michael@0: # This Source Code Form is subject to the terms of the Mozilla Public michael@0: # License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: # file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: scenario TrustAnchors michael@0: michael@0: db trustanchors michael@0: michael@0: import NameConstraints.ca:x:CT,C,C michael@0: import NameConstraints.ncca:x:CT,C,C michael@0: # Name Constrained CA: Name constrained to permited DNSName ".example" michael@0: import NameConstraints.dcisscopy:x:CT,C,C michael@0: michael@0: # Intermediate 1: Name constrained to permited DNSName ".example" michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" michael@0: # altDNS: test.invalid michael@0: # Fail: CN not in name constraints, altDNS not in name constraints michael@0: verify NameConstraints.server1:x michael@0: cert NameConstraints.intermediate:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN michael@0: # Fail: CN not in name constraints michael@0: verify NameConstraints.server2:x michael@0: cert NameConstraints.intermediate:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" michael@0: # altDNS: test.example michael@0: verify NameConstraints.server3:x michael@0: cert NameConstraints.intermediate:x michael@0: result pass michael@0: michael@0: # Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints) michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" michael@0: # altDNS: test.invalid michael@0: # Fail: CN not in name constraints, altDNS not in name constraints michael@0: verify NameConstraints.server4:x michael@0: cert NameConstraints.intermediate2:x michael@0: cert NameConstraints.intermediate:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN michael@0: # Fail: CN not in name constraints michael@0: verify NameConstraints.server5:x michael@0: cert NameConstraints.intermediate2:x michael@0: cert NameConstraints.intermediate:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" michael@0: # altDNS: test.example michael@0: verify NameConstraints.server6:x michael@0: cert NameConstraints.intermediate2:x michael@0: cert NameConstraints.intermediate:x michael@0: result pass michael@0: michael@0: # Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3" michael@0: # Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo" michael@0: # and a permitted DNSName of "foo.example" michael@0: michael@0: # Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2" michael@0: # No name constraints present michael@0: # Signed by Intermediate 3 (inherits name constraints) michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN michael@0: verify NameConstraints.server7:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result pass michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN michael@0: verify NameConstraints.server8:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result pass michael@0: michael@0: # Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN michael@0: # Fail: ST is missing in the DirectoryName, thus not matching name constraints michael@0: verify NameConstraints.server9:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, CN=bar.example" michael@0: # Fail: CN not in name constraints michael@0: verify NameConstraints.server10:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, CN=site.example" michael@0: # altDNS:foo.example michael@0: # Pass: Ignores CN constraint name violation because SAN is present michael@0: verify NameConstraints.server11:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result pass michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed" michael@0: # Fail: CN does not match DNS name constraints - even though is not 'DNS shaped' michael@0: verify NameConstraints.server12:x michael@0: cert NameConstraints.intermediate4:x michael@0: cert NameConstraints.intermediate3:x michael@0: result fail michael@0: michael@0: # Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2" michael@0: # No name constraints present michael@0: # Signed by Intermediate 3. michael@0: # Intermediate 5's subject is not in Intermediate 3's permitted michael@0: # names, so all certs issued by it are invalid. michael@0: michael@0: # Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example" michael@0: # Fail: Org matches Intermediate 5's name constraints, but does not match michael@0: # Intermediate 3' name constraints michael@0: verify NameConstraints.server13:x michael@0: cert NameConstraints.intermediate5:x michael@0: cert NameConstraints.intermediate3:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example" michael@0: # Fail: Matches Intermediate 5's name constraints, but fails because michael@0: # Intermediate 5 does not match Intermediate 3's name constraints michael@0: verify NameConstraints.server14:x michael@0: cert NameConstraints.intermediate5:x michael@0: cert NameConstraints.intermediate3:x michael@0: result fail michael@0: michael@0: # Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6" michael@0: # No name constraints present michael@0: # Signed by Named Constrained CA (inherits root name constraints) michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid" michael@0: # altDNS: testfoo.invalid michael@0: # Fail: CN not in name constraints, altDNS not in name constraints michael@0: verify NameConstraints.server15:x michael@0: cert NameConstraints.intermediate6:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN michael@0: # Fail: CN not in name constraints michael@0: verify NameConstraints.server16:x michael@0: cert NameConstraints.intermediate6:x michael@0: result fail michael@0: michael@0: # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example" michael@0: # altDNS: test4.example michael@0: verify NameConstraints.server17:x michael@0: cert NameConstraints.intermediate6:x michael@0: result pass michael@0: michael@0: # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" michael@0: verify NameConstraints.dcissblocked:x michael@0: result fail michael@0: michael@0: # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" michael@0: verify NameConstraints.dcissallowed:x michael@0: result pass michael@0: michael@0: