1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "parse_certificate.h"
6
7 #include <gtest/gtest.h>
8 #include <openssl/pool.h>
9 #include "cert_errors.h"
10 #include "general_names.h"
11 #include "input.h"
12 #include "parsed_certificate.h"
13 #include "test_helpers.h"
14
15 namespace bssl {
16
17 namespace {
18
19 // Pretty-prints a GeneralizedTime as a human-readable string for use in test
20 // expectations (it is more readable to specify the expected results as a
21 // string).
ToString(const der::GeneralizedTime & time)22 std::string ToString(const der::GeneralizedTime &time) {
23 std::ostringstream pretty_time;
24 pretty_time << "year=" << int{time.year} << ", month=" << int{time.month}
25 << ", day=" << int{time.day} << ", hours=" << int{time.hours}
26 << ", minutes=" << int{time.minutes}
27 << ", seconds=" << int{time.seconds};
28 return pretty_time.str();
29 }
30
GetFilePath(const std::string & file_name)31 std::string GetFilePath(const std::string &file_name) {
32 return std::string("testdata/parse_certificate_unittest/") + file_name;
33 }
34
35 // Loads certificate data and expectations from the PEM file |file_name|.
36 // Verifies that parsing the Certificate matches expectations:
37 // * If expected to fail, emits the expected errors
38 // * If expected to succeeds, the parsed fields match expectations
RunCertificateTest(const std::string & file_name)39 void RunCertificateTest(const std::string &file_name) {
40 std::string data;
41 std::string expected_errors;
42 std::string expected_tbs_certificate;
43 std::string expected_signature_algorithm;
44 std::string expected_signature;
45
46 // Read the certificate data and test expectations from a single PEM file.
47 const PemBlockMapping mappings[] = {
48 {"CERTIFICATE", &data},
49 {"ERRORS", &expected_errors, true /*optional*/},
50 {"SIGNATURE", &expected_signature, true /*optional*/},
51 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true /*optional*/},
52 {"TBS CERTIFICATE", &expected_tbs_certificate, true /*optional*/},
53 };
54 std::string test_file_path = GetFilePath(file_name);
55 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
56
57 // Note that empty expected_errors doesn't necessarily mean success.
58 bool expected_result = !expected_tbs_certificate.empty();
59
60 // Parsing the certificate.
61 der::Input tbs_certificate_tlv;
62 der::Input signature_algorithm_tlv;
63 der::BitString signature_value;
64 CertErrors errors;
65 bool actual_result =
66 ParseCertificate(der::Input(data), &tbs_certificate_tlv,
67 &signature_algorithm_tlv, &signature_value, &errors);
68
69 EXPECT_EQ(expected_result, actual_result);
70 VerifyCertErrors(expected_errors, errors, test_file_path);
71
72 // Ensure that the parsed certificate matches expectations.
73 if (expected_result && actual_result) {
74 EXPECT_EQ(0, signature_value.unused_bits());
75 EXPECT_EQ(der::Input(expected_signature), signature_value.bytes());
76 EXPECT_EQ(der::Input(expected_signature_algorithm),
77 signature_algorithm_tlv);
78 EXPECT_EQ(der::Input(expected_tbs_certificate), tbs_certificate_tlv);
79 }
80 }
81
82 // Tests parsing a Certificate.
TEST(ParseCertificateTest,Version3)83 TEST(ParseCertificateTest, Version3) {
84 RunCertificateTest("cert_version3.pem");
85 }
86
87 // Tests parsing a simplified Certificate-like structure (the sub-fields for
88 // algorithm and tbsCertificate are not actually valid, but ParseCertificate()
89 // doesn't check them)
TEST(ParseCertificateTest,Skeleton)90 TEST(ParseCertificateTest, Skeleton) {
91 RunCertificateTest("cert_skeleton.pem");
92 }
93
94 // Tests parsing a Certificate that is not a sequence fails.
TEST(ParseCertificateTest,NotSequence)95 TEST(ParseCertificateTest, NotSequence) {
96 RunCertificateTest("cert_not_sequence.pem");
97 }
98
99 // Tests that uncomsumed data is not allowed after the main SEQUENCE.
TEST(ParseCertificateTest,DataAfterSignature)100 TEST(ParseCertificateTest, DataAfterSignature) {
101 RunCertificateTest("cert_data_after_signature.pem");
102 }
103
104 // Tests that parsing fails if the signature BIT STRING is missing.
TEST(ParseCertificateTest,MissingSignature)105 TEST(ParseCertificateTest, MissingSignature) {
106 RunCertificateTest("cert_missing_signature.pem");
107 }
108
109 // Tests that parsing fails if the signature is present but not a BIT STRING.
TEST(ParseCertificateTest,SignatureNotBitString)110 TEST(ParseCertificateTest, SignatureNotBitString) {
111 RunCertificateTest("cert_signature_not_bit_string.pem");
112 }
113
114 // Tests that parsing fails if the main SEQUENCE is empty (missing all the
115 // fields).
TEST(ParseCertificateTest,EmptySequence)116 TEST(ParseCertificateTest, EmptySequence) {
117 RunCertificateTest("cert_empty_sequence.pem");
118 }
119
120 // Tests what happens when the signature algorithm is present, but has the wrong
121 // tag.
TEST(ParseCertificateTest,AlgorithmNotSequence)122 TEST(ParseCertificateTest, AlgorithmNotSequence) {
123 RunCertificateTest("cert_algorithm_not_sequence.pem");
124 }
125
126 // Loads tbsCertificate data and expectations from the PEM file |file_name|.
127 // Verifies that parsing the TBSCertificate succeeds, and each parsed field
128 // matches the expectations.
129 //
130 // TODO(eroman): Get rid of the |expected_version| parameter -- this should be
131 // encoded in the test expectations file.
RunTbsCertificateTestGivenVersion(const std::string & file_name,CertificateVersion expected_version)132 void RunTbsCertificateTestGivenVersion(const std::string &file_name,
133 CertificateVersion expected_version) {
134 std::string data;
135 std::string expected_serial_number;
136 std::string expected_signature_algorithm;
137 std::string expected_issuer;
138 std::string expected_validity_not_before;
139 std::string expected_validity_not_after;
140 std::string expected_subject;
141 std::string expected_spki;
142 std::string expected_issuer_unique_id;
143 std::string expected_subject_unique_id;
144 std::string expected_extensions;
145 std::string expected_errors;
146
147 // Read the certificate data and test expectations from a single PEM file.
148 const PemBlockMapping mappings[] = {
149 {"TBS CERTIFICATE", &data},
150 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true},
151 {"SERIAL NUMBER", &expected_serial_number, true},
152 {"ISSUER", &expected_issuer, true},
153 {"VALIDITY NOTBEFORE", &expected_validity_not_before, true},
154 {"VALIDITY NOTAFTER", &expected_validity_not_after, true},
155 {"SUBJECT", &expected_subject, true},
156 {"SPKI", &expected_spki, true},
157 {"ISSUER UNIQUE ID", &expected_issuer_unique_id, true},
158 {"SUBJECT UNIQUE ID", &expected_subject_unique_id, true},
159 {"EXTENSIONS", &expected_extensions, true},
160 {"ERRORS", &expected_errors, true},
161 };
162 std::string test_file_path = GetFilePath(file_name);
163 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
164
165 bool expected_result = !expected_spki.empty();
166
167 ParsedTbsCertificate parsed;
168 CertErrors errors;
169 bool actual_result =
170 ParseTbsCertificate(der::Input(data), {}, &parsed, &errors);
171
172 EXPECT_EQ(expected_result, actual_result);
173 VerifyCertErrors(expected_errors, errors, test_file_path);
174
175 if (!expected_result || !actual_result) {
176 return;
177 }
178
179 // Ensure that the ParsedTbsCertificate matches expectations.
180 EXPECT_EQ(expected_version, parsed.version);
181
182 EXPECT_EQ(der::Input(expected_serial_number), parsed.serial_number);
183 EXPECT_EQ(der::Input(expected_signature_algorithm),
184 parsed.signature_algorithm_tlv);
185
186 EXPECT_EQ(der::Input(expected_issuer), parsed.issuer_tlv);
187
188 // In the test expectations PEM file, validity is described as a
189 // textual string of the parsed value (rather than as DER).
190 EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
191 EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
192
193 EXPECT_EQ(der::Input(expected_subject), parsed.subject_tlv);
194 EXPECT_EQ(der::Input(expected_spki), parsed.spki_tlv);
195
196 EXPECT_EQ(!expected_issuer_unique_id.empty(),
197 parsed.issuer_unique_id.has_value());
198 if (parsed.issuer_unique_id.has_value()) {
199 EXPECT_EQ(der::Input(expected_issuer_unique_id),
200 parsed.issuer_unique_id->bytes());
201 }
202 EXPECT_EQ(!expected_subject_unique_id.empty(),
203 parsed.subject_unique_id.has_value());
204 if (parsed.subject_unique_id.has_value()) {
205 EXPECT_EQ(der::Input(expected_subject_unique_id),
206 parsed.subject_unique_id->bytes());
207 }
208
209 EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
210 if (parsed.extensions_tlv) {
211 EXPECT_EQ(der::Input(expected_extensions), parsed.extensions_tlv.value());
212 }
213 }
214
RunTbsCertificateTest(const std::string & file_name)215 void RunTbsCertificateTest(const std::string &file_name) {
216 RunTbsCertificateTestGivenVersion(file_name, CertificateVersion::V3);
217 }
218
219 // Tests parsing a TBSCertificate for v3 that contains no optional fields.
TEST(ParseTbsCertificateTest,Version3NoOptionals)220 TEST(ParseTbsCertificateTest, Version3NoOptionals) {
221 RunTbsCertificateTest("tbs_v3_no_optionals.pem");
222 }
223
224 // Tests parsing a TBSCertificate for v3 that contains extensions.
TEST(ParseTbsCertificateTest,Version3WithExtensions)225 TEST(ParseTbsCertificateTest, Version3WithExtensions) {
226 RunTbsCertificateTest("tbs_v3_extensions.pem");
227 }
228
229 // Tests parsing a TBSCertificate which lacks a version number (causing it to
230 // default to v1).
TEST(ParseTbsCertificateTest,Version1)231 TEST(ParseTbsCertificateTest, Version1) {
232 RunTbsCertificateTestGivenVersion("tbs_v1.pem", CertificateVersion::V1);
233 }
234
235 // The version was set to v1 explicitly rather than omitting the version field.
TEST(ParseTbsCertificateTest,ExplicitVersion1)236 TEST(ParseTbsCertificateTest, ExplicitVersion1) {
237 RunTbsCertificateTest("tbs_explicit_v1.pem");
238 }
239
240 // Extensions are not defined in version 1.
TEST(ParseTbsCertificateTest,Version1WithExtensions)241 TEST(ParseTbsCertificateTest, Version1WithExtensions) {
242 RunTbsCertificateTest("tbs_v1_extensions.pem");
243 }
244
245 // Extensions are not defined in version 2.
TEST(ParseTbsCertificateTest,Version2WithExtensions)246 TEST(ParseTbsCertificateTest, Version2WithExtensions) {
247 RunTbsCertificateTest("tbs_v2_extensions.pem");
248 }
249
250 // A boring version 2 certificate with none of the optional fields.
TEST(ParseTbsCertificateTest,Version2NoOptionals)251 TEST(ParseTbsCertificateTest, Version2NoOptionals) {
252 RunTbsCertificateTestGivenVersion("tbs_v2_no_optionals.pem",
253 CertificateVersion::V2);
254 }
255
256 // A version 2 certificate with an issuer unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerUniqueId)257 TEST(ParseTbsCertificateTest, Version2IssuerUniqueId) {
258 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_unique_id.pem",
259 CertificateVersion::V2);
260 }
261
262 // A version 2 certificate with both a issuer and subject unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerAndSubjectUniqueId)263 TEST(ParseTbsCertificateTest, Version2IssuerAndSubjectUniqueId) {
264 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_and_subject_unique_id.pem",
265 CertificateVersion::V2);
266 }
267
268 // A version 3 certificate with all of the optional fields (issuer unique id,
269 // subject unique id, and extensions).
TEST(ParseTbsCertificateTest,Version3AllOptionals)270 TEST(ParseTbsCertificateTest, Version3AllOptionals) {
271 RunTbsCertificateTest("tbs_v3_all_optionals.pem");
272 }
273
274 // The version was set to v4, which is unrecognized.
TEST(ParseTbsCertificateTest,Version4)275 TEST(ParseTbsCertificateTest, Version4) { RunTbsCertificateTest("tbs_v4.pem"); }
276
277 // Tests that extraneous data after extensions in a v3 is rejected.
TEST(ParseTbsCertificateTest,Version3DataAfterExtensions)278 TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {
279 RunTbsCertificateTest("tbs_v3_data_after_extensions.pem");
280 }
281
282 // Tests using a real-world certificate (whereas the other tests are fabricated
283 // (and in fact invalid) data.
TEST(ParseTbsCertificateTest,Version3Real)284 TEST(ParseTbsCertificateTest, Version3Real) {
285 RunTbsCertificateTest("tbs_v3_real.pem");
286 }
287
288 // Parses a TBSCertificate whose "validity" field expresses both notBefore
289 // and notAfter using UTCTime.
TEST(ParseTbsCertificateTest,ValidityBothUtcTime)290 TEST(ParseTbsCertificateTest, ValidityBothUtcTime) {
291 RunTbsCertificateTest("tbs_validity_both_utc_time.pem");
292 }
293
294 // Parses a TBSCertificate whose "validity" field expresses both notBefore
295 // and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityBothGeneralizedTime)296 TEST(ParseTbsCertificateTest, ValidityBothGeneralizedTime) {
297 RunTbsCertificateTest("tbs_validity_both_generalized_time.pem");
298 }
299
300 // Parses a TBSCertificate whose "validity" field expresses notBefore using
301 // UTCTime and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityUTCTimeAndGeneralizedTime)302 TEST(ParseTbsCertificateTest, ValidityUTCTimeAndGeneralizedTime) {
303 RunTbsCertificateTest("tbs_validity_utc_time_and_generalized_time.pem");
304 }
305
306 // Parses a TBSCertificate whose validity" field expresses notBefore using
307 // GeneralizedTime and notAfter using UTCTime. Also of interest, notBefore >
308 // notAfter. Parsing will succeed, however no time can satisfy this constraint.
TEST(ParseTbsCertificateTest,ValidityGeneralizedTimeAndUTCTime)309 TEST(ParseTbsCertificateTest, ValidityGeneralizedTimeAndUTCTime) {
310 RunTbsCertificateTest("tbs_validity_generalized_time_and_utc_time.pem");
311 }
312
313 // Parses a TBSCertificate whose "validity" field does not strictly follow
314 // the DER rules (and fails to be parsed).
TEST(ParseTbsCertificateTest,ValidityRelaxed)315 TEST(ParseTbsCertificateTest, ValidityRelaxed) {
316 RunTbsCertificateTest("tbs_validity_relaxed.pem");
317 }
318
319 // Parses a KeyUsage with a single 0 bit.
TEST(ParseKeyUsageTest,OneBitAllZeros)320 TEST(ParseKeyUsageTest, OneBitAllZeros) {
321 const uint8_t der[] = {
322 0x03, 0x02, // BIT STRING
323 0x07, // Number of unused bits
324 0x00, // bits
325 };
326
327 der::BitString key_usage;
328 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
329 }
330
331 // Parses a KeyUsage with 32 bits that are all 0.
332 TEST(ParseKeyUsageTest, 32BitsAllZeros) {
333 const uint8_t der[] = {
334 0x03, 0x05, // BIT STRING
335 0x00, // Number of unused bits
336 0x00, 0x00, 0x00, 0x00,
337 };
338
339 der::BitString key_usage;
340 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
341 }
342
343 // Parses a KeyUsage with 32 bits, one of which is 1 (but not in recognized
344 // set).
345 TEST(ParseKeyUsageTest, 32BitsOneSet) {
346 const uint8_t der[] = {
347 0x03, 0x05, // BIT STRING
348 0x00, // Number of unused bits
349 0x00, 0x00, 0x00, 0x02,
350 };
351
352 der::BitString key_usage;
353 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
354
355 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
356 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
357 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
358 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
359 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
360 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
361 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
362 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
363 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
364 }
365
366 // Parses a KeyUsage containing bit string 101.
TEST(ParseKeyUsageTest,ThreeBits)367 TEST(ParseKeyUsageTest, ThreeBits) {
368 const uint8_t der[] = {
369 0x03, 0x02, // BIT STRING
370 0x05, // Number of unused bits
371 0xA0, // bits
372 };
373
374 der::BitString key_usage;
375 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
376
377 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
378 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
379 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
380 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
381 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
382 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
383 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
384 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
385 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
386 }
387
388 // Parses a KeyUsage containing DECIPHER_ONLY, which is the
389 // only bit that doesn't fit in the first byte.
TEST(ParseKeyUsageTest,DecipherOnly)390 TEST(ParseKeyUsageTest, DecipherOnly) {
391 const uint8_t der[] = {
392 0x03, 0x03, // BIT STRING
393 0x07, // Number of unused bits
394 0x00, 0x80, // bits
395 };
396
397 der::BitString key_usage;
398 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
399
400 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
401 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
402 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
403 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
404 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
405 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
406 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
407 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
408 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
409 }
410
411 // Parses an empty KeyUsage.
