1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "name_constraints.h"
6
7 #include <array>
8 #include <memory>
9
10 #include <gtest/gtest.h>
11 #include "common_cert_errors.h"
12 #include "test_helpers.h"
13
14 namespace bssl {
15 namespace {
16
LoadTestData(const char * token,const std::string & basename,std::string * result)17 ::testing::AssertionResult LoadTestData(const char *token,
18 const std::string &basename,
19 std::string *result) {
20 std::string path = "testdata/name_constraints_unittest/" + basename;
21
22 const PemBlockMapping mappings[] = {
23 {token, result},
24 };
25
26 return ReadTestDataFromPemFile(path, mappings);
27 }
28
LoadTestName(const std::string & basename,std::string * result)29 ::testing::AssertionResult LoadTestName(const std::string &basename,
30 std::string *result) {
31 return LoadTestData("NAME", basename, result);
32 }
33
LoadTestNameConstraint(const std::string & basename,std::string * result)34 ::testing::AssertionResult LoadTestNameConstraint(const std::string &basename,
35 std::string *result) {
36 return LoadTestData("NAME CONSTRAINTS", basename, result);
37 }
38
LoadTestSubjectAltNameData(const std::string & basename,std::string * result)39 ::testing::AssertionResult LoadTestSubjectAltNameData(
40 const std::string &basename, std::string *result) {
41 return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
42 }
43
LoadTestSubjectAltName(const std::string & basename,std::unique_ptr<GeneralNames> * result,std::string * result_der)44 ::testing::AssertionResult LoadTestSubjectAltName(
45 const std::string &basename, std::unique_ptr<GeneralNames> *result,
46 std::string *result_der) {
47 ::testing::AssertionResult load_result =
48 LoadTestSubjectAltNameData(basename, result_der);
49 if (!load_result) {
50 return load_result;
51 }
52 CertErrors errors;
53 *result = GeneralNames::Create(der::Input(*result_der), &errors);
54 if (!*result) {
55 return ::testing::AssertionFailure() << "Create failed";
56 }
57 return ::testing::AssertionSuccess();
58 }
59
IsPermittedCert(const NameConstraints * name_constraints,der::Input subject_rdn_sequence,const GeneralNames * subject_alt_names)60 ::testing::AssertionResult IsPermittedCert(
61 const NameConstraints *name_constraints, der::Input subject_rdn_sequence,
62 const GeneralNames *subject_alt_names) {
63 CertErrors errors;
64 name_constraints->IsPermittedCert(subject_rdn_sequence, subject_alt_names,
65 &errors);
66 if (!errors.ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH)) {
67 return ::testing::AssertionSuccess();
68 }
69 if (!errors.ContainsError(cert_errors::kNotPermittedByNameConstraints)) {
70 ADD_FAILURE() << "unexpected error " << errors.ToDebugString();
71 }
72 return ::testing::AssertionFailure();
73 }
74
IPAddress(uint8_t b0,uint8_t b1,uint8_t b2,uint8_t b3)75 std::array<uint8_t, 4> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
76 uint8_t b3) {
77 return {b0, b1, b2, b3};
78 }
IPAddress(uint8_t b0,uint8_t b1,uint8_t b2,uint8_t b3,uint8_t b4,uint8_t b5,uint8_t b6,uint8_t b7,uint8_t b8,uint8_t b9,uint8_t b10,uint8_t b11,uint8_t b12,uint8_t b13,uint8_t b14,uint8_t b15)79 std::array<uint8_t, 16> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
80 uint8_t b3, uint8_t b4, uint8_t b5,
81 uint8_t b6, uint8_t b7, uint8_t b8,
82 uint8_t b9, uint8_t b10, uint8_t b11,
83 uint8_t b12, uint8_t b13, uint8_t b14,
84 uint8_t b15) {
85 return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
86 }
87
88 } // namespace
89
90 class ParseNameConstraints
91 : public ::testing::TestWithParam<::testing::tuple<bool>> {
92 public:
is_critical() const93 bool is_critical() const { return ::testing::get<0>(GetParam()); }
94 };
95
96 // Run the tests with the name constraints marked critical and non-critical. For
97 // supported name types, the results should be the same for both.
98 INSTANTIATE_TEST_SUITE_P(InstantiationName, ParseNameConstraints,
99 ::testing::Values(true, false));
100
TEST_P(ParseNameConstraints,DNSNames)101 TEST_P(ParseNameConstraints, DNSNames) {
102 std::string a;
103 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
104
105 CertErrors errors;
106 std::unique_ptr<NameConstraints> name_constraints(
107 NameConstraints::Create(der::Input(a), is_critical(), &errors));
108 ASSERT_TRUE(name_constraints);
109
110 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
111 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
112 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
113 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
114 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
115 EXPECT_TRUE(
116 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
117 EXPECT_FALSE(
118 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
119 EXPECT_FALSE(
120 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
121 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
122 "stillnotpermitted.excluded.permitted.example.com"));
123 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
124 "a.stillnotpermitted.excluded.permitted.example.com"));
125 EXPECT_FALSE(
126 name_constraints->IsPermittedDNSName("extraneousexclusion.example.com"));
127 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
128 "a.extraneousexclusion.example.com"));
129 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.example.com"));
130 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.com"));
131
132 // Wildcard names:
133 // Pattern could match excluded.permitted.example.com, thus should not be
134 // allowed.
135 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.permitted.example.com"));
136 // Entirely within excluded name, obviously not allowed.
137 EXPECT_FALSE(
138 name_constraints->IsPermittedDNSName("*.excluded.permitted.example.com"));
139 // Within permitted.example.com and cannot match any exclusion, thus these are
140 // allowed.
141 EXPECT_TRUE(
142 name_constraints->IsPermittedDNSName("*.foo.permitted.example.com"));
143 EXPECT_TRUE(
144 name_constraints->IsPermittedDNSName("*.alsopermitted.example.com"));
145 // Matches permitted.example2.com, but also matches other .example2.com names
146 // which are not in either permitted or excluded, so not allowed.
147 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.example2.com"));
148 // Partial wildcards are not supported, so these name are permitted even if
149 // it seems like they shouldn't be. It's fine, since certificate verification
150 // won't treat them as wildcard names either.
151 EXPECT_TRUE(
152 name_constraints->IsPermittedDNSName("*xcluded.permitted.example.com"));
153 EXPECT_TRUE(
154 name_constraints->IsPermittedDNSName("exclude*.permitted.example.com"));
155 EXPECT_TRUE(
156 name_constraints->IsPermittedDNSName("excl*ded.permitted.example.com"));
157 // Garbage wildcard data.
158 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*."));
159 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.*"));
160 EXPECT_FALSE(name_constraints->IsPermittedDNSName(".*"));
161 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*"));
162 // Matches SAN with trailing dot.
163 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com"));
164 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
165 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
166 EXPECT_TRUE(
167 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
168
169 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->constrained_name_types());
170
171 std::string san_der;
172 std::unique_ptr<GeneralNames> san;
173 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
174 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
175
176 ASSERT_TRUE(
177 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
178 EXPECT_FALSE(
179 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
180
181 ASSERT_TRUE(
182 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
183 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
184
185 ASSERT_TRUE(
186 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
187 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
188 }
189
TEST_P(ParseNameConstraints,DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted)190 TEST_P(ParseNameConstraints,
191 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
192 std::string a;
193 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
194 CertErrors errors;
195 std::unique_ptr<NameConstraints> name_constraints(
196 NameConstraints::Create(der::Input(a), is_critical(), &errors));
197 ASSERT_TRUE(name_constraints);
198
199 // Matches permitted exactly.
200 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
201 // Contained within permitted and doesn't match excluded (foo.bar.com).
202 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
203 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
204 // Matches excluded exactly.
205 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
206 // Contained within excluded.
207 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
208
209 // Cannot match anything within excluded.
210 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
211 // Wildcard hostnames only match a single label, so cannot match excluded
212 // which has two labels before .com.
213 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
214
215 // Partial match of foo.bar.com.
216 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
217 // All expansions of wildcard are within excluded.
218 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
219 }
220
TEST_P(ParseNameConstraints,DNSNamesPermittedWithLeadingDot)221 TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
222 std::string a;
223 ASSERT_TRUE(
224 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
225 CertErrors errors;
226 std::unique_ptr<NameConstraints> name_constraints(
227 NameConstraints::Create(der::Input(a), is_critical(), &errors));
228 ASSERT_TRUE(name_constraints);
229
230 // A permitted dNSName constraint of ".bar.com" should only match subdomains
231 // of .bar.com, but not bar.com itself.
232 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
233 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
234 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
235 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
236 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
237 }
238
TEST_P(ParseNameConstraints,DNSNamesExcludedWithLeadingDot)239 TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
240 std::string a;
241 ASSERT_TRUE(
242 LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
243 CertErrors errors;
244 std::unique_ptr<NameConstraints> name_constraints(
245 NameConstraints::Create(der::Input(a), is_critical(), &errors));
246 ASSERT_TRUE(name_constraints);
247
248 // An excluded dNSName constraint of ".bar.com" should only match subdomains
249 // of .bar.com, but not bar.com itself.
250 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
251 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
253 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
254 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
255 }
256
TEST_P(ParseNameConstraints,DNSNamesPermittedTwoDot)257 TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
258 std::string a;
259 ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
260 CertErrors errors;
261 std::unique_ptr<NameConstraints> name_constraints(
262 NameConstraints::Create(der::Input(a), is_critical(), &errors));
263 ASSERT_TRUE(name_constraints);
264
265 // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
266 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
267 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com."));
268 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
269 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.com"));
270 }
271
TEST_P(ParseNameConstraints,DNSNamesExcludeOnly)272 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
273 std::string a;
274 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
275
276 CertErrors errors;
277 std::unique_ptr<NameConstraints> name_constraints(
278 NameConstraints::Create(der::Input(a), is_critical(), &errors));
279 ASSERT_TRUE(name_constraints);
280
281 // Only "excluded.permitted.example.com" is excluded, and since permitted is
282 // empty, any dNSName outside that is allowed.
283 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
284 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
285 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
286 EXPECT_FALSE(
287 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
288 EXPECT_FALSE(
289 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
290 }
291
TEST_P(ParseNameConstraints,DNSNamesExcludeAll)292 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
293 std::string a;
294 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
295
296 CertErrors errors;
297 std::unique_ptr<NameConstraints> name_constraints(
298 NameConstraints::Create(der::Input(a), is_critical(), &errors));
299 ASSERT_TRUE(name_constraints);
300
301 // "permitted.example.com" is in the permitted section, but since "" is
302 // excluded, nothing is permitted.
303 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
304 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
305 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
306 EXPECT_FALSE(
307 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
308 }
309
TEST_P(ParseNameConstraints,DNSNamesExcludeDot)310 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
311 std::string a;
312 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
313
314 CertErrors errors;
315 std::unique_ptr<NameConstraints> name_constraints(
316 NameConstraints::Create(der::Input(a), is_critical(), &errors));
317 ASSERT_TRUE(name_constraints);
318
319 // "." is excluded, which should match nothing.
320 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
321 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
322 EXPECT_TRUE(
323 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
324 }
325
TEST_P(ParseNameConstraints,DNSNamesFailOnInvalidIA5String)326 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
327 std::string a;
328 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
329
330 size_t replace_location = a.find("permitted.example2.com");
331 ASSERT_NE(std::string::npos, replace_location);
332 a.replace(replace_location, 1, 1, -1);
333
334 CertErrors errors;
335 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
336 }
337
TEST_P(ParseNameConstraints,DirectoryNames)338 TEST_P(ParseNameConstraints, DirectoryNames) {
339 std::string constraints_der;
340 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
341
342 std::string name_us;
343 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
344 std::string name_us_ca;
345 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
346 std::string name_us_ca_mountain_view;
347 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
348 &name_us_ca_mountain_view));
349 std::string name_us_az;
350 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
351 std::string name_jp;
352 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
353 std::string name_jp_tokyo;
354 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
355 std::string name_de;
356 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
357 std::string name_ca;
358 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
359
360 CertErrors errors;
361 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
362 der::Input(constraints_der), is_critical(), &errors));
363 ASSERT_TRUE(name_constraints);
364
365 // Not in any permitted subtree.
366 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
367 SequenceValueFromString(name_ca)));
368 // Within the permitted C=US subtree.
369 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
370 SequenceValueFromString(name_us)));
371 // Within the permitted C=US subtree.
372 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
373 SequenceValueFromString(name_us_az)));
374 // Within the permitted C=US subtree, however the excluded C=US,ST=California
375 // subtree takes priority.
376 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
377 SequenceValueFromString(name_us_ca)));
378 // Within the permitted C=US subtree as well as the permitted
379 // C=US,ST=California,L=Mountain View subtree, however the excluded
380 // C=US,ST=California subtree still takes priority.
381 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
382 SequenceValueFromString(name_us_ca_mountain_view)));
383 // Not in any permitted subtree, and also inside the extraneous excluded C=DE
384 // subtree.
385 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
386 SequenceValueFromString(name_de)));
387 // Not in any permitted subtree.
388 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
389 SequenceValueFromString(name_jp)));
390 // Within the permitted C=JP,ST=Tokyo subtree.
391 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
392 SequenceValueFromString(name_jp_tokyo)));
393
394 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
395 name_constraints->constrained_name_types());
396
397 // Within the permitted C=US subtree.
398 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
399 SequenceValueFromString(name_us),
400 nullptr /* subject_alt_names */));
401 // Within the permitted C=US subtree, however the excluded C=US,ST=California
402 // subtree takes priority.
403 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
404 SequenceValueFromString(name_us_ca),
405 nullptr /* subject_alt_names */));
406
407 std::string san_der;
408 std::unique_ptr<GeneralNames> san;
409 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
410 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
411
412 ASSERT_TRUE(
413 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
414 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
415
416 ASSERT_TRUE(
417 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
418 EXPECT_FALSE(
419 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
420
421 ASSERT_TRUE(
422 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
423 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
424 }
425
TEST_P(ParseNameConstraints,DirectoryNamesExcludeOnly)426 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
427 std::string constraints_der;
428 ASSERT_TRUE(
429 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
430 CertErrors errors;
431 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
432 der::Input(constraints_der), is_critical(), &errors));
433 ASSERT_TRUE(name_constraints);
434
435 std::string name_empty;
436 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
437 std::string name_us;
438 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
439 std::string name_us_ca;
440 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
441 std::string name_us_ca_mountain_view;
442 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
443 &name_us_ca_mountain_view));
444
445 // Only "C=US,ST=California" is excluded, and since permitted is empty,
446 // any directoryName outside that is allowed.
447 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
448 SequenceValueFromString(name_empty)));
449 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
450 SequenceValueFromString(name_us)));
451 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
452 SequenceValueFromString(name_us_ca)));
453 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
454 SequenceValueFromString(name_us_ca_mountain_view)));
455 }
456
TEST_P(ParseNameConstraints,DirectoryNamesExcludeAll)457 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
458 std::string constraints_der;
459 ASSERT_TRUE(
460 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
461 CertErrors errors;
462 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
463 der::Input(constraints_der), is_critical(), &errors));
464 ASSERT_TRUE(name_constraints);
465
466 std::string name_empty;
467 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
468 std::string name_us;
469 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
470 std::string name_us_ca;
471 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
472 std::string name_us_ca_mountain_view;
473 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
474 &name_us_ca_mountain_view));
475 std::string name_jp;
476 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
477
478 // "C=US" is in the permitted section, but since an empty
479 // directoryName is excluded, nothing is permitted.
480 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
481 SequenceValueFromString(name_empty)));
482 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
483 SequenceValueFromString(name_us)));
484 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
485 SequenceValueFromString(name_us_ca)));
486 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
487 SequenceValueFromString(name_jp)));
488 }
489
TEST_P(ParseNameConstraints,IPAddresses)490 TEST_P(ParseNameConstraints, IPAddresses) {
491 std::string a;
492 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
493
494 CertErrors errors;
495 std::unique_ptr<NameConstraints> name_constraints(
496 NameConstraints::Create(der::Input(a), is_critical(), &errors));
497 ASSERT_TRUE(name_constraints);
498
499 // IPv4 tests:
500
501 // Not in any permitted range.
502 EXPECT_FALSE(
503 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 169, 0, 1))));
504
505 // Within the permitted 192.168.0.0/255.255.0.0 range.
506 EXPECT_TRUE(
507 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
508
509 // Within the permitted 192.168.0.0/255.255.0.0 range, however the
510 // excluded 192.168.5.0/255.255.255.0 takes priority.
511 EXPECT_FALSE(
512 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
513
514 // Within the permitted 192.168.0.0/255.255.0.0 range as well as the
515 // permitted 192.168.5.32/255.255.255.224 range, however the excluded
516 // 192.168.5.0/255.255.255.0 still takes priority.
517 EXPECT_FALSE(
518 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 33))));
519
520 // Not in any permitted range. (Just outside the
521 // 192.167.5.32/255.255.255.224 range.)
522 EXPECT_FALSE(
523 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 31))));
524
525 // Within the permitted 192.167.5.32/255.255.255.224 range.
526 EXPECT_TRUE(
527 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 32))));
528
529 // Within the permitted 192.167.5.32/255.255.255.224 range.
530 EXPECT_TRUE(
531 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 63))));
532
533 // Not in any permitted range. (Just outside the
534 // 192.167.5.32/255.255.255.224 range.)
535 EXPECT_FALSE(
536 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 64))));
537
538 // Not in any permitted range, and also inside the extraneous excluded
539 // 192.166.5.32/255.255.255.224 range.
540 EXPECT_FALSE(
541 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 166, 5, 32))));
542
543 // IPv6 tests:
544
545 // Not in any permitted range.
546 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
547 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
548
549 // Within the permitted
550 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
551 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
552 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1))));
553
554 // Within the permitted
555 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
556 // the excluded
557 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
558 // priority.
559 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
560 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1))));
561
562 // Within the permitted
563 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
564 // as the permitted
565 // 102:304:506:708:90a:b0c:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0,
566 // however the excluded
567 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
568 // priority.
569 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
570 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1))));
571
572 // Not in any permitted range. (Just outside the
573 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
574 // range.)
575 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
576 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255))));
577
578 // Within the permitted
579 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
580 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
581 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0))));
582
583 // Within the permitted
584 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
585 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
586 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255))));
587
588 // Not in any permitted range. (Just outside the
589 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
590 // range.)
591 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
592 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0))));
593
594 // Not in any permitted range, and also inside the extraneous excluded
595 // 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
596 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
597 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1))));
598
599 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
600 name_constraints->constrained_name_types());
601
602 std::string san_der;
603 std::unique_ptr<GeneralNames> san;
604 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
605 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
606
607 ASSERT_TRUE(
608 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
609 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
610
611 ASSERT_TRUE(
612 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
613 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
614
615 ASSERT_TRUE(
616 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
617 EXPECT_FALSE(
618 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
619 }
620
TEST_P(ParseNameConstraints,IPAddressesExcludeOnly)621 TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
622 std::string a;
623 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
624
625 CertErrors errors;
626 std::unique_ptr<NameConstraints> name_constraints(
627 NameConstraints::Create(der::Input(a), is_critical(), &errors));
628 ASSERT_TRUE(name_constraints);
629
630 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
631 // any iPAddress outside that is allowed.
632 EXPECT_TRUE(
633 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
634 EXPECT_FALSE(
635 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
636 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
637 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
638 }
639
TEST_P(ParseNameConstraints,IPAddressesExcludeAll)640 TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
641 std::string a;
642 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
643
644 CertErrors errors;
645 std::unique_ptr<NameConstraints> name_constraints(
646 NameConstraints::Create(der::Input(a), is_critical(), &errors));
647 ASSERT_TRUE(name_constraints);
648
649 // 192.168.0.0/255.255.0.0 and
650 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
651 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
652 EXPECT_FALSE(
653 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
654 EXPECT_FALSE(
655 name_constraints->IsPermittedIP(der::Input(IPAddress(1, 1, 1, 1))));
656 EXPECT_FALSE(name_constraints->IsPermittedIP(
657 der::Input(IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))));
658 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
659 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
660 }
661
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitSingleHost)662 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
663 std::string a;
664 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
665
666 CertErrors errors;
667 std::unique_ptr<NameConstraints> name_constraints(
668 NameConstraints::Create(der::Input(a), is_critical(), &errors));
669 ASSERT_TRUE(name_constraints);
670
671 EXPECT_FALSE(
672 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
673 EXPECT_FALSE(
674 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
675 EXPECT_FALSE(
676 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
677 EXPECT_TRUE(
678 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
679 EXPECT_FALSE(
680 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
681 EXPECT_FALSE(name_constraints->IsPermittedIP(
682 der::Input(IPAddress(255, 255, 255, 255))));
683 }
684
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitPrefixLen31)685 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
686 std::string a;
687 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
688
689 CertErrors errors;
690 std::unique_ptr<NameConstraints> name_constraints(
691 NameConstraints::Create(der::Input(a), is_critical(), &errors));
692 ASSERT_TRUE(name_constraints);
693
694 EXPECT_FALSE(
695 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
696 EXPECT_FALSE(
697 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
698 EXPECT_TRUE(
699 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
700 EXPECT_TRUE(
701 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
702 EXPECT_FALSE(
703 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
704 EXPECT_FALSE(
705 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 5))));
706 EXPECT_FALSE(name_constraints->IsPermittedIP(
707 der::Input(IPAddress(255, 255, 255, 255))));
708 }
709
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitPrefixLen1)710 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
711 std::string a;
712 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
713
714 CertErrors errors;
715 std::unique_ptr<NameConstraints> name_constraints(
716 NameConstraints::Create(der::Input(a), is_critical(), &errors));
717 ASSERT_TRUE(name_constraints);
718
719 EXPECT_FALSE(
720 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
721 EXPECT_FALSE(name_constraints->IsPermittedIP(
722 der::Input(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))));
723 EXPECT_TRUE(
724 name_constraints->IsPermittedIP(der::Input(IPAddress(0x80, 0, 0, 0))));
725 EXPECT_TRUE(name_constraints->IsPermittedIP(
726 der::Input(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))));
727 }
728
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitAll)729 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
730 std::string a;
731 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
732
733 CertErrors errors;
734 std::unique_ptr<NameConstraints> name_constraints(
735 NameConstraints::Create(der::Input(a), is_critical(), &errors));
736 ASSERT_TRUE(name_constraints);
737
738 EXPECT_TRUE(
739 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
740 EXPECT_TRUE(
741 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
742 EXPECT_TRUE(name_constraints->IsPermittedIP(
743 der::Input(IPAddress(255, 255, 255, 255))));
744 }
745
TEST_P(ParseNameConstraints,IPAddressesFailOnInvalidAddr)746 TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
747 std::string a;
748 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
749
750 CertErrors errors;
751 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
752 }
753
TEST_P(ParseNameConstraints,IPAddressesFailOnInvalidMaskNotContiguous)754 TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
755 std::string a;
756 ASSERT_TRUE(LoadTestNameConstraint(
757 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
758 CertErrors errors;
759 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
760
761 ASSERT_TRUE(LoadTestNameConstraint(
762 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
763 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
764
765 ASSERT_TRUE(LoadTestNameConstraint(
766 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
767 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
768
769 ASSERT_TRUE(LoadTestNameConstraint(
770 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
771 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
772 }
773
774 // Test that v4/v6 mapping is not applied when evaluating name constraints.
TEST_P(ParseNameConstraints,IPAddressesMapped)775 TEST_P(ParseNameConstraints, IPAddressesMapped) {
776 std::string a;
777 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
778
779 CertErrors errors;
780 std::unique_ptr<NameConstraints> name_constraints(
781 NameConstraints::Create(der::Input(a), is_critical(), &errors));
782 ASSERT_TRUE(name_constraints);
783
784 // 192.168.1.0/24 is a permitted subtree.
785 EXPECT_TRUE(
786 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 0))));
787 // This does not cover ::ffff:192.168.1.0.
788 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
789 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))));
790 // 192.168.1.1 is excluded.
791 EXPECT_FALSE(
792 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
793 // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
794 EXPECT_TRUE(
795 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
796
797 // ::ffff:192.168.2.0/120 is a permitted subtree.
798 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
799 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))));
800 // This does not cover 192.168.2.0.
801 EXPECT_FALSE(
802 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 2, 0))));
803 // ::ffff:192.168.2.1 is excluded.
804 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
805 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))));
806 // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
807 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
808 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))));
809 }
810
TEST_P(ParseNameConstraints,OtherNamesInPermitted)811 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
812 std::string constraints_der;
813 ASSERT_TRUE(
814 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
815 CertErrors errors;
816 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
817 der::Input(constraints_der), is_critical(), &errors));
818 ASSERT_TRUE(name_constraints);
819
820 if (is_critical()) {
821 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
822 name_constraints->constrained_name_types());
823 } else {
824 EXPECT_EQ(0, name_constraints->constrained_name_types());
825 }
826
827 std::string san_der;
828 std::unique_ptr<GeneralNames> san;
829 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
830 EXPECT_EQ(!is_critical(),
831 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
832 }
833
TEST_P(ParseNameConstraints,OtherNamesInExcluded)834 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
835 std::string constraints_der;
836 ASSERT_TRUE(
837 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
838 CertErrors errors;
839 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
840 der::Input(constraints_der), is_critical(), &errors));
841 ASSERT_TRUE(name_constraints);
842
843 if (is_critical()) {
844 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
845 name_constraints->constrained_name_types());
846 } else {
847 EXPECT_EQ(0, name_constraints->constrained_name_types());
848 }
849
850 std::string san_der;
851 std::unique_ptr<GeneralNames> san;
852 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
853 EXPECT_EQ(!is_critical(),
854 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
855 }
856
TEST_P(ParseNameConstraints,Rfc822NamesInPermitted)857 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
858 std::string constraints_der;
859 ASSERT_TRUE(
860 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
861 CertErrors errors;
862 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
863 der::Input(constraints_der), is_critical(), &errors));
864 ASSERT_TRUE(name_constraints);
865
866 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
867 name_constraints->constrained_name_types());
868
869 std::string san_der;
870 std::unique_ptr<GeneralNames> san;
871
872 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
873 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
874
875 ASSERT_TRUE(
876 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
877 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
878
879 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
880 &san_der));
881 EXPECT_FALSE(
882 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
883
884 ASSERT_TRUE(
885 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
886 EXPECT_FALSE(
887 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
888
889 ASSERT_TRUE(
890 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
891 EXPECT_FALSE(
892 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
893
894 ASSERT_TRUE(
895 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
896 EXPECT_FALSE(
897 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
898
899 ASSERT_TRUE(
900 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
901 // `"foo"@example.com` and `[email protected]` are the same address, but we
902 // don't support quoted address at all.
903 EXPECT_FALSE(
904 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
905
906 ASSERT_TRUE(
907 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
908 EXPECT_FALSE(
909 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
910
911 ASSERT_TRUE(
912 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
913 // SAN contains multiple email addresses, only the first matches the
914 // permitted constraint.
