Side by Side Diff: net/cert/internal/name_constraints_unittest.cc

Issue 1546653004: Name constraints with excluded names but no permitted names should allow names not matching the exc… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 4 years, 11 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/name_constraints.h" 5 #include "net/cert/internal/name_constraints.h"
6 6
7 #include "net/cert/internal/test_helpers.h" 7 #include "net/cert/internal/test_helpers.h"
8 #include "testing/gtest/include/gtest/gtest.h" 8 #include "testing/gtest/include/gtest/gtest.h"
9 9
10 namespace net { 10 namespace net {
(...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after
186 } 186 }
187 187
188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { 188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
189 std::string a; 189 std::string a;
190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); 190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
191 191
192 scoped_ptr<NameConstraints> name_constraints( 192 scoped_ptr<NameConstraints> name_constraints(
193 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 193 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
194 ASSERT_TRUE(name_constraints); 194 ASSERT_TRUE(name_constraints);
195 195
196 // Only "excluded.permitted.example.com" is excluded, but since no dNSNames 196 // Only "excluded.permitted.example.com" is excluded, and since permitted is
197 // are permitted, everything is excluded. 197 // empty, any dNSName outside that is allowed.
198 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); 198 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
199 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 199 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
200 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); 200 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
201 EXPECT_FALSE( 201 EXPECT_FALSE(
202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); 202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
203 EXPECT_FALSE( 203 EXPECT_FALSE(
204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); 204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
205 } 205 }
206 206
207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { 207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
208 std::string a; 208 std::string a;
209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); 209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
210 210
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after
342 std::string name_empty; 342 std::string name_empty;
343 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 343 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
344 std::string name_us; 344 std::string name_us;
345 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 345 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
346 std::string name_us_ca; 346 std::string name_us_ca;
347 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 347 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
348 std::string name_us_ca_mountain_view; 348 std::string name_us_ca_mountain_view;
349 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 349 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
350 &name_us_ca_mountain_view)); 350 &name_us_ca_mountain_view));
351 351
352 // Only "C=US,ST=California" is excluded, but since no directoryNames are 352 // Only "C=US,ST=California" is excluded, and since permitted is empty,
353 // permitted, everything is excluded. 353 // any directoryName outside that is allowed.
354 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 354 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
355 SequenceValueFromString(&name_empty))); 355 SequenceValueFromString(&name_empty)));
356 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 356 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
357 SequenceValueFromString(&name_us))); 357 SequenceValueFromString(&name_us)));
358 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 358 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
359 SequenceValueFromString(&name_us_ca))); 359 SequenceValueFromString(&name_us_ca)));
360 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 360 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
361 SequenceValueFromString(&name_us_ca_mountain_view))); 361 SequenceValueFromString(&name_us_ca_mountain_view)));
362 } 362 }
363 363
364 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { 364 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
365 std::string constraints_der; 365 std::string constraints_der;
366 ASSERT_TRUE( 366 ASSERT_TRUE(
367 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); 367 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
368 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 368 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
369 der::Input(&constraints_der), is_critical())); 369 der::Input(&constraints_der), is_critical()));
370 ASSERT_TRUE(name_constraints); 370 ASSERT_TRUE(name_constraints);
371 371
372 std::string name_empty; 372 std::string name_empty;
373 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 373 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
374 std::string name_us; 374 std::string name_us;
375 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 375 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
376 std::string name_us_ca; 376 std::string name_us_ca;
377 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 377 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after
560 } 560 }
561 561
562 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { 562 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
563 std::string a; 563 std::string a;
564 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); 564 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
565 565
566 scoped_ptr<NameConstraints> name_constraints( 566 scoped_ptr<NameConstraints> name_constraints(
567 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 567 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
568 ASSERT_TRUE(name_constraints); 568 ASSERT_TRUE(name_constraints);
569 569
570 // Only 192.168.5.0/255.255.255.0 is excluded, but since no iPAddresses 570 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
571 // are permitted, everything is excluded. 571 // any iPAddress outside that is allowed.
572 { 572 {
573 const uint8_t ip4[] = {192, 168, 0, 1}; 573 const uint8_t ip4[] = {192, 168, 0, 1};
574 EXPECT_FALSE(name_constraints->IsPermittedIP( 574 EXPECT_TRUE(name_constraints->IsPermittedIP(
575 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 575 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
576 } 576 }
577 { 577 {
578 const uint8_t ip4[] = {192, 168, 5, 1}; 578 const uint8_t ip4[] = {192, 168, 5, 1};
579 EXPECT_FALSE(name_constraints->IsPermittedIP( 579 EXPECT_FALSE(name_constraints->IsPermittedIP(
580 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 580 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
581 } 581 }
582 { 582 {
583 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1}; 583 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1};
584 EXPECT_FALSE(name_constraints->IsPermittedIP( 584 EXPECT_TRUE(name_constraints->IsPermittedIP(
585 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); 585 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
586 } 586 }
587 } 587 }
588 588
589 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { 589 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
590 std::string a; 590 std::string a;
591 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); 591 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
592 592
593 scoped_ptr<NameConstraints> name_constraints( 593 scoped_ptr<NameConstraints> name_constraints(
594 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 594 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
(...skipping 672 matching lines...) Expand 10 before | Expand all | Expand 10 after
1267 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); 1267 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input()));
1268 1268
1269 std::string san; 1269 std::string san;
1270 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); 1270 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san));
1271 // Should fail if subjectAltName contains an invalid ip address. 1271 // Should fail if subjectAltName contains an invalid ip address.
1272 EXPECT_FALSE(name_constraints->IsPermittedCert( 1272 EXPECT_FALSE(name_constraints->IsPermittedCert(
1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input(&san))); 1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input(&san)));
1274 } 1274 }
1275 1275
1276 } // namespace net 1276 } // namespace net
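Review bot: Now that DNSNamesExcludeOnly expects IsPermittedDNSName to return true for everything outside the excluded subtree (new-side lines 198-200), a subtree match the matcher fails to recognize becomes fail-open instead of fail-closed as it was before, so the test should pin the matching edges, e.g. `EXPECT_FALSE(name_constraints->IsPermittedDNSName("EXCLUDED.permitted.example.com"));` next to `EXPECT_TRUE(name_constraints->IsPermittedDNSName("notexcluded.permitted.example.com"));` so that a case-sensitive or label-boundary bug in the exclusion check is caught here. IPAdressesExcludeOnly has the same gap: it checks one address inside 192.168.5.0/24 and one outside (new-side lines 573-580) but neither the subnet edges 192.168.5.0 / 192.168.5.255 nor the adjacent 192.168.4.255 / 192.168.6.0, which is where a mask-comparison off-by-one would show up. These may already be exercised in the collapsed parts of the file; if so a short comment pointing to them is enough. The new comments at 196-197, 352-353 and 570-571 describe the permitted-empty semantics correctly; citing RFC 5280 section 4.2.1.10 there (an absent permittedSubtrees leaves every name of that type permitted) would make it clear this is the specified behaviour and not a relaxation of the checker.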