The Tor Browser / file revision

security/nss/tests/chains/scenarios/nameconstraints.cfg@b8a032363ba2

security/nss/tests/chains/scenarios/nameconstraints.cfg

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 # This Source Code Form is subject to the terms of the Mozilla Public

     2 # License, v. 2.0. If a copy of the MPL was not distributed with this

     3 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

     4 

     5 scenario TrustAnchors

     6 

     7 db trustanchors

     8 

     9 import NameConstraints.ca:x:CT,C,C

    10 import NameConstraints.ncca:x:CT,C,C

    11 # Name Constrained CA:  Name constrained to permited DNSName ".example"

    12 import NameConstraints.dcisscopy:x:CT,C,C

    13 

    14 # Intermediate 1: Name constrained to permited DNSName ".example"

    15 

    16 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"

    17 # altDNS: test.invalid

    18 #   Fail: CN not in name constraints, altDNS not in name constraints

    19 verify NameConstraints.server1:x

    20   cert NameConstraints.intermediate:x

    21   result fail

    22 

    23 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN

    24 #   Fail: CN not in name constraints

    25 verify NameConstraints.server2:x

    26   cert NameConstraints.intermediate:x

    27   result fail

    28 

    29 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"

    30 # altDNS: test.example

    31 verify NameConstraints.server3:x

    32   cert NameConstraints.intermediate:x

    33   result pass

    34 

    35 # Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)

    36 

    37 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"

    38 # altDNS: test.invalid

    39 #   Fail: CN not in name constraints, altDNS not in name constraints

    40 verify NameConstraints.server4:x

    41   cert NameConstraints.intermediate2:x

    42   cert NameConstraints.intermediate:x

    43   result fail

    44 

    45 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN

    46 #   Fail: CN not in name constraints

    47 verify NameConstraints.server5:x

    48   cert NameConstraints.intermediate2:x

    49   cert NameConstraints.intermediate:x

    50   result fail

    51 

    52 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"

    53 # altDNS: test.example

    54 verify NameConstraints.server6:x

    55   cert NameConstraints.intermediate2:x

    56   cert NameConstraints.intermediate:x

    57   result pass

    58 

    59 # Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"

    60 #                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"

    61 #                 and a permitted DNSName of "foo.example"

    62 

    63 # Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"

    64 #                 No name constraints present

    65 #                 Signed by Intermediate 3 (inherits name constraints)

    66 

    67 # Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN

    68 verify NameConstraints.server7:x

    69   cert NameConstraints.intermediate4:x

    70   cert NameConstraints.intermediate3:x

    71   result pass

    72 

    73 # Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN

    74 verify NameConstraints.server8:x

    75   cert NameConstraints.intermediate4:x

    76   cert NameConstraints.intermediate3:x

    77   result pass

    78 

    79 # Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN

    80 #  Fail: ST is missing in the DirectoryName, thus not matching name constraints

    81 verify NameConstraints.server9:x

    82   cert NameConstraints.intermediate4:x

    83   cert NameConstraints.intermediate3:x

    84   result fail

    85 

    86 # Subject: "C=US, ST=CA, O=Foo, CN=bar.example"

    87 #  Fail: CN not in name constraints

    88 verify NameConstraints.server10:x

    89   cert NameConstraints.intermediate4:x

    90   cert NameConstraints.intermediate3:x

    91   result fail

    92 

    93 # Subject: "C=US, ST=CA, O=Foo, CN=site.example"

    94 # altDNS:foo.example

    95 #   Pass: Ignores CN constraint name violation because SAN is present

    96 verify NameConstraints.server11:x

    97   cert NameConstraints.intermediate4:x

    98   cert NameConstraints.intermediate3:x

    99   result pass

   100 

   101 # Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"

   102 #   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'

   103 verify NameConstraints.server12:x

   104   cert NameConstraints.intermediate4:x

   105   cert NameConstraints.intermediate3:x

   106   result fail

   107 

   108 # Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"

   109 #                 No name constraints present

   110 #                 Signed by Intermediate 3.

   111 #                 Intermediate 5's subject is not in Intermediate 3's permitted

   112 #                 names, so all certs issued by it are invalid.

   113 

   114 # Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"

   115 #   Fail: Org matches Intermediate 5's name constraints, but does not match

   116 #         Intermediate 3' name constraints

   117 verify NameConstraints.server13:x

   118   cert NameConstraints.intermediate5:x

   119   cert NameConstraints.intermediate3:x

   120   result fail

   121 

   122 # Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"

   123 #  Fail: Matches Intermediate 5's name constraints, but fails because

   124 #        Intermediate 5 does not match Intermediate 3's name constraints

   125 verify NameConstraints.server14:x

   126   cert NameConstraints.intermediate5:x

   127   cert NameConstraints.intermediate3:x

   128   result fail

   129 

   130 # Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"

   131 #                 No name constraints present

   132 #                 Signed by Named Constrained CA (inherits root name constraints)

   133 

   134 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"

   135 # altDNS: testfoo.invalid

   136 #   Fail: CN not in name constraints, altDNS not in name constraints

   137 verify NameConstraints.server15:x

   138   cert NameConstraints.intermediate6:x

   139   result fail

   140 

   141 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN

   142 #   Fail: CN not in name constraints

   143 verify NameConstraints.server16:x

   144   cert NameConstraints.intermediate6:x

   145   result fail

   146 

   147 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"

   148 # altDNS: test4.example

   149 verify NameConstraints.server17:x

   150   cert NameConstraints.intermediate6:x

   151   result pass

   152 

   153 # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"

   154 verify NameConstraints.dcissblocked:x

   155   result fail

   156 

   157 # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"

   158 verify NameConstraints.dcissallowed:x

   159   result pass

   160 

   161

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial