Test a few more unusual TBS certificates
I missed that we had another field where the TBS cache is load-bearing:
the critical bit is not parsed correctly.
Bug: 442221114
Change-Id: I5a87c3af81805d82ee70c9688fe81ab3f949e900
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/81967
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/test/make_unusual_tbs.go b/crypto/x509/test/make_unusual_tbs.go
index 2ce33ed..8424ba5 100644
--- a/crypto/x509/test/make_unusual_tbs.go
+++ b/crypto/x509/test/make_unusual_tbs.go
@@ -121,6 +121,8 @@
}
paths := []string{
+ "unusual_tbs_critical_ber.pem",
+ "unusual_tbs_critical_false_not_omitted.pem",
"unusual_tbs_empty_extension_not_omitted.pem",
"unusual_tbs_null_sigalg_param.pem",
"unusual_tbs_uid_both.pem",
diff --git a/crypto/x509/test/unusual_tbs_critical_ber.pem b/crypto/x509/test/unusual_tbs_critical_ber.pem
new file mode 100644
index 0000000..80b85bd
--- /dev/null
+++ b/crypto/x509/test/unusual_tbs_critical_ber.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBJjCBzqADAgECAgkAhl+3uPLdFykwCgYIKoZIzj0EAwIwDzENMAsGA1UEAwwE
+VGVzdDAeFw0yNTA5MDIxODQzMTdaFw0yNTEwMDIxODQzMTdaMA8xDTALBgNVBAMM
+BFRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATszjOipC1du8ay50pozmB3
+x6bHKTrwAVOMhhTg87UC2JhffDIvz2TBsePGC+aH/1oGDUs6PqR+wkjFQtSZSl3N
+oxMwETAPBgNVHRMBAQEEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHsifHzBqZaB
+miT+i/7bzfKSRBxGlETKtQ4Uk+970fQWAiAZDm/huJD42HnOi9q4OUHzAtsxVAml
+NtUuQ1k4eJAh/A==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem b/crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem
new file mode 100644
index 0000000..7e0bda4
--- /dev/null
+++ b/crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBJjCBzqADAgECAgkAhl+3uPLdFykwCgYIKoZIzj0EAwIwDzENMAsGA1UEAwwE
+VGVzdDAeFw0yNTA5MDIxODQzMTdaFw0yNTEwMDIxODQzMTdaMA8xDTALBgNVBAMM
+BFRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATszjOipC1du8ay50pozmB3
+x6bHKTrwAVOMhhTg87UC2JhffDIvz2TBsePGC+aH/1oGDUs6PqR+wkjFQtSZSl3N
+oxMwETAPBgNVHRMBAQAEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEWpqBLkyjns
+J0B3yF1vBxYjctK0JlIcM7zaesbsiAMMAiAwm4T0zi2e72yk5NNuL1CJTqUeJ/OC
+FCj5wnR6w2Si+A==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 354955e..a452cc6 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -8911,6 +8911,12 @@
// The TBSCertificates were made with https://github.com/google/der-ascii.
// crypto/x509/test/make_unusual_tbs.go then filled in valid signatures.
const char *kPaths[] = {
+ // Non-canonical encoding of TRUE in the critical bit.
+ // TODO(crbug.com/442221114): The parser should reject this.
+ "crypto/x509/test/unusual_tbs_critical_ber.pem",
+ // A FALSE critical bit is encoded instead of omitted as DEFAULT.
+ // TODO(crbug.com/442221114): The parser should reject this.
+ "crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem",
// Empty extension instead of omitting the entire field.
// TODO(crbug.com/442221114): The parser should reject this.
"crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem",
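Review bot: The two comments added to kPaths name the defect but not the bytes, so a reader has to base64-decode the new PEM files to confirm what is being tested. In the added files the affected extension is basicConstraints: its critical field is `01 01 01` in unusual_tbs_critical_ber.pem (TRUE as 0x01, where DER requires 0xff) and an explicit `01 01 00` in unusual_tbs_critical_false_not_omitted.pem. I would say so in the comments, e.g. `// basicConstraints critical is BOOLEAN 0x01; DER requires 0xff for TRUE.` and `// basicConstraints critical is an explicit BOOLEAN FALSE (01 01 00), which DER omits.` Since the TODOs say the parser should reject these, the entries presumably pin today's lenient acceptance, and it is worth noting that the expectation must change to a parse failure once the bug is fixed. The kPaths array and the test body continue outside the hunk, so what is asserted for each path is not visible here.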
@@ -8918,8 +8924,7 @@
// omitted. We accept this due to b/167375496.
"crypto/x509/test/unusual_tbs_null_sigalg_param.pem",
// Deprecated subject and issuer unique IDs are present. This is valid,
- // but
- // rarely exercised.
+ // but rarely exercised.
"crypto/x509/test/unusual_tbs_uid_both.pem",
"crypto/x509/test/unusual_tbs_uid_issuer.pem",
"crypto/x509/test/unusual_tbs_uid_subject.pem",
diff --git a/gen/sources.bzl b/gen/sources.bzl
index edc4dca..cb6ded9 100644
--- a/gen/sources.bzl
+++ b/gen/sources.bzl
@@ -1005,6 +1005,8 @@
"crypto/x509/test/trailing_data_leaf_name_constraints.pem",
"crypto/x509/test/trailing_data_leaf_subject_alt_name.pem",
"crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem",
+ "crypto/x509/test/unusual_tbs_critical_ber.pem",
+ "crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem",
"crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem",
"crypto/x509/test/unusual_tbs_key.pem",
"crypto/x509/test/unusual_tbs_null_sigalg_param.pem",
diff --git a/gen/sources.cmake b/gen/sources.cmake
index 0a5e083..b0311e8 100644
--- a/gen/sources.cmake
+++ b/gen/sources.cmake
@@ -1031,6 +1031,8 @@
crypto/x509/test/trailing_data_leaf_name_constraints.pem
crypto/x509/test/trailing_data_leaf_subject_alt_name.pem
crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem
+ crypto/x509/test/unusual_tbs_critical_ber.pem
+ crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem
crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem
crypto/x509/test/unusual_tbs_key.pem
crypto/x509/test/unusual_tbs_null_sigalg_param.pem
diff --git a/gen/sources.gni b/gen/sources.gni
index 4807120..ece0757 100644
--- a/gen/sources.gni
+++ b/gen/sources.gni
@@ -1005,6 +1005,8 @@
"crypto/x509/test/trailing_data_leaf_name_constraints.pem",
"crypto/x509/test/trailing_data_leaf_subject_alt_name.pem",
"crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem",
+ "crypto/x509/test/unusual_tbs_critical_ber.pem",
+ "crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem",
"crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem",
"crypto/x509/test/unusual_tbs_key.pem",
"crypto/x509/test/unusual_tbs_null_sigalg_param.pem",
diff --git a/gen/sources.json b/gen/sources.json
index 29be1ce..3d59d7b 100644
--- a/gen/sources.json
+++ b/gen/sources.json
@@ -985,6 +985,8 @@
"crypto/x509/test/trailing_data_leaf_name_constraints.pem",
"crypto/x509/test/trailing_data_leaf_subject_alt_name.pem",
"crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem",
+ "crypto/x509/test/unusual_tbs_critical_ber.pem",
+ "crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem",
"crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem",
"crypto/x509/test/unusual_tbs_key.pem",
"crypto/x509/test/unusual_tbs_null_sigalg_param.pem",
diff --git a/gen/sources.mk b/gen/sources.mk
index de380cf..e58826e 100644
--- a/gen/sources.mk
+++ b/gen/sources.mk
@@ -993,6 +993,8 @@
crypto/x509/test/trailing_data_leaf_name_constraints.pem \
crypto/x509/test/trailing_data_leaf_subject_alt_name.pem \
crypto/x509/test/trailing_data_leaf_subject_key_identifier.pem \
+ crypto/x509/test/unusual_tbs_critical_ber.pem \
+ crypto/x509/test/unusual_tbs_critical_false_not_omitted.pem \
crypto/x509/test/unusual_tbs_empty_extension_not_omitted.pem \
crypto/x509/test/unusual_tbs_key.pem \
crypto/x509/test/unusual_tbs_null_sigalg_param.pem \