Support PEM input in CertificateView and CertificatePrivateKey.
Since most of the certificate files out there are encoded in PEM, we will need to eventually parse those. This implements PEM patching from scratch, since that appears to be less effort than using openssl/pem.h.
gfe-relnote: n/a (no functional change)
PiperOrigin-RevId: 307510249
Change-Id: Ieec30267af8a9ea8f5c476cc6eaa411c06599baf
diff --git a/quic/core/crypto/certificate_view.cc b/quic/core/crypto/certificate_view.cc
index 5176987..0f17d12 100644
--- a/quic/core/crypto/certificate_view.cc
+++ b/quic/core/crypto/certificate_view.cc
@@ -6,19 +6,24 @@
#include <cstdint>
#include <memory>
+#include <string>
+#include "third_party/boringssl/src/include/openssl/base.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/digest.h"
#include "third_party/boringssl/src/include/openssl/ec.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
#include "third_party/boringssl/src/include/openssl/nid.h"
+#include "third_party/boringssl/src/include/openssl/rsa.h"
#include "third_party/boringssl/src/include/openssl/ssl.h"
#include "net/third_party/quiche/src/quic/core/crypto/boring_utils.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
#include "net/third_party/quiche/src/common/platform/api/quiche_optional.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_str_cat.h"
#include "net/third_party/quiche/src/common/platform/api/quiche_string_piece.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_text_utils.h"
// The literals below were encoded using `ascii2der | xxd -i`. The comments
// above the literals are the contents in the der2ascii syntax.
@@ -89,6 +94,52 @@
namespace quic {
+PemReadResult ReadNextPemMessage(std::istream* input) {
+ constexpr quiche::QuicheStringPiece kPemBegin = "-----BEGIN ";
+ constexpr quiche::QuicheStringPiece kPemEnd = "-----END ";
+ constexpr quiche::QuicheStringPiece kPemDashes = "-----";
+
+ std::string line_buffer, encoded_message_contents, expected_end;
+ bool pending_message = false;
+ PemReadResult result;
+ while (std::getline(*input, line_buffer)) {
+ quiche::QuicheStringPiece line(line_buffer);
+ quiche::QuicheTextUtils::RemoveLeadingAndTrailingWhitespace(&line);
+
+ // Handle BEGIN lines.
+ if (!pending_message &&
+ quiche::QuicheTextUtils::StartsWith(line, kPemBegin) &&
+ quiche::QuicheTextUtils::EndsWith(line, kPemDashes)) {
+ result.type = std::string(
+ line.substr(kPemBegin.size(),
+ line.size() - kPemDashes.size() - kPemBegin.size()));
+ expected_end = quiche::QuicheStrCat(kPemEnd, result.type, kPemDashes);
+ pending_message = true;
+ continue;
+ }
+
+ // Handle END lines.
+ if (pending_message && line == expected_end) {
+ quiche::QuicheOptional<std::string> data =
+ quiche::QuicheTextUtils::Base64Decode(encoded_message_contents);
+ if (data.has_value()) {
+ result.status = PemReadResult::kOk;
+ result.contents = data.value();
+ } else {
+ result.status = PemReadResult::kError;
+ }
+ return result;
+ }
+
+ if (pending_message) {
+ encoded_message_contents.append(std::string(line));
+ }
+ }
+ bool eof_reached = input->eof() && !pending_message;
+ return PemReadResult{
+ .status = (eof_reached ? PemReadResult::kEof : PemReadResult::kError)};
+}
+
std::unique_ptr<CertificateView> CertificateView::ParseSingleCertificate(
quiche::QuicheStringPiece certificate) {
std::unique_ptr<CertificateView> result(new CertificateView());
@@ -265,6 +316,24 @@
return true;
}
+std::vector<std::string> CertificateView::LoadPemFromStream(
+ std::istream* input) {
+ std::vector<std::string> result;
+ for (;;) {
+ PemReadResult read_result = ReadNextPemMessage(input);
+ if (read_result.status == PemReadResult::kEof) {
+ return result;
+ }
+ if (read_result.status != PemReadResult::kOk) {
+ return std::vector<std::string>();
+ }
+ if (read_result.type != "CERTIFICATE") {
+ continue;
+ }
+ result.emplace_back(std::move(read_result.contents));
+ }
+}
+
bool CertificateView::ValidatePublicKeyParameters() {
// The profile here affects what certificates can be used:
// (1) when QUIC is used as a server library without any custom certificate
@@ -327,6 +396,33 @@
return result;
}
+std::unique_ptr<CertificatePrivateKey> CertificatePrivateKey::LoadPemFromStream(
+ std::istream* input) {
+ PemReadResult result = ReadNextPemMessage(input);
+ if (result.status != PemReadResult::kOk) {
+ return nullptr;
+ }
+ // RFC 5958 OneAsymmetricKey message.
