security/manager/ssl/tests/unit/test_name_constraints.js@b8a032363ba2
security/manager/ssl/tests/unit/test_name_constraints.js
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
8 do_get_profile(); // must be called before getting nsIX509CertDB
9 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
10 .getService(Ci.nsIX509CertDB);
12 function certFromFile(filename) {
13 let der = readFile(do_get_file("test_name_constraints/" + filename, false));
14 return certdb.constructX509(der, der.length);
15 }
17 function load_cert(cert_name, trust_string) {
18 var cert_filename = cert_name + ".der";
19 addCertFromFile(certdb, "test_name_constraints/" + cert_filename, trust_string);
20 return certFromFile(cert_filename);
21 }
23 function check_cert_err_generic(cert, expected_error, usage) {
24 do_print("cert cn=" + cert.commonName);
25 do_print("cert issuer cn=" + cert.issuerCommonName);
26 let hasEVPolicy = {};
27 let verifiedChain = {};
28 let error = certdb.verifyCertNow(cert, usage,
29 NO_FLAGS, verifiedChain, hasEVPolicy);
30 do_check_eq(error, expected_error);
31 }
33 function check_cert_err(cert, expected_error) {
34 check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
35 }
37 function check_ok(x) {
38 return check_cert_err(x, 0);
39 }
41 function check_ok_ca (x) {
42 return check_cert_err_generic(x, 0, certificateUsageSSLCA);
43 }
45 function check_fail(x) {
46 return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
47 }
49 function check_fail_ca(x) {
50 return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
51 }
53 function run_test_in_mode(useMozillaPKIX) {
54 Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
56 // Note that CN is only looked at when there is NO subjectAltName!
58 // Testing with a unconstrained root, and intermediate constrained to PERMIT
59 // foo.com. All failures on this section are doe to the cert DNS names
60 // not being under foo.com.
61 check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
62 // no dirName
63 check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc.der'));
64 check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'));
65 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
66 check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
67 check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
68 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
69 // multiple subjectAltnames
70 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
71 // C=US O=bar
72 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
73 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
74 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
75 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
76 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
77 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
78 // multiple subjectAltnames
79 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
81 // Testing with an unconstrained root and intermediate constrained to
82 // EXCLUDE DNS:example.com. All failures on this section are due to the cert
83 // DNS names containing example.com. The dirname does not affect evaluation.
84 check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
85 // no dirName
86 check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc.der'));
87 check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc.der'));
88 // notice that since the name constrains apply to the dns name the cn is not
89 // evaluated in the case where a subjectAltName exists. Thus the next case is
90 // correctly passing.
91 check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
92 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
93 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
94 check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
95 // multiple subjectAltnames
96 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
97 // C=US O=bar
98 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
99 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
100 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
101 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
102 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
103 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
104 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
106 // Testing with an unconstrained root, and intermediate constrained to
107 // permitting dirName:C=US. All failures on this section are due to cert
108 // name not being C=US.
109 check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
110 check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc.der'));
111 check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc.der'));
112 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.der'));
113 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.der'));
114 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.der'));
115 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.der'));
116 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
117 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.der'));
118 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.der'));
119 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
120 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
121 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
122 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
123 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
125 // Testing with an unconstrained root, and intermediate constrained to
126 // permitting dirNAME:C=US that issues an intermediate name constrained to
127 // permitting DNS:foo.com. Checks for inheritance and intersection of
128 // different name constraints.
129 check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
130 check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
131 check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
132 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
133 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
134 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
135 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
136 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
137 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
138 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
139 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
140 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
141 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
142 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
143 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
145 // Testing on a non constrainted root an intermediate name contrainted to
146 // permited dirNAME:C=US and permited DNS:foo.com
147 // checks for compostability of different name constraints with same cert
148 check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc' , ',,'));
149 check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
150 check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
151 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
152 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
153 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
154 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
155 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
156 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
157 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
158 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
159 // next check is ok as there is an altname and thus the name constraints do
160 // not apply to the common name
161 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
162 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
163 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
164 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
166 // Testing on an unconstrained root and an intermediate name constrained to
167 // permitted dirNAME: C=UK all but the intermeduate should fail because they
168 // dont have C=UK (missing or C=US)
169 check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
170 check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc.der'));
171 check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc.der'));
172 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
173 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
174 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
175 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
176 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
177 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
178 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
179 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
180 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
181 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
182 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
183 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
185 // Testing on an unconstrained root and an intermediate name constrained to
186 // permitted dirNAME: C=UK and an unconstrained intermediate that contains
187 // dirNAME C=US. EE and and Intermediates should fail
188 check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
189 check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
190 check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
191 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
192 check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
193 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
194 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
195 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
196 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
197 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
198 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
199 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
200 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
201 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
202 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
204 // Testing on an unconstrained root and an intermediate name constrained to
205 // permitted DNS: foo.com and permitted: DNS: a.us
206 check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
207 check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us.der'));
208 check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us.der'));
209 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.der'));
210 check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.der'));
211 check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.der'));
212 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.der'));
213 check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
214 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.der'));
215 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.der'));
216 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
217 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
218 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
219 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
220 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
222 // Testing on an unconstrained root and an intermediate name constrained to
223 // permitted DNS: foo.com and permitted: DNS:a.us that issues an intermediate
224 // permitted DNS: foo.com .
225 // Goal is to ensure that the stricter (inner) name constraint ins enforced.
226 // The multi-subject alt should fail and is the difference from the sets of
227 // tests above.
228 check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
229 check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
230 check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
231 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
232 check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
233 check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
234 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
235 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
236 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
237 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
238 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
239 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
240 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
241 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
242 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
244 // Testing on a root name constrainted to DNS:foo.com and an unconstrained
245 // intermediate.
246 // Checks that root constraints are enforced.
247 check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
248 check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com.der'));
249 check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com.der'));
250 check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.der'));
251 check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.der'));
252 check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.der'));
253 check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.der'));
254 check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
255 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
256 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
257 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
258 check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
259 check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
260 check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
261 check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
263 // We don't enforce dNSName name constraints on CN unless we're validating
264 // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
265 // NSS get it right.
266 {
267 let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
268 check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
269 check_cert_err_generic(cert, 0, certificateUsageSSLClient);
270 }
272 // DCISS tests
273 // The certs used here were generated by the NSS test suite and are
274 // originally located as security/nss/tests/libpkix/cert/
275 load_cert("dcisscopy", "C,C,C");
276 check_ok(certFromFile('NameConstraints.dcissallowed.cert'));
277 check_fail(certFromFile('NameConstraints.dcissblocked.cert'));
278 }
280 function run_test() {
281 load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
282 load_cert("ca-nc", "CTu,CTu,CTu");
284 run_test_in_mode(true);
285 run_test_in_mode(false);
286 }