TEST(ParseKeyUsageTest,Empty)412 TEST(ParseKeyUsageTest, Empty) {
413 const uint8_t der[] = {
414 0x03, 0x01, // BIT STRING
415 0x00, // Number of unused bits
416 };
417
418 der::BitString key_usage;
419 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
420 }
421
TEST(ParseAuthorityInfoAccess,BasicTests)422 TEST(ParseAuthorityInfoAccess, BasicTests) {
423 // SEQUENCE {
424 // SEQUENCE {
425 // # ocsp with directoryName
426 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
427 // [4] {
428 // SEQUENCE {
429 // SET {
430 // SEQUENCE {
431 // # commonName
432 // OBJECT_IDENTIFIER { 2.5.4.3 }
433 // PrintableString { "ocsp" }
434 // }
435 // }
436 // }
437 // }
438 // }
439 // SEQUENCE {
440 // # caIssuers with directoryName
441 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
442 // [4] {
443 // SEQUENCE {
444 // SET {
445 // SEQUENCE {
446 // # commonName
447 // OBJECT_IDENTIFIER { 2.5.4.3 }
448 // PrintableString { "ca issuer" }
449 // }
450 // }
451 // }
452 // }
453 // }
454 // SEQUENCE {
455 // # non-standard method with URI
456 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.3 }
457 // [6 PRIMITIVE] { "http://nonstandard.example.com" }
458 // }
459 // SEQUENCE {
460 // # ocsp with URI
461 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
462 // [6 PRIMITIVE] { "http://ocsp.example.com" }
463 // }
464 // SEQUENCE {
465 // # caIssuers with URI
466 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
467 // [6 PRIMITIVE] { "http://www.example.com/issuer.crt" }
468 // }
469 // }
470 const uint8_t der[] = {
471 0x30, 0x81, 0xc3, 0x30, 0x1d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
472 0x07, 0x30, 0x01, 0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06,
473 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x22,
474 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0xa4, 0x16,
475 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
476 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x30, 0x2a,
477 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x03, 0x86, 0x1e,
478 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f, 0x6e, 0x73, 0x74,
479 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70,
480 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06,
481 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70,
482 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d,
483 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x2d, 0x06, 0x08, 0x2b,
484 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x21, 0x68, 0x74, 0x74,
485 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x78, 0x61, 0x6d,
486 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x73, 0x73, 0x75,
487 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
488
489 std::vector<AuthorityInfoAccessDescription> access_descriptions;
490 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
491 ASSERT_EQ(5u, access_descriptions.size());
492 {
493 const auto &desc = access_descriptions[0];
494 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
495 const uint8_t location_der[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
496 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
497 0x04, 0x6f, 0x63, 0x73, 0x70};
498 EXPECT_EQ(der::Input(location_der), desc.access_location);
499 }
500 {
501 const auto &desc = access_descriptions[1];
502 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
503 const uint8_t location_der[] = {
504 0xa4, 0x16, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
505 0x03, 0x13, 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
506 EXPECT_EQ(der::Input(location_der), desc.access_location);
507 }
508 {
509 const auto &desc = access_descriptions[2];
510 const uint8_t method_oid[] = {0x2b, 0x06, 0x01, 0x05,
511 0x05, 0x07, 0x30, 0x03};
512 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
513 const uint8_t location_der[] = {
514 0x86, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f,
515 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65,
516 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
517 EXPECT_EQ(der::Input(location_der), desc.access_location);
518 }
519 {
520 const auto &desc = access_descriptions[3];
521 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
522 const uint8_t location_der[] = {0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a,
523 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e,
524 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
525 0x2e, 0x63, 0x6f, 0x6d};
526 EXPECT_EQ(der::Input(location_der), desc.access_location);
527 }
528 {
529 const auto &desc = access_descriptions[4];
530 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
531 const uint8_t location_der[] = {
532 0x86, 0x21, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
533 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
534 0x2f, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
535 EXPECT_EQ(der::Input(location_der), desc.access_location);
536 }
537
538 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
539 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
540 &ocsp_uris));
541 ASSERT_EQ(1u, ca_issuers_uris.size());
542 EXPECT_EQ("http://www.example.com/issuer.crt", ca_issuers_uris.front());
543 ASSERT_EQ(1u, ocsp_uris.size());
544 EXPECT_EQ("http://ocsp.example.com", ocsp_uris.front());
545 }
546
TEST(ParseAuthorityInfoAccess,NoOcspOrCaIssuersURIs)547 TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) {
548 // SEQUENCE {
549 // SEQUENCE {
550 // # non-standard method with directoryName
551 // OBJECT_IDENTIFIER { 1.2.3 }
552 // [4] {
553 // SEQUENCE {
554 // SET {
555 // SEQUENCE {
556 // # commonName
557 // OBJECT_IDENTIFIER { 2.5.4.3 }
558 // PrintableString { "foo" }
559 // }
560 // }
561 // }
562 // }
563 // }
564 // }
565 const uint8_t der[] = {0x30, 0x18, 0x30, 0x16, 0x06, 0x02, 0x2a, 0x03, 0xa4,
566 0x10, 0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03,
567 0x55, 0x04, 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
568
569 std::vector<AuthorityInfoAccessDescription> access_descriptions;
570 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
571 ASSERT_EQ(1u, access_descriptions.size());
572 const auto &desc = access_descriptions[0];
573 const uint8_t method_oid[] = {0x2a, 0x03};
574 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
575 const uint8_t location_der[] = {0xa4, 0x10, 0x30, 0x0e, 0x31, 0x0c,
576 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04,
577 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
578 EXPECT_EQ(der::Input(location_der), desc.access_location);
579
580 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
581 // ParseAuthorityInfoAccessURIs should still return success since it was a
582 // valid AuthorityInfoAccess extension, even though it did not contain any
583 // elements we care about, and both output vectors should be empty.
584 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
585 &ocsp_uris));
586 EXPECT_EQ(0u, ca_issuers_uris.size());
587 EXPECT_EQ(0u, ocsp_uris.size());
588 }
589
TEST(ParseAuthorityInfoAccess,IncompleteAccessDescription)590 TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) {
591 // SEQUENCE {
592 // # first entry is ok
593 // SEQUENCE {
594 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
595 // [6 PRIMITIVE] { "http://ocsp.example.com" }
596 // }
597 // # second is missing accessLocation field
598 // SEQUENCE {
599 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
600 // }
601 // }
602 const uint8_t der[] = {0x30, 0x31, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01,
603 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74,
604 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
605 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
606 0x63, 0x6f, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
607 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};
608
609 std::vector<AuthorityInfoAccessDescription> access_descriptions;
610 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
611
612 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
613 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
614 &ocsp_uris));
615 }
616
TEST(ParseAuthorityInfoAccess,ExtraDataInAccessDescription)617 TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) {
618 // SEQUENCE {
619 // SEQUENCE {
620 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
621 // [6 PRIMITIVE] { "http://ocsp.example.com" }
622 // # invalid, AccessDescription only has 2 fields
623 // PrintableString { "henlo" }
624 // }
625 // }
626 const uint8_t der[] = {
627 0x30, 0x2c, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
628 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f,
629 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
630 0x63, 0x6f, 0x6d, 0x13, 0x05, 0x68, 0x65, 0x6e, 0x6c, 0x6f};
631
632 std::vector<AuthorityInfoAccessDescription> access_descriptions;
633 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
634
635 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
636 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
637 &ocsp_uris));
638 }
639
TEST(ParseAuthorityInfoAccess,EmptySequence)640 TEST(ParseAuthorityInfoAccess, EmptySequence) {
641 // SEQUENCE { }
642 const uint8_t der[] = {0x30, 0x00};
643
644 std::vector<AuthorityInfoAccessDescription> access_descriptions;
645 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
646
647 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
648 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
649 &ocsp_uris));
650 }
651
652 // Test fixture for testing ParseCrlDistributionPoints.
653 //
654 // Test data is encoded in certificate files. This fixture is responsible for
655 // reading and parsing the certificates to get at the extension under test.
656 class ParseCrlDistributionPointsTest : public ::testing::Test {
657 public:
658 protected:
GetCrlDps(const char * file_name,std::vector<ParsedDistributionPoint> * dps)659 bool GetCrlDps(const char *file_name,
660 std::vector<ParsedDistributionPoint> *dps) {
661 std::string cert_bytes;
662 // Read the test certificate file.
663 const PemBlockMapping mappings[] = {
664 {"CERTIFICATE", &cert_bytes},
665 };
666 std::string test_file_path = GetFilePath(file_name);
667 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
668
669 // Extract the CRLDP from the test Certificate.
670 CertErrors errors;
671 std::shared_ptr<const ParsedCertificate> cert = ParsedCertificate::Create(
672 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
673 reinterpret_cast<const uint8_t *>(cert_bytes.data()),
674 cert_bytes.size(), nullptr)),
675 {}, &errors);
676
677 if (!cert) {
678 return false;
679 }
680
681 auto it = cert->extensions().find(der::Input(kCrlDistributionPointsOid));
682 if (it == cert->extensions().end()) {
683 return false;
684 }
685
686 der::Input crl_dp_tlv = it->second.value;
687
688 // Keep the certificate data alive, since this function will return
689 // der::Inputs that reference it. Run the function under test (for parsing
690 //
691 // TODO(eroman): The use of ParsedCertificate in this test should be removed
692 // in lieu of lazy parsing.
693 keep_alive_certs_.push_back(cert);
694
695 return ParseCrlDistributionPoints(crl_dp_tlv, dps);
696 }
697
698 private:
699 ParsedCertificateList keep_alive_certs_;
700 };
701
TEST_F(ParseCrlDistributionPointsTest,OneUriNoIssuer)702 TEST_F(ParseCrlDistributionPointsTest, OneUriNoIssuer) {
703 std::vector<ParsedDistributionPoint> dps;
704 ASSERT_TRUE(GetCrlDps("crldp_1uri_noissuer.pem", &dps));
705
706 ASSERT_EQ(1u, dps.size());
707 const ParsedDistributionPoint &dp1 = dps.front();
708
709 ASSERT_TRUE(dp1.distribution_point_fullname);
710 const GeneralNames &fullname = *dp1.distribution_point_fullname;
711 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
712 fullname.present_name_types);
713 ASSERT_EQ(1u, fullname.uniform_resource_identifiers.size());
714 EXPECT_EQ(fullname.uniform_resource_identifiers.front(),
715 std::string("http://www.example.com/foo.crl"));
716
717 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
718 EXPECT_FALSE(dp1.reasons);
719 EXPECT_FALSE(dp1.crl_issuer);
720 }
721
TEST_F(ParseCrlDistributionPointsTest,ThreeUrisNoIssuer)722 TEST_F(ParseCrlDistributionPointsTest, ThreeUrisNoIssuer) {
723 std::vector<ParsedDistributionPoint> dps;
724 ASSERT_TRUE(GetCrlDps("crldp_3uri_noissuer.pem", &dps));
725
726 ASSERT_EQ(1u, dps.size());
727 const ParsedDistributionPoint &dp1 = dps.front();
728
729 ASSERT_TRUE(dp1.distribution_point_fullname);
730 const GeneralNames &fullname = *dp1.distribution_point_fullname;
731 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
732 fullname.present_name_types);
733 ASSERT_EQ(3u, fullname.uniform_resource_identifiers.size());
734 EXPECT_EQ(fullname.uniform_resource_identifiers[0],
735 std::string("http://www.example.com/foo1.crl"));
736 EXPECT_EQ(fullname.uniform_resource_identifiers[1],
737 std::string("http://www.example.com/blah.crl"));
738 EXPECT_EQ(fullname.uniform_resource_identifiers[2],
739 std::string("not-even-a-url"));
740
741 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
742 EXPECT_FALSE(dp1.reasons);
743 EXPECT_FALSE(dp1.crl_issuer);
744 }
745
TEST_F(ParseCrlDistributionPointsTest,CrlIssuerAsDirname)746 TEST_F(ParseCrlDistributionPointsTest, CrlIssuerAsDirname) {
747 std::vector<ParsedDistributionPoint> dps;
748 ASSERT_TRUE(GetCrlDps("crldp_issuer_as_dirname.pem", &dps));
749
750 ASSERT_EQ(1u, dps.size());
751 const ParsedDistributionPoint &dp1 = dps.front();
752 ASSERT_TRUE(dp1.distribution_point_fullname);
753 const GeneralNames &fullname = *dp1.distribution_point_fullname;
754 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
755 // Generated by `ascii2der | xxd -i` from the Name value in
756 // crldp_issuer_as_dirname.pem.
757 const uint8_t kExpectedName[] = {
758 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
759 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
760 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
761 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22,
762 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64,
763 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33,
764 0x20, 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72, 0x31, 0x29,
765 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20, 0x69, 0x6e, 0x64,
766 0x69, 0x72, 0x65, 0x63, 0x74, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x66, 0x6f,
767 0x72, 0x20, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52,
768 0x4c, 0x20, 0x43, 0x41, 0x33};
769 ASSERT_EQ(1u, fullname.directory_names.size());
770 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
771
772 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
773 EXPECT_FALSE(dp1.reasons);
774
775 ASSERT_TRUE(dp1.crl_issuer);
776 // Generated by `ascii2der | xxd -i` from the cRLIssuer value in
777 // crldp_issuer_as_dirname.pem.
778 const uint8_t kExpectedCrlIssuer[] = {
779 0xa4, 0x54, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
780 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06,
781 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16, 0x54, 0x65, 0x73, 0x74, 0x20,
782 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
783 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22, 0x30, 0x20, 0x06,
784 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64, 0x69, 0x72,
785 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33, 0x20,
786 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72};
787 EXPECT_EQ(der::Input(kExpectedCrlIssuer), dp1.crl_issuer);
788 }
789
TEST_F(ParseCrlDistributionPointsTest,FullnameAsDirname)790 TEST_F(ParseCrlDistributionPointsTest, FullnameAsDirname) {
791 std::vector<ParsedDistributionPoint> dps;
792 ASSERT_TRUE(GetCrlDps("crldp_full_name_as_dirname.pem", &dps));
793
794 ASSERT_EQ(1u, dps.size());
795 const ParsedDistributionPoint &dp1 = dps.front();
796
797 ASSERT_TRUE(dp1.distribution_point_fullname);
798 const GeneralNames &fullname = *dp1.distribution_point_fullname;
799 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
800 // Generated by `ascii2der | xxd -i` from the Name value in
801 // crldp_full_name_as_dirname.pem.
802 const uint8_t kExpectedName[] = {
803 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
804 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
805 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
806 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x45,
807 0x30, 0x43, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x3c, 0x53, 0x65, 0x6c,
808 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72,
809 0x74, 0x20, 0x44, 0x50, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x42, 0x61, 0x73,
810 0x69, 0x63, 0x20, 0x53, 0x65, 0x6c, 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75,
811 0x65, 0x64, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
812 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x43, 0x41};
813 ASSERT_EQ(1u, fullname.directory_names.size());
814 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
815
816 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
817 EXPECT_FALSE(dp1.reasons);
818 EXPECT_FALSE(dp1.crl_issuer);
819 }
820
TEST_F(ParseCrlDistributionPointsTest,RelativeNameAndReasonsAndMultipleDPs)821 TEST_F(ParseCrlDistributionPointsTest, RelativeNameAndReasonsAndMultipleDPs) {
822 // SEQUENCE {
823 // SEQUENCE {
824 // # distributionPoint
825 // [0] {
826 // # nameRelativeToCRLIssuer
827 // [1] {
828 // SET {
829 // SEQUENCE {
830 // # commonName
831 // OBJECT_IDENTIFIER { 2.5.4.3 }
832 // PrintableString { "CRL1" }
833 // }
834 // }
835 // }
836 // }
837 // # reasons
838 // [1 PRIMITIVE] { b`011` }
839 // }
840 // SEQUENCE {
841 // # distributionPoint
842 // [0] {
843 // # fullName
844 // [0] {
845 // [4] {
846 // SEQUENCE {
847 // SET {
848 // SEQUENCE {
849 // # commonName
850 // OBJECT_IDENTIFIER { 2.5.4.3 }
851 // PrintableString { "CRL2" }
852 // }
853 // }
854 // }
855 // }
856 // }
857 // }
858 // # reasons
859 // [1 PRIMITIVE] { b`100111111` }
860 // }
861 // }
862 const uint8_t kInputDer[] = {
863 0x30, 0x37, 0x30, 0x17, 0xa0, 0x11, 0xa1, 0x0f, 0x31, 0x0d, 0x30, 0x0b,
864 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x43, 0x52, 0x4c, 0x31, 0x81,
865 0x02, 0x05, 0x60, 0x30, 0x1c, 0xa0, 0x15, 0xa0, 0x13, 0xa4, 0x11, 0x30,
866 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04,
867 0x43, 0x52, 0x4c, 0x32, 0x81, 0x03, 0x07, 0x9f, 0x80};
868
869 std::vector<ParsedDistributionPoint> dps;
870 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
871 ASSERT_EQ(2u, dps.size());
872 {
873 const ParsedDistributionPoint &dp = dps[0];
874 EXPECT_FALSE(dp.distribution_point_fullname);
875
876 ASSERT_TRUE(dp.distribution_point_name_relative_to_crl_issuer);
877 // SET {
878 // SEQUENCE {
879 // # commonName
880 // OBJECT_IDENTIFIER { 2.5.4.3 }
881 // PrintableString { "CRL1" }
