pkixnames_tests.cpp (111653B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This code is made available to you under your choice of the following sets 4 * of licensing terms: 5 */ 6 /* This Source Code Form is subject to the terms of the Mozilla Public 7 * License, v. 2.0. If a copy of the MPL was not distributed with this 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. 9 */ 10 /* Copyright 2014 Mozilla Contributors 11 * 12 * Licensed under the Apache License, Version 2.0 (the "License"); 13 * you may not use this file except in compliance with the License. 14 * You may obtain a copy of the License at 15 * 16 * http://www.apache.org/licenses/LICENSE-2.0 17 * 18 * Unless required by applicable law or agreed to in writing, software 19 * distributed under the License is distributed on an "AS IS" BASIS, 20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 * See the License for the specific language governing permissions and 22 * limitations under the License. 23 */ 24 #include "pkixgtest.h" 25 26 #include "mozpkix/pkixcheck.h" 27 #include "mozpkix/pkixder.h" 28 #include "mozpkix/pkixutil.h" 29 30 namespace mozilla { namespace pkix { 31 32 Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID, 33 Input referenceDNSID, 34 /*out*/ bool& matches); 35 36 bool IsValidReferenceDNSID(Input hostname); 37 bool IsValidPresentedDNSID(Input hostname); 38 bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]); 39 bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]); 40 41 } } // namespace mozilla::pkix 42 43 using namespace mozilla::pkix; 44 using namespace mozilla::pkix::test; 45 46 struct PresentedMatchesReference 47 { 48 ByteString presentedDNSID; 49 ByteString referenceDNSID; 50 Result expectedResult; 51 bool expectedMatches; // only valid when expectedResult == Success 52 }; 53 54 ::std::ostream& operator<<(::std::ostream& os, const PresentedMatchesReference&) 55 { 56 return os << "TODO (bug 1318770)"; 57 } 58 59 #define DNS_ID_MATCH(a, b) \ 60 { \ 61 ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \ 62 ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \ 63 Success, \ 64 true \ 65 } 66 67 #define DNS_ID_MISMATCH(a, b) \ 68 { \ 69 ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \ 70 ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \ 71 Success, \ 72 false \ 73 } 74 75 #define DNS_ID_BAD_DER(a, b) \ 76 { \ 77 ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \ 78 ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \ 79 Result::ERROR_BAD_DER, \ 80 false \ 81 } 82 83 static const PresentedMatchesReference DNSID_MATCH_PARAMS[] = 84 { 85 DNS_ID_BAD_DER("", "a"), 86 87 DNS_ID_MATCH("a", "a"), 88 DNS_ID_MISMATCH("b", "a"), 89 90 DNS_ID_MATCH("*.b.a", "c.b.a"), 91 DNS_ID_MISMATCH("*.b.a", "b.a"), 92 DNS_ID_MISMATCH("*.b.a", "b.a."), 93 94 // We allow underscores for compatibility with existing practices. 95 DNS_ID_MATCH("a_b", "a_b"), 96 DNS_ID_MATCH("*.example.com", "uses_underscore.example.com"), 97 DNS_ID_MATCH("*.uses_underscore.example.com", "a.uses_underscore.example.com"), 98 99 // See bug 1139039 100 DNS_ID_MATCH("_.example.com", "_.example.com"), 101 DNS_ID_MATCH("*.example.com", "_.example.com"), 102 DNS_ID_MATCH("_", "_"), 103 DNS_ID_MATCH("___", "___"), 104 DNS_ID_MATCH("example_", "example_"), 105 DNS_ID_MATCH("_example", "_example"), 106 DNS_ID_MATCH("*._._", "x._._"), 107 108 // We allow reference ID labels to start and end with hyphens for 109 // compatibility. 110 DNS_ID_MATCH("*.example.com", "-.example.com"), 111 DNS_ID_MATCH("*.example.com", "-hyphenstart.example.com"), 112 DNS_ID_MATCH("*.example.com", "hyphenend-.example.com"), 113 // Presented ID labels may not start or end with hyphens. 114 DNS_ID_BAD_DER("-.example.com", "-.example.com"), 115 DNS_ID_BAD_DER("-hyphenstart.example.com", "-hyphenstart.example.com"), 116 DNS_ID_BAD_DER("hyphenend-.example.com", "hyphenend-.example.com"), 117 118 // See bug 1139039 119 // A DNS-ID must not end in an all-numeric label. We don't consider 120 // underscores to be numeric. 121 DNS_ID_MATCH("_1", "_1"), 122 DNS_ID_MATCH("example._1", "example._1"), 123 DNS_ID_MATCH("example.1_", "example.1_"), 124 125 // Wildcard not in leftmost label 126 DNS_ID_MATCH("d.c.b.a", "d.c.b.a"), 127 DNS_ID_BAD_DER("d.*.b.a", "d.c.b.a"), 128 DNS_ID_BAD_DER("d.c*.b.a", "d.c.b.a"), 129 DNS_ID_BAD_DER("d.c*.b.a", "d.cc.b.a"), 130 131 // case sensitivity 132 DNS_ID_MATCH("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 133 DNS_ID_MATCH("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"), 134 DNS_ID_MATCH("aBc", "Abc"), 135 136 // digits 137 DNS_ID_MATCH("a1", "a1"), 138 139 // A trailing dot indicates an absolute name. Absolute presented names are 140 // not allowed, but absolute reference names are allowed. 141 DNS_ID_MATCH("example", "example"), 142 DNS_ID_BAD_DER("example.", "example."), 143 DNS_ID_MATCH("example", "example."), 144 DNS_ID_BAD_DER("example.", "example"), 145 DNS_ID_MATCH("example.com", "example.com"), 146 DNS_ID_BAD_DER("example.com.", "example.com."), 147 DNS_ID_MATCH("example.com", "example.com."), 148 DNS_ID_BAD_DER("example.com.", "example.com"), 149 DNS_ID_BAD_DER("example.com..", "example.com."), 150 DNS_ID_BAD_DER("example.com..", "example.com"), 151 DNS_ID_BAD_DER("example.com...", "example.com."), 152 153 // xn-- IDN prefix 154 DNS_ID_BAD_DER("x*.b.a", "xa.b.a"), 155 DNS_ID_BAD_DER("x*.b.a", "xna.b.a"), 156 DNS_ID_BAD_DER("x*.b.a", "xn-a.b.a"), 157 DNS_ID_BAD_DER("x*.b.a", "xn--a.b.a"), 158 DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"), 159 DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"), 160 DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"), 161 DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"), 162 DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"), 163 DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"), 164 DNS_ID_BAD_DER("xn---*.b.a", "xn--a.b.a"), 165 166 // "*" cannot expand to nothing. 167 DNS_ID_BAD_DER("c*.b.a", "c.b.a"), 168 169 ///////////////////////////////////////////////////////////////////////////// 170 // These are test cases adapted from Chromium's x509_certificate_unittest.cc. 171 // The parameter order is the opposite in Chromium's tests. Also, some tests 172 // were modified to fit into this framework or due to intentional differences 173 // between mozilla::pkix and Chromium. 174 175 DNS_ID_MATCH("foo.com", "foo.com"), 176 DNS_ID_MATCH("f", "f"), 177 DNS_ID_MISMATCH("i", "h"), 178 DNS_ID_MATCH("*.foo.com", "bar.foo.com"), 179 DNS_ID_MATCH("*.test.fr", "www.test.fr"), 180 DNS_ID_MATCH("*.test.FR", "wwW.tESt.fr"), 181 DNS_ID_BAD_DER(".uk", "f.uk"), 182 DNS_ID_BAD_DER("?.bar.foo.com", "w.bar.foo.com"), 183 DNS_ID_BAD_DER("(www|ftp).foo.com", "www.foo.com"), // regex! 184 DNS_ID_BAD_DER("www.foo.com\0", "www.foo.com"), 185 DNS_ID_BAD_DER("www.foo.com\0*.foo.com", "www.foo.com"), 186 DNS_ID_MISMATCH("ww.house.example", "www.house.example"), 187 DNS_ID_MISMATCH("www.test.org", "test.org"), 188 DNS_ID_MISMATCH("*.test.org", "test.org"), 189 DNS_ID_BAD_DER("*.org", "test.org"), 190 DNS_ID_BAD_DER("w*.bar.foo.com", "w.bar.foo.com"), 191 DNS_ID_BAD_DER("ww*ww.bar.foo.com", "www.bar.foo.com"), 192 DNS_ID_BAD_DER("ww*ww.bar.foo.com", "wwww.bar.foo.com"), 193 194 // Different than Chromium, matches NSS. 195 DNS_ID_BAD_DER("w*w.bar.foo.com", "wwww.bar.foo.com"), 196 197 DNS_ID_BAD_DER("w*w.bar.foo.c0m", "wwww.bar.foo.com"), 198 199 // '*' must be the only character in the wildcard label 200 DNS_ID_BAD_DER("wa*.bar.foo.com", "WALLY.bar.foo.com"), 201 202 // We require "*" to be the last character in a wildcard label, but 203 // Chromium does not. 204 DNS_ID_BAD_DER("*Ly.bar.foo.com", "wally.bar.foo.com"), 205 206 // Chromium does URL decoding of the reference ID, but we don't, and we also 207 // require that the reference ID is valid, so we can't test these two. 208 // DNS_ID_MATCH("www.foo.com", "ww%57.foo.com"), 209 // DNS_ID_MATCH("www&.foo.com", "www%26.foo.com"), 210 211 DNS_ID_MISMATCH("*.test.de", "www.test.co.jp"), 212 DNS_ID_BAD_DER("*.jp", "www.test.co.jp"), 213 DNS_ID_MISMATCH("www.test.co.uk", "www.test.co.jp"), 214 DNS_ID_BAD_DER("www.*.co.jp", "www.test.co.jp"), 215 DNS_ID_MATCH("www.bar.foo.com", "www.bar.foo.com"), 216 DNS_ID_MISMATCH("*.foo.com", "www.bar.foo.com"), 217 DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"), 218 DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"), 219 220 // Our matcher requires the reference ID to be a valid DNS name, so we cannot 221 // test this case. 222 //DNS_ID_BAD_DER("*.*.bar.foo.com", "*..bar.foo.com"), 223 224 DNS_ID_MATCH("www.bath.org", "www.bath.org"), 225 226 // Our matcher requires the reference ID to be a valid DNS name, so we cannot 227 // test these cases. 228 // DNS_ID_BAD_DER("www.bath.org", ""), 229 // DNS_ID_BAD_DER("www.bath.org", "20.30.40.50"), 230 // DNS_ID_BAD_DER("www.bath.org", "66.77.88.99"), 231 232 // IDN tests 233 DNS_ID_MATCH("xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"), 234 DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"), 235 DNS_ID_MISMATCH("*.xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"), 236 DNS_ID_BAD_DER("xn--poema-*.com.br", "xn--poema-9qae5a.com.br"), 237 DNS_ID_BAD_DER("xn--*-9qae5a.com.br", "xn--poema-9qae5a.com.br"), 238 DNS_ID_BAD_DER("*--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"), 239 240 // The following are adapted from the examples quoted from 241 // http://tools.ietf.org/html/rfc6125#section-6.4.3 242 // (e.g., *.example.com would match foo.example.com but 243 // not bar.foo.example.com or example.com). 244 DNS_ID_MATCH("*.example.com", "foo.example.com"), 245 DNS_ID_MISMATCH("*.example.com", "bar.foo.example.com"), 246 DNS_ID_MISMATCH("*.example.com", "example.com"), 247 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would 248 // be taken to match baz1.example.net and foobaz.example.net and 249 // buzz.example.net, respectively. However, we don't allow any characters 250 // other than '*' in the wildcard label. 251 DNS_ID_BAD_DER("baz*.example.net", "baz1.example.net"), 252 253 // Both of these are different from Chromium, but match NSS, becaues the 254 // wildcard character "*" is not the last character of the label. 255 DNS_ID_BAD_DER("*baz.example.net", "foobaz.example.net"), 256 DNS_ID_BAD_DER("b*z.example.net", "buzz.example.net"), 257 258 // Wildcards should not be valid for public registry controlled domains, 259 // and unknown/unrecognized domains, at least three domain components must 260 // be present. For mozilla::pkix and NSS, there must always be at least two 261 // labels after the wildcard label. 262 DNS_ID_MATCH("*.test.example", "www.test.example"), 263 DNS_ID_MATCH("*.example.co.uk", "test.example.co.uk"), 264 DNS_ID_BAD_DER("*.exmaple", "test.example"), 265 266 // The result is different than Chromium, because Chromium takes into account 267 // the additional knowledge it has that "co.uk" is a TLD. mozilla::pkix does 268 // not know that. 269 DNS_ID_MATCH("*.co.uk", "example.co.uk"), 270 271 DNS_ID_BAD_DER("*.com", "foo.com"), 272 DNS_ID_BAD_DER("*.us", "foo.us"), 273 DNS_ID_BAD_DER("*", "foo"), 274 275 // IDN variants of wildcards and registry controlled domains. 276 DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"), 277 DNS_ID_MATCH("*.example.xn--mgbaam7a8h", "test.example.xn--mgbaam7a8h"), 278 279 // RFC6126 allows this, and NSS accepts it, but Chromium disallows it. 280 // TODO: File bug against Chromium. 281 DNS_ID_MATCH("*.com.br", "xn--poema-9qae5a.com.br"), 282 283 DNS_ID_BAD_DER("*.xn--mgbaam7a8h", "example.xn--mgbaam7a8h"), 284 // Wildcards should be permissible for 'private' registry-controlled 285 // domains. (In mozilla::pkix, we do not know if it is a private registry- 286 // controlled domain or not.) 287 DNS_ID_MATCH("*.appspot.com", "www.appspot.com"), 288 DNS_ID_MATCH("*.s3.amazonaws.com", "foo.s3.amazonaws.com"), 289 290 // Multiple wildcards are not valid. 291 DNS_ID_BAD_DER("*.*.com", "foo.example.com"), 292 DNS_ID_BAD_DER("*.bar.*.com", "foo.bar.example.com"), 293 294 // Absolute vs relative DNS name tests. Although not explicitly specified 295 // in RFC 6125, absolute reference names (those ending in a .) should 296 // match either absolute or relative presented names. We don't allow 297 // absolute presented names. 298 // TODO: File errata against RFC 6125 about this. 299 DNS_ID_BAD_DER("foo.com.", "foo.com"), 300 DNS_ID_MATCH("foo.com", "foo.com."), 301 DNS_ID_BAD_DER("foo.com.", "foo.com."), 302 DNS_ID_BAD_DER("f.", "f"), 303 DNS_ID_MATCH("f", "f."), 304 DNS_ID_BAD_DER("f.", "f."), 305 DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com"), 306 DNS_ID_MATCH("*.bar.foo.com", "www-3.bar.foo.com."), 307 DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com."), 308 309 // We require the reference ID to be a valid DNS name, so we cannot test this 310 // case. 311 // DNS_ID_MISMATCH(".", "."), 312 313 DNS_ID_BAD_DER("*.com.", "example.com"), 314 DNS_ID_BAD_DER("*.com", "example.com."), 315 DNS_ID_BAD_DER("*.com.", "example.com."), 316 DNS_ID_BAD_DER("*.", "foo."), 317 DNS_ID_BAD_DER("*.", "foo"), 318 319 // The result is different than Chromium because we don't know that co.uk is 320 // a TLD. 321 DNS_ID_MATCH("*.co.uk", "foo.co.uk"), 322 DNS_ID_MATCH("*.co.uk", "foo.co.uk."), 323 DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk"), 324 DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk."), 325 326 DNS_ID_MISMATCH("*.example.com", "localhost"), 327 DNS_ID_MISMATCH("*.example.com", "localhost."), 328 // Note that we already have the testcase DNS_ID_BAD_DER("*", "foo") above 329 }; 330 331 struct InputValidity 332 { 333 ByteString input; 334 bool isValidReferenceID; 335 bool isValidPresentedID; 336 }; 337 338 ::std::ostream& operator<<(::std::ostream& os, const InputValidity&) 339 { 340 return os << "TODO (bug 1318770)"; 341 } 342 343 // str is null-terminated, which is why we subtract 1. str may contain embedded 344 // nulls (including at the end) preceding the null terminator though. 