// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Fixture naming used throughout this test (read right to left, leaf first):
//   cn-<CN>[_o-bar_c-us][-alt-<SAN>...]-<issuing chain>.der
// where the issuing chain names the intermediate(s) and root that signed the
// leaf. "nc" marks a certificate carrying a name constraints extension
// (presumably; inferred from the fixture names and the section comments).

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);

// Builds an nsIX509Cert object from a DER file under test_name_constraints/
// without importing it into the certificate database.
function certFromFile(filename) {
  let path = "test_name_constraints/" + filename;
  let derBytes = readFile(do_get_file(path, false));
  return certdb.constructX509(derBytes, derBytes.length);
}

// Imports <cert_name>.der into the certificate database with the given trust
// string, then returns a certificate object built from the same file.
function load_cert(cert_name, trust_string) {
  let der_name = cert_name + ".der";
  addCertFromFile(certdb, "test_name_constraints/" + der_name, trust_string);
  return certFromFile(der_name);
}

// Verifies |cert| for |usage| and asserts that the verifier returns exactly
// |expected_error| (0 means the chain verified). The subject and issuer CNs
// are logged first so a failing assertion can be matched to its fixture.
function check_cert_err_generic(cert, expected_error, usage) {
  do_print("cert cn=" + cert.commonName);
  do_print("cert issuer cn=" + cert.issuerCommonName);
  // Out-parameters required by verifyCertNow; their contents are not
  // inspected by this test.
  let evOut = {};
  let chainOut = {};
  let rv = certdb.verifyCertNow(cert, usage, NO_FLAGS, chainOut, evOut);
  do_check_eq(rv, expected_error);
}

// Same as check_cert_err_generic, verifying as a TLS server certificate.
function check_cert_err(cert, expected_error) {
  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer);
}

// End-entity cert must verify as a TLS server certificate.
function check_ok(x) {
  return check_cert_err(x, 0);
}

// CA cert must verify as an SSL CA.
function check_ok_ca(x) {
  return check_cert_err_generic(x, 0, certificateUsageSSLCA);
}

// End-entity cert must be rejected specifically for violating a name
// constraint; any other error code (or success) fails the assertion.
function check_fail(x) {
  return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
}

// CA cert must be rejected specifically for violating a name constraint.
function check_fail_ca(x) {
  return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
                                certificateUsageSSLCA);
}

// Runs the whole name-constraints matrix against one verifier back end,
// selected through the security.use_mozillapkix_verification pref.
// Intermediates are imported with the trust string ',,' (no trust bits), so
// each one has to chain to a root loaded by run_test() to verify.
function run_test_in_mode(useMozillaPKIX) {
  Services.prefs.setBoolPref("security.use_mozillapkix_verification",
                             useMozillaPKIX);

  // Note that CN is only looked at when there is NO subjectAltName!
  // Consequence for every section below: a leaf with a subjectAltName is
  // judged on its SAN entries, whatever its CN says.

  // Testing with an unconstrained root, and intermediate constrained to PERMIT
  // foo.com. All failures on this section are due to the cert DNS names
  // not being under foo.com.
  check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
  // no dirName
  check_ok(certFromFile('cn-www.foo.com-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
  // multiple subjectAltNames
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));
  // C=US O=bar
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com-ca-nc.der'));
  // multiple subjectAltNames
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com-ca-nc.der'));

  // Testing with an unconstrained root and intermediate constrained to
  // EXCLUDE a DNS name. The original comment named DNS:example.com, but the
  // fixture (int-nc-excl-foo.com) and the expectations below point to
  // DNS:foo.com -- confirm against the fixture. All failures on this section
  // are due to the cert DNS names containing the excluded name. The dirName
  // does not affect evaluation.
  check_ok_ca(load_cert('int-nc-excl-foo.com-ca-nc', ',,'));
  // no dirName
  check_fail(certFromFile('cn-www.foo.com-int-nc-excl-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org-int-nc-excl-foo.com-ca-nc.der'));
  // Notice that since the name constraints apply to the DNS name, the CN is
  // not evaluated in the case where a subjectAltName exists. Thus the next
  // case is correctly passing.
  check_ok(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
  // multiple subjectAltNames
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));
  // C=US O=bar
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-excl-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-excl-foo.com-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-excl-foo.com-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-excl-foo.com-ca-nc.der'));

  // Testing with an unconstrained root, and intermediate constrained to
  // permitting dirName:C=US. All failures on this section are due to cert
  // name not being C=US.
  check_ok_ca(load_cert('int-nc-c-us-ca-nc', ',,'));
  check_fail(certFromFile('cn-www.foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-c-us-ca-nc.der'));

  // Testing with an unconstrained root, and intermediate constrained to
  // permitting dirName:C=US that issues an intermediate name constrained to
  // permitting DNS:foo.com. Checks for inheritance and intersection of
  // different name constraints: a leaf passes only if it satisfies both.
  check_ok_ca(load_cert('int-nc-foo.com-int-nc-c-us-ca-nc', ',,'));
  check_fail(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-c-us-ca-nc.der'));

  // Testing on an unconstrained root and an intermediate name constrained to
  // permitted dirName:C=US and permitted DNS:foo.com.
  // Checks for composability of different name constraints within the same
  // cert.
  check_ok_ca(load_cert('int-nc-perm-foo.com_c-us-ca-nc', ',,'));
  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
  // The next check is ok as there is an altname and thus the name constraints
  // do not apply to the common name.
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-foo.com_c-us-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-foo.com_c-us-ca-nc.der'));

  // Testing on an unconstrained root and an intermediate name constrained to
  // permitted dirName:C=UK. All but the intermediate should fail because they
  // don't have C=UK (it is either missing or C=US).
  check_ok_ca(load_cert('int-nc-perm-c-uk-ca-nc', ',,'));
  check_fail(certFromFile('cn-www.foo.com-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-perm-c-uk-ca-nc.der'));

  // Testing on an unconstrained root and an intermediate name constrained to
  // permitted dirName:C=UK and an unconstrained intermediate that contains
  // dirName C=US. EE and intermediates should fail: the constraint binds
  // subordinate CA certificates as well as leaves, hence check_fail_ca here.
  check_fail_ca(load_cert('int-c-us-int-nc-perm-c-uk-ca-nc', ',,'));
  check_fail(certFromFile('cn-www.foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-c-us-int-nc-perm-c-uk-ca-nc.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-c-us-int-nc-perm-c-uk-ca-nc.der'));

  // Testing on an unconstrained root and an intermediate name constrained to
  // permitted DNS:foo.com and permitted DNS:a.us. Unlike the foo.com-only
  // sections, the multi-subjectAltName leaves (a.a.us, b.a.us) pass here.
  check_ok_ca(load_cert('int-nc-foo.com_a.us', ',,'));
  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com_a.us.der'));

  // Testing on an unconstrained root and an intermediate name constrained to
  // permitted DNS:foo.com and permitted DNS:a.us that issues an intermediate
  // with permitted DNS:foo.com.
  // Goal is to ensure that the stricter (inner) name constraint is enforced.
  // The multi-subjectAltName leaf should fail, and that is the difference
  // from the set of tests above.
  check_ok_ca(load_cert('int-nc-foo.com-int-nc-foo.com_a.us', ',,'));
  check_ok(certFromFile('cn-www.foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-nc-foo.com-int-nc-foo.com_a.us.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-nc-foo.com-int-nc-foo.com_a.us.der'));

  // Testing on a root name constrained to DNS:foo.com and an unconstrained
  // intermediate.
  // Checks that root constraints are enforced.
  check_ok_ca(load_cert('int-ca-nc-perm-foo.com', ',,'));
  check_ok(certFromFile('cn-www.foo.com-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.org-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.org-int-ca-nc-perm-foo.com.der'));
  check_ok(certFromFile('cn-www.foo.org-alt-foo.com-int-ca-nc-perm-foo.com.der'));
  check_ok(certFromFile('cn-www.foo.com-alt-foo.com-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.org-alt-foo.org-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.com-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
  check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
  check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
  check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));

  // We don't enforce dNSName name constraints on CN unless we're validating
  // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
  // NSS get it right.
  // The same leaf is therefore rejected as a TLS server cert and accepted as
  // a TLS client cert. Which implementation run_test_in_mode(false) selects
  // is decided outside this file.
  {
    let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
    check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
                           certificateUsageSSLServer);
    check_cert_err_generic(cert, 0, certificateUsageSSLClient);
  }

  // DCISS tests
  // The certs used here were generated by the NSS test suite and are
  // originally located at security/nss/tests/libpkix/cert/
  load_cert("dcisscopy", "C,C,C");
  check_ok(certFromFile('NameConstraints.dcissallowed.cert'));
  check_fail(certFromFile('NameConstraints.dcissblocked.cert'));
}

// xpcshell entry point: installs the two test roots (one name constrained to
// foo.com, one unconstrained) as trusted, then runs the full matrix once per
// verifier mode so both implementations are held to the same expectations.
function run_test() {
  load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
  load_cert("ca-nc", "CTu,CTu,CTu");

  run_test_in_mode(true);
  run_test_in_mode(false);
}