Merge pull request #15 from apple/cb-new-asn1-error

Lukasa · web-flow · commit aaafa59d4803 · 2023-02-06T12:10:27.000Z
Update to swift-asn1 new error type
diff --git a/Package.swift b/Package.swift
@@ -31,8 +31,8 @@ let package = Package(
     dependencies: [
         .package(url: "https://github.com/apple/swift-crypto.git", from: "2.2.1"),
         // swift-asn1 repo is private, so we can't access it anonymously yet
-        // .package(url: "https://github.com/apple/swift-asn1.git", .upToNextMinor(from: "0.4.0")),
-        .package(url: "git@github.com:apple/swift-asn1.git", .upToNextMinor(from: "0.4.0")),
+        // .package(url: "https://github.com/apple/swift-asn1.git", .upToNextMinor(from: "0.5.0")),
+        .package(url: "git@github.com:apple/swift-asn1.git", .upToNextMinor(from: "0.5.0")),
         .package(url: "https://github.com/apple/swift-docc-plugin", from: "1.0.0"),
     ],
     targets: [
diff --git a/Sources/X509/Certificate.swift b/Sources/X509/Certificate.swift
@@ -264,7 +264,7 @@ extension Certificate: DERImplicitlyTaggable {
     public init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {
         self = try DER.sequence(rootNode, identifier: identifier) { nodes in
             guard let tbsCertificateNode = nodes.next() else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "TBSCertificate missing")
             }
             let tbsCertificate = try TBSCertificate(derEncoded: tbsCertificateNode)
             let signatureAlgorithm = try AlgorithmIdentifier(derEncoded: &nodes)
diff --git a/Sources/X509/CryptographicMessageSyntax/CMSSignerIdentifier.swift b/Sources/X509/CryptographicMessageSyntax/CMSSignerIdentifier.swift
@@ -36,7 +36,7 @@ enum CMSSignerIdentifier: DERParseable, DERSerializable, Hashable {
             self = try .subjectKeyIdentifier(.init(keyIdentifier: .init(derEncoded: node, withIdentifier: Self.skiIdentifier)))
 
         default:
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.unexpectedFieldType(node.identifier)
         }
     }
     
diff --git a/Sources/X509/Extension Types/BasicConstraints.swift b/Sources/X509/Extension Types/BasicConstraints.swift
@@ -111,7 +111,7 @@ struct BasicConstraintsValue: DERImplicitlyTaggable {
 
         // CA's must not assert the path len constraint field unless isCA is true.
         guard pathLenConstraint == nil || isCA else {
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.invalidASN1Object(reason: "Invalid combination of isCA (\(isCA)) and path length constraint (\(pathLenConstraint)")
         }
     }
 
diff --git a/Sources/X509/Extension Types/KeyUsage.swift b/Sources/X509/Extension Types/KeyUsage.swift
@@ -259,16 +259,16 @@ extension Certificate.Extensions {
                 precondition(bitstring.paddingBits < 8)
                 let bitMask = UInt8(0x01) << bitstring.paddingBits
                 if (bitstring.bytes[bitstring.bytes.startIndex] & bitMask) == 0 {
-                    throw ASN1Error.invalidASN1Object
+                    throw ASN1Error.invalidASN1Object(reason: "Invalid leading padding bit")
                 }
             case 2 where bitstring.paddingBits == 7:
                 // This is fine, there are 9 valid bits: 8 from the prior byte and 1 here.
                 if (bitstring.bytes[bitstring.bytes.startIndex &+ 1] & 0x80) == 0 {
-                    throw ASN1Error.invalidASN1Object
+                    throw ASN1Error.invalidASN1Object(reason: "Invalid padding bit")
                 }
             default:
                 // Too many bits!
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "Too many bits for Key Usage")
             }
         }
     }
diff --git a/Sources/X509/Extension Types/NameConstraints.swift b/Sources/X509/Extension Types/NameConstraints.swift
@@ -278,7 +278,7 @@ extension Certificate.Extensions {
 
             let nameConstraintsValue = try NameConstraintsValue(derEncoded: ext.value)
             guard nameConstraintsValue.permittedSubtrees != nil || nameConstraintsValue.excludedSubtrees != nil else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "Name Constraints has no permitted or excluded subtrees")
             }
 
             self.permittedSubtrees = nameConstraintsValue.permittedSubtrees ?? []
diff --git a/Sources/X509/GeneralName.swift b/Sources/X509/GeneralName.swift
@@ -69,7 +69,7 @@ public enum GeneralName: Hashable, Sendable, DERParseable, DERSerializable {
         case Self.registeredIDTag:
             self = try .registeredID(ASN1ObjectIdentifier(derEncoded: rootNode, withIdentifier: Self.registeredIDTag))
         default:
-            throw ASN1Error.invalidFieldIdentifier
+            throw ASN1Error.unexpectedFieldType(rootNode.identifier)
         }
     }
 