345 #define I(str, validReferenceID, validPresentedID) \ 346 { \ 347 ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \ 348 validReferenceID, \ 349 validPresentedID, \ 350 } 351 352 static const InputValidity DNSNAMES_VALIDITY[] = 353 { 354 I("a", true, true), 355 I("a.b", true, true), 356 I("a.b.c", true, true), 357 I("a.b.c.d", true, true), 358 359 // empty labels 360 I("", false, false), 361 I(".", false, false), 362 I("a", true, true), 363 I(".a", false, false), 364 I(".a.b", false, false), 365 I("..a", false, false), 366 I("a..b", false, false), 367 I("a...b", false, false), 368 I("a..b.c", false, false), 369 I("a.b..c", false, false), 370 I(".a.b.c.", false, false), 371 372 // absolute names (only allowed for reference names) 373 I("a.", true, false), 374 I("a.b.", true, false), 375 I("a.b.c.", true, false), 376 377 // absolute names with empty label at end 378 I("a..", false, false), 379 I("a.b..", false, false), 380 I("a.b.c..", false, false), 381 I("a...", false, false), 382 383 // Punycode 384 I("xn--", true, false), 385 I("xn--.", true, false), 386 I("xn--.a", true, false), 387 I("a.xn--", true, false), 388 I("a.xn--.", true, false), 389 I("a.xn--.b", true, false), 390 I("a.xn--.b", true, false), 391 I("a.xn--\0.b", false, false), 392 I("a.xn--a.b", true, true), 393 I("xn--a", true, true), 394 I("a.xn--a", true, true), 395 I("a.xn--a.a", true, true), 396 I("\xc4\x95.com", false, false), // UTF-8 ĕ 397 I("xn--jea.com", true, true), // punycode ĕ 398 I("xn--\xc4\x95.com", false, false), // UTF-8 ĕ, malformed punycode + UTF-8 mashup 399 400 // Surprising punycode 401 I("xn--google.com", true, true), // 䕮䕵䕶䕱.com 402 I("xn--citibank.com", true, true), // 岍岊岊岅岉岎.com 403 I("xn--cnn.com", true, true), // 䁾.com 404 I("a.xn--cnn", true, true), // a.䁾 405 I("a.xn--cnn.com", true, true), // a.䁾.com 406 407 I("1.2.3.4", false, false), // IPv4 address 408 I("1::2", false, false), // IPV6 address 409 410 // whitespace not allowed anywhere. 411 I(" ", false, false), 412 I(" a", false, false), 413 I("a ", false, false), 414 I("a b", false, false), 415 I("a.b 1", false, false), 416 I("a\t", false, false), 417 418 // Nulls not allowed 419 I("\0", false, false), 420 I("a\0", false, false), 421 I("example.org\0.example.com", false, false), // Hi Moxie! 422 I("\0a", false, false), 423 I("xn--\0", false, false), 424 425 // Allowed character set 426 I("a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z", true, true), 427 I("A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z", true, true), 428 I("0.1.2.3.4.5.6.7.8.9.a", true, true), // "a" needed to avoid numeric last label 429 I("a-b", true, true), // hyphen (presented ID labels cannot start or end with a hyphen) 430 431 // Underscores 432 I("a_b", true, true), 433 // See bug 1139039 434 I("_", true, true), 435 I("a_", true, true), 436 I("_a", true, true), 437 I("_1", true, true), 438 I("1_", true, true), 439 I("___", true, true), 440 441 // An invalid character in various positions 442 I("!", false, false), 443 I("!a", false, false), 444 I("a!", false, false), 445 I("a!b", false, false), 446 I("a.!", false, false), 447 I("a.a!", false, false), 448 I("a.!a", false, false), 449 I("a.a!a", false, false), 450 I("a.!a.a", false, false), 451 I("a.a!.a", false, false), 452 I("a.a!a.a", false, false), 453 454 // Various other invalid characters 455 I("a!", false, false), 456 I("a@", false, false), 457 I("a#", false, false), 458 I("a$", false, false), 459 I("a%", false, false), 460 I("a^", false, false), 461 I("a&", false, false), 462 I("a*", false, false), 463 I("a(", false, false), 464 I("a)", false, false), 465 466 // last label can't be fully numeric 467 I("1", false, false), 468 I("a.1", false, false), 469 470 // other labels can be fully numeric 471 I("1.a", true, true), 472 I("1.2.a", true, true), 473 I("1.2.3.a", true, true), 474 475 // last label can be *partly* numeric 476 I("1a", true, true), 477 I("1.1a", true, true), 478 I("1-1", true, true), 479 I("a.1-1", true, true), 480 I("a.1-a", true, true), 481 482 // presented ID labels cannot start with a hyphen 483 I("-", true, false), 484 I("-1", true, false), 485 486 // presented ID labels cannot end with a hyphen 487 I("1-", true, false), 488 I("1-.a", true, false), 489 I("a-", true, false), 490 I("a-.a", true, false), 491 I("a.1-.a", true, false), 492 I("a.a-.a", true, false), 493 494 // labels can contain a hyphen in the middle 495 I("a-b", true, true), 496 I("1-2", true, true), 497 I("a.a-1", true, true), 498 499 // multiple consecutive hyphens allowed 500 I("a--1", true, true), 501 I("1---a", true, true), 502 I("a-----------------b", true, true), 503 504 // Wildcard specifications are not valid reference names, but are valid 505 // presented names if there are enough labels and if '*' is the only 506 // character in the wildcard label. 507 I("*.a", false, false), 508 I("a*", false, false), 509 I("a*.", false, false), 510 I("a*.a", false, false), 511 I("a*.a.", false, false), 512 I("*.a.b", false, true), 513 I("*.a.b.", false, false), 514 I("a*.b.c", false, false), 515 I("*.a.b.c", false, true), 516 I("a*.b.c.d", false, false), 517 518 // Multiple wildcards are not allowed. 519 I("a**.b.c", false, false), 520 I("a*b*.c.d", false, false), 521 I("a*.b*.c", false, false), 522 523 // Wildcards are only allowed in the first label. 524 I("a.*", false, false), 525 I("a.*.b", false, false), 526 I("a.b.*", false, false), 527 I("a.b*.c", false, false), 528 I("*.b*.c", false, false), 529 I(".*.a.b", false, false), 530 I(".a*.b.c", false, false), 531 532 // Wildcards must be at the *end* of the first label. 533 I("*a.b.c", false, false), 534 I("a*b.c.d", false, false), 535 536 // Wildcards not allowed with IDNA prefix 537 I("x*.a.b", false, false), 538 I("xn*.a.b", false, false), 539 I("xn-*.a.b", false, false), 540 I("xn--*.a.b", false, false), 541 I("xn--w*.a.b", false, false), 542 543 // Redacted labels from RFC6962bis draft 4 544 // https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-04#section-3.2.2 545 I("(PRIVATE).foo", false, false), 546 547 // maximum label length is 63 characters 548 I("1234567890" "1234567890" "1234567890" 549 "1234567890" "1234567890" "1234567890" "abc", true, true), 550 I("1234567890" "1234567890" "1234567890" 551 "1234567890" "1234567890" "1234567890" "abcd", false, false), 552 553 // maximum total length is 253 characters 554 I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 555 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 556 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 557 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 558 "1234567890" "1234567890" "1234567890" "1234567890" "12345678" "a", 559 true, true), 560 I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 561 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 562 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 563 "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "." 564 "1234567890" "1234567890" "1234567890" "1234567890" "123456789" "a", 565 false, false), 566 }; 567 568 static const InputValidity DNSNAMES_VALIDITY_TURKISH_I[] = 569 { 570 // http://en.wikipedia.org/wiki/Dotted_and_dotless_I#In_computing 571 // IDN registration rules disallow "latin capital letter i with dot above," 572 // but our checks aren't intended to enforce those rules. 573 I("I", true, true), // ASCII capital I 574 I("i", true, true), // ASCII lowercase i 575 I("\xC4\xB0", false, false), // latin capital letter i with dot above 576 I("\xC4\xB1", false, false), // latin small letter dotless i 577 I("xn--i-9bb", true, true), // latin capital letter i with dot above, in punycode 578 I("xn--cfa", true, true), // latin small letter dotless i, in punycode 579 I("xn--\xC4\xB0", false, false), // latin capital letter i with dot above, mashup 580 I("xn--\xC4\xB1", false, false), // latin small letter dotless i, mashup 581 }; 582 583 static const uint8_t LOWERCASE_I_VALUE[1] = { 'i' }; 584 static const uint8_t UPPERCASE_I_VALUE[1] = { 'I' }; 585 static const Input LOWERCASE_I(LOWERCASE_I_VALUE); 586 static const Input UPPERCASE_I(UPPERCASE_I_VALUE); 587 588 template <unsigned int L> 589 struct IPAddressParams 590 { 591 ByteString input; 592 bool isValid; 593 uint8_t expectedValueIfValid[L]; 594 }; 595 596 template <unsigned int L> 597 ::std::ostream& operator<<(::std::ostream& os, const IPAddressParams<L>&) 598 { 599 return os << "TODO (bug 1318770)"; 600 } 601 602 #define IPV4_VALID(str, a, b, c, d) \ 603 { \ 604 ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \ 605 true, \ 606 { a, b, c, d } \ 607 } 608 609 // The value of expectedValueIfValid must be ignored for invalid IP addresses. 610 // The value { 73, 73, 73, 73 } is used because it is unlikely to result in an 611 // accidental match, unlike { 0, 0, 0, 0 }, which is a value we actually test. 612 #define IPV4_INVALID(str) \ 613 { \ 614 ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \ 615 false, \ 616 { 73, 73, 73, 73 } \ 617 } 618 619 static const IPAddressParams<4> IPV4_ADDRESSES[] = 620 { 621 IPV4_INVALID(""), 622 IPV4_INVALID("1"), 623 IPV4_INVALID("1.2"), 624 IPV4_INVALID("1.2.3"), 625 IPV4_VALID("1.2.3.4", 1, 2, 3, 4), 626 IPV4_INVALID("1.2.3.4.5"), 627 628 IPV4_INVALID("1.2.3.4a"), // a DNSName! 629 IPV4_INVALID("a.2.3.4"), // not even a DNSName! 630 IPV4_INVALID("1::2"), // IPv6 address 631 632 // Whitespace not allowed 633 IPV4_INVALID(" 1.2.3.4"), 634 IPV4_INVALID("1.2.3.4 "), 635 IPV4_INVALID("1 .2.3.4"), 636 IPV4_INVALID("\n1.2.3.4"), 637 IPV4_INVALID("1.2.3.4\n"), 638 639 // Nulls not allowed 640 IPV4_INVALID("\0"), 641 IPV4_INVALID("\0" "1.2.3.4"), 642 IPV4_INVALID("1.2.3.4\0"), 643 IPV4_INVALID("1.2.3.4\0.5"), 644 645 // Range 646 IPV4_VALID("0.0.0.0", 0, 0, 0, 0), 647 IPV4_VALID("255.255.255.255", 255, 255, 255, 255), 648 IPV4_INVALID("256.0.0.0"), 649 IPV4_INVALID("0.256.0.0"), 650 IPV4_INVALID("0.0.256.0"), 651 IPV4_INVALID("0.0.0.256"), 652 IPV4_INVALID("999.0.0.0"), 653 IPV4_INVALID("9999999999999999999.0.0.0"), 654 655 // All digits allowed 656 IPV4_VALID("0.1.2.3", 0, 1, 2, 3), 657 IPV4_VALID("4.5.6.7", 4, 5, 6, 7), 658 IPV4_VALID("8.9.0.1", 8, 9, 0, 1), 659 660 // Leading zeros not allowed 661 IPV4_INVALID("01.2.3.4"), 662 IPV4_INVALID("001.2.3.4"), 663 IPV4_INVALID("00000000001.2.3.4"), 664 IPV4_INVALID("010.2.3.4"), 665 IPV4_INVALID("1.02.3.4"), 666 IPV4_INVALID("1.2.03.4"), 667 IPV4_INVALID("1.2.3.04"), 668 669 // Empty components 670 IPV4_INVALID(".2.3.4"), 671 IPV4_INVALID("1..3.4"), 672 IPV4_INVALID("1.2..4"), 673 IPV4_INVALID("1.2.3."), 674 675 // Too many components 676 IPV4_INVALID("1.2.3.4.5"), 677 IPV4_INVALID("1.2.3.4.5.6"), 678 IPV4_INVALID("0.1.2.3.4"), 679 IPV4_INVALID("1.2.3.4.0"), 680 681 // Leading/trailing dot 682 IPV4_INVALID(".1.2.3.4"), 683 IPV4_INVALID("1.2.3.4."), 684 685 // Other common forms of IPv4 address 686 // http://en.wikipedia.org/wiki/IPv4#Address_representations 687 IPV4_VALID("192.0.2.235", 192, 0, 2, 235), // dotted decimal (control value) 688 IPV4_INVALID("0xC0.0x00.0x02.0xEB"), // dotted hex 689 IPV4_INVALID("0301.0000.0002.0353"), // dotted octal 690 IPV4_INVALID("0xC00002EB"), // non-dotted hex 691 IPV4_INVALID("3221226219"), // non-dotted decimal 692 IPV4_INVALID("030000001353"), // non-dotted octal 693 IPV4_INVALID("192.0.0002.0xEB"), // mixed 694 }; 695 696 #define IPV6_VALID(str, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \ 697 { \ 698 ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \ 699 true, \ 700 { a, b, c, d, \ 701 e, f, g, h, \ 702 i, j, k, l, \ 703 m, n, o, p } \ 704 } 705 706 #define IPV6_INVALID(str) \ 707 { \ 708 ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \ 709 false, \ 710 { 73, 73, 73, 73, \ 711 73, 73, 73, 73, \ 712 73, 73, 73, 73, \ 713 73, 73, 73, 73 } \ 714 } 715 716 static const IPAddressParams<16> IPV6_ADDRESSES[] = 717 { 718 IPV6_INVALID(""), 719 IPV6_INVALID("1234"), 720 IPV6_INVALID("1234:5678"), 721 IPV6_INVALID("1234:5678:9abc"), 722 IPV6_INVALID("1234:5678:9abc:def0"), 723 IPV6_INVALID("1234:5678:9abc:def0:1234:"), 724 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:"), 725 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:"), 726 IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc:def0", 727 0x12, 0x34, 0x56, 0x78, 728 0x9a, 0xbc, 0xde, 0xf0, 729 0x12, 0x34, 0x56, 0x78, 730 0x9a, 0xbc, 0xde, 0xf0), 731 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:"), 732 IPV6_INVALID(":1234:5678:9abc:def0:1234:5678:9abc:def0"), 733 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:0000"), 734 735 // Valid contractions 736 IPV6_VALID("::1", 737 0x00, 0x00, 0x00, 0x00, 738 0x00, 0x00, 0x00, 0x00, 739 0x00, 0x00, 0x00, 0x00, 740 0x00, 0x00, 0x00, 0x01), 741 IPV6_VALID("::1234", 742 0x00, 0x00, 0x00, 0x00, 743 0x00, 0x00, 0x00, 0x00, 744 0x00, 0x00, 0x00, 0x00, 745 0x00, 0x00, 0x12, 0x34), 746 IPV6_VALID("1234::", 747 0x12, 0x34, 0x00, 0x00, 748 0x00, 0x00, 0x00, 0x00, 749 0x00, 0x00, 0x00, 0x00, 750 0x00, 0x00, 0x00, 0x00), 751 IPV6_VALID("1234::5678", 752 0x12, 0x34, 0x00, 0x00, 753 0x00, 0x00, 0x00, 0x00, 754 0x00, 0x00, 0x00, 0x00, 755 0x00, 0x00, 0x56, 0x78), 756 IPV6_VALID("1234:5678::abcd", 757 0x12, 0x34, 0x56, 0x78, 758 0x00, 0x00, 0x00, 0x00, 759 0x00, 0x00, 0x00, 0x00, 760 0x00, 0x00, 0xab, 0xcd), 761 IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc::", 762 0x12, 0x34, 0x56, 0x78, 763 0x9a, 0xbc, 0xde, 0xf0, 764 0x12, 0x34, 0x56, 0x78, 765 0x9a, 0xbc, 0x00, 0x00), 766 767 // Contraction in full IPv6 addresses not allowed 768 IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"), // start 769 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"), // end 770 IPV6_INVALID("1234:5678::9abc:def0:1234:5678:9abc:def0"), // interior 771 772 // Multiple contractions not allowed 773 IPV6_INVALID("::1::"), 774 IPV6_INVALID("::1::2"), 775 IPV6_INVALID("1::2::"), 776 777 // Colon madness! 