1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "name_constraints.h"
6
7 #include <array>
8 #include <memory>
9
10 #include "common_cert_errors.h"
11 #include "test_helpers.h"
12 #include <gtest/gtest.h>
13
14 namespace bssl {
15 namespace {
16
LoadTestData(const char * token,const std::string & basename,std::string * result)17 ::testing::AssertionResult LoadTestData(const char* token,
18 const std::string& basename,
19 std::string* result) {
20 std::string path = "testdata/name_constraints_unittest/" + basename;
21
22 const PemBlockMapping mappings[] = {
23 {token, result},
24 };
25
26 return ReadTestDataFromPemFile(path, mappings);
27 }
28
LoadTestName(const std::string & basename,std::string * result)29 ::testing::AssertionResult LoadTestName(const std::string& basename,
30 std::string* result) {
31 return LoadTestData("NAME", basename, result);
32 }
33
LoadTestNameConstraint(const std::string & basename,std::string * result)34 ::testing::AssertionResult LoadTestNameConstraint(const std::string& basename,
35 std::string* result) {
36 return LoadTestData("NAME CONSTRAINTS", basename, result);
37 }
38
LoadTestSubjectAltNameData(const std::string & basename,std::string * result)39 ::testing::AssertionResult LoadTestSubjectAltNameData(
40 const std::string& basename,
41 std::string* result) {
42 return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
43 }
44
LoadTestSubjectAltName(const std::string & basename,std::unique_ptr<GeneralNames> * result,std::string * result_der)45 ::testing::AssertionResult LoadTestSubjectAltName(
46 const std::string& basename,
47 std::unique_ptr<GeneralNames>* result,
48 std::string* result_der) {
49 ::testing::AssertionResult load_result =
50 LoadTestSubjectAltNameData(basename, result_der);
51 if (!load_result) {
52 return load_result;
53 }
54 CertErrors errors;
55 *result = GeneralNames::Create(der::Input(*result_der), &errors);
56 if (!*result) {
57 return ::testing::AssertionFailure() << "Create failed";
58 }
59 return ::testing::AssertionSuccess();
60 }
61
IsPermittedCert(const NameConstraints * name_constraints,const der::Input & subject_rdn_sequence,const GeneralNames * subject_alt_names)62 ::testing::AssertionResult IsPermittedCert(
63 const NameConstraints* name_constraints,
64 const der::Input& subject_rdn_sequence,
65 const GeneralNames* subject_alt_names) {
66 CertErrors errors;
67 name_constraints->IsPermittedCert(subject_rdn_sequence, subject_alt_names,
68 &errors);
69 if (!errors.ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH))
70 return ::testing::AssertionSuccess();
71 if (!errors.ContainsError(cert_errors::kNotPermittedByNameConstraints))
72 ADD_FAILURE() << "unexpected error " << errors.ToDebugString();
73 return ::testing::AssertionFailure();
74 }
75
IPAddress(uint8_t b0,uint8_t b1,uint8_t b2,uint8_t b3)76 std::array<uint8_t, 4> IPAddress(uint8_t b0,
77 uint8_t b1,
78 uint8_t b2,
79 uint8_t b3) {
80 return {b0, b1, b2, b3};
81 }
IPAddress(uint8_t b0,uint8_t b1,uint8_t b2,uint8_t b3,uint8_t b4,uint8_t b5,uint8_t b6,uint8_t b7,uint8_t b8,uint8_t b9,uint8_t b10,uint8_t b11,uint8_t b12,uint8_t b13,uint8_t b14,uint8_t b15)82 std::array<uint8_t, 16> IPAddress(uint8_t b0,
83 uint8_t b1,
84 uint8_t b2,
85 uint8_t b3,
86 uint8_t b4,
87 uint8_t b5,
88 uint8_t b6,
89 uint8_t b7,
90 uint8_t b8,
91 uint8_t b9,
92 uint8_t b10,
93 uint8_t b11,
94 uint8_t b12,
95 uint8_t b13,
96 uint8_t b14,
97 uint8_t b15) {
98 return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
99 }
100
101 } // namespace
102
103 class ParseNameConstraints
104 : public ::testing::TestWithParam<::testing::tuple<bool>> {
105 public:
is_critical() const106 bool is_critical() const { return ::testing::get<0>(GetParam()); }
107 };
108
109 // Run the tests with the name constraints marked critical and non-critical. For
110 // supported name types, the results should be the same for both.
111 INSTANTIATE_TEST_SUITE_P(InstantiationName,
112 ParseNameConstraints,
113 ::testing::Values(true, false));
114
TEST_P(ParseNameConstraints,DNSNames)115 TEST_P(ParseNameConstraints, DNSNames) {
116 std::string a;
117 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
118
119 CertErrors errors;
120 std::unique_ptr<NameConstraints> name_constraints(
121 NameConstraints::Create(der::Input(a), is_critical(), &errors));
122 ASSERT_TRUE(name_constraints);
123
124 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
125 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
126 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
127 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
128 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
129 EXPECT_TRUE(
130 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
131 EXPECT_FALSE(
132 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
133 EXPECT_FALSE(
134 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
135 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
136 "stillnotpermitted.excluded.permitted.example.com"));
137 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
138 "a.stillnotpermitted.excluded.permitted.example.com"));
139 EXPECT_FALSE(
140 name_constraints->IsPermittedDNSName("extraneousexclusion.example.com"));
141 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
142 "a.extraneousexclusion.example.com"));
143 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.example.com"));
144 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.com"));
145
146 // Wildcard names:
147 // Pattern could match excluded.permitted.example.com, thus should not be
148 // allowed.
149 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.permitted.example.com"));
150 // Entirely within excluded name, obviously not allowed.
151 EXPECT_FALSE(
152 name_constraints->IsPermittedDNSName("*.excluded.permitted.example.com"));
153 // Within permitted.example.com and cannot match any exclusion, thus these are
154 // allowed.
155 EXPECT_TRUE(
156 name_constraints->IsPermittedDNSName("*.foo.permitted.example.com"));
157 EXPECT_TRUE(
158 name_constraints->IsPermittedDNSName("*.alsopermitted.example.com"));
159 // Matches permitted.example2.com, but also matches other .example2.com names
160 // which are not in either permitted or excluded, so not allowed.
161 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.example2.com"));
162 // Partial wildcards are not supported, so these name are permitted even if
163 // it seems like they shouldn't be. It's fine, since certificate verification
164 // won't treat them as wildcard names either.
