Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(148)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/internal/name_constraints_unittest.cc

Issue 2521813002: PKI library: dNSName constraints starting with dot should match subdomains. (Closed)
Patch Set: update gypi Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/data/name_constraints_unittest/dnsname-excluded_with_leading_dot.pem » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/internal/name_constraints_unittest.cc
diff --git a/net/cert/internal/name_constraints_unittest.cc b/net/cert/internal/name_constraints_unittest.cc
index f1dd470d093bdb9df61f06eba901c8b51cffba2c..f4eabf110ed10cf35abb585541039332a05c8ab6 100644
--- a/net/cert/internal/name_constraints_unittest.cc
+++ b/net/cert/internal/name_constraints_unittest.cc
@@ -186,7 +186,7 @@ TEST_P(ParseNameConstraints,
EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
}
-TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
+TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
std::string a;
ASSERT_TRUE(
LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
@@ -194,13 +194,30 @@ TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
NameConstraints::Create(der::Input(&a), is_critical()));
ASSERT_TRUE(name_constraints);
- // dNSName constraints should be specified as a host. A dNSName constraint
- // with a leading "." doesn't make sense, though some certs include it
- // (probably confusing it with the rules for uniformResourceIdentifier
- // constraints). It should not match anything.
+ // A permitted dNSName constraint of ".bar.com" should only match subdomains
eroman 2016/11/22 23:34:15 If we don't already, might be good to have a test
mattm 2016/11/24 00:08:50 Done.
+ // of .bar.com, but not bar.com itself.
EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
+ EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
+ EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
+ EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
+}
+
+TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
+ std::string a;
+ ASSERT_TRUE(
+ LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
+ std::unique_ptr<NameConstraints> name_constraints(
+ NameConstraints::Create(der::Input(&a), is_critical()));
+ ASSERT_TRUE(name_constraints);
+
+ // An excluded dNSName constraint of ".bar.com" should only match subdomains
+ // of .bar.com, but not bar.com itself.
+ EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
+ EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
+ EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
+ EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
}
TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
« no previous file with comments | « net/cert/internal/name_constraints.cc ('k') | net/data/name_constraints_unittest/dnsname-excluded_with_leading_dot.pem » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698