778 IPV6_INVALID(":"), 779 IPV6_INVALID("::"), 780 IPV6_INVALID(":::"), 781 IPV6_INVALID("::::"), 782 IPV6_INVALID(":::1"), 783 IPV6_INVALID("::::1"), 784 IPV6_INVALID("1:::2"), 785 IPV6_INVALID("1::::2"), 786 IPV6_INVALID("1:2:::"), 787 IPV6_INVALID("1:2::::"), 788 IPV6_INVALID("::1234:"), 789 IPV6_INVALID(":1234::"), 790 791 IPV6_INVALID("01234::"), // too many digits, even if zero 792 IPV6_INVALID("12345678::"), // too many digits or missing colon 793 794 // uppercase 795 IPV6_VALID("ABCD:EFAB::", 796 0xab, 0xcd, 0xef, 0xab, 797 0x00, 0x00, 0x00, 0x00, 798 0x00, 0x00, 0x00, 0x00, 799 0x00, 0x00, 0x00, 0x00), 800 801 // miXeD CAse 802 IPV6_VALID("aBcd:eFAb::", 803 0xab, 0xcd, 0xef, 0xab, 804 0x00, 0x00, 0x00, 0x00, 805 0x00, 0x00, 0x00, 0x00, 806 0x00, 0x00, 0x00, 0x00), 807 808 // IPv4-style 809 IPV6_VALID("::2.3.4.5", 810 0x00, 0x00, 0x00, 0x00, 811 0x00, 0x00, 0x00, 0x00, 812 0x00, 0x00, 0x00, 0x00, 813 0x02, 0x03, 0x04, 0x05), 814 IPV6_VALID("1234::2.3.4.5", 815 0x12, 0x34, 0x00, 0x00, 816 0x00, 0x00, 0x00, 0x00, 817 0x00, 0x00, 0x00, 0x00, 818 0x02, 0x03, 0x04, 0x05), 819 IPV6_VALID("::abcd:2.3.4.5", 820 0x00, 0x00, 0x00, 0x00, 821 0x00, 0x00, 0x00, 0x00, 822 0x00, 0x00, 0xab, 0xcd, 823 0x02, 0x03, 0x04, 0x05), 824 IPV6_VALID("1234:5678:9abc:def0:1234:5678:252.253.254.255", 825 0x12, 0x34, 0x56, 0x78, 826 0x9a, 0xbc, 0xde, 0xf0, 827 0x12, 0x34, 0x56, 0x78, 828 252, 253, 254, 255), 829 IPV6_VALID("1234:5678:9abc:def0:1234::252.253.254.255", 830 0x12, 0x34, 0x56, 0x78, 831 0x9a, 0xbc, 0xde, 0xf0, 832 0x12, 0x34, 0x00, 0x00, 833 252, 253, 254, 255), 834 IPV6_INVALID("1234::252.253.254"), 835 IPV6_INVALID("::252.253.254"), 836 IPV6_INVALID("::252.253.254.300"), 837 IPV6_INVALID("1234::252.253.254.255:"), 838 IPV6_INVALID("1234::252.253.254.255:5678"), 839 840 // Contractions that don't contract 841 IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"), 842 IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"), 843 IPV6_INVALID("1234:5678:9abc:def0::1234:5678:9abc:def0"), 844 IPV6_INVALID("1234:5678:9abc:def0:1234:5678::252.253.254.255"), 845 846 // With and without leading zeros 847 IPV6_VALID("::123", 848 0x00, 0x00, 0x00, 0x00, 849 0x00, 0x00, 0x00, 0x00, 850 0x00, 0x00, 0x00, 0x00, 851 0x00, 0x00, 0x01, 0x23), 852 IPV6_VALID("::0123", 853 0x00, 0x00, 0x00, 0x00, 854 0x00, 0x00, 0x00, 0x00, 855 0x00, 0x00, 0x00, 0x00, 856 0x00, 0x00, 0x01, 0x23), 857 IPV6_VALID("::012", 858 0x00, 0x00, 0x00, 0x00, 859 0x00, 0x00, 0x00, 0x00, 860 0x00, 0x00, 0x00, 0x00, 861 0x00, 0x00, 0x00, 0x12), 862 IPV6_VALID("::0012", 863 0x00, 0x00, 0x00, 0x00, 864 0x00, 0x00, 0x00, 0x00, 865 0x00, 0x00, 0x00, 0x00, 866 0x00, 0x00, 0x00, 0x12), 867 IPV6_VALID("::01", 868 0x00, 0x00, 0x00, 0x00, 869 0x00, 0x00, 0x00, 0x00, 870 0x00, 0x00, 0x00, 0x00, 871 0x00, 0x00, 0x00, 0x01), 872 IPV6_VALID("::001", 873 0x00, 0x00, 0x00, 0x00, 874 0x00, 0x00, 0x00, 0x00, 875 0x00, 0x00, 0x00, 0x00, 876 0x00, 0x00, 0x00, 0x01), 877 IPV6_VALID("::0001", 878 0x00, 0x00, 0x00, 0x00, 879 0x00, 0x00, 0x00, 0x00, 880 0x00, 0x00, 0x00, 0x00, 881 0x00, 0x00, 0x00, 0x01), 882 IPV6_VALID("::0", 883 0x00, 0x00, 0x00, 0x00, 884 0x00, 0x00, 0x00, 0x00, 885 0x00, 0x00, 0x00, 0x00, 886 0x00, 0x00, 0x00, 0x00), 887 IPV6_VALID("::00", 888 0x00, 0x00, 0x00, 0x00, 889 0x00, 0x00, 0x00, 0x00, 890 0x00, 0x00, 0x00, 0x00, 891 0x00, 0x00, 0x00, 0x00), 892 IPV6_VALID("::000", 893 0x00, 0x00, 0x00, 0x00, 894 0x00, 0x00, 0x00, 0x00, 895 0x00, 0x00, 0x00, 0x00, 896 0x00, 0x00, 0x00, 0x00), 897 IPV6_VALID("::0000", 898 0x00, 0x00, 0x00, 0x00, 899 0x00, 0x00, 0x00, 0x00, 900 0x00, 0x00, 0x00, 0x00, 901 0x00, 0x00, 0x00, 0x00), 902 IPV6_INVALID("::01234"), 903 IPV6_INVALID("::00123"), 904 IPV6_INVALID("::000123"), 905 906 // Trailing zero 907 IPV6_INVALID("::12340"), 908 909 // Whitespace 910 IPV6_INVALID(" 1234:5678:9abc:def0:1234:5678:9abc:def0"), 911 IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0"), 912 IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0\n"), 913 IPV6_INVALID("1234 :5678:9abc:def0:1234:5678:9abc:def0"), 914 IPV6_INVALID("1234: 5678:9abc:def0:1234:5678:9abc:def0"), 915 IPV6_INVALID(":: 2.3.4.5"), 916 IPV6_INVALID("1234::252.253.254.255 "), 917 IPV6_INVALID("1234::252.253.254.255\n"), 918 IPV6_INVALID("1234::252.253. 254.255"), 919 920 // Nulls 921 IPV6_INVALID("\0"), 922 IPV6_INVALID("::1\0:2"), 923 IPV6_INVALID("::1\0"), 924 IPV6_INVALID("::1.2.3.4\0"), 925 IPV6_INVALID("::1.2\02.3.4"), 926 }; 927 928 class pkixnames_MatchPresentedDNSIDWithReferenceDNSID 929 : public ::testing::Test 930 , public ::testing::WithParamInterface<PresentedMatchesReference> 931 { 932 public: 933 DefaultNameMatchingPolicy mNameMatchingPolicy; 934 }; 935 936 TEST_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID, 937 MatchPresentedDNSIDWithReferenceDNSID) 938 { 939 const PresentedMatchesReference& param(GetParam()); 940 SCOPED_TRACE(param.presentedDNSID.c_str()); 941 SCOPED_TRACE(param.referenceDNSID.c_str()); 942 Input presented; 943 ASSERT_EQ(Success, presented.Init(param.presentedDNSID.data(), 944 param.presentedDNSID.length())); 945 Input reference; 946 ASSERT_EQ(Success, reference.Init(param.referenceDNSID.data(), 947 param.referenceDNSID.length())); 948 949 // sanity check that test makes sense 950 ASSERT_TRUE(IsValidReferenceDNSID(reference)); 951 952 bool matches; 953 ASSERT_EQ(param.expectedResult, 954 MatchPresentedDNSIDWithReferenceDNSID(presented, reference, 955 matches)); 956 if (param.expectedResult == Success) { 957 ASSERT_EQ(param.expectedMatches, matches); 958 } 959 } 960 961 INSTANTIATE_TEST_SUITE_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID, 962 pkixnames_MatchPresentedDNSIDWithReferenceDNSID, 963 testing::ValuesIn(DNSID_MATCH_PARAMS)); 964 965 class pkixnames_Turkish_I_Comparison 966 : public ::testing::Test 967 , public ::testing::WithParamInterface<InputValidity> 968 { 969 public: 970 DefaultNameMatchingPolicy mNameMatchingPolicy; 971 }; 972 973 TEST_P(pkixnames_Turkish_I_Comparison, MatchPresentedDNSIDWithReferenceDNSID) 974 { 975 // Make sure we don't have the similar problems that strcasecmp and others 976 // have with the other kinds of "i" and "I" commonly used in Turkish locales. 977 978 const InputValidity& inputValidity(GetParam()); 979 SCOPED_TRACE(inputValidity.input.c_str()); 980 Input input; 981 ASSERT_EQ(Success, input.Init(inputValidity.input.data(), 982 inputValidity.input.length())); 983 984 bool isASCII = InputsAreEqual(LOWERCASE_I, input) || 985 InputsAreEqual(UPPERCASE_I, input); 986 { 987 bool matches; 988 ASSERT_EQ(inputValidity.isValidPresentedID ? Success 989 : Result::ERROR_BAD_DER, 990 MatchPresentedDNSIDWithReferenceDNSID(input, LOWERCASE_I, 991 matches)); 992 if (inputValidity.isValidPresentedID) { 993 ASSERT_EQ(isASCII, matches); 994 } 995 } 996 { 997 bool matches; 998 ASSERT_EQ(inputValidity.isValidPresentedID ? Success 999 : Result::ERROR_BAD_DER, 1000 MatchPresentedDNSIDWithReferenceDNSID(input, UPPERCASE_I, 1001 matches)); 1002 if (inputValidity.isValidPresentedID) { 1003 ASSERT_EQ(isASCII, matches); 1004 } 1005 } 1006 } 1007 1008 INSTANTIATE_TEST_SUITE_P(pkixnames_Turkish_I_Comparison, 1009 pkixnames_Turkish_I_Comparison, 1010 testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I)); 1011 1012 class pkixnames_IsValidReferenceDNSID 1013 : public ::testing::Test 1014 , public ::testing::WithParamInterface<InputValidity> 1015 { 1016 public: 1017 DefaultNameMatchingPolicy mNameMatchingPolicy; 1018 }; 1019 1020 TEST_P(pkixnames_IsValidReferenceDNSID, IsValidReferenceDNSID) 1021 { 1022 const InputValidity& inputValidity(GetParam()); 1023 SCOPED_TRACE(inputValidity.input.c_str()); 1024 Input input; 1025 ASSERT_EQ(Success, input.Init(inputValidity.input.data(), 1026 inputValidity.input.length())); 1027 ASSERT_EQ(inputValidity.isValidReferenceID, IsValidReferenceDNSID(input)); 1028 ASSERT_EQ(inputValidity.isValidPresentedID, IsValidPresentedDNSID(input)); 1029 } 1030 1031 INSTANTIATE_TEST_SUITE_P(pkixnames_IsValidReferenceDNSID, 1032 pkixnames_IsValidReferenceDNSID, 1033 testing::ValuesIn(DNSNAMES_VALIDITY)); 1034 INSTANTIATE_TEST_SUITE_P(pkixnames_IsValidReferenceDNSID_Turkish_I, 1035 pkixnames_IsValidReferenceDNSID, 1036 testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I)); 1037 1038 class pkixnames_ParseIPv4Address 1039 : public ::testing::Test 1040 , public ::testing::WithParamInterface<IPAddressParams<4>> 1041 { 1042 public: 1043 DefaultNameMatchingPolicy mNameMatchingPolicy; 1044 }; 1045 1046 TEST_P(pkixnames_ParseIPv4Address, ParseIPv4Address) 1047 { 1048 const IPAddressParams<4>& param(GetParam()); 1049 SCOPED_TRACE(param.input.c_str()); 1050 Input input; 1051 ASSERT_EQ(Success, input.Init(param.input.data(), 1052 param.input.length())); 1053 uint8_t ipAddress[4]; 1054 ASSERT_EQ(param.isValid, ParseIPv4Address(input, ipAddress)); 1055 if (param.isValid) { 1056 for (size_t i = 0; i < sizeof(ipAddress); ++i) { 1057 ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]); 1058 } 1059 } 1060 } 1061 1062 INSTANTIATE_TEST_SUITE_P(pkixnames_ParseIPv4Address, 1063 pkixnames_ParseIPv4Address, 1064 testing::ValuesIn(IPV4_ADDRESSES)); 1065 1066 class pkixnames_ParseIPv6Address 1067 : public ::testing::Test 1068 , public ::testing::WithParamInterface<IPAddressParams<16>> 1069 { 1070 public: 1071 DefaultNameMatchingPolicy mNameMatchingPolicy; 1072 }; 1073 1074 TEST_P(pkixnames_ParseIPv6Address, ParseIPv6Address) 1075 { 1076 const IPAddressParams<16>& param(GetParam()); 1077 SCOPED_TRACE(param.input.c_str()); 1078 Input input; 1079 ASSERT_EQ(Success, input.Init(param.input.data(), 1080 param.input.length())); 1081 uint8_t ipAddress[16]; 1082 ASSERT_EQ(param.isValid, ParseIPv6Address(input, ipAddress)); 1083 if (param.isValid) { 1084 for (size_t i = 0; i < sizeof(ipAddress); ++i) { 1085 ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]); 1086 } 1087 } 1088 } 1089 1090 INSTANTIATE_TEST_SUITE_P(pkixnames_ParseIPv6Address, 1091 pkixnames_ParseIPv6Address, 1092 testing::ValuesIn(IPV6_ADDRESSES)); 1093 1094 // This is an arbitrary string that is used to indicate that no SAN extension 1095 // should be put into the generated certificate. It needs to be different from 1096 // "" or any other subjectAltName value that we actually want to test, but its 1097 // actual value does not matter. Note that this isn't a correctly-encoded SAN 1098 // extension value! 1099 static const ByteString 1100 NO_SAN(reinterpret_cast<const uint8_t*>("I'm a bad, bad, certificate")); 1101 1102 struct CheckCertHostnameParams 1103 { 1104 ByteString hostname; 1105 ByteString subject; 1106 ByteString subjectAltName; 1107 Result result; 1108 }; 1109 1110 ::std::ostream& operator<<(::std::ostream& os, const CheckCertHostnameParams&) 1111 { 1112 return os << "TODO (bug 1318770)"; 1113 } 1114 1115 class pkixnames_CheckCertHostname 1116 : public ::testing::Test 1117 , public ::testing::WithParamInterface<CheckCertHostnameParams> 1118 { 1119 public: 1120 DefaultNameMatchingPolicy mNameMatchingPolicy; 1121 }; 1122 1123 #define WITH_SAN(r, ps, psan, result) \ 1124 { \ 1125 ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \ 1126 ps, \ 1127 psan, \ 1128 result \ 1129 } 1130 1131 #define WITHOUT_SAN(r, ps, result) \ 1132 { \ 1133 ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \ 1134 ps, \ 1135 NO_SAN, \ 1136 result \ 1137 } 1138 1139 static const uint8_t example_com[] = { 1140 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm' 1141 }; 1142 1143 // Note that We avoid zero-valued bytes in these IP addresses so that we don't 1144 // get false negatives from anti-NULL-byte defenses in dNSName decoding. 1145 static const uint8_t ipv4_addr_bytes[] = { 1146 1, 2, 3, 4 1147 }; 1148 static const char ipv4_addr_bytes_as_str[] = "\x01\x02\x03\x04"; 1149 static const char ipv4_addr_str[] = "1.2.3.4"; 1150 static const uint8_t ipv4_addr_bytes_FFFFFFFF[8] = { 1151 1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff 1152 }; 1153 1154 static const uint8_t ipv4_compatible_ipv6_addr_bytes[] = { 1155 0, 0, 0, 0, 1156 0, 0, 0, 0, 1157 0, 0, 0, 0, 1158 1, 2, 3, 4 1159 }; 1160 static const char ipv4_compatible_ipv6_addr_str[] = "::1.2.3.4"; 1161 1162 static const uint8_t ipv4_mapped_ipv6_addr_bytes[] = { 1163 0, 0, 0, 0, 1164 0, 0, 0, 0, 1165 0, 0, 0xFF, 0xFF, 1166 1, 2, 3, 4 1167 }; 1168 static const char ipv4_mapped_ipv6_addr_str[] = "::FFFF:1.2.3.4"; 1169 1170 static const uint8_t ipv6_addr_bytes[] = { 1171 0x11, 0x22, 0x33, 0x44, 1172 0x55, 0x66, 0x77, 0x88, 1173 0x99, 0xaa, 0xbb, 0xcc, 1174 0xdd, 0xee, 0xff, 0x11 1175 }; 1176 static const char ipv6_addr_bytes_as_str[] = 1177 "\x11\x22\x33\x44" 1178 "\x55\x66\x77\x88" 1179 "\x99\xaa\xbb\xcc" 1180 "\xdd\xee\xff\x11"; 1181 1182 static const char ipv6_addr_str[] = 1183 "1122:3344:5566:7788:99aa:bbcc:ddee:ff11"; 1184 1185 static const uint8_t ipv6_other_addr_bytes[] = { 1186 0xff, 0xee, 0xdd, 0xcc, 1187 0xbb, 0xaa, 0x99, 0x88, 1188 0x77, 0x66, 0x55, 0x44, 1189 0x33, 0x22, 0x11, 0x00, 1190 }; 1191 1192 static const uint8_t ipv4_other_addr_bytes[] = { 1193 5, 6, 7, 8 1194 }; 1195 static const uint8_t ipv4_other_addr_bytes_FFFFFFFF[] = { 1196 5, 6, 7, 8, 0xff, 0xff, 0xff, 0xff 1197 }; 1198 1199 static const uint8_t ipv4_addr_00000000_bytes[] = { 1200 0, 0, 0, 0 1201 }; 1202 static const uint8_t ipv4_addr_FFFFFFFF_bytes[] = { 1203 0, 0, 0, 0 1204 }; 1205 1206 static const uint8_t ipv4_constraint_all_zeros_bytes[] = { 1207 0, 0, 0, 0, 0, 0, 0, 0 1208 }; 1209 1210 static const uint8_t ipv6_addr_all_zeros_bytes[] = { 1211 0, 0, 0, 0, 0, 0, 0, 0, 1212 0, 0, 0, 0, 0, 0, 0, 0, 1213 }; 1214 1215 static const uint8_t ipv6_constraint_all_zeros_bytes[] = { 1216 0, 0, 0, 0, 0, 0, 0, 0, 1217 0, 0, 0, 0, 0, 0, 0, 0, 1218 0, 0, 0, 0, 0, 0, 0, 0, 1219 0, 0, 0, 0, 0, 0, 0, 0 1220 }; 1221 1222 static const uint8_t ipv4_constraint_CIDR_16_bytes[] = { 1223 1, 2, 0, 0, 0xff, 0xff, 0, 0 1224 }; 1225 static const uint8_t ipv4_constraint_CIDR_17_bytes[] = { 1226 1, 2, 0, 0, 0xff, 0xff, 0x80, 0 1227 }; 1228 1229 // The subnet is 1.2.0.0/16 but it is specified as 1.2.3.0/16 1230 static const uint8_t ipv4_constraint_CIDR_16_bad_addr_bytes[] = { 1231 1, 2, 3, 0, 0xff, 0xff, 0, 0 1232 }; 1233 1234 // Masks are supposed to be of the form <ones><zeros>, but this one is of the 1235 // form <ones><zeros><ones><zeros>. 