+ if (result.type == "PRIVATE KEY") {
+ return LoadFromDer(result.contents);
+ }
+ // Legacy OpenSSL format: PKCS#1 (RFC 8017) RSAPrivateKey message.
+ if (result.type == "RSA PRIVATE KEY") {
+ CBS private_key_cbs = StringPieceToCbs(result.contents);
+ bssl::UniquePtr<RSA> rsa(RSA_parse_private_key(&private_key_cbs));
+ if (rsa == nullptr || CBS_len(&private_key_cbs) != 0) {
+ return nullptr;
+ }
+
+ std::unique_ptr<CertificatePrivateKey> key(new CertificatePrivateKey());
+ key->private_key_.reset(EVP_PKEY_new());
+ EVP_PKEY_assign_RSA(key->private_key_.get(), rsa.release());
+ return key;
+ }
+ // Unknown format.
+ return nullptr;
+}
+
std::string CertificatePrivateKey::Sign(quiche::QuicheStringPiece input,
uint16_t signature_algorithm) {
if (PublicKeyTypeFromSignatureAlgorithm(signature_algorithm) !=
diff --git a/quic/core/crypto/certificate_view.h b/quic/core/crypto/certificate_view.h
index 1707440..286226d 100644
--- a/quic/core/crypto/certificate_view.h
+++ b/quic/core/crypto/certificate_view.h
@@ -5,6 +5,7 @@
#ifndef QUICHE_QUIC_CORE_CRYPTO_CERTIFICATE_VIEW_H_
#define QUICHE_QUIC_CORE_CRYPTO_CERTIFICATE_VIEW_H_
+#include <istream>
#include <memory>
#include <vector>
@@ -18,6 +19,18 @@
namespace quic {
+struct QUIC_EXPORT_PRIVATE PemReadResult {
+ enum Status { kOk, kEof, kError };
+ Status status;
+ std::string contents;
+ // The type of the PEM message (e.g., if the message starts with
+ // "-----BEGIN CERTIFICATE-----", the |type| would be "CERTIFICATE").
+ std::string type;
+};
+
+// Reads |input| line-by-line and returns the next available PEM message.
+QUIC_EXPORT_PRIVATE PemReadResult ReadNextPemMessage(std::istream* input);
+
// CertificateView represents a parsed version of a single X.509 certificate. As
// the word "view" implies, it does not take ownership of the underlying strings
// and consists primarily of pointers into the certificate that is passed into
@@ -29,6 +42,10 @@
static std::unique_ptr<CertificateView> ParseSingleCertificate(
quiche::QuicheStringPiece certificate);
+ // Loads all PEM-encoded X.509 certificates found in the |input| stream
+ // without parsing them. Returns an empty vector if any parsing error occurs.
+ static std::vector<std::string> LoadPemFromStream(std::istream* input);
+
const EVP_PKEY* public_key() const { return public_key_.get(); }
const std::vector<quiche::QuicheStringPiece>& subject_alt_name_domains()
@@ -67,6 +84,11 @@
static std::unique_ptr<CertificatePrivateKey> LoadFromDer(
quiche::QuicheStringPiece private_key);
+ // Loads a private key from a PEM file formatted according to RFC 7468. Also
+ // supports legacy OpenSSL RSA key format ("BEGIN RSA PRIVATE KEY").
+ static std::unique_ptr<CertificatePrivateKey> LoadPemFromStream(
+ std::istream* input);
+
// |signature_algorithm| is a TLS signature algorithm ID.
std::string Sign(quiche::QuicheStringPiece input,
uint16_t signature_algorithm);
diff --git a/quic/core/crypto/certificate_view_der_fuzzer.cc b/quic/core/crypto/certificate_view_der_fuzzer.cc
new file mode 100644
index 0000000..e2de1ba
--- /dev/null
+++ b/quic/core/crypto/certificate_view_der_fuzzer.cc
@@ -0,0 +1,15 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "net/third_party/quiche/src/quic/core/crypto/certificate_view.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ std::string input(reinterpret_cast<const char*>(data), size);
+
+ quic::CertificateView::ParseSingleCertificate(input);
+ quic::CertificatePrivateKey::LoadFromDer(input);
+ return 0;
+}
diff --git a/quic/core/crypto/certificate_view_pem_fuzzer.cc b/quic/core/crypto/certificate_view_pem_fuzzer.cc
new file mode 100644
index 0000000..e1efd98
--- /dev/null
+++ b/quic/core/crypto/certificate_view_pem_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <sstream>
+#include <string>
+
+#include "net/third_party/quiche/src/quic/core/crypto/certificate_view.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ std::string input(reinterpret_cast<const char*>(data), size);
+ std::stringstream stream(input);
+
+ quic::CertificateView::LoadPemFromStream(&stream);
+ stream.seekg(0);
+ quic::CertificatePrivateKey::LoadPemFromStream(&stream);
+ return 0;
+}
diff --git a/quic/core/crypto/certificate_view_test.cc b/quic/core/crypto/certificate_view_test.cc
index 899ae13..661aa27 100644
--- a/quic/core/crypto/certificate_view_test.cc
+++ b/quic/core/crypto/certificate_view_test.cc
@@ -5,6 +5,7 @@
#include "net/third_party/quiche/src/quic/core/crypto/certificate_view.h"
#include <memory>
+#include <sstream>
#include "third_party/boringssl/src/include/openssl/base.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
@@ -17,6 +18,7 @@
namespace {
using testing::ElementsAre;
+using testing::HasSubstr;
// A test certificate generated by //net/tools/quic/certs/generate-certs.sh.
constexpr char kTestCertificateRaw[] = {
@@ -131,6 +133,135 @@
kTestCertificateRaw,
sizeof(kTestCertificateRaw));
+constexpr char kTestCertificatePem[] =
+ R"(Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=QUIC Server Root CA
+ Validity
+ Not Before: Jan 30 18:13:59 2020 GMT
+ Not After : Feb 2 18:13:59 2020 GMT
+ Subject: C=US, ST=California, L=Mountain View, O=QUIC Server, CN=127.0.0.1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:c5:e2:51:6d:3f:d6:28:f2:ad:34:73:87:64:ca:
+ 33:19:33:b7:75:91:ab:31:19:2b:e3:a4:26:09:29:
+ 8b:2d:f7:52:75:a7:55:15:f0:11:c7:c2:c4:ed:18:
+ 1b:33:0b:71:32:e6:35:89:cd:2d:5a:05:57:4e:c2:
+ 78:75:65:72:2d:8a:17:83:d6:32:90:85:f8:22:e2:
+ 65:a9:e0:a0:fe:19:b2:39:2d:14:03:10:2f:cc:8b:
+ 5e:aa:25:27:0d:a3:37:10:0c:17:ec:f0:8b:c5:6b:
+ ed:6b:5e:b2:e2:35:3e:46:3b:f7:f6:59:b1:e0:16:
+ a6:fb:03:bf:84:4f:ce:64:15:0d:59:99:a6:f0:7f:
+ 8a:33:4b:bb:0b:b8:f2:d1:27:90:8f:38:f8:5a:41:
+ 82:07:9b:0d:d9:52:e0:70:ff:de:da:d8:25:4e:2f:
+ 2d:9f:af:92:63:c7:42:b4:dc:16:95:23:05:02:6b:
+ b0:e8:c5:fe:15:9a:e8:7d:2f:dc:43:f4:70:91:1a:
+ 93:be:71:af:85:84:db:cf:6b:5c:80:b2:d3:f3:42:
+ 6e:24:ec:2a:62:99:c6:3c:e5:32:e5:72:37:30:9b:
+ 0b:e4:06:b4:64:26:95:59:ba:f1:53:83:3d:99:6d:
+ f0:80:e2:db:6b:34:52:06:77:3c:73:be:c6:e3:ce:
+ b2:11
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ C8:54:28:F6:D2:D5:12:35:89:15:75:B8:BF:DD:FB:4A:FC:6C:89:DE
+ X509v3 Authority Key Identifier:
+ keyid:50:E4:1D:C3:1A:FB:FD:38:DD:A2:05:FD:C8:FA:57:0A:C1:06:0F:AE
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Subject Alternative Name:
+ DNS:www.example.org, DNS:mail.example.org, DNS:mail.example.com, IP Address:127.0.0.1
+ Signature Algorithm: sha256WithRSAEncryption
+ 45:41:7a:68:e0:a7:59:a1:62:54:73:74:14:4f:de:9c:51:ac:
+ 25:97:70:f7:09:51:39:72:39:3c:d0:31:e1:c3:02:91:14:4d:
+ 8f:1d:31:ab:98:7e:e6:bb:ab:6a:d9:c5:86:aa:4e:6a:48:e9:
+ f8:d7:b3:1d:a0:c5:e6:bf:4c:5a:9b:b5:78:01:a3:39:7b:5f:
+ bc:b8:a7:c2:71:b0:7b:dd:a1:87:a6:54:9c:f6:59:81:b1:2c:
+ de:c5:8a:a2:06:89:b5:c1:7a:be:0c:9f:3d:de:81:48:53:71:
+ 7b:8d:c7:ea:87:d7:d1:da:94:b4:c5:ac:1e:83:a3:42:7d:e6:
+ ab:3f:d6:1c:d6:65:c3:60:e9:76:54:79:3f:eb:65:85:4f:60:
+ 7d:bb:96:03:54:2e:d0:1b:e2:6c:2d:91:ae:33:9c:04:c4:44:
+ 0a:7d:5f:bb:80:a2:01:bc:90:81:a5:dc:4a:c8:77:c9:8d:34:
+ 17:e6:2a:7d:02:1e:32:3f:7d:d7:0c:80:5b:c6:94:6a:42:36:
+ 05:9f:9e:c5:85:9f:60:e3:72:73:34:39:44:75:55:60:24:7a:
+ 8b:09:74:84:72:fd:91:68:93:57:9e:70:46:4d:e4:30:84:5f:
+ 20:07:ad:fd:86:32:d3:fb:ba:af:d9:61:14:3c:e0:a1:a9:51:
+ 51:0f:ad:60
+-----BEGIN CERTIFICATE-----
+MIIDtDCCApygAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNRVUlD
+IFNlcnZlciBSb290IENBMB4XDTIwMDEzMDE4MTM1OVoXDTIwMDIwMjE4MTM1OVow
+ZDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxFDASBgNVBAoMC1FVSUMgU2VydmVyMRIwEAYDVQQDDAkxMjcu
+MC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF4lFtP9Yo8q00
+c4dkyjMZM7d1kasxGSvjpCYJKYst91J1p1UV8BHHwsTtGBszC3Ey5jWJzS1aBVdO
+wnh1ZXItiheD1jKQhfgi4mWp4KD+GbI5LRQDEC/Mi16qJScNozcQDBfs8IvFa+1r
+XrLiNT5GO/f2WbHgFqb7A7+ET85kFQ1Zmabwf4ozS7sLuPLRJ5CPOPhaQYIHmw3Z
+UuBw/97a2CVOLy2fr5Jjx0K03BaVIwUCa7Doxf4Vmuh9L9xD9HCRGpO+ca+FhNvP
+a1yAstPzQm4k7CpimcY85TLlcjcwmwvkBrRkJpVZuvFTgz2ZbfCA4ttrNFIGdzxz
+vsbjzrIRAgMBAAGjgbYwgbMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyFQo9tLV
+EjWJFXW4v937Svxsid4wHwYDVR0jBBgwFoAUUOQdwxr7/TjdogX9yPpXCsEGD64w
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEQGA1UdEQQ9MDuCD3d3dy5l
+eGFtcGxlLm9yZ4IQbWFpbC5leGFtcGxlLm9yZ4IQbWFpbC5leGFtcGxlLmNvbYcE
+fwAAATANBgkqhkiG9w0BAQsFAAOCAQEARUF6aOCnWaFiVHN0FE/enFGsJZdw9wlR
+OXI5PNAx4cMCkRRNjx0xq5h+5ruratnFhqpOakjp+NezHaDF5r9MWpu1eAGjOXtf
+vLinwnGwe92hh6ZUnPZZgbEs3sWKogaJtcF6vgyfPd6BSFNxe43H6ofX0dqUtMWs
+HoOjQn3mqz/WHNZlw2DpdlR5P+tlhU9gfbuWA1Qu0BvibC2RrjOcBMRECn1fu4Ci
+AbyQgaXcSsh3yY00F+YqfQIeMj991wyAW8aUakI2BZ+exYWfYONyczQ5RHVVYCR6
+iwl0hHL9kWiTV55wRk3kMIRfIAet/YYy0/u6r9lhFDzgoalRUQ+tYA==
+-----END CERTIFICATE-----)";
+
+// Same leaf as above, but with an intermediary attached.