882 // }
883 // }
884 const uint8_t kExpectedRDN[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
885 0x03, 0x55, 0x04, 0x03, 0x13,
886 0x04, 0x43, 0x52, 0x4c, 0x31};
887 EXPECT_EQ(der::Input(kExpectedRDN),
888 *dp.distribution_point_name_relative_to_crl_issuer);
889
890 ASSERT_TRUE(dp.reasons);
891 const uint8_t kExpectedReasons[] = {0x05, 0x60};
892 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
893
894 EXPECT_FALSE(dp.crl_issuer);
895 }
896 {
897 const ParsedDistributionPoint &dp = dps[1];
898 ASSERT_TRUE(dp.distribution_point_fullname);
899 const GeneralNames &fullname = *dp.distribution_point_fullname;
900 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
901 // SET {
902 // SEQUENCE {
903 // # commonName
904 // OBJECT_IDENTIFIER { 2.5.4.3 }
905 // PrintableString { "CRL2" }
906 // }
907 // }
908 const uint8_t kExpectedName[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
909 0x03, 0x55, 0x04, 0x03, 0x13,
910 0x04, 0x43, 0x52, 0x4c, 0x32};
911 ASSERT_EQ(1u, fullname.directory_names.size());
912 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
913
914 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
915
916 ASSERT_TRUE(dp.reasons);
917 const uint8_t kExpectedReasons[] = {0x07, 0x9f, 0x80};
918 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
919
920 EXPECT_FALSE(dp.crl_issuer);
921 }
922 }
923
TEST_F(ParseCrlDistributionPointsTest,NoDistributionPointName)924 TEST_F(ParseCrlDistributionPointsTest, NoDistributionPointName) {
925 // SEQUENCE {
926 // SEQUENCE {
927 // # cRLIssuer
928 // [2] {
929 // [4] {
930 // SEQUENCE {
931 // SET {
932 // SEQUENCE {
933 // # organizationUnitName
934 // OBJECT_IDENTIFIER { 2.5.4.11 }
935 // PrintableString { "crl issuer" }
936 // }
937 // }
938 // }
939 // }
940 // }
941 // }
942 // }
943 const uint8_t kInputDer[] = {0x30, 0x1d, 0x30, 0x1b, 0xa2, 0x19, 0xa4, 0x17,
944 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
945 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x63, 0x72, 0x6c,
946 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
947
948 std::vector<ParsedDistributionPoint> dps;
949 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
950 ASSERT_EQ(1u, dps.size());
951 const ParsedDistributionPoint &dp = dps[0];
952 EXPECT_FALSE(dp.distribution_point_fullname);
953
954 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
955
956 EXPECT_FALSE(dp.reasons);
957
958 ASSERT_TRUE(dp.crl_issuer);
959 const uint8_t kExpectedDer[] = {0xa4, 0x17, 0x30, 0x15, 0x31, 0x13, 0x30,
960 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
961 0x0a, 0x63, 0x72, 0x6c, 0x20, 0x69, 0x73,
962 0x73, 0x75, 0x65, 0x72};
963 EXPECT_EQ(der::Input(kExpectedDer), *dp.crl_issuer);
964 }
965
TEST_F(ParseCrlDistributionPointsTest,OnlyReasons)966 TEST_F(ParseCrlDistributionPointsTest, OnlyReasons) {
967 // SEQUENCE {
968 // SEQUENCE {
969 // # reasons
970 // [1 PRIMITIVE] { b`011` }
971 // }
972 // }
973 const uint8_t kInputDer[] = {0x30, 0x06, 0x30, 0x04, 0x81, 0x02, 0x05, 0x60};
974
975 std::vector<ParsedDistributionPoint> dps;
976 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
977 }
978
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoint)979 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoint) {
980 // SEQUENCE {
981 // SEQUENCE {
982 // }
983 // }
984 const uint8_t kInputDer[] = {0x30, 0x02, 0x30, 0x00};
985
986 std::vector<ParsedDistributionPoint> dps;
987 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
988 }
989
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoints)990 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoints) {
991 // SEQUENCE { }
992 const uint8_t kInputDer[] = {0x30, 0x00};
993
994 std::vector<ParsedDistributionPoint> dps;
995 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
996 }
997
ParseAuthorityKeyIdentifierTestData(const char * file_name,std::string * backing_bytes,ParsedAuthorityKeyIdentifier * authority_key_identifier)998 bool ParseAuthorityKeyIdentifierTestData(
999 const char *file_name, std::string *backing_bytes,
1000 ParsedAuthorityKeyIdentifier *authority_key_identifier) {
1001 // Read the test file.
1002 const PemBlockMapping mappings[] = {
1003 {"AUTHORITY_KEY_IDENTIFIER", backing_bytes},
1004 };
1005 std::string test_file_path =
1006 std::string(
1007 "testdata/parse_certificate_unittest/authority_key_identifier/") +
1008 file_name;
1009 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
1010
1011 return ParseAuthorityKeyIdentifier(der::Input(*backing_bytes),
1012 authority_key_identifier);
1013 }
1014
TEST(ParseAuthorityKeyIdentifierTest,EmptyInput)1015 TEST(ParseAuthorityKeyIdentifierTest, EmptyInput) {
1016 ParsedAuthorityKeyIdentifier authority_key_identifier;
1017 EXPECT_FALSE(
1018 ParseAuthorityKeyIdentifier(der::Input(), &authority_key_identifier));
1019 }
1020
TEST(ParseAuthorityKeyIdentifierTest,EmptySequence)1021 TEST(ParseAuthorityKeyIdentifierTest, EmptySequence) {
1022 std::string backing_bytes;
1023 ParsedAuthorityKeyIdentifier authority_key_identifier;
1024 // TODO(mattm): should this be an error? RFC 5280 doesn't explicitly say it.