915 EXPECT_FALSE(
916 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
917 }
918
TEST_P(ParseNameConstraints,Rfc822NamesInExcluded)919 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
920 std::string constraints_der;
921 ASSERT_TRUE(
922 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
923 CertErrors errors;
924 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
925 der::Input(constraints_der), is_critical(), &errors));
926 ASSERT_TRUE(name_constraints);
927
928 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
929 name_constraints->constrained_name_types());
930
931 std::string san_der;
932 std::unique_ptr<GeneralNames> san;
933
934 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
935 EXPECT_FALSE(
936 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
937
938 ASSERT_TRUE(
939 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
940 EXPECT_FALSE(
941 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
942
943 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
944 &san_der));
945 // Excluded names are matched case-sensitive in the local-part for addresses
946 // from subjectAlternativeName, so this is allowed.
947 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
948
949 ASSERT_TRUE(
950 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
951 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
952
953 ASSERT_TRUE(
954 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
955 EXPECT_FALSE(
956 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
957
958 ASSERT_TRUE(
959 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
960 EXPECT_FALSE(
961 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
962
963 ASSERT_TRUE(
964 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
965 EXPECT_FALSE(
966 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
967 }
968
TEST_P(ParseNameConstraints,Rfc822NameHostnameInPermitted)969 TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) {
970 std::string constraints_der;
971 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
972 &constraints_der));
973 CertErrors errors;
974 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
975 der::Input(constraints_der), is_critical(), &errors));
976 ASSERT_TRUE(name_constraints);
977
978 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
979 name_constraints->constrained_name_types());
980
981 std::string san_der;
982 std::unique_ptr<GeneralNames> san;
983
984 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
985 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
986
987 ASSERT_TRUE(
988 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
989 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
990
991 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
992 &san_der));
993 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
994
995 ASSERT_TRUE(
996 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
997 EXPECT_FALSE(
998 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
999
1000 ASSERT_TRUE(
1001 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1002 EXPECT_FALSE(
1003 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1004
1005 ASSERT_TRUE(
1006 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1007 EXPECT_FALSE(
1008 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1009
1010 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1011 &san_der));
1012 EXPECT_FALSE(
1013 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1014
1015 ASSERT_TRUE(
1016 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1017 // `"foo"@example.com` would match `example.com` hostname, but we don't
1018 // support quoted address at all.
1019 EXPECT_FALSE(
1020 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1021
1022 ASSERT_TRUE(
1023 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
1024 // SAN contains multiple email addresses, all match the permitted hostname.
1025 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1026 }
1027
TEST_P(ParseNameConstraints,Rfc822NameHostnameInExcluded)1028 TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) {
1029 std::string constraints_der;
1030 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostname.pem",
1031 &constraints_der));
1032 CertErrors errors;
1033 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1034 der::Input(constraints_der), is_critical(), &errors));
1035 ASSERT_TRUE(name_constraints);
1036
1037 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1038 name_constraints->constrained_name_types());
1039
1040 std::string san_der;
1041 std::unique_ptr<GeneralNames> san;
1042
1043 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1044 EXPECT_FALSE(
1045 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1046
1047 ASSERT_TRUE(
1048 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1049 EXPECT_FALSE(
1050 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1051
1052 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1053 &san_der));
1054 EXPECT_FALSE(
1055 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1056
1057 ASSERT_TRUE(
1058 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1059 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1060
1061 ASSERT_TRUE(
1062 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1063 EXPECT_FALSE(
1064 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1065
1066 ASSERT_TRUE(
1067 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1068 EXPECT_FALSE(
1069 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1070
1071 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1072 &san_der));
1073 EXPECT_FALSE(
1074 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1075 }
1076
TEST_P(ParseNameConstraints,Rfc822NameHostnameWithAtInPermitted)1077 TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) {
1078 std::string constraints_der;
1079 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostnamewithat.pem",
1080 &constraints_der));
1081 CertErrors errors;
1082 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1083 der::Input(constraints_der), is_critical(), &errors));
1084 ASSERT_TRUE(name_constraints);
1085
1086 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1087 name_constraints->constrained_name_types());
1088
1089 std::string san_der;
1090 std::unique_ptr<GeneralNames> san;
1091
1092 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1093 &san_der));
1094 EXPECT_FALSE(
1095 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1096
1097 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1098 EXPECT_FALSE(
1099 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1100
1101 ASSERT_TRUE(
1102 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1103 EXPECT_FALSE(
1104 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1105
1106 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1107 &san_der));
1108 EXPECT_FALSE(
1109 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1110
1111 ASSERT_TRUE(
1112 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1113 EXPECT_FALSE(
1114 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1115
1116 ASSERT_TRUE(
1117 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1118 EXPECT_FALSE(
1119 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1120
1121 ASSERT_TRUE(
1122 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1123 EXPECT_FALSE(
1124 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1125 }
1126
TEST_P(ParseNameConstraints,Rfc822NameHostnameWithAtInExcluded)1127 TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) {
1128 std::string constraints_der;
1129 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostnamewithat.pem",
1130 &constraints_der));
1131 CertErrors errors;
1132 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1133 der::Input(constraints_der), is_critical(), &errors));
1134 ASSERT_TRUE(name_constraints);
1135
1136 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1137 name_constraints->constrained_name_types());
1138
1139 std::string san_der;
1140 std::unique_ptr<GeneralNames> san;
1141
1142 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1143 &san_der));
1144 EXPECT_FALSE(
1145 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1146
1147 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1148 EXPECT_FALSE(
1149 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1150
1151 ASSERT_TRUE(
1152 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1153 EXPECT_FALSE(
1154 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1155
1156 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1157 &san_der));
1158 EXPECT_FALSE(
1159 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1160
1161 ASSERT_TRUE(
1162 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1163 EXPECT_FALSE(
1164 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1165
1166 ASSERT_TRUE(
1167 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1168 EXPECT_FALSE(
1169 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1170
1171 ASSERT_TRUE(
1172 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1173 EXPECT_FALSE(
1174 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1175 }
1176
