1 // Copyright 2015 The Chromium Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "parse_certificate.h"
16
17 #include <gtest/gtest.h>
18
19 #include <openssl/pool.h>
20 #include <openssl/span.h>
21
22 #include "cert_errors.h"
23 #include "general_names.h"
24 #include "input.h"
25 #include "parsed_certificate.h"
26 #include "test_helpers.h"
27
28 BSSL_NAMESPACE_BEGIN
29
30 namespace {
31
32 // Pretty-prints a GeneralizedTime as a human-readable string for use in test
33 // expectations (it is more readable to specify the expected results as a
34 // string).
ToString(const der::GeneralizedTime & time)35 std::string ToString(const der::GeneralizedTime &time) {
36 std::ostringstream pretty_time;
37 pretty_time << "year=" << int{time.year} << ", month=" << int{time.month}
38 << ", day=" << int{time.day} << ", hours=" << int{time.hours}
39 << ", minutes=" << int{time.minutes}
40 << ", seconds=" << int{time.seconds};
41 return pretty_time.str();
42 }
43
GetFilePath(const std::string & file_name)44 std::string GetFilePath(const std::string &file_name) {
45 return std::string("testdata/parse_certificate_unittest/") + file_name;
46 }
47
48 // Loads certificate data and expectations from the PEM file |file_name|.
49 // Verifies that parsing the Certificate matches expectations:
50 // * If expected to fail, emits the expected errors
51 // * If expected to succeeds, the parsed fields match expectations
RunCertificateTest(const std::string & file_name)52 void RunCertificateTest(const std::string &file_name) {
53 std::string data;
54 std::string expected_errors;
55 std::string expected_tbs_certificate;
56 std::string expected_signature_algorithm;
57 std::string expected_signature;
58
59 // Read the certificate data and test expectations from a single PEM file.
60 const PemBlockMapping mappings[] = {
61 {"CERTIFICATE", &data},
62 {"ERRORS", &expected_errors, true /*optional*/},
63 {"SIGNATURE", &expected_signature, true /*optional*/},
64 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true /*optional*/},
65 {"TBS CERTIFICATE", &expected_tbs_certificate, true /*optional*/},
66 };
67 std::string test_file_path = GetFilePath(file_name);
68 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
69
70 // Note that empty expected_errors doesn't necessarily mean success.
71 bool expected_result = !expected_tbs_certificate.empty();
72
73 // Parsing the certificate.
74 der::Input tbs_certificate_tlv;
75 der::Input signature_algorithm_tlv;
76 der::BitString signature_value;
77 CertErrors errors;
78 bool actual_result =
79 ParseCertificate(StringAsBytes(data), &tbs_certificate_tlv,
80 &signature_algorithm_tlv, &signature_value, &errors);
81
82 EXPECT_EQ(expected_result, actual_result);
83 VerifyCertErrors(expected_errors, errors, test_file_path);
84
85 // Ensure that the parsed certificate matches expectations.
86 if (expected_result && actual_result) {
87 EXPECT_EQ(0, signature_value.unused_bits());
88 EXPECT_EQ(der::Input(StringAsBytes(expected_signature)),
89 signature_value.bytes());
90 EXPECT_EQ(der::Input(StringAsBytes(expected_signature_algorithm)),
91 signature_algorithm_tlv);
92 EXPECT_EQ(der::Input(StringAsBytes(expected_tbs_certificate)),
93 tbs_certificate_tlv);
94 }
95 }
96
97 // Tests parsing a Certificate.
TEST(ParseCertificateTest,Version3)98 TEST(ParseCertificateTest, Version3) {
99 RunCertificateTest("cert_version3.pem");
100 }
101
102 // Tests parsing a simplified Certificate-like structure (the sub-fields for
103 // algorithm and tbsCertificate are not actually valid, but ParseCertificate()
104 // doesn't check them)
TEST(ParseCertificateTest,Skeleton)105 TEST(ParseCertificateTest, Skeleton) {
106 RunCertificateTest("cert_skeleton.pem");
107 }
108
109 // Tests parsing a Certificate that is not a sequence fails.
TEST(ParseCertificateTest,NotSequence)110 TEST(ParseCertificateTest, NotSequence) {
111 RunCertificateTest("cert_not_sequence.pem");
112 }
113
114 // Tests that uncomsumed data is not allowed after the main SEQUENCE.
TEST(ParseCertificateTest,DataAfterSignature)115 TEST(ParseCertificateTest, DataAfterSignature) {
116 RunCertificateTest("cert_data_after_signature.pem");
117 }
118
119 // Tests that parsing fails if the signature BIT STRING is missing.
TEST(ParseCertificateTest,MissingSignature)120 TEST(ParseCertificateTest, MissingSignature) {
121 RunCertificateTest("cert_missing_signature.pem");
122 }
123
124 // Tests that parsing fails if the signature is present but not a BIT STRING.
TEST(ParseCertificateTest,SignatureNotBitString)125 TEST(ParseCertificateTest, SignatureNotBitString) {
126 RunCertificateTest("cert_signature_not_bit_string.pem");
127 }
128
129 // Tests that parsing fails if the main SEQUENCE is empty (missing all the
130 // fields).
TEST(ParseCertificateTest,EmptySequence)131 TEST(ParseCertificateTest, EmptySequence) {
132 RunCertificateTest("cert_empty_sequence.pem");
133 }
134
135 // Tests what happens when the signature algorithm is present, but has the wrong
136 // tag.
TEST(ParseCertificateTest,AlgorithmNotSequence)137 TEST(ParseCertificateTest, AlgorithmNotSequence) {
138 RunCertificateTest("cert_algorithm_not_sequence.pem");
139 }
140
141 // Loads tbsCertificate data and expectations from the PEM file |file_name|.
142 // Verifies that parsing the TBSCertificate succeeds, and each parsed field
143 // matches the expectations.
144 //
145 // TODO(eroman): Get rid of the |expected_version| parameter -- this should be
146 // encoded in the test expectations file.
RunTbsCertificateTestGivenVersion(const std::string & file_name,CertificateVersion expected_version)147 void RunTbsCertificateTestGivenVersion(const std::string &file_name,
148 CertificateVersion expected_version) {
149 std::string data;
150 std::string expected_serial_number;
151 std::string expected_signature_algorithm;
152 std::string expected_issuer;
153 std::string expected_validity_not_before;
154 std::string expected_validity_not_after;
155 std::string expected_subject;
156 std::string expected_spki;
157 std::string expected_issuer_unique_id;
158 std::string expected_subject_unique_id;
159 std::string expected_extensions;
160 std::string expected_errors;
161
162 // Read the certificate data and test expectations from a single PEM file.
