security/manager/ssl/tests/unit/test_name_constraints.js

changeset 0
6474c204b198
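--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,286 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+function certFromFile(filename) {
+  let der = readFile(do_get_file("test_name_constraints/" + filename, false));
+  return certdb.constructX509(der, der.length);
+}
+
+function load_cert(cert_name, trust_string) {
+  var cert_filename = cert_name + ".der";
+  addCertFromFile(certdb, "test_name_constraints/" + cert_filename, trust_string);
+  return certFromFile(cert_filename);
+}
+
+function check_cert_err_generic(cert, expected_error, usage) {
+  do_print("cert cn=" + cert.commonName);
+  do_print("cert issuer cn=" + cert.issuerCommonName);
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage,
+                                   NO_FLAGS, verifiedChain, hasEVPolicy);
+  do_check_eq(error,  expected_error);
+}
+
+function check_cert_err(cert, expected_error) {
+  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
+}
+
+function check_ok(x) {
+  return check_cert_err(x, 0);
+}
+
+function check_ok_ca (x) {
+  return check_cert_err_generic(x, 0, certificateUsageSSLCA);
+}
+
+function check_fail(x) {
+  return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+}
+
+function check_fail_ca(x) {
+  return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
+}
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+
+  // Note that CN is only looked at when there is NO subjectAltName!
+
+  // Testing with a unconstrained root, and intermediate constrained to PERMIT
+  // foo.com. All failures on this section are doe to the cert DNS names
+  // not being under foo.com.
+  check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
+  // no dirName
+  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  // multiple subjectAltnames
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
+  // C=US O=bar
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
+  // multiple subjectAltnames
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
+
+  // Testing with an unconstrained root and intermediate constrained to
+  // EXCLUDE DNS:example.com. All failures on this section are due to the cert
+  // DNS names containing example.com. The dirname does not affect evaluation.
+  check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
+  // no dirName
+  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  // notice that since the name constrains apply to the dns name the cn is not
+  // evaluated in the case where a subjectAltName exists. Thus the next case is
+  // correctly passing.
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  // multiple subjectAltnames
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
+  // C=US O=bar
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
+
+  // Testing with an unconstrained root, and intermediate constrained to
+  // permitting dirName:C=US. All failures on this section are due to cert
+  // name not being C=US.
+  check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
+
+  // Testing with an unconstrained root, and intermediate constrained to
+  // permitting dirNAME:C=US that issues an intermediate name constrained to
+  // permitting DNS:foo.com. Checks for inheritance and intersection of
+  // different name constraints.
+  check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
+
+  // Testing on a non constrainted root an intermediate name contrainted to
+  // permited dirNAME:C=US and  permited DNS:foo.com
+  // checks for compostability of different name constraints with same cert
+  check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc' , ',,'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  // next check is ok as there is an altname and thus the name constraints do
+  // not apply to the common name
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
+
+  // Testing on an unconstrained root and an intermediate name constrained to
+  // permitted dirNAME: C=UK all but the intermeduate should fail because they
+  // dont have C=UK (missing or C=US)
+  check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
+  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
+
+  // Testing on an unconstrained root and an intermediate name constrained to
+  // permitted dirNAME: C=UK and an unconstrained intermediate that contains
+  // dirNAME C=US. EE and and Intermediates should fail
+  check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
+  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
+
+  // Testing on an unconstrained root and an intermediate name constrained to
+  // permitted DNS: foo.com and permitted: DNS: a.us
+  check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
+  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
+
+  // Testing on an unconstrained root and an intermediate name constrained to
+  // permitted DNS: foo.com and permitted: DNS:a.us that issues an intermediate
+  // permitted DNS: foo.com .
+  // Goal is to ensure that the stricter (inner) name constraint ins enforced.
+  // The multi-subject alt should fail and is the difference from the sets of
+  // tests above.
+  check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
+  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
+
+  // Testing on a root name constrainted to DNS:foo.com and an unconstrained
+  // intermediate.
+  // Checks that root constraints are enforced.
+  check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
+  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
+  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
+  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
+
+  // We don't enforce dNSName name constraints on CN unless we're validating
+  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
+  // NSS get it right.
+  {
+    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
+    check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
+    check_cert_err_generic(cert, 0, certificateUsageSSLClient);
+  }
+
+  // DCISS tests
+  // The certs used here were generated by the NSS test suite and are
+  // originally located as security/nss/tests/libpkix/cert/
+  load_cert("dcisscopy", "C,C,C");
+  check_ok(certFromFile('NameConstraints.dcissallowed.cert'));
+  check_fail(certFromFile('NameConstraints.dcissblocked.cert'));
+}
+
+function run_test() {
+  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
+  load_cert("ca-nc", "CTu,CTu,CTu");
+
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}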
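Review bot: Every dNSName fixture loaded in `run_test_in_mode` is either under a constrained name (`foo.com`, `a.us`) or in an unrelated domain (`foo.org`), so, judging by the file names alone, nothing pins the label-boundary behaviour of the match: a name that only ends in the permitted or excluded string without being a subdomain of it. One such fixture in the permitted section and one in the excluded section would catch a verifier that compares by plain suffix. Separately, the comment above the `int-nc-excl-foo.com-ca-nc` section says the intermediate excludes `DNS:example.com`, while every fixture and expected result in that section is about `foo.com`; I would reword it to `// EXCLUDE DNS:foo.com. All failures in this section are due to the cert DNS names being under foo.com.` Finally, `check_cert_err_generic` fills `verifiedChain` but never inspects it, so a pass confirms the error code only and not that the path went through the intermediate named in the fixture; a short comment saying the chain is deliberately unchecked, or an assertion on it, would make that explicit.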