1025 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1026 "empty_sequence.pem", &backing_bytes, &authority_key_identifier));
1027
1028 EXPECT_FALSE(authority_key_identifier.key_identifier);
1029 EXPECT_FALSE(authority_key_identifier.authority_cert_issuer);
1030 EXPECT_FALSE(authority_key_identifier.authority_cert_serial_number);
1031 }
1032
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifier)1033 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifier) {
1034 std::string backing_bytes;
1035 ParsedAuthorityKeyIdentifier authority_key_identifier;
1036 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1037 "key_identifier.pem", &backing_bytes, &authority_key_identifier));
1038
1039 ASSERT_TRUE(authority_key_identifier.key_identifier);
1040 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1041 EXPECT_EQ(der::Input(kExpectedValue),
1042 authority_key_identifier.key_identifier);
1043 }
1044
TEST(ParseAuthorityKeyIdentifierTest,IssuerAndSerial)1045 TEST(ParseAuthorityKeyIdentifierTest, IssuerAndSerial) {
1046 std::string backing_bytes;
1047 ParsedAuthorityKeyIdentifier authority_key_identifier;
1048 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1049 "issuer_and_serial.pem", &backing_bytes, &authority_key_identifier));
1050
1051 EXPECT_FALSE(authority_key_identifier.key_identifier);
1052
1053 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1054 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1055 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1056 0x04, 0x52, 0x6f, 0x6f, 0x74};
1057 EXPECT_EQ(der::Input(kExpectedIssuer),
1058 authority_key_identifier.authority_cert_issuer);
1059
1060 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1061 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1062 EXPECT_EQ(der::Input(kExpectedSerial),
1063 authority_key_identifier.authority_cert_serial_number);
1064 }
1065
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifierAndIssuerAndSerial)1066 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifierAndIssuerAndSerial) {
1067 std::string backing_bytes;
1068 ParsedAuthorityKeyIdentifier authority_key_identifier;
1069 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1070 "key_identifier_and_issuer_and_serial.pem", &backing_bytes,
1071 &authority_key_identifier));
1072
1073 ASSERT_TRUE(authority_key_identifier.key_identifier);
1074 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1075 EXPECT_EQ(der::Input(kExpectedValue),
1076 authority_key_identifier.key_identifier);
1077
1078 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1079 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1080 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1081 0x04, 0x52, 0x6f, 0x6f, 0x74};
1082 EXPECT_EQ(der::Input(kExpectedIssuer),
1083 authority_key_identifier.authority_cert_issuer);
1084
1085 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1086 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1087 EXPECT_EQ(der::Input(kExpectedSerial),
1088 authority_key_identifier.authority_cert_serial_number);
1089 }
1090
TEST(ParseAuthorityKeyIdentifierTest,IssuerOnly)1091 TEST(ParseAuthorityKeyIdentifierTest, IssuerOnly) {
1092 std::string backing_bytes;
1093 ParsedAuthorityKeyIdentifier authority_key_identifier;
1094 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1095 "issuer_only.pem", &backing_bytes, &authority_key_identifier));
1096 }
1097
TEST(ParseAuthorityKeyIdentifierTest,SerialOnly)1098 TEST(ParseAuthorityKeyIdentifierTest, SerialOnly) {
1099 std::string backing_bytes;
1100 ParsedAuthorityKeyIdentifier authority_key_identifier;
1101 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1102 "serial_only.pem", &backing_bytes, &authority_key_identifier));
1103 }
1104
TEST(ParseAuthorityKeyIdentifierTest,InvalidContents)1105 TEST(ParseAuthorityKeyIdentifierTest, InvalidContents) {
1106 std::string backing_bytes;
1107 ParsedAuthorityKeyIdentifier authority_key_identifier;
1108 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1109 "invalid_contents.pem", &backing_bytes, &authority_key_identifier));
1110 }
1111
TEST(ParseAuthorityKeyIdentifierTest,InvalidKeyIdentifier)1112 TEST(ParseAuthorityKeyIdentifierTest, InvalidKeyIdentifier) {
1113 std::string backing_bytes;
1114 ParsedAuthorityKeyIdentifier authority_key_identifier;
1115 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1116 "invalid_key_identifier.pem", &backing_bytes, &authority_key_identifier));
1117 }
1118
TEST(ParseAuthorityKeyIdentifierTest,InvalidIssuer)1119 TEST(ParseAuthorityKeyIdentifierTest, InvalidIssuer) {
1120 std::string backing_bytes;
1121 ParsedAuthorityKeyIdentifier authority_key_identifier;
1122 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1123 "invalid_issuer.pem", &backing_bytes, &authority_key_identifier));
1124 }
1125
TEST(ParseAuthorityKeyIdentifierTest,InvalidSerial)1126 TEST(ParseAuthorityKeyIdentifierTest, InvalidSerial) {
1127 std::string backing_bytes;
1128 ParsedAuthorityKeyIdentifier authority_key_identifier;
1129 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1130 "invalid_serial.pem", &backing_bytes, &authority_key_identifier));
1131 }
1132
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterIssuerAndSerial)1133 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterIssuerAndSerial) {
1134 std::string backing_bytes;
1135 ParsedAuthorityKeyIdentifier authority_key_identifier;
1136 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1137 "extra_contents_after_issuer_and_serial.pem", &backing_bytes,
1138 &authority_key_identifier));
1139 }
1140
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterExtensionSequence)1141 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterExtensionSequence) {
1142 std::string backing_bytes;
1143 ParsedAuthorityKeyIdentifier authority_key_identifier;
1144 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1145 "extra_contents_after_extension_sequence.pem", &backing_bytes,
1146 &authority_key_identifier));
1147 }
1148
TEST(ParseSubjectKeyIdentifierTest,EmptyInput)1149 TEST(ParseSubjectKeyIdentifierTest, EmptyInput) {
1150 der::Input subject_key_identifier;
1151 EXPECT_FALSE(
1152 ParseSubjectKeyIdentifier(der::Input(), &subject_key_identifier));
1153 }
1154
TEST(ParseSubjectKeyIdentifierTest,Valid)1155 TEST(ParseSubjectKeyIdentifierTest, Valid) {
1156 // OCTET_STRING {`abcd`}
1157 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd};
1158 const uint8_t kExpected[] = {0xab, 0xcd};
1159 der::Input subject_key_identifier;
1160 EXPECT_TRUE(
1161 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1162 EXPECT_EQ(der::Input(kExpected), subject_key_identifier);
1163 }
1164
TEST(ParseSubjectKeyIdentifierTest,ExtraData)1165 TEST(ParseSubjectKeyIdentifierTest, ExtraData) {
1166 // OCTET_STRING {`abcd`}
1167 // NULL
1168 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd, 0x05};
1169 der::Input subject_key_identifier;
1170 EXPECT_FALSE(
1171 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1172 }
1173
1174 } // namespace
1175
1176 } // namespace bssl
1177