| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/name_constraints.h" | 5 #include "net/cert/internal/name_constraints.h" |
| 6 | 6 |
| 7 #include "net/cert/internal/test_helpers.h" | 7 #include "net/cert/internal/test_helpers.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 8 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 9 |
| 10 namespace net { | 10 namespace net { |
| (...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 116 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com.")); | 116 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com.")); |
| 117 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com")); | 117 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com")); |
| 118 EXPECT_TRUE( | 118 EXPECT_TRUE( |
| 119 name_constraints->IsPermittedDNSName("a.permitted.example3.com.")); | 119 name_constraints->IsPermittedDNSName("a.permitted.example3.com.")); |
| 120 | 120 |
| 121 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->ConstrainedNameTypes()); | 121 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->ConstrainedNameTypes()); |
| 122 | 122 |
| 123 std::string san; | 123 std::string san; |
| 124 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); | 124 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); |
| 125 EXPECT_TRUE( | 125 EXPECT_TRUE( |
| 126 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 126 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 127 | 127 |
| 128 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); | 128 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); |
| 129 EXPECT_FALSE( | 129 EXPECT_FALSE( |
| 130 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 130 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 131 | 131 |
| 132 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); | 132 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); |
| 133 EXPECT_TRUE( | 133 EXPECT_TRUE( |
| 134 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 134 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 135 | 135 |
| 136 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 136 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
| 137 EXPECT_TRUE( | 137 EXPECT_TRUE( |
| 138 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 138 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 139 } | 139 } |
| 140 | 140 |
| 141 TEST_P(ParseNameConstraints, | 141 TEST_P(ParseNameConstraints, |
| 142 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { | 142 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { |
| 143 std::string a; | 143 std::string a; |
| 144 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); | 144 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); |
| 145 scoped_ptr<NameConstraints> name_constraints( | 145 scoped_ptr<NameConstraints> name_constraints( |
| 146 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 146 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); |
| 147 ASSERT_TRUE(name_constraints); | 147 ASSERT_TRUE(name_constraints); |
| 148 | 148 |
| (...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 300 SequenceValueFromString(&name_jp))); | 300 SequenceValueFromString(&name_jp))); |
| 301 // Within the permitted C=JP,ST=Tokyo subtree. | 301 // Within the permitted C=JP,ST=Tokyo subtree. |
| 302 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( | 302 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
| 303 SequenceValueFromString(&name_jp_tokyo))); | 303 SequenceValueFromString(&name_jp_tokyo))); |
| 304 | 304 |
| 305 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, | 305 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME, |
| 306 name_constraints->ConstrainedNameTypes()); | 306 name_constraints->ConstrainedNameTypes()); |
| 307 | 307 |
| 308 // Within the permitted C=US subtree. | 308 // Within the permitted C=US subtree. |
| 309 EXPECT_TRUE(name_constraints->IsPermittedCert( | 309 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 310 SequenceValueFromString(&name_us), der::Input())); | 310 SequenceValueFromString(&name_us), false, der::Input())); |
| 311 // Within the permitted C=US subtree, however the excluded C=US,ST=California | 311 // Within the permitted C=US subtree, however the excluded C=US,ST=California |
| 312 // subtree takes priority. | 312 // subtree takes priority. |
| 313 EXPECT_FALSE(name_constraints->IsPermittedCert( | 313 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 314 SequenceValueFromString(&name_us_ca), der::Input())); | 314 SequenceValueFromString(&name_us_ca), false, der::Input())); |
| 315 | 315 |
| 316 std::string san; | 316 std::string san; |
| 317 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); | 317 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); |
| 318 EXPECT_TRUE( | 318 EXPECT_TRUE( |
| 319 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 319 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 320 | 320 |
| 321 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); | 321 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); |
| 322 EXPECT_TRUE( | 322 EXPECT_TRUE( |
| 323 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 323 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 324 | 324 |
| 325 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); | 325 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); |
| 326 EXPECT_FALSE( | 326 EXPECT_FALSE( |
| 327 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 327 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 328 | 328 |
| 329 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 329 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
| 330 EXPECT_TRUE( | 330 EXPECT_TRUE( |
| 331 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 331 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 332 } | 332 } |
| 333 | 333 |
| 334 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { | 334 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { |
| 335 std::string constraints_der; | 335 std::string constraints_der; |
| 336 ASSERT_TRUE( | 336 ASSERT_TRUE( |
| 337 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); | 337 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); |
| 338 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 338 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 339 der::Input(&constraints_der), is_critical())); | 339 der::Input(&constraints_der), is_critical())); |
| 340 ASSERT_TRUE(name_constraints); | 340 ASSERT_TRUE(name_constraints); |
| 341 | 341 |
| (...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 537 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1}; | 537 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1}; |
| 538 EXPECT_FALSE(name_constraints->IsPermittedIP( | 538 EXPECT_FALSE(name_constraints->IsPermittedIP( |
| 539 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); | 539 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); |
| 540 } | 540 } |
| 541 | 541 |
| 542 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, name_constraints->ConstrainedNameTypes()); | 542 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, name_constraints->ConstrainedNameTypes()); |
| 543 | 543 |
| 544 std::string san; | 544 std::string san; |
| 545 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); | 545 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); |
| 546 EXPECT_TRUE( | 546 EXPECT_TRUE( |
| 547 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 547 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 548 | 548 |
| 549 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); | 549 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); |
| 550 EXPECT_TRUE( | 550 EXPECT_TRUE( |
| 551 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 551 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 552 | 552 |
| 553 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); | 553 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); |
| 554 EXPECT_TRUE( | 554 EXPECT_TRUE( |
| 555 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 555 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 556 | 556 |
| 557 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 557 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
| 558 EXPECT_FALSE( | 558 EXPECT_FALSE( |
| 559 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 559 name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); |
| 560 } | 560 } |
| 561 | 561 |
| 562 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { | 562 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { |
| 563 std::string a; | 563 std::string a; |
| 564 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); | 564 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); |
| 565 | 565 |
| 566 scoped_ptr<NameConstraints> name_constraints( | 566 scoped_ptr<NameConstraints> name_constraints( |
| 567 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 567 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); |
| 568 ASSERT_TRUE(name_constraints); | 568 ASSERT_TRUE(name_constraints); |
| 569 | 569 |
| (...skipping 225 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 795 | 795 |
| 796 if (is_critical()) { | 796 if (is_critical()) { |
| 797 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, | 797 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, |
| 798 name_constraints->ConstrainedNameTypes()); | 798 name_constraints->ConstrainedNameTypes()); |
| 799 } else { | 799 } else { |
| 800 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 800 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 801 } | 801 } |
| 802 | 802 |
| 803 std::string san; | 803 std::string san; |
| 804 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); | 804 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); |
| 805 EXPECT_EQ(!is_critical(), | 805 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 806 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 806 der::Input(), true, der::Input(&san))); |
| 807 } | 807 } |
| 808 | 808 |
| 809 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { | 809 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { |
| 810 std::string constraints_der; | 810 std::string constraints_der; |
| 811 ASSERT_TRUE( | 811 ASSERT_TRUE( |
| 812 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); | 812 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); |
| 813 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 813 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 814 der::Input(&constraints_der), is_critical())); | 814 der::Input(&constraints_der), is_critical())); |
| 815 ASSERT_TRUE(name_constraints); | 815 ASSERT_TRUE(name_constraints); |
| 816 | 816 |
| 817 if (is_critical()) { | 817 if (is_critical()) { |
| 818 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, | 818 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, |
| 819 name_constraints->ConstrainedNameTypes()); | 819 name_constraints->ConstrainedNameTypes()); |