163 const PemBlockMapping mappings[] = {
164 {"TBS CERTIFICATE", &data},
165 {"SIGNATURE ALGORITHM", &expected_signature_algorithm, true},
166 {"SERIAL NUMBER", &expected_serial_number, true},
167 {"ISSUER", &expected_issuer, true},
168 {"VALIDITY NOTBEFORE", &expected_validity_not_before, true},
169 {"VALIDITY NOTAFTER", &expected_validity_not_after, true},
170 {"SUBJECT", &expected_subject, true},
171 {"SPKI", &expected_spki, true},
172 {"ISSUER UNIQUE ID", &expected_issuer_unique_id, true},
173 {"SUBJECT UNIQUE ID", &expected_subject_unique_id, true},
174 {"EXTENSIONS", &expected_extensions, true},
175 {"ERRORS", &expected_errors, true},
176 };
177 std::string test_file_path = GetFilePath(file_name);
178 ASSERT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
179
180 bool expected_result = !expected_spki.empty();
181
182 ParsedTbsCertificate parsed;
183 CertErrors errors;
184 bool actual_result =
185 ParseTbsCertificate(StringAsBytes(data), {}, &parsed, &errors);
186
187 EXPECT_EQ(expected_result, actual_result);
188 VerifyCertErrors(expected_errors, errors, test_file_path);
189
190 if (!expected_result || !actual_result) {
191 return;
192 }
193
194 // Ensure that the ParsedTbsCertificate matches expectations.
195 EXPECT_EQ(expected_version, parsed.version);
196
197 EXPECT_EQ(der::Input(StringAsBytes(expected_serial_number)),
198 parsed.serial_number);
199 EXPECT_EQ(der::Input(StringAsBytes(expected_signature_algorithm)),
200 parsed.signature_algorithm_tlv);
201
202 EXPECT_EQ(der::Input(StringAsBytes(expected_issuer)), parsed.issuer_tlv);
203
204 // In the test expectations PEM file, validity is described as a
205 // textual string of the parsed value (rather than as DER).
206 EXPECT_EQ(expected_validity_not_before, ToString(parsed.validity_not_before));
207 EXPECT_EQ(expected_validity_not_after, ToString(parsed.validity_not_after));
208
209 EXPECT_EQ(der::Input(StringAsBytes(expected_subject)), parsed.subject_tlv);
210 EXPECT_EQ(der::Input(StringAsBytes(expected_spki)), parsed.spki_tlv);
211
212 EXPECT_EQ(!expected_issuer_unique_id.empty(),
213 parsed.issuer_unique_id.has_value());
214 if (parsed.issuer_unique_id.has_value()) {
215 EXPECT_EQ(der::Input(StringAsBytes(expected_issuer_unique_id)),
216 parsed.issuer_unique_id->bytes());
217 }
218 EXPECT_EQ(!expected_subject_unique_id.empty(),
219 parsed.subject_unique_id.has_value());
220 if (parsed.subject_unique_id.has_value()) {
221 EXPECT_EQ(der::Input(StringAsBytes(expected_subject_unique_id)),
222 parsed.subject_unique_id->bytes());
223 }
224
225 EXPECT_EQ(!expected_extensions.empty(), parsed.extensions_tlv.has_value());
226 if (parsed.extensions_tlv) {
227 EXPECT_EQ(der::Input(StringAsBytes(expected_extensions)),
228 parsed.extensions_tlv.value());
229 }
230 }
231
RunTbsCertificateTest(const std::string & file_name)232 void RunTbsCertificateTest(const std::string &file_name) {
233 RunTbsCertificateTestGivenVersion(file_name, CertificateVersion::V3);
234 }
235
236 // Tests parsing a TBSCertificate for v3 that contains no optional fields.
TEST(ParseTbsCertificateTest,Version3NoOptionals)237 TEST(ParseTbsCertificateTest, Version3NoOptionals) {
238 RunTbsCertificateTest("tbs_v3_no_optionals.pem");
239 }
240
241 // Tests parsing a TBSCertificate for v3 that contains extensions.
TEST(ParseTbsCertificateTest,Version3WithExtensions)242 TEST(ParseTbsCertificateTest, Version3WithExtensions) {
243 RunTbsCertificateTest("tbs_v3_extensions.pem");
244 }
245
246 // Tests parsing a TBSCertificate which lacks a version number (causing it to
247 // default to v1).
TEST(ParseTbsCertificateTest,Version1)248 TEST(ParseTbsCertificateTest, Version1) {
249 RunTbsCertificateTestGivenVersion("tbs_v1.pem", CertificateVersion::V1);
250 }
251
252 // The version was set to v1 explicitly rather than omitting the version field.
TEST(ParseTbsCertificateTest,ExplicitVersion1)253 TEST(ParseTbsCertificateTest, ExplicitVersion1) {
254 RunTbsCertificateTest("tbs_explicit_v1.pem");
255 }
256
257 // Extensions are not defined in version 1.
TEST(ParseTbsCertificateTest,Version1WithExtensions)258 TEST(ParseTbsCertificateTest, Version1WithExtensions) {
259 RunTbsCertificateTest("tbs_v1_extensions.pem");
260 }
261
262 // Extensions are not defined in version 2.
TEST(ParseTbsCertificateTest,Version2WithExtensions)263 TEST(ParseTbsCertificateTest, Version2WithExtensions) {
264 RunTbsCertificateTest("tbs_v2_extensions.pem");
265 }
266
267 // A boring version 2 certificate with none of the optional fields.
TEST(ParseTbsCertificateTest,Version2NoOptionals)268 TEST(ParseTbsCertificateTest, Version2NoOptionals) {
269 RunTbsCertificateTestGivenVersion("tbs_v2_no_optionals.pem",
270 CertificateVersion::V2);
271 }
272
273 // A version 2 certificate with an issuer unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerUniqueId)274 TEST(ParseTbsCertificateTest, Version2IssuerUniqueId) {
275 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_unique_id.pem",
276 CertificateVersion::V2);
277 }
278
279 // A version 2 certificate with both a issuer and subject unique ID field.
TEST(ParseTbsCertificateTest,Version2IssuerAndSubjectUniqueId)280 TEST(ParseTbsCertificateTest, Version2IssuerAndSubjectUniqueId) {
281 RunTbsCertificateTestGivenVersion("tbs_v2_issuer_and_subject_unique_id.pem",
282 CertificateVersion::V2);
283 }
284
285 // A version 3 certificate with all of the optional fields (issuer unique id,
286 // subject unique id, and extensions).
