Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(181)

Side by Side Diff: net/cert/internal/name_constraints_unittest.cc

Issue 2353333003: Rename CreateFromDer() to Create(). (Closed)
Patch Set: rebase Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/cert/internal/parse_certificate.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/name_constraints.h" 5 #include "net/cert/internal/name_constraints.h"
6 6
7 #include <memory> 7 #include <memory>
8 8
9 #include "net/base/ip_address.h" 9 #include "net/base/ip_address.h"
10 #include "net/cert/internal/test_helpers.h" 10 #include "net/cert/internal/test_helpers.h"
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after
46 } 46 }
47 47
48 ::testing::AssertionResult LoadTestSubjectAltName( 48 ::testing::AssertionResult LoadTestSubjectAltName(
49 const std::string& basename, 49 const std::string& basename,
50 std::unique_ptr<GeneralNames>* result) { 50 std::unique_ptr<GeneralNames>* result) {
51 std::string san_der; 51 std::string san_der;
52 ::testing::AssertionResult load_result = 52 ::testing::AssertionResult load_result =
53 LoadTestSubjectAltNameData(basename, &san_der); 53 LoadTestSubjectAltNameData(basename, &san_der);
54 if (!load_result) 54 if (!load_result)
55 return load_result; 55 return load_result;
56 *result = GeneralNames::CreateFromDer(der::Input(&san_der)); 56 *result = GeneralNames::Create(der::Input(&san_der));
57 if (!*result) 57 if (!*result)
58 return ::testing::AssertionFailure() << "CreateFromDer failed"; 58 return ::testing::AssertionFailure() << "Create failed";
59 return ::testing::AssertionSuccess(); 59 return ::testing::AssertionSuccess();
60 } 60 }
61 61
62 } // namespace 62 } // namespace
63 63
64 class ParseNameConstraints 64 class ParseNameConstraints
65 : public ::testing::TestWithParam<::testing::tuple<bool>> { 65 : public ::testing::TestWithParam<::testing::tuple<bool>> {
66 public: 66 public:
67 bool is_critical() const { return ::testing::get<0>(GetParam()); } 67 bool is_critical() const { return ::testing::get<0>(GetParam()); }
68 }; 68 };
69 69
70 // Run the tests with the name constraints marked critical and non-critical. For 70 // Run the tests with the name constraints marked critical and non-critical. For
71 // supported name types, the results should be the same for both. 71 // supported name types, the results should be the same for both.
72 INSTANTIATE_TEST_CASE_P(InstantiationName, 72 INSTANTIATE_TEST_CASE_P(InstantiationName,
73 ParseNameConstraints, 73 ParseNameConstraints,
74 ::testing::Values(true, false)); 74 ::testing::Values(true, false));
75 75
76 TEST_P(ParseNameConstraints, DNSNames) { 76 TEST_P(ParseNameConstraints, DNSNames) {
77 std::string a; 77 std::string a;
78 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); 78 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
79 79
80 std::unique_ptr<NameConstraints> name_constraints( 80 std::unique_ptr<NameConstraints> name_constraints(
81 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 81 NameConstraints::Create(der::Input(&a), is_critical()));
82 ASSERT_TRUE(name_constraints); 82 ASSERT_TRUE(name_constraints);
83 83
84 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); 84 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
85 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com.")); 85 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
86 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com")); 86 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
87 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com")); 87 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
88 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com.")); 88 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
89 EXPECT_TRUE( 89 EXPECT_TRUE(
90 name_constraints->IsPermittedDNSName("alsopermitted.example.com")); 90 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
91 EXPECT_FALSE( 91 EXPECT_FALSE(
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
154 154
155 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 155 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
156 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); 156 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get()));
157 } 157 }
158 158
159 TEST_P(ParseNameConstraints, 159 TEST_P(ParseNameConstraints,
160 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { 160 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
161 std::string a; 161 std::string a;
162 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); 162 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
163 std::unique_ptr<NameConstraints> name_constraints( 163 std::unique_ptr<NameConstraints> name_constraints(
164 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 164 NameConstraints::Create(der::Input(&a), is_critical()));
165 ASSERT_TRUE(name_constraints); 165 ASSERT_TRUE(name_constraints);
166 166
167 // Matches permitted exactly. 167 // Matches permitted exactly.
168 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com")); 168 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
169 // Contained within permitted and doesn't match excluded (foo.bar.com). 169 // Contained within permitted and doesn't match excluded (foo.bar.com).
170 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com")); 170 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
171 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com")); 171 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
172 // Matches excluded exactly. 172 // Matches excluded exactly.
173 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); 173 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
174 // Contained within excluded. 174 // Contained within excluded.
175 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com")); 175 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
176 176
177 // Cannot match anything within excluded. 177 // Cannot match anything within excluded.
178 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com")); 178 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
179 // Wildcard hostnames only match a single label, so cannot match excluded 179 // Wildcard hostnames only match a single label, so cannot match excluded
180 // which has two labels before .com. 180 // which has two labels before .com.
181 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com")); 181 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
182 182
183 // Partial match of foo.bar.com. 183 // Partial match of foo.bar.com.
184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com")); 184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
185 // All expansions of wildcard are within excluded. 185 // All expansions of wildcard are within excluded.
186 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com")); 186 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
187 } 187 }
188 188
189 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) { 189 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
190 std::string a; 190 std::string a;
191 ASSERT_TRUE( 191 ASSERT_TRUE(
192 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a)); 192 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
193 std::unique_ptr<NameConstraints> name_constraints( 193 std::unique_ptr<NameConstraints> name_constraints(
194 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 194 NameConstraints::Create(der::Input(&a), is_critical()));
195 ASSERT_TRUE(name_constraints); 195 ASSERT_TRUE(name_constraints);
196 196
197 // dNSName constraints should be specified as a host. A dNSName constraint 197 // dNSName constraints should be specified as a host. A dNSName constraint
198 // with a leading "." doesn't make sense, though some certs include it 198 // with a leading "." doesn't make sense, though some certs include it
199 // (probably confusing it with the rules for uniformResourceIdentifier 199 // (probably confusing it with the rules for uniformResourceIdentifier
200 // constraints). It should not match anything. 200 // constraints). It should not match anything.
