Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(442)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/name_constraints_unittest.cc

Issue 1214933009: Class for parsing and evaluating RFC 5280 NameConstraints. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@compare_DN2
Patch Set: changes for comment #16 Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/cert/internal/test_helpers.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/internal/name_constraints.h"
6
7 #include "net/cert/internal/test_helpers.h"
8 #include "testing/gtest/include/gtest/gtest.h"
9
10 namespace net {
11 namespace {
12
13 ::testing::AssertionResult LoadTestData(const char* token,
14 const std::string& basename,
15 std::string* result) {
16 std::string path = "net/data/name_constraints_unittest/" + basename;
17
18 const PemBlockMapping mappings[] = {
19 {token, result},
20 };
21
22 return ReadTestDataFromPemFile(path, mappings);
23 }
24
25 ::testing::AssertionResult LoadTestName(const std::string& basename,
26 std::string* result) {
27 return LoadTestData("NAME", basename, result);
28 }
29
30 ::testing::AssertionResult LoadTestNameConstraint(const std::string& basename,
31 std::string* result) {
32 return LoadTestData("NAME CONSTRAINTS", basename, result);
33 }
34
35 ::testing::AssertionResult LoadTestSubjectAltName(const std::string& basename,
36 std::string* result) {
37 return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
38 }
39
40 } // namespace
41
42 class ParseNameConstraints
43 : public ::testing::TestWithParam<::testing::tuple<bool>> {
44 public:
45 bool is_critical() const { return ::testing::get<0>(GetParam()); }
46 };
47
48 // Run the tests with the name constraints marked critical and non-critical. For
49 // supported name types, the results should be the same for both.
50 INSTANTIATE_TEST_CASE_P(InstantiationName,
51 ParseNameConstraints,
52 ::testing::Values(true, false));
53
54 TEST_P(ParseNameConstraints, DNSNames) {
55 std::string a;
56 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
57
58 scoped_ptr<NameConstraints> name_constraints(
59 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
60 ASSERT_TRUE(name_constraints);
61
62 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
63 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
64 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
65 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
66 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
67 EXPECT_TRUE(
68 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
69 EXPECT_FALSE(
70 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
71 EXPECT_FALSE(
72 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
73 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
74 "stillnotpermitted.excluded.permitted.example.com"));
75 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
76 "a.stillnotpermitted.excluded.permitted.example.com"));
77 EXPECT_FALSE(
78 name_constraints->IsPermittedDNSName("extraneousexclusion.example.com"));
79 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
80 "a.extraneousexclusion.example.com"));
81 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.example.com"));
82 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.com"));
83
84 // Wildcard names:
85 // Pattern could match excluded.permitted.example.com, thus should not be
86 // allowed.
87 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.permitted.example.com"));
88 // Entirely within excluded name, obviously not allowed.
89 EXPECT_FALSE(
90 name_constraints->IsPermittedDNSName("*.excluded.permitted.example.com"));
91 // Within permitted.example.com and cannot match any exclusion, thus these are
92 // allowed.
93 EXPECT_TRUE(
94 name_constraints->IsPermittedDNSName("*.foo.permitted.example.com"));
95 EXPECT_TRUE(
96 name_constraints->IsPermittedDNSName("*.alsopermitted.example.com"));
97 // Matches permitted.example2.com, but also matches other .example2.com names
98 // which are not in either permitted or excluded, so not allowed.
99 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.example2.com"));
100 // Partial wildcards are not supported, so these name are permitted even if
101 // it seems like they shouldn't be. It's fine, since certificate verification
102 // won't treat them as wildcard names either.
103 EXPECT_TRUE(
104 name_constraints->IsPermittedDNSName("*xcluded.permitted.example.com"));
105 EXPECT_TRUE(
106 name_constraints->IsPermittedDNSName("exclude*.permitted.example.com"));
107 EXPECT_TRUE(
108 name_constraints->IsPermittedDNSName("excl*ded.permitted.example.com"));
109 // Garbage wildcard data.
110 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*."));
111 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.*"));
112 EXPECT_FALSE(name_constraints->IsPermittedDNSName(".*"));
113 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*"));
114 // Matches SAN with trailing dot.
115 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com"));
116 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
117 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
118 EXPECT_TRUE(
119 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
120
121 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->ConstrainedNameTypes());
122
123 std::string san;
124 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
125 EXPECT_TRUE(
126 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
127
128 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
129 EXPECT_FALSE(
130 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
131
132 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
133 EXPECT_TRUE(
134 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
135
136 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
137 EXPECT_TRUE(
138 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
139 }
140
141 TEST_P(ParseNameConstraints,
142 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
143 std::string a;
144 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
145 scoped_ptr<NameConstraints> name_constraints(
146 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
147 ASSERT_TRUE(name_constraints);
148
149 // Matches permitted exactly.