TEST(ParseTbsCertificateTest,Version3AllOptionals)287 TEST(ParseTbsCertificateTest, Version3AllOptionals) {
288 RunTbsCertificateTest("tbs_v3_all_optionals.pem");
289 }
290
291 // The version was set to v4, which is unrecognized.
TEST(ParseTbsCertificateTest,Version4)292 TEST(ParseTbsCertificateTest, Version4) { RunTbsCertificateTest("tbs_v4.pem"); }
293
294 // Tests that extraneous data after extensions in a v3 is rejected.
TEST(ParseTbsCertificateTest,Version3DataAfterExtensions)295 TEST(ParseTbsCertificateTest, Version3DataAfterExtensions) {
296 RunTbsCertificateTest("tbs_v3_data_after_extensions.pem");
297 }
298
299 // Tests using a real-world certificate (whereas the other tests are fabricated
300 // (and in fact invalid) data.
TEST(ParseTbsCertificateTest,Version3Real)301 TEST(ParseTbsCertificateTest, Version3Real) {
302 RunTbsCertificateTest("tbs_v3_real.pem");
303 }
304
305 // Parses a TBSCertificate whose "validity" field expresses both notBefore
306 // and notAfter using UTCTime.
TEST(ParseTbsCertificateTest,ValidityBothUtcTime)307 TEST(ParseTbsCertificateTest, ValidityBothUtcTime) {
308 RunTbsCertificateTest("tbs_validity_both_utc_time.pem");
309 }
310
311 // Parses a TBSCertificate whose "validity" field expresses both notBefore
312 // and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityBothGeneralizedTime)313 TEST(ParseTbsCertificateTest, ValidityBothGeneralizedTime) {
314 RunTbsCertificateTest("tbs_validity_both_generalized_time.pem");
315 }
316
317 // Parses a TBSCertificate whose "validity" field expresses notBefore using
318 // UTCTime and notAfter using GeneralizedTime.
TEST(ParseTbsCertificateTest,ValidityUTCTimeAndGeneralizedTime)319 TEST(ParseTbsCertificateTest, ValidityUTCTimeAndGeneralizedTime) {
320 RunTbsCertificateTest("tbs_validity_utc_time_and_generalized_time.pem");
321 }
322
323 // Parses a TBSCertificate whose validity" field expresses notBefore using
324 // GeneralizedTime and notAfter using UTCTime. Also of interest, notBefore >
325 // notAfter. Parsing will succeed, however no time can satisfy this constraint.
TEST(ParseTbsCertificateTest,ValidityGeneralizedTimeAndUTCTime)326 TEST(ParseTbsCertificateTest, ValidityGeneralizedTimeAndUTCTime) {
327 RunTbsCertificateTest("tbs_validity_generalized_time_and_utc_time.pem");
328 }
329
330 // Parses a TBSCertificate whose "validity" field does not strictly follow
331 // the DER rules (and fails to be parsed).
TEST(ParseTbsCertificateTest,ValidityRelaxed)332 TEST(ParseTbsCertificateTest, ValidityRelaxed) {
333 RunTbsCertificateTest("tbs_validity_relaxed.pem");
334 }
335
336 // Parses a KeyUsage with a single 0 bit.
TEST(ParseKeyUsageTest,OneBitAllZeros)337 TEST(ParseKeyUsageTest, OneBitAllZeros) {
338 const uint8_t der[] = {
339 0x03, 0x02, // BIT STRING
340 0x07, // Number of unused bits
341 0x00, // bits
342 };
343
344 der::BitString key_usage;
345 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
346 }
347
348 // Parses a KeyUsage with 32 bits that are all 0.
349 TEST(ParseKeyUsageTest, 32BitsAllZeros) {
350 const uint8_t der[] = {
351 0x03, 0x05, // BIT STRING
352 0x00, // Number of unused bits
353 0x00, 0x00, 0x00, 0x00,
354 };
355
356 der::BitString key_usage;
357 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
358 }
359
360 // Parses a KeyUsage with 32 bits, one of which is 1 (but not in recognized
361 // set).
362 TEST(ParseKeyUsageTest, 32BitsOneSet) {
363 const uint8_t der[] = {
364 0x03, 0x05, // BIT STRING
365 0x00, // Number of unused bits
366 0x00, 0x00, 0x00, 0x02,
367 };
368
369 der::BitString key_usage;
370 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
371
372 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
373 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
374 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
375 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
376 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
377 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
378 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
379 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
380 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
381 }
382
383 // Parses a KeyUsage containing bit string 101.
TEST(ParseKeyUsageTest,ThreeBits)384 TEST(ParseKeyUsageTest, ThreeBits) {
385 const uint8_t der[] = {
386 0x03, 0x02, // BIT STRING
387 0x05, // Number of unused bits
388 0xA0, // bits
389 };
390
391 der::BitString key_usage;
392 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
393
394 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
395 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
396 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
397 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
398 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
399 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
400 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
401 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
402 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
403 }
404
405 // Parses a KeyUsage containing DECIPHER_ONLY, which is the
406 // only bit that doesn't fit in the first byte.
TEST(ParseKeyUsageTest,DecipherOnly)407 TEST(ParseKeyUsageTest, DecipherOnly) {
408 const uint8_t der[] = {
409 0x03, 0x03, // BIT STRING
410 0x07, // Number of unused bits
411 0x00, 0x80, // bits
412 };
413
414 der::BitString key_usage;
415 ASSERT_TRUE(ParseKeyUsage(der::Input(der), &key_usage));
416
417 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DIGITAL_SIGNATURE));
418 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_NON_REPUDIATION));
419 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_ENCIPHERMENT));
420 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_DATA_ENCIPHERMENT));
421 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_AGREEMENT));
422 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_KEY_CERT_SIGN));
423 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_CRL_SIGN));
424 EXPECT_FALSE(key_usage.AssertsBit(KEY_USAGE_BIT_ENCIPHER_ONLY));
425 EXPECT_TRUE(key_usage.AssertsBit(KEY_USAGE_BIT_DECIPHER_ONLY));
426 }
427
428 // Parses an empty KeyUsage.
TEST(ParseKeyUsageTest,Empty)429 TEST(ParseKeyUsageTest, Empty) {
430 const uint8_t der[] = {
431 0x03, 0x01, // BIT STRING
432 0x00, // Number of unused bits
433 };
434
435 der::BitString key_usage;
436 ASSERT_FALSE(ParseKeyUsage(der::Input(der), &key_usage));
437 }
438
TEST(ParseAuthorityInfoAccess,BasicTests)439 TEST(ParseAuthorityInfoAccess, BasicTests) {
440 // SEQUENCE {
441 // SEQUENCE {
442 // # ocsp with directoryName
443 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
444 // [4] {
445 // SEQUENCE {
446 // SET {
447 // SEQUENCE {
448 // # commonName
449 // OBJECT_IDENTIFIER { 2.5.4.3 }
450 // PrintableString { "ocsp" }
451 // }
452 // }
453 // }
454 // }
455 // }
456 // SEQUENCE {
457 // # caIssuers with directoryName
458 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
459 // [4] {
460 // SEQUENCE {
461 // SET {
462 // SEQUENCE {
463 // # commonName
464 // OBJECT_IDENTIFIER { 2.5.4.3 }
465 // PrintableString { "ca issuer" }
466 // }
467 // }
468 // }
469 // }
470 // }
471 // SEQUENCE {
472 // # non-standard method with URI
473 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.3 }
474 // [6 PRIMITIVE] { "http://nonstandard.example.com" }
475 // }
476 // SEQUENCE {
477 // # ocsp with URI
478 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
479 // [6 PRIMITIVE] { "http://ocsp.example.com" }
480 // }
481 // SEQUENCE {
482 // # caIssuers with URI
483 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
484 // [6 PRIMITIVE] { "http://www.example.com/issuer.crt" }
485 // }
486 // }
487 const uint8_t der[] = {
488 0x30, 0x81, 0xc3, 0x30, 0x1d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
489 0x07, 0x30, 0x01, 0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06,
490 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x22,
491 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0xa4, 0x16,
492 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
493 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x30, 0x2a,
494 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x03, 0x86, 0x1e,
495 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f, 0x6e, 0x73, 0x74,
496 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70,
497 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06,
498 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70,
499 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d,
500 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x2d, 0x06, 0x08, 0x2b,
501 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x21, 0x68, 0x74, 0x74,
502 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x78, 0x61, 0x6d,
503 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x73, 0x73, 0x75,
504 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
505
506 std::vector<AuthorityInfoAccessDescription> access_descriptions;
507 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
508 ASSERT_EQ(5u, access_descriptions.size());
509 {
510 const auto &desc = access_descriptions[0];
511 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
512 const uint8_t location_der[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
513 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
514 0x04, 0x6f, 0x63, 0x73, 0x70};
515 EXPECT_EQ(der::Input(location_der), desc.access_location);
516 }
517 {
518 const auto &desc = access_descriptions[1];
519 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
520 const uint8_t location_der[] = {
521 0xa4, 0x16, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
522 0x03, 0x13, 0x09, 0x63, 0x61, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
523 EXPECT_EQ(der::Input(location_der), desc.access_location);
524 }
525 {
526 const auto &desc = access_descriptions[2];
527 const uint8_t method_oid[] = {0x2b, 0x06, 0x01, 0x05,
528 0x05, 0x07, 0x30, 0x03};
529 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
530 const uint8_t location_der[] = {
531 0x86, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6e, 0x6f,
532 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x2e, 0x65,
533 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d};
534 EXPECT_EQ(der::Input(location_der), desc.access_location);
535 }
536 {
537 const auto &desc = access_descriptions[3];
538 EXPECT_EQ(der::Input(kAdOcspOid), desc.access_method_oid);
539 const uint8_t location_der[] = {0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a,
540 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e,
541 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
542 0x2e, 0x63, 0x6f, 0x6d};
543 EXPECT_EQ(der::Input(location_der), desc.access_location);
544 }
545 {
546 const auto &desc = access_descriptions[4];
547 EXPECT_EQ(der::Input(kAdCaIssuersOid), desc.access_method_oid);
548 const uint8_t location_der[] = {
549 0x86, 0x21, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
550 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
551 0x2f, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x2e, 0x63, 0x72, 0x74};
552 EXPECT_EQ(der::Input(location_der), desc.access_location);
553 }
554
555 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
556 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
557 &ocsp_uris));
558 ASSERT_EQ(1u, ca_issuers_uris.size());
559 EXPECT_EQ("http://www.example.com/issuer.crt", ca_issuers_uris.front());
560 ASSERT_EQ(1u, ocsp_uris.size());
561 EXPECT_EQ("http://ocsp.example.com", ocsp_uris.front());
562 }
563
TEST(ParseAuthorityInfoAccess,NoOcspOrCaIssuersURIs)564 TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) {
565 // SEQUENCE {
566 // SEQUENCE {
567 // # non-standard method with directoryName
568 // OBJECT_IDENTIFIER { 1.2.3 }
569 // [4] {
570 // SEQUENCE {
571 // SET {
572 // SEQUENCE {
573 // # commonName
574 // OBJECT_IDENTIFIER { 2.5.4.3 }
575 // PrintableString { "foo" }
576 // }
577 // }
578 // }
579 // }
580 // }
581 // }
582 const uint8_t der[] = {0x30, 0x18, 0x30, 0x16, 0x06, 0x02, 0x2a, 0x03, 0xa4,
583 0x10, 0x30, 0x0e, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03,
584 0x55, 0x04, 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
585
586 std::vector<AuthorityInfoAccessDescription> access_descriptions;
587 ASSERT_TRUE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
588 ASSERT_EQ(1u, access_descriptions.size());
589 const auto &desc = access_descriptions[0];
590 const uint8_t method_oid[] = {0x2a, 0x03};
591 EXPECT_EQ(der::Input(method_oid), desc.access_method_oid);
592 const uint8_t location_der[] = {0xa4, 0x10, 0x30, 0x0e, 0x31, 0x0c,
593 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04,
594 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
595 EXPECT_EQ(der::Input(location_der), desc.access_location);
596
597 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
598 // ParseAuthorityInfoAccessURIs should still return success since it was a
599 // valid AuthorityInfoAccess extension, even though it did not contain any
600 // elements we care about, and both output vectors should be empty.
