| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/name_constraints.h" | 5 #include "net/cert/internal/name_constraints.h" |
| 6 | 6 |
| 7 #include "net/cert/internal/test_helpers.h" | 7 #include "net/cert/internal/test_helpers.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 9 |
| 10 namespace net { | 10 namespace net { |
| 186 } | 186 } |
| 187 | 187 |
| 188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { | 188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { |
| 189 std::string a; | 189 std::string a; |
| 190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); | 190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); |
| 191 | 191 |
| 192 scoped_ptr<NameConstraints> name_constraints( | 192 scoped_ptr<NameConstraints> name_constraints( |
| 193 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); | 193 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); |
| 194 ASSERT_TRUE(name_constraints); | 194 ASSERT_TRUE(name_constraints); |
| 195 | 195 |
| 196 // Only "excluded.permitted.example.com" is excluded, but since no dNSNames | 196 // Only "excluded.permitted.example.com" is excluded, and since permitted is |
| 197 // are permitted, everything is excluded. | 197 // empty, any dNSName outside that is allowed. |
| 198 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); | 198 EXPECT_TRUE(name_constraints->IsPermittedDNSName("")); |
| 199 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); | 199 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com")); |
| 200 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); | 200 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); |
| 201 EXPECT_FALSE( | 201 EXPECT_FALSE( |
| 202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); | 202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); |
| 203 EXPECT_FALSE( | 203 EXPECT_FALSE( |
| 204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); | 204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); |
| 205 } | 205 } |
| 206 | 206 |
| 207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { | 207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { |
| 208 std::string a; | 208 std::string a; |
| 209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); | 209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); |
| 210 | 210 |
| 343 std::string name_empty; | 343 std::string name_empty; |
| 344 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); | 344 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); |
| 345 std::string name_us; | 345 std::string name_us; |
| 346 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); | 346 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); |
| 347 std::string name_us_ca; | 347 std::string name_us_ca; |
| 348 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); | 348 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); |
| 349 std::string name_us_ca_mountain_view; | 349 std::string name_us_ca_mountain_view; |
| 350 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", | 350 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", |
| 351 &name_us_ca_mountain_view)); | 351 &name_us_ca_mountain_view)); |
| 352 | 352 |
| 353 // Only "C=US,ST=California" is excluded, but since no directoryNames are | 353 // Only "C=US,ST=California" is excluded, and since permitted is empty, |
| 354 // permitted, everything is excluded. | 354 // any directoryName outside that is allowed. |
| 355 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 355 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
| 356 SequenceValueFromString(&name_empty))); | 356 SequenceValueFromString(&name_empty))); |
| 357 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 357 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
| 358 SequenceValueFromString(&name_us))); | 358 SequenceValueFromString(&name_us))); |
| 359 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 359 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
| 360 SequenceValueFromString(&name_us_ca))); | 360 SequenceValueFromString(&name_us_ca))); |
| 361 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 361 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
| 362 SequenceValueFromString(&name_us_ca_mountain_view))); | 362 SequenceValueFromString(&name_us_ca_mountain_view))); |
| 363 } | 363 } |
| 364 | 364 |
| 365 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { | 365 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { |
| 366 std::string constraints_der; | 366 std::string constraints_der; |
| 367 ASSERT_TRUE( | 367 ASSERT_TRUE( |
| 368 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); | 368 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der)); |
| 369 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 369 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 370 InputFromString(&constraints_der), is_critical())); | 370 InputFromString(&constraints_der), is_critical())); |
| 371 ASSERT_TRUE(name_constraints); | 371 ASSERT_TRUE(name_constraints); |
| 372 | 372 |
| 373 std::string name_empty; | 373 std::string name_empty; |
| 374 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); | 374 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); |
| 375 std::string name_us; | 375 std::string name_us; |
| 376 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); | 376 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); |
| 377 std::string name_us_ca; | 377 std::string name_us_ca; |
| 378 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); | 378 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); |
| 561 } | 561 } |
| 562 | 562 |
| 563 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { | 563 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { |
| 564 std::string a; | 564 std::string a; |
| 565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); | 565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); |
| 566 | 566 |
| 567 scoped_ptr<NameConstraints> name_constraints( | 567 scoped_ptr<NameConstraints> name_constraints( |
| 568 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); | 568 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); |
| 569 ASSERT_TRUE(name_constraints); | 569 ASSERT_TRUE(name_constraints); |
| 570 | 570 |
| 571 // Only 192.168.5.0/255.255.255.0 is excluded, but since no iPAddresses | 571 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty, |
| 572 // are permitted, everything is excluded. | 572 // any iPAddress outside that is allowed. |
| 573 { | 573 { |
| 574 const uint8_t ip4[] = {192, 168, 0, 1}; | 574 const uint8_t ip4[] = {192, 168, 0, 1}; |
| 575 EXPECT_FALSE(name_constraints->IsPermittedIP( | 575 EXPECT_TRUE(name_constraints->IsPermittedIP( |
| 576 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); | 576 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); |
| 577 } | 577 } |
| 578 { | 578 { |
| 579 const uint8_t ip4[] = {192, 168, 5, 1}; | 579 const uint8_t ip4[] = {192, 168, 5, 1}; |
| 580 EXPECT_FALSE(name_constraints->IsPermittedIP( | 580 EXPECT_FALSE(name_constraints->IsPermittedIP( |
| 581 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); | 581 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); |
| 582 } | 582 } |
| 583 { | 583 { |
| 584 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1}; | 584 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1}; |
| 585 EXPECT_FALSE(name_constraints->IsPermittedIP( | 585 EXPECT_TRUE(name_constraints->IsPermittedIP( |
| 586 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); | 586 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); |
| 587 } | 587 } |
| 588 } | 588 } |
| 589 | 589 |
| 590 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { | 590 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { |
| 591 std::string a; | 591 std::string a; |
| 592 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); | 592 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); |
| 593 | 593 |
| 594 scoped_ptr<NameConstraints> name_constraints( | 594 scoped_ptr<NameConstraints> name_constraints( |
| 595 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); | 595 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); |
| 1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); | 1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); |
| 1274 | 1274 |
| 1275 std::string san; | 1275 std::string san; |
| 1276 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); | 1276 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); |
| 1277 // Should fail if subjectAltName contains an invalid ip address. | 1277 // Should fail if subjectAltName contains an invalid ip address. |
| 1278 EXPECT_FALSE(name_constraints->IsPermittedCert( | 1278 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 1279 SequenceValueFromString(&name_us_az_192_168_1_1), InputFromString(&san))); | 1279 SequenceValueFromString(&name_us_az_192_168_1_1), InputFromString(&san))); |
| 1280 } | 1280 } |
| 1281 | 1281 |
| 1282 } // namespace net | 1282 } // namespace net |
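Review bot: The exclude-only dNSName assertions at new lines 198-204 in DNSNamesExcludeOnly never probe the label boundary or the case of the excluded subtree, so a matcher that compared raw byte suffixes would still pass them; unless the skipped part of the file already does so, add `EXPECT_FALSE(name_constraints->IsPermittedDNSName("EXCLUDED.permitted.example.com"));` (dNSName comparison is case-insensitive, so a case-only variant must still be excluded) and `EXPECT_TRUE(name_constraints->IsPermittedDNSName("notexcluded.permitted.example.com"));` (a name that merely ends in the excluded string is not in the subtree). The same gap exists in IPAdressesExcludeOnly at new lines 573-587, which checks one address inside and one outside 192.168.5.0/255.255.255.0 but none of the mask edges; 192.168.5.0 and 192.168.5.255 should be rejected and 192.168.4.255 and 192.168.6.0 accepted. The new comments at lines 196-197, 353-354 and 571-572 read more precisely as "since there are no permitted dNSName (directoryName, iPAddress) subtrees" than "since permitted is empty", as other name types may still carry permitted subtrees. As a separate nit, the `IPAdresses` spelling in both IP test names (new lines 563 and 590) is pre-existing but worth correcting to `IPAddresses` while these tests are being touched.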