security/nss/tests/chains/scenarios/nameconstraints.cfg@b8a032363ba2 (annotated)
security/nss/tests/chains/scenarios/nameconstraints.cfg
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | # This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | # License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 4 | |
| michael@0 | 5 | scenario TrustAnchors |
| michael@0 | 6 | |
| michael@0 | 7 | db trustanchors |
| michael@0 | 8 | |
| michael@0 | 9 | import NameConstraints.ca:x:CT,C,C |
| michael@0 | 10 | import NameConstraints.ncca:x:CT,C,C |
| michael@0 | 11 | # Name Constrained CA: Name constrained to permited DNSName ".example" |
| michael@0 | 12 | import NameConstraints.dcisscopy:x:CT,C,C |
| michael@0 | 13 | |
| michael@0 | 14 | # Intermediate 1: Name constrained to permited DNSName ".example" |
| michael@0 | 15 | |
| michael@0 | 16 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" |
| michael@0 | 17 | # altDNS: test.invalid |
| michael@0 | 18 | # Fail: CN not in name constraints, altDNS not in name constraints |
| michael@0 | 19 | verify NameConstraints.server1:x |
| michael@0 | 20 | cert NameConstraints.intermediate:x |
| michael@0 | 21 | result fail |
| michael@0 | 22 | |
| michael@0 | 23 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN |
| michael@0 | 24 | # Fail: CN not in name constraints |
| michael@0 | 25 | verify NameConstraints.server2:x |
| michael@0 | 26 | cert NameConstraints.intermediate:x |
| michael@0 | 27 | result fail |
| michael@0 | 28 | |
| michael@0 | 29 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" |
| michael@0 | 30 | # altDNS: test.example |
| michael@0 | 31 | verify NameConstraints.server3:x |
| michael@0 | 32 | cert NameConstraints.intermediate:x |
| michael@0 | 33 | result pass |
| michael@0 | 34 | |
| michael@0 | 35 | # Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints) |
| michael@0 | 36 | |
| michael@0 | 37 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" |
| michael@0 | 38 | # altDNS: test.invalid |
| michael@0 | 39 | # Fail: CN not in name constraints, altDNS not in name constraints |
| michael@0 | 40 | verify NameConstraints.server4:x |
| michael@0 | 41 | cert NameConstraints.intermediate2:x |
| michael@0 | 42 | cert NameConstraints.intermediate:x |
| michael@0 | 43 | result fail |
| michael@0 | 44 | |
| michael@0 | 45 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN |
| michael@0 | 46 | # Fail: CN not in name constraints |
| michael@0 | 47 | verify NameConstraints.server5:x |
| michael@0 | 48 | cert NameConstraints.intermediate2:x |
| michael@0 | 49 | cert NameConstraints.intermediate:x |
| michael@0 | 50 | result fail |
| michael@0 | 51 | |
| michael@0 | 52 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" |
| michael@0 | 53 | # altDNS: test.example |
| michael@0 | 54 | verify NameConstraints.server6:x |
| michael@0 | 55 | cert NameConstraints.intermediate2:x |
| michael@0 | 56 | cert NameConstraints.intermediate:x |
| michael@0 | 57 | result pass |
| michael@0 | 58 | |
| michael@0 | 59 | # Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3" |
| michael@0 | 60 | # Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo" |
| michael@0 | 61 | # and a permitted DNSName of "foo.example" |
| michael@0 | 62 | |
| michael@0 | 63 | # Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2" |
| michael@0 | 64 | # No name constraints present |
| michael@0 | 65 | # Signed by Intermediate 3 (inherits name constraints) |
| michael@0 | 66 | |
| michael@0 | 67 | # Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN |
| michael@0 | 68 | verify NameConstraints.server7:x |
| michael@0 | 69 | cert NameConstraints.intermediate4:x |
| michael@0 | 70 | cert NameConstraints.intermediate3:x |
| michael@0 | 71 | result pass |
| michael@0 | 72 | |
| michael@0 | 73 | # Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN |
| michael@0 | 74 | verify NameConstraints.server8:x |
| michael@0 | 75 | cert NameConstraints.intermediate4:x |
| michael@0 | 76 | cert NameConstraints.intermediate3:x |
| michael@0 | 77 | result pass |
| michael@0 | 78 | |
| michael@0 | 79 | # Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN |
| michael@0 | 80 | # Fail: ST is missing in the DirectoryName, thus not matching name constraints |
| michael@0 | 81 | verify NameConstraints.server9:x |