| 820 } else { | 820 } else { |
| 821 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 821 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 822 } | 822 } |
| 823 | 823 |
| 824 std::string san; | 824 std::string san; |
| 825 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); | 825 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); |
| 826 EXPECT_EQ(!is_critical(), | 826 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 827 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 827 der::Input(), true, der::Input(&san))); |
| 828 } | 828 } |
| 829 | 829 |
| 830 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { | 830 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { |
| 831 std::string constraints_der; | 831 std::string constraints_der; |
| 832 ASSERT_TRUE( | 832 ASSERT_TRUE( |
| 833 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); | 833 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); |
| 834 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 834 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 835 der::Input(&constraints_der), is_critical())); | 835 der::Input(&constraints_der), is_critical())); |
| 836 ASSERT_TRUE(name_constraints); | 836 ASSERT_TRUE(name_constraints); |
| 837 | 837 |
| 838 if (is_critical()) { | 838 if (is_critical()) { |
| 839 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, | 839 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, |
| 840 name_constraints->ConstrainedNameTypes()); | 840 name_constraints->ConstrainedNameTypes()); |
| 841 } else { | 841 } else { |
| 842 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 842 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 843 } | 843 } |
| 844 | 844 |
| 845 std::string san; | 845 std::string san; |
| 846 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); | 846 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); |
| 847 EXPECT_EQ(!is_critical(), | 847 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 848 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 848 der::Input(), true, der::Input(&san))); |
| 849 } | 849 } |
| 850 | 850 |
| 851 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { | 851 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { |
| 852 std::string constraints_der; | 852 std::string constraints_der; |
| 853 ASSERT_TRUE( | 853 ASSERT_TRUE( |
| 854 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); | 854 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); |
| 855 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 855 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 856 der::Input(&constraints_der), is_critical())); | 856 der::Input(&constraints_der), is_critical())); |
| 857 ASSERT_TRUE(name_constraints); | 857 ASSERT_TRUE(name_constraints); |
| 858 | 858 |
| 859 if (is_critical()) { | 859 if (is_critical()) { |
| 860 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, | 860 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, |
| 861 name_constraints->ConstrainedNameTypes()); | 861 name_constraints->ConstrainedNameTypes()); |
| 862 } else { | 862 } else { |
| 863 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 863 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 864 } | 864 } |
| 865 | 865 |
| 866 std::string san; | 866 std::string san; |
| 867 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); | 867 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); |
| 868 EXPECT_EQ(!is_critical(), | 868 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 869 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 869 der::Input(), true, der::Input(&san))); |
| 870 } | 870 } |
| 871 | 871 |
| 872 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { | 872 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { |
| 873 std::string constraints_der; | 873 std::string constraints_der; |
| 874 ASSERT_TRUE( | 874 ASSERT_TRUE( |
| 875 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); | 875 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); |
| 876 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 876 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 877 der::Input(&constraints_der), is_critical())); | 877 der::Input(&constraints_der), is_critical())); |
| 878 ASSERT_TRUE(name_constraints); | 878 ASSERT_TRUE(name_constraints); |
| 879 | 879 |
| 880 if (is_critical()) { | 880 if (is_critical()) { |
| 881 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, | 881 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, |
| 882 name_constraints->ConstrainedNameTypes()); | 882 name_constraints->ConstrainedNameTypes()); |
| 883 } else { | 883 } else { |
| 884 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 884 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 885 } | 885 } |
| 886 | 886 |
| 887 std::string san; | 887 std::string san; |
| 888 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); | 888 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); |
| 889 EXPECT_EQ(!is_critical(), | 889 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 890 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 890 der::Input(), true, der::Input(&san))); |
| 891 } | 891 } |
| 892 | 892 |
| 893 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { | 893 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { |
| 894 std::string constraints_der; | 894 std::string constraints_der; |
| 895 ASSERT_TRUE( | 895 ASSERT_TRUE( |
| 896 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); | 896 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); |
| 897 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 897 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 898 der::Input(&constraints_der), is_critical())); | 898 der::Input(&constraints_der), is_critical())); |
| 899 ASSERT_TRUE(name_constraints); | 899 ASSERT_TRUE(name_constraints); |
| 900 | 900 |
| 901 if (is_critical()) { | 901 if (is_critical()) { |
| 902 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, | 902 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, |
| 903 name_constraints->ConstrainedNameTypes()); | 903 name_constraints->ConstrainedNameTypes()); |
| 904 } else { | 904 } else { |
| 905 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 905 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 906 } | 906 } |
| 907 | 907 |
| 908 std::string san; | 908 std::string san; |
| 909 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); | 909 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); |
| 910 EXPECT_EQ(!is_critical(), | 910 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 911 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 911 der::Input(), true, der::Input(&san))); |
| 912 } | 912 } |
| 913 | 913 |
| 914 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { | 914 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { |
| 915 std::string constraints_der; | 915 std::string constraints_der; |
| 916 ASSERT_TRUE( | 916 ASSERT_TRUE( |
| 917 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); | 917 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); |
| 918 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 918 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 919 der::Input(&constraints_der), is_critical())); | 919 der::Input(&constraints_der), is_critical())); |
| 920 ASSERT_TRUE(name_constraints); | 920 ASSERT_TRUE(name_constraints); |
| 921 | 921 |
| 922 if (is_critical()) { | 922 if (is_critical()) { |
| 923 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, | 923 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, |
| 924 name_constraints->ConstrainedNameTypes()); | 924 name_constraints->ConstrainedNameTypes()); |
| 925 } else { | 925 } else { |
| 926 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 926 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 927 } | 927 } |
| 928 | 928 |
| 929 std::string san; | 929 std::string san; |
| 930 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); | 930 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); |
| 931 EXPECT_EQ(!is_critical(), | 931 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 932 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 932 der::Input(), true, der::Input(&san))); |
| 933 } | 933 } |
| 934 | 934 |
| 935 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { | 935 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { |
| 936 std::string constraints_der; | 936 std::string constraints_der; |
| 937 ASSERT_TRUE( | 937 ASSERT_TRUE( |
| 938 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); | 938 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); |
| 939 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 939 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 940 der::Input(&constraints_der), is_critical())); | 940 der::Input(&constraints_der), is_critical())); |
| 941 ASSERT_TRUE(name_constraints); | 941 ASSERT_TRUE(name_constraints); |
| 942 | 942 |
| 943 if (is_critical()) { | 943 if (is_critical()) { |
| 944 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, | 944 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, |
| 945 name_constraints->ConstrainedNameTypes()); | 945 name_constraints->ConstrainedNameTypes()); |
| 946 } else { | 946 } else { |
| 947 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 947 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 948 } | 948 } |
| 949 | 949 |
| 950 std::string san; | 950 std::string san; |
| 951 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); | 951 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); |
| 952 EXPECT_EQ(!is_critical(), | 952 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 953 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 953 der::Input(), true, der::Input(&san))); |
| 954 } | 954 } |
| 955 | 955 |
| 956 TEST_P(ParseNameConstraints, URIsInPermitted) { | 956 TEST_P(ParseNameConstraints, URIsInPermitted) { |
| 957 std::string constraints_der; | 957 std::string constraints_der; |
| 958 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); | 958 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); |
| 959 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 959 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 960 der::Input(&constraints_der), is_critical())); | 960 der::Input(&constraints_der), is_critical())); |
| 961 ASSERT_TRUE(name_constraints); | 961 ASSERT_TRUE(name_constraints); |
| 962 | 962 |
| 963 if (is_critical()) { | 963 if (is_critical()) { |
| 964 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, | 964 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, |
| 965 name_constraints->ConstrainedNameTypes()); | 965 name_constraints->ConstrainedNameTypes()); |
| 966 } else { | 966 } else { |
| 967 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 967 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 968 } | 968 } |
| 969 | 969 |
| 970 std::string san; | 970 std::string san; |
