update main-with-bazel from master branch
diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl
index 4dbefb3..8960bbd 100644
--- a/BUILD.generated_tests.bzl
+++ b/BUILD.generated_tests.bzl
@@ -1484,6 +1484,8 @@
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test",
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth-strict.test",
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test",
+    "src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem",
+    "src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test",
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem",
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test",
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem",
diff --git a/sources.json b/sources.json
index ca32208..91bccfd 100644
--- a/sources.json
+++ b/sources.json
@@ -2091,6 +2091,8 @@
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test", 
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth-strict.test", 
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test", 
+    "src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem", 
+    "src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test", 
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem", 
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test", 
     "src/pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem", 
diff --git a/src/gen/sources.cmake b/src/gen/sources.cmake
index 6c8b176..52dc5de 100644
--- a/src/gen/sources.cmake
+++ b/src/gen/sources.cmake
@@ -2176,6 +2176,8 @@
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth-strict.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test
+  pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem
+  pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem
   pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test
   pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem
diff --git a/src/gen/sources.json b/src/gen/sources.json
index 77b1343..0f13f82 100644
--- a/src/gen/sources.json
+++ b/src/gen/sources.json
@@ -2117,6 +2117,8 @@
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-clientAuth.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth-strict.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-eku-server-gated-crypto/sha256-eku-serverAuth.test",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem",
+      "pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test",
       "pki/testdata/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem",
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/README.md b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/README.md
new file mode 100644
index 0000000..dd4090d
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/README.md
@@ -0,0 +1,22 @@
+This test verifies behavior when a certificate has an unparseable/unsupported
+SPKI. It should be handled equivalently to a certificate with a failed
+signature verification: further processing should be shortcircuited.
+The certificate chain has 2 problems:
+* leaf is expired
+* intermediate has invalid SPKI
+
+The verification should fail with only the SPKI parsing error, since further
+processing should be short-circuited.
+
+Instructions for generating test certificate chain:
+* `cp ../expired-target/chain.pem .`
+* extract intermediate cert to `int-pre.pem`
+* `print_certificates --output=der2ascii int-pre.pem > int.derascii`
+* edit `int.derascii` to replace SPKI OID with something invalid
+* extract the TBSCertificate part of the certificate to `int.tbs.derascii`
+  `ascii2der < int.tbs.derascii  > int.tbs.der`
+* generate new signature: `openssl pkeyutl -sign -rawin -in int.tbs.der -digest sha256 -inkey ../expired-target/keys/Root.key -out - | xxd -p -c 0`
+* replace the signature hex in `int.derascii`
+* `ascii2der < int.derascii > int.der`
+* `print_certificates --output=openssl_text,pem int.der > int.pem`
+* replace the intermediate certificate in `chain.pem` with the contents of `int.pem`
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem
new file mode 100644
index 0000000..172aca6
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/chain.pem
@@ -0,0 +1,252 @@
+Manually generated test chain, see README.md for instructions to update.
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            41:12:68:d0:ed:0e:6e:55:d8:c9:2b:43:af:b7:eb:4e:6a:f7:e3:4e
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Intermediate
+        Validity
+            Not Before: Mar  1 12:00:00 2015 GMT
+            Not After : Sep  1 12:00:00 2015 GMT
+        Subject: CN=Target
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d1:ba:03:81:9f:9e:55:9e:1a:95:8f:fd:1b:45:
+                    51:fe:91:3c:ac:14:9b:08:b7:0e:db:f2:2f:3f:83:
+                    b8:06:59:7b:5f:67:74:e4:a1:36:40:b1:a0:32:c5:
+                    13:d7:ad:cb:3c:a7:e8:5d:73:bd:40:8b:0d:f1:3c:
+                    fc:38:a1:e7:a1:09:94:44:e6:7d:86:cf:fd:cd:eb:
+                    47:90:29:53:97:22:3f:40:d4:d4:73:a2:17:00:fc:
+                    81:a9:57:5f:d6:21:92:06:8e:72:5e:f0:f7:f5:90:
+                    aa:a2:b5:c6:58:9c:90:14:6f:72:f5:f0:8a:27:f6:
+                    4e:22:b2:3a:29:47:e1:3f:b5:69:38:e1:f0:6e:81:
+                    7e:9e:b0:0e:d3:01:81:57:95:78:06:75:66:4c:1e:
+                    2b:2d:d1:68:47:b9:94:47:55:a8:08:a8:0d:64:95:
+                    e6:a2:b5:ce:74:74:91:3f:20:db:05:77:6b:0c:ed:
+                    b4:6e:95:7d:d1:8c:d0:6c:3f:2f:ab:0e:d0:a9:c1:
+                    4e:2f:02:1b:e5:37:02:61:ab:6d:0e:2f:a8:d5:ca:
+                    08:1c:3c:75:17:e0:56:fc:07:68:89:4a:e3:1c:f4:
+                    af:f1:eb:a6:b3:5e:68:9d:2f:e7:08:23:a3:9d:e5:
+                    a4:78:ae:cc:39:95:a7:e1:6e:31:73:51:99:19:b2:
+                    17:87
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                25:FF:8A:94:CE:C2:88:76:B1:E3:8A:B4:0E:F5:5F:B5:3A:2F:6C:B6
+            X509v3 Authority Key Identifier: 
+                keyid:83:98:28:40:CF:A4:63:D5:9B:A8:81:96:82:A5:40:A6:47:2C:F2:42
+
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Intermediate.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://url-for-crl/Intermediate.crl
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+         7b:93:fd:c4:48:b8:6b:24:b7:cf:2a:7e:e5:b1:80:9e:87:1f:
+         64:ea:80:ef:54:45:e2:87:d6:93:70:0c:54:20:79:c3:be:f0:
+         12:e5:f7:2e:0a:fa:2b:21:29:7f:be:f4:9f:44:ad:9f:7e:30:
+         93:a3:1b:2c:a4:16:11:97:6e:7e:85:08:17:35:1f:2c:4b:3f:
+         aa:9b:a7:48:f5:87:66:03:e0:c0:d3:43:3e:01:57:c3:30:0d:
+         89:71:fc:bc:c1:64:af:cb:72:a9:8f:8f:28:d1:6a:49:95:af:
+         54:ab:93:cb:73:d4:a3:05:b4:88:c2:05:20:4b:88:39:1b:61:
+         fa:80:35:7a:4d:ef:3c:79:59:7e:73:ff:73:80:a3:d4:27:b0:
+         49:4d:cd:40:ab:69:99:40:e6:c4:16:13:ca:53:b9:7a:39:60:
+         54:ce:e2:2e:5e:05:4c:ff:de:e7:2d:d9:bd:98:e3:61:b8:7b:
+         a7:0a:f4:1f:06:b8:99:55:fb:6b:cb:c6:88:7c:e3:d0:d1:24:
+         e1:ca:9d:19:bc:b4:dc:9c:37:b0:19:18:00:cc:9d:ba:68:67:
+         07:36:25:c4:60:a6:fe:31:a2:56:f0:d2:f8:15:4e:c2:2b:07:
+         2b:cd:08:27:5d:77:7f:2f:ee:21:5f:65:aa:3d:b4:d8:ad:92:
+         b3:f1:e8:24
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIUQRJo0O0OblXYyStDr7frTmr3404wDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMSW50ZXJtZWRpYXRlMB4XDTE1MDMwMTEyMDAwMFoXDTE1
+MDkwMTEyMDAwMFowETEPMA0GA1UEAwwGVGFyZ2V0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA0boDgZ+eVZ4alY/9G0VR/pE8rBSbCLcO2/IvP4O4Bll7
+X2d05KE2QLGgMsUT163LPKfoXXO9QIsN8Tz8OKHnoQmUROZ9hs/9zetHkClTlyI/
+QNTUc6IXAPyBqVdf1iGSBo5yXvD39ZCqorXGWJyQFG9y9fCKJ/ZOIrI6KUfhP7Vp
+OOHwboF+nrAO0wGBV5V4BnVmTB4rLdFoR7mUR1WoCKgNZJXmorXOdHSRPyDbBXdr
+DO20bpV90YzQbD8vqw7QqcFOLwIb5TcCYattDi+o1coIHDx1F+BW/AdoiUrjHPSv
+8eums15onS/nCCOjneWkeK7MOZWn4W4xc1GZGbIXhwIDAQABo4HpMIHmMB0GA1Ud
+DgQWBBQl/4qUzsKIdrHjirQO9V+1Oi9stjAfBgNVHSMEGDAWgBSDmChAz6Rj1Zuo
+gZaCpUCmRyzyQjA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly91
+cmwtZm9yLWFpYS9JbnRlcm1lZGlhdGUuY2VyMDQGA1UdHwQtMCswKaAnoCWGI2h0
+dHA6Ly91cmwtZm9yLWNybC9JbnRlcm1lZGlhdGUuY3JsMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQAD
+ggEBAHuT/cRIuGskt88qfuWxgJ6HH2TqgO9UReKH1pNwDFQgecO+8BLl9y4K+ish
+KX++9J9ErZ9+MJOjGyykFhGXbn6FCBc1HyxLP6qbp0j1h2YD4MDTQz4BV8MwDYlx
+/LzBZK/LcqmPjyjRakmVr1Srk8tz1KMFtIjCBSBLiDkbYfqANXpN7zx5WX5z/3OA
+o9QnsElNzUCraZlA5sQWE8pTuXo5YFTO4i5eBUz/3uct2b2Y42G4e6cK9B8GuJlV
++2vLxoh849DRJOHKnRm8tNycN7AZGADMnbpoZwc2JcRgpv4xolbw0vgVTsIrByvN
+CCddd38v7iFfZao9tNitkrPx6CQ=
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            6b:fe:73:9b:39:80:90:40:2b:a7:4b:81:15:15:0d:0f:11:a3:f7:a8
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2016 GMT
+        Subject: CN = Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: 1.2.3.4
+            Unable to load Public Key
+400765FF1F7F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
+400765FF1F7F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                83:98:28:40:CF:A4:63:D5:9B:A8:81:96:82:A5:40:A6:47:2C:F2:42
+            X509v3 Authority Key Identifier: 
+                03:75:5B:98:4F:24:A0:F2:7C:A3:A1:C3:82:12:34:75:A6:66:8B:30
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        72:3e:2c:68:4f:7f:86:0f:02:18:05:fc:f9:7a:24:47:8e:4a:
+        92:37:cf:23:5e:9e:73:bd:80:89:cf:13:93:05:97:c1:1a:ec:
+        f9:10:3b:2c:d4:6e:67:b7:5f:15:1a:ef:ff:d1:be:aa:5a:29:
+        66:45:2e:78:67:18:89:f0:41:47:43:11:c1:cd:d0:71:67:3a:
+        66:13:05:d0:4d:2a:db:52:e4:f3:84:f6:fa:a6:3a:44:c6:2d:
+        fb:9d:52:4d:5e:3c:f6:c7:25:f7:f9:e3:34:53:82:e6:72:af:
+        4e:21:a5:fc:88:ce:5e:0d:73:b0:59:cb:4a:1b:5c:fe:7c:0e:
+        fd:2d:4a:15:3f:b5:49:86:a0:25:0d:3e:67:80:f2:3b:86:79:
+        4c:ee:ad:de:08:37:13:06:ca:d8:54:7d:d6:ac:ad:5d:3a:15:
+        78:c8:d1:14:92:69:2c:19:65:48:0f:cc:1b:3b:b2:3b:02:8f:
+        af:ee:21:c4:8e:89:3b:cf:3e:82:86:ed:fb:dc:05:b0:00:e0:
+        4d:5c:5a:df:3d:74:6f:50:dc:96:c8:cb:54:a9:80:71:0b:4a:
+        c6:7f:83:5f:13:10:d7:86:16:1b:c2:40:d4:89:0e:b7:e4:08:
+        44:59:8e:e0:f0:97:4c:6c:57:b9:ef:99:3d:ec:e6:23:e4:98:
+        cb:67:d7:0e
+
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIUa/5zmzmAkEArp0uBFRUNDxGj96gwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDExMjAwMDBaFw0xNjAxMDExMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCARwwBwYDKgMEBQADggEPADCC
+AQoCggEBANfmMKtuUEw3lxILo4fraJnfg77lcO50uGQnoWDOAklqhNiIcK1Tz3aU
+OHuRre2kHVifmf/GPl8Rvhfx46AFPhAAtxBMBBzm+uRwyQGvvbS8fKKOJHlyefFY
+Gte50zz8zBbwFGfy5YnlzzfrFtKL5iGqg9TYlM8/o/QK4dw36OkkQmAUIJwsOyXv
+gdRaCaiG13YMMRKWyiQBalSo1QBqdFrnITkMoLVj/qkRrN3KsjB6lIVCygz9re/R
+lFclk9SD5d7owZabQ1Jd4aG43JGXFQmAWEIBbipHyuWhukfh0nrGILO76XlliJRY
+f66WAdPjF5DUBnSSlnH8RzaEaq2FcbkCAwEAAaOByzCByDAdBgNVHQ4EFgQUg5go
+QM+kY9WbqIGWgqVApkcs8kIwHwYDVR0jBBgwFoAUA3VbmE8koPJ8o6HDghI0daZm
+izAwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzAChhtodHRwOi8vdXJsLWZvci1h
+aWEvUm9vdC5jZXIwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL3VybC1mb3ItY3Js
+L1Jvb3QuY3JsMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQByPixoT3+GDwIYBfz5eiRHjkqSN88jXp5zvYCJzxOTBZfB
+Guz5EDss1G5nt18VGu//0b6qWilmRS54ZxiJ8EFHQxHBzdBxZzpmEwXQTSrbUuTz
+hPb6pjpExi37nVJNXjz2xyX3+eM0U4Lmcq9OIaX8iM5eDXOwWctKG1z+fA79LUoV
+P7VJhqAlDT5ngPI7hnlM7q3eCDcTBsrYVH3WrK1dOhV4yNEUkmksGWVID8wbO7I7
+Ao+v7iHEjok7zz6Chu373AWwAOBNXFrfPXRvUNyWyMtUqYBxC0rGf4NfExDXhhYb
+wkDUiQ635AhEWY7g8JdMbFe575k97OYj5JjLZ9cO
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            6b:fe:73:9b:39:80:90:40:2b:a7:4b:81:15:15:0d:0f:11:a3:f7:a7
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2016 GMT
+        Subject: CN=Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:a8:75:44:0e:b5:bf:02:84:f6:a2:71:18:fe:02:
+                    cc:88:ee:9a:e6:c7:d2:42:52:e2:77:5a:89:e0:d8:
+                    f3:db:39:4d:90:d8:f0:e8:91:d6:04:08:fc:ff:b6:
+                    28:84:7a:be:68:4c:be:b7:a5:34:14:8e:de:8d:9e:
+                    42:a9:83:4b:ce:9f:6f:fe:99:40:ff:90:67:96:22:
+                    72:3d:6d:e2:7c:f9:e4:28:d6:cb:48:1f:55:2c:68:
+                    ea:83:74:2f:c4:d2:79:91:0c:51:4d:bb:a5:6d:e0:
+                    0b:27:29:71:c3:05:73:cb:81:04:43:da:5c:17:b4:
+                    94:d0:f6:71:72:d1:24:0f:c3:31:5f:f0:5c:69:62:
+                    14:6b:a3:55:2d:c4:d6:4c:10:31:f3:ab:40:3a:52:
+                    d3:84:08:c3:57:df:29:26:f4:98:81:18:fc:48:f8:
+                    2b:2e:65:35:81:fa:09:3d:bf:63:b3:f2:e6:fd:23:
+                    3a:bc:4e:1a:47:f6:5c:31:82:e5:fe:a1:09:ce:c5:
+                    0c:29:55:39:52:e9:d9:62:86:c7:2c:c3:da:d9:bc:
+                    f0:38:97:93:54:21:2e:69:e0:a0:49:d8:27:1b:e6:
+                    a9:0a:74:64:34:f7:ed:20:61:9f:48:db:87:aa:43:
+                    41:09:fb:ec:f4:ae:a8:e8:f4:f2:7b:6a:de:dc:b6:
+                    52:9b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                03:75:5B:98:4F:24:A0:F2:7C:A3:A1:C3:82:12:34:75:A6:66:8B:30
+            X509v3 Authority Key Identifier: 
+                keyid:03:75:5B:98:4F:24:A0:F2:7C:A3:A1:C3:82:12:34:75:A6:66:8B:30
+
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         66:f4:dc:40:f9:8d:5a:14:f5:41:d2:4b:a7:3d:5e:95:f5:76:
+         e3:7c:f9:9e:dd:80:c3:3d:2a:de:8b:98:b7:15:6a:95:26:d8:
+         89:0d:0e:a0:b4:95:9b:79:c5:b4:bb:29:18:da:97:04:14:14:
+         bc:ea:a9:06:99:9e:41:32:a7:11:2c:d6:fd:28:14:ae:1a:b5:
+         b5:2a:63:50:1e:61:e9:90:4a:c1:98:0f:e6:4a:b1:7f:6d:ab:
+         ea:95:28:09:e4:83:98:5d:ac:b1:f1:02:9c:5f:d7:b4:d7:a8:
+         67:86:25:82:1a:b4:cf:39:ab:c7:8a:99:a3:8d:9b:00:4c:46:
+         bf:94:1a:a5:f3:6e:a9:17:28:9a:e1:2e:ae:26:da:e4:3d:65:
+         97:04:83:e1:4e:02:ec:3b:c1:84:4d:27:8a:dd:ff:6c:3a:4e:
+         9f:2d:00:b6:03:2f:10:84:7e:c5:9e:6f:8d:77:34:17:68:35:
+         a8:1e:88:9d:bf:7b:cb:0f:63:c0:e6:71:f8:a2:ff:d1:53:47:
+         0b:ba:5e:50:66:ec:02:b9:28:54:38:fa:54:ef:c2:0e:96:81:
+         75:e0:41:41:d6:eb:2c:f9:78:62:a9:7d:85:2b:69:9e:96:6e:
+         de:32:92:60:9f:0a:0b:0c:50:b2:e4:8a:ad:92:d3:dc:77:eb:
+         51:93:48:66
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgIUa/5zmzmAkEArp0uBFRUNDxGj96cwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0xNTAxMDExMjAwMDBaFw0xNjAxMDExMjAw
+MDBaMA8xDTALBgNVBAMMBFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCodUQOtb8ChPaicRj+AsyI7prmx9JCUuJ3Wong2PPbOU2Q2PDokdYECPz/
+tiiEer5oTL63pTQUjt6NnkKpg0vOn2/+mUD/kGeWInI9beJ8+eQo1stIH1UsaOqD
+dC/E0nmRDFFNu6Vt4AsnKXHDBXPLgQRD2lwXtJTQ9nFy0SQPwzFf8FxpYhRro1Ut
+xNZMEDHzq0A6UtOECMNX3ykm9JiBGPxI+CsuZTWB+gk9v2Oz8ub9Izq8ThpH9lwx
+guX+oQnOxQwpVTlS6dlihscsw9rZvPA4l5NUIS5p4KBJ2Ccb5qkKdGQ09+0gYZ9I
+24eqQ0EJ++z0rqjo9PJ7at7ctlKbAgMBAAGjgcswgcgwHQYDVR0OBBYEFAN1W5hP
+JKDyfKOhw4ISNHWmZoswMB8GA1UdIwQYMBaAFAN1W5hPJKDyfKOhw4ISNHWmZosw
+MDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAoYbaHR0cDovL3VybC1mb3ItYWlh
+L1Jvb3QuY2VyMCwGA1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly91cmwtZm9yLWNybC9S
+b290LmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAZvTcQPmNWhT1QdJLpz1elfV243z5nt2Awz0q3ouYtxVqlSbY
+iQ0OoLSVm3nFtLspGNqXBBQUvOqpBpmeQTKnESzW/SgUrhq1tSpjUB5h6ZBKwZgP
+5kqxf22r6pUoCeSDmF2ssfECnF/XtNeoZ4Ylghq0zzmrx4qZo42bAExGv5QapfNu
+qRcomuEuriba5D1llwSD4U4C7DvBhE0nit3/bDpOny0AtgMvEIR+xZ5vjXc0F2g1
+qB6Inb97yw9jwOZx+KL/0VNHC7peUGbsArkoVDj6VO/CDpaBdeBBQdbrLPl4Yql9
+hStpnpZu3jKSYJ8KCwxQsuSKrZLT3HfrUZNIZg==
+-----END CERTIFICATE-----
diff --git a/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test
new file mode 100644
index 0000000..b56874c
--- /dev/null
+++ b/src/pki/testdata/verify_certificate_chain_unittest/intermediate-invalid-spki/main.test
@@ -0,0 +1,8 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: 151002120000Z
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=1 (CN=Intermediate) -----
+ERROR: Couldn't parse SubjectPublicKeyInfo
+
diff --git a/src/pki/verify_certificate_chain.cc b/src/pki/verify_certificate_chain.cc
index f83aef8..4985ae9 100644
--- a/src/pki/verify_certificate_chain.cc
+++ b/src/pki/verify_certificate_chain.cc
@@ -1042,6 +1042,15 @@
       *shortcircuit_chain_validation = true;
       errors->AddError(cert_errors::kVerifySignedDataFailed);
     }
+  } else {
+    // If `working_public_key_` is null, that indicates the SPKI of the issuer
+    // could not be parsed. Handle this the same way as an invalid signature by
+    // shortcircuiting the rest of verification.
+    // An error should already have been added by ParseAndCheckPublicKey, but
+    // it's added on the CertErrors for the issuer, so we can't BSSL_CHECK
+    // errors->ContainsAnyErrorWithSeverity here. (It will be BSSL_CHECKed when
+    // the shortcircuit_chain_validation is acted on in PathVerifier::Run.)
+    *shortcircuit_chain_validation = true;
   }
   if (*shortcircuit_chain_validation) {
     return;
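Review bot: The new `else` branch sets `*shortcircuit_chain_validation = true` without recording an error itself, so it is only correct while every path that leaves `working_public_key_` null has already added a high-severity error for the issuer. If that ever stops holding, the failure surfaces as the `BSSL_CHECK` in `PathVerifier::Run` (presumably a process abort) while handling certificate data that is not yet trusted, rather than as an ordinary verification failure. I would state this as an explicit requirement in the comment, e.g. `// Invariant: code that leaves working_public_key_ null must have added a SEVERITY_HIGH error to the path.`, and ideally repeat it where the key is assigned. The `if` this branch belongs to and the rest of the function lie outside the hunk, so the exact condition could not be checked here.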
@@ -1591,11 +1600,11 @@
                                time, required_key_purpose, cert_errors,
                                &shortcircuit_chain_validation);
     if (shortcircuit_chain_validation) {
-      // Signature errors should short-circuit the rest of the verification, as
-      // accumulating more errors from untrusted certificates would not be
-      // meaningful.
+      // Signature errors or unparsable SPKIs should short-circuit the rest of
+      // the verification, as accumulating more errors from untrusted
+      // certificates would not be meaningful.
       BSSL_CHECK(
-          cert_errors->ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH));
+          errors->ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH));
       return;
     }
     if (!is_target_cert) {
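Review bot: Switching the `BSSL_CHECK` from `cert_errors` to `errors` weakens the assertion: assuming `errors` is the path-wide collection, any high-severity error already recorded on an earlier certificate now satisfies it, including one unrelated to the signature or SPKI failure that caused the short-circuit. The widening looks necessary because the SPKI parse error is attached to the issuer, but the updated comment does not say so, and a reader comparing it with the old line cannot tell it is deliberate. Suggest adding `// Checked path-wide: an SPKI parse error is recorded on the issuer's CertErrors, not on this certificate's.` directly above the check. The declaration of `errors` and the enclosing loop are outside the hunk.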
diff --git a/src/pki/verify_certificate_chain_typed_unittest.h b/src/pki/verify_certificate_chain_typed_unittest.h
index 95b3976..e9948e1 100644
--- a/src/pki/verify_certificate_chain_typed_unittest.h
+++ b/src/pki/verify_certificate_chain_typed_unittest.h
@@ -119,6 +119,10 @@
   this->RunTest("target-has-512bit-rsa-key/main.test");
 }
 
+TYPED_TEST_P(VerifyCertificateChainSingleRootTest, InvalidPublicKey) {
+  this->RunTest("intermediate-invalid-spki/main.test");
+}
+
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, TargetSignedUsingEcdsa) {
   this->RunTest("target-signed-using-ecdsa/main.test");
 }
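Review bot: `InvalidPublicKey` covers an unparseable SPKI on the intermediate only, while the short-circuit it exercises applies to whichever certificate's key is used to verify the next one in the chain. A companion case with the unparseable SPKI on the trust anchor would confirm that this path also fails with a recorded error instead of tripping the `BSSL_CHECK` in `PathVerifier::Run`. Whether that needs separate handling depends on how the anchor's key is loaded, which is not visible here. The test could also be named after its data directory, e.g. `IntermediateInvalidSpki` (updated in the registration list as well), to leave room for such sibling cases.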
@@ -333,8 +337,8 @@
                             UnknownExtension, MSApplicationPolicies,
                             WeakSignature, WrongSignature,
                             LastCertificateNotTrusted, WeakPublicKey,
-                            TargetSignedUsingEcdsa, Expired, TargetNotEndEntity,
-                            KeyUsage, ExtendedKeyUsage,
+                            InvalidPublicKey, TargetSignedUsingEcdsa, Expired,
+                            TargetNotEndEntity, KeyUsage, ExtendedKeyUsage,
                             IssuerAndSubjectNotByteForByteEqual,
                             TrustAnchorNotSelfSigned, KeyRollover, Policies,
                             ManyNames, TargetOnly, TargetSelfSigned);