Error::UnsupportedCertWithoutExtensions

Better error than `BadDER` when certificate is generated incorrectly.

I agree to license my contributions to each file under the terms given at the top of each file I changed.

src/cert.rs

@@ -104,7 +104,7 @@ pub(crate) fn parse_cert_internal<'a>(
         der::nested(
             tbs,
             der::Tag::ContextSpecificConstructed3,
-            Error::BadDER,
+            Error::MissingOrMalformedExtensions,
             |tagged| {
                 der::nested_of_mut(
                     tagged,

src/error.rs

@@ -73,6 +73,13 @@ pub enum Error {
     /// is malformed.
     UnsupportedCertVersion,
 
+    /// The certificate extensions are missing or malformed.
+    ///
+    /// In particular, webpki requires the DNS name(s) be in the subjectAltName
+    /// extension as required by the CA/Browser Forum Baseline Requirements
+    /// and as recommended by RFC6125.
+    MissingOrMalformedExtensions,
+
     /// The certificate contains an unsupported critical extension.
     UnsupportedCriticalExtension,
 

tests/cert_without_extensions.rs

@@ -0,0 +1,27 @@
+// Copyright 2021 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+use core::convert::TryFrom;
+
+#[test]
+fn cert_without_extensions_test() {
+    // Check the certificate is valid with
+    // `openssl x509 -in cert_without_extensions.der -inform DER -text -noout`
+    const CERT_WITHOUT_EXTENSIONS_DER: &[u8] = include_bytes!("cert_without_extensions.der");
+
+    assert_eq!(
+        Some(webpki::Error::MissingOrMalformedExtensions),
+        webpki::EndEntityCert::try_from(CERT_WITHOUT_EXTENSIONS_DER).err()
+    );
+}