| 971 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); | 971 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); |
| 972 EXPECT_EQ(!is_critical(), | 972 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 973 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 973 der::Input(), true, der::Input(&san))); |
| 974 } | 974 } |
| 975 | 975 |
| 976 TEST_P(ParseNameConstraints, URIsInExcluded) { | 976 TEST_P(ParseNameConstraints, URIsInExcluded) { |
| 977 std::string constraints_der; | 977 std::string constraints_der; |
| 978 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); | 978 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); |
| 979 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 979 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 980 der::Input(&constraints_der), is_critical())); | 980 der::Input(&constraints_der), is_critical())); |
| 981 ASSERT_TRUE(name_constraints); | 981 ASSERT_TRUE(name_constraints); |
| 982 | 982 |
| 983 if (is_critical()) { | 983 if (is_critical()) { |
| 984 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, | 984 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, |
| 985 name_constraints->ConstrainedNameTypes()); | 985 name_constraints->ConstrainedNameTypes()); |
| 986 } else { | 986 } else { |
| 987 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 987 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 988 } | 988 } |
| 989 | 989 |
| 990 std::string san; | 990 std::string san; |
| 991 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); | 991 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); |
| 992 EXPECT_EQ(!is_critical(), | 992 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 993 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 993 der::Input(), true, der::Input(&san))); |
| 994 } | 994 } |
| 995 | 995 |
| 996 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { | 996 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { |
| 997 std::string constraints_der; | 997 std::string constraints_der; |
| 998 ASSERT_TRUE( | 998 ASSERT_TRUE( |
| 999 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); | 999 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); |
| 1000 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1000 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1001 der::Input(&constraints_der), is_critical())); | 1001 der::Input(&constraints_der), is_critical())); |
| 1002 ASSERT_TRUE(name_constraints); | 1002 ASSERT_TRUE(name_constraints); |
| 1003 | 1003 |
| 1004 if (is_critical()) { | 1004 if (is_critical()) { |
| 1005 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, | 1005 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, |
| 1006 name_constraints->ConstrainedNameTypes()); | 1006 name_constraints->ConstrainedNameTypes()); |
| 1007 } else { | 1007 } else { |
| 1008 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 1008 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 1009 } | 1009 } |
| 1010 | 1010 |
| 1011 std::string san; | 1011 std::string san; |
| 1012 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); | 1012 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); |
| 1013 EXPECT_EQ(!is_critical(), | 1013 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 1014 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 1014 der::Input(), true, der::Input(&san))); |
| 1015 } | 1015 } |
| 1016 | 1016 |
| 1017 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { | 1017 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { |
| 1018 std::string constraints_der; | 1018 std::string constraints_der; |
| 1019 ASSERT_TRUE( | 1019 ASSERT_TRUE( |
| 1020 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); | 1020 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); |
| 1021 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1021 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1022 der::Input(&constraints_der), is_critical())); | 1022 der::Input(&constraints_der), is_critical())); |
| 1023 ASSERT_TRUE(name_constraints); | 1023 ASSERT_TRUE(name_constraints); |
| 1024 | 1024 |
| 1025 if (is_critical()) { | 1025 if (is_critical()) { |
| 1026 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, | 1026 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, |
| 1027 name_constraints->ConstrainedNameTypes()); | 1027 name_constraints->ConstrainedNameTypes()); |
| 1028 } else { | 1028 } else { |
| 1029 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 1029 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
| 1030 } | 1030 } |
| 1031 | 1031 |
| 1032 std::string san; | 1032 std::string san; |
| 1033 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); | 1033 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); |
| 1034 EXPECT_EQ(!is_critical(), | 1034 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 1035 name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); | 1035 der::Input(), true, der::Input(&san))); |
| 1036 } | 1036 } |
| 1037 | 1037 |
| 1038 TEST_P(ParseNameConstraints, | 1038 TEST_P(ParseNameConstraints, |
| 1039 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { | 1039 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { |
| 1040 std::string constraints_der; | 1040 std::string constraints_der; |
| 1041 ASSERT_TRUE( | 1041 ASSERT_TRUE( |
| 1042 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); | 1042 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); |