diff --git a/Sources/X509/OCSP/BasicOCSPResponse.swift b/Sources/X509/OCSP/BasicOCSPResponse.swift
@@ -129,26 +129,26 @@ enum ResponderID: DERParseable, DERSerializable, Hashable {
         switch derEncoded.identifier {
         case ResponderID.nameIdentifier:
             guard case .constructed(let nodes) = derEncoded.content else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "ResponderID content must be constructed.")
             }
             var iterator = nodes.makeIterator()
             guard let rootNode = iterator.next(), iterator.next() == nil else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "Invalid number of responder nodes.")
             }
 
             self = try .byName(.init(derEncoded: rootNode))
         case ResponderID.keyIdentifier:
             guard case .constructed(let nodes) = derEncoded.content else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "ResponderID content must be constructed")
             }
             var iterator = nodes.makeIterator()
             guard let rootNode = iterator.next(), iterator.next() == nil else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "Invalid number of responder nodes")
             }
 
             self = try .byKey(.init(derEncoded: rootNode))
         default:
-            throw ASN1Error.unexpectedFieldType
+            throw ASN1Error.unexpectedFieldType(derEncoded.identifier)
         }
     }
 
diff --git a/Sources/X509/OCSP/DirectoryString.swift b/Sources/X509/OCSP/DirectoryString.swift
@@ -48,7 +48,7 @@ enum DirectoryString: DERParseable, DERSerializable, Hashable {
         case .bmpString:
             self = .bmpString(try ASN1BMPString(derEncoded: rootNode))
         default:
-            throw ASN1Error.unexpectedFieldType
+            throw ASN1Error.unexpectedFieldType(rootNode.identifier)
         }
     }
 
diff --git a/Sources/X509/OCSP/OCSPCertStatus.swift b/Sources/X509/OCSP/OCSPCertStatus.swift
@@ -65,7 +65,7 @@ enum OCSPCertStatus: DERParseable, DERSerializable, Hashable {
             self = .unknown
 
         default:
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.unexpectedFieldType(node.identifier)
         }
     }
 
diff --git a/Sources/X509/OCSP/OCSPNonce.swift b/Sources/X509/OCSP/OCSPNonce.swift
@@ -46,7 +46,7 @@ struct OCSPNonce: DERImplicitlyTaggable, Hashable, Sendable {
     init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {
         self.rawValue = try ASN1OctetString(derEncoded: rootNode, withIdentifier: identifier)
         guard (1...32).contains(self.rawValue.bytes.count) else {
-            throw ASN1Error.unsupportedFieldLength
+            throw ASN1Error.unsupportedFieldLength(reason: "OCSP Nonce has invalid number of bytes: \(self.rawValue.bytes.count)")
         }
     }
     
diff --git a/Sources/X509/OCSP/OCSPResponse.swift b/Sources/X509/OCSP/OCSPResponse.swift
@@ -46,7 +46,7 @@ enum OCSPResponse: DERImplicitlyTaggable, Hashable {
                 guard let responseBytes,
                       responseBytes.responseType == .OCSP.basicResponse
                 else {
-                    throw ASN1Error.invalidASN1Object
+                    throw ASN1Error.invalidASN1Object(reason: "Successful response does not have appropriate response bytes: \(responseBytes)")
                 }
                 return .successful(try BasicOCSPResponse(derEncoded: responseBytes.response.bytes))
             case .malformedRequest:
@@ -67,7 +67,9 @@ enum OCSPResponse: DERImplicitlyTaggable, Hashable {
         if case .successful = unsuccessfulStatus {
             preconditionFailure("this init is not allowed to be called with a successful response status")
         }
-        guard responseBytes == nil else { throw ASN1Error.invalidASN1Object }
+        guard responseBytes == nil else {
+            throw ASN1Error.invalidASN1Object(reason: "Must not have response bytes for unsuccessful OCSP response")
+        }
         self = unsuccessfulStatus
     }
 
diff --git a/Sources/X509/OCSP/OCSPResponseBytes.swift b/Sources/X509/OCSP/OCSPResponseBytes.swift
@@ -60,7 +60,7 @@ struct OCSPResponseBytes: DERImplicitlyTaggable, Hashable {
 extension BasicOCSPResponse {
     init(decoding original: OCSPResponseBytes) throws {
         guard original.responseType == .OCSP.basicResponse else {
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.invalidASN1Object(reason: "Cannot decode BasicOCSPResponse from \(original.responseType)")
         }
 
