From 1364e7a902c980bf82ea9ad777711b26d4bf9ec7 Mon Sep 17 00:00:00 2001
From: Stiopa Koltsov
Date: Tue, 16 Feb 2021 05:11:19 +0000
Subject: [PATCH] Error::UnsupportedCertVersion instead of BadDER on certificate v1

I agree to license my contributions to each file under the terms given at the top of each file I changed.
---
 src/cert.rs | 2 +-
 src/error.rs | 3 +++
 src/trust_anchor.rs | 2 +-
 tests/cert_v1.der | Bin 0 -> 809 bytes
 tests/cert_v1_unsupported.rs | 27 +++++++++++++++++++++++++++
 5 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 tests/cert_v1.der
 create mode 100644 tests/cert_v1_unsupported.rs
diff --git a/src/cert.rs b/src/cert.rs
index d79282b..9a7233a 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -135,7 +135,7 @@ fn version3(input: &mut untrusted::Reader) -> Result<(), Error> {
 der::nested(
 input,
 der::Tag::ContextSpecificConstructed0,
- Error::BadDER,
+ Error::UnsupportedCertVersion,
 |input| {
 let version = der::small_nonnegative_integer(input)?;
 if version != 2 {
diff --git a/src/error.rs b/src/error.rs
index 07e0ebb..d5138db 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -68,6 +68,9 @@ pub enum Error {
 UnknownIssuer,
 /// The certificate is not a v3 X.509 certificate.
+ ///
+ /// This error may be also reported if the certificate version field
+ /// is malformed.
 UnsupportedCertVersion,
 /// The certificate contains an unsupported critical extension.
diff --git a/src/trust_anchor.rs b/src/trust_anchor.rs
index b1011cc..414658e 100644
--- a/src/trust_anchor.rs
+++ b/src/trust_anchor.rs
@@ -57,7 +57,7 @@ impl<'a> TrustAnchor<'a> {
 possibly_invalid_certificate_serial_number,
 ) {
 Ok(cert) => Ok(Self::from(cert)),
- Err(Error::BadDER) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
+ Err(Error::UnsupportedCertVersion) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
 Err(err) => Err(err),
 }
 }
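Review bot: In src/cert.rs `version3`, the call site gives no hint why `Error::UnsupportedCertVersion` is now the error handed to `der::nested`, and the relabelling may reach further than v1 certificates. A v1 certificate omits the `[0]` version element, so a tag mismatch is the case being targeted, but if `der::nested` returns the same error for a truncated or over-long element (its definition is outside this hunk), malformed input is now classified as a version problem too. A comment above the argument would record the intent, for example `// v1 certificates omit the [0] version element; a missing or malformed element is reported as UnsupportedCertVersion.` Callers that log or branch on this variant should not read it as evidence that the rest of the certificate parsed cleanly. The body of `version3` continues past the end of the hunk.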
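Review bot: In src/error.rs, the doc text added to `UnsupportedCertVersion` mentions a malformed version field but not the case this commit is about, a certificate with no version field at all, and "may be also reported" reads awkwardly. Suggested wording: `/// This error is also reported when the version field is absent (as in v1 certificates) or malformed.` That tells a caller handling untrusted input that the variant covers parse failures at this field and not only a well-formed non-v3 certificate.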
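Review bot: In src/trust_anchor.rs, the fallback arm now matches every `UnsupportedCertVersion`, which, going by the `if version != 2` check visible in the src/cert.rs hunk, presumably includes certificates that carry an explicit non-v3 version and not only v1 certificates that omit the field. For those inputs a failed `parse_cert_v1` is rewritten by `.or(Err(Error::BadDER))`, so the caller would be told the DER is bad where it was previously told the version is unsupported; `parse_cert_v1` is defined outside this hunk, so this should be confirmed against it. If the rewrite is intended, a comment on the arm would say so, for example `// Retry as v1; any failure of the v1 parse is reported as BadDER, including for an explicit non-v3 version.` The enclosing function starts before the hunk.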
diff --git a/tests/cert_v1.der b/tests/cert_v1.der new file mode 100644 index 0000000000000000000000000000000000000000..a603733a5cb7ac3f925324d531f6b5f6098b36d2 GIT binary patch literal 809 zcmXqLVpcV1V&Y}uWVrTv)m#IuADjlfY@Awc9&O)w85vnw84Q99xeYkkm_u3EgqcEv z4f%ocKn@2Fn@eh5W@3(^h=CADfSrdsxS%LAuOuxqH7CW8$AAkY%EiO%l38rXXTSsE zG4rtIR_Y}u8pw(B8W|cG8JZaw8(WxIMnSpeP_98Zs-3(B+z>liLQ4`eV5YJ2um%+6 zm*pFZ8VEz|;&F8LbyWyXEh@`QPBj!V5P(?9nUkNKn3IuTTw>6~sD$i4Mpg#qCPsb+ zpg0#(6C)$T{+P(mQE8s%7;d?``8R)iloy^q;fTOe*>sUh|H@?xIo1iuuRL~x>C1{= zmzy54XIPw?wRrW3K>{mE&W>sXI{*|mE$I!gl}mqHo%rZk`>H)PW^L??#E-wz&Gr}H45@6|`HF+%*YceevWNKWS~$8E zYi&Eaa_zZCuem>@KFK`3qCkGropoCbtn;pMp4!W>=y95*K!li##A1D353xhc$3;$>w0L^CTkWVaJ**c}o^7<4*JAyL56c9S&t1&>pzBe* zr7ylOWgc&ofu`>~jf(ARx0#q385og62$%wZA;iew@Ww-s!_;!mRnC{U0;9aXtuIOa z$5$h;U}i#!45!}m6va7Gr;jhIi&SRdUBza+t~aLU_spDJM&*TZGuVD!d2GGoO;-JS z%l8YHPwR<)bN5F%yXvyd7{e!l*oD)M*YQsG-GTVj;2rAOxWHt3qx)d%-Sb7ySS-mJ450C?UoM*si- literal 0 HcmV?d00001 diff --git a/tests/cert_v1_unsupported.rs b/tests/cert_v1_unsupported.rs new file mode 100644 index 0000000..d2c7132 --- /dev/null +++ b/tests/cert_v1_unsupported.rs 
@@ -0,0 +1,27 @@
+// Copyright 2021 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+use core::convert::TryFrom;
+
+#[test]
+fn test_cert_v1_unsupported() {
+ // Check with `openssl x509 -text -noout -in cert_v1.der -inform DER`
+ // to verify this is a correct version 1 certificate.
+ const CERT_V1_DER: &[u8] = include_bytes!("cert_v1.der");
+
+ assert_eq!(
+ Some(webpki::Error::UnsupportedCertVersion),
+ webpki::EndEntityCert::try_from(CERT_V1_DER).err()
+ );
+}
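Review bot: The new test covers only `EndEntityCert::try_from`; the trust-anchor fallback changed in src/trust_anchor.rs, which appears to be the path that accepts v1 certificates, is not exercised with `cert_v1.der`. A second test that passes the same bytes to the `TrustAnchor` constructor and asserts success would pin the behaviour the changed match arm relies on. A negative case built from a truncated copy of the fixture would also show which error malformed input now produces, which the updated doc comment on `UnsupportedCertVersion` leaves open.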