150 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
151 // Contained within permitted and doesn't match excluded (foo.bar.com).
152 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
153 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
154 // Matches excluded exactly.
155 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
156 // Contained within excluded.
157 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
158
159 // Cannot match anything within excluded.
160 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
161 // Wildcard hostnames only match a single label, so cannot match excluded
162 // which has two labels before .com.
163 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
164
165 // Partial match of foo.bar.com.
166 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
167 // All expansions of wildcard are within excluded.
168 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
169 }
170
171 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
172 std::string a;
173 ASSERT_TRUE(
174 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
175 scoped_ptr<NameConstraints> name_constraints(
176 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
177 ASSERT_TRUE(name_constraints);
178
179 // dNSName constraints should be specified as a host. A dNSName constraint
180 // with a leading "." doesn't make sense, though some certs include it
181 // (probably confusing it with the rules for uniformResourceIdentifier
182 // constraints). It should not match anything.
183 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
185 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
186 }
187
188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
189 std::string a;
190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
191
192 scoped_ptr<NameConstraints> name_constraints(
193 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
194 ASSERT_TRUE(name_constraints);
195
196 // Only "excluded.permitted.example.com" is excluded, but since no dNSNames
197 // are permitted, everything is excluded.
198 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
199 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
200 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
201 EXPECT_FALSE(
202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
203 EXPECT_FALSE(
204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
205 }
206
207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
208 std::string a;
209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
210
211 scoped_ptr<NameConstraints> name_constraints(
212 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
213 ASSERT_TRUE(name_constraints);
214
215 // "permitted.example.com" is in the permitted section, but since "" is
216 // excluded, nothing is permitted.
217 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
218 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
219 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
220 EXPECT_FALSE(
221 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
222 }
223
224 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
225 std::string a;
226 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
227
228 scoped_ptr<NameConstraints> name_constraints(
229 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
230 ASSERT_TRUE(name_constraints);
231
232 // "." is excluded, which should match nothing.
233 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
234 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
235 EXPECT_TRUE(
236 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
237 }
238
239 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
240 std::string a;
241 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
242
243 size_t replace_location = a.find("permitted.example2.com");
244 ASSERT_NE(std::string::npos, replace_location);
245 a.replace(replace_location, 1, 1, -1);
246
247 EXPECT_FALSE(
248 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
249 }
250
251 TEST_P(ParseNameConstraints, DirectoryNames) {
252 std::string constraints_der;
253 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
254
255 std::string name_us;
256 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
257 std::string name_us_ca;
258 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
259 std::string name_us_ca_mountain_view;
260 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
261 &name_us_ca_mountain_view));
262 std::string name_us_az;
263 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
264 std::string name_jp;
265 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
266 std::string name_jp_tokyo;
267 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
268 std::string name_de;
269 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
270 std::string name_ca;
271 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
272
273 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
274 InputFromString(&constraints_der), is_critical()));
275 ASSERT_TRUE(name_constraints);
276
277 // Not in any permitted subtree.
278 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
279 SequenceValueFromString(&name_ca)));
280 // Within the permitted C=US subtree.
281 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
282 SequenceValueFromString(&name_us)));
283 // Within the permitted C=US subtree.
284 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
285 SequenceValueFromString(&name_us_az)));
286 // Within the permitted C=US subtree, however the excluded C=US,ST=California
287 // subtree takes priority.
288 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
289 SequenceValueFromString(&name_us_ca)));
290 // Within the permitted C=US subtree as well as the permitted
291 // C=US,ST=California,L=Mountain View subtree, however the excluded
292 // C=US,ST=California subtree still takes priority.
293 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
294 SequenceValueFromString(&name_us_ca_mountain_view)));
295 // Not in any permitted subtree, and also inside the extraneous excluded C=DE
296 // subtree.
297 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
298 SequenceValueFromString(&name_de)));
299 // Not in any permitted subtree.
300 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
301 SequenceValueFromString(&name_jp)));
302 // Within the permitted C=JP,ST=Tokyo subtree.
303 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
304 SequenceValueFromString(&name_jp_tokyo)));
305
306 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
307 name_constraints->ConstrainedNameTypes());
308
309 // Within the permitted C=US subtree.
