1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/pki/parse_certificate.h"
6
7 #include "net/cert/pki/cert_errors.h"
8 #include "net/cert/pki/general_names.h"
9 #include "net/cert/pki/parsed_certificate.h"
10 #include "net/cert/pki/test_helpers.h"
11 #include "net/der/input.h"
12 #include "testing/gtest/include/gtest/gtest.h"
13 #include "third_party/boringssl/src/include/openssl/pool.h"
14
15 namespace net {
16
17 namespace {
18
19 // Pretty-prints a GeneralizedTime as a human-readable string for use in test
20 // expectations (it is more readable to specify the expected results as a
21 // string).
ToString(const der::GeneralizedTime & time)22 std::string ToString(const der::GeneralizedTime& time) {
23 std::ostringstream pretty_time;
24 pretty_time << "year=" << int{time.year} << ", month=" << int{time.month}
25 << ", day=" << int{time.day} << ", hours=" << int{time.hours}
26 << ", minutes=" << int{time.minutes}
27 << ", seconds=" << int{time.seconds};
28 return pretty_time.str();
29 }
30
GetFilePath(const std::string & file_name)31 std::string GetFilePath(const std::string& file_name) {
32 return std::string("net/data/parse_certificate_unittest/") + file_name;
33 }
34
35 // Loads certificate data and expectations from the PEM file |file_name|.
36 // Verifies that parsing the Certificate matches expectations:
37 // * If expected to fail, emits the expected errors
38 // * If expected to succeeds, the parsed fields match expectations
RunCertificateTest(const std::string & file_name)39 void RunCertificateTest(const std::string& file_name) {
40 std::string data;
41 std::string expected_errors;
42 std::string expected_tbs_certificate;
43 std::string expected_signature_algorithm;
44 std::string expected_signature;
45
46 // Read the certificate data and test expectations from a single PEM file.
47 const PemBlockMapping mappings[] = {
48 {"CERTIFICATE", &data},
49 {"ERRORS", &expected_errors, true /*optional*/},
50 {"SIGNATURE", &expected_signature, true /*optional*/},
51 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true /*optional*/},
52 {"TBS CERTIFICATE", &expected_tbs_certificate, true /*optional*/},
53 };
54 std::string test_file_path = GetFilePath(file_name);
55 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
56
57 // Note that empty expected_errors doesn't necessarily mean success.
58 bool expected_result = !expected_tbs_certificate.empty();
59
60 // Parsing the certificate.
61 der::Input tbs_certificate_tlv;
62 der::Input signature_algorithm_tlv;
63 der::BitString signature_value;
64 CertErrors errors;
65 bool actual_result =
66 ParseCertificate(der::Input(&data), &tbs_certificate_tlv,
67 &signature_algorithm_tlv, &signature_value, &errors);
68
69 EXPECT_EQ(expected_result, actual_result);
70 VerifyCertErrors(expected_errors, errors, test_file_path);
71
72 // Ensure that the parsed certificate matches expectations.
73 if (expected_result && actual_result) {
74 EXPECT_EQ(0, signature_value.unused_bits());
75 EXPECT_EQ(der::Input(&expected_signature), signature_value.bytes());
76 EXPECT_EQ(der::Input(&expected_signature_algorithm),
77 signature_algorithm_tlv);
78 EXPECT_EQ(der::Input(&expected_tbs_certificate), tbs_certificate_tlv);
79 }
80 }
81
82 // Tests parsing a Certificate.
TEST(ParseCertificateTest,Version3)83 TEST(ParseCertificateTest, Version3) {
84 RunCertificateTest("cert_version3.pem");
85 }
86
87 // Tests parsing a simplified Certificate-like structure (the sub-fields for
88 // algorithm and tbsCertificate are not actually valid, but ParseCertificate()
89 // doesn't check them)
TEST(ParseCertificateTest,Skeleton)90 TEST(ParseCertificateTest, Skeleton) {
91 RunCertificateTest("cert_skeleton.pem");
92 }
93
94 // Tests parsing a Certificate that is not a sequence fails.
TEST(ParseCertificateTest,NotSequence)95 TEST(ParseCertificateTest, NotSequence) {
96 RunCertificateTest("cert_not_sequence.pem");
97 }
98
99 // Tests that uncomsumed data is not allowed after the main SEQUENCE.
TEST(ParseCertificateTest,DataAfterSignature)100 TEST(ParseCertificateTest, DataAfterSignature) {
101 RunCertificateTest("cert_data_after_signature.pem");
102 }
103
104 // Tests that parsing fails if the signature BIT STRING is missing.
TEST(ParseCertificateTest,MissingSignature)105 TEST(ParseCertificateTest, MissingSignature) {
106 RunCertificateTest("cert_missing_signature.pem");
107 }
108
109 // Tests that parsing fails if the signature is present but not a BIT STRING.
TEST(ParseCertificateTest,SignatureNotBitString)110 TEST(ParseCertificateTest, SignatureNotBitString) {
111 RunCertificateTest("cert_signature_not_bit_string.pem");
112 }
113
114 // Tests that parsing fails if the main SEQUENCE is empty (missing all the
115 // fields).
TEST(ParseCertificateTest,EmptySequence)116 TEST(ParseCertificateTest, EmptySequence) {
117 RunCertificateTest("cert_empty_sequence.pem");
118 }
119
120 // Tests what happens when the signature algorithm is present, but has the wrong
121 // tag.
TEST(ParseCertificateTest,AlgorithmNotSequence)122 TEST(ParseCertificateTest, AlgorithmNotSequence) {
123 RunCertificateTest("cert_algorithm_not_sequence.pem");
124 }
125
126 // Loads tbsCertificate data and expectations from the PEM file |file_name|.
127 // Verifies that parsing the TBSCertificate succeeds, and each parsed field
128 // matches the expectations.
129 //
130 // TODO(eroman): Get rid of the |expected_version| parameter -- this should be
131 // encoded in the test expectations file.
RunTbsCertificateTestGivenVersion(const std::string & file_name,CertificateVersion expected_version)132 void RunTbsCertificateTestGivenVersion(const std::string& file_name,
133 CertificateVersion expected_version) {
134 std::string data;
135 std::string expected_serial_number;
136 std::string expected_signature_algorithm;
137 std::string expected_issuer;
138 std::string expected_validity_not_before;
139 std::string expected_validity_not_after;
140 std::string expected_subject;
141 std::string expected_spki;
142 std::string expected_issuer_unique_id;
143 std::string expected_subject_unique_id;
144 std::string expected_extensions;
145 std::string expected_errors;
146
147 // Read the certificate data and test expectations from a single PEM file.
148 const PemBlockMapping mappings[] = {
149 {"TBS CERTIFICATE", &data},
150 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true},
151 {"SERIAL NUMBER", &expected_serial_number, true},
152 {"ISSUER", &expected_issuer, true},
153 {"VALIDITY NOTBEFORE", &expected_validity_not_before, true},
154 {"VALIDITY NOTAFTER", &expected_validity_not_after, true},
155 {"SUBJECT", &expected_subject, true},
156 {"SPKI", &expected_spki, true},
157 {"ISSUER UNIQUE ID", &expected_issuer_unique_id, true},
158 {"SUBJECT UNIQUE ID", &expected_subject_unique_id, true},
159 {"EXTENSIONS", &expected_extensions, true},
160 {"ERRORS", &expected_errors, true},
161 };
162 std::string test_file_path = GetFilePath(file_name);
163 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
164
165 bool expected_result = !expected_spki.empty();
166
167 ParsedTbsCertificate parsed;
168 CertErrors errors;
169 bool actual_result =
170 ParseTbsCertificate(der::Input(&data), {}, &parsed, &errors);
171
172 EXPECT_EQ(expected_result, actual_result);
173 VerifyCertErrors(expected_errors, errors, test_file_path);
174
175 if (!expected_result || !actual_result)
176 return;
177
178 // Ensure that the ParsedTbsCertificate matches expectations.
179 EXPECT_EQ(expected_version, parsed.version);
180
181 EXPECT_EQ(der::Input(&expected_serial_number), parsed.serial_number);
182 EXPECT_EQ(der::Input(&expected_signature_algorithm),
183 parsed.signature_algorithm_tlv);
184
185 EXPECT_EQ(der::Input(&expected_issuer), parsed.issuer_tlv);
186
187 // In the test expectations PEM file, validity is described as a
188 // textual string of the parsed value (rather than as DER).
189 EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
190 EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
191
192 EXPECT_EQ(der::Input(&expected_subject), parsed.subject_tlv);
193 EXPECT_EQ(der::Input(&expected_spki), parsed.spki_tlv);
194
195 EXPECT_EQ(!expected_issuer_unique_id.empty(),
196 parsed.issuer_unique_id.has_value());
197 if (parsed.issuer_unique_id.has_value()) {
198 EXPECT_EQ(der::Input(&expected_issuer_unique_id),
199 parsed.issuer_unique_id->bytes());
200 }
201 EXPECT_EQ(!expected_subject_unique_id.empty(),
202 parsed.subject_unique_id.has_value());
203 if (parsed.subject_unique_id.has_value()) {
204 EXPECT_EQ(der::Input(&expected_subject_unique_id),
205 parsed.subject_unique_id->bytes());
206 }
207
208 EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
209 if (parsed.extensions_tlv) {
210 EXPECT_EQ(der::Input(&expected_extensions), parsed.extensions_tlv.value());
211 }
212 }
213
RunTbsCertificateTest(const std::string & file_name)214 void RunTbsCertificateTest(const std::string& file_name) {
215 RunTbsCertificateTestGivenVersion(file_name, CertificateVersion::V3);
216 }
217
218 // Tests parsing a TBSCertificate for v3 that contains no optional fields.
TEST(ParseTbsCertificateTest,Version3NoOptionals)219 TEST(ParseTbsCertificateTest, Version3NoOptionals) {
220 RunTbsCertificateTest("tbs_v3_no_optionals.pem");
221 }
222
223 // Tests parsing a TBSCertificate for v3 that contains extensions.
TEST(ParseTbsCertificateTest,Version3WithExtensions)224 TEST(ParseTbsCertificateTest, Version3WithExtensions) {
225 RunTbsCertificateTest("tbs_v3_extensions.pem");
226 }
227
228 // Tests parsing a TBSCertificate which lacks a version number (causing it to
229 // default to v1).
TEST(ParseTbsCertificateTest,Version1)230 TEST(ParseTbsCertificateTest, Version1) {
231 RunTbsCertificateTestGivenVersion("tbs_v1.pem", CertificateVersion::V1);
232 }
233
234 // The version was set to v1 explicitly rather than omitting the version field.
TEST(ParseTbsCertificateTest,ExplicitVersion1)235 TEST(ParseTbsCertificateTest, ExplicitVersion1) {
236 RunTbsCertificateTest("tbs_explicit_v1.pem");
237 }
238
239 // Extensions are not defined in version 1.
TEST(ParseTbsCertificateTest,Version1WithExtensions)240 TEST(ParseTbsCertificateTest, Version1WithExtensions) {
241 RunTbsCertificateTest("tbs_v1_extensions.pem");
242 }
243
244 // Extensions are not defined in version 2.
TEST(ParseTbsCertificateTest,Version2WithExtensions)245 TEST(ParseTbsCertificateTest, Version2WithExtensions) {
246 RunTbsCertificateTest("tbs_v2_extensions.pem");
247 }
248
249 // A boring version 2 certificate with none of the optional fields.
TEST(ParseTbsCertificateTest,Version2NoOptionals)250 TEST(ParseTbsCertificateTest, Version2NoOptionals) {
251 RunTbsCertificateTestGivenVersion("tbs_v2_no_optionals.pem",
252 CertificateVersion::V2);
253 }
254
255 // A version 2 certificate with an issuer unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerUniqueId)256 TEST(ParseTbsCertificateTest, Version2IssuerUniqueId) {
257 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_unique_id.pem",
258 CertificateVersion::V2);
259 }
260
261 // A version 2 certificate with both a issuer and subject unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerAndSubjectUniqueId)262 TEST(ParseTbsCertificateTest, Version2IssuerAndSubjectUniqueId) {
263 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_and_subject_unique_id.pem",
264 CertificateVersion::V2);
265 }
266
267 // A version 3 certificate with all of the optional fields (issuer unique id,
268 // subject unique id, and extensions).
TEST(ParseTbsCertificateTest,Version3AllOptionals)269 TEST(ParseTbsCertificateTest, Version3AllOptionals) {
270 RunTbsCertificateTest("tbs_v3_all_optionals.pem");
271 }
272
273 // The version was set to v4, which is unrecognized.
TEST(ParseTbsCertificateTest,Version4)274 TEST(ParseTbsCertificateTest, Version4) {
275 RunTbsCertificateTest("tbs_v4.pem");
276 }
277
278 // Tests that extraneous data after extensions in a v3 is rejected.
TEST(ParseTbsCertificateTest,Version3DataAfterExtensions)279 TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {
280 RunTbsCertificateTest("tbs_v3_data_after_extensions.pem");
281 }
282
283 // Tests using a real-world certificate (whereas the other tests are fabricated
284 // (and in fact invalid) data.
TEST(ParseTbsCertificateTest,Version3Real)285 TEST(ParseTbsCertificateTest, Version3Real) {
286 RunTbsCertificateTest("tbs_v3_real.pem");
287 }
288
289 // Parses a TBSCertificate whose "validity" field expresses both notBefore
290 // and notAfter using UTCTime.
TEST(ParseTbsCertificateTest,ValidityBothUtcTime)291 TEST(ParseTbsCertificateTest, ValidityBothUtcTime) {
292 RunTbsCertificateTest("tbs_validity_both_utc_time.pem");
293 }
294
295 // Parses a TBSCertificate whose "validity" field expresses both notBefore
296 // and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityBothGeneralizedTime)297 TEST(ParseTbsCertificateTest, ValidityBothGeneralizedTime) {
298 RunTbsCertificateTest("tbs_validity_both_generalized_time.pem");
299 }
300
301 // Parses a TBSCertificate whose "validity" field expresses notBefore using
302 // UTCTime and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityUTCTimeAndGeneralizedTime)303 TEST(ParseTbsCertificateTest, ValidityUTCTimeAndGeneralizedTime) {
304 RunTbsCertificateTest("tbs_validity_utc_time_and_generalized_time.pem");
305 }
306
307 // Parses a TBSCertificate whose validity" field expresses notBefore using
308 // GeneralizedTime and notAfter using UTCTime. Also of interest, notBefore >
309 // notAfter. Parsing will succeed, however no time can satisfy this constraint.
TEST(ParseTbsCertificateTest,ValidityGeneralizedTimeAndUTCTime)310 TEST(ParseTbsCertificateTest, ValidityGeneralizedTimeAndUTCTime) {
311 RunTbsCertificateTest("tbs_validity_generalized_time_and_utc_time.pem");
312 }
313
314 // Parses a TBSCertificate whose "validity" field does not strictly follow
315 // the DER rules (and fails to be parsed).
TEST(ParseTbsCertificateTest,ValidityRelaxed)316 TEST(ParseTbsCertificateTest, ValidityRelaxed) {
317 RunTbsCertificateTest("tbs_validity_relaxed.pem");
318 }
319
320 // Parses a KeyUsage with a single 0 bit.
TEST(ParseKeyUsageTest,OneBitAllZeros)321 TEST(ParseKeyUsageTest, OneBitAllZeros) {
322 const uint8_t der[] = {
323 0x03, 0x02, // BIT STRING
324 0x07, // Number of unused bits
325 0x00, // bits
326 };
327
328 der::BitString key_usage;
329 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
330 }
331
332 // Parses a KeyUsage with 32 bits that are all 0.
333 TEST(ParseKeyUsageTest, 32BitsAllZeros) {
334 const uint8_t der[] = {
335 0x03, 0x05, // BIT STRING
336 0x00, // Number of unused bits
337 0x00, 0x00, 0x00, 0x00,
338 };
339
340 der::BitString key_usage;
341 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
342 }
343
344 // Parses a KeyUsage with 32 bits, one of which is 1 (but not in recognized
345 // set).
346 TEST(ParseKeyUsageTest, 32BitsOneSet) {
347 const uint8_t der[] = {
348 0x03, 0x05, // BIT STRING
349 0x00, // Number of unused bits
350 0x00, 0x00, 0x00, 0x02,
351 };
352
353 der::BitString key_usage;
354 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
355
356 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
357 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
358 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
359 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
360 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
361 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
362 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
363 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
364 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
365 }
366
367 // Parses a KeyUsage containing bit string 101.
TEST(ParseKeyUsageTest,ThreeBits)368 TEST(ParseKeyUsageTest, ThreeBits) {
369 const uint8_t der[] = {
370 0x03, 0x02, // BIT STRING
371 0x05, // Number of unused bits
372 0xA0, // bits
373 };
374
375 der::BitString key_usage;
376 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
377
378 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
379 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
380 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
381 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
382 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
383 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
384 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
385 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
386 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
387 }
388
389 // Parses a KeyUsage containing DECIPHER_ONLY, which is the
390 // only bit that doesn't fit in the first byte.
TEST(ParseKeyUsageTest,DecipherOnly)391 TEST(ParseKeyUsageTest, DecipherOnly) {
392 const uint8_t der[] = {
393 0x03, 0x03, // BIT STRING
394 0x07, // Number of unused bits
395 0x00, 0x80, // bits
396 };
397
398 der::BitString key_usage;
399 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
400
401 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
402 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
403 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
404 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
405 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
406 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
407 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
408 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
409 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
410 }
411
412 // Parses an empty KeyUsage.
