From 402c3fe304343974c1730b1dac8e53e52d3dd3aa Mon Sep 17 00:00:00 2001
From: Roger Ng <rogerng@google.com>
Date: Fri, 14 Mar 2025 15:21:04 +0000
Subject: [PATCH] Add `ParseExtKeyUsages` tests

---
 internal/scti/chain_validation.go      |  1 -
 internal/scti/chain_validation_test.go | 73 ++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go
index 9c315da3..9fe33a3e 100644
--- a/internal/scti/chain_validation.go
+++ b/internal/scti/chain_validation.go
@@ -45,7 +45,6 @@ var stringToKeyUsage = map[string]x509.ExtKeyUsage{
 
 // ParseExtKeyUsages parses strings into x509ExtKeyUsage.
 // Throws an error if the string does not match with a known key usage.
-// TODO(phboneff): add tests
 func ParseExtKeyUsages(kus []string) ([]x509.ExtKeyUsage, error) {
 	lExtKeyUsages := make([]x509.ExtKeyUsage, 0, len(kus))
 	// Validate the extended key usages list.
diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go
index eee64aad..25b7a3ec 100644
--- a/internal/scti/chain_validation_test.go
+++ b/internal/scti/chain_validation_test.go
@@ -27,6 +27,79 @@ import (
 	"github.com/transparency-dev/static-ct/internal/x509util"
 )
 
+func TestParseExtKeyUsages(t *testing.T) {
+	for _, tc := range []struct {
+		desc        string
+		extKeyUsage []string
+		wantEKU     []x509.ExtKeyUsage
+		wantErr     bool
+	}{
+		{
+			desc:        "empty",
+			extKeyUsage: []string{},
+			wantEKU:     []x509.ExtKeyUsage{},
+			wantErr:     false,
+		},
+		{
+			desc:        "valid-single",
+			extKeyUsage: []string{"ServerAuth"},
+			wantEKU:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			wantErr:     false,
+		},
+		{
+			desc:        "valid-multiple",
+			extKeyUsage: []string{"ServerAuth", "ClientAuth"},
+			wantEKU:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+			wantErr:     false,
+		},
+		{
+			desc:        "invalid",
+			extKeyUsage: []string{"InvalidUsage"},
+			wantEKU:     nil,
+			wantErr:     true,
+		},
+		{
+			desc:        "mixed",
+			extKeyUsage: []string{"ServerAuth", "InvalidUsage"},
+			wantEKU:     nil,
+			wantErr:     true,
+		},
+		{
+			desc:        "any",
+			extKeyUsage: []string{"Any"},
+			wantEKU:     nil,
+			wantErr:     false,
+		},
+		{
+			desc:        "any-with-other-usages",
+			extKeyUsage: []string{"Any", "ServerAuth"},
+			wantEKU:     nil,
+			wantErr:     false,
+		},
+	} {
+		t.Run(tc.desc, func(t *testing.T) {
+			got, err := ParseExtKeyUsages(tc.extKeyUsage)
+			if tc.wantErr {
+				if err == nil {
+					t.Errorf("ParseExtKeyUsages(%v) = nil, want error", tc.extKeyUsage)
+				}
+				return
+			}
+			if err != nil {
+				t.Errorf("ParseExtKeyUsages(%v) = %v, want nil", tc.extKeyUsage, err)
+			}
+			if len(got) != len(tc.wantEKU) {
+				t.Errorf("ParseExtKeyUsages(%v) = %v, want %v", tc.extKeyUsage, got, tc.wantEKU)
+			}
+			for i, e := range tc.wantEKU {
+				if got[i] != e {
+					t.Errorf("ParseExtKeyUsages(%v) = %v, want %v", tc.extKeyUsage, got, tc.wantEKU)
+				}
+			}
+		})
+	}
+}
+
 func wipeExtensions(cert *x509.Certificate) *x509.Certificate {
 	cert.Extensions = cert.Extensions[:0]
 	return cert