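--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+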
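Review bot: The scenario pins a CN outside the constraints with a SAN inside them (server11, `result pass`) but has no mirror case, a CN inside the permitted names with an altDNS outside them, which is the combination a verifier most needs to reject because the SAN is the name relying parties match; a further `verify` entry with `result fail` under `NameConstraints.intermediate4:x` would cover it. The last two entries (`dcissblocked`, `dcissallowed`) carry no `# Fail:`/`# Pass:` reason and no `cert` line, so the file does not say which constraint tied to the imported `NameConstraints.dcisscopy` anchor makes `foo.example.com` fail and `foo.example.fr` pass; a line such as `# Fail: .com is outside the name constraints applied to dcisscopy` would document it, assuming that is the intent. The comments on server13 and server14 refer to "Intermediate 5's name constraints" although Intermediate 5 is described as having none, so they presumably mean its subject and could say `# Fail: Org matches Intermediate 5's subject, but not Intermediate 3's name constraints`. The comment placed between the `ncca` and `dcisscopy` imports reads as if it described the import below it; moving it above `import NameConstraints.ncca:x:CT,C,C` would remove the ambiguity.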