310 EXPECT_TRUE(name_constraints->IsPermittedCert(
311 SequenceValueFromString(&name_us), der::Input()));
312 // Within the permitted C=US subtree, however the excluded C=US,ST=California
313 // subtree takes priority.
314 EXPECT_FALSE(name_constraints->IsPermittedCert(
315 SequenceValueFromString(&name_us_ca), der::Input()));
316
317 std::string san;
318 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
319 EXPECT_TRUE(
320 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
321
322 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
323 EXPECT_TRUE(
324 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
325
326 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
327 EXPECT_FALSE(
328 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
329
330 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
331 EXPECT_TRUE(
332 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
333 }
334
335 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
336 std::string constraints_der;
337 ASSERT_TRUE(
338 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
339 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
340 InputFromString(&constraints_der), is_critical()));
341 ASSERT_TRUE(name_constraints);
342
343 std::string name_empty;
344 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
345 std::string name_us;
346 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
347 std::string name_us_ca;
348 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
349 std::string name_us_ca_mountain_view;
350 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
351 &name_us_ca_mountain_view));
352
353 // Only "C=US,ST=California" is excluded, but since no directoryNames are
354 // permitted, everything is excluded.
355 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
356 SequenceValueFromString(&name_empty)));
357 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
358 SequenceValueFromString(&name_us)));
359 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
360 SequenceValueFromString(&name_us_ca)));
361 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
362 SequenceValueFromString(&name_us_ca_mountain_view)));
363 }
364
365 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
366 std::string constraints_der;
367 ASSERT_TRUE(
368 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
369 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
370 InputFromString(&constraints_der), is_critical()));
371 ASSERT_TRUE(name_constraints);
372
373 std::string name_empty;
374 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
375 std::string name_us;
376 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
377 std::string name_us_ca;
378 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
379 std::string name_us_ca_mountain_view;
380 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
381 &name_us_ca_mountain_view));
382 std::string name_jp;
383 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
384
385 // "C=US" is in the permitted section, but since an empty
386 // directoryName is excluded, nothing is permitted.
387 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
388 SequenceValueFromString(&name_empty)));
389 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
390 SequenceValueFromString(&name_us)));
391 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
392 SequenceValueFromString(&name_us_ca)));
393 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
394 SequenceValueFromString(&name_jp)));
395 }
396
397 TEST_P(ParseNameConstraints, IPAdresses) {
398 std::string a;
399 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
400
401 scoped_ptr<NameConstraints> name_constraints(
402 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
403 ASSERT_TRUE(name_constraints);
404
405 // IPv4 tests:
406 {
407 // Not in any permitted range.
408 const uint8_t ip4[] = {192, 169, 0, 1};
409 EXPECT_FALSE(name_constraints->IsPermittedIP(
410 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
411 }
412 {
413 // Within the permitted 192.168.0.0/255.255.0.0 range.
414 const uint8_t ip4[] = {192, 168, 0, 1};
415 EXPECT_TRUE(name_constraints->IsPermittedIP(
416 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
417 }
418 {
419 // Within the permitted 192.168.0.0/255.255.0.0 range, however the
420 // excluded 192.168.5.0/255.255.255.0 takes priority.
421 const uint8_t ip4[] = {192, 168, 5, 1};
422 EXPECT_FALSE(name_constraints->IsPermittedIP(
423 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
424 }
425 {
426 // Within the permitted 192.168.0.0/255.255.0.0 range as well as the
427 // permitted 192.168.5.32/255.255.255.224 range, however the excluded
428 // 192.168.5.0/255.255.255.0 still takes priority.
429 const uint8_t ip4[] = {192, 168, 5, 33};
430 EXPECT_FALSE(name_constraints->IsPermittedIP(
431 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
432 }
433 {
434 // Not in any permitted range. (Just outside the
435 // 192.167.5.32/255.255.255.224 range.)
436 const uint8_t ip4[] = {192, 167, 5, 31};
437 EXPECT_FALSE(name_constraints->IsPermittedIP(
438 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
439 }
440 {
441 // Within the permitted 192.167.5.32/255.255.255.224 range.
442 const uint8_t ip4[] = {192, 167, 5, 32};
443 EXPECT_TRUE(name_constraints->IsPermittedIP(
444 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
445 }
446 {
447 // Within the permitted 192.167.5.32/255.255.255.224 range.
448 const uint8_t ip4[] = {192, 167, 5, 63};
449 EXPECT_TRUE(name_constraints->IsPermittedIP(
450 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
451 }
452 {
453 // Not in any permitted range. (Just outside the
454 // 192.167.5.32/255.255.255.224 range.)