201 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com")); 201 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
202 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com")); 202 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
203 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); 203 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
204 } 204 }
205 205
206 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { 206 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
207 std::string a; 207 std::string a;
208 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); 208 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
209 209
210 std::unique_ptr<NameConstraints> name_constraints( 210 std::unique_ptr<NameConstraints> name_constraints(
211 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 211 NameConstraints::Create(der::Input(&a), is_critical()));
212 ASSERT_TRUE(name_constraints); 212 ASSERT_TRUE(name_constraints);
213 213
214 // Only "excluded.permitted.example.com" is excluded, and since permitted is 214 // Only "excluded.permitted.example.com" is excluded, and since permitted is
215 // empty, any dNSName outside that is allowed. 215 // empty, any dNSName outside that is allowed.
216 EXPECT_TRUE(name_constraints->IsPermittedDNSName("")); 216 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
217 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com")); 217 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
218 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); 218 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
219 EXPECT_FALSE( 219 EXPECT_FALSE(
220 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); 220 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
221 EXPECT_FALSE( 221 EXPECT_FALSE(
222 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); 222 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
223 } 223 }
224 224
225 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { 225 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
226 std::string a; 226 std::string a;
227 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); 227 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
228 228
229 std::unique_ptr<NameConstraints> name_constraints( 229 std::unique_ptr<NameConstraints> name_constraints(
230 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 230 NameConstraints::Create(der::Input(&a), is_critical()));
231 ASSERT_TRUE(name_constraints); 231 ASSERT_TRUE(name_constraints);
232 232
233 // "permitted.example.com" is in the permitted section, but since "" is 233 // "permitted.example.com" is in the permitted section, but since "" is
234 // excluded, nothing is permitted. 234 // excluded, nothing is permitted.
235 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); 235 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
236 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 236 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
237 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); 237 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
238 EXPECT_FALSE( 238 EXPECT_FALSE(
239 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); 239 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
240 } 240 }
241 241
242 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) { 242 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
243 std::string a; 243 std::string a;
244 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a)); 244 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
245 245
246 std::unique_ptr<NameConstraints> name_constraints( 246 std::unique_ptr<NameConstraints> name_constraints(
247 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 247 NameConstraints::Create(der::Input(&a), is_critical()));
248 ASSERT_TRUE(name_constraints); 248 ASSERT_TRUE(name_constraints);
249 249
250 // "." is excluded, which should match nothing. 250 // "." is excluded, which should match nothing.
251 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 251 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); 252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
253 EXPECT_TRUE( 253 EXPECT_TRUE(
254 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); 254 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
255 } 255 }
256 256
257 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) { 257 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
258 std::string a; 258 std::string a;
259 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); 259 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
260 260
261 size_t replace_location = a.find("permitted.example2.com"); 261 size_t replace_location = a.find("permitted.example2.com");
262 ASSERT_NE(std::string::npos, replace_location); 262 ASSERT_NE(std::string::npos, replace_location);
263 a.replace(replace_location, 1, 1, -1); 263 a.replace(replace_location, 1, 1, -1);
264 264
265 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 265 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
266 } 266 }
267 267
268 TEST_P(ParseNameConstraints, DirectoryNames) { 268 TEST_P(ParseNameConstraints, DirectoryNames) {
269 std::string constraints_der; 269 std::string constraints_der;
270 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); 270 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
271 271
272 std::string name_us; 272 std::string name_us;
273 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 273 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
274 std::string name_us_ca; 274 std::string name_us_ca;
275 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 275 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
276 std::string name_us_ca_mountain_view; 276 std::string name_us_ca_mountain_view;
277 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 277 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
278 &name_us_ca_mountain_view)); 278 &name_us_ca_mountain_view));
279 std::string name_us_az; 279 std::string name_us_az;
280 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); 280 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
281 std::string name_jp; 281 std::string name_jp;
282 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp)); 282 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
283 std::string name_jp_tokyo; 283 std::string name_jp_tokyo;
284 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo)); 284 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
285 std::string name_de; 285 std::string name_de;
286 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de)); 286 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
287 std::string name_ca; 287 std::string name_ca;
288 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca)); 288 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
289 289
290 std::unique_ptr<NameConstraints> name_constraints( 290 std::unique_ptr<NameConstraints> name_constraints(
291 NameConstraints::CreateFromDer(der::Input(&constraints_der), 291 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
292 is_critical()));
293 ASSERT_TRUE(name_constraints); 292 ASSERT_TRUE(name_constraints);
294 293
295 // Not in any permitted subtree. 294 // Not in any permitted subtree.
296 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 295 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
297 SequenceValueFromString(&name_ca))); 296 SequenceValueFromString(&name_ca)));
298 // Within the permitted C=US subtree. 297 // Within the permitted C=US subtree.
299 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 298 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
300 SequenceValueFromString(&name_us))); 299 SequenceValueFromString(&name_us)));
301 // Within the permitted C=US subtree. 300 // Within the permitted C=US subtree.