         self = try .init(derEncoded: original.response.bytes)
diff --git a/Sources/X509/OCSP/OCSPResponseStatus.swift b/Sources/X509/OCSP/OCSPResponseStatus.swift
@@ -58,7 +58,7 @@ enum OCSPResponseStatus: DERImplicitlyTaggable, Hashable {
         case 6:
             self = .unauthorized
         default:
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.invalidASN1Object(reason: "Unexpected OCSP response status: \(rawValue)")
         }
     }
     
diff --git a/Sources/X509/X509BaseTypes/TBSCertificate.swift b/Sources/X509/X509BaseTypes/TBSCertificate.swift
@@ -106,7 +106,7 @@ struct TBSCertificate: DERImplicitlyTaggable, Hashable, Sendable {
         self = try DER.sequence(rootNode, identifier: identifier) { nodes in
             let version = try DER.decodeDefaultExplicitlyTagged(&nodes, tagNumber: 0, tagClass: .contextSpecific, defaultValue: Int(0))
             guard (0...2).contains(version) else {
-                throw ASN1Error.invalidASN1Object
+                throw ASN1Error.invalidASN1Object(reason: "Invalid X.509 version \(version)")
             }
 
             let serialNumber = try ArraySlice<UInt8>(derEncoded: &nodes)
diff --git a/Sources/X509/X509BaseTypes/Time.swift b/Sources/X509/X509BaseTypes/Time.swift
@@ -31,7 +31,7 @@ enum Time: DERParseable, DERSerializable, Hashable, Sendable {
         case UTCTime.defaultIdentifier:
             self = .utcTime(try UTCTime(derEncoded: rootNode))
         default:
-            throw ASN1Error.invalidASN1Object
+            throw ASN1Error.unexpectedFieldType(rootNode.identifier)
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ extension Certificate: DERImplicitlyTaggable {`
`264`	`264`	`public init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {`
`265`	`265`	`self = try DER.sequence(rootNode, identifier: identifier) { nodes in`
`266`	`266`	`guard let tbsCertificateNode = nodes.next() else {`
`267`		`- throw ASN1Error.invalidASN1Object`
	`267`	`+ throw ASN1Error.invalidASN1Object(reason: "TBSCertificate missing")`
`268`	`268`	`}`
`269`	`269`	`let tbsCertificate = try TBSCertificate(derEncoded: tbsCertificateNode)`
`270`	`270`	`let signatureAlgorithm = try AlgorithmIdentifier(derEncoded: &nodes)`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ enum CMSSignerIdentifier: DERParseable, DERSerializable, Hashable {`
`36`	`36`	`self = try .subjectKeyIdentifier(.init(keyIdentifier: .init(derEncoded: node, withIdentifier: Self.skiIdentifier)))`
`37`	`37`
`38`	`38`	`default:`
`39`		`- throw ASN1Error.invalidASN1Object`
	`39`	`+ throw ASN1Error.unexpectedFieldType(node.identifier)`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ struct BasicConstraintsValue: DERImplicitlyTaggable {`
`111`	`111`
`112`	`112`	`// CA's must not assert the path len constraint field unless isCA is true.`
`113`	`113`	`guard pathLenConstraint == nil \|\| isCA else {`
`114`		`- throw ASN1Error.invalidASN1Object`
	`114`	`+ throw ASN1Error.invalidASN1Object(reason: "Invalid combination of isCA (\(isCA)) and path length constraint (\(pathLenConstraint)")`
`115`	`115`	`}`
`116`	`116`	`}`
`117`	`117`
Original file line number	Diff line number	Diff line change
`@@ -259,16 +259,16 @@ extension Certificate.Extensions {`
`259`	`259`	`precondition(bitstring.paddingBits < 8)`
`260`	`260`	`let bitMask = UInt8(0x01) << bitstring.paddingBits`
`261`	`261`	`if (bitstring.bytes[bitstring.bytes.startIndex] & bitMask) == 0 {`
`262`		`- throw ASN1Error.invalidASN1Object`
	`262`	`+ throw ASN1Error.invalidASN1Object(reason: "Invalid leading padding bit")`
`263`	`263`	`}`
`264`	`264`	`case 2 where bitstring.paddingBits == 7:`
`265`	`265`	`// This is fine, there are 9 valid bits: 8 from the prior byte and 1 here.`
`266`	`266`	`if (bitstring.bytes[bitstring.bytes.startIndex &+ 1] & 0x80) == 0 {`
`267`		`- throw ASN1Error.invalidASN1Object`
	`267`	`+ throw ASN1Error.invalidASN1Object(reason: "Invalid padding bit")`
`268`	`268`	`}`
`269`	`269`	`default:`
`270`	`270`	`// Too many bits!`
`271`		`- throw ASN1Error.invalidASN1Object`
	`271`	`+ throw ASN1Error.invalidASN1Object(reason: "Too many bits for Key Usage")`
