Error::UnsupportedCertVersion instead of BadDER on certificate v1

I agree to license my contributions to each file under the terms given at the top of each file I changed.
2021-02-16 05:11:19 +00:00 · 2021-02-16 05:11:19 +00:00 · 1364e7a902
parent 07306a64a3
commit 1364e7a902
5 changed files with 32 additions and 2 deletions
--- a/src/cert.rs
+++ b/src/cert.rs
@ -135,7 +135,7 @@ fn version3(input: &mut untrusted::Reader) -> Result<(), Error> {
    der::nested(
        input,
        der::Tag::ContextSpecificConstructed0,
-        Error::BadDER,
+        Error::UnsupportedCertVersion,
        |input| {
            let version = der::small_nonnegative_integer(input)?;
            if version != 2 {
--- a/src/error.rs
+++ b/src/error.rs
@ -68,6 +68,9 @@ pub enum Error {
    UnknownIssuer,

    /// The certificate is not a v3 X.509 certificate.
+    ///
+    /// This error may be also reported if the certificate version field
+    /// is malformed.
    UnsupportedCertVersion,

    /// The certificate contains an unsupported critical extension.
--- a/src/trust_anchor.rs
+++ b/src/trust_anchor.rs
@ -57,7 +57,7 @@ impl<'a> TrustAnchor<'a> {
            possibly_invalid_certificate_serial_number,
        ) {
            Ok(cert) => Ok(Self::from(cert)),
-            Err(Error::BadDER) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
+            Err(Error::UnsupportedCertVersion) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
            Err(err) => Err(err),
        }
    }
--- a/tests/cert_v1.der
+++ b/tests/cert_v1.der
--- a/tests/cert_v1_unsupported.rs
+++ b/tests/cert_v1_unsupported.rs
@ -0,0 +1,27 @@
+// Copyright 2021 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+use core::convert::TryFrom;
+
+#[test]
+fn test_cert_v1_unsupported() {
+    // Check with `openssl x509 -text -noout -in cert_v1.der -inform DER`
+    // to verify this is a correct version 1 certificate.
+    const CERT_V1_DER: &[u8] = include_bytes!("cert_v1.der");
+
+    assert_eq!(
+        Some(webpki::Error::UnsupportedCertVersion),
+        webpki::EndEntityCert::try_from(CERT_V1_DER).err()
+    );
+}