+constexpr char kTestCertificateChainPem[] =
+ R"(-----BEGIN CERTIFICATE-----
+MIIDtDCCApygAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNRVUlD
+IFNlcnZlciBSb290IENBMB4XDTIwMDEzMDE4MTM1OVoXDTIwMDIwMjE4MTM1OVow
+ZDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxFDASBgNVBAoMC1FVSUMgU2VydmVyMRIwEAYDVQQDDAkxMjcu
+MC4wLjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF4lFtP9Yo8q00
+c4dkyjMZM7d1kasxGSvjpCYJKYst91J1p1UV8BHHwsTtGBszC3Ey5jWJzS1aBVdO
+wnh1ZXItiheD1jKQhfgi4mWp4KD+GbI5LRQDEC/Mi16qJScNozcQDBfs8IvFa+1r
+XrLiNT5GO/f2WbHgFqb7A7+ET85kFQ1Zmabwf4ozS7sLuPLRJ5CPOPhaQYIHmw3Z
+UuBw/97a2CVOLy2fr5Jjx0K03BaVIwUCa7Doxf4Vmuh9L9xD9HCRGpO+ca+FhNvP
+a1yAstPzQm4k7CpimcY85TLlcjcwmwvkBrRkJpVZuvFTgz2ZbfCA4ttrNFIGdzxz
+vsbjzrIRAgMBAAGjgbYwgbMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyFQo9tLV
+EjWJFXW4v937Svxsid4wHwYDVR0jBBgwFoAUUOQdwxr7/TjdogX9yPpXCsEGD64w
+HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEQGA1UdEQQ9MDuCD3d3dy5l
+eGFtcGxlLm9yZ4IQbWFpbC5leGFtcGxlLm9yZ4IQbWFpbC5leGFtcGxlLmNvbYcE
+fwAAATANBgkqhkiG9w0BAQsFAAOCAQEARUF6aOCnWaFiVHN0FE/enFGsJZdw9wlR
+OXI5PNAx4cMCkRRNjx0xq5h+5ruratnFhqpOakjp+NezHaDF5r9MWpu1eAGjOXtf
+vLinwnGwe92hh6ZUnPZZgbEs3sWKogaJtcF6vgyfPd6BSFNxe43H6ofX0dqUtMWs
+HoOjQn3mqz/WHNZlw2DpdlR5P+tlhU9gfbuWA1Qu0BvibC2RrjOcBMRECn1fu4Ci
+AbyQgaXcSsh3yY00F+YqfQIeMj991wyAW8aUakI2BZ+exYWfYONyczQ5RHVVYCR6
+iwl0hHL9kWiTV55wRk3kMIRfIAet/YYy0/u6r9lhFDzgoalRUQ+tYA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfSgAwIBAgIUfVS7RH+aVGqZhrjyuyD4qCnTS+MwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTUVVJQyBTZXJ2ZXIgUm9vdCBDQTAeFw0yMDAxMzAxODEz
+NTlaFw0yMDAyMDIxODEzNTlaMB4xHDAaBgNVBAMME1FVSUMgU2VydmVyIFJvb3Qg
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc3k0GGpCBf6jXHxia
+QM4ntB6pWkT+NbaZUNHb1SkG2Cp9dN5dEKOXiqOi9306j4WNWTq/q0Ku9lCPPPFs
+JTIVC3tKY8Nbiczw+mohgW4rwLgpAP5rjjVzTxSFpDWZlgkH54HpqLjJFVl4Fklg
+vzSj+rYfqP+ueesi7z7KwPwzd30jjsJlpr2rlkZkidWT5vRTD3uYhNOW7IIT0lRP
+MDTwdxTEU5unyxESAsZyckNuJDeNF0y1Aw5Xiw/Bww+CyRH+tX6OUcWNtA+ZSDU8
+oVH5m4rxYK/DaHAZrA672/ywvUcPQaNaRxsAWRVjhktgyGPT3pjqiHDCN8+42uhH
+SgrbAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFDkHcMa+/04
+3aIF/cj6VwrBBg+uMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
