OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/name_constraints.h" | 5 #include "net/cert/internal/name_constraints.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 | 8 |
9 #include "net/base/ip_address.h" | 9 #include "net/base/ip_address.h" |
10 #include "net/cert/internal/test_helpers.h" | 10 #include "net/cert/internal/test_helpers.h" |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
46 } | 46 } |
47 | 47 |
48 ::testing::AssertionResult LoadTestSubjectAltName( | 48 ::testing::AssertionResult LoadTestSubjectAltName( |
49 const std::string& basename, | 49 const std::string& basename, |
50 std::unique_ptr<GeneralNames>* result) { | 50 std::unique_ptr<GeneralNames>* result) { |
51 std::string san_der; | 51 std::string san_der; |
52 ::testing::AssertionResult load_result = | 52 ::testing::AssertionResult load_result = |
53 LoadTestSubjectAltNameData(basename, &san_der); | 53 LoadTestSubjectAltNameData(basename, &san_der); |
54 if (!load_result) | 54 if (!load_result) |
55 return load_result; | 55 return load_result; |
56 *result = GeneralNames::CreateFromDer(der::Input(&san_der)); | 56 *result = GeneralNames::Create(der::Input(&san_der)); |
57 if (!*result) | 57 if (!*result) |
58 return ::testing::AssertionFailure() << "CreateFromDer failed"; | 58 return ::testing::AssertionFailure() << "Create failed"; |
59 return ::testing::AssertionSuccess(); | 59 return ::testing::AssertionSuccess(); |
60 } | 60 } |
61 | 61 |
62 } // namespace | 62 } // namespace |
63 | 63 |
64 class ParseNameConstraints | 64 class ParseNameConstraints |
65 : public ::testing::TestWithParam<::testing::tuple<bool>> { | 65 : public ::testing::TestWithParam<::testing::tuple<bool>> { |
66 public: | 66 public: |
67 bool is_critical() const { return ::testing::get<0>(GetParam()); } | 67 bool is_critical() const { return ::testing::get<0>(GetParam()); } |
68 }; | 68 }; |
69 | 69 |
70 // Run the tests with the name constraints marked critical and non-critical. For | 70 // Run the tests with the name constraints marked critical and non-critical. For |
71 // supported name types, the results should be the same for both. | 71 // supported name types, the results should be the same for both. |
72 INSTANTIATE_TEST_CASE_P(InstantiationName, | 72 INSTANTIATE_TEST_CASE_P(InstantiationName, |
73 ParseNameConstraints, | 73 ParseNameConstraints, |
74 ::testing::Values(true, false)); | 74 ::testing::Values(true, false)); |
75 | 75 |
76 TEST_P(ParseNameConstraints, DNSNames) { | 76 TEST_P(ParseNameConstraints, DNSNames) { |
77 std::string a; | 77 std::string a; |
78 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); | 78 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); |
79 | 79 |
80 std::unique_ptr<NameConstraints> name_constraints( | 80 std::unique_ptr<NameConstraints> name_constraints( |
81 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 81 NameConstraints::Create(der::Input(&a), is_critical())); |
82 ASSERT_TRUE(name_constraints); | 82 ASSERT_TRUE(name_constraints); |
83 | 83 |
84 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); | 84 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); |
85 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com.")); | 85 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com.")); |
86 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com")); | 86 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com")); |
87 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com")); | 87 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com")); |
88 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com.")); | 88 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com.")); |
89 EXPECT_TRUE( | 89 EXPECT_TRUE( |
90 name_constraints->IsPermittedDNSName("alsopermitted.example.com")); | 90 name_constraints->IsPermittedDNSName("alsopermitted.example.com")); |
91 EXPECT_FALSE( | 91 EXPECT_FALSE( |
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
154 | 154 |
155 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 155 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
156 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); | 156 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); |
157 } | 157 } |
158 | 158 |
159 TEST_P(ParseNameConstraints, | 159 TEST_P(ParseNameConstraints, |
160 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { | 160 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { |
161 std::string a; | 161 std::string a; |
162 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); | 162 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); |
163 std::unique_ptr<NameConstraints> name_constraints( | 163 std::unique_ptr<NameConstraints> name_constraints( |
164 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 164 NameConstraints::Create(der::Input(&a), is_critical())); |
165 ASSERT_TRUE(name_constraints); | 165 ASSERT_TRUE(name_constraints); |
166 | 166 |
167 // Matches permitted exactly. | 167 // Matches permitted exactly. |
168 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com")); | 168 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com")); |
169 // Contained within permitted and doesn't match excluded (foo.bar.com). | 169 // Contained within permitted and doesn't match excluded (foo.bar.com). |
170 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com")); | 170 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com")); |
171 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com")); | 171 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com")); |
172 // Matches excluded exactly. | 172 // Matches excluded exactly. |
173 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); | 173 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); |
174 // Contained within excluded. | 174 // Contained within excluded. |
175 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com")); | 175 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com")); |
176 | 176 |
177 // Cannot match anything within excluded. | 177 // Cannot match anything within excluded. |
178 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com")); | 178 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com")); |
179 // Wildcard hostnames only match a single label, so cannot match excluded | 179 // Wildcard hostnames only match a single label, so cannot match excluded |
180 // which has two labels before .com. | 180 // which has two labels before .com. |
181 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com")); | 181 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com")); |
182 | 182 |
183 // Partial match of foo.bar.com. | 183 // Partial match of foo.bar.com. |
184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com")); | 184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com")); |
185 // All expansions of wildcard are within excluded. | 185 // All expansions of wildcard are within excluded. |
186 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com")); | 186 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com")); |
187 } | 187 } |
188 | 188 |
189 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) { | 189 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) { |
190 std::string a; | 190 std::string a; |
191 ASSERT_TRUE( | 191 ASSERT_TRUE( |
192 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a)); | 192 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a)); |
193 std::unique_ptr<NameConstraints> name_constraints( | 193 std::unique_ptr<NameConstraints> name_constraints( |
194 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 194 NameConstraints::Create(der::Input(&a), is_critical())); |
195 ASSERT_TRUE(name_constraints); | 195 ASSERT_TRUE(name_constraints); |
196 | 196 |
197 // dNSName constraints should be specified as a host. A dNSName constraint | 197 // dNSName constraints should be specified as a host. A dNSName constraint |
198 // with a leading "." doesn't make sense, though some certs include it | 198 // with a leading "." doesn't make sense, though some certs include it |
199 // (probably confusing it with the rules for uniformResourceIdentifier | 199 // (probably confusing it with the rules for uniformResourceIdentifier |
200 // constraints). It should not match anything. | 200 // constraints). It should not match anything. |
201 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com")); | 201 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com")); |
202 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com")); | 202 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com")); |
203 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); | 203 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); |
204 } | 204 } |
205 | 205 |
206 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { | 206 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { |
207 std::string a; | 207 std::string a; |
208 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); | 208 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); |
209 | 209 |
210 std::unique_ptr<NameConstraints> name_constraints( | 210 std::unique_ptr<NameConstraints> name_constraints( |
211 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 211 NameConstraints::Create(der::Input(&a), is_critical())); |
212 ASSERT_TRUE(name_constraints); | 212 ASSERT_TRUE(name_constraints); |
213 | 213 |
214 // Only "excluded.permitted.example.com" is excluded, and since permitted is | 214 // Only "excluded.permitted.example.com" is excluded, and since permitted is |
215 // empty, any dNSName outside that is allowed. | 215 // empty, any dNSName outside that is allowed. |
216 EXPECT_TRUE(name_constraints->IsPermittedDNSName("")); | 216 EXPECT_TRUE(name_constraints->IsPermittedDNSName("")); |
217 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com")); | 217 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com")); |
218 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); | 218 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); |
219 EXPECT_FALSE( | 219 EXPECT_FALSE( |
220 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); | 220 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); |
221 EXPECT_FALSE( | 221 EXPECT_FALSE( |
222 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); | 222 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); |
223 } | 223 } |
224 | 224 |
225 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { | 225 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { |
226 std::string a; | 226 std::string a; |
227 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); | 227 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); |
228 | 228 |
229 std::unique_ptr<NameConstraints> name_constraints( | 229 std::unique_ptr<NameConstraints> name_constraints( |
230 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 230 NameConstraints::Create(der::Input(&a), is_critical())); |
231 ASSERT_TRUE(name_constraints); | 231 ASSERT_TRUE(name_constraints); |
232 | 232 |
233 // "permitted.example.com" is in the permitted section, but since "" is | 233 // "permitted.example.com" is in the permitted section, but since "" is |
234 // excluded, nothing is permitted. | 234 // excluded, nothing is permitted. |
235 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); | 235 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); |
236 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); | 236 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); |
237 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); | 237 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); |
238 EXPECT_FALSE( | 238 EXPECT_FALSE( |
239 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); | 239 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); |
240 } | 240 } |
241 | 241 |
242 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) { | 242 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) { |
243 std::string a; | 243 std::string a; |
244 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a)); | 244 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a)); |
245 | 245 |
246 std::unique_ptr<NameConstraints> name_constraints( | 246 std::unique_ptr<NameConstraints> name_constraints( |
247 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 247 NameConstraints::Create(der::Input(&a), is_critical())); |
248 ASSERT_TRUE(name_constraints); | 248 ASSERT_TRUE(name_constraints); |
249 | 249 |
250 // "." is excluded, which should match nothing. | 250 // "." is excluded, which should match nothing. |
251 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); | 251 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); |
252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); | 252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); |
253 EXPECT_TRUE( | 253 EXPECT_TRUE( |
254 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); | 254 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); |
255 } | 255 } |
256 | 256 |
257 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) { | 257 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) { |
258 std::string a; | 258 std::string a; |
259 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); | 259 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); |
260 | 260 |
261 size_t replace_location = a.find("permitted.example2.com"); | 261 size_t replace_location = a.find("permitted.example2.com"); |
262 ASSERT_NE(std::string::npos, replace_location); | 262 ASSERT_NE(std::string::npos, replace_location); |
263 a.replace(replace_location, 1, 1, -1); | 263 a.replace(replace_location, 1, 1, -1); |
264 | 264 |
265 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 265 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
266 } | 266 } |
267 | 267 |
268 TEST_P(ParseNameConstraints, DirectoryNames) { | 268 TEST_P(ParseNameConstraints, DirectoryNames) { |
269 std::string constraints_der; | 269 std::string constraints_der; |
270 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); | 270 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); |
271 | 271 |
272 std::string name_us; | 272 std::string name_us; |
273 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); | 273 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); |
274 std::string name_us_ca; | 274 std::string name_us_ca; |
275 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); | 275 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); |
276 std::string name_us_ca_mountain_view; | 276 std::string name_us_ca_mountain_view; |
277 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", | 277 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", |
278 &name_us_ca_mountain_view)); | 278 &name_us_ca_mountain_view)); |
279 std::string name_us_az; | 279 std::string name_us_az; |
280 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); | 280 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); |
281 std::string name_jp; | 281 std::string name_jp; |
282 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp)); | 282 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp)); |
283 std::string name_jp_tokyo; | 283 std::string name_jp_tokyo; |
284 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo)); | 284 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo)); |
285 std::string name_de; | 285 std::string name_de; |
286 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de)); | 286 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de)); |
287 std::string name_ca; | 287 std::string name_ca; |
288 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca)); | 288 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca)); |
289 | 289 |
290 std::unique_ptr<NameConstraints> name_constraints( | 290 std::unique_ptr<NameConstraints> name_constraints( |
291 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 291 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
292 is_critical())); | |
293 ASSERT_TRUE(name_constraints); | 292 ASSERT_TRUE(name_constraints); |
294 | 293 |
295 // Not in any permitted subtree. | 294 // Not in any permitted subtree. |
296 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 295 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
297 SequenceValueFromString(&name_ca))); | 296 SequenceValueFromString(&name_ca))); |
298 // Within the permitted C=US subtree. | 297 // Within the permitted C=US subtree. |
299 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( | 298 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
300 SequenceValueFromString(&name_us))); | 299 SequenceValueFromString(&name_us))); |
301 // Within the permitted C=US subtree. | 300 // Within the permitted C=US subtree. |
302 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( | 301 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
344 | 343 |
345 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 344 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
346 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); | 345 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); |
347 } | 346 } |
348 | 347 |
349 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { | 348 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { |
350 std::string constraints_der; | 349 std::string constraints_der; |
351 ASSERT_TRUE( | 350 ASSERT_TRUE( |
352 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); | 351 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); |
353 std::unique_ptr<NameConstraints> name_constraints( | 352 std::unique_ptr<NameConstraints> name_constraints( |
354 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 353 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
355 is_critical())); | |
356 ASSERT_TRUE(name_constraints); | 354 ASSERT_TRUE(name_constraints); |
357 | 355 |
358 std::string name_empty; | 356 std::string name_empty; |
359 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); | 357 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); |
360 std::string name_us; | 358 std::string name_us; |
361 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); | 359 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); |
362 std::string name_us_ca; | 360 std::string name_us_ca; |
363 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); | 361 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); |
364 std::string name_us_ca_mountain_view; | 362 std::string name_us_ca_mountain_view; |
365 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", | 363 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", |
366 &name_us_ca_mountain_view)); | 364 &name_us_ca_mountain_view)); |
367 | 365 |
368 // Only "C=US,ST=California" is excluded, and since permitted is empty, | 366 // Only "C=US,ST=California" is excluded, and since permitted is empty, |
369 // any directoryName outside that is allowed. | 367 // any directoryName outside that is allowed. |
370 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( | 368 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
371 SequenceValueFromString(&name_empty))); | 369 SequenceValueFromString(&name_empty))); |
372 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( | 370 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( |
373 SequenceValueFromString(&name_us))); | 371 SequenceValueFromString(&name_us))); |
374 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 372 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
375 SequenceValueFromString(&name_us_ca))); | 373 SequenceValueFromString(&name_us_ca))); |
376 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 374 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
377 SequenceValueFromString(&name_us_ca_mountain_view))); | 375 SequenceValueFromString(&name_us_ca_mountain_view))); |
378 } | 376 } |
379 | 377 |
380 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { | 378 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { |
381 std::string constraints_der; | 379 std::string constraints_der; |
382 ASSERT_TRUE( | 380 ASSERT_TRUE( |
383 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der)); | 381 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der)); |
384 std::unique_ptr<NameConstraints> name_constraints( | 382 std::unique_ptr<NameConstraints> name_constraints( |
385 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 383 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
386 is_critical())); | |
387 ASSERT_TRUE(name_constraints); | 384 ASSERT_TRUE(name_constraints); |
388 | 385 |
389 std::string name_empty; | 386 std::string name_empty; |
390 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); | 387 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); |
391 std::string name_us; | 388 std::string name_us; |
392 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); | 389 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); |
393 std::string name_us_ca; | 390 std::string name_us_ca; |
394 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); | 391 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); |
395 std::string name_us_ca_mountain_view; | 392 std::string name_us_ca_mountain_view; |
396 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", | 393 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", |
(...skipping 11 matching lines...) Expand all Loading... |
408 SequenceValueFromString(&name_us_ca))); | 405 SequenceValueFromString(&name_us_ca))); |
409 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( | 406 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( |
410 SequenceValueFromString(&name_jp))); | 407 SequenceValueFromString(&name_jp))); |
411 } | 408 } |
412 | 409 |
413 TEST_P(ParseNameConstraints, IPAdresses) { | 410 TEST_P(ParseNameConstraints, IPAdresses) { |
414 std::string a; | 411 std::string a; |
415 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a)); | 412 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a)); |
416 | 413 |
417 std::unique_ptr<NameConstraints> name_constraints( | 414 std::unique_ptr<NameConstraints> name_constraints( |
418 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 415 NameConstraints::Create(der::Input(&a), is_critical())); |
419 ASSERT_TRUE(name_constraints); | 416 ASSERT_TRUE(name_constraints); |
420 | 417 |
421 // IPv4 tests: | 418 // IPv4 tests: |
422 | 419 |
423 // Not in any permitted range. | 420 // Not in any permitted range. |
424 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 169, 0, 1))); | 421 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 169, 0, 1))); |
425 | 422 |
426 // Within the permitted 192.168.0.0/255.255.0.0 range. | 423 // Within the permitted 192.168.0.0/255.255.0.0 range. |
427 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); | 424 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); |
428 | 425 |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
523 | 520 |
524 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); | 521 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); |
525 EXPECT_FALSE(name_constraints->IsPermittedCert(der::Input(), san.get())); | 522 EXPECT_FALSE(name_constraints->IsPermittedCert(der::Input(), san.get())); |
526 } | 523 } |
527 | 524 |
528 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { | 525 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { |
529 std::string a; | 526 std::string a; |
530 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); | 527 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); |
531 | 528 |
532 std::unique_ptr<NameConstraints> name_constraints( | 529 std::unique_ptr<NameConstraints> name_constraints( |
533 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 530 NameConstraints::Create(der::Input(&a), is_critical())); |
534 ASSERT_TRUE(name_constraints); | 531 ASSERT_TRUE(name_constraints); |
535 | 532 |
536 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty, | 533 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty, |
537 // any iPAddress outside that is allowed. | 534 // any iPAddress outside that is allowed. |
538 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); | 535 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); |
539 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1))); | 536 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1))); |
540 EXPECT_TRUE(name_constraints->IsPermittedIP( | 537 EXPECT_TRUE(name_constraints->IsPermittedIP( |
541 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); | 538 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); |
542 } | 539 } |
543 | 540 |
544 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { | 541 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { |
545 std::string a; | 542 std::string a; |
546 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); | 543 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); |
547 | 544 |
548 std::unique_ptr<NameConstraints> name_constraints( | 545 std::unique_ptr<NameConstraints> name_constraints( |
549 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 546 NameConstraints::Create(der::Input(&a), is_critical())); |
550 ASSERT_TRUE(name_constraints); | 547 ASSERT_TRUE(name_constraints); |
551 | 548 |
552 // 192.168.0.0/255.255.0.0 and | 549 // 192.168.0.0/255.255.0.0 and |
553 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted, | 550 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted, |
554 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted. | 551 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted. |
555 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); | 552 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); |
556 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(1, 1, 1, 1))); | 553 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(1, 1, 1, 1))); |
557 EXPECT_FALSE(name_constraints->IsPermittedIP( | 554 EXPECT_FALSE(name_constraints->IsPermittedIP( |
558 IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))); | 555 IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))); |
559 EXPECT_FALSE(name_constraints->IsPermittedIP( | 556 EXPECT_FALSE(name_constraints->IsPermittedIP( |
560 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); | 557 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); |
561 } | 558 } |
562 | 559 |
563 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { | 560 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { |
564 std::string a; | 561 std::string a; |
565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a)); | 562 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a)); |
566 | 563 |
567 std::unique_ptr<NameConstraints> name_constraints( | 564 std::unique_ptr<NameConstraints> name_constraints( |
568 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 565 NameConstraints::Create(der::Input(&a), is_critical())); |
569 ASSERT_TRUE(name_constraints); | 566 ASSERT_TRUE(name_constraints); |
570 | 567 |
571 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); | 568 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); |
572 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); | 569 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); |
573 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); | 570 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); |
574 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); | 571 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); |
575 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); | 572 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); |
576 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); | 573 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); |
577 } | 574 } |
578 | 575 |
579 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { | 576 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { |
580 std::string a; | 577 std::string a; |
581 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a)); | 578 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a)); |
582 | 579 |
583 std::unique_ptr<NameConstraints> name_constraints( | 580 std::unique_ptr<NameConstraints> name_constraints( |
584 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 581 NameConstraints::Create(der::Input(&a), is_critical())); |
585 ASSERT_TRUE(name_constraints); | 582 ASSERT_TRUE(name_constraints); |
586 | 583 |
587 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); | 584 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); |
588 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); | 585 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); |
589 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); | 586 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); |
590 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); | 587 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); |
591 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); | 588 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); |
592 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 5))); | 589 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 5))); |
593 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); | 590 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); |
594 } | 591 } |
595 | 592 |
596 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { | 593 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { |
597 std::string a; | 594 std::string a; |
598 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a)); | 595 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a)); |
599 | 596 |
600 std::unique_ptr<NameConstraints> name_constraints( | 597 std::unique_ptr<NameConstraints> name_constraints( |
601 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 598 NameConstraints::Create(der::Input(&a), is_critical())); |
602 ASSERT_TRUE(name_constraints); | 599 ASSERT_TRUE(name_constraints); |
603 | 600 |
604 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); | 601 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); |
605 EXPECT_FALSE( | 602 EXPECT_FALSE( |
606 name_constraints->IsPermittedIP(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))); | 603 name_constraints->IsPermittedIP(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))); |
607 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(0x80, 0, 0, 0))); | 604 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(0x80, 0, 0, 0))); |
608 EXPECT_TRUE( | 605 EXPECT_TRUE( |
609 name_constraints->IsPermittedIP(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))); | 606 name_constraints->IsPermittedIP(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))); |
610 } | 607 } |
611 | 608 |
612 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { | 609 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { |
613 std::string a; | 610 std::string a; |
614 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a)); | 611 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a)); |
615 | 612 |
616 std::unique_ptr<NameConstraints> name_constraints( | 613 std::unique_ptr<NameConstraints> name_constraints( |
617 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 614 NameConstraints::Create(der::Input(&a), is_critical())); |
618 ASSERT_TRUE(name_constraints); | 615 ASSERT_TRUE(name_constraints); |
619 | 616 |
620 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); | 617 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); |
621 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); | 618 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); |
622 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); | 619 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); |
623 } | 620 } |
624 | 621 |
625 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) { | 622 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) { |
626 std::string a; | 623 std::string a; |
627 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a)); | 624 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a)); |
628 | 625 |
629 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 626 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
630 } | 627 } |
631 | 628 |
632 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) { | 629 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) { |
633 std::string a; | 630 std::string a; |
634 ASSERT_TRUE(LoadTestNameConstraint( | 631 ASSERT_TRUE(LoadTestNameConstraint( |
635 "ipaddress-invalid_mask_not_contiguous_1.pem", &a)); | 632 "ipaddress-invalid_mask_not_contiguous_1.pem", &a)); |
636 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 633 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
637 | 634 |
638 ASSERT_TRUE(LoadTestNameConstraint( | 635 ASSERT_TRUE(LoadTestNameConstraint( |
639 "ipaddress-invalid_mask_not_contiguous_2.pem", &a)); | 636 "ipaddress-invalid_mask_not_contiguous_2.pem", &a)); |
640 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 637 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
641 | 638 |
642 ASSERT_TRUE(LoadTestNameConstraint( | 639 ASSERT_TRUE(LoadTestNameConstraint( |
643 "ipaddress-invalid_mask_not_contiguous_3.pem", &a)); | 640 "ipaddress-invalid_mask_not_contiguous_3.pem", &a)); |
644 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 641 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
645 | 642 |
646 ASSERT_TRUE(LoadTestNameConstraint( | 643 ASSERT_TRUE(LoadTestNameConstraint( |
647 "ipaddress-invalid_mask_not_contiguous_4.pem", &a)); | 644 "ipaddress-invalid_mask_not_contiguous_4.pem", &a)); |
648 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); | 645 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical())); |
649 } | 646 } |
650 | 647 |
651 TEST_P(ParseNameConstraints, OtherNamesInPermitted) { | 648 TEST_P(ParseNameConstraints, OtherNamesInPermitted) { |
652 std::string constraints_der; | 649 std::string constraints_der; |
653 ASSERT_TRUE( | 650 ASSERT_TRUE( |
654 LoadTestNameConstraint("othername-permitted.pem", &constraints_der)); | 651 LoadTestNameConstraint("othername-permitted.pem", &constraints_der)); |
655 std::unique_ptr<NameConstraints> name_constraints( | 652 std::unique_ptr<NameConstraints> name_constraints( |
656 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 653 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
657 is_critical())); | |
658 ASSERT_TRUE(name_constraints); | 654 ASSERT_TRUE(name_constraints); |
659 | 655 |
660 if (is_critical()) { | 656 if (is_critical()) { |
661 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, | 657 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, |
662 name_constraints->ConstrainedNameTypes()); | 658 name_constraints->ConstrainedNameTypes()); |
663 } else { | 659 } else { |
664 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 660 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
665 } | 661 } |
666 | 662 |
667 std::unique_ptr<GeneralNames> san; | 663 std::unique_ptr<GeneralNames> san; |
668 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); | 664 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); |
669 EXPECT_EQ(!is_critical(), | 665 EXPECT_EQ(!is_critical(), |
670 name_constraints->IsPermittedCert(der::Input(), san.get())); | 666 name_constraints->IsPermittedCert(der::Input(), san.get())); |
671 } | 667 } |
672 | 668 |
673 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { | 669 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { |
674 std::string constraints_der; | 670 std::string constraints_der; |
675 ASSERT_TRUE( | 671 ASSERT_TRUE( |
676 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); | 672 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); |
677 std::unique_ptr<NameConstraints> name_constraints( | 673 std::unique_ptr<NameConstraints> name_constraints( |
678 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 674 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
679 is_critical())); | |
680 ASSERT_TRUE(name_constraints); | 675 ASSERT_TRUE(name_constraints); |
681 | 676 |
682 if (is_critical()) { | 677 if (is_critical()) { |
683 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, | 678 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, |
684 name_constraints->ConstrainedNameTypes()); | 679 name_constraints->ConstrainedNameTypes()); |
685 } else { | 680 } else { |
686 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 681 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
687 } | 682 } |
688 | 683 |
689 std::unique_ptr<GeneralNames> san; | 684 std::unique_ptr<GeneralNames> san; |
690 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); | 685 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); |
691 EXPECT_EQ(!is_critical(), | 686 EXPECT_EQ(!is_critical(), |
692 name_constraints->IsPermittedCert(der::Input(), san.get())); | 687 name_constraints->IsPermittedCert(der::Input(), san.get())); |
693 } | 688 } |
694 | 689 |
695 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { | 690 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { |
696 std::string constraints_der; | 691 std::string constraints_der; |
697 ASSERT_TRUE( | 692 ASSERT_TRUE( |
698 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); | 693 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); |
699 std::unique_ptr<NameConstraints> name_constraints( | 694 std::unique_ptr<NameConstraints> name_constraints( |
700 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 695 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
701 is_critical())); | |
702 ASSERT_TRUE(name_constraints); | 696 ASSERT_TRUE(name_constraints); |
703 | 697 |
704 if (is_critical()) { | 698 if (is_critical()) { |
705 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, | 699 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, |
706 name_constraints->ConstrainedNameTypes()); | 700 name_constraints->ConstrainedNameTypes()); |
707 } else { | 701 } else { |
708 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 702 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
709 } | 703 } |
710 | 704 |
711 std::unique_ptr<GeneralNames> san; | 705 std::unique_ptr<GeneralNames> san; |
712 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); | 706 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); |
713 EXPECT_EQ(!is_critical(), | 707 EXPECT_EQ(!is_critical(), |
714 name_constraints->IsPermittedCert(der::Input(), san.get())); | 708 name_constraints->IsPermittedCert(der::Input(), san.get())); |
715 } | 709 } |
716 | 710 |
717 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { | 711 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { |
718 std::string constraints_der; | 712 std::string constraints_der; |
719 ASSERT_TRUE( | 713 ASSERT_TRUE( |
720 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); | 714 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); |
721 std::unique_ptr<NameConstraints> name_constraints( | 715 std::unique_ptr<NameConstraints> name_constraints( |
722 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 716 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
723 is_critical())); | |
724 ASSERT_TRUE(name_constraints); | 717 ASSERT_TRUE(name_constraints); |
725 | 718 |
726 if (is_critical()) { | 719 if (is_critical()) { |
727 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, | 720 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, |
728 name_constraints->ConstrainedNameTypes()); | 721 name_constraints->ConstrainedNameTypes()); |
729 } else { | 722 } else { |
730 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 723 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
731 } | 724 } |
732 | 725 |
733 std::unique_ptr<GeneralNames> san; | 726 std::unique_ptr<GeneralNames> san; |
734 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); | 727 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); |
735 EXPECT_EQ(!is_critical(), | 728 EXPECT_EQ(!is_critical(), |
736 name_constraints->IsPermittedCert(der::Input(), san.get())); | 729 name_constraints->IsPermittedCert(der::Input(), san.get())); |
737 } | 730 } |
738 | 731 |
739 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { | 732 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { |
740 std::string constraints_der; | 733 std::string constraints_der; |
741 ASSERT_TRUE( | 734 ASSERT_TRUE( |
742 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); | 735 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); |
743 std::unique_ptr<NameConstraints> name_constraints( | 736 std::unique_ptr<NameConstraints> name_constraints( |
744 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 737 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
745 is_critical())); | |
746 ASSERT_TRUE(name_constraints); | 738 ASSERT_TRUE(name_constraints); |
747 | 739 |
748 if (is_critical()) { | 740 if (is_critical()) { |
749 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, | 741 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, |
750 name_constraints->ConstrainedNameTypes()); | 742 name_constraints->ConstrainedNameTypes()); |
751 } else { | 743 } else { |
752 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 744 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
753 } | 745 } |
754 | 746 |
755 std::unique_ptr<GeneralNames> san; | 747 std::unique_ptr<GeneralNames> san; |
756 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); | 748 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); |
757 EXPECT_EQ(!is_critical(), | 749 EXPECT_EQ(!is_critical(), |
758 name_constraints->IsPermittedCert(der::Input(), san.get())); | 750 name_constraints->IsPermittedCert(der::Input(), san.get())); |
759 } | 751 } |
760 | 752 |
761 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { | 753 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { |
762 std::string constraints_der; | 754 std::string constraints_der; |
763 ASSERT_TRUE( | 755 ASSERT_TRUE( |
764 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); | 756 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); |
765 std::unique_ptr<NameConstraints> name_constraints( | 757 std::unique_ptr<NameConstraints> name_constraints( |
766 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 758 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
767 is_critical())); | |
768 ASSERT_TRUE(name_constraints); | 759 ASSERT_TRUE(name_constraints); |
769 | 760 |
770 if (is_critical()) { | 761 if (is_critical()) { |
771 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, | 762 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, |
772 name_constraints->ConstrainedNameTypes()); | 763 name_constraints->ConstrainedNameTypes()); |
773 } else { | 764 } else { |
774 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 765 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
775 } | 766 } |
776 | 767 |
777 std::unique_ptr<GeneralNames> san; | 768 std::unique_ptr<GeneralNames> san; |
778 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); | 769 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); |
779 EXPECT_EQ(!is_critical(), | 770 EXPECT_EQ(!is_critical(), |
780 name_constraints->IsPermittedCert(der::Input(), san.get())); | 771 name_constraints->IsPermittedCert(der::Input(), san.get())); |
781 } | 772 } |
782 | 773 |
783 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { | 774 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { |
784 std::string constraints_der; | 775 std::string constraints_der; |
785 ASSERT_TRUE( | 776 ASSERT_TRUE( |
786 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); | 777 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); |
787 std::unique_ptr<NameConstraints> name_constraints( | 778 std::unique_ptr<NameConstraints> name_constraints( |
788 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 779 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
789 is_critical())); | |
790 ASSERT_TRUE(name_constraints); | 780 ASSERT_TRUE(name_constraints); |
791 | 781 |
792 if (is_critical()) { | 782 if (is_critical()) { |
793 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, | 783 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, |
794 name_constraints->ConstrainedNameTypes()); | 784 name_constraints->ConstrainedNameTypes()); |
795 } else { | 785 } else { |
796 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 786 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
797 } | 787 } |
798 | 788 |
799 std::unique_ptr<GeneralNames> san; | 789 std::unique_ptr<GeneralNames> san; |
800 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); | 790 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); |
801 EXPECT_EQ(!is_critical(), | 791 EXPECT_EQ(!is_critical(), |
802 name_constraints->IsPermittedCert(der::Input(), san.get())); | 792 name_constraints->IsPermittedCert(der::Input(), san.get())); |
803 } | 793 } |
804 | 794 |
805 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { | 795 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { |
806 std::string constraints_der; | 796 std::string constraints_der; |
807 ASSERT_TRUE( | 797 ASSERT_TRUE( |
808 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); | 798 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); |
809 std::unique_ptr<NameConstraints> name_constraints( | 799 std::unique_ptr<NameConstraints> name_constraints( |
810 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 800 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
811 is_critical())); | |
812 ASSERT_TRUE(name_constraints); | 801 ASSERT_TRUE(name_constraints); |
813 | 802 |
814 if (is_critical()) { | 803 if (is_critical()) { |
815 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, | 804 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, |
816 name_constraints->ConstrainedNameTypes()); | 805 name_constraints->ConstrainedNameTypes()); |
817 } else { | 806 } else { |
818 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 807 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
819 } | 808 } |
820 | 809 |
821 std::unique_ptr<GeneralNames> san; | 810 std::unique_ptr<GeneralNames> san; |
822 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); | 811 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); |
823 EXPECT_EQ(!is_critical(), | 812 EXPECT_EQ(!is_critical(), |
824 name_constraints->IsPermittedCert(der::Input(), san.get())); | 813 name_constraints->IsPermittedCert(der::Input(), san.get())); |
825 } | 814 } |
826 | 815 |
827 TEST_P(ParseNameConstraints, URIsInPermitted) { | 816 TEST_P(ParseNameConstraints, URIsInPermitted) { |
828 std::string constraints_der; | 817 std::string constraints_der; |
829 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); | 818 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); |
830 std::unique_ptr<NameConstraints> name_constraints( | 819 std::unique_ptr<NameConstraints> name_constraints( |
831 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 820 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
832 is_critical())); | |
833 ASSERT_TRUE(name_constraints); | 821 ASSERT_TRUE(name_constraints); |
834 | 822 |
835 if (is_critical()) { | 823 if (is_critical()) { |
836 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, | 824 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, |
837 name_constraints->ConstrainedNameTypes()); | 825 name_constraints->ConstrainedNameTypes()); |
838 } else { | 826 } else { |
839 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 827 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
840 } | 828 } |
841 | 829 |
842 std::unique_ptr<GeneralNames> san; | 830 std::unique_ptr<GeneralNames> san; |
843 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); | 831 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); |
844 EXPECT_EQ(!is_critical(), | 832 EXPECT_EQ(!is_critical(), |
845 name_constraints->IsPermittedCert(der::Input(), san.get())); | 833 name_constraints->IsPermittedCert(der::Input(), san.get())); |
846 } | 834 } |
847 | 835 |
848 TEST_P(ParseNameConstraints, URIsInExcluded) { | 836 TEST_P(ParseNameConstraints, URIsInExcluded) { |
849 std::string constraints_der; | 837 std::string constraints_der; |
850 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); | 838 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); |
851 std::unique_ptr<NameConstraints> name_constraints( | 839 std::unique_ptr<NameConstraints> name_constraints( |
852 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 840 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
853 is_critical())); | |
854 ASSERT_TRUE(name_constraints); | 841 ASSERT_TRUE(name_constraints); |
855 | 842 |
856 if (is_critical()) { | 843 if (is_critical()) { |
857 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, | 844 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, |
858 name_constraints->ConstrainedNameTypes()); | 845 name_constraints->ConstrainedNameTypes()); |
859 } else { | 846 } else { |
860 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 847 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
861 } | 848 } |
862 | 849 |
863 std::unique_ptr<GeneralNames> san; | 850 std::unique_ptr<GeneralNames> san; |
864 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); | 851 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); |
865 EXPECT_EQ(!is_critical(), | 852 EXPECT_EQ(!is_critical(), |
866 name_constraints->IsPermittedCert(der::Input(), san.get())); | 853 name_constraints->IsPermittedCert(der::Input(), san.get())); |
867 } | 854 } |
868 | 855 |
869 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { | 856 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { |
870 std::string constraints_der; | 857 std::string constraints_der; |
871 ASSERT_TRUE( | 858 ASSERT_TRUE( |
872 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); | 859 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); |
873 std::unique_ptr<NameConstraints> name_constraints( | 860 std::unique_ptr<NameConstraints> name_constraints( |
874 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 861 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
875 is_critical())); | |
876 ASSERT_TRUE(name_constraints); | 862 ASSERT_TRUE(name_constraints); |
877 | 863 |
878 if (is_critical()) { | 864 if (is_critical()) { |
879 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, | 865 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, |
880 name_constraints->ConstrainedNameTypes()); | 866 name_constraints->ConstrainedNameTypes()); |
881 } else { | 867 } else { |
882 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 868 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
883 } | 869 } |
884 | 870 |
885 std::unique_ptr<GeneralNames> san; | 871 std::unique_ptr<GeneralNames> san; |
886 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); | 872 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); |
887 EXPECT_EQ(!is_critical(), | 873 EXPECT_EQ(!is_critical(), |
888 name_constraints->IsPermittedCert(der::Input(), san.get())); | 874 name_constraints->IsPermittedCert(der::Input(), san.get())); |