165 EXPECT_TRUE(
166 name_constraints->IsPermittedDNSName("*xcluded.permitted.example.com"));
167 EXPECT_TRUE(
168 name_constraints->IsPermittedDNSName("exclude*.permitted.example.com"));
169 EXPECT_TRUE(
170 name_constraints->IsPermittedDNSName("excl*ded.permitted.example.com"));
171 // Garbage wildcard data.
172 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*."));
173 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.*"));
174 EXPECT_FALSE(name_constraints->IsPermittedDNSName(".*"));
175 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*"));
176 // Matches SAN with trailing dot.
177 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com"));
178 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
179 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
180 EXPECT_TRUE(
181 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
182
183 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->constrained_name_types());
184
185 std::string san_der;
186 std::unique_ptr<GeneralNames> san;
187 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
188 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
189
190 ASSERT_TRUE(
191 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
192 EXPECT_FALSE(
193 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
194
195 ASSERT_TRUE(
196 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
197 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
198
199 ASSERT_TRUE(
200 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
201 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
202 }
203
TEST_P(ParseNameConstraints,DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted)204 TEST_P(ParseNameConstraints,
205 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
206 std::string a;
207 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
208 CertErrors errors;
209 std::unique_ptr<NameConstraints> name_constraints(
210 NameConstraints::Create(der::Input(a), is_critical(), &errors));
211 ASSERT_TRUE(name_constraints);
212
213 // Matches permitted exactly.
214 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
215 // Contained within permitted and doesn't match excluded (foo.bar.com).
216 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
217 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
218 // Matches excluded exactly.
219 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
220 // Contained within excluded.
221 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
222
223 // Cannot match anything within excluded.
224 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
225 // Wildcard hostnames only match a single label, so cannot match excluded
226 // which has two labels before .com.
227 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
228
229 // Partial match of foo.bar.com.
230 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
231 // All expansions of wildcard are within excluded.
232 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
233 }
234
TEST_P(ParseNameConstraints,DNSNamesPermittedWithLeadingDot)235 TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
236 std::string a;
237 ASSERT_TRUE(
238 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
239 CertErrors errors;
240 std::unique_ptr<NameConstraints> name_constraints(
241 NameConstraints::Create(der::Input(a), is_critical(), &errors));
242 ASSERT_TRUE(name_constraints);
243
244 // A permitted dNSName constraint of ".bar.com" should only match subdomains
245 // of .bar.com, but not bar.com itself.
246 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
247 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
248 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
249 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
250 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
251 }
252
TEST_P(ParseNameConstraints,DNSNamesExcludedWithLeadingDot)253 TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
254 std::string a;
255 ASSERT_TRUE(
256 LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
257 CertErrors errors;
258 std::unique_ptr<NameConstraints> name_constraints(
259 NameConstraints::Create(der::Input(a), is_critical(), &errors));
260 ASSERT_TRUE(name_constraints);
261
262 // An excluded dNSName constraint of ".bar.com" should only match subdomains
263 // of .bar.com, but not bar.com itself.
264 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
265 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
266 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
267 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
268 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
269 }
270
TEST_P(ParseNameConstraints,DNSNamesPermittedTwoDot)271 TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
272 std::string a;
273 ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
274 CertErrors errors;
275 std::unique_ptr<NameConstraints> name_constraints(
276 NameConstraints::Create(der::Input(a), is_critical(), &errors));
277 ASSERT_TRUE(name_constraints);
278
279 // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
280 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
281 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com."));
282 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
283 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.com"));
284 }
285
TEST_P(ParseNameConstraints,DNSNamesExcludeOnly)286 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
287 std::string a;
288 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
289
290 CertErrors errors;
291 std::unique_ptr<NameConstraints> name_constraints(
292 NameConstraints::Create(der::Input(a), is_critical(), &errors));
293 ASSERT_TRUE(name_constraints);
294
295 // Only "excluded.permitted.example.com" is excluded, and since permitted is
296 // empty, any dNSName outside that is allowed.
297 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
298 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
299 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
300 EXPECT_FALSE(
301 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
302 EXPECT_FALSE(
303 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
304 }
305
TEST_P(ParseNameConstraints,DNSNamesExcludeAll)306 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
307 std::string a;
308 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
309
310 CertErrors errors;
311 std::unique_ptr<NameConstraints> name_constraints(
312 NameConstraints::Create(der::Input(a), is_critical(), &errors));
313 ASSERT_TRUE(name_constraints);
314
315 // "permitted.example.com" is in the permitted section, but since "" is
316 // excluded, nothing is permitted.
317 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
318 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
319 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
320 EXPECT_FALSE(
321 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
322 }
323
TEST_P(ParseNameConstraints,DNSNamesExcludeDot)324 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
325 std::string a;
326 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
327
328 CertErrors errors;
329 std::unique_ptr<NameConstraints> name_constraints(
330 NameConstraints::Create(der::Input(a), is_critical(), &errors));
331 ASSERT_TRUE(name_constraints);
332
333 // "." is excluded, which should match nothing.
334 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
335 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
336 EXPECT_TRUE(
337 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
338 }
339
TEST_P(ParseNameConstraints,DNSNamesFailOnInvalidIA5String)340 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
341 std::string a;
342 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
343
344 size_t replace_location = a.find("permitted.example2.com");
345 ASSERT_NE(std::string::npos, replace_location);
346 a.replace(replace_location, 1, 1, -1);
347
348 CertErrors errors;
349 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
350 }
351
TEST_P(ParseNameConstraints,DirectoryNames)352 TEST_P(ParseNameConstraints, DirectoryNames) {
353 std::string constraints_der;
354 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
355
356 std::string name_us;
357 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
358 std::string name_us_ca;
359 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
360 std::string name_us_ca_mountain_view;
361 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
362 &name_us_ca_mountain_view));
363 std::string name_us_az;
364 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
365 std::string name_jp;
366 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
367 std::string name_jp_tokyo;
368 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
369 std::string name_de;
370 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
371 std::string name_ca;
372 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
373
374 CertErrors errors;
375 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
376 der::Input(constraints_der), is_critical(), &errors));
377 ASSERT_TRUE(name_constraints);
378
379 // Not in any permitted subtree.
380 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
381 SequenceValueFromString(name_ca)));
382 // Within the permitted C=US subtree.
383 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
384 SequenceValueFromString(name_us)));
385 // Within the permitted C=US subtree.
386 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
387 SequenceValueFromString(name_us_az)));
388 // Within the permitted C=US subtree, however the excluded C=US,ST=California
389 // subtree takes priority.
390 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
391 SequenceValueFromString(name_us_ca)));
392 // Within the permitted C=US subtree as well as the permitted
393 // C=US,ST=California,L=Mountain View subtree, however the excluded
394 // C=US,ST=California subtree still takes priority.