TEST_P(ParseNameConstraints,Rfc822NameSubdomainInPermitted)1177 TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) {
1178 std::string constraints_der;
1179 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-subdomains.pem",
1180 &constraints_der));
1181 CertErrors errors;
1182 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1183 der::Input(constraints_der), is_critical(), &errors));
1184 ASSERT_TRUE(name_constraints);
1185
1186 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1187 name_constraints->constrained_name_types());
1188
1189 std::string san_der;
1190 std::unique_ptr<GeneralNames> san;
1191
1192 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1193 EXPECT_FALSE(
1194 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1195
1196 ASSERT_TRUE(
1197 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1198 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1199
1200 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1201 &san_der));
1202 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1203
1204 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1205 &san_der));
1206 EXPECT_FALSE(
1207 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1208
1209 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1210 &san, &san_der));
1211 EXPECT_FALSE(
1212 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1213 }
1214
TEST_P(ParseNameConstraints,Rfc822NameSubdomainInExcluded)1215 TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) {
1216 std::string constraints_der;
1217 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-subdomains.pem",
1218 &constraints_der));
1219 CertErrors errors;
1220 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1221 der::Input(constraints_der), is_critical(), &errors));
1222 ASSERT_TRUE(name_constraints);
1223
1224 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1225 name_constraints->constrained_name_types());
1226
1227 std::string san_der;
1228 std::unique_ptr<GeneralNames> san;
1229
1230 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1231 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1232
1233 ASSERT_TRUE(
1234 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1235 EXPECT_FALSE(
1236 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1237
1238 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1239 &san_der));
1240 EXPECT_FALSE(
1241 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1242
1243 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1244 &san_der));
1245 EXPECT_FALSE(
1246 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1247
1248 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1249 &san, &san_der));
1250 EXPECT_FALSE(
1251 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1252 }
1253
TEST_P(ParseNameConstraints,Rfc822NameEmptyPermitted)1254 TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) {
1255 std::string constraints_der;
1256 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-empty.pem",
1257 &constraints_der));
1258 CertErrors errors;
1259 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1260 der::Input(constraints_der), is_critical(), &errors));
1261 ASSERT_TRUE(name_constraints);
1262
1263 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1264 name_constraints->constrained_name_types());
1265
1266 std::string san_der;
1267 std::unique_ptr<GeneralNames> san;
1268
1269 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1270 EXPECT_FALSE(
1271 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1272
1273 ASSERT_TRUE(
1274 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1275 EXPECT_FALSE(
1276 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1277 }
1278
TEST_P(ParseNameConstraints,Rfc822NameEmptyExcluded)1279 TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) {
1280 std::string constraints_der;
1281 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-empty.pem",
1282 &constraints_der));
1283 CertErrors errors;
1284 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1285 der::Input(constraints_der), is_critical(), &errors));
1286 ASSERT_TRUE(name_constraints);
1287
1288 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1289 name_constraints->constrained_name_types());
1290
1291 std::string san_der;
1292 std::unique_ptr<GeneralNames> san;
1293
1294 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1295 EXPECT_FALSE(
1296 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1297
1298 ASSERT_TRUE(
1299 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1300 EXPECT_FALSE(
1301 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1302 }
1303
TEST_P(ParseNameConstraints,Rfc822NameIPv4Permitted)1304 TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) {
1305 std::string constraints_der;
1306 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-ipv4.pem",
1307 &constraints_der));
1308 CertErrors errors;
1309 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1310 der::Input(constraints_der), is_critical(), &errors));
1311 ASSERT_TRUE(name_constraints);
1312
1313 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1314 name_constraints->constrained_name_types());
1315
1316 std::string san_der;
1317 std::unique_ptr<GeneralNames> san;
1318
1319 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1320 EXPECT_FALSE(
1321 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1322
1323 ASSERT_TRUE(
1324 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1325 EXPECT_FALSE(
1326 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1327
1328 ASSERT_TRUE(
1329 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1330 EXPECT_FALSE(
1331 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1332 }
1333
TEST_P(ParseNameConstraints,Rfc822NameIPv4Excluded)1334 TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) {
1335 std::string constraints_der;
1336 ASSERT_TRUE(
1337 LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
1338 CertErrors errors;
1339 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1340 der::Input(constraints_der), is_critical(), &errors));
1341 ASSERT_TRUE(name_constraints);
1342
1343 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1344 name_constraints->constrained_name_types());
1345
1346 std::string san_der;
1347 std::unique_ptr<GeneralNames> san;
1348
1349 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1350 EXPECT_FALSE(
1351 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1352
1353 ASSERT_TRUE(
1354 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1355 EXPECT_FALSE(
1356 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1357
1358 ASSERT_TRUE(
1359 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1360 EXPECT_FALSE(
1361 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1362 }
1363
TEST_P(ParseNameConstraints,QuotedRfc822SanWithNoRfc822Constraints)1364 TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) {
1365 // Load an unrelated (non-rfc822) constraint.
1366 std::string constraints_der;
1367 ASSERT_TRUE(
1368 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
1369 CertErrors errors;
1370 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1371 der::Input(constraints_der), is_critical(), &errors));
1372 ASSERT_TRUE(name_constraints);
1373
1374 std::string san_der;
1375 std::unique_ptr<GeneralNames> san;
1376 ASSERT_TRUE(
1377 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1378 // A rfc822 in SAN with quotes should be allowed since we only try to parse
1379 // the name if we are enforcing a constraint against it.
1380 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1381 }
1382
TEST_P(ParseNameConstraints,QuotedRfc822SanMatchesQuotedPermitted)1383 TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) {
1384 std::string constraints_der;
1385 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-quoted.pem",
1386 &constraints_der));
1387 CertErrors errors;
1388 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1389 der::Input(constraints_der), is_critical(), &errors));
1390 ASSERT_TRUE(name_constraints);
1391
1392 std::string san_der;
1393 std::unique_ptr<GeneralNames> san;
1394 ASSERT_TRUE(
1395 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1396 // Both SAN and constraint are `"foo"@example.com`, but we don't support
1397 // quoted address at all.
1398 EXPECT_FALSE(
1399 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1400 }
1401
TEST_P(ParseNameConstraints,UnquotedRfc822SanNotMatchingQuotedExcluded)1402 TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) {
1403 std::string constraints_der;
1404 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-quoted.pem",
1405 &constraints_der));
1406 CertErrors errors;
1407 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1408 der::Input(constraints_der), is_critical(), &errors));
1409 ASSERT_TRUE(name_constraints);
1410
1411 std::string san_der;
1412 std::unique_ptr<GeneralNames> san;
1413 ASSERT_TRUE(
1414 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1415 // The name `[email protected]` should be allowed since it doesn't
1416 // match an exclude of `"foo"@example.com`, but we don't support quoted
1417 // address at all so this is not allowed.