302 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 301 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
344 343
345 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 344 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
346 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get())); 345 EXPECT_TRUE(name_constraints->IsPermittedCert(der::Input(), san.get()));
347 } 346 }
348 347
349 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { 348 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
350 std::string constraints_der; 349 std::string constraints_der;
351 ASSERT_TRUE( 350 ASSERT_TRUE(
352 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); 351 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
353 std::unique_ptr<NameConstraints> name_constraints( 352 std::unique_ptr<NameConstraints> name_constraints(
354 NameConstraints::CreateFromDer(der::Input(&constraints_der), 353 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
355 is_critical()));
356 ASSERT_TRUE(name_constraints); 354 ASSERT_TRUE(name_constraints);
357 355
358 std::string name_empty; 356 std::string name_empty;
359 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 357 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
360 std::string name_us; 358 std::string name_us;
361 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 359 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
362 std::string name_us_ca; 360 std::string name_us_ca;
363 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 361 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
364 std::string name_us_ca_mountain_view; 362 std::string name_us_ca_mountain_view;
365 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 363 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
366 &name_us_ca_mountain_view)); 364 &name_us_ca_mountain_view));
367 365
368 // Only "C=US,ST=California" is excluded, and since permitted is empty, 366 // Only "C=US,ST=California" is excluded, and since permitted is empty,
369 // any directoryName outside that is allowed. 367 // any directoryName outside that is allowed.
370 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 368 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
371 SequenceValueFromString(&name_empty))); 369 SequenceValueFromString(&name_empty)));
372 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 370 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
373 SequenceValueFromString(&name_us))); 371 SequenceValueFromString(&name_us)));
374 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 372 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
375 SequenceValueFromString(&name_us_ca))); 373 SequenceValueFromString(&name_us_ca)));
376 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 374 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
377 SequenceValueFromString(&name_us_ca_mountain_view))); 375 SequenceValueFromString(&name_us_ca_mountain_view)));
378 } 376 }
379 377
380 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { 378 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
381 std::string constraints_der; 379 std::string constraints_der;
382 ASSERT_TRUE( 380 ASSERT_TRUE(
383 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der)); 381 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
384 std::unique_ptr<NameConstraints> name_constraints( 382 std::unique_ptr<NameConstraints> name_constraints(
385 NameConstraints::CreateFromDer(der::Input(&constraints_der), 383 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
386 is_critical()));
387 ASSERT_TRUE(name_constraints); 384 ASSERT_TRUE(name_constraints);
388 385
389 std::string name_empty; 386 std::string name_empty;
390 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 387 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
391 std::string name_us; 388 std::string name_us;
392 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 389 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
393 std::string name_us_ca; 390 std::string name_us_ca;
394 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 391 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
395 std::string name_us_ca_mountain_view; 392 std::string name_us_ca_mountain_view;
396 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 393 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
(...skipping 11 matching lines...) Expand all
408 SequenceValueFromString(&name_us_ca))); 405 SequenceValueFromString(&name_us_ca)));
409 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 406 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
410 SequenceValueFromString(&name_jp))); 407 SequenceValueFromString(&name_jp)));
411 } 408 }
412 409
413 TEST_P(ParseNameConstraints, IPAdresses) { 410 TEST_P(ParseNameConstraints, IPAdresses) {
414 std::string a; 411 std::string a;
415 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a)); 412 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
416 413
417 std::unique_ptr<NameConstraints> name_constraints( 414 std::unique_ptr<NameConstraints> name_constraints(
418 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 415 NameConstraints::Create(der::Input(&a), is_critical()));
419 ASSERT_TRUE(name_constraints); 416 ASSERT_TRUE(name_constraints);
420 417
421 // IPv4 tests: 418 // IPv4 tests:
422 419
423 // Not in any permitted range. 420 // Not in any permitted range.
424 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 169, 0, 1))); 421 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 169, 0, 1)));
425 422
426 // Within the permitted 192.168.0.0/255.255.0.0 range. 423 // Within the permitted 192.168.0.0/255.255.0.0 range.
427 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); 424 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
428 425
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after
523 520
524 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 521 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
525 EXPECT_FALSE(name_constraints->IsPermittedCert(der::Input(), san.get())); 522 EXPECT_FALSE(name_constraints->IsPermittedCert(der::Input(), san.get()));
526 } 523 }
527 524
528 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { 525 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
529 std::string a; 526 std::string a;
530 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); 527 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
531 528
532 std::unique_ptr<NameConstraints> name_constraints( 529 std::unique_ptr<NameConstraints> name_constraints(
533 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 530 NameConstraints::Create(der::Input(&a), is_critical()));
534 ASSERT_TRUE(name_constraints); 531 ASSERT_TRUE(name_constraints);
535 532
536 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty, 533 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
537 // any iPAddress outside that is allowed. 534 // any iPAddress outside that is allowed.