`272`	`272`	`}`
`273`	`273`	`}`
`274`	`274`	`}`
Original file line number	Diff line number	Diff line change
`@@ -278,7 +278,7 @@ extension Certificate.Extensions {`
`278`	`278`
`279`	`279`	`let nameConstraintsValue = try NameConstraintsValue(derEncoded: ext.value)`
`280`	`280`	`guard nameConstraintsValue.permittedSubtrees != nil \|\| nameConstraintsValue.excludedSubtrees != nil else {`
`281`		`- throw ASN1Error.invalidASN1Object`
	`281`	`+ throw ASN1Error.invalidASN1Object(reason: "Name Constraints has no permitted or excluded subtrees")`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`self.permittedSubtrees = nameConstraintsValue.permittedSubtrees ?? []`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public enum GeneralName: Hashable, Sendable, DERParseable, DERSerializable {`
`69`	`69`	`case Self.registeredIDTag:`
`70`	`70`	`self = try .registeredID(ASN1ObjectIdentifier(derEncoded: rootNode, withIdentifier: Self.registeredIDTag))`
`71`	`71`	`default:`
`72`		`- throw ASN1Error.invalidFieldIdentifier`
	`72`	`+ throw ASN1Error.unexpectedFieldType(rootNode.identifier)`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`
Original file line number	Diff line number	Diff line change
`@@ -129,26 +129,26 @@ enum ResponderID: DERParseable, DERSerializable, Hashable {`
`129`	`129`	`switch derEncoded.identifier {`
`130`	`130`	`case ResponderID.nameIdentifier:`
`131`	`131`	`guard case .constructed(let nodes) = derEncoded.content else {`
`132`		`- throw ASN1Error.invalidASN1Object`
	`132`	`+ throw ASN1Error.invalidASN1Object(reason: "ResponderID content must be constructed.")`
`133`	`133`	`}`
`134`	`134`	`var iterator = nodes.makeIterator()`
`135`	`135`	`guard let rootNode = iterator.next(), iterator.next() == nil else {`
`136`		`- throw ASN1Error.invalidASN1Object`
	`136`	`+ throw ASN1Error.invalidASN1Object(reason: "Invalid number of responder nodes.")`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`self = try .byName(.init(derEncoded: rootNode))`
`140`	`140`	`case ResponderID.keyIdentifier:`
`141`	`141`	`guard case .constructed(let nodes) = derEncoded.content else {`
`142`		`- throw ASN1Error.invalidASN1Object`
	`142`	`+ throw ASN1Error.invalidASN1Object(reason: "ResponderID content must be constructed")`
`143`	`143`	`}`
`144`	`144`	`var iterator = nodes.makeIterator()`
`145`	`145`	`guard let rootNode = iterator.next(), iterator.next() == nil else {`
`146`		`- throw ASN1Error.invalidASN1Object`
	`146`	`+ throw ASN1Error.invalidASN1Object(reason: "Invalid number of responder nodes")`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`self = try .byKey(.init(derEncoded: rootNode))`
`150`	`150`	`default:`
`151`		`- throw ASN1Error.unexpectedFieldType`
	`151`	`+ throw ASN1Error.unexpectedFieldType(derEncoded.identifier)`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ enum DirectoryString: DERParseable, DERSerializable, Hashable {`
`48`	`48`	`case .bmpString:`
`49`	`49`	`self = .bmpString(try ASN1BMPString(derEncoded: rootNode))`
`50`	`50`	`default:`
`51`		`- throw ASN1Error.unexpectedFieldType`
	`51`	`+ throw ASN1Error.unexpectedFieldType(rootNode.identifier)`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ enum OCSPCertStatus: DERParseable, DERSerializable, Hashable {`
`65`	`65`	`self = .unknown`
`66`	`66`
`67`	`67`	`default:`
`68`		`- throw ASN1Error.invalidASN1Object`
	`68`	`+ throw ASN1Error.unexpectedFieldType(node.identifier)`
`69`	`69`	`}`
`70`	`70`	`}`
`71`	`71`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ struct OCSPNonce: DERImplicitlyTaggable, Hashable, Sendable {`
`46`	`46`	`init(derEncoded rootNode: ASN1Node, withIdentifier identifier: ASN1Identifier) throws {`
`47`	`47`	`self.rawValue = try ASN1OctetString(derEncoded: rootNode, withIdentifier: identifier)`
`48`	`48`	`guard (1...32).contains(self.rawValue.bytes.count) else {`
`49`		`- throw ASN1Error.unsupportedFieldLength`
	`49`	`+ throw ASN1Error.unsupportedFieldLength(reason: "OCSP Nonce has invalid number of bytes: \(self.rawValue.bytes.count)")`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`