601 ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
602 &ocsp_uris));
603 EXPECT_EQ(0u, ca_issuers_uris.size());
604 EXPECT_EQ(0u, ocsp_uris.size());
605 }
606
TEST(ParseAuthorityInfoAccess,IncompleteAccessDescription)607 TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) {
608 // SEQUENCE {
609 // # first entry is ok
610 // SEQUENCE {
611 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
612 // [6 PRIMITIVE] { "http://ocsp.example.com" }
613 // }
614 // # second is missing accessLocation field
615 // SEQUENCE {
616 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.2 }
617 // }
618 // }
619 const uint8_t der[] = {0x30, 0x31, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01,
620 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74,
621 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
622 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
623 0x63, 0x6f, 0x6d, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06,
624 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};
625
626 std::vector<AuthorityInfoAccessDescription> access_descriptions;
627 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
628
629 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
630 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
631 &ocsp_uris));
632 }
633
TEST(ParseAuthorityInfoAccess,ExtraDataInAccessDescription)634 TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) {
635 // SEQUENCE {
636 // SEQUENCE {
637 // OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.48.1 }
638 // [6 PRIMITIVE] { "http://ocsp.example.com" }
639 // # invalid, AccessDescription only has 2 fields
640 // PrintableString { "henlo" }
641 // }
642 // }
643 const uint8_t der[] = {
644 0x30, 0x2c, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
645 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f,
646 0x63, 0x73, 0x70, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e,
647 0x63, 0x6f, 0x6d, 0x13, 0x05, 0x68, 0x65, 0x6e, 0x6c, 0x6f};
648
649 std::vector<AuthorityInfoAccessDescription> access_descriptions;
650 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
651
652 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
653 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
654 &ocsp_uris));
655 }
656
TEST(ParseAuthorityInfoAccess,EmptySequence)657 TEST(ParseAuthorityInfoAccess, EmptySequence) {
658 // SEQUENCE { }
659 const uint8_t der[] = {0x30, 0x00};
660
661 std::vector<AuthorityInfoAccessDescription> access_descriptions;
662 EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
663
664 std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
665 EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
666 &ocsp_uris));
667 }
668
669 // Test fixture for testing ParseCrlDistributionPoints.
670 //
671 // Test data is encoded in certificate files. This fixture is responsible for
672 // reading and parsing the certificates to get at the extension under test.
673 class ParseCrlDistributionPointsTest : public ::testing::Test {
674 public:
675 protected:
GetCrlDps(const char * file_name,std::vector<ParsedDistributionPoint> * dps)676 bool GetCrlDps(const char *file_name,
677 std::vector<ParsedDistributionPoint> *dps) {
678 std::string cert_bytes;
679 // Read the test certificate file.
680 const PemBlockMapping mappings[] = {
681 {"CERTIFICATE", &cert_bytes},
682 };
683 std::string test_file_path = GetFilePath(file_name);
684 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
685
686 // Extract the CRLDP from the test Certificate.
687 CertErrors errors;
688 std::shared_ptr<const ParsedCertificate> cert = ParsedCertificate::Create(
689 bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
690 reinterpret_cast<const uint8_t *>(cert_bytes.data()),
691 cert_bytes.size(), nullptr)),
692 {}, &errors);
693
694 if (!cert) {
695 return false;
696 }
697
698 auto it = cert->extensions().find(der::Input(kCrlDistributionPointsOid));
699 if (it == cert->extensions().end()) {
700 return false;
701 }
702
703 der::Input crl_dp_tlv = it->second.value;
704
705 // Keep the certificate data alive, since this function will return
706 // der::Inputs that reference it. Run the function under test (for parsing
707 //
708 // TODO(eroman): The use of ParsedCertificate in this test should be removed
709 // in lieu of lazy parsing.
710 keep_alive_certs_.push_back(cert);
711
712 return ParseCrlDistributionPoints(crl_dp_tlv, dps);
713 }
714
715 private:
716 ParsedCertificateList keep_alive_certs_;
717 };
718
TEST_F(ParseCrlDistributionPointsTest,OneUriNoIssuer)719 TEST_F(ParseCrlDistributionPointsTest, OneUriNoIssuer) {
720 std::vector<ParsedDistributionPoint> dps;
721 ASSERT_TRUE(GetCrlDps("crldp_1uri_noissuer.pem", &dps));
722
723 ASSERT_EQ(1u, dps.size());
724 const ParsedDistributionPoint &dp1 = dps.front();
725
726 ASSERT_TRUE(dp1.distribution_point_fullname);
727 const GeneralNames &fullname = *dp1.distribution_point_fullname;
728 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
729 fullname.present_name_types);
730 ASSERT_EQ(1u, fullname.uniform_resource_identifiers.size());
731 EXPECT_EQ(fullname.uniform_resource_identifiers.front(),
732 std::string("http://www.example.com/foo.crl"));
733
734 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
735 EXPECT_FALSE(dp1.reasons);
736 EXPECT_FALSE(dp1.crl_issuer);
737 }
738
TEST_F(ParseCrlDistributionPointsTest,ThreeUrisNoIssuer)739 TEST_F(ParseCrlDistributionPointsTest, ThreeUrisNoIssuer) {
740 std::vector<ParsedDistributionPoint> dps;
741 ASSERT_TRUE(GetCrlDps("crldp_3uri_noissuer.pem", &dps));
742
743 ASSERT_EQ(1u, dps.size());
744 const ParsedDistributionPoint &dp1 = dps.front();
745
746 ASSERT_TRUE(dp1.distribution_point_fullname);
747 const GeneralNames &fullname = *dp1.distribution_point_fullname;
748 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
749 fullname.present_name_types);
750 ASSERT_EQ(3u, fullname.uniform_resource_identifiers.size());
751 EXPECT_EQ(fullname.uniform_resource_identifiers[0],
752 std::string("http://www.example.com/foo1.crl"));
753 EXPECT_EQ(fullname.uniform_resource_identifiers[1],
754 std::string("http://www.example.com/blah.crl"));
755 EXPECT_EQ(fullname.uniform_resource_identifiers[2],
756 std::string("not-even-a-url"));
757
758 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
759 EXPECT_FALSE(dp1.reasons);
760 EXPECT_FALSE(dp1.crl_issuer);
761 }
762
TEST_F(ParseCrlDistributionPointsTest,CrlIssuerAsDirname)763 TEST_F(ParseCrlDistributionPointsTest, CrlIssuerAsDirname) {
764 std::vector<ParsedDistributionPoint> dps;
765 ASSERT_TRUE(GetCrlDps("crldp_issuer_as_dirname.pem", &dps));
766
767 ASSERT_EQ(1u, dps.size());
768 const ParsedDistributionPoint &dp1 = dps.front();
769 ASSERT_TRUE(dp1.distribution_point_fullname);
770 const GeneralNames &fullname = *dp1.distribution_point_fullname;
771 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
772 // Generated by `ascii2der | xxd -i` from the Name value in
773 // crldp_issuer_as_dirname.pem.