538 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); 535 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
539 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1))); 536 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1)));
540 EXPECT_TRUE(name_constraints->IsPermittedIP( 537 EXPECT_TRUE(name_constraints->IsPermittedIP(
541 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); 538 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
542 } 539 }
543 540
544 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { 541 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
545 std::string a; 542 std::string a;
546 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); 543 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
547 544
548 std::unique_ptr<NameConstraints> name_constraints( 545 std::unique_ptr<NameConstraints> name_constraints(
549 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 546 NameConstraints::Create(der::Input(&a), is_critical()));
550 ASSERT_TRUE(name_constraints); 547 ASSERT_TRUE(name_constraints);
551 548
552 // 192.168.0.0/255.255.0.0 and 549 // 192.168.0.0/255.255.0.0 and
553 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted, 550 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
554 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted. 551 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
555 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1))); 552 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
556 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(1, 1, 1, 1))); 553 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(1, 1, 1, 1)));
557 EXPECT_FALSE(name_constraints->IsPermittedIP( 554 EXPECT_FALSE(name_constraints->IsPermittedIP(
558 IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))); 555 IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)));
559 EXPECT_FALSE(name_constraints->IsPermittedIP( 556 EXPECT_FALSE(name_constraints->IsPermittedIP(
560 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))); 557 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
561 } 558 }
562 559
563 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { 560 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
564 std::string a; 561 std::string a;
565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a)); 562 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
566 563
567 std::unique_ptr<NameConstraints> name_constraints( 564 std::unique_ptr<NameConstraints> name_constraints(
568 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 565 NameConstraints::Create(der::Input(&a), is_critical()));
569 ASSERT_TRUE(name_constraints); 566 ASSERT_TRUE(name_constraints);
570 567
571 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); 568 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
572 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); 569 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
573 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); 570 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2)));
574 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); 571 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3)));
575 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); 572 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4)));
576 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); 573 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
577 } 574 }
578 575
579 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { 576 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
580 std::string a; 577 std::string a;
581 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a)); 578 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
582 579
583 std::unique_ptr<NameConstraints> name_constraints( 580 std::unique_ptr<NameConstraints> name_constraints(
584 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 581 NameConstraints::Create(der::Input(&a), is_critical()));
585 ASSERT_TRUE(name_constraints); 582 ASSERT_TRUE(name_constraints);
586 583
587 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); 584 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
588 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); 585 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
589 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2))); 586 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2)));
590 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3))); 587 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3)));
591 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4))); 588 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4)));
592 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 5))); 589 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 5)));
593 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); 590 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
594 } 591 }
595 592
596 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { 593 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
597 std::string a; 594 std::string a;
598 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a)); 595 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
599 596
600 std::unique_ptr<NameConstraints> name_constraints( 597 std::unique_ptr<NameConstraints> name_constraints(
601 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 598 NameConstraints::Create(der::Input(&a), is_critical()));
602 ASSERT_TRUE(name_constraints); 599 ASSERT_TRUE(name_constraints);
603 600
604 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); 601 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
605 EXPECT_FALSE( 602 EXPECT_FALSE(
606 name_constraints->IsPermittedIP(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))); 603 name_constraints->IsPermittedIP(IPAddress(0x7F, 0xFF, 0xFF, 0xFF)));
607 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(0x80, 0, 0, 0))); 604 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(0x80, 0, 0, 0)));
608 EXPECT_TRUE( 605 EXPECT_TRUE(
609 name_constraints->IsPermittedIP(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))); 606 name_constraints->IsPermittedIP(IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
610 } 607 }
611 608
612 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { 609 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
613 std::string a; 610 std::string a;
614 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a)); 611 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
615 612
616 std::unique_ptr<NameConstraints> name_constraints( 613 std::unique_ptr<NameConstraints> name_constraints(
617 NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 614 NameConstraints::Create(der::Input(&a), is_critical()));
618 ASSERT_TRUE(name_constraints); 615 ASSERT_TRUE(name_constraints);
619 616
620 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros())); 617 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
621 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1))); 618 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
622 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255))); 619 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
623 } 620 }
624 621
625 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) { 622 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
626 std::string a; 623 std::string a;
627 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a)); 624 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
628 625
629 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 626 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
630 } 627 }
631 628
632 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) { 629 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
633 std::string a; 630 std::string a;
634 ASSERT_TRUE(LoadTestNameConstraint( 631 ASSERT_TRUE(LoadTestNameConstraint(
635 "ipaddress-invalid_mask_not_contiguous_1.pem", &a)); 632 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
636 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 633 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
637 634
638 ASSERT_TRUE(LoadTestNameConstraint( 635 ASSERT_TRUE(LoadTestNameConstraint(
639 "ipaddress-invalid_mask_not_contiguous_2.pem", &a)); 636 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
640 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 637 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
641 638
642 ASSERT_TRUE(LoadTestNameConstraint( 639 ASSERT_TRUE(LoadTestNameConstraint(
643 "ipaddress-invalid_mask_not_contiguous_3.pem", &a)); 640 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
644 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 641 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
645 642
646 ASSERT_TRUE(LoadTestNameConstraint( 643 ASSERT_TRUE(LoadTestNameConstraint(
647 "ipaddress-invalid_mask_not_contiguous_4.pem", &a)); 644 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
648 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical())); 645 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical()));
649 } 646 }
650 647
651 TEST_P(ParseNameConstraints, OtherNamesInPermitted) { 648 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
652 std::string constraints_der; 649 std::string constraints_der;