455 const uint8_t ip4[] = {192, 167, 5, 64};
456 EXPECT_FALSE(name_constraints->IsPermittedIP(
457 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
458 }
459 {
460 // Not in any permitted range, and also inside the extraneous excluded
461 // 192.166.5.32/255.255.255.224 range.
462 const uint8_t ip4[] = {192, 166, 5, 32};
463 EXPECT_FALSE(name_constraints->IsPermittedIP(
464 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
465 }
466
467 // IPv6 tests:
468 {
469 // Not in any permitted range.
470 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1};
471 EXPECT_FALSE(name_constraints->IsPermittedIP(
472 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
473 }
474 {
475 // Within the permitted
476 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
477 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1};
478 EXPECT_TRUE(name_constraints->IsPermittedIP(
479 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
480 }
481 {
482 // Within the permitted
483 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
484 // the excluded
485 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
486 // priority.
487 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1};
488 EXPECT_FALSE(name_constraints->IsPermittedIP(
489 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
490 }
491 {
492 // Within the permitted
493 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
494 // as the permitted
495 // 102:304:506:708:90a:b0c:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0,
496 // however the excluded
497 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
498 // priority.
499 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1};
500 EXPECT_FALSE(name_constraints->IsPermittedIP(
501 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
502 }
503 {
504 // Not in any permitted range. (Just outside the
505 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
506 // range.)
507 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8,
508 9, 10, 11, 11, 5, 31, 255, 255};
509 EXPECT_FALSE(name_constraints->IsPermittedIP(
510 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
511 }
512 {
513 // Within the permitted
514 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
515 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0};
516 EXPECT_TRUE(name_constraints->IsPermittedIP(
517 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
518 }
519 {
520 // Within the permitted
521 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
522 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8,
523 9, 10, 11, 11, 5, 63, 255, 255};
524 EXPECT_TRUE(name_constraints->IsPermittedIP(
525 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
526 }
527 {
528 // Not in any permitted range. (Just outside the
529 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
530 // range.)
531 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0};
532 EXPECT_FALSE(name_constraints->IsPermittedIP(
533 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
534 }
535 {
536 // Not in any permitted range, and also inside the extraneous excluded
537 // 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
538 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1};
539 EXPECT_FALSE(name_constraints->IsPermittedIP(
540 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
541 }
542
543 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, name_constraints->ConstrainedNameTypes());
544
545 std::string san;
546 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
547 EXPECT_TRUE(
548 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
549
550 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
551 EXPECT_TRUE(
552 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
553
554 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
555 EXPECT_TRUE(
556 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
557
558 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
559 EXPECT_FALSE(
560 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san)));
561 }
562
563 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
564 std::string a;
565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
566
567 scoped_ptr<NameConstraints> name_constraints(
568 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
569 ASSERT_TRUE(name_constraints);
570
571 // Only 192.168.5.0/255.255.255.0 is excluded, but since no iPAddresses
572 // are permitted, everything is excluded.
573 {
574 const uint8_t ip4[] = {192, 168, 0, 1};
575 EXPECT_FALSE(name_constraints->IsPermittedIP(
576 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
577 }
578 {
579 const uint8_t ip4[] = {192, 168, 5, 1};
580 EXPECT_FALSE(name_constraints->IsPermittedIP(
581 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
582 }
583 {
584 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1};
585 EXPECT_FALSE(name_constraints->IsPermittedIP(
586 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
587 }
588 }
589
590 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
591 std::string a;
592 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
593
594 scoped_ptr<NameConstraints> name_constraints(
595 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
596 ASSERT_TRUE(name_constraints);
597
598 // 192.168.0.0/255.255.0.0 and
599 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
600 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
601 {
602 const uint8_t ip4[] = {192, 168, 0, 1};
603 EXPECT_FALSE(name_constraints->IsPermittedIP(
604 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
605 }
606 {
607 const uint8_t ip4[] = {1, 1, 1, 1};
608 EXPECT_FALSE(name_constraints->IsPermittedIP(
609 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
610 }
611 {
612 const uint8_t ip6[] = {2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1};
613 EXPECT_FALSE(name_constraints->IsPermittedIP(
614 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
615 }
616 {
617 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1};
618 EXPECT_FALSE(name_constraints->IsPermittedIP(
619 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
620 }
621 }
622
623 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
624 std::string a;
625 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
626
627 scoped_ptr<NameConstraints> name_constraints(
628 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
629 ASSERT_TRUE(name_constraints);
630
631 {
632 const uint8_t ip4[] = {0, 0, 0, 0};
633 EXPECT_FALSE(name_constraints->IsPermittedIP(
634 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
635 }
636 {
637 const uint8_t ip4[] = {192, 168, 1, 1};
638 EXPECT_FALSE(name_constraints->IsPermittedIP(
639 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
640 }
641 {
642 const uint8_t ip4[] = {192, 168, 1, 2};
643 EXPECT_FALSE(name_constraints->IsPermittedIP(
644 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
645 }
646 {
647 const uint8_t ip4[] = {192, 168, 1, 3};
648 EXPECT_TRUE(name_constraints->IsPermittedIP(
649 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
650 }
651 {
652 const uint8_t ip4[] = {192, 168, 1, 4};
653 EXPECT_FALSE(name_constraints->IsPermittedIP(
654 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
655 }
656 {
657 const uint8_t ip4[] = {255, 255, 255, 255};
658 EXPECT_FALSE(name_constraints->IsPermittedIP(
659 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
660 }
661 }
662
663 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
664 std::string a;
665 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
666
667 scoped_ptr<NameConstraints> name_constraints(
668 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
669 ASSERT_TRUE(name_constraints);
670
671 {
672 const uint8_t ip4[] = {0, 0, 0, 0};
673 EXPECT_FALSE(name_constraints->IsPermittedIP(
674 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
675 }
676 {
677 const uint8_t ip4[] = {192, 168, 1, 1};
678 EXPECT_FALSE(name_constraints->IsPermittedIP(
679 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
680 }
681 {
682 const uint8_t ip4[] = {192, 168, 1, 2};
683 EXPECT_TRUE(name_constraints->IsPermittedIP(
684 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
685 }
686 {
687 const uint8_t ip4[] = {192, 168, 1, 3};
688 EXPECT_TRUE(name_constraints->IsPermittedIP(
689 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
690 }
691 {
692 const uint8_t ip4[] = {192, 168, 1, 4};
693 EXPECT_FALSE(name_constraints->IsPermittedIP(
694 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
695 }
696 {
697 const uint8_t ip4[] = {192, 168, 1, 5};
698 EXPECT_FALSE(name_constraints->IsPermittedIP(
699 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
700 }
701 {
702 const uint8_t ip4[] = {255, 255, 255, 255};
703 EXPECT_FALSE(name_constraints->IsPermittedIP(
704 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
705 }
706 }
707
708 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
709 std::string a;
710 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
711
712 scoped_ptr<NameConstraints> name_constraints(
713 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
714 ASSERT_TRUE(name_constraints);
715
716 {
717 const uint8_t ip4[] = {0, 0, 0, 0};
718 EXPECT_FALSE(name_constraints->IsPermittedIP(
719 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
720 }
721 {
722 const uint8_t ip4[] = {0x7F, 0xFF, 0xFF, 0xFF};
723 EXPECT_FALSE(name_constraints->IsPermittedIP(
724 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
725 }
726 {
727 const uint8_t ip4[] = {0x80, 0, 0, 0};
728 EXPECT_TRUE(name_constraints->IsPermittedIP(
729 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
730 }
731 {
732 const uint8_t ip4[] = {0xFF, 0xFF, 0xFF, 0xFF};
733 EXPECT_TRUE(name_constraints->IsPermittedIP(
734 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
735 }
736 }
737
738 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
739 std::string a;
740 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
741
742 scoped_ptr<NameConstraints> name_constraints(
743 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
744 ASSERT_TRUE(name_constraints);
745
746 {
747 const uint8_t ip4[] = {0, 0, 0, 0};
748 EXPECT_TRUE(name_constraints->IsPermittedIP(
749 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
750 }
751 {
752 const uint8_t ip4[] = {192, 168, 1, 1};
753 EXPECT_TRUE(name_constraints->IsPermittedIP(
754 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
755 }
756 {
757 const uint8_t ip4[] = {255, 255, 255, 255};
758 EXPECT_TRUE(name_constraints->IsPermittedIP(
759 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
760 }
761 }
762
763 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
764 std::string a;
765 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
766
767 EXPECT_FALSE(
768 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
769 }
770
771 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
772 std::string a;
773 ASSERT_TRUE(LoadTestNameConstraint(
774 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
775 EXPECT_FALSE(
776 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
777
778 ASSERT_TRUE(LoadTestNameConstraint(
779 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
780 EXPECT_FALSE(
781 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
782
783 ASSERT_TRUE(LoadTestNameConstraint(
784 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
785 EXPECT_FALSE(
786 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
787
788 ASSERT_TRUE(LoadTestNameConstraint(
789 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
790 EXPECT_FALSE(
791 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
792 }
793
794 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
795 std::string constraints_der;
796 ASSERT_TRUE(
797 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
798 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
799 InputFromString(&constraints_der), is_critical()));
800 ASSERT_TRUE(name_constraints);
801
802 if (is_critical()) {
803 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
804 name_constraints->ConstrainedNameTypes());
805 } else {
806 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
807 }
808
809 std::string san;
810 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
811 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
812 der::Input(), InputFromString(&san)));
813 }
814
815 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
816 std::string constraints_der;
817 ASSERT_TRUE(
818 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
