nameconstraints.cfg (6600B)
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

scenario TrustAnchors

db trustanchors

import NameConstraints.ca:x:CT,C,C
# Name Constrained CA: Name constrained to permitted DNSName ".example"
import NameConstraints.ncca:x:CT,C,C
import NameConstraints.dcisscopy:x:CT,C,C
import NameConstraints.ipaca:x:CT,C,C

# Intermediate 1: Name constrained to permitted DNSName ".example"

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
# altDNS: test.invalid
# Fail: CN not in name constraints, altDNS not in name constraints
verify NameConstraints.server1:x
cert NameConstraints.intermediate:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
# Fail: CN not in name constraints
verify NameConstraints.server2:x
cert NameConstraints.intermediate:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
# altDNS: test.example
verify NameConstraints.server3:x
cert NameConstraints.intermediate:x
result pass

# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
# altDNS: test.invalid
# Fail: CN not in name constraints, altDNS not in name constraints
verify NameConstraints.server4:x
cert NameConstraints.intermediate2:x
cert NameConstraints.intermediate:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
# Fail: CN not in name constraints
verify NameConstraints.server5:x
cert NameConstraints.intermediate2:x
cert NameConstraints.intermediate:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
# altDNS: test.example
verify NameConstraints.server6:x
cert NameConstraints.intermediate2:x
cert NameConstraints.intermediate:x
result pass

# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
# and a permitted DNSName of "foo.example"

# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
# No name constraints present
# Signed by Intermediate 3 (inherits name constraints)

# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
verify NameConstraints.server7:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result pass

# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
verify NameConstraints.server8:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result pass

# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
# Fail: ST is missing in the DirectoryName, thus not matching name constraints
verify NameConstraints.server9:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result fail

# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
# Fail: CN not in name constraints
verify NameConstraints.server10:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result fail

# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
# altDNS: foo.example
# Pass: Ignores CN constraint name violation because SAN is present
verify NameConstraints.server11:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result pass

# Subject: "C=US, ST=CA, O=Foo, CN=Certified pre-owned"
# Fail: CN does not match DNS name constraints - even though it is not 'DNS shaped'
verify NameConstraints.server12:x
cert NameConstraints.intermediate4:x
cert NameConstraints.intermediate3:x
result fail

# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
# No name constraints present
# Signed by Intermediate 3.
# Intermediate 5's subject is not in Intermediate 3's permitted
# names, so all certs issued by it are invalid.

# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
# Fail: Org matches Intermediate 5's name constraints, but does not match
# Intermediate 3's name constraints
verify NameConstraints.server13:x
cert NameConstraints.intermediate5:x
cert NameConstraints.intermediate3:x
result fail

# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
# Fail: Matches Intermediate 5's name constraints, but fails because
# Intermediate 5 does not match Intermediate 3's name constraints
verify NameConstraints.server14:x
cert NameConstraints.intermediate5:x
cert NameConstraints.intermediate3:x
result fail

# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
# No name constraints present
# Signed by Name Constrained CA (inherits root name constraints)

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
# altDNS: testfoo.invalid
# Fail: CN not in name constraints, altDNS not in name constraints
verify NameConstraints.server15:x
cert NameConstraints.intermediate6:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
# Fail: CN not in name constraints
verify NameConstraints.server16:x
cert NameConstraints.intermediate6:x
result fail

# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
# altDNS: test4.example
verify NameConstraints.server17:x
cert NameConstraints.intermediate6:x
result pass

# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
verify NameConstraints.dcissblocked:x
result fail

# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
verify NameConstraints.dcissallowed:x
result pass

# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
# EKUs: OCSPSigning,ipsecUser
#
# This tests that a non server certificate (i.e. id-kp-serverAuth
# not present in EKU) does *NOT* have CN treated as dnsName for
# purposes of Name Constraints validation (certificateUsageStatusResponder)
# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
verify NameConstraints.ocsp1:x
usage 10
result pass

# This tests that a non server certificate (i.e. id-kp-serverAuth
# not present in EKU) does *NOT* have CN treated as dnsName for
# purposes of Name Constraints validation (certificateUsageIPsec)
verify NameConstraints.ocsp1:x
usage 12
result pass