mirror of https://github.com/briansmith/webpki
Error::UnsupportedCertWithoutExtensions
Better error than `BadDER` when certificate is generated incorrectly. I agree to license my contributions to each file under the terms given at the top of each file I changed.
parent
1364e7a902
commit
ba54ede055
|
@ -104,7 +104,7 @@ pub(crate) fn parse_cert_internal<'a>(
|
|||
der::nested(
|
||||
tbs,
|
||||
der::Tag::ContextSpecificConstructed3,
|
||||
Error::BadDER,
|
||||
Error::MissingOrMalformedExtensions,
|
||||
|tagged| {
|
||||
der::nested_of_mut(
|
||||
tagged,
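Review bot: The `der::nested` call for `der::Tag::ContextSpecificConstructed3` now rejects a missing extensions field with a dedicated error, but nothing at the call site says that this is a policy decision rather than a DER syntax failure. RFC 5280 makes the extensions field optional, so a one-line comment such as `// extensions are OPTIONAL in RFC 5280, but webpki requires them (subjectAltName), so absence is rejected here` would tell the reader why `BadDER` was the wrong answer. It is also worth confirming that failures raised inside the `|tagged|` closure are not still reported as `BadDER`, since malformed extensions would then surface under two variants. The closure and the rest of `parse_cert_internal` continue outside the hunk, so that cannot be checked from here.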
|
||||
|
|
|
@ -73,6 +73,13 @@ pub enum Error {
|
|||
/// is malformed.
|
||||
UnsupportedCertVersion,
|
||||
|
||||
/// The certificate extensions are missing or malformed.
|
||||
///
|
||||
/// In particular, webpki requires the DNS name(s) be in the subjectAltName
|
||||
/// extension as required by the CA/Browser Forum Baseline Requirements
|
||||
/// and as recommended by RFC6125.
|
||||
MissingOrMalformedExtensions,
|
||||
|
||||
/// The certificate contains an unsupported critical extension.
|
||||
UnsupportedCriticalExtension,
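Review bot: The doc comment on `MissingOrMalformedExtensions` explains the variant through the subjectAltName requirement, but the only producer visible in this commit is the `der::nested` call on the `[3]` extensions field. As far as the page shows, the error means the whole extensions block is absent or unreadable, not that a DNS name is missing. A first line such as `/// The certificate's extensions field is absent or could not be parsed.` followed by the existing rationale would stop callers reading it as a name-matching failure. The commit title names `Error::UnsupportedCertWithoutExtensions`, which is not the variant added here and will mislead anyone searching the history. The enum's attributes are outside the hunk, so whether downstream exhaustive matches are protected by `#[non_exhaustive]` cannot be seen.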
|
||||
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,27 @@
|
|||
// Copyright 2021 Brian Smith.
|
||||
//
|
||||
// Permission to use, copy, modify, and/or distribute this software for any
|
||||
// purpose with or without fee is hereby granted, provided that the above
|
||||
// copyright notice and this permission notice appear in all copies.
|
||||
//
|
||||
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
|
||||
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
|
||||
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
use core::convert::TryFrom;
|
||||
|
||||
#[test]
|
||||
fn cert_without_extensions_test() {
|
||||
// Check the certificate is valid with
|
||||
// `openssl x509 -in cert_without_extensions.der -inform DER -text -noout`
|
||||
const CERT_WITHOUT_EXTENSIONS_DER: &[u8] = include_bytes!("cert_without_extensions.der");
|
||||
|
||||
assert_eq!(
|
||||
Some(webpki::Error::MissingOrMalformedExtensions),
|
||||
webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).err()
|
||||
);
|
||||
}
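Review bot: The fixture `cert_without_extensions.der` is an opaque binary, and the comment in `cert_without_extensions_test` says only how to inspect it, not how it was produced. A comment recording the generation command or script would let a reviewer reproduce the blob instead of trusting it. The test also pins only the missing-extensions case, so the "malformed" half of `MissingOrMalformedExtensions` has no coverage visible here. A second fixture with a present but malformed extensions field would show which variant that path returns.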
|