Add parsing code for RFC 5280 PolicyConstraints.

net/cert/internal/parse_certificate.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/parse_certificate.h"
 
 #include <utility>
 
 #include "base/strings/string_util.h"
 #include "net/cert/internal/cert_errors.h"
@@ skipping 620 matching lines @@
     // the broken encoding.
   }
 
   //         pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
   der::Input encoded_path_len;
   if (!sequence_parser.ReadOptionalTag(der::kInteger, &encoded_path_len,
                                        &out->has_path_len)) {
     return false;
   }
   if (out->has_path_len) {
+    // TODO(eroman): Surface reason for failure if length was longer than uint8.
     if (!der::ParseUint8(encoded_path_len, &out->path_len))
       return false;
   } else {
     // Default initialize to 0 as a precaution.
     out->path_len = 0;
   }
 
   // There shouldn't be any unconsumed data in the extension.
   if (sequence_parser.HasMore())
     return false;
@@ skipping 71 matching lines @@
       if (access_method_oid == AdCaIssuersOid())
         out_ca_issuers_uris->push_back(uri);
       else if (access_method_oid == AdOcspOid())
         out_ocsp_uris->push_back(uri);
     }
   }
 
   return true;
 }
 
+// From RFC 5280:
+//
+//   PolicyConstraints ::= SEQUENCE {
+//        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+//        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+//
+//   SkipCerts ::= INTEGER (0..MAX)
+bool ParsePolicyConstraints(const der::Input& policy_constraints_tlv,
+                            ParsedPolicyConstraints* out) {
+  der::Parser parser(policy_constraints_tlv);
+
+  //   PolicyConstraints ::= SEQUENCE {
+  der::Parser sequence_parser;
+  if (!parser.ReadSequence(&sequence_parser))
+    return false;
+
+  // RFC 5280 prohibits CAs from issuing PolicyConstraints as an empty sequence:
+  //
+  //   Conforming CAs MUST NOT issue certificates where policy constraints
+  //   is an empty sequence.  That is, either the inhibitPolicyMapping field
+  //   or the requireExplicitPolicy field MUST be present.  The behavior of
+  //   clients that encounter an empty policy constraints field is not
+  //   addressed in this profile.
+  if (!sequence_parser.HasMore())
+    return false;
+
+  der::Input value;
+  if (!sequence_parser.ReadOptionalTag(der::ContextSpecificPrimitive(0), &value,
+                                       &out->has_require_explicit_policy)) {
+    return false;
+  }
+
+  if (out->has_require_explicit_policy) {
+    if (!ParseUint8(value, &out->require_explicit_policy)) {
+      // TODO(eroman): Surface reason for failure if length was longer than
+      // uint8.
+      return false;
+    }
+  } else {
+    out->require_explicit_policy = 0;
+  }
+
+  if (!sequence_parser.ReadOptionalTag(der::ContextSpecificPrimitive(1), &value,
+                                       &out->has_inhibit_policy_mapping)) {
+    return false;
+  }
+
+  if (out->has_inhibit_policy_mapping) {
+    if (!ParseUint8(value, &out->inhibit_policy_mapping)) {
+      // TODO(eroman): Surface reason for failure if length was longer than
+      // uint8.
+      return false;
+    }
+  } else {
+    out->inhibit_policy_mapping = 0;
+  }
+
+  // There should be no remaining data.
+  if (sequence_parser.HasMore() || parser.HasMore())
+    return false;
+
+  return true;
+}
+
 }  // namespace net