774 const uint8_t kExpectedName[] = {
775 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
776 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
777 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
778 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22,
779 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64,
780 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33,
781 0x20, 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72, 0x31, 0x29,
782 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20, 0x69, 0x6e, 0x64,
783 0x69, 0x72, 0x65, 0x63, 0x74, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x66, 0x6f,
784 0x72, 0x20, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x43, 0x52,
785 0x4c, 0x20, 0x43, 0x41, 0x33};
786 ASSERT_EQ(1u, fullname.directory_names.size());
787 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
788
789 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
790 EXPECT_FALSE(dp1.reasons);
791
792 ASSERT_TRUE(dp1.crl_issuer);
793 // Generated by `ascii2der | xxd -i` from the cRLIssuer value in
794 // crldp_issuer_as_dirname.pem.
795 const uint8_t kExpectedCrlIssuer[] = {
796 0xa4, 0x54, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
797 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06,
798 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16, 0x54, 0x65, 0x73, 0x74, 0x20,
799 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
800 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x22, 0x30, 0x20, 0x06,
801 0x03, 0x55, 0x04, 0x0b, 0x13, 0x19, 0x69, 0x6e, 0x64, 0x69, 0x72,
802 0x65, 0x63, 0x74, 0x43, 0x52, 0x4c, 0x20, 0x43, 0x41, 0x33, 0x20,
803 0x63, 0x52, 0x4c, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72};
804 EXPECT_EQ(der::Input(kExpectedCrlIssuer), dp1.crl_issuer);
805 }
806
TEST_F(ParseCrlDistributionPointsTest,FullnameAsDirname)807 TEST_F(ParseCrlDistributionPointsTest, FullnameAsDirname) {
808 std::vector<ParsedDistributionPoint> dps;
809 ASSERT_TRUE(GetCrlDps("crldp_full_name_as_dirname.pem", &dps));
810
811 ASSERT_EQ(1u, dps.size());
812 const ParsedDistributionPoint &dp1 = dps.front();
813
814 ASSERT_TRUE(dp1.distribution_point_fullname);
815 const GeneralNames &fullname = *dp1.distribution_point_fullname;
816 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
817 // Generated by `ascii2der | xxd -i` from the Name value in
818 // crldp_full_name_as_dirname.pem.
819 const uint8_t kExpectedName[] = {
820 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
821 0x53, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x16,
822 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
823 0x63, 0x61, 0x74, 0x65, 0x73, 0x20, 0x32, 0x30, 0x31, 0x31, 0x31, 0x45,
824 0x30, 0x43, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x3c, 0x53, 0x65, 0x6c,
825 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72,
826 0x74, 0x20, 0x44, 0x50, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x42, 0x61, 0x73,
827 0x69, 0x63, 0x20, 0x53, 0x65, 0x6c, 0x66, 0x2d, 0x49, 0x73, 0x73, 0x75,
828 0x65, 0x64, 0x20, 0x43, 0x52, 0x4c, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
829 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x43, 0x41};
830 ASSERT_EQ(1u, fullname.directory_names.size());
831 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
832
833 EXPECT_FALSE(dp1.distribution_point_name_relative_to_crl_issuer);
834 EXPECT_FALSE(dp1.reasons);
835 EXPECT_FALSE(dp1.crl_issuer);
836 }
837
TEST_F(ParseCrlDistributionPointsTest,RelativeNameAndReasonsAndMultipleDPs)838 TEST_F(ParseCrlDistributionPointsTest, RelativeNameAndReasonsAndMultipleDPs) {
839 // SEQUENCE {
840 // SEQUENCE {
841 // # distributionPoint
842 // [0] {
843 // # nameRelativeToCRLIssuer
844 // [1] {
845 // SET {
846 // SEQUENCE {
847 // # commonName
848 // OBJECT_IDENTIFIER { 2.5.4.3 }
849 // PrintableString { "CRL1" }
850 // }
851 // }
852 // }
853 // }
854 // # reasons
855 // [1 PRIMITIVE] { b`011` }
856 // }
857 // SEQUENCE {
858 // # distributionPoint
859 // [0] {
860 // # fullName
861 // [0] {
862 // [4] {
863 // SEQUENCE {
864 // SET {
865 // SEQUENCE {
866 // # commonName
867 // OBJECT_IDENTIFIER { 2.5.4.3 }
868 // PrintableString { "CRL2" }
869 // }
870 // }
871 // }
872 // }
873 // }
874 // }
875 // # reasons
876 // [1 PRIMITIVE] { b`100111111` }
877 // }
878 // }
879 const uint8_t kInputDer[] = {
880 0x30, 0x37, 0x30, 0x17, 0xa0, 0x11, 0xa1, 0x0f, 0x31, 0x0d, 0x30, 0x0b,
881 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x43, 0x52, 0x4c, 0x31, 0x81,
882 0x02, 0x05, 0x60, 0x30, 0x1c, 0xa0, 0x15, 0xa0, 0x13, 0xa4, 0x11, 0x30,
883 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04,
884 0x43, 0x52, 0x4c, 0x32, 0x81, 0x03, 0x07, 0x9f, 0x80};
885
886 std::vector<ParsedDistributionPoint> dps;
887 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
888 ASSERT_EQ(2u, dps.size());
889 {
890 const ParsedDistributionPoint &dp = dps[0];
891 EXPECT_FALSE(dp.distribution_point_fullname);
892
893 ASSERT_TRUE(dp.distribution_point_name_relative_to_crl_issuer);
894 // SET {
895 // SEQUENCE {
896 // # commonName
897 // OBJECT_IDENTIFIER { 2.5.4.3 }
898 // PrintableString { "CRL1" }
899 // }
900 // }