819 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
820 InputFromString(&constraints_der), is_critical()));
821 ASSERT_TRUE(name_constraints);
822
823 if (is_critical()) {
824 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
825 name_constraints->ConstrainedNameTypes());
826 } else {
827 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
828 }
829
830 std::string san;
831 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
832 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
833 der::Input(), InputFromString(&san)));
834 }
835
836 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
837 std::string constraints_der;
838 ASSERT_TRUE(
839 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
840 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
841 InputFromString(&constraints_der), is_critical()));
842 ASSERT_TRUE(name_constraints);
843
844 if (is_critical()) {
845 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
846 name_constraints->ConstrainedNameTypes());
847 } else {
848 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
849 }
850
851 std::string san;
852 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
853 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
854 der::Input(), InputFromString(&san)));
855 }
856
857 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
858 std::string constraints_der;
859 ASSERT_TRUE(
860 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
861 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
862 InputFromString(&constraints_der), is_critical()));
863 ASSERT_TRUE(name_constraints);
864
865 if (is_critical()) {
866 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
867 name_constraints->ConstrainedNameTypes());
868 } else {
869 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
870 }
871
872 std::string san;
873 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
874 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
875 der::Input(), InputFromString(&san)));
876 }
877
878 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
879 std::string constraints_der;
880 ASSERT_TRUE(
881 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
882 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
883 InputFromString(&constraints_der), is_critical()));
884 ASSERT_TRUE(name_constraints);
885
886 if (is_critical()) {
887 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
888 name_constraints->ConstrainedNameTypes());
889 } else {
890 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
891 }
892
893 std::string san;
894 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
895 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
896 der::Input(), InputFromString(&san)));
897 }
898
899 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
900 std::string constraints_der;
901 ASSERT_TRUE(
902 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
903 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
904 InputFromString(&constraints_der), is_critical()));
905 ASSERT_TRUE(name_constraints);
906
907 if (is_critical()) {
908 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
909 name_constraints->ConstrainedNameTypes());
910 } else {
911 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
912 }
913
914 std::string san;
915 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
916 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
917 der::Input(), InputFromString(&san)));
918 }
919
920 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
921 std::string constraints_der;
922 ASSERT_TRUE(
923 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
924 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
925 InputFromString(&constraints_der), is_critical()));
926 ASSERT_TRUE(name_constraints);
927
928 if (is_critical()) {
929 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
930 name_constraints->ConstrainedNameTypes());
931 } else {
932 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
933 }
934
935 std::string san;
936 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
937 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
938 der::Input(), InputFromString(&san)));
939 }
940
941 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
942 std::string constraints_der;
943 ASSERT_TRUE(
944 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
945 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
946 InputFromString(&constraints_der), is_critical()));
947 ASSERT_TRUE(name_constraints);
948
949 if (is_critical()) {
950 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
951 name_constraints->ConstrainedNameTypes());
952 } else {
953 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
954 }
955
956 std::string san;
957 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
958 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
959 der::Input(), InputFromString(&san)));
960 }
961
962 TEST_P(ParseNameConstraints, URIsInPermitted) {
963 std::string constraints_der;
964 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
965 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
966 InputFromString(&constraints_der), is_critical()));
967 ASSERT_TRUE(name_constraints);
968
969 if (is_critical()) {
970 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
971 name_constraints->ConstrainedNameTypes());
972 } else {
973 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
974 }
975
976 std::string san;
977 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
978 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
979 der::Input(), InputFromString(&san)));
980 }
981
982 TEST_P(ParseNameConstraints, URIsInExcluded) {
983 std::string constraints_der;
984 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
985 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
986 InputFromString(&constraints_der), is_critical()));
987 ASSERT_TRUE(name_constraints);
988
989 if (is_critical()) {
990 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
991 name_constraints->ConstrainedNameTypes());
992 } else {
993 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
994 }
995
996 std::string san;
997 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
998 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
999 der::Input(), InputFromString(&san)));
1000 }