TEST(ParseKeyUsageTest,Empty)413 TEST(ParseKeyUsageTest, Empty) {
414 const uint8_t der[] = {
415 0x03, 0x01, // BIT STRING
416 0x00, // Number of unused bits
417 };
418
419 der::BitString key_usage;
420 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
421 }
422
TEST(ParseAuthorityInfoAccess,BasicTests)423 TEST(ParseAuthorityInfoAccess, BasicTests) {
424 // SEQUENCE {
425 // SEQUENCE {
426 // # ocsp with directoryName
427 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
428 // [4] {
429 // SEQUENCE {
430 // SET {
431 // SEQUENCE {
432 // # commonName
433 // OBJECT_IDENTIFIER { 2.5.4.3 }
434 // PrintableString { "ocsp" }
435 // }
436 // }
437 // }
438 // }
439 // }
440 // SEQUENCE {
441 // # caIssuers with directoryName
442 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
443 // [4] {
444 // SEQUENCE {
445 // SET {
446 // SEQUENCE {
447 // # commonName
448 // OBJECT_IDENTIFIER { 2.5.4.3 }
449 // PrintableString { "ca issuer" }
450 // }
451 // }
452 // }
453 // }
454 // }
455 // SEQUENCE {
456 // # non-standard method with URI
457 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.3 }
458 // [6 PRIMITIVE] { "http://nonstandard.example.com" }
459 // }
460 // SEQUENCE {
461 // # ocsp with URI
462 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
463 // [6 PRIMITIVE] { "http://ocsp.example.com" }
464 // }
465 // SEQUENCE {
466 // # caIssuers with URI
467 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
468 // [6 PRIMITIVE] { "http://www.example.com/issuer.crt" }
469 // }
470 // }
471 const uint8_t der[] = {
472 0x30, 0x81, 0xc3, 0x30, 0x1d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
473 0x07, 0x30, 0x01, 0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06,
474 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x22,
475 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0xa4, 0x16,
476 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
477 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x30, 0x2a,
478 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x03, 0x86, 0x1e,
479 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f, 0x6e, 0x73, 0x74,
480 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70,
481 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06,
482 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70,
483 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d,
484 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x2d, 0x06, 0x08, 0x2b,
485 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x21, 0x68, 0x74, 0x74,
486 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x78, 0x61, 0x6d,
487 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x73, 0x73, 0x75,
488 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
489
490 std::vector<AuthorityInfoAccessDescription> access_descriptions;
491 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
492 ASSERT_EQ(5u, access_descriptions.size());
493 {
494 const auto& desc = access_descriptions[0];
495 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
496 const uint8_t location_der[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
497 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
498 0x04, 0x6f, 0x63, 0x73, 0x70};
499 EXPECT_EQ(der::Input(location_der), desc.access_location);
500 }
501 {
502 const auto& desc = access_descriptions[1];
503 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
504 const uint8_t location_der[] = {
505 0xa4, 0x16, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
506 0x03, 0x13, 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
507 EXPECT_EQ(der::Input(location_der), desc.access_location);
508 }
509 {
510 const auto& desc = access_descriptions[2];
511 const uint8_t method_oid[] = {0x2b, 0x06, 0x01, 0x05,
512 0x05, 0x07, 0x30, 0x03};
513 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
514 const uint8_t location_der[] = {
515 0x86, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f,
516 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65,
517 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
518 EXPECT_EQ(der::Input(location_der), desc.access_location);
519 }
520 {
521 const auto& desc = access_descriptions[3];
522 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
523 const uint8_t location_der[] = {0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a,
524 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e,
525 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
526 0x2e, 0x63, 0x6f, 0x6d};
527 EXPECT_EQ(der::Input(location_der), desc.access_location);
528 }
529 {
530 const auto& desc = access_descriptions[4];
531 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
532 const uint8_t location_der[] = {
533 0x86, 0x21, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
534 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
535 0x2f, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
536 EXPECT_EQ(der::Input(location_der), desc.access_location);
537 }
538
539 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
540 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
541 &ocsp_uris));
542 ASSERT_EQ(1u, ca_issuers_uris.size());
543 EXPECT_EQ("http://www.example.com/issuer.crt", ca_issuers_uris.front());
544 ASSERT_EQ(1u, ocsp_uris.size());
545 EXPECT_EQ("http://ocsp.example.com", ocsp_uris.front());
546 }
547
TEST(ParseAuthorityInfoAccess,NoOcspOrCaIssuersURIs)548 TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) {
549 // SEQUENCE {
550 // SEQUENCE {
551 // # non-standard method with directoryName
552 // OBJECT_IDENTIFIER { 1.2.3 }
553 // [4] {
554 // SEQUENCE {
555 // SET {
556 // SEQUENCE {
557 // # commonName
558 // OBJECT_IDENTIFIER { 2.5.4.3 }
559 // PrintableString { "foo" }
560 // }
561 // }
562 // }
563 // }
564 // }
565 // }
566 const uint8_t der[] = {0x30, 0x18, 0x30, 0x16, 0x06, 0x02, 0x2a, 0x03, 0xa4,
567 0x10, 0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03,
568 0x55, 0x04, 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
569
570 std::vector<AuthorityInfoAccessDescription> access_descriptions;
571 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
572 ASSERT_EQ(1u, access_descriptions.size());
573 const auto& desc = access_descriptions[0];
574 const uint8_t method_oid[] = {0x2a, 0x03};
575 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
576 const uint8_t location_der[] = {0xa4, 0x10, 0x30, 0x0e, 0x31, 0x0c,
577 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04,
578 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
579 EXPECT_EQ(der::Input(location_der), desc.access_location);
580
581 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
582 // ParseAuthorityInfoAccessURIs should still return success since it was a
583 // valid AuthorityInfoAccess extension, even though it did not contain any
584 // elements we care about, and both output vectors should be empty.