| michael@0 | 82 | cert NameConstraints.intermediate4:x |
| michael@0 | 83 | cert NameConstraints.intermediate3:x |
| michael@0 | 84 | result fail |
| michael@0 | 85 | |
| michael@0 | 86 | # Subject: "C=US, ST=CA, O=Foo, CN=bar.example" |
| michael@0 | 87 | # Fail: CN not in name constraints |
| michael@0 | 88 | verify NameConstraints.server10:x |
| michael@0 | 89 | cert NameConstraints.intermediate4:x |
| michael@0 | 90 | cert NameConstraints.intermediate3:x |
| michael@0 | 91 | result fail |
| michael@0 | 92 | |
| michael@0 | 93 | # Subject: "C=US, ST=CA, O=Foo, CN=site.example" |
| michael@0 | 94 | # altDNS:foo.example |
| michael@0 | 95 | # Pass: Ignores CN constraint name violation because SAN is present |
| michael@0 | 96 | verify NameConstraints.server11:x |
| michael@0 | 97 | cert NameConstraints.intermediate4:x |
| michael@0 | 98 | cert NameConstraints.intermediate3:x |
| michael@0 | 99 | result pass |
| michael@0 | 100 | |
| michael@0 | 101 | # Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed" |
| michael@0 | 102 | # Fail: CN does not match DNS name constraints - even though is not 'DNS shaped' |
| michael@0 | 103 | verify NameConstraints.server12:x |
| michael@0 | 104 | cert NameConstraints.intermediate4:x |
| michael@0 | 105 | cert NameConstraints.intermediate3:x |
| michael@0 | 106 | result fail |
| michael@0 | 107 | |
| michael@0 | 108 | # Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2" |
| michael@0 | 109 | # No name constraints present |
| michael@0 | 110 | # Signed by Intermediate 3. |
| michael@0 | 111 | # Intermediate 5's subject is not in Intermediate 3's permitted |
| michael@0 | 112 | # names, so all certs issued by it are invalid. |
| michael@0 | 113 | |
| michael@0 | 114 | # Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example" |
| michael@0 | 115 | # Fail: Org matches Intermediate 5's name constraints, but does not match |
| michael@0 | 116 | # Intermediate 3' name constraints |
| michael@0 | 117 | verify NameConstraints.server13:x |
| michael@0 | 118 | cert NameConstraints.intermediate5:x |
| michael@0 | 119 | cert NameConstraints.intermediate3:x |
| michael@0 | 120 | result fail |
| michael@0 | 121 | |
| michael@0 | 122 | # Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example" |
| michael@0 | 123 | # Fail: Matches Intermediate 5's name constraints, but fails because |
| michael@0 | 124 | # Intermediate 5 does not match Intermediate 3's name constraints |
| michael@0 | 125 | verify NameConstraints.server14:x |
| michael@0 | 126 | cert NameConstraints.intermediate5:x |
| michael@0 | 127 | cert NameConstraints.intermediate3:x |
| michael@0 | 128 | result fail |
| michael@0 | 129 | |
| michael@0 | 130 | # Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6" |
| michael@0 | 131 | # No name constraints present |
| michael@0 | 132 | # Signed by Named Constrained CA (inherits root name constraints) |
| michael@0 | 133 | |
| michael@0 | 134 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid" |
| michael@0 | 135 | # altDNS: testfoo.invalid |
| michael@0 | 136 | # Fail: CN not in name constraints, altDNS not in name constraints |
| michael@0 | 137 | verify NameConstraints.server15:x |
| michael@0 | 138 | cert NameConstraints.intermediate6:x |
| michael@0 | 139 | result fail |
| michael@0 | 140 | |
| michael@0 | 141 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN |
| michael@0 | 142 | # Fail: CN not in name constraints |
| michael@0 | 143 | verify NameConstraints.server16:x |
| michael@0 | 144 | cert NameConstraints.intermediate6:x |
| michael@0 | 145 | result fail |
| michael@0 | 146 | |
| michael@0 | 147 | # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example" |
| michael@0 | 148 | # altDNS: test4.example |
| michael@0 | 149 | verify NameConstraints.server17:x |
| michael@0 | 150 | cert NameConstraints.intermediate6:x |
| michael@0 | 151 | result pass |
| michael@0 | 152 | |
| michael@0 | 153 | # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" |
| michael@0 | 154 | verify NameConstraints.dcissblocked:x |
| michael@0 | 155 | result fail |
| michael@0 | 156 | |
| michael@0 | 157 | # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" |
| michael@0 | 158 | verify NameConstraints.dcissallowed:x |
| michael@0 | 159 | result pass |
| michael@0 | 160 | |
| michael@0 | 161 |