1418 EXPECT_FALSE(
1419 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1420 }
1421
TEST_P(ParseNameConstraints,X400AddresssInPermitted)1422 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
1423 std::string constraints_der;
1424 ASSERT_TRUE(
1425 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
1426 CertErrors errors;
1427 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1428 der::Input(constraints_der), is_critical(), &errors));
1429 ASSERT_TRUE(name_constraints);
1430
1431 if (is_critical()) {
1432 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1433 name_constraints->constrained_name_types());
1434 } else {
1435 EXPECT_EQ(0, name_constraints->constrained_name_types());
1436 }
1437
1438 std::string san_der;
1439 std::unique_ptr<GeneralNames> san;
1440 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1441 EXPECT_EQ(!is_critical(),
1442 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1443 }
1444
TEST_P(ParseNameConstraints,X400AddresssInExcluded)1445 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
1446 std::string constraints_der;
1447 ASSERT_TRUE(
1448 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
1449 CertErrors errors;
1450 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1451 der::Input(constraints_der), is_critical(), &errors));
1452 ASSERT_TRUE(name_constraints);
1453
1454 if (is_critical()) {
1455 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1456 name_constraints->constrained_name_types());
1457 } else {
1458 EXPECT_EQ(0, name_constraints->constrained_name_types());
1459 }
1460
1461 std::string san_der;
1462 std::unique_ptr<GeneralNames> san;
1463 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1464 EXPECT_EQ(!is_critical(),
1465 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1466 }
1467
TEST_P(ParseNameConstraints,EdiPartyNamesInPermitted)1468 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
1469 std::string constraints_der;
1470 ASSERT_TRUE(
1471 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
1472 CertErrors errors;
1473 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1474 der::Input(constraints_der), is_critical(), &errors));
1475 ASSERT_TRUE(name_constraints);
1476
1477 if (is_critical()) {
1478 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1479 name_constraints->constrained_name_types());
1480 } else {
1481 EXPECT_EQ(0, name_constraints->constrained_name_types());
1482 }
1483
1484 std::string san_der;
1485 std::unique_ptr<GeneralNames> san;
1486 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1487 EXPECT_EQ(!is_critical(),
1488 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1489 }
1490
TEST_P(ParseNameConstraints,EdiPartyNamesInExcluded)1491 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
1492 std::string constraints_der;
1493 ASSERT_TRUE(
1494 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
1495 CertErrors errors;
1496 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1497 der::Input(constraints_der), is_critical(), &errors));
1498 ASSERT_TRUE(name_constraints);
1499
1500 if (is_critical()) {
1501 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1502 name_constraints->constrained_name_types());
1503 } else {
1504 EXPECT_EQ(0, name_constraints->constrained_name_types());
1505 }
1506
1507 std::string san_der;
1508 std::unique_ptr<GeneralNames> san;
1509 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1510 EXPECT_EQ(!is_critical(),
1511 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1512 }
1513
TEST_P(ParseNameConstraints,URIsInPermitted)1514 TEST_P(ParseNameConstraints, URIsInPermitted) {
1515 std::string constraints_der;
1516 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
1517 CertErrors errors;
1518 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1519 der::Input(constraints_der), is_critical(), &errors));
1520 ASSERT_TRUE(name_constraints);
1521
1522 if (is_critical()) {
1523 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1524 name_constraints->constrained_name_types());
1525 } else {
1526 EXPECT_EQ(0, name_constraints->constrained_name_types());
1527 }
1528
1529 std::string san_der;
1530 std::unique_ptr<GeneralNames> san;
1531 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1532 EXPECT_EQ(!is_critical(),
1533 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1534 }
1535
TEST_P(ParseNameConstraints,URIsInExcluded)1536 TEST_P(ParseNameConstraints, URIsInExcluded) {
1537 std::string constraints_der;
1538 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
1539 CertErrors errors;
1540 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1541 der::Input(constraints_der), is_critical(), &errors));
1542 ASSERT_TRUE(name_constraints);
1543
1544 if (is_critical()) {
1545 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1546 name_constraints->constrained_name_types());
1547 } else {
1548 EXPECT_EQ(0, name_constraints->constrained_name_types());
1549 }
1550
1551 std::string san_der;
1552 std::unique_ptr<GeneralNames> san;
1553 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1554 EXPECT_EQ(!is_critical(),
1555 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1556 }
1557
TEST_P(ParseNameConstraints,RegisteredIDsInPermitted)1558 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
1559 std::string constraints_der;
1560 ASSERT_TRUE(
1561 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
1562 CertErrors errors;
1563 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1564 der::Input(constraints_der), is_critical(), &errors));
1565 ASSERT_TRUE(name_constraints);
1566
1567 if (is_critical()) {
1568 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1569 name_constraints->constrained_name_types());
1570 } else {
1571 EXPECT_EQ(0, name_constraints->constrained_name_types());
1572 }
1573
1574 std::string san_der;
1575 std::unique_ptr<GeneralNames> san;
1576 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1577 EXPECT_EQ(!is_critical(),
1578 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1579 }
1580
TEST_P(ParseNameConstraints,RegisteredIDsInExcluded)1581 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
1582 std::string constraints_der;
1583 ASSERT_TRUE(
1584 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
1585 CertErrors errors;
1586 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1587 der::Input(constraints_der), is_critical(), &errors));
1588 ASSERT_TRUE(name_constraints);
1589
1590 if (is_critical()) {
1591 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1592 name_constraints->constrained_name_types());
1593 } else {
1594 EXPECT_EQ(0, name_constraints->constrained_name_types());
1595 }
1596
1597 std::string san_der;
1598 std::unique_ptr<GeneralNames> san;
1599 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1600 EXPECT_EQ(!is_critical(),
1601 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1602 }
1603
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily)1604 TEST_P(ParseNameConstraints,
1605 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1606 std::string constraints_der;
1607 ASSERT_TRUE(
1608 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1609 // The value should not be in the DER encoding if it is the default. But this
1610 // could be changed to allowed if there are buggy encoders out there that
1611 // include it anyway.
1612 CertErrors errors;
1613 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1614 is_critical(), &errors));
1615 }
1616
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimum)1617 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1618 std::string constraints_der;
1619 ASSERT_TRUE(
1620 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1621 CertErrors errors;
1622 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1623 is_critical(), &errors));
1624 }
1625
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum)1626 TEST_P(ParseNameConstraints,
1627 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1628 std::string constraints_der;
1629 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1630 &constraints_der));
1631 CertErrors errors;
1632 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1633 is_critical(), &errors));
1634 }
1635
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimumAndMaximum)1636 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1637 std::string constraints_der;
1638 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1639 &constraints_der));
1640 CertErrors errors;
1641 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1642 is_critical(), &errors));
1643 }
1644
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMaximum)1645 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1646 std::string constraints_der;
1647 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1648 CertErrors errors;
1649 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1650 is_critical(), &errors));
1651 }
1652
TEST_P(ParseNameConstraints,FailsOnEmptyExtensionValue)1653 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1654 std::string constraints_der = "";
1655 CertErrors errors;
1656 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1657 is_critical(), &errors));
1658 }
1659
TEST_P(ParseNameConstraints,FailsOnNoPermittedAndExcluded)1660 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1661 std::string constraints_der;
1662 ASSERT_TRUE(
1663 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1664 CertErrors errors;
1665 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1666 is_critical(), &errors));
1667 }
1668
TEST_P(ParseNameConstraints,FailsOnEmptyPermitted)1669 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1670 std::string constraints_der;
1671 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1672 &constraints_der));
1673 CertErrors errors;
1674 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1675 is_critical(), &errors));
1676 }
1677
TEST_P(ParseNameConstraints,FailsOnEmptyExcluded)1678 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1679 std::string constraints_der;
1680 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1681 &constraints_der));
1682 CertErrors errors;
1683 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1684 is_critical(), &errors));
1685 }
1686
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressNoEmailConstraint)1687 TEST_P(ParseNameConstraints,
1688 IsPermittedCertSubjectEmailAddressNoEmailConstraint) {
1689 std::string constraints_der;
1690 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1691 CertErrors errors;
1692 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1693 der::Input(constraints_der), is_critical(), &errors));
1694 ASSERT_TRUE(name_constraints);
1695
1696 std::string name;
1697 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1698 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1699 // allowed regardless.
1700 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1701 SequenceValueFromString(name),
1702 /*subject_alt_names=*/nullptr));
1703
1704 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1705 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1706 // allowed regardless.
1707 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1708 SequenceValueFromString(name),
1709 /*subject_alt_names=*/nullptr));
1710 }
1711
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsOk)1712 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1713 std::string constraints_der;
1714 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
1715 &constraints_der));
1716 CertErrors errors;
1717 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1718 der::Input(constraints_der), is_critical(), &errors));
1719 ASSERT_TRUE(name_constraints);
1720
1721 std::string name;
1722 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1723
1724 // Name constraints contain rfc822Name, and the address matches the
1725 // constraint (which is all addresses on the hostname.)
1726 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1727 SequenceValueFromString(name),
1728 /*subject_alt_names=*/nullptr));
1729
1730 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1731 // The bytes of the name string match, but the string type is VISIBLESTRING
1732 // which is not supported, so this should fail.
1733 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1734 SequenceValueFromString(name),
1735 /*subject_alt_names=*/nullptr));
1736
1737 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1738 // Subject contains multiple rfc822Names, and they all match the constraint
1739 // (which is all addresses on the hostname.)
1740 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1741 SequenceValueFromString(name),
1742 /*subject_alt_names=*/nullptr));
1743 }
1744
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsNotOk)1745 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1746 std::string constraints_der;
1747 ASSERT_TRUE(
1748 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1749 CertErrors errors;
1750 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1751 der::Input(constraints_der), is_critical(), &errors));
1752 ASSERT_TRUE(name_constraints);
1753
1754 std::string name;
1755 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1756
1757 // Name constraints contain rfc822Name, and the address does not match the
1758 // constraint.
1759 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1760 SequenceValueFromString(name),
1761 /*subject_alt_names=*/nullptr));
1762
1763 // Address is a case-insensitive match, but name constraints (permitted) are
1764 // case-sensitive, so this fails.
1765 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1766 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1767 SequenceValueFromString(name),
1768 /*subject_alt_names=*/nullptr));
1769
1770 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1771 // Subject contains multiple rfc822Names, and only the first one matches the
1772 // constraint.
1773 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1774 SequenceValueFromString(name),
1775 /*subject_alt_names=*/nullptr));
1776 }
1777
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressExcluded)1778 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
1779 std::string constraints_der;
1780 ASSERT_TRUE(
1781 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
1782 CertErrors errors;
1783 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1784 der::Input(constraints_der), is_critical(), &errors));
1785 ASSERT_TRUE(name_constraints);
1786
1787 std::string name;
1788 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1789
1790 // Name constraints contain excluded rfc822Name, and the address does not
1791 // match the constraint.
1792 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1793 SequenceValueFromString(name),
1794 /*subject_alt_names=*/nullptr));
1795
1796 // Name constraints for excluded are done case-insensitive in the local part,
1797 // so this is not allowed.
1798 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1799 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1800 SequenceValueFromString(name),
1801 /*subject_alt_names=*/nullptr));
1802
1803 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1804 // Subject contains multiple rfc822Names, and one of them is excluded by the
1805 // constraint.
1806 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1807 SequenceValueFromString(name),
1808 /*subject_alt_names=*/nullptr));
1809 }
1810
1811 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1812 // are not particularly interesting, just verifying that the commonName is
1813 // ignored for dNSName constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectDnsNames)1814 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1815 std::string constraints_der;
1816 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1817 &constraints_der));
1818 CertErrors errors;
1819 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1820 der::Input(constraints_der), is_critical(), &errors));
1821 ASSERT_TRUE(name_constraints);
1822
1823 std::string name_us_az_foocom;
1824 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1825 // The subject is within permitted directoryName constraints, so permitted.
1826 // (The commonName hostname is not within permitted dNSName constraints, so
1827 // this would not be permitted if hostnames in commonName were checked.)
1828 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1829 SequenceValueFromString(name_us_az_foocom),
1830 nullptr /* subject_alt_names */));
1831
1832 std::string name_us_az_permitted;
1833 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem",
1834 &name_us_az_permitted));
1835 // The subject is in permitted directoryName and the commonName is within
1836 // permitted dNSName constraints, so this should be permitted regardless if
1837 // hostnames in commonName are checked or not.
1838 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1839 SequenceValueFromString(name_us_az_permitted),
1840 nullptr /* subject_alt_names */));
1841
1842 std::string name_us_ca_permitted;
1843 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem",
1844 &name_us_ca_permitted));
1845 // The subject is within the excluded C=US,ST=California directoryName, so
1846 // this should not be allowed, regardless of checking the
1847 // permitted.example.com in commonName.
1848 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1849 SequenceValueFromString(name_us_ca_permitted),
1850 nullptr /* subject_alt_names */));
1851 }
1852
1853 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1854 // tests are not particularly interesting, just verifying that the commonName is
1855 // ignored for iPAddress constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectIpAddresses)1856 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1857 std::string constraints_der;
1858 ASSERT_TRUE(LoadTestNameConstraint(
1859 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1860 CertErrors errors;
1861 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1862 der::Input(constraints_der), is_critical(), &errors));
1863 ASSERT_TRUE(name_constraints);
1864
1865 std::string name_us_az_1_1_1_1;
1866 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1867 // The subject is within permitted directoryName constraints, so permitted.
1868 // (The commonName IP address is not within permitted iPAddresses constraints,
1869 // so this would not be permitted if IP addresses in commonName were checked.)
1870 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1871 SequenceValueFromString(name_us_az_1_1_1_1),
1872 nullptr /* subject_alt_names */));
1873
1874 std::string name_us_az_192_168_1_1;
1875 ASSERT_TRUE(
1876 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1877 // The subject is in permitted directoryName and the commonName is within
1878 // permitted iPAddress constraints, so this should be permitted regardless if
1879 // IP addresses in commonName are checked or not.
1880 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1881 SequenceValueFromString(name_us_az_192_168_1_1),
1882 nullptr /* subject_alt_names */));
1883
1884 std::string name_us_ca_192_168_1_1;
1885 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem",
1886 &name_us_ca_192_168_1_1));
1887 // The subject is within the excluded C=US,ST=California directoryName, so
1888 // this should not be allowed, regardless of checking the
1889 // IP address in commonName.
1890 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1891 SequenceValueFromString(name_us_ca_192_168_1_1),
1892 nullptr /* subject_alt_names */));
1893
1894 std::string name_us_az_ipv6;
1895 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1896 // The subject is within permitted directoryName constraints, so permitted.
1897 // (The commonName is an ipv6 address which wasn't supported in the past, but
1898 // since commonName checking is ignored entirely, this is permitted.)
1899 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1900 SequenceValueFromString(name_us_az_ipv6),
1901 nullptr /* subject_alt_names */));
1902 }
1903
1904 } // namespace bssl
1905