1236 static const uint8_t ipv4_constraint_bad_mask_bytes[] = { 1237 1, 2, 3, 0, 0xff, 0, 0xff, 0 1238 }; 1239 1240 static const uint8_t ipv6_constraint_CIDR_16_bytes[] = { 1241 0x11, 0x22, 0, 0, 0, 0, 0, 0, 1242 0, 0, 0, 0, 0, 0, 0, 0, 1243 0xff, 0xff, 0, 0, 0, 0, 0, 0, 1244 0, 0, 0, 0, 0, 0, 0, 0 1245 }; 1246 1247 // The subnet is 1122::/16 but it is specified as 1122:3344::/16 1248 static const uint8_t ipv6_constraint_CIDR_16_bad_addr_bytes[] = { 1249 0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0, 1250 0, 0, 0, 0, 0, 0, 0, 0, 1251 0xff, 0xff, 0, 0, 0, 0, 0, 0, 1252 0, 0, 0, 0, 0, 0, 0, 0 1253 }; 1254 1255 // Masks are supposed to be of the form <ones><zeros>, but this one is of the 1256 // form <ones><zeros><ones><zeros>. 1257 static const uint8_t ipv6_constraint_bad_mask_bytes[] = { 1258 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0, 0, 1259 0, 0, 0, 0, 0, 0, 0, 0, 1260 0xff, 0xff, 0, 0, 0xff, 0xff, 0, 0, 1261 0, 0, 0, 0, 0, 0, 0, 0, 1262 }; 1263 1264 static const uint8_t ipv4_addr_truncated_bytes[] = { 1265 1, 2, 3 1266 }; 1267 static const uint8_t ipv4_addr_overlong_bytes[] = { 1268 1, 2, 3, 4, 5 1269 }; 1270 static const uint8_t ipv4_constraint_truncated_bytes[] = { 1271 0, 0, 0, 0, 1272 0, 0, 0, 1273 }; 1274 static const uint8_t ipv4_constraint_overlong_bytes[] = { 1275 0, 0, 0, 0, 1276 0, 0, 0, 0, 0 1277 }; 1278 1279 static const uint8_t ipv6_addr_truncated_bytes[] = { 1280 0x11, 0x22, 0x33, 0x44, 1281 0x55, 0x66, 0x77, 0x88, 1282 0x99, 0xaa, 0xbb, 0xcc, 1283 0xdd, 0xee, 0xff 1284 }; 1285 static const uint8_t ipv6_addr_overlong_bytes[] = { 1286 0x11, 0x22, 0x33, 0x44, 1287 0x55, 0x66, 0x77, 0x88, 1288 0x99, 0xaa, 0xbb, 0xcc, 1289 0xdd, 0xee, 0xff, 0x11, 0x00 1290 }; 1291 static const uint8_t ipv6_constraint_truncated_bytes[] = { 1292 0x11, 0x22, 0, 0, 0, 0, 0, 0, 1293 0, 0, 0, 0, 0, 0, 0, 0, 1294 0xff, 0xff, 0, 0, 0, 0, 0, 0, 1295 0, 0, 0, 0, 0, 0, 0 1296 }; 1297 static const uint8_t ipv6_constraint_overlong_bytes[] = { 1298 0x11, 0x22, 0, 0, 0, 0, 0, 0, 1299 0, 0, 0, 0, 0, 0, 0, 0, 1300 0xff, 0xff, 0, 0, 0, 0, 0, 0, 1301 0, 0, 0, 0, 0, 0, 0, 0, 0 1302 }; 1303 1304 // Note that, for DNSNames, these test cases in CHECK_CERT_HOSTNAME_PARAMS are 1305 // mostly about testing different scenerios regarding the structure of entries 1306 // in the subjectAltName and subject of the certificate, than about the how 1307 // specific presented identifier values are matched against the reference 1308 // identifier values. This is because we also use the test cases in 1309 // DNSNAMES_VALIDITY to test CheckCertHostname. Consequently, tests about 1310 // whether specific presented DNSNames (including wildcards, in particular) are 1311 // matched against a reference DNSName only need to be added to 1312 // DNSNAMES_VALIDITY, and not here. 1313 static const CheckCertHostnameParams CHECK_CERT_HOSTNAME_PARAMS[] = 1314 { 1315 // This is technically illegal. PrintableString is defined in such a way that 1316 // '*' is not an allowed character, but there are many real-world certificates 1317 // that are encoded this way. 1318 WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::PrintableString)), 1319 Success), 1320 WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::UTF8String)), 1321 Success), 1322 1323 // Many certificates use TeletexString when encoding wildcards in CN-IDs 1324 // because PrintableString is defined as not allowing '*' and UTF8String was, 1325 // at one point in history, considered too new to depend on for compatibility. 1326 // We accept TeletexString-encoded CN-IDs when they don't contain any escape 1327 // sequences. The reference I used for the escape codes was 1328 // https://tools.ietf.org/html/rfc1468. The escaping mechanism is actually 1329 // pretty complex and these tests don't even come close to testing all the 1330 // possibilities. 1331 WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::TeletexString)), 1332 Success), 1333 // "ESC ( B" ({0x1B,0x50,0x42}) is the escape code to switch to ASCII, which 1334 // is redundant because it already the default. 1335 WITHOUT_SAN("foo.example.com", 1336 RDN(CN("\x1B(B*.example.com", der::TeletexString)), 1337 Result::ERROR_BAD_CERT_DOMAIN), 1338 WITHOUT_SAN("foo.example.com", 1339 RDN(CN("*.example\x1B(B.com", der::TeletexString)), 1340 Result::ERROR_BAD_CERT_DOMAIN), 1341 WITHOUT_SAN("foo.example.com", 1342 RDN(CN("*.example.com\x1B(B", der::TeletexString)), 1343 Result::ERROR_BAD_CERT_DOMAIN), 1344 // "ESC $ B" ({0x1B,0x24,0x42}) is the escape code to switch to 1345 // JIS X 0208-1983 (a Japanese character set). 1346 WITHOUT_SAN("foo.example.com", 1347 RDN(CN("\x1B$B*.example.com", der::TeletexString)), 1348 Result::ERROR_BAD_CERT_DOMAIN), 1349 WITHOUT_SAN("foo.example.com", 1350 RDN(CN("*.example.com\x1B$B", der::TeletexString)), 1351 Result::ERROR_BAD_CERT_DOMAIN), 1352 1353 // Match a DNSName SAN entry with a redundant (ignored) matching CN-ID. 1354 WITH_SAN("a", RDN(CN("a")), DNSName("a"), Success), 1355 // Match a DNSName SAN entry when there is an CN-ID that doesn't match. 1356 WITH_SAN("b", RDN(CN("a")), DNSName("b"), Success), 1357 // Do not match a CN-ID when there is a valid DNSName SAN Entry. 1358 WITH_SAN("a", RDN(CN("a")), DNSName("b"), Result::ERROR_BAD_CERT_DOMAIN), 1359 // Do not match a CN-ID when there is a malformed DNSName SAN Entry. 1360 WITH_SAN("a", RDN(CN("a")), DNSName("!"), Result::ERROR_BAD_DER), 1361 // Do not match a matching CN-ID when there is a valid IPAddress SAN entry. 1362 WITH_SAN("a", RDN(CN("a")), IPAddress(ipv4_addr_bytes), 1363 Result::ERROR_BAD_CERT_DOMAIN), 1364 // Do not match a matching CN-ID when there is a malformed IPAddress SAN entry. 1365 WITH_SAN("a", RDN(CN("a")), IPAddress(example_com), 1366 Result::ERROR_BAD_CERT_DOMAIN), 1367 // Match a DNSName against a matching CN-ID when there is a SAN, but the SAN 1368 // does not contain an DNSName or IPAddress entry. 1369 WITH_SAN("a", RDN(CN("a")), RFC822Name("foo@example.com"), Success), 1370 // Match a matching CN-ID when there is no SAN. 1371 WITHOUT_SAN("a", RDN(CN("a")), Success), 1372 // Do not match a mismatching CN-ID when there is no SAN. 1373 WITHOUT_SAN("a", RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN), 1374 1375 // The first DNSName matches. 1376 WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success), 1377 // The last DNSName matches. 1378 WITH_SAN("b", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success), 1379 // The middle DNSName matches. 1380 WITH_SAN("b", RDN(CN("foo")), 1381 DNSName("a") + DNSName("b") + DNSName("c"), Success), 1382 // After an IP address. 1383 WITH_SAN("b", RDN(CN("foo")), 1384 IPAddress(ipv4_addr_bytes) + DNSName("b"), Success), 1385 // Before an IP address. 1386 WITH_SAN("a", RDN(CN("foo")), 1387 DNSName("a") + IPAddress(ipv4_addr_bytes), Success), 1388 // Between an RFC822Name and an IP address. 1389 WITH_SAN("b", RDN(CN("foo")), 1390 RFC822Name("foo@example.com") + DNSName("b") + 1391 IPAddress(ipv4_addr_bytes), 1392 Success), 1393 // Duplicate DNSName. 1394 WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("a"), Success), 1395 // After an invalid DNSName. 1396 WITH_SAN("b", RDN(CN("foo")), DNSName("!") + DNSName("b"), 1397 Result::ERROR_BAD_DER), 1398 1399 // http://tools.ietf.org/html/rfc5280#section-4.2.1.6: "If the subjectAltName 1400 // extension is present, the sequence MUST contain at least one entry." 1401 // However, for compatibility reasons, this is not enforced. See bug 1143085. 1402 // This case is treated as if the extension is not present (i.e. name 1403 // matching falls back to the subject CN). 1404 WITH_SAN("a", RDN(CN("a")), ByteString(), Success), 1405 WITH_SAN("a", RDN(CN("b")), ByteString(), Result::ERROR_BAD_CERT_DOMAIN), 1406 1407 // http://tools.ietf.org/html/rfc5280#section-4.1.2.6 says "If subject naming 1408 // information is present only in the subjectAltName extension (e.g., a key 1409 // bound only to an email address or URI), then the subject name MUST be an 1410 // empty sequence and the subjectAltName extension MUST be critical." So, we 1411 // have to support an empty subject. We don't enforce that the SAN must be 1412 // critical or even that there is a SAN when the subject is empty, though. 1413 WITH_SAN("a", ByteString(), DNSName("a"), Success), 1414 // Make sure we return ERROR_BAD_CERT_DOMAIN and not ERROR_BAD_DER. 1415 WITHOUT_SAN("a", ByteString(), Result::ERROR_BAD_CERT_DOMAIN), 1416 1417 // Two CNs in the same RDN, both match. 1418 WITHOUT_SAN("a", RDN(CN("a") + CN("a")), Success), 1419 // Two CNs in the same RDN, both DNSNames, first one matches. 1420 WITHOUT_SAN("a", RDN(CN("a") + CN("b")), 1421 Result::ERROR_BAD_CERT_DOMAIN), 1422 // Two CNs in the same RDN, both DNSNames, last one matches. 1423 WITHOUT_SAN("b", RDN(CN("a") + CN("b")), Success), 1424 // Two CNs in the same RDN, first one matches, second isn't a DNSName. 1425 WITHOUT_SAN("a", RDN(CN("a") + CN("Not a DNSName")), 1426 Result::ERROR_BAD_CERT_DOMAIN), 1427 // Two CNs in the same RDN, first one not a DNSName, second matches. 1428 WITHOUT_SAN("b", RDN(CN("Not a DNSName") + CN("b")), Success), 1429 1430 // Two CNs in separate RDNs, both match. 1431 WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("a")), Success), 1432 // Two CNs in separate RDNs, both DNSNames, first one matches. 1433 WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("b")), 1434 Result::ERROR_BAD_CERT_DOMAIN), 1435 // Two CNs in separate RDNs, both DNSNames, last one matches. 1436 WITHOUT_SAN("b", RDN(CN("a")) + RDN(CN("b")), Success), 1437 // Two CNs in separate RDNs, first one matches, second isn't a DNSName. 1438 WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("Not a DNSName")), 1439 Result::ERROR_BAD_CERT_DOMAIN), 1440 // Two CNs in separate RDNs, first one not a DNSName, second matches. 1441 WITHOUT_SAN("b", RDN(CN("Not a DNSName")) + RDN(CN("b")), Success), 1442 1443 // One CN, one RDN, CN is the first AVA in the RDN, CN matches. 1444 WITHOUT_SAN("a", RDN(CN("a") + OU("b")), Success), 1445 // One CN, one RDN, CN is the first AVA in the RDN, CN does not match. 1446 WITHOUT_SAN("b", RDN(CN("a") + OU("b")), 1447 Result::ERROR_BAD_CERT_DOMAIN), 1448 // One CN, one RDN, CN is not the first AVA in the RDN, CN matches. 1449 WITHOUT_SAN("b", RDN(OU("a") + CN("b")), Success), 1450 // One CN, one RDN, CN is not the first AVA in the RDN, CN does not match. 1451 WITHOUT_SAN("a", RDN(OU("a") + CN("b")), 1452 Result::ERROR_BAD_CERT_DOMAIN), 1453 1454 // One CN, multiple RDNs, CN is in the first RDN, CN matches. 1455 WITHOUT_SAN("a", RDN(CN("a")) + RDN(OU("b")), Success), 1456 // One CN, multiple RDNs, CN is in the first RDN, CN does not match. 1457 WITHOUT_SAN("b", RDN(CN("a")) + RDN(OU("b")), Result::ERROR_BAD_CERT_DOMAIN), 1458 // One CN, multiple RDNs, CN is not in the first RDN, CN matches. 1459 WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")), Success), 1460 // One CN, multiple RDNs, CN is not in the first RDN, CN does not match. 1461 WITHOUT_SAN("a", RDN(OU("a")) + RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN), 1462 1463 // One CN, one RDN, CN is not in the first or last AVA, CN matches. 1464 WITHOUT_SAN("b", RDN(OU("a") + CN("b") + OU("c")), Success), 1465 // One CN, multiple RDNs, CN is not in the first or last RDN, CN matches. 1466 WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")) + RDN(OU("c")), Success), 1467 1468 // Empty CN does not match. 1469 WITHOUT_SAN("example.com", RDN(CN("")), Result::ERROR_BAD_CERT_DOMAIN), 1470 1471 WITHOUT_SAN("uses_underscore.example.com", RDN(CN("*.example.com")), Success), 1472 WITHOUT_SAN("a.uses_underscore.example.com", 1473 RDN(CN("*.uses_underscore.example.com")), Success), 1474 WITH_SAN("uses_underscore.example.com", RDN(CN("foo")), 1475 DNSName("*.example.com"), Success), 1476 WITH_SAN("a.uses_underscore.example.com", RDN(CN("foo")), 1477 DNSName("*.uses_underscore.example.com"), Success), 1478 1479 // Do not match a DNSName that is encoded in a malformed IPAddress. 1480 WITH_SAN("example.com", RDN(CN("foo")), IPAddress(example_com), 1481 Result::ERROR_BAD_CERT_DOMAIN), 1482 1483 // We skip over the malformed IPAddress and match the DNSName entry because 1484 // we've heard reports of real-world certificates that have malformed 1485 // IPAddress SANs. 1486 WITH_SAN("example.org", RDN(CN("foo")), 1487 IPAddress(example_com) + DNSName("example.org"), Success), 1488 1489 WITH_SAN("example.com", RDN(CN("foo")), 1490 DNSName("!") + DNSName("example.com"), Result::ERROR_BAD_DER), 1491 1492 // Match a matching IPv4 address SAN entry. 1493 WITH_SAN(ipv4_addr_str, RDN(CN("foo")), IPAddress(ipv4_addr_bytes), 1494 Success), 1495 // Match a matching IPv4 addresses in the CN when there is no SAN 1496 WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), Success), 1497 // Do not match a matching IPv4 address in the CN when there is a SAN with 1498 // a DNSName entry. 1499 WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), 1500 DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN), 1501 // Do not match a matching IPv4 address in the CN when there is a SAN with 1502 // a non-matching IPAddress entry. 1503 WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), 1504 IPAddress(ipv6_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN), 1505 // Match a matching IPv4 address in the CN when there is a SAN with a 1506 // non-IPAddress, non-DNSName entry. 1507 WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), 1508 RFC822Name("foo@example.com"), Success), 1509 // Do not match a matching IPv4 address in the CN when there is a SAN with a 1510 // malformed IPAddress entry. 1511 WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), 1512 IPAddress(example_com), Result::ERROR_BAD_CERT_DOMAIN), 1513 // Do not match a matching IPv4 address in the CN when there is a SAN with a 1514 // malformed DNSName entry. 1515 WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), 1516 DNSName("!"), Result::ERROR_BAD_CERT_DOMAIN), 1517 1518 // We don't match IPv6 addresses in the CN, regardless of whether there is 1519 // a SAN. 1520 WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)), 1521 Result::ERROR_BAD_CERT_DOMAIN), 1522 WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)), 1523 DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN), 1524 WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)), 1525 IPAddress(ipv6_addr_bytes), Success), 1526 WITH_SAN(ipv6_addr_str, RDN(CN("foo")), IPAddress(ipv6_addr_bytes), 1527 Success), 1528 1529 // We don't match the binary encoding of the bytes of IP addresses in the 1530 // CN. 1531 WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_bytes_as_str)), 1532 Result::ERROR_BAD_CERT_DOMAIN), 1533 WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_bytes_as_str)), 1534 Result::ERROR_BAD_CERT_DOMAIN), 1535 1536 // We don't match IP addresses with DNSName SANs. 1537 WITH_SAN(ipv4_addr_str, RDN(CN("foo")), 1538 DNSName(ipv4_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN), 1539 WITH_SAN(ipv4_addr_str, RDN(CN("foo")), DNSName(ipv4_addr_str), 1540 Result::ERROR_BAD_CERT_DOMAIN), 1541 WITH_SAN(ipv6_addr_str, RDN(CN("foo")), 1542 DNSName(ipv6_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN), 1543 WITH_SAN(ipv6_addr_str, RDN(CN("foo")), DNSName(ipv6_addr_str), 1544 Result::ERROR_BAD_CERT_DOMAIN), 1545 1546 // Do not match an IPv4 reference ID against the equivalent IPv4-compatible 1547 // IPv6 SAN entry. 1548 WITH_SAN(ipv4_addr_str, RDN(CN("foo")), 1549 IPAddress(ipv4_compatible_ipv6_addr_bytes), 1550 Result::ERROR_BAD_CERT_DOMAIN), 1551 // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6 1552 // SAN entry. 1553 WITH_SAN(ipv4_addr_str, RDN(CN("foo")), 1554 IPAddress(ipv4_mapped_ipv6_addr_bytes), 1555 Result::ERROR_BAD_CERT_DOMAIN), 1556 // Do not match an IPv4-compatible IPv6 reference ID against the equivalent 1557 // IPv4 SAN entry. 1558 WITH_SAN(ipv4_compatible_ipv6_addr_str, RDN(CN("foo")), 1559 IPAddress(ipv4_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN), 1560 // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6 1561 // SAN entry. 1562 WITH_SAN(ipv4_mapped_ipv6_addr_str, RDN(CN("foo")), 1563 IPAddress(ipv4_addr_bytes), 1564 Result::ERROR_BAD_CERT_DOMAIN), 1565 1566 // Test that the presence of an otherName entry is handled appropriately. 1567 // (The actual value of the otherName entry isn't important - that's not what 1568 // we're testing here.) 1569 WITH_SAN("example.com", ByteString(), 1570 // The tag for otherName is CONTEXT_SPECIFIC | CONSTRUCTED | 0 1571 TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"), 1572 Success), 1573 WITH_SAN("example.com", ByteString(), 1574 TLV((2 << 6) | (1 << 5) | 0, ByteString()), 1575 Result::ERROR_BAD_CERT_DOMAIN), 1576 }; 1577 1578 ByteString 1579 CreateCert(const ByteString& subject, const ByteString& subjectAltName, 1580 EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity) 1581 { 1582 ByteString serialNumber(CreateEncodedSerialNumber(1)); 1583 EXPECT_FALSE(ENCODING_FAILED(serialNumber)); 1584 1585 ByteString issuerDER(Name(RDN(CN("issuer")))); 1586 EXPECT_FALSE(ENCODING_FAILED(issuerDER)); 1587 1588 ByteString extensions[2]; 1589 if (subjectAltName != NO_SAN) { 1590 extensions[0] = CreateEncodedSubjectAltName(subjectAltName); 1591 EXPECT_FALSE(ENCODING_FAILED(extensions[0])); 1592 } 1593 if (endEntityOrCA == EndEntityOrCA::MustBeCA) { 1594 // Currently, these tests assume that if we're creating a CA certificate, it 1595 // will not have a subjectAlternativeName extension. If that assumption 1596 // changes, this code will have to be updated. Ideally this would be 1597 // ASSERT_EQ, but that inserts a 'return;', which doesn't match this 1598 // function's return type. 1599 EXPECT_EQ(subjectAltName, NO_SAN); 1600 extensions[0] = CreateEncodedBasicConstraints(true, nullptr, 1601 Critical::Yes); 1602 EXPECT_FALSE(ENCODING_FAILED(extensions[0])); 1603 } 1604 1605 ScopedTestKeyPair keyPair(CloneReusedKeyPair()); 1606 return CreateEncodedCertificate( 1607 v3, sha256WithRSAEncryption(), serialNumber, issuerDER, 1608 oneDayBeforeNow, oneDayAfterNow, Name(subject), *keyPair, 1609 extensions, *keyPair, sha256WithRSAEncryption()); 1610 } 1611 1612 TEST_P(pkixnames_CheckCertHostname, CheckCertHostname) 1613 { 1614 const CheckCertHostnameParams& param(GetParam()); 1615 1616 ByteString cert(CreateCert(param.subject, param.subjectAltName)); 1617 ASSERT_FALSE(ENCODING_FAILED(cert)); 1618 Input certInput; 1619 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1620 1621 Input hostnameInput; 1622 ASSERT_EQ(Success, hostnameInput.Init(param.hostname.data(), 1623 param.hostname.length())); 1624 1625 ASSERT_EQ(param.result, CheckCertHostname(certInput, hostnameInput, 1626 mNameMatchingPolicy)); 1627 } 1628 1629 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckCertHostname, 1630 pkixnames_CheckCertHostname, 1631 testing::ValuesIn(CHECK_CERT_HOSTNAME_PARAMS)); 1632 1633 TEST_F(pkixnames_CheckCertHostname, SANWithoutSequence) 1634 { 1635 // A certificate with a truly empty SAN extension (one that doesn't even 1636 // contain a SEQUENCE at all) is malformed. If we didn't treat this as 1637 // malformed then we'd have to treat it like the CN_EmptySAN cases. 1638 1639 ByteString serialNumber(CreateEncodedSerialNumber(1)); 1640 EXPECT_FALSE(ENCODING_FAILED(serialNumber)); 1641 1642 ByteString extensions[2]; 1643 extensions[0] = CreateEncodedEmptySubjectAltName(); 1644 ASSERT_FALSE(ENCODING_FAILED(extensions[0])); 1645 1646 ScopedTestKeyPair keyPair(CloneReusedKeyPair()); 1647 ByteString certDER(CreateEncodedCertificate( 1648 v3, sha256WithRSAEncryption(), serialNumber, 1649 Name(RDN(CN("issuer"))), oneDayBeforeNow, oneDayAfterNow, 1650 Name(RDN(CN("a"))), *keyPair, extensions, 1651 *keyPair, sha256WithRSAEncryption())); 1652 ASSERT_FALSE(ENCODING_FAILED(certDER)); 1653 Input certInput; 1654 ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length())); 1655 1656 static const uint8_t a[] = { 'a' }; 1657 ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID, 1658 CheckCertHostname(certInput, Input(a), mNameMatchingPolicy)); 1659 } 1660 1661 class SkipInvalidSubjectAlternativeNamesNameMatchingPolicy : public NameMatchingPolicy { 1662 public: 1663 virtual Result FallBackToCommonName( 1664 Time, 1665 /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override { 1666 fallBackToCommonName = FallBackToSearchWithinSubject::No; 1667 return Success; 1668 } 1669 1670 virtual HandleInvalidSubjectAlternativeNamesBy 1671 HandleInvalidSubjectAlternativeNames() override { 1672 return HandleInvalidSubjectAlternativeNamesBy::Skipping; 1673 } 1674 }; 1675 1676 TEST_F(pkixnames_CheckCertHostname, SkipInvalidSubjectAlternativeNames) 1677 { 1678 ByteString cert(CreateCert(RDN(CN("invalid SAN example")), DNSName("192.0.2.0"))); 1679 ASSERT_FALSE(ENCODING_FAILED(cert)); 1680 Input certInput; 1681 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1682 1683 const char* hostname = "example.com"; 1684 Input hostnameInput; 1685 ASSERT_EQ(Success, 1686 hostnameInput.Init(reinterpret_cast<const uint8_t*>(hostname), 1687 strlen(hostname))); 1688 1689 // The default name matching policy halts on invalid SAN entries. 1690 ASSERT_EQ(Result::ERROR_BAD_DER, 1691 CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy)); 1692 1693 SkipInvalidSubjectAlternativeNamesNameMatchingPolicy nameMatchingPolicy; 1694 // A policy that skips invalid SAN entries should result in a domain mismatch 1695 // error. 1696 ASSERT_EQ(Result::ERROR_BAD_CERT_DOMAIN, 1697 CheckCertHostname(certInput, hostnameInput, nameMatchingPolicy)); 1698 } 1699 1700 class pkixnames_CheckCertHostname_PresentedMatchesReference 1701 : public ::testing::Test 1702 , public ::testing::WithParamInterface<PresentedMatchesReference> 1703 { 1704 public: 1705 DefaultNameMatchingPolicy mNameMatchingPolicy; 1706 }; 1707 1708 TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference, CN_NoSAN) 1709 { 1710 // Since there is no SAN, a valid presented DNS ID in the subject CN field 1711 // should result in a match. 1712 1713 const PresentedMatchesReference& param(GetParam()); 1714 1715 ByteString cert(CreateCert(RDN(CN(param.presentedDNSID)), NO_SAN)); 1716 ASSERT_FALSE(ENCODING_FAILED(cert)); 1717 Input certInput; 1718 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1719 1720 Input hostnameInput; 1721 ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(), 1722 param.referenceDNSID.length())); 1723 1724 ASSERT_EQ(param.expectedMatches ? Success : Result::ERROR_BAD_CERT_DOMAIN, 1725 CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy)); 1726 } 1727 1728 TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference, 1729 SubjectAltName_CNNotDNSName) 1730 { 1731 // A DNSName SAN entry should match, regardless of the contents of the 1732 // subject CN. 1733 1734 const PresentedMatchesReference& param(GetParam()); 1735 1736 ByteString cert(CreateCert(RDN(CN("Common Name")), 1737 DNSName(param.presentedDNSID))); 1738 ASSERT_FALSE(ENCODING_FAILED(cert)); 1739 Input certInput; 1740 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1741 1742 Input hostnameInput; 1743 ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(), 1744 param.referenceDNSID.length())); 1745 Result expectedResult 1746 = param.expectedResult != Success ? param.expectedResult 1747 : param.expectedMatches ? Success 1748 : Result::ERROR_BAD_CERT_DOMAIN; 1749 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput, 1750 mNameMatchingPolicy)); 1751 } 1752 1753 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckCertHostname_DNSID_MATCH_PARAMS, 1754 pkixnames_CheckCertHostname_PresentedMatchesReference, 1755 testing::ValuesIn(DNSID_MATCH_PARAMS)); 1756 1757 TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_CN_NoSAN) 1758 { 1759 // Make sure we don't have the similar problems that strcasecmp and others 1760 // have with the other kinds of "i" and "I" commonly used in Turkish locales, 1761 // when we're matching a CN due to lack of subjectAltName. 1762 1763 const InputValidity& param(GetParam()); 1764 SCOPED_TRACE(param.input.c_str()); 1765 1766 Input input; 1767 ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length())); 1768 1769 ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN)); 1770 ASSERT_FALSE(ENCODING_FAILED(cert)); 1771 Input certInput; 1772 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1773 1774 Result expectedResult = (InputsAreEqual(LOWERCASE_I, input) || 1775 InputsAreEqual(UPPERCASE_I, input)) 1776 ? Success 1777 : Result::ERROR_BAD_CERT_DOMAIN; 1778 1779 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I, 1780 mNameMatchingPolicy)); 1781 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I, 1782 mNameMatchingPolicy)); 1783 } 1784 1785 TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_SAN) 1786 { 1787 // Make sure we don't have the similar problems that strcasecmp and others 1788 // have with the other kinds of "i" and "I" commonly used in Turkish locales, 1789 // when we're matching a dNSName in the SAN. 1790 1791 const InputValidity& param(GetParam()); 1792 SCOPED_TRACE(param.input.c_str()); 1793 1794 Input input; 1795 ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length())); 1796 1797 ByteString cert(CreateCert(RDN(CN("Common Name")), DNSName(param.input))); 1798 ASSERT_FALSE(ENCODING_FAILED(cert)); 1799 Input certInput; 1800 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1801 1802 Result expectedResult 1803 = (!param.isValidPresentedID) ? Result::ERROR_BAD_DER 1804 : (InputsAreEqual(LOWERCASE_I, input) || 1805 InputsAreEqual(UPPERCASE_I, input)) ? Success 1806 : Result::ERROR_BAD_CERT_DOMAIN; 1807 1808 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I, 1809 mNameMatchingPolicy)); 1810 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I, 1811 mNameMatchingPolicy)); 1812 } 1813 1814 class pkixnames_CheckCertHostname_IPV4_Addresses 1815 : public ::testing::Test 1816 , public ::testing::WithParamInterface<IPAddressParams<4>> 1817 { 1818 public: 1819 DefaultNameMatchingPolicy mNameMatchingPolicy; 1820 }; 1821 1822 TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses, 1823 ValidIPv4AddressInIPAddressSAN) 1824 { 1825 // When the reference hostname is a valid IPv4 address, a correctly-formed 1826 // IPv4 Address SAN matches it. 1827 1828 const IPAddressParams<4>& param(GetParam()); 1829 1830 ByteString cert(CreateCert(RDN(CN("Common Name")), 1831 IPAddress(param.expectedValueIfValid))); 1832 ASSERT_FALSE(ENCODING_FAILED(cert)); 1833 Input certInput; 1834 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1835 1836 Input hostnameInput; 1837 ASSERT_EQ(Success, hostnameInput.Init(param.input.data(), 1838 param.input.length())); 1839 1840 ASSERT_EQ(param.isValid ? Success : Result::ERROR_BAD_CERT_DOMAIN, 1841 CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy)); 1842 } 1843 1844 TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses, 1845 ValidIPv4AddressInCN_NoSAN) 1846 { 1847 // When the reference hostname is a valid IPv4 address, a correctly-formed 1848 // IPv4 Address in the CN matches it when there is no SAN. 1849 1850 const IPAddressParams<4>& param(GetParam()); 1851 1852 SCOPED_TRACE(param.input.c_str()); 1853 1854 ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN)); 1855 ASSERT_FALSE(ENCODING_FAILED(cert)); 1856 Input certInput; 1857 ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length())); 1858 1859 Input hostnameInput; 1860 ASSERT_EQ(Success, hostnameInput.Init(param.input.data(), 1861 param.input.length())); 1862 1863 // Some of the invalid IPv4 addresses are valid DNS names! 1864 Result expectedResult = (param.isValid || IsValidReferenceDNSID(hostnameInput)) 1865 ? Success 1866 : Result::ERROR_BAD_CERT_DOMAIN; 1867 1868 ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput, 1869 mNameMatchingPolicy)); 1870 } 1871 1872 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckCertHostname_IPV4_ADDRESSES, 1873 pkixnames_CheckCertHostname_IPV4_Addresses, 1874 testing::ValuesIn(IPV4_ADDRESSES)); 1875 1876 struct NameConstraintParams 1877 { 1878 ByteString subject; 1879 ByteString subjectAltName; 1880 ByteString subtrees; 1881 Result expectedPermittedSubtreesResult; 1882 Result expectedExcludedSubtreesResult; 1883 }; 1884 1885 ::std::ostream& operator<<(::std::ostream& os, const NameConstraintParams&) 1886 { 1887 return os << "TODO (bug 1318770)"; 1888 } 1889 1890 static ByteString 1891 PermittedSubtrees(const ByteString& generalSubtrees) 1892 { 1893 return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0, 1894 generalSubtrees); 1895 } 1896 1897 static ByteString 1898 ExcludedSubtrees(const ByteString& generalSubtrees) 1899 { 1900 return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, 1901 generalSubtrees); 1902 } 1903 1904 // Does not encode min or max. 1905 static ByteString 1906 GeneralSubtree(const ByteString& base) 1907 { 1908 return TLV(der::SEQUENCE, base); 1909 } 1910 1911 static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] = 1912 { 1913 ///////////////////////////////////////////////////////////////////////////// 1914 // XXX: Malformed name constraints for supported types of names are ignored 1915 // when there are no names of that type to constrain. 