
| 378 return false; | 391 return false; |
| 392 } | |
| 379 | 393 |
| 380 // By definition the input was a single TBSCertificate, so there shouldn't be | 394 // By definition the input was a single TBSCertificate, so there shouldn't be |
| 381 // unconsumed data. | 395 // unconsumed data. |
| 382 if (parser.HasMore()) | 396 if (parser.HasMore()) |
| 383 return false; | 397 return false; |
| 384 | 398 |
| 385 return true; | 399 return true; |
| 386 } | 400 } |
| 387 | 401 |
| 388 // From RFC 5280: | 402 // From RFC 5280: |
| (...skipping 320 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 709 out_ca_issuers_uris->push_back(uri); | 723 out_ca_issuers_uris->push_back(uri); |
| 710 else if (access_method_oid == AdOcspOid()) | 724 else if (access_method_oid == AdOcspOid()) |
| 711 out_ocsp_uris->push_back(uri); | 725 out_ocsp_uris->push_back(uri); |
| 712 } | 726 } |
| 713 } | 727 } |
| 714 | 728 |
| 715 return true; | 729 return true; |
| 716 } | 730 } |
| 717 | 731 |
| 718 } // namespace net | 732 } // namespace net |
| OLD | NEW |
