PKI library: dNSName constraints starting with dot should match subdomains.

net/cert/internal/name_constraints_unittest.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/name_constraints.h"
 
 #include <memory>
 
 #include "net/base/ip_address.h"
 #include "net/cert/internal/test_helpers.h"
@@ skipping 168 matching lines @@
   // Wildcard hostnames only match a single label, so cannot match excluded
   // which has two labels before .com.
   EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
 
   // Partial match of foo.bar.com.
   EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
   // All expansions of wildcard are within excluded.
   EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
 }
 
-TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
+TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
   std::string a;
   ASSERT_TRUE(
       LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
   std::unique_ptr<NameConstraints> name_constraints(
       NameConstraints::Create(der::Input(&a), is_critical()));
   ASSERT_TRUE(name_constraints);
 
-  // dNSName constraints should be specified as a host. A dNSName constraint
-  // with a leading "." doesn't make sense, though some certs include it
-  // (probably confusing it with the rules for uniformResourceIdentifier
-  // constraints). It should not match anything.
+  // A permitted dNSName constraint of ".bar.com" should only match subdomains

[eroman, 2016/11/22 23:34:15]

If we don't already, might be good to have a test for ".." too (since we have
logic that strips the trailing dot first).

[mattm, 2016/11/24 00:08:50]

Done.

+  // of .bar.com, but not bar.com itself.
   EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
   EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
+  EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
+  EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
+  EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
+}
+
+TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
+  std::string a;
+  ASSERT_TRUE(
+      LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
+  std::unique_ptr<NameConstraints> name_constraints(
+      NameConstraints::Create(der::Input(&a), is_critical()));
+  ASSERT_TRUE(name_constraints);
+
+  // An excluded dNSName constraint of ".bar.com" should only match subdomains
+  // of .bar.com, but not bar.com itself.
+  EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
+  EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
+  EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
   EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
+  EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
 }
 
 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
   std::string a;
   ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
 
   std::unique_ptr<NameConstraints> name_constraints(
       NameConstraints::Create(der::Input(&a), is_critical()));
   ASSERT_TRUE(name_constraints);
 
@@ skipping 892 matching lines @@
 
 TEST_P(ParseNameConstraints,
        GeneralNamesCreateFailsOnInvalidIpInSubjectAltName) {
   std::string invalid_san_der;
   ASSERT_TRUE(LoadTestSubjectAltNameData("san-invalid-ipaddress.pem",
                                          &invalid_san_der));
   EXPECT_FALSE(GeneralNames::Create(der::Input(&invalid_san_der)));
 }
 
 }  // namespace net