653 ASSERT_TRUE( 650 ASSERT_TRUE(
654 LoadTestNameConstraint("othername-permitted.pem", &constraints_der)); 651 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
655 std::unique_ptr<NameConstraints> name_constraints( 652 std::unique_ptr<NameConstraints> name_constraints(
656 NameConstraints::CreateFromDer(der::Input(&constraints_der), 653 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
657 is_critical()));
658 ASSERT_TRUE(name_constraints); 654 ASSERT_TRUE(name_constraints);
659 655
660 if (is_critical()) { 656 if (is_critical()) {
661 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, 657 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
662 name_constraints->ConstrainedNameTypes()); 658 name_constraints->ConstrainedNameTypes());
663 } else { 659 } else {
664 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 660 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
665 } 661 }
666 662
667 std::unique_ptr<GeneralNames> san; 663 std::unique_ptr<GeneralNames> san;
668 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); 664 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
669 EXPECT_EQ(!is_critical(), 665 EXPECT_EQ(!is_critical(),
670 name_constraints->IsPermittedCert(der::Input(), san.get())); 666 name_constraints->IsPermittedCert(der::Input(), san.get()));
671 } 667 }
672 668
673 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { 669 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
674 std::string constraints_der; 670 std::string constraints_der;
675 ASSERT_TRUE( 671 ASSERT_TRUE(
676 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); 672 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
677 std::unique_ptr<NameConstraints> name_constraints( 673 std::unique_ptr<NameConstraints> name_constraints(
678 NameConstraints::CreateFromDer(der::Input(&constraints_der), 674 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
679 is_critical()));
680 ASSERT_TRUE(name_constraints); 675 ASSERT_TRUE(name_constraints);
681 676
682 if (is_critical()) { 677 if (is_critical()) {
683 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, 678 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
684 name_constraints->ConstrainedNameTypes()); 679 name_constraints->ConstrainedNameTypes());
685 } else { 680 } else {
686 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 681 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
687 } 682 }
688 683
689 std::unique_ptr<GeneralNames> san; 684 std::unique_ptr<GeneralNames> san;
690 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); 685 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
691 EXPECT_EQ(!is_critical(), 686 EXPECT_EQ(!is_critical(),
692 name_constraints->IsPermittedCert(der::Input(), san.get())); 687 name_constraints->IsPermittedCert(der::Input(), san.get()));
693 } 688 }
694 689
695 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { 690 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
696 std::string constraints_der; 691 std::string constraints_der;
697 ASSERT_TRUE( 692 ASSERT_TRUE(
698 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); 693 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
699 std::unique_ptr<NameConstraints> name_constraints( 694 std::unique_ptr<NameConstraints> name_constraints(
700 NameConstraints::CreateFromDer(der::Input(&constraints_der), 695 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
701 is_critical()));
702 ASSERT_TRUE(name_constraints); 696 ASSERT_TRUE(name_constraints);
703 697
704 if (is_critical()) { 698 if (is_critical()) {
705 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, 699 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
706 name_constraints->ConstrainedNameTypes()); 700 name_constraints->ConstrainedNameTypes());
707 } else { 701 } else {
708 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 702 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
709 } 703 }
710 704
711 std::unique_ptr<GeneralNames> san; 705 std::unique_ptr<GeneralNames> san;
712 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); 706 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
713 EXPECT_EQ(!is_critical(), 707 EXPECT_EQ(!is_critical(),
714 name_constraints->IsPermittedCert(der::Input(), san.get())); 708 name_constraints->IsPermittedCert(der::Input(), san.get()));
715 } 709 }
716 710
717 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { 711 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
718 std::string constraints_der; 712 std::string constraints_der;
719 ASSERT_TRUE( 713 ASSERT_TRUE(
720 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); 714 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
721 std::unique_ptr<NameConstraints> name_constraints( 715 std::unique_ptr<NameConstraints> name_constraints(
722 NameConstraints::CreateFromDer(der::Input(&constraints_der), 716 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
723 is_critical()));
724 ASSERT_TRUE(name_constraints); 717 ASSERT_TRUE(name_constraints);
725 718
726 if (is_critical()) { 719 if (is_critical()) {
727 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, 720 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
728 name_constraints->ConstrainedNameTypes()); 721 name_constraints->ConstrainedNameTypes());
729 } else { 722 } else {
730 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 723 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
731 } 724 }
732 725
733 std::unique_ptr<GeneralNames> san; 726 std::unique_ptr<GeneralNames> san;
734 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); 727 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
735 EXPECT_EQ(!is_critical(), 728 EXPECT_EQ(!is_critical(),
736 name_constraints->IsPermittedCert(der::Input(), san.get())); 729 name_constraints->IsPermittedCert(der::Input(), san.get()));
737 } 730 }
738 731
739 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { 732 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
740 std::string constraints_der; 733 std::string constraints_der;
741 ASSERT_TRUE( 734 ASSERT_TRUE(
742 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); 735 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
743 std::unique_ptr<NameConstraints> name_constraints( 736 std::unique_ptr<NameConstraints> name_constraints(
744 NameConstraints::CreateFromDer(der::Input(&constraints_der), 737 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
745 is_critical()));
746 ASSERT_TRUE(name_constraints); 738 ASSERT_TRUE(name_constraints);
747 739
748 if (is_critical()) { 740 if (is_critical()) {
749 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, 741 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
750 name_constraints->ConstrainedNameTypes()); 742 name_constraints->ConstrainedNameTypes());
751 } else { 743 } else {
752 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 744 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
753 } 745 }
754 746
755 std::unique_ptr<GeneralNames> san; 747 std::unique_ptr<GeneralNames> san;
756 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); 748 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
757 EXPECT_EQ(!is_critical(), 749 EXPECT_EQ(!is_critical(),
758 name_constraints->IsPermittedCert(der::Input(), san.get())); 750 name_constraints->IsPermittedCert(der::Input(), san.get()));
759 } 751 }
760 752
761 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { 753 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
762 std::string constraints_der; 754 std::string constraints_der;
763 ASSERT_TRUE( 755 ASSERT_TRUE(
764 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); 756 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
765 std::unique_ptr<NameConstraints> name_constraints( 757 std::unique_ptr<NameConstraints> name_constraints(
766 NameConstraints::CreateFromDer(der::Input(&constraints_der), 758 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
767 is_critical()));
768 ASSERT_TRUE(name_constraints); 759 ASSERT_TRUE(name_constraints);
769 760
770 if (is_critical()) { 761 if (is_critical()) {
771 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, 762 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
772 name_constraints->ConstrainedNameTypes()); 763 name_constraints->ConstrainedNameTypes());
773 } else { 764 } else {
774 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 765 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
775 } 766 }
776 767
777 std::unique_ptr<GeneralNames> san; 768 std::unique_ptr<GeneralNames> san;
778 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); 769 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
779 EXPECT_EQ(!is_critical(), 770 EXPECT_EQ(!is_critical(),
780 name_constraints->IsPermittedCert(der::Input(), san.get())); 771 name_constraints->IsPermittedCert(der::Input(), san.get()));
781 } 772 }
782 773
783 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { 774 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
784 std::string constraints_der; 775 std::string constraints_der;
785 ASSERT_TRUE( 776 ASSERT_TRUE(
786 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); 777 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
787 std::unique_ptr<NameConstraints> name_constraints( 778 std::unique_ptr<NameConstraints> name_constraints(