| 1043 // The value should not be in the DER encoding if it is the default. But this | 1043 // The value should not be in the DER encoding if it is the default. But this |
| 1044 // could be changed to allowed if there are buggy encoders out there that | 1044 // could be changed to allowed if there are buggy encoders out there that |
| 1045 // include it anyway. | 1045 // include it anyway. |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1116 der::Input(&constraints_der), is_critical())); | 1116 der::Input(&constraints_der), is_critical())); |
| 1117 ASSERT_TRUE(name_constraints); | 1117 ASSERT_TRUE(name_constraints); |
| 1118 | 1118 |
| 1119 std::string name_us_arizona_email; | 1119 std::string name_us_arizona_email; |
| 1120 ASSERT_TRUE( | 1120 ASSERT_TRUE( |
| 1121 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); | 1121 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); |
| 1122 | 1122 |
| 1123 // Name constraints don't contain rfc822Name, so emailAddress in subject is | 1123 // Name constraints don't contain rfc822Name, so emailAddress in subject is |
| 1124 // allowed regardless. | 1124 // allowed regardless. |
| 1125 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1125 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1126 SequenceValueFromString(&name_us_arizona_email), der::Input())); | 1126 SequenceValueFromString(&name_us_arizona_email), false, der::Input())); |
| 1127 } | 1127 } |
| 1128 | 1128 |
| 1129 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { | 1129 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { |
| 1130 std::string constraints_der; | 1130 std::string constraints_der; |
| 1131 ASSERT_TRUE( | 1131 ASSERT_TRUE( |
| 1132 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); | 1132 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); |
| 1133 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1133 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1134 der::Input(&constraints_der), is_critical())); | 1134 der::Input(&constraints_der), is_critical())); |
| 1135 ASSERT_TRUE(name_constraints); | 1135 ASSERT_TRUE(name_constraints); |
| 1136 | 1136 |
| 1137 std::string name_us_arizona_email; | 1137 std::string name_us_arizona_email; |
| 1138 ASSERT_TRUE( | 1138 ASSERT_TRUE( |
| 1139 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); | 1139 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); |
| 1140 | 1140 |
| 1141 // Name constraints contain rfc822Name, so emailAddress in subject is not | 1141 // Name constraints contain rfc822Name, so emailAddress in subject is not |
| 1142 // allowed if the constraints were critical. | 1142 // allowed if the constraints were critical. |
| 1143 EXPECT_EQ(!is_critical(), | 1143 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
| 1144 name_constraints->IsPermittedCert( | 1144 SequenceValueFromString(&name_us_arizona_email), |
| 1145 SequenceValueFromString(&name_us_arizona_email), der::Input())); | 1145 false, der::Input())); |
| 1146 } | 1146 } |
| 1147 | 1147 |
| 1148 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests | 1148 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests |
| 1149 // are not particularly interesting, just verifying that the commonName is | 1149 // are not particularly interesting, just verifying that the commonName is |
| 1150 // ignored for dNSName constraints. | 1150 // ignored for dNSName constraints. |
| 1151 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { | 1151 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { |
| 1152 std::string constraints_der; | 1152 std::string constraints_der; |
| 1153 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", | 1153 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", |
| 1154 &constraints_der)); | 1154 &constraints_der)); |
| 1155 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1155 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1156 der::Input(&constraints_der), is_critical())); | 1156 der::Input(&constraints_der), is_critical())); |
| 1157 ASSERT_TRUE(name_constraints); | 1157 ASSERT_TRUE(name_constraints); |
| 1158 | 1158 |
| 1159 std::string name_us_az_foocom; | 1159 std::string name_us_az_foocom; |
| 1160 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); | 1160 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); |
| 1161 // The subject is within permitted directoryName constraints, so permitted. | 1161 // The subject is within permitted directoryName constraints, so permitted. |
| 1162 // (The commonName hostname is not within permitted dNSName constraints, so | 1162 // (The commonName hostname is not within permitted dNSName constraints, so |
| 1163 // this would not be permitted if hostnames in commonName were checked.) | 1163 // this would not be permitted if hostnames in commonName were checked.) |
| 1164 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1164 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1165 SequenceValueFromString(&name_us_az_foocom), der::Input())); | 1165 SequenceValueFromString(&name_us_az_foocom), false, der::Input())); |
| 1166 | 1166 |
| 1167 std::string name_us_az_permitted; | 1167 std::string name_us_az_permitted; |
| 1168 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem", | 1168 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem", |
| 1169 &name_us_az_permitted)); | 1169 &name_us_az_permitted)); |
| 1170 // The subject is in permitted directoryName and the commonName is within | 1170 // The subject is in permitted directoryName and the commonName is within |