1001
1002 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
1003 std::string constraints_der;
1004 ASSERT_TRUE(
1005 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
1006 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1007 InputFromString(&constraints_der), is_critical()));
1008 ASSERT_TRUE(name_constraints);
1009
1010 if (is_critical()) {
1011 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1012 name_constraints->ConstrainedNameTypes());
1013 } else {
1014 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
1015 }
1016
1017 std::string san;
1018 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
1019 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
1020 der::Input(), InputFromString(&san)));
1021 }
1022
1023 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
1024 std::string constraints_der;
1025 ASSERT_TRUE(
1026 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
1027 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1028 InputFromString(&constraints_der), is_critical()));
1029 ASSERT_TRUE(name_constraints);
1030
1031 if (is_critical()) {
1032 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1033 name_constraints->ConstrainedNameTypes());
1034 } else {
1035 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
1036 }
1037
1038 std::string san;
1039 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
1040 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
1041 der::Input(), InputFromString(&san)));
1042 }
1043
1044 TEST_P(ParseNameConstraints,
1045 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1046 std::string constraints_der;
1047 ASSERT_TRUE(
1048 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1049 // The value should not be in the DER encoding if it is the default. But this
1050 // could be changed to allowed if there are buggy encoders out there that
1051 // include it anyway.
1052 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1053 is_critical()));
1054 }
1055
1056 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1057 std::string constraints_der;
1058 ASSERT_TRUE(
1059 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1060 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1061 is_critical()));
1062 }
1063
1064 TEST_P(ParseNameConstraints,
1065 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1066 std::string constraints_der;
1067 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1068 &constraints_der));
1069 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1070 is_critical()));
1071 }
1072
1073 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1074 std::string constraints_der;
1075 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1076 &constraints_der));
1077 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1078 is_critical()));
1079 }
1080
1081 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1082 std::string constraints_der;
1083 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1084 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1085 is_critical()));
1086 }
1087
1088 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1089 std::string constraints_der = "";
1090 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1091 is_critical()));
1092 }
1093
1094 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1095 std::string constraints_der;
1096 ASSERT_TRUE(
1097 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1098 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1099 is_critical()));
1100 }
1101
1102 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1103 std::string constraints_der;
1104 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1105 &constraints_der));
1106 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1107 is_critical()));
1108 }
1109
1110 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1111 std::string constraints_der;
1112 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1113 &constraints_der));
1114 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der),
1115 is_critical()));
1116 }
1117
1118 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1119 std::string constraints_der;
1120 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1121 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1122 InputFromString(&constraints_der), is_critical()));
1123 ASSERT_TRUE(name_constraints);
1124
1125 std::string name_us_arizona_email;
1126 ASSERT_TRUE(
1127 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1128
1129 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1130 // allowed regardless.
1131 EXPECT_TRUE(name_constraints->IsPermittedCert(
1132 SequenceValueFromString(&name_us_arizona_email), der::Input()));
1133 }
1134
1135 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1136 std::string constraints_der;
1137 ASSERT_TRUE(
1138 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1139 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1140 InputFromString(&constraints_der), is_critical()));
1141 ASSERT_TRUE(name_constraints);
1142
1143 std::string name_us_arizona_email;
1144 ASSERT_TRUE(
1145 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1146
1147 // Name constraints contain rfc822Name, so emailAddress in subject is not
1148 // allowed if the constraints were critical.
1149 EXPECT_EQ(!is_critical(),
1150 name_constraints->IsPermittedCert(
1151 SequenceValueFromString(&name_us_arizona_email), der::Input()));
1152 }
1153
1154 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1155 // are not particularly interesting, just verifying that the commonName is
1156 // ignored for dNSName constraints.
1157 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1158 std::string constraints_der;
1159 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1160 &constraints_der));
1161 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1162 InputFromString(&constraints_der), is_critical()));
1163 ASSERT_TRUE(name_constraints);
1164
1165 std::string name_us_az_foocom;
1166 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1167 // The subject is within permitted directoryName constraints, so permitted.
1168 // (The commonName hostname is not within permitted dNSName constraints, so
1169 // this would not be permitted if hostnames in commonName were checked.)
1170 EXPECT_TRUE(name_constraints->IsPermittedCert(
1171 SequenceValueFromString(&name_us_az_foocom), der::Input()));
1172
1173 std::string name_us_az_permitted;
1174 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem",
1175 &name_us_az_permitted));
1176 // The subject is in permitted directoryName and the commonName is within
1177 // permitted dNSName constraints, so this should be permitted regardless if
1178 // hostnames in commonName are checked or not.
1179 EXPECT_TRUE(name_constraints->IsPermittedCert(
1180 SequenceValueFromString(&name_us_az_permitted), der::Input()));
1181
1182 std::string name_us_ca_permitted;
1183 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem",
1184 &name_us_ca_permitted));
1185 // The subject is within the excluded C=US,ST=California directoryName, so
1186 // this should not be allowed, regardless of checking the
1187 // permitted.example.com in commonName.
1188 EXPECT_FALSE(name_constraints->IsPermittedCert(
1189 SequenceValueFromString(&name_us_ca_permitted), der::Input()));
1190 }
1191
1192 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1193 // tests are not particularly interesting, just verifying that the commonName is
1194 // ignored for iPAddress constraints.
1195 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1196 std::string constraints_der;
1197 ASSERT_TRUE(LoadTestNameConstraint(
1198 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1199 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1200 InputFromString(&constraints_der), is_critical()));
1201 ASSERT_TRUE(name_constraints);
1202
1203 std::string name_us_az_1_1_1_1;
1204 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1205 // The subject is within permitted directoryName constraints, so permitted.
1206 // (The commonName IP address is not within permitted iPAddresses constraints,
1207 // so this would not be permitted if IP addresses in commonName were checked.)
1208 EXPECT_TRUE(name_constraints->IsPermittedCert(
1209 SequenceValueFromString(&name_us_az_1_1_1_1), der::Input()));
1210
1211 std::string name_us_az_192_168_1_1;
1212 ASSERT_TRUE(
1213 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1214 // The subject is in permitted directoryName and the commonName is within
1215 // permitted iPAddress constraints, so this should be permitted regardless if
1216 // IP addresses in commonName are checked or not.
1217 EXPECT_TRUE(name_constraints->IsPermittedCert(
1218 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input()));
1219
1220 std::string name_us_ca_192_168_1_1;
1221 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem",
1222 &name_us_ca_192_168_1_1));
1223 // The subject is within the excluded C=US,ST=California directoryName, so
1224 // this should not be allowed, regardless of checking the
1225 // IP address in commonName.
1226 EXPECT_FALSE(name_constraints->IsPermittedCert(
1227 SequenceValueFromString(&name_us_ca_192_168_1_1), der::Input()));
1228
1229 std::string name_us_az_ipv6;
1230 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1231 // The subject is within permitted directoryName constraints, so permitted.
1232 // (The commonName is an ipv6 address which wasn't supported in the past, but
1233 // since commonName checking is ignored entirely, this is permitted.)
1234 EXPECT_TRUE(name_constraints->IsPermittedCert(
1235 SequenceValueFromString(&name_us_az_ipv6), der::Input()));
1236 }
1237
1238 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) {
1239 std::string constraints_der;
1240 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &constraints_der));
1241 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1242 InputFromString(&constraints_der), is_critical()));
1243 ASSERT_TRUE(name_constraints);
1244
1245 std::string name_us_az;
1246 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
1247
1248 // No constraints on directoryName type, so name_us_az should be allowed when
1249 // subjectAltName is not present.
1250 EXPECT_TRUE(name_constraints->IsPermittedCert(
1251 SequenceValueFromString(&name_us_az), der::Input()));
1252
1253 std::string san;
1254 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san));
1255 // Should fail if subjectAltName is present but empty.
1256 EXPECT_FALSE(name_constraints->IsPermittedCert(
1257 SequenceValueFromString(&name_us_az), InputFromString(&san)));
1258 }
1259
1260 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) {
1261 std::string constraints_der;
1262 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &constraints_der));
1263 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1264 InputFromString(&constraints_der), is_critical()));
1265 ASSERT_TRUE(name_constraints);
1266
1267 std::string name_us_az_192_168_1_1;
1268 ASSERT_TRUE(
1269 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1270
1271 // Without the invalid subjectAltName, it passes.
1272 EXPECT_TRUE(name_constraints->IsPermittedCert(
1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input()));
1274
1275 std::string san;
1276 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san));
1277 // Should fail if subjectAltName contains an invalid ip address.
1278 EXPECT_FALSE(name_constraints->IsPermittedCert(
1279 SequenceValueFromString(&name_us_az_192_168_1_1), InputFromString(&san)));
1280 }
1281
1282 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/cert/internal/test_helpers.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698