585 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
586 &ocsp_uris));
587 EXPECT_EQ(0u, ca_issuers_uris.size());
588 EXPECT_EQ(0u, ocsp_uris.size());
589 }
590
TEST(ParseAuthorityInfoAccess,IncompleteAccessDescription)591 TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) {
592 // SEQUENCE {
593 // # first entry is ok
594 // SEQUENCE {
595 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
596 // [6 PRIMITIVE] { "http://ocsp.example.com" }
597 // }
598 // # second is missing accessLocation field
599 // SEQUENCE {
600 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
601 // }
602 // }
603 const uint8_t der[] = {0x30, 0x31, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01,
604 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74,
605 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
606 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
607 0x63, 0x6f, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
608 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};
609
610 std::vector<AuthorityInfoAccessDescription> access_descriptions;
611 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
612
613 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
614 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
615 &ocsp_uris));
616 }
617
TEST(ParseAuthorityInfoAccess,ExtraDataInAccessDescription)618 TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) {
619 // SEQUENCE {
620 // SEQUENCE {
621 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
622 // [6 PRIMITIVE] { "http://ocsp.example.com" }
623 // # invalid, AccessDescription only has 2 fields
624 // PrintableString { "henlo" }
625 // }
626 // }
627 const uint8_t der[] = {
628 0x30, 0x2c, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
629 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f,
630 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
631 0x63, 0x6f, 0x6d, 0x13, 0x05, 0x68, 0x65, 0x6e, 0x6c, 0x6f};
632
633 std::vector<AuthorityInfoAccessDescription> access_descriptions;
634 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
635
636 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
637 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
638 &ocsp_uris));
639 }
640
TEST(ParseAuthorityInfoAccess,EmptySequence)641 TEST(ParseAuthorityInfoAccess, EmptySequence) {
642 // SEQUENCE { }
643 const uint8_t der[] = {0x30, 0x00};
644
645 std::vector<AuthorityInfoAccessDescription> access_descriptions;
646 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
647
648 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
649 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
650 &ocsp_uris));
651 }
652
653 // Test fixture for testing ParseCrlDistributionPoints.
654 //
655 // Test data is encoded in certificate files. This fixture is responsible for
656 // reading and parsing the certificates to get at the extension under test.
657 class ParseCrlDistributionPointsTest : public ::testing::Test {
658 public:
659 protected:
GetCrlDps(const char * file_name,std::vector<ParsedDistributionPoint> * dps)660 bool GetCrlDps(const char* file_name,
661 std::vector<ParsedDistributionPoint>* dps) {
662 std::string cert_bytes;
663 // Read the test certificate file.
664 const PemBlockMapping mappings[] = {
665 {"CERTIFICATE", &cert_bytes},
666 };
667 std::string test_file_path = GetFilePath(file_name);
668 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
669
670 // Extract the CRLDP from the test Certificate.
671 CertErrors errors;
672 std::shared_ptr<const ParsedCertificate> cert = ParsedCertificate::Create(
673 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
674 reinterpret_cast<const uint8_t*>(cert_bytes.data()),
675 cert_bytes.size(), nullptr)),
676 {}, &errors);
677
678 if (!cert)
679 return false;
680
681 auto it = cert->extensions().find(der::Input(kCrlDistributionPointsOid));
682 if (it == cert->extensions().end())
683 return false;
684
685 der::Input crl_dp_tlv = it->second.value;
686
687 // Keep the certificate data alive, since this function will return
688 // der::Inputs that reference it. Run the function under test (for parsing
689 //
690 // TODO(eroman): The use of ParsedCertificate in this test should be removed
691 // in lieu of lazy parsing.
692 keep_alive_certs_.push_back(cert);
693
694 return ParseCrlDistributionPoints(crl_dp_tlv, dps);
695 }
696
697 private:
698 ParsedCertificateList keep_alive_certs_;
699 };
700
TEST_F(ParseCrlDistributionPointsTest,OneUriNoIssuer)701 TEST_F(ParseCrlDistributionPointsTest, OneUriNoIssuer) {
702 std::vector<ParsedDistributionPoint> dps;
703 ASSERT_TRUE(GetCrlDps("crldp_1uri_noissuer.pem", &dps));
704
705 ASSERT_EQ(1u, dps.size());
706 const ParsedDistributionPoint& dp1 = dps.front();
707
708 ASSERT_TRUE(dp1.distribution_point_fullname);
709 const GeneralNames& fullname = *dp1.distribution_point_fullname;
710 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
711 fullname.present_name_types);
712 ASSERT_EQ(1u, fullname.uniform_resource_identifiers.size());
713 EXPECT_EQ(fullname.uniform_resource_identifiers.front(),
714 std::string("http://www.example.com/foo.crl"));
715
716 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
717 EXPECT_FALSE(dp1.reasons);
718 EXPECT_FALSE(dp1.crl_issuer);
719 }
720
TEST_F(ParseCrlDistributionPointsTest,ThreeUrisNoIssuer)721 TEST_F(ParseCrlDistributionPointsTest, ThreeUrisNoIssuer) {
722 std::vector<ParsedDistributionPoint> dps;
723 ASSERT_TRUE(GetCrlDps("crldp_3uri_noissuer.pem", &dps));
724
725 ASSERT_EQ(1u, dps.size());
726 const ParsedDistributionPoint& dp1 = dps.front();
727
728 ASSERT_TRUE(dp1.distribution_point_fullname);
729 const GeneralNames& fullname = *dp1.distribution_point_fullname;
730 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
731 fullname.present_name_types);
732 ASSERT_EQ(3u, fullname.uniform_resource_identifiers.size());
733 EXPECT_EQ(fullname.uniform_resource_identifiers[0],
734 std::string("http://www.example.com/foo1.crl"));
735 EXPECT_EQ(fullname.uniform_resource_identifiers[1],
736 std::string("http://www.example.com/blah.crl"));
737 EXPECT_EQ(fullname.uniform_resource_identifiers[2],
738 std::string("not-even-a-url"));
739
740 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
741 EXPECT_FALSE(dp1.reasons);
742 EXPECT_FALSE(dp1.crl_issuer);
743 }
744
TEST_F(ParseCrlDistributionPointsTest,CrlIssuerAsDirname)745 TEST_F(ParseCrlDistributionPointsTest, CrlIssuerAsDirname) {
746 std::vector<ParsedDistributionPoint> dps;
747 ASSERT_TRUE(GetCrlDps("crldp_issuer_as_dirname.pem", &dps));
748
749 ASSERT_EQ(1u, dps.size());
750 const ParsedDistributionPoint& dp1 = dps.front();
751 ASSERT_TRUE(dp1.distribution_point_fullname);
752 const GeneralNames& fullname = *dp1.distribution_point_fullname;
753 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
754 // Generated by `ascii2der | xxd -i` from the Name value in
755 // crldp_issuer_as_dirname.pem.
