From 1803ae76d6b14e02bcba915bf4796932ad97be99 Mon Sep 17 00:00:00 2001
From: Stiopa Koltsov
Date: Tue, 16 Feb 2021 05:11:19 +0000
Subject: [PATCH] Error::UnsupportedCertVersion instead of BadDER on certificate v1
---
 src/cert.rs | 2 +-
 src/trust_anchor.rs | 2 +-
 tests/cert_v1.der | Bin 0 -> 809 bytes
 tests/cert_v1_unsupported.rs | 13 +++++++++++++
 4 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 tests/cert_v1.der
 create mode 100644 tests/cert_v1_unsupported.rs
diff --git a/src/cert.rs b/src/cert.rs
index ef5c61a2..4f236ea8 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -135,7 +135,7 @@ fn version3(input: &mut untrusted::Reader) -> Result<(), Error> {
 der::nested(
 input,
 der::Tag::ContextSpecificConstructed0,
- Error::BadDER,
+ Error::UnsupportedCertVersion,
 |input| {
 let version = der::small_nonnegative_integer(input)?;
 if version != 2 {
diff --git a/src/trust_anchor.rs b/src/trust_anchor.rs
index b1011ccf..414658e2 100644
--- a/src/trust_anchor.rs
+++ b/src/trust_anchor.rs
@@ -57,7 +57,7 @@ impl<'a> TrustAnchor<'a> {
 possibly_invalid_certificate_serial_number,
 ) {
 Ok(cert) => Ok(Self::from(cert)),
- Err(Error::BadDER) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
+ Err(Error::UnsupportedCertVersion) => parse_cert_v1(cert_der).or(Err(Error::BadDER)),
 Err(err) => Err(err),
 }
 }
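Review bot: The error value handed to `der::nested` in `version3` now labels every failure to read the `[0]` version wrapper as `Error::UnsupportedCertVersion`, so input that is simply malformed at that position would presumably be reported as an unsupported version rather than `Error::BadDER`; `der::nested` itself is not shown, so this is inferred from the call. Callers that branch on the variant, such as the `TrustAnchor` match changed in this same commit, then treat a genuine v1 certificate and a broken one alike. I would at least record the choice above the call, e.g. `// Absent or unreadable [0] version field is reported as UnsupportedCertVersion (v1 has no such field).` The body of `version3` continues past the hunk, so what the `version != 2` branch returns is not visible.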
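Review bot: The v1 fallback in this match arm is now selected purely by `Error::UnsupportedCertVersion`, which ties trust-anchor parsing to whatever the certificate parser chooses to report under that variant. If the `version != 2` branch of `version3` (outside the visible hunks) returns the same variant, a certificate that declares an explicit non-v3 version would also be handed to `parse_cert_v1`, and any failure there is flattened to `BadDER` by `.or(Err(Error::BadDER))`. A comment on the arm stating the intent would help, e.g. `// Only a certificate lacking the [0] version field (v1) is retried as a v1 trust anchor.` The enclosing function starts and ends outside the hunk.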
diff --git a/tests/cert_v1.der b/tests/cert_v1.der
new file mode 100644
index 0000000000000000000000000000000000000000..a603733a5cb7ac3f925324d531f6b5f6098b36d2
GIT binary patch literal 809 zcmXqLVpcV1V&Y}uWVrTv)m#IuADjlfY@Awc9&O)w85vnw84Q99xeYkkm_u3EgqcEv z4f%ocKn@2Fn@eh5W@3(^h=CADfSrdsxS%LAuOuxqH7CW8$AAkY%EiO%l38rXXTSsE zG4rtIR_Y}u8pw(B8W|cG8JZaw8(WxIMnSpeP_98Zs-3(B+z>liLQ4`eV5YJ2um%+6 zm*pFZ8VEz|;&F8LbyWyXEh@`QPBj!V5P(?9nUkNKn3IuTTw>6~sD$i4Mpg#qCPsb+ zpg0#(6C)$T{+P(mQE8s%7;d?``8R)iloy^q;fTOe*>sUh|H@?xIo1iuuRL~x>C1{= zmzy54XIPw?wRrW3K>{mE&W>sXI{*|mE$I!gl}mqHo%rZk`>H)PW^L??#E-wz&Gr}H45@6|`HF+%*YceevWNKWS~$8E zYi&Eaa_zZCuem>@KFK`3qCkGropoCbtn;pMp4!W>=y95*K!li##A1D353xhc$3;$>w0L^CTkWVaJ**c}o^7<4*JAyL56c9S&t1&>pzBe* zr7ylOWgc&ofu`>~jf(ARx0#q385og62$%wZA;iew@Ww-s!_;!mRnC{U0;9aXtuIOa z$5$h;U}i#!45!}m6va7Gr;jhIi&SRdUBza+t~aLU_spDJM&*TZGuVD!d2GGoO;-JS z%l8YHPwR<)bN5F%yXvyd7{e!l*oD)M*YQsG-GTVj;2rAOxWHt3qx)d%-Sb7ySS-mJ450C?UoM*si- literal 0 HcmV?d00001
diff --git a/tests/cert_v1_unsupported.rs b/tests/cert_v1_unsupported.rs
new file mode 100644
index 00000000..edffeacc
--- /dev/null
+++ b/tests/cert_v1_unsupported.rs
@@ -0,0 +1,13 @@
+use std::convert::TryFrom;
+
+// Check with `openssl x509 -text -noout -in cert_v1.der -inform DER`
+// to verify this is a correct 1 certificate.
+const CERT_V1_DER: &[u8] = include_bytes!("cert_v1.der");
+
+#[test]
+fn error() {
+ assert_eq!(
+ Some(webpki::Error::UnsupportedCertVersion),
+ webpki::EndEntityCert::try_from(CERT_V1_DER).err()
+ );
+}
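Review bot: The new test covers only `webpki::EndEntityCert::try_from`, while the commit also changes which error triggers the v1 fallback in `src/trust_anchor.rs`; nothing here checks that `cert_v1.der` is still accepted as a trust anchor. A second `#[test]` that parses `CERT_V1_DER` through the `TrustAnchor` constructor touched by this commit and asserts the result is `Ok` would pin that path. The comment should read `// to verify this is a correct v1 certificate.`, and a name such as `fn v1_end_entity_cert_is_unsupported()` says more in test output than `fn error()`.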