788 NameConstraints::CreateFromDer(der::Input(&constraints_der), 779 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
789 is_critical()));
790 ASSERT_TRUE(name_constraints); 780 ASSERT_TRUE(name_constraints);
791 781
792 if (is_critical()) { 782 if (is_critical()) {
793 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, 783 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
794 name_constraints->ConstrainedNameTypes()); 784 name_constraints->ConstrainedNameTypes());
795 } else { 785 } else {
796 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 786 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
797 } 787 }
798 788
799 std::unique_ptr<GeneralNames> san; 789 std::unique_ptr<GeneralNames> san;
800 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); 790 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
801 EXPECT_EQ(!is_critical(), 791 EXPECT_EQ(!is_critical(),
802 name_constraints->IsPermittedCert(der::Input(), san.get())); 792 name_constraints->IsPermittedCert(der::Input(), san.get()));
803 } 793 }
804 794
805 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { 795 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
806 std::string constraints_der; 796 std::string constraints_der;
807 ASSERT_TRUE( 797 ASSERT_TRUE(
808 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); 798 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
809 std::unique_ptr<NameConstraints> name_constraints( 799 std::unique_ptr<NameConstraints> name_constraints(
810 NameConstraints::CreateFromDer(der::Input(&constraints_der), 800 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
811 is_critical()));
812 ASSERT_TRUE(name_constraints); 801 ASSERT_TRUE(name_constraints);
813 802
814 if (is_critical()) { 803 if (is_critical()) {
815 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, 804 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
816 name_constraints->ConstrainedNameTypes()); 805 name_constraints->ConstrainedNameTypes());
817 } else { 806 } else {
818 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 807 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
819 } 808 }
820 809
821 std::unique_ptr<GeneralNames> san; 810 std::unique_ptr<GeneralNames> san;
822 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); 811 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
823 EXPECT_EQ(!is_critical(), 812 EXPECT_EQ(!is_critical(),
824 name_constraints->IsPermittedCert(der::Input(), san.get())); 813 name_constraints->IsPermittedCert(der::Input(), san.get()));
825 } 814 }
826 815
827 TEST_P(ParseNameConstraints, URIsInPermitted) { 816 TEST_P(ParseNameConstraints, URIsInPermitted) {
828 std::string constraints_der; 817 std::string constraints_der;
829 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); 818 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
830 std::unique_ptr<NameConstraints> name_constraints( 819 std::unique_ptr<NameConstraints> name_constraints(
831 NameConstraints::CreateFromDer(der::Input(&constraints_der), 820 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
832 is_critical()));
833 ASSERT_TRUE(name_constraints); 821 ASSERT_TRUE(name_constraints);
834 822
835 if (is_critical()) { 823 if (is_critical()) {
836 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, 824 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
837 name_constraints->ConstrainedNameTypes()); 825 name_constraints->ConstrainedNameTypes());
838 } else { 826 } else {
839 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 827 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
840 } 828 }
841 829
842 std::unique_ptr<GeneralNames> san; 830 std::unique_ptr<GeneralNames> san;
843 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); 831 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
844 EXPECT_EQ(!is_critical(), 832 EXPECT_EQ(!is_critical(),
845 name_constraints->IsPermittedCert(der::Input(), san.get())); 833 name_constraints->IsPermittedCert(der::Input(), san.get()));
846 } 834 }
847 835
848 TEST_P(ParseNameConstraints, URIsInExcluded) { 836 TEST_P(ParseNameConstraints, URIsInExcluded) {
849 std::string constraints_der; 837 std::string constraints_der;
850 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); 838 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
851 std::unique_ptr<NameConstraints> name_constraints( 839 std::unique_ptr<NameConstraints> name_constraints(
852 NameConstraints::CreateFromDer(der::Input(&constraints_der), 840 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
853 is_critical()));
854 ASSERT_TRUE(name_constraints); 841 ASSERT_TRUE(name_constraints);
855 842
856 if (is_critical()) { 843 if (is_critical()) {
857 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, 844 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
858 name_constraints->ConstrainedNameTypes()); 845 name_constraints->ConstrainedNameTypes());
859 } else { 846 } else {
860 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 847 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
861 } 848 }
862 849
863 std::unique_ptr<GeneralNames> san; 850 std::unique_ptr<GeneralNames> san;
864 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); 851 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
865 EXPECT_EQ(!is_critical(), 852 EXPECT_EQ(!is_critical(),
866 name_constraints->IsPermittedCert(der::Input(), san.get())); 853 name_constraints->IsPermittedCert(der::Input(), san.get()));
867 } 854 }
868 855
869 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { 856 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
870 std::string constraints_der; 857 std::string constraints_der;
871 ASSERT_TRUE( 858 ASSERT_TRUE(
872 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); 859 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
873 std::unique_ptr<NameConstraints> name_constraints( 860 std::unique_ptr<NameConstraints> name_constraints(
874 NameConstraints::CreateFromDer(der::Input(&constraints_der), 861 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
875 is_critical()));
876 ASSERT_TRUE(name_constraints); 862 ASSERT_TRUE(name_constraints);
877 863
878 if (is_critical()) { 864 if (is_critical()) {
879 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, 865 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
880 name_constraints->ConstrainedNameTypes()); 866 name_constraints->ConstrainedNameTypes());
881 } else { 867 } else {
882 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 868 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
883 } 869 }
884 870
885 std::unique_ptr<GeneralNames> san; 871 std::unique_ptr<GeneralNames> san;
886 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); 872 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
887 EXPECT_EQ(!is_critical(), 873 EXPECT_EQ(!is_critical(),
888 name_constraints->IsPermittedCert(der::Input(), san.get())); 874 name_constraints->IsPermittedCert(der::Input(), san.get()));
889 } 875 }
890 876
891 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { 877 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
892 std::string constraints_der; 878 std::string constraints_der;
893 ASSERT_TRUE( 879 ASSERT_TRUE(
894 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); 880 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
895 std::unique_ptr<NameConstraints> name_constraints( 881 std::unique_ptr<NameConstraints> name_constraints(
896 NameConstraints::CreateFromDer(der::Input(&constraints_der), 882 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
897 is_critical()));
898 ASSERT_TRUE(name_constraints); 883 ASSERT_TRUE(name_constraints);
899 884
900 if (is_critical()) { 885 if (is_critical()) {
901 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, 886 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
902 name_constraints->ConstrainedNameTypes()); 887 name_constraints->ConstrainedNameTypes());
903 } else { 888 } else {
904 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 889 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
905 } 890 }
906 891
907 std::unique_ptr<GeneralNames> san; 892 std::unique_ptr<GeneralNames> san;
908 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); 893 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
909 EXPECT_EQ(!is_critical(), 894 EXPECT_EQ(!is_critical(),
910 name_constraints->IsPermittedCert(der::Input(), san.get())); 895 name_constraints->IsPermittedCert(der::Input(), san.get()));
911 } 896 }
912 897
913 TEST_P(ParseNameConstraints, 898 TEST_P(ParseNameConstraints,
914 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { 899 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
915 std::string constraints_der; 900 std::string constraints_der;
916 ASSERT_TRUE( 901 ASSERT_TRUE(
917 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); 902 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
918 // The value should not be in the DER encoding if it is the default. But this 903 // The value should not be in the DER encoding if it is the default. But this
919 // could be changed to allowed if there are buggy encoders out there that 904 // could be changed to allowed if there are buggy encoders out there that
920 // include it anyway. 905 // include it anyway.