756 const uint8_t kExpectedName[] = {
757 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
758 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
759 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
760 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22,
761 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64,
762 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33,
763 0x20, 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72, 0x31, 0x29,
764 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20, 0x69, 0x6e, 0x64,
765 0x69, 0x72, 0x65, 0x63, 0x74, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x66, 0x6f,
766 0x72, 0x20, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52,
767 0x4c, 0x20, 0x43, 0x41, 0x33};
768 ASSERT_EQ(1u, fullname.directory_names.size());
769 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
770
771 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
772 EXPECT_FALSE(dp1.reasons);
773
774 ASSERT_TRUE(dp1.crl_issuer);
775 // Generated by `ascii2der | xxd -i` from the cRLIssuer value in
776 // crldp_issuer_as_dirname.pem.
777 const uint8_t kExpectedCrlIssuer[] = {
778 0xa4, 0x54, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
779 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06,
780 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16, 0x54, 0x65, 0x73, 0x74, 0x20,
781 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
782 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22, 0x30, 0x20, 0x06,
783 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64, 0x69, 0x72,
784 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33, 0x20,
785 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72};
786 EXPECT_EQ(der::Input(kExpectedCrlIssuer), dp1.crl_issuer);
787 }
788
TEST_F(ParseCrlDistributionPointsTest,FullnameAsDirname)789 TEST_F(ParseCrlDistributionPointsTest, FullnameAsDirname) {
790 std::vector<ParsedDistributionPoint> dps;
791 ASSERT_TRUE(GetCrlDps("crldp_full_name_as_dirname.pem", &dps));
792
793 ASSERT_EQ(1u, dps.size());
794 const ParsedDistributionPoint& dp1 = dps.front();
795
796 ASSERT_TRUE(dp1.distribution_point_fullname);
797 const GeneralNames& fullname = *dp1.distribution_point_fullname;
798 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
799 // Generated by `ascii2der | xxd -i` from the Name value in
800 // crldp_full_name_as_dirname.pem.
801 const uint8_t kExpectedName[] = {
802 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
803 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
804 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
805 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x45,
806 0x30, 0x43, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x3c, 0x53, 0x65, 0x6c,
807 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72,
808 0x74, 0x20, 0x44, 0x50, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x42, 0x61, 0x73,
809 0x69, 0x63, 0x20, 0x53, 0x65, 0x6c, 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75,
810 0x65, 0x64, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
811 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x43, 0x41};
812 ASSERT_EQ(1u, fullname.directory_names.size());
813 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
814
815 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
816 EXPECT_FALSE(dp1.reasons);
817 EXPECT_FALSE(dp1.crl_issuer);
818 }
819
TEST_F(ParseCrlDistributionPointsTest,RelativeNameAndReasonsAndMultipleDPs)820 TEST_F(ParseCrlDistributionPointsTest, RelativeNameAndReasonsAndMultipleDPs) {
821 // SEQUENCE {
822 // SEQUENCE {
823 // # distributionPoint
824 // [0] {
825 // # nameRelativeToCRLIssuer
826 // [1] {
827 // SET {
828 // SEQUENCE {
829 // # commonName
830 // OBJECT_IDENTIFIER { 2.5.4.3 }
831 // PrintableString { "CRL1" }
832 // }
833 // }
834 // }
835 // }
836 // # reasons
837 // [1 PRIMITIVE] { b`011` }
838 // }
839 // SEQUENCE {
840 // # distributionPoint
841 // [0] {
842 // # fullName
843 // [0] {
844 // [4] {
845 // SEQUENCE {
846 // SET {
847 // SEQUENCE {
848 // # commonName
849 // OBJECT_IDENTIFIER { 2.5.4.3 }
850 // PrintableString { "CRL2" }
851 // }
852 // }
853 // }
854 // }
855 // }
856 // }
857 // # reasons
858 // [1 PRIMITIVE] { b`100111111` }
859 // }
860 // }
861 const uint8_t kInputDer[] = {
862 0x30, 0x37, 0x30, 0x17, 0xa0, 0x11, 0xa1, 0x0f, 0x31, 0x0d, 0x30, 0x0b,
863 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x43, 0x52, 0x4c, 0x31, 0x81,
864 0x02, 0x05, 0x60, 0x30, 0x1c, 0xa0, 0x15, 0xa0, 0x13, 0xa4, 0x11, 0x30,
865 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04,
866 0x43, 0x52, 0x4c, 0x32, 0x81, 0x03, 0x07, 0x9f, 0x80};
867
868 std::vector<ParsedDistributionPoint> dps;
869 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
870 ASSERT_EQ(2u, dps.size());
871 {
872 const ParsedDistributionPoint& dp = dps[0];
873 EXPECT_FALSE(dp.distribution_point_fullname);
874
875 ASSERT_TRUE(dp.distribution_point_name_relative_to_crl_issuer);
876 // SET {
877 // SEQUENCE {
878 // # commonName
879 // OBJECT_IDENTIFIER { 2.5.4.3 }
880 // PrintableString { "CRL1" }
881 // }
882 // }
883 const uint8_t kExpectedRDN[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
884 0x03, 0x55, 0x04, 0x03, 0x13,
885 0x04, 0x43, 0x52, 0x4c, 0x31};
886 EXPECT_EQ(der::Input(kExpectedRDN),
887 *dp.distribution_point_name_relative_to_crl_issuer);
888
889 ASSERT_TRUE(dp.reasons);
890 const uint8_t kExpectedReasons[] = {0x05, 0x60};
891 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
892
893 EXPECT_FALSE(dp.crl_issuer);
894 }
895 {
896 const ParsedDistributionPoint& dp = dps[1];
897 ASSERT_TRUE(dp.distribution_point_fullname);
898 const GeneralNames& fullname = *dp.distribution_point_fullname;
899 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
900 // SET {
901 // SEQUENCE {
902 // # commonName
903 // OBJECT_IDENTIFIER { 2.5.4.3 }
904 // PrintableString { "CRL2" }
905 // }
906 // }
907 const uint8_t kExpectedName[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
908 0x03, 0x55, 0x04, 0x03, 0x13,
909 0x04, 0x43, 0x52, 0x4c, 0x32};
910 ASSERT_EQ(1u, fullname.directory_names.size());
911 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
912
913 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
914
915 ASSERT_TRUE(dp.reasons);
916 const uint8_t kExpectedReasons[] = {0x07, 0x9f, 0x80};
917 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
918
919 EXPECT_FALSE(dp.crl_issuer);
920 }
921 }
922
TEST_F(ParseCrlDistributionPointsTest,NoDistributionPointName)923 TEST_F(ParseCrlDistributionPointsTest, NoDistributionPointName) {
924 // SEQUENCE {
925 // SEQUENCE {
926 // # cRLIssuer
927 // [2] {
928 // [4] {
929 // SEQUENCE {
930 // SET {
931 // SEQUENCE {
932 // # organizationUnitName
933 // OBJECT_IDENTIFIER { 2.5.4.11 }
934 // PrintableString { "crl issuer" }
935 // }
936 // }
937 // }
938 // }
939 // }
940 // }
941 // }
942 const uint8_t kInputDer[] = {0x30, 0x1d, 0x30, 0x1b, 0xa2, 0x19, 0xa4, 0x17,
943 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
944 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x63, 0x72, 0x6c,
945 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
946
947 std::vector<ParsedDistributionPoint> dps;
948 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
949 ASSERT_EQ(1u, dps.size());
950 const ParsedDistributionPoint& dp = dps[0];
951 EXPECT_FALSE(dp.distribution_point_fullname);
952
953 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
954
955 EXPECT_FALSE(dp.reasons);
956
957 ASSERT_TRUE(dp.crl_issuer);
958 const uint8_t kExpectedDer[] = {0xa4, 0x17, 0x30, 0x15, 0x31, 0x13, 0x30,
959 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
960 0x0a, 0x63, 0x72, 0x6c, 0x20, 0x69, 0x73,
961 0x73, 0x75, 0x65, 0x72};
962 EXPECT_EQ(der::Input(kExpectedDer), *dp.crl_issuer);
963 }
964
TEST_F(ParseCrlDistributionPointsTest,OnlyReasons)965 TEST_F(ParseCrlDistributionPointsTest, OnlyReasons) {
966 // SEQUENCE {
967 // SEQUENCE {
968 // # reasons
969 // [1 PRIMITIVE] { b`011` }
970 // }
971 // }
972 const uint8_t kInputDer[] = {0x30, 0x06, 0x30, 0x04, 0x81, 0x02, 0x05, 0x60};
973
974 std::vector<ParsedDistributionPoint> dps;
975 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
976 }
977
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoint)978 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoint) {
979 // SEQUENCE {
980 // SEQUENCE {
981 // }
982 // }
983 const uint8_t kInputDer[] = {0x30, 0x02, 0x30, 0x00};
984
985 std::vector<ParsedDistributionPoint> dps;
986 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
987 }
988
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoints)989 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoints) {
990 // SEQUENCE { }
991 const uint8_t kInputDer[] = {0x30, 0x00};
992
993 std::vector<ParsedDistributionPoint> dps;
994 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
995 }
996
ParseAuthorityKeyIdentifierTestData(const char * file_name,std::string * backing_bytes,ParsedAuthorityKeyIdentifier * authority_key_identifier)997 bool ParseAuthorityKeyIdentifierTestData(
998 const char* file_name,
999 std::string* backing_bytes,
1000 ParsedAuthorityKeyIdentifier* authority_key_identifier) {
1001 // Read the test file.
1002 const PemBlockMapping mappings[] = {
1003 {"AUTHORITY_KEY_IDENTIFIER", backing_bytes},
1004 };
1005 std::string test_file_path =
1006 std::string(
1007 "net/data/parse_certificate_unittest/authority_key_identifier/") +
1008 file_name;
1009 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
1010
1011 return ParseAuthorityKeyIdentifier(der::Input(backing_bytes),
1012 authority_key_identifier);
1013 }
1014
TEST(ParseAuthorityKeyIdentifierTest,EmptyInput)1015 TEST(ParseAuthorityKeyIdentifierTest, EmptyInput) {
1016 ParsedAuthorityKeyIdentifier authority_key_identifier;
1017 EXPECT_FALSE(
1018 ParseAuthorityKeyIdentifier(der::Input(), &authority_key_identifier));
1019 }
1020
TEST(ParseAuthorityKeyIdentifierTest,EmptySequence)1021 TEST(ParseAuthorityKeyIdentifierTest, EmptySequence) {
1022 std::string backing_bytes;
1023 ParsedAuthorityKeyIdentifier authority_key_identifier;
1024 // TODO(mattm): should this be an error? RFC 5280 doesn't explicitly say it.
1025 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1026 "empty_sequence.pem", &backing_bytes, &authority_key_identifier));
1027
1028 EXPECT_FALSE(authority_key_identifier.key_identifier);
1029 EXPECT_FALSE(authority_key_identifier.authority_cert_issuer);
1030 EXPECT_FALSE(authority_key_identifier.authority_cert_serial_number);
1031 }
1032
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifier)1033 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifier) {
1034 std::string backing_bytes;
1035 ParsedAuthorityKeyIdentifier authority_key_identifier;
1036 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1037 "key_identifier.pem", &backing_bytes, &authority_key_identifier));
1038
1039 ASSERT_TRUE(authority_key_identifier.key_identifier);
1040 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1041 EXPECT_EQ(der::Input(kExpectedValue),
1042 authority_key_identifier.key_identifier);
1043 }
1044
TEST(ParseAuthorityKeyIdentifierTest,IssuerAndSerial)1045 TEST(ParseAuthorityKeyIdentifierTest, IssuerAndSerial) {
1046 std::string backing_bytes;
1047 ParsedAuthorityKeyIdentifier authority_key_identifier;
1048 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1049 "issuer_and_serial.pem", &backing_bytes, &authority_key_identifier));
1050
1051 EXPECT_FALSE(authority_key_identifier.key_identifier);
1052
1053 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1054 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1055 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1056 0x04, 0x52, 0x6f, 0x6f, 0x74};
1057 EXPECT_EQ(der::Input(kExpectedIssuer),
1058 authority_key_identifier.authority_cert_issuer);
1059
1060 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1061 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1062 EXPECT_EQ(der::Input(kExpectedSerial),
1063 authority_key_identifier.authority_cert_serial_number);
1064 }
1065
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifierAndIssuerAndSerial)1066 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifierAndIssuerAndSerial) {
1067 std::string backing_bytes;
1068 ParsedAuthorityKeyIdentifier authority_key_identifier;
1069 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1070 "key_identifier_and_issuer_and_serial.pem", &backing_bytes,
1071 &authority_key_identifier));
1072
1073 ASSERT_TRUE(authority_key_identifier.key_identifier);
1074 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1075 EXPECT_EQ(der::Input(kExpectedValue),
1076 authority_key_identifier.key_identifier);
1077
1078 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1079 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1080 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1081 0x04, 0x52, 0x6f, 0x6f, 0x74};
1082 EXPECT_EQ(der::Input(kExpectedIssuer),
1083 authority_key_identifier.authority_cert_issuer);
1084
1085 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1086 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1087 EXPECT_EQ(der::Input(kExpectedSerial),
1088 authority_key_identifier.authority_cert_serial_number);
1089 }
1090
TEST(ParseAuthorityKeyIdentifierTest,IssuerOnly)1091 TEST(ParseAuthorityKeyIdentifierTest, IssuerOnly) {
1092 std::string backing_bytes;
1093 ParsedAuthorityKeyIdentifier authority_key_identifier;
1094 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1095 "issuer_only.pem", &backing_bytes, &authority_key_identifier));
1096 }
1097
TEST(ParseAuthorityKeyIdentifierTest,SerialOnly)1098 TEST(ParseAuthorityKeyIdentifierTest, SerialOnly) {
1099 std::string backing_bytes;
1100 ParsedAuthorityKeyIdentifier authority_key_identifier;
1101 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1102 "serial_only.pem", &backing_bytes, &authority_key_identifier));
1103 }
1104
TEST(ParseAuthorityKeyIdentifierTest,InvalidContents)1105 TEST(ParseAuthorityKeyIdentifierTest, InvalidContents) {
1106 std::string backing_bytes;
1107 ParsedAuthorityKeyIdentifier authority_key_identifier;
1108 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1109 "invalid_contents.pem", &backing_bytes, &authority_key_identifier));
1110 }
1111
TEST(ParseAuthorityKeyIdentifierTest,InvalidKeyIdentifier)1112 TEST(ParseAuthorityKeyIdentifierTest, InvalidKeyIdentifier) {
1113 std::string backing_bytes;
1114 ParsedAuthorityKeyIdentifier authority_key_identifier;
1115 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1116 "invalid_key_identifier.pem", &backing_bytes, &authority_key_identifier));
1117 }
1118
TEST(ParseAuthorityKeyIdentifierTest,InvalidIssuer)1119 TEST(ParseAuthorityKeyIdentifierTest, InvalidIssuer) {
1120 std::string backing_bytes;
1121 ParsedAuthorityKeyIdentifier authority_key_identifier;
1122 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1123 "invalid_issuer.pem", &backing_bytes, &authority_key_identifier));
1124 }
1125
TEST(ParseAuthorityKeyIdentifierTest,InvalidSerial)1126 TEST(ParseAuthorityKeyIdentifierTest, InvalidSerial) {
1127 std::string backing_bytes;
1128 ParsedAuthorityKeyIdentifier authority_key_identifier;
1129 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1130 "invalid_serial.pem", &backing_bytes, &authority_key_identifier));
1131 }
1132
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterIssuerAndSerial)1133 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterIssuerAndSerial) {
1134 std::string backing_bytes;
1135 ParsedAuthorityKeyIdentifier authority_key_identifier;
1136 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1137 "extra_contents_after_issuer_and_serial.pem", &backing_bytes,
1138 &authority_key_identifier));
1139 }
1140
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterExtensionSequence)1141 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterExtensionSequence) {
1142 std::string backing_bytes;
1143 ParsedAuthorityKeyIdentifier authority_key_identifier;
1144 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1145 "extra_contents_after_extension_sequence.pem", &backing_bytes,
1146 &authority_key_identifier));
1147 }
1148
TEST(ParseSubjectKeyIdentifierTest,EmptyInput)1149 TEST(ParseSubjectKeyIdentifierTest, EmptyInput) {
1150 der::Input subject_key_identifier;
1151 EXPECT_FALSE(
1152 ParseSubjectKeyIdentifier(der::Input(), &subject_key_identifier));
1153 }
1154
TEST(ParseSubjectKeyIdentifierTest,Valid)1155 TEST(ParseSubjectKeyIdentifierTest, Valid) {
1156 // OCTET_STRING {`abcd`}
1157 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd};
1158 const uint8_t kExpected[] = {0xab, 0xcd};
1159 der::Input subject_key_identifier;
1160 EXPECT_TRUE(
1161 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1162 EXPECT_EQ(der::Input(kExpected), subject_key_identifier);
1163 }
1164
TEST(ParseSubjectKeyIdentifierTest,ExtraData)1165 TEST(ParseSubjectKeyIdentifierTest, ExtraData) {
1166 // OCTET_STRING {`abcd`}
1167 // NULL
1168 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd, 0x05};
1169 der::Input subject_key_identifier;
1170 EXPECT_FALSE(
1171 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1172 }
1173
1174 } // namespace
1175
1176 } // namespace net
1177