889 } | 875 } |
890 | 876 |
891 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { | 877 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { |
892 std::string constraints_der; | 878 std::string constraints_der; |
893 ASSERT_TRUE( | 879 ASSERT_TRUE( |
894 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); | 880 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); |
895 std::unique_ptr<NameConstraints> name_constraints( | 881 std::unique_ptr<NameConstraints> name_constraints( |
896 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 882 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
897 is_critical())); | |
898 ASSERT_TRUE(name_constraints); | 883 ASSERT_TRUE(name_constraints); |
899 | 884 |
900 if (is_critical()) { | 885 if (is_critical()) { |
901 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, | 886 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, |
902 name_constraints->ConstrainedNameTypes()); | 887 name_constraints->ConstrainedNameTypes()); |
903 } else { | 888 } else { |
904 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); | 889 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); |
905 } | 890 } |
906 | 891 |
907 std::unique_ptr<GeneralNames> san; | 892 std::unique_ptr<GeneralNames> san; |
908 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); | 893 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); |
909 EXPECT_EQ(!is_critical(), | 894 EXPECT_EQ(!is_critical(), |
910 name_constraints->IsPermittedCert(der::Input(), san.get())); | 895 name_constraints->IsPermittedCert(der::Input(), san.get())); |
911 } | 896 } |
912 | 897 |
913 TEST_P(ParseNameConstraints, | 898 TEST_P(ParseNameConstraints, |
914 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { | 899 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { |
915 std::string constraints_der; | 900 std::string constraints_der; |
916 ASSERT_TRUE( | 901 ASSERT_TRUE( |
917 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); | 902 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); |
918 // The value should not be in the DER encoding if it is the default. But this | 903 // The value should not be in the DER encoding if it is the default. But this |
919 // could be changed to allowed if there are buggy encoders out there that | 904 // could be changed to allowed if there are buggy encoders out there that |
920 // include it anyway. | 905 // include it anyway. |
921 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 906 EXPECT_FALSE( |
922 is_critical())); | 907 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
923 } | 908 } |
924 | 909 |
925 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) { | 910 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) { |
926 std::string constraints_der; | 911 std::string constraints_der; |
927 ASSERT_TRUE( | 912 ASSERT_TRUE( |
928 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der)); | 913 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der)); |
929 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 914 EXPECT_FALSE( |
930 is_critical())); | 915 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
931 } | 916 } |
932 | 917 |
933 TEST_P(ParseNameConstraints, | 918 TEST_P(ParseNameConstraints, |
934 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) { | 919 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) { |
935 std::string constraints_der; | 920 std::string constraints_der; |
936 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem", | 921 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem", |
937 &constraints_der)); | 922 &constraints_der)); |
938 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 923 EXPECT_FALSE( |
939 is_critical())); | 924 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
940 } | 925 } |
941 | 926 |
942 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) { | 927 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) { |
943 std::string constraints_der; | 928 std::string constraints_der; |
944 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem", | 929 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem", |
945 &constraints_der)); | 930 &constraints_der)); |
946 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 931 EXPECT_FALSE( |
947 is_critical())); | 932 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
948 } | 933 } |
949 | 934 |
950 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) { | 935 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) { |
951 std::string constraints_der; | 936 std::string constraints_der; |
952 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der)); | 937 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der)); |
953 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 938 EXPECT_FALSE( |
954 is_critical())); | 939 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
955 } | 940 } |
956 | 941 |
957 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) { | 942 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) { |
958 std::string constraints_der = ""; | 943 std::string constraints_der = ""; |
959 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 944 EXPECT_FALSE( |
960 is_critical())); | 945 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
961 } | 946 } |
962 | 947 |
963 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) { | 948 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) { |
964 std::string constraints_der; | 949 std::string constraints_der; |
965 ASSERT_TRUE( | 950 ASSERT_TRUE( |
966 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der)); | 951 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der)); |
967 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 952 EXPECT_FALSE( |
968 is_critical())); | 953 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
969 } | 954 } |
970 | 955 |
971 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) { | 956 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) { |
972 std::string constraints_der; | 957 std::string constraints_der; |
973 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem", | 958 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem", |
974 &constraints_der)); | 959 &constraints_der)); |
975 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 960 EXPECT_FALSE( |
976 is_critical())); | 961 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
977 } | 962 } |
978 | 963 |
979 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) { | 964 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) { |
980 std::string constraints_der; | 965 std::string constraints_der; |
981 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem", | 966 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem", |
982 &constraints_der)); | 967 &constraints_der)); |
983 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), | 968 EXPECT_FALSE( |
984 is_critical())); | 969 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
985 } | 970 } |
986 | 971 |
987 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { | 972 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { |
988 std::string constraints_der; | 973 std::string constraints_der; |
989 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); | 974 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); |
990 std::unique_ptr<NameConstraints> name_constraints( | 975 std::unique_ptr<NameConstraints> name_constraints( |
991 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 976 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
992 is_critical())); | |
993 ASSERT_TRUE(name_constraints); | 977 ASSERT_TRUE(name_constraints); |
994 | 978 |
995 std::string name_us_arizona_email; | 979 std::string name_us_arizona_email; |
996 ASSERT_TRUE( | 980 ASSERT_TRUE( |
997 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); | 981 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); |
998 | 982 |
999 // Name constraints don't contain rfc822Name, so emailAddress in subject is | 983 // Name constraints don't contain rfc822Name, so emailAddress in subject is |
1000 // allowed regardless. | 984 // allowed regardless. |
1001 EXPECT_TRUE(name_constraints->IsPermittedCert( | 985 EXPECT_TRUE(name_constraints->IsPermittedCert( |
1002 SequenceValueFromString(&name_us_arizona_email), | 986 SequenceValueFromString(&name_us_arizona_email), |
1003 nullptr /* subject_alt_names */)); | 987 nullptr /* subject_alt_names */)); |
1004 } | 988 } |
1005 | 989 |
1006 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { | 990 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { |
1007 std::string constraints_der; | 991 std::string constraints_der; |
1008 ASSERT_TRUE( | 992 ASSERT_TRUE( |
1009 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); | 993 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); |
1010 std::unique_ptr<NameConstraints> name_constraints( | 994 std::unique_ptr<NameConstraints> name_constraints( |
1011 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 995 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
1012 is_critical())); | |
1013 ASSERT_TRUE(name_constraints); | 996 ASSERT_TRUE(name_constraints); |
1014 | 997 |
1015 std::string name_us_arizona_email; | 998 std::string name_us_arizona_email; |
1016 ASSERT_TRUE( | 999 ASSERT_TRUE( |
1017 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); | 1000 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); |
1018 | 1001 |
1019 // Name constraints contain rfc822Name, so emailAddress in subject is not | 1002 // Name constraints contain rfc822Name, so emailAddress in subject is not |
1020 // allowed if the constraints were critical. | 1003 // allowed if the constraints were critical. |
1021 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( | 1004 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( |
1022 SequenceValueFromString(&name_us_arizona_email), | 1005 SequenceValueFromString(&name_us_arizona_email), |
1023 nullptr /* subject_alt_names */)); | 1006 nullptr /* subject_alt_names */)); |
1024 } | 1007 } |
1025 | 1008 |
1026 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests | 1009 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests |
1027 // are not particularly interesting, just verifying that the commonName is | 1010 // are not particularly interesting, just verifying that the commonName is |
1028 // ignored for dNSName constraints. | 1011 // ignored for dNSName constraints. |
1029 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { | 1012 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { |
1030 std::string constraints_der; | 1013 std::string constraints_der; |
1031 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", | 1014 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", |
1032 &constraints_der)); | 1015 &constraints_der)); |
1033 std::unique_ptr<NameConstraints> name_constraints( | 1016 std::unique_ptr<NameConstraints> name_constraints( |
1034 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 1017 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
1035 is_critical())); | |
1036 ASSERT_TRUE(name_constraints); | 1018 ASSERT_TRUE(name_constraints); |
1037 | 1019 |
1038 std::string name_us_az_foocom; | 1020 std::string name_us_az_foocom; |
1039 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); | 1021 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); |
1040 // The subject is within permitted directoryName constraints, so permitted. | 1022 // The subject is within permitted directoryName constraints, so permitted. |
1041 // (The commonName hostname is not within permitted dNSName constraints, so | 1023 // (The commonName hostname is not within permitted dNSName constraints, so |
1042 // this would not be permitted if hostnames in commonName were checked.) | 1024 // this would not be permitted if hostnames in commonName were checked.) |
1043 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1025 EXPECT_TRUE(name_constraints->IsPermittedCert( |
1044 SequenceValueFromString(&name_us_az_foocom), | 1026 SequenceValueFromString(&name_us_az_foocom), |
1045 nullptr /* subject_alt_names */)); | 1027 nullptr /* subject_alt_names */)); |
(...skipping 20 matching lines...) Expand all Loading... |
1066 } | 1048 } |
1067 | 1049 |
1068 // IP addresses in commonName are not allowed (crbug.com/308330), so these are | 1050 // IP addresses in commonName are not allowed (crbug.com/308330), so these are |
1069 // tests are not particularly interesting, just verifying that the commonName is | 1051 // tests are not particularly interesting, just verifying that the commonName is |
1070 // ignored for iPAddress constraints. | 1052 // ignored for iPAddress constraints. |
1071 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { | 1053 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { |
1072 std::string constraints_der; | 1054 std::string constraints_der; |
1073 ASSERT_TRUE(LoadTestNameConstraint( | 1055 ASSERT_TRUE(LoadTestNameConstraint( |
1074 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); | 1056 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); |
1075 std::unique_ptr<NameConstraints> name_constraints( | 1057 std::unique_ptr<NameConstraints> name_constraints( |
1076 NameConstraints::CreateFromDer(der::Input(&constraints_der), | 1058 NameConstraints::Create(der::Input(&constraints_der), is_critical())); |
1077 is_critical())); | |
1078 ASSERT_TRUE(name_constraints); | 1059 ASSERT_TRUE(name_constraints); |
1079 | 1060 |
1080 std::string name_us_az_1_1_1_1; | 1061 std::string name_us_az_1_1_1_1; |
1081 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); | 1062 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); |
1082 // The subject is within permitted directoryName constraints, so permitted. | 1063 // The subject is within permitted directoryName constraints, so permitted. |
1083 // (The commonName IP address is not within permitted iPAddresses constraints, | 1064 // (The commonName IP address is not within permitted iPAddresses constraints, |
1084 // so this would not be permitted if IP addresses in commonName were checked.) | 1065 // so this would not be permitted if IP addresses in commonName were checked.) |
1085 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1066 EXPECT_TRUE(name_constraints->IsPermittedCert( |
1086 SequenceValueFromString(&name_us_az_1_1_1_1), | 1067 SequenceValueFromString(&name_us_az_1_1_1_1), |
1087 nullptr /* subject_alt_names */)); | 1068 nullptr /* subject_alt_names */)); |
(...skipping 21 matching lines...) Expand all Loading... |
1109 std::string name_us_az_ipv6; | 1090 std::string name_us_az_ipv6; |
1110 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); | 1091 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); |
1111 // The subject is within permitted directoryName constraints, so permitted. | 1092 // The subject is within permitted directoryName constraints, so permitted. |
1112 // (The commonName is an ipv6 address which wasn't supported in the past, but | 1093 // (The commonName is an ipv6 address which wasn't supported in the past, but |
1113 // since commonName checking is ignored entirely, this is permitted.) | 1094 // since commonName checking is ignored entirely, this is permitted.) |
1114 EXPECT_TRUE(name_constraints->IsPermittedCert( | 1095 EXPECT_TRUE(name_constraints->IsPermittedCert( |
1115 SequenceValueFromString(&name_us_az_ipv6), | 1096 SequenceValueFromString(&name_us_az_ipv6), |
1116 nullptr /* subject_alt_names */)); | 1097 nullptr /* subject_alt_names */)); |
1117 } | 1098 } |
1118 | 1099 |
1119 TEST_P(ParseNameConstraints, | 1100 TEST_P(ParseNameConstraints, GeneralNamesCreateFailsOnEmptySubjectAltName) { |
1120 GeneralNamesCreateFromDerFailsOnEmptySubjectAltName) { | |
1121 std::string invalid_san_der; | 1101 std::string invalid_san_der; |
1122 ASSERT_TRUE( | 1102 ASSERT_TRUE( |
1123 LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der)); | 1103 LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der)); |
1124 EXPECT_FALSE(GeneralNames::CreateFromDer(der::Input(&invalid_san_der))); | 1104 EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der))); |
1125 } | 1105 } |
1126 | 1106 |
1127 TEST_P(ParseNameConstraints, | 1107 TEST_P(ParseNameConstraints, |
1128 GeneralNamesCreateFromDerFailsOnInvalidIpInSubjectAltName) { | 1108 GeneralNamesCreateFailsOnInvalidIpInSubjectAltName) { |
1129 std::string invalid_san_der; | 1109 std::string invalid_san_der; |
1130 ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem", | 1110 ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem", |
1131 &invalid_san_der)); | 1111 &invalid_san_der)); |
1132 EXPECT_FALSE(GeneralNames::CreateFromDer(der::Input(&invalid_san_der))); | 1112 EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der))); |
1133 } | 1113 } |
1134 | 1114 |
1135 } // namespace net | 1115 } // namespace net |
OLD | NEW |