1916 { ByteString(), NO_SAN, 1917 GeneralSubtree(DNSName("!")), 1918 Success, Success 1919 }, 1920 { // DirectoryName constraints are an exception, because *every* certificate 1921 // has at least one DirectoryName (tbsCertificate.subject). 1922 ByteString(), NO_SAN, 1923 GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))), 1924 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 1925 }, 1926 { ByteString(), NO_SAN, 1927 GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)), 1928 Success, Success 1929 }, 1930 { ByteString(), NO_SAN, 1931 GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)), 1932 Success, Success 1933 }, 1934 { ByteString(), NO_SAN, 1935 GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)), 1936 Success, Success 1937 }, 1938 { ByteString(), NO_SAN, 1939 GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)), 1940 Success, Success 1941 }, 1942 { ByteString(), NO_SAN, 1943 GeneralSubtree(RFC822Name("!")), 1944 Success, Success 1945 }, 1946 1947 ///////////////////////////////////////////////////////////////////////////// 1948 // Edge cases of name constraint absolute vs. relative and subdomain matching 1949 // that are not clearly explained in RFC 5280. (See the long comment above 1950 // MatchPresentedDNSIDWithReferenceDNSID.) 1951 1952 // Q: Does a presented identifier equal (case insensitive) to the name 1953 // constraint match the constraint? For example, does the presented 1954 // ID "host.example.com" match a "host.example.com" constraint? 1955 { ByteString(), DNSName("host.example.com"), 1956 GeneralSubtree(DNSName("host.example.com")), 1957 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 1958 }, 1959 { // This test case is an example from RFC 5280. 1960 ByteString(), DNSName("host1.example.com"), 1961 GeneralSubtree(DNSName("host.example.com")), 1962 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 1963 }, 1964 { ByteString(), RFC822Name("a@host.example.com"), 1965 GeneralSubtree(RFC822Name("host.example.com")), 1966 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 1967 }, 1968 { // This test case is an example from RFC 5280. 1969 ByteString(), RFC822Name("a@host1.example.com"), 1970 GeneralSubtree(RFC822Name("host.example.com")), 1971 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 1972 }, 1973 1974 // Q: When the name constraint does not start with ".", do subdomain 1975 // presented identifiers match it? For example, does the presented 1976 // ID "www.host.example.com" match a "host.example.com" constraint? 1977 { // This test case is an example from RFC 5280. 1978 ByteString(), DNSName("www.host.example.com"), 1979 GeneralSubtree(DNSName( "host.example.com")), 1980 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 1981 }, 1982 { // The subdomain matching rule for host names that do not start with "." is 1983 // different for RFC822Names than for DNSNames! 1984 ByteString(), RFC822Name("a@www.host.example.com"), 1985 GeneralSubtree(RFC822Name( "host.example.com")), 1986 Result::ERROR_CERT_NOT_IN_NAME_SPACE, 1987 Success 1988 }, 1989 1990 // Q: When the name constraint does not start with ".", does a 1991 // non-subdomain prefix match it? For example, does "bigfoo.bar.com" 1992 // match "foo.bar.com"? 1993 { ByteString(), DNSName("bigfoo.bar.com"), 1994 GeneralSubtree(DNSName( "foo.bar.com")), 1995 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 1996 }, 1997 { ByteString(), RFC822Name("a@bigfoo.bar.com"), 1998 GeneralSubtree(RFC822Name( "foo.bar.com")), 1999 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2000 }, 2001 2002 // Q: Is a name constraint that starts with "." valid, and if so, what 2003 // semantics does it have? For example, does a presented ID of 2004 // "www.example.com" match a constraint of ".example.com"? Does a 2005 // presented ID of "example.com" match a constraint of ".example.com"? 2006 { ByteString(), DNSName("www.example.com"), 2007 GeneralSubtree(DNSName( ".example.com")), 2008 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2009 }, 2010 { // When there is no Local-part, an RFC822 name constraint's domain may 2011 // start with '.', and the semantics are the same as for DNSNames. 2012 ByteString(), RFC822Name("a@www.example.com"), 2013 GeneralSubtree(RFC822Name( ".example.com")), 2014 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2015 }, 2016 { // When there is a Local-part, an RFC822 name constraint's domain must not 2017 // start with '.'. 2018 ByteString(), RFC822Name("a@www.example.com"), 2019 GeneralSubtree(RFC822Name( "a@.example.com")), 2020 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2021 }, 2022 { // Check that we only allow subdomains to match. 2023 ByteString(), DNSName( "example.com"), 2024 GeneralSubtree(DNSName(".example.com")), 2025 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2026 }, 2027 { // Check that we only allow subdomains to match. 2028 ByteString(), RFC822Name("a@example.com"), 2029 GeneralSubtree(RFC822Name(".example.com")), 2030 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2031 }, 2032 { // Check that we don't get confused and consider "b" == "." 2033 ByteString(), DNSName("bexample.com"), 2034 GeneralSubtree(DNSName(".example.com")), 2035 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2036 }, 2037 { // Check that we don't get confused and consider "b" == "." 2038 ByteString(), RFC822Name("a@bexample.com"), 2039 GeneralSubtree(RFC822Name( ".example.com")), 2040 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2041 }, 2042 2043 // Q: Is there a way to prevent subdomain matches? 2044 // (This is tested in a different set of tests because it requires a 2045 // combination of permittedSubtrees and excludedSubtrees.) 2046 2047 // Q: Are name constraints allowed to be specified as absolute names? 2048 // For example, does a presented ID of "example.com" match a name 2049 // constraint of "example.com." and vice versa? 2050 // 2051 { // The DNSName in the constraint is not valid because constraint DNS IDs 2052 // are not allowed to be absolute. 2053 ByteString(), DNSName("example.com"), 2054 GeneralSubtree(DNSName("example.com.")), 2055 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2056 }, 2057 { ByteString(), RFC822Name("a@example.com"), 2058 GeneralSubtree(RFC822Name( "example.com.")), 2059 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2060 }, 2061 { // The DNSName in the SAN is not valid because presented DNS IDs are not 2062 // allowed to be absolute. 2063 ByteString(), DNSName("example.com."), 2064 GeneralSubtree(DNSName("example.com")), 2065 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2066 }, 2067 { ByteString(), RFC822Name("a@example.com."), 2068 GeneralSubtree(RFC822Name( "example.com")), 2069 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2070 }, 2071 { // The presented DNSName is the same length as the constraint, because the 2072 // subdomain is only one character long and because the constraint both 2073 // begins and ends with ".". But, it doesn't matter because absolute names 2074 // are not allowed for DNSName constraints. 2075 ByteString(), DNSName("p.example.com"), 2076 GeneralSubtree(DNSName(".example.com.")), 2077 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2078 }, 2079 { // The presented DNSName is the same length as the constraint, because the 2080 // subdomain is only one character long and because the constraint both 2081 // begins and ends with ".". 2082 ByteString(), RFC822Name("a@p.example.com"), 2083 GeneralSubtree(RFC822Name( ".example.com.")), 2084 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2085 }, 2086 { // Same as previous test case, but using a wildcard presented ID. 2087 ByteString(), DNSName("*.example.com"), 2088 GeneralSubtree(DNSName(".example.com.")), 2089 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2090 }, 2091 { // Same as previous test case, but using a wildcard presented ID, which is 2092 // invalid in an RFC822Name. 2093 ByteString(), RFC822Name("a@*.example.com"), 2094 GeneralSubtree(RFC822Name( ".example.com.")), 2095 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2096 }, 2097 2098 // Q: Are "" and "." valid DNSName constraints? If so, what do they mean? 2099 { ByteString(), DNSName("example.com"), 2100 GeneralSubtree(DNSName("")), 2101 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2102 }, 2103 { ByteString(), RFC822Name("a@example.com"), 2104 GeneralSubtree(RFC822Name("")), 2105 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2106 }, 2107 { // The malformed (absolute) presented ID does not match. 2108 ByteString(), DNSName("example.com."), 2109 GeneralSubtree(DNSName("")), 2110 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2111 }, 2112 { ByteString(), RFC822Name("a@example.com."), 2113 GeneralSubtree(RFC822Name("")), 2114 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2115 }, 2116 { // Invalid syntax in name constraint 2117 ByteString(), DNSName("example.com"), 2118 GeneralSubtree(DNSName(".")), 2119 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2120 }, 2121 { // Invalid syntax in name constraint 2122 ByteString(), RFC822Name("a@example.com"), 2123 GeneralSubtree(RFC822Name(".")), 2124 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER, 2125 }, 2126 { ByteString(), DNSName("example.com."), 2127 GeneralSubtree(DNSName(".")), 2128 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2129 }, 2130 { ByteString(), RFC822Name("a@example.com."), 2131 GeneralSubtree(RFC822Name(".")), 2132 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2133 }, 2134 2135 ///////////////////////////////////////////////////////////////////////////// 2136 // Basic IP Address constraints (non-CN-ID) 2137 2138 // The Mozilla CA Policy says this means "no IPv4 addresses allowed." 2139 { ByteString(), IPAddress(ipv4_addr_bytes), 2140 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2141 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2142 }, 2143 { ByteString(), IPAddress(ipv4_addr_00000000_bytes), 2144 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2145 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2146 }, 2147 { ByteString(), IPAddress(ipv4_addr_FFFFFFFF_bytes), 2148 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2149 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2150 }, 2151 2152 // The Mozilla CA Policy says this means "no IPv6 addresses allowed." 2153 { ByteString(), IPAddress(ipv6_addr_bytes), 2154 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2155 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2156 }, 2157 { ByteString(), IPAddress(ipv6_addr_all_zeros_bytes), 2158 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2159 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2160 }, 2161 2162 // RFC 5280 doesn't partition IP address constraints into separate IPv4 and 2163 // IPv6 categories, so a IPv4 permittedSubtrees constraint excludes all IPv6 2164 // addresses, and vice versa. 2165 { ByteString(), IPAddress(ipv4_addr_bytes), 2166 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2167 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2168 }, 2169 { ByteString(), IPAddress(ipv6_addr_bytes), 2170 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2171 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2172 }, 2173 2174 // IPv4 Subnets 2175 { ByteString(), IPAddress(ipv4_addr_bytes), 2176 GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)), 2177 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2178 }, 2179 { ByteString(), IPAddress(ipv4_addr_bytes), 2180 GeneralSubtree(IPAddress(ipv4_constraint_CIDR_17_bytes)), 2181 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2182 }, 2183 { ByteString(), IPAddress(ipv4_other_addr_bytes), 2184 GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)), 2185 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2186 }, 2187 { // XXX(bug 1089430): We don't reject this even though it is weird. 2188 ByteString(), IPAddress(ipv4_addr_bytes), 2189 GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bad_addr_bytes)), 2190 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2191 }, 2192 { // XXX(bug 1089430): We don't reject this even though it is weird. 2193 ByteString(), IPAddress(ipv4_other_addr_bytes), 2194 GeneralSubtree(IPAddress(ipv4_constraint_bad_mask_bytes)), 2195 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2196 }, 2197 2198 // IPv6 Subnets 2199 { ByteString(), IPAddress(ipv6_addr_bytes), 2200 GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)), 2201 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2202 }, 2203 { ByteString(), IPAddress(ipv6_other_addr_bytes), 2204 GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)), 2205 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2206 }, 2207 { // XXX(bug 1089430): We don't reject this even though it is weird. 2208 ByteString(), IPAddress(ipv6_addr_bytes), 2209 GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bad_addr_bytes)), 2210 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2211 }, 2212 { // XXX(bug 1089430): We don't reject this even though it is weird. 2213 ByteString(), IPAddress(ipv6_other_addr_bytes), 2214 GeneralSubtree(IPAddress(ipv6_constraint_bad_mask_bytes)), 2215 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2216 }, 2217 2218 // Malformed presented IP addresses and constraints 2219 2220 { // The presented IPv4 address is empty 2221 ByteString(), IPAddress(), 2222 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2223 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2224 }, 2225 { // The presented IPv4 address is truncated 2226 ByteString(), IPAddress(ipv4_addr_truncated_bytes), 2227 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2228 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2229 }, 2230 { // The presented IPv4 address is too long 2231 ByteString(), IPAddress(ipv4_addr_overlong_bytes), 2232 GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)), 2233 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2234 }, 2235 { // The presented IPv4 constraint is empty 2236 ByteString(), IPAddress(ipv4_addr_bytes), 2237 GeneralSubtree(IPAddress()), 2238 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2239 }, 2240 { // The presented IPv4 constraint is truncated 2241 ByteString(), IPAddress(ipv4_addr_bytes), 2242 GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)), 2243 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2244 }, 2245 { // The presented IPv4 constraint is too long 2246 ByteString(), IPAddress(ipv4_addr_bytes), 2247 GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)), 2248 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2249 }, 2250 { // The presented IPv6 address is empty 2251 ByteString(), IPAddress(), 2252 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2253 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2254 }, 2255 { // The presented IPv6 address is truncated 2256 ByteString(), IPAddress(ipv6_addr_truncated_bytes), 2257 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2258 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2259 }, 2260 { // The presented IPv6 address is too long 2261 ByteString(), IPAddress(ipv6_addr_overlong_bytes), 2262 GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)), 2263 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2264 }, 2265 { // The presented IPv6 constraint is empty 2266 ByteString(), IPAddress(ipv6_addr_bytes), 2267 GeneralSubtree(IPAddress()), 2268 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2269 }, 2270 { // The presented IPv6 constraint is truncated 2271 ByteString(), IPAddress(ipv6_addr_bytes), 2272 GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)), 2273 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2274 }, 2275 { // The presented IPv6 constraint is too long 2276 ByteString(), IPAddress(ipv6_addr_bytes), 2277 GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)), 2278 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2279 }, 2280 2281 ///////////////////////////////////////////////////////////////////////////// 2282 // XXX: We don't reject malformed name constraints when there are no names of 2283 // that type. 2284 { ByteString(), NO_SAN, GeneralSubtree(DNSName("!")), 2285 Success, Success 2286 }, 2287 { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv4_addr_overlong_bytes)), 2288 Success, Success 2289 }, 2290 { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv6_addr_overlong_bytes)), 2291 Success, Success 2292 }, 2293 { ByteString(), NO_SAN, GeneralSubtree(RFC822Name("\0")), 2294 Success, Success 2295 }, 2296 2297 ///////////////////////////////////////////////////////////////////////////// 2298 // Basic CN-ID DNSName constraint tests. 2299 2300 { // Empty Name is ignored for DNSName constraints. 2301 ByteString(), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2302 Success, Success 2303 }, 2304 { // Empty CN is ignored for DNSName constraints because it isn't a 2305 // syntactically-valid DNSName. 2306 // 2307 // NSS gives different results. 2308 RDN(CN("")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2309 Success, Success 2310 }, 2311 { // IP Address is ignored for DNSName constraints. 2312 // 2313 // NSS gives different results. 2314 RDN(CN("1.2.3.4")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2315 Success, Success 2316 }, 2317 { // OU has something that looks like a dNSName that matches. 2318 RDN(OU("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2319 Success, Success 2320 }, 2321 { // OU has something that looks like a dNSName that does not match. 2322 RDN(OU("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2323 Success, Success 2324 }, 2325 { // NSS gives different results. 2326 RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2327 Success, Success 2328 }, 2329 { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2330 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2331 }, 2332 { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2333 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2334 }, 2335 { // DNSName CN-ID match is detected when there is a SAN w/o any DNSName or 2336 // IPAddress 2337 RDN(CN("a.example.com")), RFC822Name("foo@example.com"), 2338 GeneralSubtree(DNSName("a.example.com")), 2339 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2340 }, 2341 { // DNSName CN-ID mismatch is detected when there is a SAN w/o any DNSName 2342 // or IPAddress 2343 RDN(CN("a.example.com")), RFC822Name("foo@example.com"), 2344 GeneralSubtree(DNSName("b.example.com")), 2345 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2346 }, 2347 { // DNSName CN-ID match not reported when there is a DNSName SAN 2348 RDN(CN("a.example.com")), DNSName("b.example.com"), 2349 GeneralSubtree(DNSName("a.example.com")), 2350 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2351 }, 2352 { // DNSName CN-ID mismatch not reported when there is a DNSName SAN 2353 RDN(CN("a.example.com")), DNSName("b.example.com"), 2354 GeneralSubtree(DNSName("b.example.com")), 2355 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE, 2356 }, 2357 { // DNSName CN-ID match not reported when there is an IPAddress SAN 2358 RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes), 2359 GeneralSubtree(DNSName("a.example.com")), 2360 Success, Success 2361 }, 2362 { // DNSName CN-ID mismatch not reported when there is an IPAddress SAN 2363 RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes), 2364 GeneralSubtree(DNSName("b.example.com")), 2365 Success, Success 2366 }, 2367 2368 { // IPAddress CN-ID match is detected when there is a SAN w/o any DNSName or 2369 // IPAddress 2370 RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"), 2371 GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)), 2372 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2373 }, 2374 { // IPAddress CN-ID mismatch is detected when there is a SAN w/o any DNSName 2375 // or IPAddress 2376 RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"), 2377 GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)), 2378 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2379 }, 2380 { // IPAddress CN-ID match not reported when there is a DNSName SAN 2381 RDN(CN(ipv4_addr_str)), DNSName("b.example.com"), 2382 GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)), 2383 Success, Success 2384 }, 2385 { // IPAddress CN-ID mismatch not reported when there is a DNSName SAN 2386 RDN(CN(ipv4_addr_str)), DNSName("b.example.com"), 2387 GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)), 2388 Success, Success 2389 }, 2390 { // IPAddress CN-ID match not reported when there is an IPAddress SAN 2391 RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes), 2392 GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)), 2393 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2394 }, 2395 { // IPAddress CN-ID mismatch not reported when there is an IPAddress SAN 2396 RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes), 2397 GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)), 2398 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2399 }, 2400 2401 ///////////////////////////////////////////////////////////////////////////// 2402 // Test that constraints are applied to the most specific (last) CN, and only 2403 // that CN-ID. 2404 2405 { // Name constraint only matches a.example.com, but the most specific CN 2406 // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.) 2407 RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN, 2408 GeneralSubtree(DNSName("a.example.com")), 2409 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2410 }, 2411 { // Name constraint only matches a.example.com, but the most specific CN 2412 // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.) 2413 RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN, 2414 GeneralSubtree(DNSName("a.example.com")), 2415 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success 2416 }, 2417 { // Name constraint only permits b.example.com, and the most specific CN 2418 // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.) 2419 RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN, 2420 GeneralSubtree(DNSName("b.example.com")), 2421 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2422 }, 2423 { // Name constraint only permits b.example.com, and the most specific CN 2424 // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.) 2425 RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN, 2426 GeneralSubtree(DNSName("b.example.com")), 2427 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2428 }, 2429 2430 ///////////////////////////////////////////////////////////////////////////// 2431 // Additional RFC822 name constraint tests. There are more tests regarding 2432 // the DNSName part of the constraint mixed into the DNSName constraint 2433 // tests. 2434 2435 { ByteString(), RFC822Name("a@example.com"), 2436 GeneralSubtree(RFC822Name("a@example.com")), 2437 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2438 }, 2439 2440 // Bug 1056773: name constraints that omit Local-part but include '@' are 2441 // invalid. 2442 { ByteString(), RFC822Name("a@example.com"), 2443 GeneralSubtree(RFC822Name("@example.com")), 2444 Result::ERROR_BAD_DER, 2445 Result::ERROR_BAD_DER 2446 }, 2447 { ByteString(), RFC822Name("@example.com"), 2448 GeneralSubtree(RFC822Name("@example.com")), 2449 Result::ERROR_BAD_DER, 2450 Result::ERROR_BAD_DER 2451 }, 2452 { ByteString(), RFC822Name("example.com"), 2453 GeneralSubtree(RFC822Name("@example.com")), 2454 Result::ERROR_BAD_DER, 2455 Result::ERROR_BAD_DER 2456 }, 2457 { ByteString(), RFC822Name("a@mail.example.com"), 2458 GeneralSubtree(RFC822Name("a@*.example.com")), 2459 Result::ERROR_BAD_DER, 2460 Result::ERROR_BAD_DER 2461 }, 2462 { ByteString(), RFC822Name("a@*.example.com"), 2463 GeneralSubtree(RFC822Name(".example.com")), 2464 Result::ERROR_BAD_DER, 2465 Result::ERROR_BAD_DER 2466 }, 2467 { ByteString(), RFC822Name("@example.com"), 2468 GeneralSubtree(RFC822Name(".example.com")), 2469 Result::ERROR_BAD_DER, 2470 Result::ERROR_BAD_DER 2471 }, 2472 { ByteString(), RFC822Name("@a.example.com"), 2473 GeneralSubtree(RFC822Name(".example.com")), 2474 Result::ERROR_BAD_DER, 2475 Result::ERROR_BAD_DER 2476 }, 2477 2478 ///////////////////////////////////////////////////////////////////////////// 2479 // Test name constraints with underscores. 2480 // 2481 { ByteString(), DNSName("uses_underscore.example.com"), 2482 GeneralSubtree(DNSName("uses_underscore.example.com")), 2483 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2484 }, 2485 { ByteString(), DNSName("uses_underscore.example.com"), 2486 GeneralSubtree(DNSName("example.com")), 2487 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2488 }, 2489 { ByteString(), DNSName("a.uses_underscore.example.com"), 2490 GeneralSubtree(DNSName("uses_underscore.example.com")), 2491 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2492 }, 2493 { ByteString(), RFC822Name("a@uses_underscore.example.com"), 2494 GeneralSubtree(RFC822Name("uses_underscore.example.com")), 2495 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2496 }, 2497 { ByteString(), RFC822Name("uses_underscore@example.com"), 2498 GeneralSubtree(RFC822Name("example.com")), 2499 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2500 }, 2501 { ByteString(), RFC822Name("a@a.uses_underscore.example.com"), 2502 GeneralSubtree(RFC822Name(".uses_underscore.example.com")), 2503 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2504 }, 2505 2506 ///////////////////////////////////////////////////////////////////////////// 2507 // Name constraint tests that relate to having an empty SAN. According to RFC 2508 // 5280 this isn't valid, but we allow it for compatibility reasons (see bug 2509 // 1143085). 2510 { // For DNSNames, we fall back to the subject CN. 2511 RDN(CN("a.example.com")), ByteString(), 2512 GeneralSubtree(DNSName("a.example.com")), 2513 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2514 }, 2515 { // For RFC822Names, we do not fall back to the subject emailAddress. 2516 // This new implementation seems to conform better to the standards for 2517 // RFC822 name constraints, by only applying the name constraints to 2518 // emailAddress names in the certificate subject if there is no 2519 // subjectAltName extension in the cert. 2520 // In this case, the presence of the (empty) SAN extension means that RFC822 2521 // name constraints are not enforced on the emailAddress attributes of the 2522 // subject. 2523 RDN(emailAddress("a@example.com")), ByteString(), 2524 GeneralSubtree(RFC822Name("a@example.com")), 2525 Success, Success 2526 }, 2527 { // Compare this to the case where there is no SAN (i.e. the name 2528 // constraints are enforced, because the extension is not present at all). 