+iX+tn1Zfxx4M5YqZlPgXFB219agrJP2vM0fzW0E4zqDvA2ALaQN+lwdnFueN3tDk
+3IJvxd2W5k1Qh7LqWFUbBghDAP43XffW/yNy0+nuR2n3nRYdNStSMrGQm7oywhBd
+5jQl0GQUyYf1jcbD76HA5JraBjEXnQyJe6gJYHiRiMaMURWyzcngOPv5w3XBzIe3
+sRM0Rk/TTZP1Qx7fDY3ikFe1w9LzAMGbKDTKfc1+F0GZByJ3pdWakUNXZvtGFhIF
+hTXMooR/wD7an6gtnXD8ixCh7bP0TyPiBhNsUb12WrvSEAm/UyciQbQlR7P+K0Z7
+Cmn1Mj4hQ+pT0t+pw/DMOw==
+-----END CERTIFICATE-----)";
+
constexpr char kTestCertificatePrivateKeyRaw[] = {
'\x30', '\x82', '\x04', '\xbc', '\x02', '\x01', '\x00', '\x30', '\x0d',
'\x06', '\x09', '\x2a', '\x86', '\x48', '\x86', '\xf7', '\x0d', '\x01',
@@ -273,6 +404,73 @@
kTestCertificatePrivateKeyRaw,
sizeof(kTestCertificatePrivateKeyRaw));
+constexpr char kTestCertificatePrivateKeyPem[] =
+ R"(-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDF4lFtP9Yo8q00
+c4dkyjMZM7d1kasxGSvjpCYJKYst91J1p1UV8BHHwsTtGBszC3Ey5jWJzS1aBVdO
+wnh1ZXItiheD1jKQhfgi4mWp4KD+GbI5LRQDEC/Mi16qJScNozcQDBfs8IvFa+1r
+XrLiNT5GO/f2WbHgFqb7A7+ET85kFQ1Zmabwf4ozS7sLuPLRJ5CPOPhaQYIHmw3Z
+UuBw/97a2CVOLy2fr5Jjx0K03BaVIwUCa7Doxf4Vmuh9L9xD9HCRGpO+ca+FhNvP
+a1yAstPzQm4k7CpimcY85TLlcjcwmwvkBrRkJpVZuvFTgz2ZbfCA4ttrNFIGdzxz
+vsbjzrIRAgMBAAECggEAOXWsG0MMFrvQ24goanXkPI8t2G/B+/HJMsK5YLO1fFVy
+lkNOi544K38823PCgiHybss2BJuVbaxbW71QaRZZ/ys4BMovyJN+J/MBfkCBvwcL
+H1sdkn4iwww9Ir7DBky8cmZwlBaNH3hlamYHH3RCbvZ+3APTiLRLLFw8QllCHwET
+McUi52qW8vtm/sihfiSWXwLuOCGlFNKmNXBsjabYKtJFMV9nnjVXasQV57pgL45S
+TvxvoAiRMXEGaBlIx4ENXlKTV8z+RqypT+KWT68S+8JLxI07sDjku40ZgeR0Y5yN
+qoSCkd/cRfA5srSsRdo/ME1GseGynd/YxKLv6RqXeQKBgQDlI7jXCVRUO7Z4eGdX
+ZcXUdK8FT7XIjBvRmizW5GjRrz1yQlDI3bHud1K4sTG+8HR4QlnqE4uCAFQi0gok
+sB8edieuY8ZrWSgdoJ9CMPHjWRxPMUn/RX5r7+lv3q8eBJZhTp9Y9Q1kCEgKrqzk
+dpHdbjOXxZba/7xCW3G1dq4BswKBgQDdFKVsiSuAePbDgE1TVLMrQM6YFqC/cvHj
+3OkLRSOGOEwp8aDgLPqGPwGQxRuWEESE++w8dGwNzMPNGygSqrRngMjZG33nVDkD
+bbqqb/eTH5R21qub2j2JN4P+ciq7bzbF4K5l+bvG4pgPvfYi+DVbmeb/bW6ykpNk
+JcHonGtzKwKBgBMwGppnPZiQJ4ePDZhT/Wz9GGrpcd+JXAsBTh/woJZuhka7Juir
+J+tAMr0kmXXTzO0FIWJooJYSUPlZfV/1H6X9XvVLhaIXpTRV7wAr+RWAsM4w4nFt
+8Fg5juK/UwrAd5dObimU27o0t1OtrOy0wSI5yDg9Y5STNcCYx7zaY1fhAoGAUXF8
+q2ow42gsh8LpOYyXYJTERtT3LPAcWjQUiflTZ+uvazg/arZHKFNnsTxbuEGP7Gme
+EntVHxRTAWlCrvXB9etEkm6FSEYHptKylH0g+EsG92yH1adlSfpwnrjSMzB6PhVS