921 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 906 EXPECT_FALSE(
922 is_critical())); 907 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
923 } 908 }
924 909
925 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) { 910 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
926 std::string constraints_der; 911 std::string constraints_der;
927 ASSERT_TRUE( 912 ASSERT_TRUE(
928 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der)); 913 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
929 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 914 EXPECT_FALSE(
930 is_critical())); 915 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
931 } 916 }
932 917
933 TEST_P(ParseNameConstraints, 918 TEST_P(ParseNameConstraints,
934 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) { 919 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
935 std::string constraints_der; 920 std::string constraints_der;
936 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem", 921 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
937 &constraints_der)); 922 &constraints_der));
938 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 923 EXPECT_FALSE(
939 is_critical())); 924 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
940 } 925 }
941 926
942 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) { 927 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
943 std::string constraints_der; 928 std::string constraints_der;
944 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem", 929 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
945 &constraints_der)); 930 &constraints_der));
946 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 931 EXPECT_FALSE(
947 is_critical())); 932 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
948 } 933 }
949 934
950 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) { 935 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
951 std::string constraints_der; 936 std::string constraints_der;
952 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der)); 937 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
953 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 938 EXPECT_FALSE(
954 is_critical())); 939 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
955 } 940 }
956 941
957 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) { 942 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
958 std::string constraints_der = ""; 943 std::string constraints_der = "";
959 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 944 EXPECT_FALSE(
960 is_critical())); 945 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
961 } 946 }
962 947
963 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) { 948 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
964 std::string constraints_der; 949 std::string constraints_der;
965 ASSERT_TRUE( 950 ASSERT_TRUE(
966 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der)); 951 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
967 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 952 EXPECT_FALSE(
968 is_critical())); 953 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
969 } 954 }
970 955
971 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) { 956 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
972 std::string constraints_der; 957 std::string constraints_der;
973 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem", 958 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
974 &constraints_der)); 959 &constraints_der));
975 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 960 EXPECT_FALSE(
976 is_critical())); 961 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
977 } 962 }
978 963
979 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) { 964 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
980 std::string constraints_der; 965 std::string constraints_der;
981 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem", 966 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
982 &constraints_der)); 967 &constraints_der));
983 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der), 968 EXPECT_FALSE(
984 is_critical())); 969 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
985 } 970 }
986 971
987 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { 972 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
988 std::string constraints_der; 973 std::string constraints_der;
989 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); 974 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
990 std::unique_ptr<NameConstraints> name_constraints( 975 std::unique_ptr<NameConstraints> name_constraints(
991 NameConstraints::CreateFromDer(der::Input(&constraints_der), 976 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
992 is_critical()));
993 ASSERT_TRUE(name_constraints); 977 ASSERT_TRUE(name_constraints);
994 978
995 std::string name_us_arizona_email; 979 std::string name_us_arizona_email;
996 ASSERT_TRUE( 980 ASSERT_TRUE(
997 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); 981 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
998 982
999 // Name constraints don't contain rfc822Name, so emailAddress in subject is 983 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1000 // allowed regardless. 984 // allowed regardless.
1001 EXPECT_TRUE(name_constraints->IsPermittedCert( 985 EXPECT_TRUE(name_constraints->IsPermittedCert(
1002 SequenceValueFromString(&name_us_arizona_email), 986 SequenceValueFromString(&name_us_arizona_email),
1003 nullptr /* subject_alt_names */)); 987 nullptr /* subject_alt_names */));
1004 } 988 }
1005 989
1006 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { 990 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1007 std::string constraints_der; 991 std::string constraints_der;
1008 ASSERT_TRUE( 992 ASSERT_TRUE(
1009 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); 993 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1010 std::unique_ptr<NameConstraints> name_constraints( 994 std::unique_ptr<NameConstraints> name_constraints(
1011 NameConstraints::CreateFromDer(der::Input(&constraints_der), 995 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
1012 is_critical()));
1013 ASSERT_TRUE(name_constraints); 996 ASSERT_TRUE(name_constraints);
1014 997
1015 std::string name_us_arizona_email; 998 std::string name_us_arizona_email;
1016 ASSERT_TRUE( 999 ASSERT_TRUE(
1017 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); 1000 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1018 1001
1019 // Name constraints contain rfc822Name, so emailAddress in subject is not 1002 // Name constraints contain rfc822Name, so emailAddress in subject is not
1020 // allowed if the constraints were critical. 1003 // allowed if the constraints were critical.
1021 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 1004 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert(
1022 SequenceValueFromString(&name_us_arizona_email), 1005 SequenceValueFromString(&name_us_arizona_email),
1023 nullptr /* subject_alt_names */)); 1006 nullptr /* subject_alt_names */));
1024 } 1007 }
1025 1008
1026 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests 1009 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1027 // are not particularly interesting, just verifying that the commonName is 1010 // are not particularly interesting, just verifying that the commonName is
1028 // ignored for dNSName constraints. 1011 // ignored for dNSName constraints.
1029 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { 1012 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1030 std::string constraints_der; 1013 std::string constraints_der;
1031 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", 1014 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1032 &constraints_der)); 1015 &constraints_der));
1033 std::unique_ptr<NameConstraints> name_constraints( 1016 std::unique_ptr<NameConstraints> name_constraints(
1034 NameConstraints::CreateFromDer(der::Input(&constraints_der), 1017 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
1035 is_critical()));
1036 ASSERT_TRUE(name_constraints); 1018 ASSERT_TRUE(name_constraints);
1037 1019
1038 std::string name_us_az_foocom; 1020 std::string name_us_az_foocom;
1039 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); 1021 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1040 // The subject is within permitted directoryName constraints, so permitted. 1022 // The subject is within permitted directoryName constraints, so permitted.
1041 // (The commonName hostname is not within permitted dNSName constraints, so 1023 // (The commonName hostname is not within permitted dNSName constraints, so
1042 // this would not be permitted if hostnames in commonName were checked.) 1024 // this would not be permitted if hostnames in commonName were checked.)
1043 EXPECT_TRUE(name_constraints->IsPermittedCert( 1025 EXPECT_TRUE(name_constraints->IsPermittedCert(
1044 SequenceValueFromString(&name_us_az_foocom), 1026 SequenceValueFromString(&name_us_az_foocom),
1045 nullptr /* subject_alt_names */)); 1027 nullptr /* subject_alt_names */));
(...skipping 20 matching lines...) Expand all
1066 } 1048 }
1067 1049
1068 // IP addresses in commonName are not allowed (crbug.com/308330), so these are 1050 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1069 // tests are not particularly interesting, just verifying that the commonName is 1051 // tests are not particularly interesting, just verifying that the commonName is
1070 // ignored for iPAddress constraints. 1052 // ignored for iPAddress constraints.
1071 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { 1053 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1072 std::string constraints_der; 1054 std::string constraints_der;
1073 ASSERT_TRUE(LoadTestNameConstraint( 1055 ASSERT_TRUE(LoadTestNameConstraint(
1074 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); 1056 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1075 std::unique_ptr<NameConstraints> name_constraints( 1057 std::unique_ptr<NameConstraints> name_constraints(
1076 NameConstraints::CreateFromDer(der::Input(&constraints_der), 1058 NameConstraints::Create(der::Input(&constraints_der), is_critical()));
1077 is_critical()));
1078 ASSERT_TRUE(name_constraints); 1059 ASSERT_TRUE(name_constraints);
1079 1060
1080 std::string name_us_az_1_1_1_1; 1061 std::string name_us_az_1_1_1_1;
1081 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); 1062 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1082 // The subject is within permitted directoryName constraints, so permitted. 1063 // The subject is within permitted directoryName constraints, so permitted.
1083 // (The commonName IP address is not within permitted iPAddresses constraints, 1064 // (The commonName IP address is not within permitted iPAddresses constraints,
1084 // so this would not be permitted if IP addresses in commonName were checked.) 1065 // so this would not be permitted if IP addresses in commonName were checked.)
1085 EXPECT_TRUE(name_constraints->IsPermittedCert( 1066 EXPECT_TRUE(name_constraints->IsPermittedCert(
1086 SequenceValueFromString(&name_us_az_1_1_1_1), 1067 SequenceValueFromString(&name_us_az_1_1_1_1),
1087 nullptr /* subject_alt_names */)); 1068 nullptr /* subject_alt_names */));
(...skipping 21 matching lines...) Expand all
1109 std::string name_us_az_ipv6; 1090 std::string name_us_az_ipv6;
1110 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); 1091 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1111 // The subject is within permitted directoryName constraints, so permitted. 1092 // The subject is within permitted directoryName constraints, so permitted.
1112 // (The commonName is an ipv6 address which wasn't supported in the past, but 1093 // (The commonName is an ipv6 address which wasn't supported in the past, but
1113 // since commonName checking is ignored entirely, this is permitted.) 1094 // since commonName checking is ignored entirely, this is permitted.)
1114 EXPECT_TRUE(name_constraints->IsPermittedCert( 1095 EXPECT_TRUE(name_constraints->IsPermittedCert(
1115 SequenceValueFromString(&name_us_az_ipv6), 1096 SequenceValueFromString(&name_us_az_ipv6),
1116 nullptr /* subject_alt_names */)); 1097 nullptr /* subject_alt_names */));
1117 } 1098 }
1118 1099
1119 TEST_P(ParseNameConstraints, 1100 TEST_P(ParseNameConstraints, GeneralNamesCreateFailsOnEmptySubjectAltName) {
1120 GeneralNamesCreateFromDerFailsOnEmptySubjectAltName) {
1121 std::string invalid_san_der; 1101 std::string invalid_san_der;
1122 ASSERT_TRUE( 1102 ASSERT_TRUE(
1123 LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der)); 1103 LoadTestSubjectAltNameData("san-invalid-empty.pem", &invalid_san_der));
1124 EXPECT_FALSE(GeneralNames::CreateFromDer(der::Input(&invalid_san_der))); 1104 EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der)));
1125 } 1105 }
1126 1106
1127 TEST_P(ParseNameConstraints, 1107 TEST_P(ParseNameConstraints,
1128 GeneralNamesCreateFromDerFailsOnInvalidIpInSubjectAltName) { 1108 GeneralNamesCreateFailsOnInvalidIpInSubjectAltName) {
1129 std::string invalid_san_der; 1109 std::string invalid_san_der;
1130 ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem", 1110 ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem",
1131 &invalid_san_der)); 1111 &invalid_san_der));
1132 EXPECT_FALSE(GeneralNames::CreateFromDer(der::Input(&invalid_san_der))); 1112 EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der)));
1133 } 1113 }
1134 1114
1135 } // namespace net 1115 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/cert/internal/parse_certificate.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698