2529 RDN(emailAddress("a@example.com")), NO_SAN, 2530 GeneralSubtree(RFC822Name("a@example.com")), 2531 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2532 }, 2533 2534 ///////////////////////////////////////////////////////////////////////////// 2535 // DirectoryName name constraint tests 2536 2537 { // One AVA per RDN 2538 RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN, 2539 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) + 2540 RDN(CN("example.com"))))), 2541 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2542 }, 2543 { // RDNs can have multiple AVAs. 2544 RDN(OU("Example Organization") + CN("example.com")), NO_SAN, 2545 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") + 2546 CN("example.com"))))), 2547 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2548 }, 2549 { // The constraint is a prefix of the subject DN. 2550 RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN, 2551 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))), 2552 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2553 }, 2554 { // The name constraint is not a prefix of the subject DN. 2555 // Note that for excludedSubtrees, we simply prohibit any non-empty 2556 // directoryName constraint to ensure we are not being too lenient. 2557 RDN(OU("Other Example Organization")) + RDN(CN("example.com")), NO_SAN, 2558 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) + 2559 RDN(CN("example.com"))))), 2560 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2561 }, 2562 { // Same as the previous one, but one RDN with multiple AVAs. 2563 RDN(OU("Other Example Organization") + CN("example.com")), NO_SAN, 2564 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") + 2565 CN("example.com"))))), 2566 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2567 }, 2568 { // With multiple AVAs per RDN in the subject DN, the constraint is not a 2569 // prefix of the subject DN. 2570 RDN(OU("Example Organization") + CN("example.com")), NO_SAN, 2571 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))), 2572 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2573 }, 2574 { // The subject DN RDN has multiple AVAs, but the name constraint has only 2575 // one AVA per RDN. 2576 RDN(OU("Example Organization") + CN("example.com")), NO_SAN, 2577 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) + 2578 RDN(CN("example.com"))))), 2579 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2580 }, 2581 { // The name constraint RDN has multiple AVAs, but the subject DN has only 2582 // one AVA per RDN. 2583 RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN, 2584 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") + 2585 CN("example.com"))))), 2586 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2587 }, 2588 { // In this case, the constraint uses a different encoding from the subject. 2589 // We consider them to match because we allow UTF8String and 2590 // PrintableString to compare equal when their contents are equal. 2591 RDN(OU("Example Organization", der::UTF8String)) + RDN(CN("example.com")), 2592 NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization", 2593 der::PrintableString)) + 2594 RDN(CN("example.com"))))), 2595 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2596 }, 2597 { // Same as above, but with UTF8String/PrintableString switched. 2598 RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")), 2599 NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization", 2600 der::UTF8String)) + 2601 RDN(CN("example.com"))))), 2602 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2603 }, 2604 { // If the contents aren't the same, then they shouldn't match. 2605 RDN(OU("Other Example Organization", der::UTF8String)) + RDN(CN("example.com")), 2606 NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization", 2607 der::PrintableString)) + 2608 RDN(CN("example.com"))))), 2609 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2610 }, 2611 { // Only UTF8String and PrintableString are considered equivalent. 2612 RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")), 2613 NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization", 2614 der::TeletexString)) + 2615 RDN(CN("example.com"))))), 2616 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2617 }, 2618 // Some additional tests for completeness: 2619 // Ensure that wildcards are handled: 2620 { RDN(CN("*.example.com")), NO_SAN, GeneralSubtree(DNSName("example.com")), 2621 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2622 }, 2623 { ByteString(), DNSName("*.example.com"), 2624 GeneralSubtree(DNSName("example.com")), 2625 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2626 }, 2627 { ByteString(), DNSName("www.example.com"), 2628 GeneralSubtree(DNSName("*.example.com")), 2629 Result::ERROR_BAD_DER, Result::ERROR_BAD_DER 2630 }, 2631 // Handle multiple name constraint entries: 2632 { RDN(CN("example.com")), NO_SAN, 2633 GeneralSubtree(DNSName("example.org")) + 2634 GeneralSubtree(DNSName("example.com")), 2635 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2636 }, 2637 { ByteString(), DNSName("example.com"), 2638 GeneralSubtree(DNSName("example.org")) + 2639 GeneralSubtree(DNSName("example.com")), 2640 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2641 }, 2642 // Handle multiple names in subject alternative name extension: 2643 { ByteString(), DNSName("example.com") + DNSName("example.org"), 2644 GeneralSubtree(DNSName("example.com")), 2645 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2646 }, 2647 // Handle a mix of DNSName and DirectoryName: 2648 { RDN(OU("Example Organization")), DNSName("example.com"), 2649 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) + 2650 GeneralSubtree(DNSName("example.com")), 2651 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2652 }, 2653 { RDN(OU("Other Example Organization")), DNSName("example.com"), 2654 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) + 2655 GeneralSubtree(DNSName("example.com")), 2656 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2657 }, 2658 { RDN(OU("Example Organization")), DNSName("example.org"), 2659 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) + 2660 GeneralSubtree(DNSName("example.com")), 2661 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2662 }, 2663 // Handle a certificate with no DirectoryName: 2664 { ByteString(), DNSName("example.com"), 2665 GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))), 2666 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2667 }, 2668 }; 2669 2670 class pkixnames_CheckNameConstraints 2671 : public ::testing::Test 2672 , public ::testing::WithParamInterface<NameConstraintParams> 2673 { 2674 public: 2675 DefaultNameMatchingPolicy mNameMatchingPolicy; 2676 }; 2677 2678 TEST_P(pkixnames_CheckNameConstraints, 2679 NameConstraintsEnforcedForDirectlyIssuedEndEntity) 2680 { 2681 // Test that name constraints are enforced on a certificate directly issued by 2682 // a certificate with the given name constraints. 2683 2684 const NameConstraintParams& param(GetParam()); 2685 2686 ByteString certDER(CreateCert(param.subject, param.subjectAltName)); 2687 ASSERT_FALSE(ENCODING_FAILED(certDER)); 2688 Input certInput; 2689 ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length())); 2690 BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr); 2691 ASSERT_EQ(Success, cert.Init()); 2692 2693 { 2694 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2695 PermittedSubtrees(param.subtrees))); 2696 Input nameConstraints; 2697 ASSERT_EQ(Success, 2698 nameConstraints.Init(nameConstraintsDER.data(), 2699 nameConstraintsDER.length())); 2700 ASSERT_EQ(param.expectedPermittedSubtreesResult, 2701 CheckNameConstraints(nameConstraints, cert, 2702 KeyPurposeId::id_kp_serverAuth)); 2703 } 2704 { 2705 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2706 ExcludedSubtrees(param.subtrees))); 2707 Input nameConstraints; 2708 ASSERT_EQ(Success, 2709 nameConstraints.Init(nameConstraintsDER.data(), 2710 nameConstraintsDER.length())); 2711 ASSERT_EQ(param.expectedExcludedSubtreesResult, 2712 CheckNameConstraints(nameConstraints, cert, 2713 KeyPurposeId::id_kp_serverAuth)); 2714 } 2715 { 2716 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2717 PermittedSubtrees(param.subtrees) + 2718 ExcludedSubtrees(param.subtrees))); 2719 Input nameConstraints; 2720 ASSERT_EQ(Success, 2721 nameConstraints.Init(nameConstraintsDER.data(), 2722 nameConstraintsDER.length())); 2723 ASSERT_EQ((param.expectedPermittedSubtreesResult == 2724 param.expectedExcludedSubtreesResult) 2725 ? param.expectedExcludedSubtreesResult 2726 : Result::ERROR_CERT_NOT_IN_NAME_SPACE, 2727 CheckNameConstraints(nameConstraints, cert, 2728 KeyPurposeId::id_kp_serverAuth)); 2729 } 2730 } 2731 2732 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckNameConstraints, 2733 pkixnames_CheckNameConstraints, 2734 testing::ValuesIn(NAME_CONSTRAINT_PARAMS)); 2735 2736 // The |subjectAltName| param is not used for these test cases (hence the use of 2737 // "NO_SAN"). 2738 static const NameConstraintParams NO_FALLBACK_NAME_CONSTRAINT_PARAMS[] = 2739 { 2740 // The only difference between end-entities being verified for serverAuth and 2741 // intermediates or end-entities being verified for other uses is that for 2742 // the latter cases, there is no fallback matching of DNSName entries to the 2743 // subject common name. 2744 { RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2745 Success, Success 2746 }, 2747 { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2748 Success, Success 2749 }, 2750 { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")), 2751 Success, Success 2752 }, 2753 // Sanity-check that name constraints are in fact enforced in these cases. 2754 { RDN(CN("Example Name")), NO_SAN, 2755 GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))), 2756 Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2757 }, 2758 // (In this implementation, if a DirectoryName is in excludedSubtrees, nothing 2759 // is considered to be in the name space.) 2760 { RDN(CN("Other Example Name")), NO_SAN, 2761 GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))), 2762 Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE 2763 }, 2764 }; 2765 2766 class pkixnames_CheckNameConstraintsOnIntermediate 2767 : public ::testing::Test 2768 , public ::testing::WithParamInterface<NameConstraintParams> 2769 { 2770 }; 2771 2772 TEST_P(pkixnames_CheckNameConstraintsOnIntermediate, 2773 NameConstraintsEnforcedOnIntermediate) 2774 { 2775 // Test that name constraints are enforced on an intermediate certificate 2776 // directly issued by a certificate with the given name constraints. 2777 2778 const NameConstraintParams& param(GetParam()); 2779 2780 ByteString certDER(CreateCert(param.subject, NO_SAN, 2781 EndEntityOrCA::MustBeCA)); 2782 ASSERT_FALSE(ENCODING_FAILED(certDER)); 2783 Input certInput; 2784 ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length())); 2785 BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr); 2786 ASSERT_EQ(Success, cert.Init()); 2787 2788 { 2789 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2790 PermittedSubtrees(param.subtrees))); 2791 Input nameConstraints; 2792 ASSERT_EQ(Success, 2793 nameConstraints.Init(nameConstraintsDER.data(), 2794 nameConstraintsDER.length())); 2795 ASSERT_EQ(param.expectedPermittedSubtreesResult, 2796 CheckNameConstraints(nameConstraints, cert, 2797 KeyPurposeId::id_kp_serverAuth)); 2798 } 2799 { 2800 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2801 ExcludedSubtrees(param.subtrees))); 2802 Input nameConstraints; 2803 ASSERT_EQ(Success, 2804 nameConstraints.Init(nameConstraintsDER.data(), 2805 nameConstraintsDER.length())); 2806 ASSERT_EQ(param.expectedExcludedSubtreesResult, 2807 CheckNameConstraints(nameConstraints, cert, 2808 KeyPurposeId::id_kp_serverAuth)); 2809 } 2810 { 2811 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2812 PermittedSubtrees(param.subtrees) + 2813 ExcludedSubtrees(param.subtrees))); 2814 Input nameConstraints; 2815 ASSERT_EQ(Success, 2816 nameConstraints.Init(nameConstraintsDER.data(), 2817 nameConstraintsDER.length())); 2818 ASSERT_EQ(param.expectedExcludedSubtreesResult, 2819 CheckNameConstraints(nameConstraints, cert, 2820 KeyPurposeId::id_kp_serverAuth)); 2821 } 2822 } 2823 2824 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckNameConstraintsOnIntermediate, 2825 pkixnames_CheckNameConstraintsOnIntermediate, 2826 testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS)); 2827 2828 class pkixnames_CheckNameConstraintsForNonServerAuthUsage 2829 : public ::testing::Test 2830 , public ::testing::WithParamInterface<NameConstraintParams> 2831 { 2832 }; 2833 2834 TEST_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage, 2835 NameConstraintsEnforcedForNonServerAuthUsage) 2836 { 2837 // Test that for key purposes other than serverAuth, fallback to the subject 2838 // common name does not occur. 2839 2840 const NameConstraintParams& param(GetParam()); 2841 2842 ByteString certDER(CreateCert(param.subject, NO_SAN)); 2843 ASSERT_FALSE(ENCODING_FAILED(certDER)); 2844 Input certInput; 2845 ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length())); 2846 BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr); 2847 ASSERT_EQ(Success, cert.Init()); 2848 2849 { 2850 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2851 PermittedSubtrees(param.subtrees))); 2852 Input nameConstraints; 2853 ASSERT_EQ(Success, 2854 nameConstraints.Init(nameConstraintsDER.data(), 2855 nameConstraintsDER.length())); 2856 ASSERT_EQ(param.expectedPermittedSubtreesResult, 2857 CheckNameConstraints(nameConstraints, cert, 2858 KeyPurposeId::id_kp_clientAuth)); 2859 } 2860 { 2861 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2862 ExcludedSubtrees(param.subtrees))); 2863 Input nameConstraints; 2864 ASSERT_EQ(Success, 2865 nameConstraints.Init(nameConstraintsDER.data(), 2866 nameConstraintsDER.length())); 2867 ASSERT_EQ(param.expectedExcludedSubtreesResult, 2868 CheckNameConstraints(nameConstraints, cert, 2869 KeyPurposeId::id_kp_clientAuth)); 2870 } 2871 { 2872 ByteString nameConstraintsDER(TLV(der::SEQUENCE, 2873 PermittedSubtrees(param.subtrees) + 2874 ExcludedSubtrees(param.subtrees))); 2875 Input nameConstraints; 2876 ASSERT_EQ(Success, 2877 nameConstraints.Init(nameConstraintsDER.data(), 2878 nameConstraintsDER.length())); 2879 ASSERT_EQ(param.expectedExcludedSubtreesResult, 2880 CheckNameConstraints(nameConstraints, cert, 2881 KeyPurposeId::id_kp_clientAuth)); 2882 } 2883 } 2884 2885 INSTANTIATE_TEST_SUITE_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage, 2886 pkixnames_CheckNameConstraintsForNonServerAuthUsage, 2887 testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));