+SfDhExiAqjPxy9oiVfdxWKGoyRIkSB18vMN69fcCgYBBfK5uSD+1C5mqxeqBrYRr
+KXhLGNsO0z5gi+9lTVglOgi1IbZhDPrwaXhOaDbbQUtQ2NOOPXSAjqDm2uxwiXey
+ndZuCsS99poHFbpVn9RNOg9REqTZwph2xbcpQMr0u3QtcQNN5wV1wI2Wflmhizuj
+K6WjyPfTPmsu+k9N5r7TWQ==
+-----END PRIVATE KEY-----)";
+
+// The legacy version was manually generated from the one above using der2ascii.
+constexpr char kTestCertificatePrivateKeyLegacyPem[] =
+ R"(-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAxeJRbT/WKPKtNHOHZMozGTO3dZGrMRkr46QmCSmLLfdSdadVFfARx8LE7Rgb
+MwtxMuY1ic0tWgVXTsJ4dWVyLYoXg9YykIX4IuJlqeCg/hmyOS0UAxAvzIteqiUnDaM3EAwX7PCL
+xWvta16y4jU+Rjv39lmx4Bam+wO/hE/OZBUNWZmm8H+KM0u7C7jy0SeQjzj4WkGCB5sN2VLgcP/e
+2tglTi8tn6+SY8dCtNwWlSMFAmuw6MX+FZrofS/cQ/RwkRqTvnGvhYTbz2tcgLLT80JuJOwqYpnG
+POUy5XI3MJsL5Aa0ZCaVWbrxU4M9mW3wgOLbazRSBnc8c77G486yEQIDAQABAoIBADl1rBtDDBa7
+0NuIKGp15DyPLdhvwfvxyTLCuWCztXxVcpZDToueOCt/PNtzwoIh8m7LNgSblW2sW1u9UGkWWf8r
+OATKL8iTfifzAX5Agb8HCx9bHZJ+IsMMPSK+wwZMvHJmcJQWjR94ZWpmBx90Qm72ftwD04i0Syxc
+PEJZQh8BEzHFIudqlvL7Zv7IoX4kll8C7jghpRTSpjVwbI2m2CrSRTFfZ541V2rEFee6YC+OUk78
+b6AIkTFxBmgZSMeBDV5Sk1fM/kasqU/ilk+vEvvCS8SNO7A45LuNGYHkdGOcjaqEgpHf3EXwObK0
+rEXaPzBNRrHhsp3f2MSi7+kal3kCgYEA5SO41wlUVDu2eHhnV2XF1HSvBU+1yIwb0Zos1uRo0a89
+ckJQyN2x7ndSuLExvvB0eEJZ6hOLggBUItIKJLAfHnYnrmPGa1koHaCfQjDx41kcTzFJ/0V+a+/p
+b96vHgSWYU6fWPUNZAhICq6s5HaR3W4zl8WW2v+8QltxtXauAbMCgYEA3RSlbIkrgHj2w4BNU1Sz
+K0DOmBagv3Lx49zpC0UjhjhMKfGg4Cz6hj8BkMUblhBEhPvsPHRsDczDzRsoEqq0Z4DI2Rt951Q5
+A226qm/3kx+Udtarm9o9iTeD/nIqu282xeCuZfm7xuKYD732Ivg1W5nm/21uspKTZCXB6JxrcysC
+gYATMBqaZz2YkCeHjw2YU/1s/Rhq6XHfiVwLAU4f8KCWboZGuyboqyfrQDK9JJl108ztBSFiaKCW
+ElD5WX1f9R+l/V71S4WiF6U0Ve8AK/kVgLDOMOJxbfBYOY7iv1MKwHeXTm4plNu6NLdTrazstMEi
+Ocg4PWOUkzXAmMe82mNX4QKBgFFxfKtqMONoLIfC6TmMl2CUxEbU9yzwHFo0FIn5U2frr2s4P2q2
+RyhTZ7E8W7hBj+xpnhJ7VR8UUwFpQq71wfXrRJJuhUhGB6bSspR9IPhLBvdsh9WnZUn6cJ640jMw
+ej4VUknw4RMYgKoz8cvaIlX3cVihqMkSJEgdfLzDevX3AoGAQXyubkg/tQuZqsXqga2Eayl4Sxjb
+DtM+YIvvZU1YJToItSG2YQz68Gl4Tmg220FLUNjTjj10gI6g5trscIl3sp3WbgrEvfaaBxW6VZ/U
+TToPURKk2cKYdsW3KUDK9Lt0LXEDTecFdcCNln5ZoYs7oyulo8j30z5rLvpPTea+01k=
+-----END RSA PRIVATE KEY-----)";
+
+TEST(CertificateViewTest, PemParser) {
+ std::stringstream stream(kTestCertificatePem);