901 const uint8_t kExpectedRDN[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
902 0x03, 0x55, 0x04, 0x03, 0x13,
903 0x04, 0x43, 0x52, 0x4c, 0x31};
904 EXPECT_EQ(der::Input(kExpectedRDN),
905 *dp.distribution_point_name_relative_to_crl_issuer);
906
907 ASSERT_TRUE(dp.reasons);
908 const uint8_t kExpectedReasons[] = {0x05, 0x60};
909 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
910
911 EXPECT_FALSE(dp.crl_issuer);
912 }
913 {
914 const ParsedDistributionPoint &dp = dps[1];
915 ASSERT_TRUE(dp.distribution_point_fullname);
916 const GeneralNames &fullname = *dp.distribution_point_fullname;
917 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, fullname.present_name_types);
918 // SET {
919 // SEQUENCE {
920 // # commonName
921 // OBJECT_IDENTIFIER { 2.5.4.3 }
922 // PrintableString { "CRL2" }
923 // }
924 // }
925 const uint8_t kExpectedName[] = {0x31, 0x0d, 0x30, 0x0b, 0x06,
926 0x03, 0x55, 0x04, 0x03, 0x13,
927 0x04, 0x43, 0x52, 0x4c, 0x32};
928 ASSERT_EQ(1u, fullname.directory_names.size());
929 EXPECT_EQ(der::Input(kExpectedName), fullname.directory_names[0]);
930
931 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
932
933 ASSERT_TRUE(dp.reasons);
934 const uint8_t kExpectedReasons[] = {0x07, 0x9f, 0x80};
935 EXPECT_EQ(der::Input(kExpectedReasons), *dp.reasons);
936
937 EXPECT_FALSE(dp.crl_issuer);
938 }
939 }
940
TEST_F(ParseCrlDistributionPointsTest,NoDistributionPointName)941 TEST_F(ParseCrlDistributionPointsTest, NoDistributionPointName) {
942 // SEQUENCE {
943 // SEQUENCE {
944 // # cRLIssuer
945 // [2] {
946 // [4] {
947 // SEQUENCE {
948 // SET {
949 // SEQUENCE {
950 // # organizationUnitName
951 // OBJECT_IDENTIFIER { 2.5.4.11 }
952 // PrintableString { "crl issuer" }
953 // }
954 // }
955 // }
956 // }
957 // }
958 // }
959 // }
960 const uint8_t kInputDer[] = {0x30, 0x1d, 0x30, 0x1b, 0xa2, 0x19, 0xa4, 0x17,
961 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
962 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x63, 0x72, 0x6c,
963 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72};
964
965 std::vector<ParsedDistributionPoint> dps;
966 ASSERT_TRUE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
967 ASSERT_EQ(1u, dps.size());
968 const ParsedDistributionPoint &dp = dps[0];
969 EXPECT_FALSE(dp.distribution_point_fullname);
970
971 EXPECT_FALSE(dp.distribution_point_name_relative_to_crl_issuer);
972
973 EXPECT_FALSE(dp.reasons);
974
975 ASSERT_TRUE(dp.crl_issuer);
976 const uint8_t kExpectedDer[] = {0xa4, 0x17, 0x30, 0x15, 0x31, 0x13, 0x30,
977 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
978 0x0a, 0x63, 0x72, 0x6c, 0x20, 0x69, 0x73,
979 0x73, 0x75, 0x65, 0x72};
980 EXPECT_EQ(der::Input(kExpectedDer), *dp.crl_issuer);
981 }
982
TEST_F(ParseCrlDistributionPointsTest,OnlyReasons)983 TEST_F(ParseCrlDistributionPointsTest, OnlyReasons) {
984 // SEQUENCE {
985 // SEQUENCE {
986 // # reasons
987 // [1 PRIMITIVE] { b`011` }
988 // }
989 // }
990 const uint8_t kInputDer[] = {0x30, 0x06, 0x30, 0x04, 0x81, 0x02, 0x05, 0x60};
991
992 std::vector<ParsedDistributionPoint> dps;
993 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
994 }
995
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoint)996 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoint) {
997 // SEQUENCE {
998 // SEQUENCE {
999 // }
1000 // }
1001 const uint8_t kInputDer[] = {0x30, 0x02, 0x30, 0x00};
1002
1003 std::vector<ParsedDistributionPoint> dps;
1004 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
1005 }
1006
TEST_F(ParseCrlDistributionPointsTest,EmptyDistributionPoints)1007 TEST_F(ParseCrlDistributionPointsTest, EmptyDistributionPoints) {
1008 // SEQUENCE { }
1009 const uint8_t kInputDer[] = {0x30, 0x00};
1010
1011 std::vector<ParsedDistributionPoint> dps;
1012 EXPECT_FALSE(ParseCrlDistributionPoints(der::Input(kInputDer), &dps));
1013 }
1014
ParseAuthorityKeyIdentifierTestData(const char * file_name,std::string * backing_bytes,ParsedAuthorityKeyIdentifier * authority_key_identifier)1015 bool ParseAuthorityKeyIdentifierTestData(
1016 const char *file_name, std::string *backing_bytes,
1017 ParsedAuthorityKeyIdentifier *authority_key_identifier) {
1018 // Read the test file.
1019 const PemBlockMapping mappings[] = {
1020 {"AUTHORITY_KEY_IDENTIFIER", backing_bytes},
1021 };
1022 std::string test_file_path =
1023 std::string(
1024 "testdata/parse_certificate_unittest/authority_key_identifier/") +
1025 file_name;
1026 EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
1027
1028 return ParseAuthorityKeyIdentifier(StringAsBytes(*backing_bytes),
1029 authority_key_identifier);
1030 }
1031
TEST(ParseAuthorityKeyIdentifierTest,EmptyInput)1032 TEST(ParseAuthorityKeyIdentifierTest, EmptyInput) {
1033 ParsedAuthorityKeyIdentifier authority_key_identifier;
1034 EXPECT_FALSE(
1035 ParseAuthorityKeyIdentifier(der::Input(), &authority_key_identifier));
1036 }
1037
TEST(ParseAuthorityKeyIdentifierTest,EmptySequence)1038 TEST(ParseAuthorityKeyIdentifierTest, EmptySequence) {
1039 std::string backing_bytes;
1040 ParsedAuthorityKeyIdentifier authority_key_identifier;
1041 // TODO(mattm): should this be an error? RFC 5280 doesn't explicitly say it.
1042 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1043 "empty_sequence.pem", &backing_bytes, &authority_key_identifier));
1044
1045 EXPECT_FALSE(authority_key_identifier.key_identifier);
1046 EXPECT_FALSE(authority_key_identifier.authority_cert_issuer);
1047 EXPECT_FALSE(authority_key_identifier.authority_cert_serial_number);
1048 }
1049
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifier)1050 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifier) {
1051 std::string backing_bytes;
1052 ParsedAuthorityKeyIdentifier authority_key_identifier;
1053 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1054 "key_identifier.pem", &backing_bytes, &authority_key_identifier));
1055
1056 ASSERT_TRUE(authority_key_identifier.key_identifier);
1057 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1058 EXPECT_EQ(der::Input(kExpectedValue),
1059 authority_key_identifier.key_identifier);
1060 }
1061
TEST(ParseAuthorityKeyIdentifierTest,IssuerAndSerial)1062 TEST(ParseAuthorityKeyIdentifierTest, IssuerAndSerial) {
1063 std::string backing_bytes;
1064 ParsedAuthorityKeyIdentifier authority_key_identifier;
1065 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1066 "issuer_and_serial.pem", &backing_bytes, &authority_key_identifier));
1067
1068 EXPECT_FALSE(authority_key_identifier.key_identifier);
1069
1070 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1071 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1072 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1073 0x04, 0x52, 0x6f, 0x6f, 0x74};
1074 EXPECT_EQ(der::Input(kExpectedIssuer),
1075 authority_key_identifier.authority_cert_issuer);
1076
1077 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1078 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1079 EXPECT_EQ(der::Input(kExpectedSerial),
1080 authority_key_identifier.authority_cert_serial_number);
1081 }
1082
TEST(ParseAuthorityKeyIdentifierTest,KeyIdentifierAndIssuerAndSerial)1083 TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifierAndIssuerAndSerial) {
1084 std::string backing_bytes;
1085 ParsedAuthorityKeyIdentifier authority_key_identifier;
1086 ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
1087 "key_identifier_and_issuer_and_serial.pem", &backing_bytes,
1088 &authority_key_identifier));
1089
1090 ASSERT_TRUE(authority_key_identifier.key_identifier);
1091 const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
1092 EXPECT_EQ(der::Input(kExpectedValue),
1093 authority_key_identifier.key_identifier);
1094
1095 ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
1096 const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
1097 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
1098 0x04, 0x52, 0x6f, 0x6f, 0x74};
1099 EXPECT_EQ(der::Input(kExpectedIssuer),
1100 authority_key_identifier.authority_cert_issuer);
1101
1102 ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
1103 const uint8_t kExpectedSerial[] = {0x27, 0x4F};
1104 EXPECT_EQ(der::Input(kExpectedSerial),
1105 authority_key_identifier.authority_cert_serial_number);
1106 }
1107
TEST(ParseAuthorityKeyIdentifierTest,IssuerOnly)1108 TEST(ParseAuthorityKeyIdentifierTest, IssuerOnly) {
1109 std::string backing_bytes;
1110 ParsedAuthorityKeyIdentifier authority_key_identifier;
1111 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1112 "issuer_only.pem", &backing_bytes, &authority_key_identifier));
1113 }
1114
TEST(ParseAuthorityKeyIdentifierTest,SerialOnly)1115 TEST(ParseAuthorityKeyIdentifierTest, SerialOnly) {
1116 std::string backing_bytes;
1117 ParsedAuthorityKeyIdentifier authority_key_identifier;
1118 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1119 "serial_only.pem", &backing_bytes, &authority_key_identifier));
1120 }
1121
TEST(ParseAuthorityKeyIdentifierTest,InvalidContents)1122 TEST(ParseAuthorityKeyIdentifierTest, InvalidContents) {
1123 std::string backing_bytes;
1124 ParsedAuthorityKeyIdentifier authority_key_identifier;
1125 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1126 "invalid_contents.pem", &backing_bytes, &authority_key_identifier));
1127 }
1128
TEST(ParseAuthorityKeyIdentifierTest,InvalidKeyIdentifier)1129 TEST(ParseAuthorityKeyIdentifierTest, InvalidKeyIdentifier) {
1130 std::string backing_bytes;
1131 ParsedAuthorityKeyIdentifier authority_key_identifier;
1132 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1133 "invalid_key_identifier.pem", &backing_bytes, &authority_key_identifier));
1134 }
1135
TEST(ParseAuthorityKeyIdentifierTest,InvalidIssuer)1136 TEST(ParseAuthorityKeyIdentifierTest, InvalidIssuer) {
1137 std::string backing_bytes;
1138 ParsedAuthorityKeyIdentifier authority_key_identifier;
1139 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1140 "invalid_issuer.pem", &backing_bytes, &authority_key_identifier));
1141 }
1142
TEST(ParseAuthorityKeyIdentifierTest,InvalidSerial)1143 TEST(ParseAuthorityKeyIdentifierTest, InvalidSerial) {
1144 std::string backing_bytes;
1145 ParsedAuthorityKeyIdentifier authority_key_identifier;
1146 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1147 "invalid_serial.pem", &backing_bytes, &authority_key_identifier));
1148 }
1149
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterIssuerAndSerial)1150 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterIssuerAndSerial) {
1151 std::string backing_bytes;
1152 ParsedAuthorityKeyIdentifier authority_key_identifier;
1153 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1154 "extra_contents_after_issuer_and_serial.pem", &backing_bytes,
1155 &authority_key_identifier));
1156 }
1157
TEST(ParseAuthorityKeyIdentifierTest,ExtraContentsAfterExtensionSequence)1158 TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterExtensionSequence) {
1159 std::string backing_bytes;
1160 ParsedAuthorityKeyIdentifier authority_key_identifier;
1161 EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
1162 "extra_contents_after_extension_sequence.pem", &backing_bytes,
1163 &authority_key_identifier));
1164 }
1165
TEST(ParseSubjectKeyIdentifierTest,EmptyInput)1166 TEST(ParseSubjectKeyIdentifierTest, EmptyInput) {
1167 der::Input subject_key_identifier;
1168 EXPECT_FALSE(
1169 ParseSubjectKeyIdentifier(der::Input(), &subject_key_identifier));
1170 }
1171
TEST(ParseSubjectKeyIdentifierTest,Valid)1172 TEST(ParseSubjectKeyIdentifierTest, Valid) {
1173 // OCTET_STRING {`abcd`}
1174 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd};
1175 const uint8_t kExpected[] = {0xab, 0xcd};
1176 der::Input subject_key_identifier;
1177 EXPECT_TRUE(
1178 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1179 EXPECT_EQ(der::Input(kExpected), subject_key_identifier);
1180 }
1181
TEST(ParseSubjectKeyIdentifierTest,ExtraData)1182 TEST(ParseSubjectKeyIdentifierTest, ExtraData) {
1183 // OCTET_STRING {`abcd`}
1184 // NULL
1185 const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd, 0x05};
1186 der::Input subject_key_identifier;
1187 EXPECT_FALSE(
1188 ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
1189 }
1190
1191 } // namespace
1192
1193 BSSL_NAMESPACE_END
1194