| 1171 // permitted dNSName constraints, so this should be permitted regardless if | 1171 // permitted dNSName constraints, so this should be permitted regardless if |
| 1172 // hostnames in commonName are checked or not. | 1172 // hostnames in commonName are checked or not. |
| 1173 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1173 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1174 SequenceValueFromString(&name_us_az_permitted), der::Input())); | 1174 SequenceValueFromString(&name_us_az_permitted), false, der::Input())); |
| 1175 | 1175 |
| 1176 std::string name_us_ca_permitted; | 1176 std::string name_us_ca_permitted; |
| 1177 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem", | 1177 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem", |
| 1178 &name_us_ca_permitted)); | 1178 &name_us_ca_permitted)); |
| 1179 // The subject is within the excluded C=US,ST=California directoryName, so | 1179 // The subject is within the excluded C=US,ST=California directoryName, so |
| 1180 // this should not be allowed, regardless of checking the | 1180 // this should not be allowed, regardless of checking the |
| 1181 // permitted.example.com in commonName. | 1181 // permitted.example.com in commonName. |
| 1182 EXPECT_FALSE(name_constraints->IsPermittedCert( | 1182 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 1183 SequenceValueFromString(&name_us_ca_permitted), der::Input())); | 1183 SequenceValueFromString(&name_us_ca_permitted), false, der::Input())); |
| 1184 } | 1184 } |
| 1185 | 1185 |
| 1186 // IP addresses in commonName are not allowed (crbug.com/308330), so these are | 1186 // IP addresses in commonName are not allowed (crbug.com/308330), so these are |
| 1187 // tests are not particularly interesting, just verifying that the commonName is | 1187 // tests are not particularly interesting, just verifying that the commonName is |
| 1188 // ignored for iPAddress constraints. | 1188 // ignored for iPAddress constraints. |
| 1189 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { | 1189 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { |
| 1190 std::string constraints_der; | 1190 std::string constraints_der; |
| 1191 ASSERT_TRUE(LoadTestNameConstraint( | 1191 ASSERT_TRUE(LoadTestNameConstraint( |
| 1192 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); | 1192 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); |
| 1193 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1193 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1194 der::Input(&constraints_der), is_critical())); | 1194 der::Input(&constraints_der), is_critical())); |
| 1195 ASSERT_TRUE(name_constraints); | 1195 ASSERT_TRUE(name_constraints); |
| 1196 | 1196 |
| 1197 std::string name_us_az_1_1_1_1; | 1197 std::string name_us_az_1_1_1_1; |
| 1198 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); | 1198 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); |
| 1199 // The subject is within permitted directoryName constraints, so permitted. | 1199 // The subject is within permitted directoryName constraints, so permitted. |
| 1200 // (The commonName IP address is not within permitted iPAddresses constraints, | 1200 // (The commonName IP address is not within permitted iPAddresses constraints, |
| 1201 // so this would not be permitted if IP addresses in commonName were checked.) | 1201 // so this would not be permitted if IP addresses in commonName were checked.) |
| 1202 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1202 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1203 SequenceValueFromString(&name_us_az_1_1_1_1), der::Input())); | 1203 SequenceValueFromString(&name_us_az_1_1_1_1), false, der::Input())); |
| 1204 | 1204 |
| 1205 std::string name_us_az_192_168_1_1; | 1205 std::string name_us_az_192_168_1_1; |
| 1206 ASSERT_TRUE( | 1206 ASSERT_TRUE( |
| 1207 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1)); | 1207 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1)); |
| 1208 // The subject is in permitted directoryName and the commonName is within | 1208 // The subject is in permitted directoryName and the commonName is within |
| 1209 // permitted iPAddress constraints, so this should be permitted regardless if | 1209 // permitted iPAddress constraints, so this should be permitted regardless if |
| 1210 // IP addresses in commonName are checked or not. | 1210 // IP addresses in commonName are checked or not. |
| 1211 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1211 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1212 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); | 1212 SequenceValueFromString(&name_us_az_192_168_1_1), false, der::Input())); |
| 1213 | 1213 |
| 1214 std::string name_us_ca_192_168_1_1; | 1214 std::string name_us_ca_192_168_1_1; |
| 1215 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem", | 1215 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem", |
| 1216 &name_us_ca_192_168_1_1)); | 1216 &name_us_ca_192_168_1_1)); |
| 1217 // The subject is within the excluded C=US,ST=California directoryName, so | 1217 // The subject is within the excluded C=US,ST=California directoryName, so |
| 1218 // this should not be allowed, regardless of checking the | 1218 // this should not be allowed, regardless of checking the |
| 1219 // IP address in commonName. | 1219 // IP address in commonName. |