+ PemReadResult result = ReadNextPemMessage(&stream);
+ EXPECT_EQ(result.status, PemReadResult::kOk);
+ EXPECT_EQ(result.type, "CERTIFICATE");
+ EXPECT_EQ(result.contents, kTestCertificate);
+
+ result = ReadNextPemMessage(&stream);
+ EXPECT_EQ(result.status, PemReadResult::kEof);
+}
+
TEST(CertificateViewTest, Parse) {
std::unique_ptr<CertificateView> view =
CertificateView::ParseSingleCertificate(kTestCertificate);
@@ -287,6 +485,28 @@
EXPECT_EQ(EVP_PKEY_id(view->public_key()), EVP_PKEY_RSA);
}
+TEST(CertificateViewTest, PemSingleCertificate) {
+ std::stringstream pem_stream(kTestCertificatePem);
+ std::vector<std::string> chain =
+ CertificateView::LoadPemFromStream(&pem_stream);
+ EXPECT_THAT(chain, ElementsAre(kTestCertificate));
+}
+
+TEST(CertificateViewTest, PemMultipleCertificates) {
+ std::stringstream pem_stream(kTestCertificateChainPem);
+ std::vector<std::string> chain =
+ CertificateView::LoadPemFromStream(&pem_stream);
+ EXPECT_THAT(chain,
+ ElementsAre(kTestCertificate, HasSubstr("QUIC Server Root CA")));
+}
+
+TEST(CertificateViewTest, PemNoCertificates) {
+ std::stringstream pem_stream("one\ntwo\nthree\n");
+ std::vector<std::string> chain =
+ CertificateView::LoadPemFromStream(&pem_stream);
+ EXPECT_TRUE(chain.empty());
+}
+
TEST(CertificateViewTest, SignAndVerify) {
std::unique_ptr<CertificatePrivateKey> key =
CertificatePrivateKey::LoadFromDer(kTestCertificatePrivateKey);
@@ -309,5 +529,23 @@
SSL_SIGN_RSA_PSS_RSAE_SHA256));
}
+TEST(CertificateViewTest, PrivateKeyPem) {
+ std::unique_ptr<CertificateView> view =
+ CertificateView::ParseSingleCertificate(kTestCertificate);
+ ASSERT_TRUE(view != nullptr);
+
+ std::stringstream pem_stream(kTestCertificatePrivateKeyPem);
+ std::unique_ptr<CertificatePrivateKey> pem_key =
+ CertificatePrivateKey::LoadPemFromStream(&pem_stream);
+ ASSERT_TRUE(pem_key != nullptr);
+ EXPECT_TRUE(pem_key->MatchesPublicKey(*view));
+
+ std::stringstream legacy_stream(kTestCertificatePrivateKeyLegacyPem);
+ std::unique_ptr<CertificatePrivateKey> legacy_key =
+ CertificatePrivateKey::LoadPemFromStream(&legacy_stream);
+ ASSERT_TRUE(legacy_key != nullptr);
+ EXPECT_TRUE(legacy_key->MatchesPublicKey(*view));
+}
+
} // namespace
} // namespace quic