| 1220 EXPECT_FALSE(name_constraints->IsPermittedCert( | 1220 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 1221 SequenceValueFromString(&name_us_ca_192_168_1_1), der::Input())); | 1221 SequenceValueFromString(&name_us_ca_192_168_1_1), false, der::Input())); |
| 1222 | 1222 |
| 1223 std::string name_us_az_ipv6; | 1223 std::string name_us_az_ipv6; |
| 1224 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); | 1224 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); |
| 1225 // The subject is within permitted directoryName constraints, so permitted. | 1225 // The subject is within permitted directoryName constraints, so permitted. |
| 1226 // (The commonName is an ipv6 address which wasn't supported in the past, but | 1226 // (The commonName is an ipv6 address which wasn't supported in the past, but |
| 1227 // since commonName checking is ignored entirely, this is permitted.) | 1227 // since commonName checking is ignored entirely, this is permitted.) |
| 1228 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1228 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1229 SequenceValueFromString(&name_us_az_ipv6), der::Input())); | 1229 SequenceValueFromString(&name_us_az_ipv6), false, der::Input())); |
| 1230 } | 1230 } |
| 1231 | 1231 |
| 1232 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) { | 1232 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) { |
| 1233 std::string constraints_der; | 1233 std::string constraints_der; |
| 1234 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &constraints_der)); | 1234 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &constraints_der)); |
| 1235 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1235 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1236 der::Input(&constraints_der), is_critical())); | 1236 der::Input(&constraints_der), is_critical())); |
| 1237 ASSERT_TRUE(name_constraints); | 1237 ASSERT_TRUE(name_constraints); |
| 1238 | 1238 |
| 1239 std::string name_us_az; | 1239 std::string name_us_az; |
| 1240 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); | 1240 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); |
| 1241 | 1241 |
| 1242 // No constraints on directoryName type, so name_us_az should be allowed when | 1242 // No constraints on directoryName type, so name_us_az should be allowed when |
| 1243 // subjectAltName is not present. | 1243 // subjectAltName is not present. |
| 1244 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1244 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1245 SequenceValueFromString(&name_us_az), der::Input())); | 1245 SequenceValueFromString(&name_us_az), false, der::Input())); |
| 1246 | 1246 |
| 1247 std::string san; | 1247 std::string san; |
| 1248 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san)); | 1248 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san)); |
| 1249 // Should fail if subjectAltName is present but empty. | 1249 // Should fail if subjectAltName is present but empty. |
| 1250 EXPECT_FALSE(name_constraints->IsPermittedCert( | 1250 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 1251 SequenceValueFromString(&name_us_az), der::Input(&san))); | 1251 SequenceValueFromString(&name_us_az), true, der::Input(&san))); |
| 1252 } | 1252 } |
| 1253 | 1253 |
| 1254 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) { | 1254 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) { |
| 1255 std::string constraints_der; | 1255 std::string constraints_der; |
| 1256 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &constraints_der)); | 1256 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &constraints_der)); |
| 1257 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( | 1257 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( |
| 1258 der::Input(&constraints_der), is_critical())); | 1258 der::Input(&constraints_der), is_critical())); |
| 1259 ASSERT_TRUE(name_constraints); | 1259 ASSERT_TRUE(name_constraints); |
| 1260 | 1260 |
| 1261 std::string name_us_az_192_168_1_1; | 1261 std::string name_us_az_192_168_1_1; |
| 1262 ASSERT_TRUE( | 1262 ASSERT_TRUE( |
| 1263 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1)); | 1263 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1)); |
| 1264 | 1264 |
| 1265 // Without the invalid subjectAltName, it passes. | 1265 // Without the invalid subjectAltName, it passes. |
| 1266 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1266 EXPECT_TRUE(name_constraints->IsPermittedCert( |
| 1267 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); | 1267 SequenceValueFromString(&name_us_az_192_168_1_1), false, der::Input())); |
| 1268 | 1268 |
| 1269 std::string san; | 1269 std::string san; |
| 1270 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); | 1270 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); |
| 1271 // Should fail if subjectAltName contains an invalid ip address. | 1271 // Should fail if subjectAltName contains an invalid ip address. |
| 1272 EXPECT_FALSE(name_constraints->IsPermittedCert( | 1272 EXPECT_FALSE(name_constraints->IsPermittedCert( |
| 1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input(&san))); | 1273 SequenceValueFromString(&name_us_az_192_168_1_1), true, |
| 1274 der::Input(&san))); |
| 1274 } | 1275 } |
| 1275 | 1276 |
| 1276 } // namespace net | 1277 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1685023002:
Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName param and ParseExtension. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@name-constraints-directorynameparsing