395 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
396 SequenceValueFromString(name_us_ca_mountain_view)));
397 // Not in any permitted subtree, and also inside the extraneous excluded C=DE
398 // subtree.
399 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
400 SequenceValueFromString(name_de)));
401 // Not in any permitted subtree.
402 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
403 SequenceValueFromString(name_jp)));
404 // Within the permitted C=JP,ST=Tokyo subtree.
405 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
406 SequenceValueFromString(name_jp_tokyo)));
407
408 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
409 name_constraints->constrained_name_types());
410
411 // Within the permitted C=US subtree.
412 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
413 SequenceValueFromString(name_us),
414 nullptr /* subject_alt_names */));
415 // Within the permitted C=US subtree, however the excluded C=US,ST=California
416 // subtree takes priority.
417 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
418 SequenceValueFromString(name_us_ca),
419 nullptr /* subject_alt_names */));
420
421 std::string san_der;
422 std::unique_ptr<GeneralNames> san;
423 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
424 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
425
426 ASSERT_TRUE(
427 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
428 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
429
430 ASSERT_TRUE(
431 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
432 EXPECT_FALSE(
433 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
434
435 ASSERT_TRUE(
436 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
437 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
438 }
439
TEST_P(ParseNameConstraints,DirectoryNamesExcludeOnly)440 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
441 std::string constraints_der;
442 ASSERT_TRUE(
443 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
444 CertErrors errors;
445 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
446 der::Input(constraints_der), is_critical(), &errors));
447 ASSERT_TRUE(name_constraints);
448
449 std::string name_empty;
450 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
451 std::string name_us;
452 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
453 std::string name_us_ca;
454 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
455 std::string name_us_ca_mountain_view;
456 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
457 &name_us_ca_mountain_view));
458
459 // Only "C=US,ST=California" is excluded, and since permitted is empty,
460 // any directoryName outside that is allowed.
461 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
462 SequenceValueFromString(name_empty)));
463 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
464 SequenceValueFromString(name_us)));
465 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
466 SequenceValueFromString(name_us_ca)));
467 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
468 SequenceValueFromString(name_us_ca_mountain_view)));
469 }
470
TEST_P(ParseNameConstraints,DirectoryNamesExcludeAll)471 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
472 std::string constraints_der;
473 ASSERT_TRUE(
474 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
475 CertErrors errors;
476 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
477 der::Input(constraints_der), is_critical(), &errors));
478 ASSERT_TRUE(name_constraints);
479
480 std::string name_empty;
481 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
482 std::string name_us;
483 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
484 std::string name_us_ca;
485 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
486 std::string name_us_ca_mountain_view;
487 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
488 &name_us_ca_mountain_view));
489 std::string name_jp;
490 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
491
492 // "C=US" is in the permitted section, but since an empty
493 // directoryName is excluded, nothing is permitted.
494 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
495 SequenceValueFromString(name_empty)));
496 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
497 SequenceValueFromString(name_us)));
498 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
499 SequenceValueFromString(name_us_ca)));
500 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
501 SequenceValueFromString(name_jp)));
502 }
503
TEST_P(ParseNameConstraints,IPAddresses)504 TEST_P(ParseNameConstraints, IPAddresses) {
505 std::string a;
506 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
507
508 CertErrors errors;
509 std::unique_ptr<NameConstraints> name_constraints(
510 NameConstraints::Create(der::Input(a), is_critical(), &errors));
511 ASSERT_TRUE(name_constraints);
512
513 // IPv4 tests:
514
515 // Not in any permitted range.
516 EXPECT_FALSE(
517 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 169, 0, 1))));
518
519 // Within the permitted 192.168.0.0/255.255.0.0 range.
520 EXPECT_TRUE(
521 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
522
523 // Within the permitted 192.168.0.0/255.255.0.0 range, however the
524 // excluded 192.168.5.0/255.255.255.0 takes priority.
525 EXPECT_FALSE(
526 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
527
528 // Within the permitted 192.168.0.0/255.255.0.0 range as well as the
529 // permitted 192.168.5.32/255.255.255.224 range, however the excluded
530 // 192.168.5.0/255.255.255.0 still takes priority.
531 EXPECT_FALSE(
532 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 33))));
533
534 // Not in any permitted range. (Just outside the
535 // 192.167.5.32/255.255.255.224 range.)
536 EXPECT_FALSE(
537 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 31))));
538
539 // Within the permitted 192.167.5.32/255.255.255.224 range.
540 EXPECT_TRUE(
541 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 32))));
542
543 // Within the permitted 192.167.5.32/255.255.255.224 range.
544 EXPECT_TRUE(
545 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 63))));
546
547 // Not in any permitted range. (Just outside the
548 // 192.167.5.32/255.255.255.224 range.)
549 EXPECT_FALSE(
550 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 64))));
551
552 // Not in any permitted range, and also inside the extraneous excluded
553 // 192.166.5.32/255.255.255.224 range.
554 EXPECT_FALSE(
555 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 166, 5, 32))));
556
557 // IPv6 tests:
558
559 // Not in any permitted range.
560 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
561 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
562
563 // Within the permitted
564 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
565 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
566 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1))));
567
568 // Within the permitted
569 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
570 // the excluded
571 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
572 // priority.
573 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
574 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1))));
575
576 // Within the permitted
577 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
578 // as the permitted
579 // 102:304:506:708:90a:b0c:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0,
580 // however the excluded
581 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
582 // priority.
583 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
584 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1))));
585
586 // Not in any permitted range. (Just outside the
587 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
588 // range.)
589 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
590 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255))));
591
592 // Within the permitted
593 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
594 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
595 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0))));
596
597 // Within the permitted
598 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
599 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
600 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255))));
601
602 // Not in any permitted range. (Just outside the
603 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
604 // range.)
605 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
606 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0))));
607
608 // Not in any permitted range, and also inside the extraneous excluded
609 // 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
610 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
611 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1))));
612
613 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
614 name_constraints->constrained_name_types());
615
616 std::string san_der;
617 std::unique_ptr<GeneralNames> san;
618 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
619 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
620
621 ASSERT_TRUE(
622 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
623 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
624
625 ASSERT_TRUE(
626 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
627 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
628
629 ASSERT_TRUE(
630 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
631 EXPECT_FALSE(
632 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
633 }
634
TEST_P(ParseNameConstraints,IPAddressesExcludeOnly)635 TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
636 std::string a;
637 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
638
639 CertErrors errors;
640 std::unique_ptr<NameConstraints> name_constraints(
641 NameConstraints::Create(der::Input(a), is_critical(), &errors));
642 ASSERT_TRUE(name_constraints);
643
644 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
645 // any iPAddress outside that is allowed.
646 EXPECT_TRUE(
647 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
648 EXPECT_FALSE(
649 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
650 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
651 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
652 }
653
TEST_P(ParseNameConstraints,IPAddressesExcludeAll)654 TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
655 std::string a;
656 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
657
658 CertErrors errors;
659 std::unique_ptr<NameConstraints> name_constraints(
660 NameConstraints::Create(der::Input(a), is_critical(), &errors));
661 ASSERT_TRUE(name_constraints);
662
663 // 192.168.0.0/255.255.0.0 and
664 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
665 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
666 EXPECT_FALSE(
667 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
668 EXPECT_FALSE(
669 name_constraints->IsPermittedIP(der::Input(IPAddress(1, 1, 1, 1))));
670 EXPECT_FALSE(name_constraints->IsPermittedIP(
671 der::Input(IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))));
672 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
673 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
674 }
675
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitSingleHost)676 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
677 std::string a;
678 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
679
680 CertErrors errors;
681 std::unique_ptr<NameConstraints> name_constraints(
682 NameConstraints::Create(der::Input(a), is_critical(), &errors));
683 ASSERT_TRUE(name_constraints);
684
685 EXPECT_FALSE(
686 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
687 EXPECT_FALSE(
688 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
689 EXPECT_FALSE(
690 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
691 EXPECT_TRUE(
692 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
693 EXPECT_FALSE(
694 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
695 EXPECT_FALSE(name_constraints->IsPermittedIP(
696 der::Input(IPAddress(255, 255, 255, 255))));
697 }
698
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitPrefixLen31)699 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
700 std::string a;
701 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
702
703 CertErrors errors;
704 std::unique_ptr<NameConstraints> name_constraints(
705 NameConstraints::Create(der::Input(a), is_critical(), &errors));
706 ASSERT_TRUE(name_constraints);
707
708 EXPECT_FALSE(
709 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
710 EXPECT_FALSE(
711 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
712 EXPECT_TRUE(
713 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
714 EXPECT_TRUE(
715 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
716 EXPECT_FALSE(
717 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
718 EXPECT_FALSE(
719 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 5))));
720 EXPECT_FALSE(name_constraints->IsPermittedIP(
721 der::Input(IPAddress(255, 255, 255, 255))));
722 }
723
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitPrefixLen1)724 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
725 std::string a;
726 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
727
728 CertErrors errors;
729 std::unique_ptr<NameConstraints> name_constraints(
730 NameConstraints::Create(der::Input(a), is_critical(), &errors));
731 ASSERT_TRUE(name_constraints);
732
733 EXPECT_FALSE(
734 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
735 EXPECT_FALSE(name_constraints->IsPermittedIP(
736 der::Input(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))));
737 EXPECT_TRUE(
738 name_constraints->IsPermittedIP(der::Input(IPAddress(0x80, 0, 0, 0))));
739 EXPECT_TRUE(name_constraints->IsPermittedIP(
740 der::Input(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))));
741 }
742
TEST_P(ParseNameConstraints,IPAddressesNetmaskPermitAll)743 TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
744 std::string a;
745 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
746
747 CertErrors errors;
748 std::unique_ptr<NameConstraints> name_constraints(
749 NameConstraints::Create(der::Input(a), is_critical(), &errors));
750 ASSERT_TRUE(name_constraints);
751
752 EXPECT_TRUE(
753 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
754 EXPECT_TRUE(
755 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
756 EXPECT_TRUE(name_constraints->IsPermittedIP(
757 der::Input(IPAddress(255, 255, 255, 255))));
758 }
759
TEST_P(ParseNameConstraints,IPAddressesFailOnInvalidAddr)760 TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
761 std::string a;
762 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
763
764 CertErrors errors;
765 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
766 }
767
TEST_P(ParseNameConstraints,IPAddressesFailOnInvalidMaskNotContiguous)768 TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
769 std::string a;
770 ASSERT_TRUE(LoadTestNameConstraint(
771 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
772 CertErrors errors;
773 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
774
775 ASSERT_TRUE(LoadTestNameConstraint(
776 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
777 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
778
779 ASSERT_TRUE(LoadTestNameConstraint(
780 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
781 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
782
783 ASSERT_TRUE(LoadTestNameConstraint(
784 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
785 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
786 }
787
788 // Test that v4/v6 mapping is not applied when evaluating name constraints.
TEST_P(ParseNameConstraints,IPAddressesMapped)789 TEST_P(ParseNameConstraints, IPAddressesMapped) {
790 std::string a;
791 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
792
793 CertErrors errors;
794 std::unique_ptr<NameConstraints> name_constraints(
795 NameConstraints::Create(der::Input(a), is_critical(), &errors));
796 ASSERT_TRUE(name_constraints);
797
798 // 192.168.1.0/24 is a permitted subtree.
799 EXPECT_TRUE(
800 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 0))));
801 // This does not cover ::ffff:192.168.1.0.
802 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
803 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))));
804 // 192.168.1.1 is excluded.
805 EXPECT_FALSE(
806 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
807 // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
808 EXPECT_TRUE(
809 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
810
811 // ::ffff:192.168.2.0/120 is a permitted subtree.
812 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
813 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))));
814 // This does not cover 192.168.2.0.
815 EXPECT_FALSE(
816 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 2, 0))));
817 // ::ffff:192.168.2.1 is excluded.
818 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
819 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))));
820 // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
821 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
822 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))));
823 }
824
TEST_P(ParseNameConstraints,OtherNamesInPermitted)825 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
826 std::string constraints_der;
827 ASSERT_TRUE(
828 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
829 CertErrors errors;
830 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
831 der::Input(constraints_der), is_critical(), &errors));
832 ASSERT_TRUE(name_constraints);
833
834 if (is_critical()) {
835 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
836 name_constraints->constrained_name_types());
837 } else {
838 EXPECT_EQ(0, name_constraints->constrained_name_types());
839 }
840
841 std::string san_der;
842 std::unique_ptr<GeneralNames> san;
843 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
844 EXPECT_EQ(!is_critical(),
845 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
846 }
847
TEST_P(ParseNameConstraints,OtherNamesInExcluded)848 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
849 std::string constraints_der;
850 ASSERT_TRUE(
851 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
852 CertErrors errors;
853 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
854 der::Input(constraints_der), is_critical(), &errors));
855 ASSERT_TRUE(name_constraints);
856
857 if (is_critical()) {
858 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
859 name_constraints->constrained_name_types());
860 } else {
861 EXPECT_EQ(0, name_constraints->constrained_name_types());
862 }
863
864 std::string san_der;
865 std::unique_ptr<GeneralNames> san;
866 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
867 EXPECT_EQ(!is_critical(),
868 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
869 }
870
TEST_P(ParseNameConstraints,Rfc822NamesInPermitted)871 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
872 std::string constraints_der;
873 ASSERT_TRUE(
874 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
875 CertErrors errors;
876 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
877 der::Input(constraints_der), is_critical(), &errors));
878 ASSERT_TRUE(name_constraints);
879
880 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
881 name_constraints->constrained_name_types());
882
883 std::string san_der;
884 std::unique_ptr<GeneralNames> san;
885
886 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
887 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
888
889 ASSERT_TRUE(
890 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
891 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
892
893 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
894 &san_der));
895 EXPECT_FALSE(
896 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
897
898 ASSERT_TRUE(
899 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
900 EXPECT_FALSE(
901 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
902
903 ASSERT_TRUE(
904 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
905 EXPECT_FALSE(
906 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
907
908 ASSERT_TRUE(
909 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
910 EXPECT_FALSE(
911 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
912
913 ASSERT_TRUE(
914 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
915 // `"foo"@example.com` and `foo@example.com` are the same address, but we
916 // don't support quoted address at all.
917 EXPECT_FALSE(
918 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
919
920 ASSERT_TRUE(
921 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
922 EXPECT_FALSE(
923 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
924
925 ASSERT_TRUE(
926 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
927 // SAN contains multiple email addresses, only the first matches the
928 // permitted constraint.
929 EXPECT_FALSE(
930 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
931 }
932
TEST_P(ParseNameConstraints,Rfc822NamesInExcluded)933 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
934 std::string constraints_der;
935 ASSERT_TRUE(
936 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
937 CertErrors errors;
938 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
939 der::Input(constraints_der), is_critical(), &errors));
940 ASSERT_TRUE(name_constraints);
941
942 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
943 name_constraints->constrained_name_types());
944
945 std::string san_der;
946 std::unique_ptr<GeneralNames> san;
947
948 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
949 EXPECT_FALSE(
950 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
951
952 ASSERT_TRUE(
953 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
954 EXPECT_FALSE(
955 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
956
957 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
958 &san_der));
959 // Excluded names are matched case-sensitive in the local-part for addresses
960 // from subjectAlternativeName, so this is allowed.
961 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
962
963 ASSERT_TRUE(
964 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
965 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
966
967 ASSERT_TRUE(
968 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
969 EXPECT_FALSE(
970 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
971
972 ASSERT_TRUE(
973 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
974 EXPECT_FALSE(
975 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
976
977 ASSERT_TRUE(
978 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
979 EXPECT_FALSE(
980 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
981 }
982
TEST_P(ParseNameConstraints,Rfc822NameHostnameInPermitted)983 TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) {
984 std::string constraints_der;
985 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
986 &constraints_der));
987 CertErrors errors;
988 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
989 der::Input(constraints_der), is_critical(), &errors));
990 ASSERT_TRUE(name_constraints);
991
992 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
993 name_constraints->constrained_name_types());
994
995 std::string san_der;
996 std::unique_ptr<GeneralNames> san;
997
998 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
999 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1000
1001 ASSERT_TRUE(
1002 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1003 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1004
1005 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1006 &san_der));
1007 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1008
1009 ASSERT_TRUE(
1010 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1011 EXPECT_FALSE(
1012 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1013
1014 ASSERT_TRUE(
1015 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1016 EXPECT_FALSE(
1017 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1018
1019 ASSERT_TRUE(
1020 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1021 EXPECT_FALSE(
1022 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1023
1024 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1025 &san_der));
1026 EXPECT_FALSE(
1027 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1028
1029 ASSERT_TRUE(
1030 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1031 // `"foo"@example.com` would match `example.com` hostname, but we don't
1032 // support quoted address at all.
1033 EXPECT_FALSE(
1034 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1035
1036 ASSERT_TRUE(
1037 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
1038 // SAN contains multiple email addresses, all match the permitted hostname.
1039 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1040 }
1041
TEST_P(ParseNameConstraints,Rfc822NameHostnameInExcluded)1042 TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) {
1043 std::string constraints_der;
1044 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostname.pem",
1045 &constraints_der));
1046 CertErrors errors;
1047 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1048 der::Input(constraints_der), is_critical(), &errors));
1049 ASSERT_TRUE(name_constraints);
1050
1051 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1052 name_constraints->constrained_name_types());
1053
1054 std::string san_der;
1055 std::unique_ptr<GeneralNames> san;
1056
1057 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1058 EXPECT_FALSE(
1059 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1060
1061 ASSERT_TRUE(
1062 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1063 EXPECT_FALSE(
1064 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1065
1066 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1067 &san_der));
1068 EXPECT_FALSE(
1069 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1070
1071 ASSERT_TRUE(
1072 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1073 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1074
1075 ASSERT_TRUE(
1076 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1077 EXPECT_FALSE(
1078 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1079
1080 ASSERT_TRUE(
1081 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1082 EXPECT_FALSE(
1083 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1084
1085 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1086 &san_der));
1087 EXPECT_FALSE(
1088 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1089 }
1090
TEST_P(ParseNameConstraints,Rfc822NameHostnameWithAtInPermitted)1091 TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) {
1092 std::string constraints_der;
1093 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostnamewithat.pem",
1094 &constraints_der));
1095 CertErrors errors;
1096 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1097 der::Input(constraints_der), is_critical(), &errors));
1098 ASSERT_TRUE(name_constraints);
1099
1100 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1101 name_constraints->constrained_name_types());
1102
1103 std::string san_der;
1104 std::unique_ptr<GeneralNames> san;
1105
1106 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1107 &san_der));
1108 EXPECT_FALSE(
1109 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1110
1111 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1112 EXPECT_FALSE(
1113 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1114
1115 ASSERT_TRUE(
1116 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1117 EXPECT_FALSE(
1118 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1119
1120 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1121 &san_der));
1122 EXPECT_FALSE(
1123 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1124
1125 ASSERT_TRUE(
1126 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1127 EXPECT_FALSE(
1128 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1129
1130 ASSERT_TRUE(
1131 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1132 EXPECT_FALSE(
1133 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1134
1135 ASSERT_TRUE(
1136 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1137 EXPECT_FALSE(
1138 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1139 }
1140
TEST_P(ParseNameConstraints,Rfc822NameHostnameWithAtInExcluded)1141 TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) {
1142 std::string constraints_der;
1143 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostnamewithat.pem",
1144 &constraints_der));
1145 CertErrors errors;
1146 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1147 der::Input(constraints_der), is_critical(), &errors));
1148 ASSERT_TRUE(name_constraints);
1149
1150 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1151 name_constraints->constrained_name_types());
1152
1153 std::string san_der;
1154 std::unique_ptr<GeneralNames> san;
1155
1156 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1157 &san_der));
1158 EXPECT_FALSE(
1159 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1160
1161 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1162 EXPECT_FALSE(
1163 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1164
1165 ASSERT_TRUE(
1166 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1167 EXPECT_FALSE(
1168 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1169
1170 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1171 &san_der));
1172 EXPECT_FALSE(
1173 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1174
1175 ASSERT_TRUE(
1176 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1177 EXPECT_FALSE(
1178 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1179
1180 ASSERT_TRUE(
1181 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1182 EXPECT_FALSE(
1183 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1184
1185 ASSERT_TRUE(
1186 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1187 EXPECT_FALSE(
1188 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1189 }
1190
TEST_P(ParseNameConstraints,Rfc822NameSubdomainInPermitted)1191 TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) {
1192 std::string constraints_der;
1193 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-subdomains.pem",
1194 &constraints_der));
1195 CertErrors errors;
1196 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1197 der::Input(constraints_der), is_critical(), &errors));
1198 ASSERT_TRUE(name_constraints);
1199
1200 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1201 name_constraints->constrained_name_types());
1202
1203 std::string san_der;
1204 std::unique_ptr<GeneralNames> san;
1205
1206 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1207 EXPECT_FALSE(
1208 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1209
1210 ASSERT_TRUE(
1211 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1212 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1213
1214 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1215 &san_der));
1216 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1217
1218 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1219 &san_der));
1220 EXPECT_FALSE(
1221 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1222
1223 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1224 &san, &san_der));
1225 EXPECT_FALSE(
1226 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1227 }
1228
TEST_P(ParseNameConstraints,Rfc822NameSubdomainInExcluded)1229 TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) {
1230 std::string constraints_der;
1231 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-subdomains.pem",
1232 &constraints_der));
1233 CertErrors errors;
1234 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1235 der::Input(constraints_der), is_critical(), &errors));
1236 ASSERT_TRUE(name_constraints);
1237
1238 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1239 name_constraints->constrained_name_types());
1240
1241 std::string san_der;
1242 std::unique_ptr<GeneralNames> san;
1243
1244 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1245 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1246
1247 ASSERT_TRUE(
1248 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1249 EXPECT_FALSE(
1250 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1251
1252 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1253 &san_der));
1254 EXPECT_FALSE(
1255 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1256
1257 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1258 &san_der));
1259 EXPECT_FALSE(
1260 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1261
1262 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1263 &san, &san_der));
1264 EXPECT_FALSE(
1265 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1266 }
1267
TEST_P(ParseNameConstraints,Rfc822NameEmptyPermitted)1268 TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) {
1269 std::string constraints_der;
1270 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-empty.pem",
1271 &constraints_der));
1272 CertErrors errors;
1273 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1274 der::Input(constraints_der), is_critical(), &errors));
1275 ASSERT_TRUE(name_constraints);
1276
1277 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1278 name_constraints->constrained_name_types());
1279
1280 std::string san_der;
1281 std::unique_ptr<GeneralNames> san;
1282
1283 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1284 EXPECT_FALSE(
1285 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1286
1287 ASSERT_TRUE(
1288 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1289 EXPECT_FALSE(
1290 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1291 }
1292
TEST_P(ParseNameConstraints,Rfc822NameEmptyExcluded)1293 TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) {
1294 std::string constraints_der;
1295 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-empty.pem",
1296 &constraints_der));
1297 CertErrors errors;
1298 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1299 der::Input(constraints_der), is_critical(), &errors));
1300 ASSERT_TRUE(name_constraints);
1301
1302 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1303 name_constraints->constrained_name_types());
1304
1305 std::string san_der;
1306 std::unique_ptr<GeneralNames> san;
1307
1308 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1309 EXPECT_FALSE(
1310 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1311
1312 ASSERT_TRUE(
1313 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1314 EXPECT_FALSE(
1315 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1316 }
1317
TEST_P(ParseNameConstraints,Rfc822NameIPv4Permitted)1318 TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) {
1319 std::string constraints_der;
1320 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-ipv4.pem",
1321 &constraints_der));
1322 CertErrors errors;
1323 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1324 der::Input(constraints_der), is_critical(), &errors));
1325 ASSERT_TRUE(name_constraints);
1326
1327 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1328 name_constraints->constrained_name_types());
1329
1330 std::string san_der;
1331 std::unique_ptr<GeneralNames> san;
1332
1333 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1334 EXPECT_FALSE(
1335 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1336
1337 ASSERT_TRUE(
1338 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1339 EXPECT_FALSE(
1340 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1341
1342 ASSERT_TRUE(
1343 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1344 EXPECT_FALSE(
1345 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1346 }
1347
TEST_P(ParseNameConstraints,Rfc822NameIPv4Excluded)1348 TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) {
1349 std::string constraints_der;
1350 ASSERT_TRUE(
1351 LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
1352 CertErrors errors;
1353 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1354 der::Input(constraints_der), is_critical(), &errors));
1355 ASSERT_TRUE(name_constraints);
1356
1357 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1358 name_constraints->constrained_name_types());
1359
1360 std::string san_der;
1361 std::unique_ptr<GeneralNames> san;
1362
1363 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1364 EXPECT_FALSE(
1365 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1366
1367 ASSERT_TRUE(
1368 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1369 EXPECT_FALSE(
1370 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1371
1372 ASSERT_TRUE(
1373 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1374 EXPECT_FALSE(
1375 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1376 }
1377
TEST_P(ParseNameConstraints,QuotedRfc822SanWithNoRfc822Constraints)1378 TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) {
1379 // Load an unrelated (non-rfc822) constraint.
1380 std::string constraints_der;
1381 ASSERT_TRUE(
1382 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
1383 CertErrors errors;
1384 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1385 der::Input(constraints_der), is_critical(), &errors));
1386 ASSERT_TRUE(name_constraints);
1387
1388 std::string san_der;
1389 std::unique_ptr<GeneralNames> san;
1390 ASSERT_TRUE(
1391 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1392 // A rfc822 in SAN with quotes should be allowed since we only try to parse
1393 // the name if we are enforcing a constraint against it.
1394 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1395 }
1396
TEST_P(ParseNameConstraints,QuotedRfc822SanMatchesQuotedPermitted)1397 TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) {
1398 std::string constraints_der;
1399 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-quoted.pem",
1400 &constraints_der));
1401 CertErrors errors;
1402 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1403 der::Input(constraints_der), is_critical(), &errors));
1404 ASSERT_TRUE(name_constraints);
1405
1406 std::string san_der;
1407 std::unique_ptr<GeneralNames> san;
1408 ASSERT_TRUE(
1409 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1410 // Both SAN and constraint are `"foo"@example.com`, but we don't support
1411 // quoted address at all.
1412 EXPECT_FALSE(
1413 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1414 }
1415
TEST_P(ParseNameConstraints,UnquotedRfc822SanNotMatchingQuotedExcluded)1416 TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) {
1417 std::string constraints_der;
1418 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-quoted.pem",
1419 &constraints_der));
1420 CertErrors errors;
1421 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1422 der::Input(constraints_der), is_critical(), &errors));
1423 ASSERT_TRUE(name_constraints);
1424
1425 std::string san_der;
1426 std::unique_ptr<GeneralNames> san;
1427 ASSERT_TRUE(
1428 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1429 // The name `foo@subdomain.example.com` should be allowed since it doesn't
1430 // match an exclude of `"foo"@example.com`, but we don't support quoted
1431 // address at all so this is not allowed.
1432 EXPECT_FALSE(
1433 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1434 }
1435
TEST_P(ParseNameConstraints,X400AddresssInPermitted)1436 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
1437 std::string constraints_der;
1438 ASSERT_TRUE(
1439 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
1440 CertErrors errors;
1441 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1442 der::Input(constraints_der), is_critical(), &errors));
1443 ASSERT_TRUE(name_constraints);
1444
1445 if (is_critical()) {
1446 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1447 name_constraints->constrained_name_types());
1448 } else {
1449 EXPECT_EQ(0, name_constraints->constrained_name_types());
1450 }
1451
1452 std::string san_der;
1453 std::unique_ptr<GeneralNames> san;
1454 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1455 EXPECT_EQ(!is_critical(),
1456 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1457 }
1458
TEST_P(ParseNameConstraints,X400AddresssInExcluded)1459 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
1460 std::string constraints_der;
1461 ASSERT_TRUE(
1462 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
1463 CertErrors errors;
1464 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1465 der::Input(constraints_der), is_critical(), &errors));
1466 ASSERT_TRUE(name_constraints);
1467
1468 if (is_critical()) {
1469 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1470 name_constraints->constrained_name_types());
1471 } else {
1472 EXPECT_EQ(0, name_constraints->constrained_name_types());
1473 }
1474
1475 std::string san_der;
1476 std::unique_ptr<GeneralNames> san;
1477 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1478 EXPECT_EQ(!is_critical(),
1479 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1480 }
1481
TEST_P(ParseNameConstraints,EdiPartyNamesInPermitted)1482 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
1483 std::string constraints_der;
1484 ASSERT_TRUE(
1485 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
1486 CertErrors errors;
1487 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1488 der::Input(constraints_der), is_critical(), &errors));
1489 ASSERT_TRUE(name_constraints);
1490
1491 if (is_critical()) {
1492 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1493 name_constraints->constrained_name_types());
1494 } else {
1495 EXPECT_EQ(0, name_constraints->constrained_name_types());
1496 }
1497
1498 std::string san_der;
1499 std::unique_ptr<GeneralNames> san;
1500 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1501 EXPECT_EQ(!is_critical(),
1502 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1503 }
1504
TEST_P(ParseNameConstraints,EdiPartyNamesInExcluded)1505 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
1506 std::string constraints_der;
1507 ASSERT_TRUE(
1508 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
1509 CertErrors errors;
1510 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1511 der::Input(constraints_der), is_critical(), &errors));
1512 ASSERT_TRUE(name_constraints);
1513
1514 if (is_critical()) {
1515 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1516 name_constraints->constrained_name_types());
1517 } else {
1518 EXPECT_EQ(0, name_constraints->constrained_name_types());
1519 }
1520
1521 std::string san_der;
1522 std::unique_ptr<GeneralNames> san;
1523 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1524 EXPECT_EQ(!is_critical(),
1525 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1526 }
1527
TEST_P(ParseNameConstraints,URIsInPermitted)1528 TEST_P(ParseNameConstraints, URIsInPermitted) {
1529 std::string constraints_der;
1530 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
1531 CertErrors errors;
1532 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1533 der::Input(constraints_der), is_critical(), &errors));
1534 ASSERT_TRUE(name_constraints);
1535
1536 if (is_critical()) {
1537 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1538 name_constraints->constrained_name_types());
1539 } else {
1540 EXPECT_EQ(0, name_constraints->constrained_name_types());
1541 }
1542
1543 std::string san_der;
1544 std::unique_ptr<GeneralNames> san;
1545 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1546 EXPECT_EQ(!is_critical(),
1547 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1548 }
1549
TEST_P(ParseNameConstraints,URIsInExcluded)1550 TEST_P(ParseNameConstraints, URIsInExcluded) {
1551 std::string constraints_der;
1552 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
1553 CertErrors errors;
1554 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1555 der::Input(constraints_der), is_critical(), &errors));
1556 ASSERT_TRUE(name_constraints);
1557
1558 if (is_critical()) {
1559 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1560 name_constraints->constrained_name_types());
1561 } else {
1562 EXPECT_EQ(0, name_constraints->constrained_name_types());
1563 }
1564
1565 std::string san_der;
1566 std::unique_ptr<GeneralNames> san;
1567 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1568 EXPECT_EQ(!is_critical(),
1569 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1570 }
1571
TEST_P(ParseNameConstraints,RegisteredIDsInPermitted)1572 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
1573 std::string constraints_der;
1574 ASSERT_TRUE(
1575 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
1576 CertErrors errors;
1577 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1578 der::Input(constraints_der), is_critical(), &errors));
1579 ASSERT_TRUE(name_constraints);
1580
1581 if (is_critical()) {
1582 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1583 name_constraints->constrained_name_types());
1584 } else {
1585 EXPECT_EQ(0, name_constraints->constrained_name_types());
1586 }
1587
1588 std::string san_der;
1589 std::unique_ptr<GeneralNames> san;
1590 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1591 EXPECT_EQ(!is_critical(),
1592 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1593 }
1594
TEST_P(ParseNameConstraints,RegisteredIDsInExcluded)1595 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
1596 std::string constraints_der;
1597 ASSERT_TRUE(
1598 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
1599 CertErrors errors;
1600 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1601 der::Input(constraints_der), is_critical(), &errors));
1602 ASSERT_TRUE(name_constraints);
1603
1604 if (is_critical()) {
1605 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1606 name_constraints->constrained_name_types());
1607 } else {
1608 EXPECT_EQ(0, name_constraints->constrained_name_types());
1609 }
1610
1611 std::string san_der;
1612 std::unique_ptr<GeneralNames> san;
1613 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1614 EXPECT_EQ(!is_critical(),
1615 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1616 }
1617
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily)1618 TEST_P(ParseNameConstraints,
1619 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1620 std::string constraints_der;
1621 ASSERT_TRUE(
1622 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1623 // The value should not be in the DER encoding if it is the default. But this
1624 // could be changed to allowed if there are buggy encoders out there that
1625 // include it anyway.
1626 CertErrors errors;
1627 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1628 is_critical(), &errors));
1629 }
1630
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimum)1631 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1632 std::string constraints_der;
1633 ASSERT_TRUE(
1634 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1635 CertErrors errors;
1636 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1637 is_critical(), &errors));
1638 }
1639
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum)1640 TEST_P(ParseNameConstraints,
1641 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1642 std::string constraints_der;
1643 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1644 &constraints_der));
1645 CertErrors errors;
1646 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1647 is_critical(), &errors));
1648 }
1649
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimumAndMaximum)1650 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1651 std::string constraints_der;
1652 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1653 &constraints_der));
1654 CertErrors errors;
1655 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1656 is_critical(), &errors));
1657 }
1658
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMaximum)1659 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1660 std::string constraints_der;
1661 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1662 CertErrors errors;
1663 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1664 is_critical(), &errors));
1665 }
1666
TEST_P(ParseNameConstraints,FailsOnEmptyExtensionValue)1667 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1668 std::string constraints_der = "";
1669 CertErrors errors;
1670 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1671 is_critical(), &errors));
1672 }
1673
TEST_P(ParseNameConstraints,FailsOnNoPermittedAndExcluded)1674 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1675 std::string constraints_der;
1676 ASSERT_TRUE(
1677 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1678 CertErrors errors;
1679 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1680 is_critical(), &errors));
1681 }
1682
TEST_P(ParseNameConstraints,FailsOnEmptyPermitted)1683 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1684 std::string constraints_der;
1685 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1686 &constraints_der));
1687 CertErrors errors;
1688 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1689 is_critical(), &errors));
1690 }
1691
TEST_P(ParseNameConstraints,FailsOnEmptyExcluded)1692 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1693 std::string constraints_der;
1694 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1695 &constraints_der));
1696 CertErrors errors;
1697 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
1698 is_critical(), &errors));
1699 }
1700
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressNoEmailConstraint)1701 TEST_P(ParseNameConstraints,
1702 IsPermittedCertSubjectEmailAddressNoEmailConstraint) {
1703 std::string constraints_der;
1704 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1705 CertErrors errors;
1706 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1707 der::Input(constraints_der), is_critical(), &errors));
1708 ASSERT_TRUE(name_constraints);
1709
1710 std::string name;
1711 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1712 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1713 // allowed regardless.
1714 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1715 SequenceValueFromString(name),
1716 /*subject_alt_names=*/nullptr));
1717
1718 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1719 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1720 // allowed regardless.
1721 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1722 SequenceValueFromString(name),
1723 /*subject_alt_names=*/nullptr));
1724 }
1725
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsOk)1726 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1727 std::string constraints_der;
1728 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
1729 &constraints_der));
1730 CertErrors errors;
1731 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1732 der::Input(constraints_der), is_critical(), &errors));
1733 ASSERT_TRUE(name_constraints);
1734
1735 std::string name;
1736 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1737
1738 // Name constraints contain rfc822Name, and the address matches the
1739 // constraint (which is all addresses on the hostname.)
1740 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1741 SequenceValueFromString(name),
1742 /*subject_alt_names=*/nullptr));
1743
1744 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1745 // The bytes of the name string match, but the string type is VISIBLESTRING
1746 // which is not supported, so this should fail.
1747 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1748 SequenceValueFromString(name),
1749 /*subject_alt_names=*/nullptr));
1750
1751 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1752 // Subject contains multiple rfc822Names, and they all match the constraint
1753 // (which is all addresses on the hostname.)
1754 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1755 SequenceValueFromString(name),
1756 /*subject_alt_names=*/nullptr));
1757 }
1758
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsNotOk)1759 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1760 std::string constraints_der;
1761 ASSERT_TRUE(
1762 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1763 CertErrors errors;
1764 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1765 der::Input(constraints_der), is_critical(), &errors));
1766 ASSERT_TRUE(name_constraints);
1767
1768 std::string name;
1769 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1770
1771 // Name constraints contain rfc822Name, and the address does not match the
1772 // constraint.
1773 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1774 SequenceValueFromString(name),
1775 /*subject_alt_names=*/nullptr));
1776
1777 // Address is a case-insensitive match, but name constraints (permitted) are
1778 // case-sensitive, so this fails.
1779 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1780 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1781 SequenceValueFromString(name),
1782 /*subject_alt_names=*/nullptr));
1783
1784 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1785 // Subject contains multiple rfc822Names, and only the first one matches the
1786 // constraint.
1787 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1788 SequenceValueFromString(name),
1789 /*subject_alt_names=*/nullptr));
1790 }
1791
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressExcluded)1792 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
1793 std::string constraints_der;
1794 ASSERT_TRUE(
1795 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
1796 CertErrors errors;
1797 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1798 der::Input(constraints_der), is_critical(), &errors));
1799 ASSERT_TRUE(name_constraints);
1800
1801 std::string name;
1802 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1803
1804 // Name constraints contain excluded rfc822Name, and the address does not
1805 // match the constraint.
1806 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1807 SequenceValueFromString(name),
1808 /*subject_alt_names=*/nullptr));
1809
1810 // Name constraints for excluded are done case-insensitive in the local part,
1811 // so this is not allowed.
1812 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1813 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1814 SequenceValueFromString(name),
1815 /*subject_alt_names=*/nullptr));
1816
1817 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1818 // Subject contains multiple rfc822Names, and one of them is excluded by the
1819 // constraint.
1820 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1821 SequenceValueFromString(name),
1822 /*subject_alt_names=*/nullptr));
1823 }
1824
1825 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1826 // are not particularly interesting, just verifying that the commonName is
1827 // ignored for dNSName constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectDnsNames)1828 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1829 std::string constraints_der;
1830 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1831 &constraints_der));
1832 CertErrors errors;
1833 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1834 der::Input(constraints_der), is_critical(), &errors));
1835 ASSERT_TRUE(name_constraints);
1836
1837 std::string name_us_az_foocom;
1838 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1839 // The subject is within permitted directoryName constraints, so permitted.
1840 // (The commonName hostname is not within permitted dNSName constraints, so
1841 // this would not be permitted if hostnames in commonName were checked.)
1842 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1843 SequenceValueFromString(name_us_az_foocom),
1844 nullptr /* subject_alt_names */));
1845
1846 std::string name_us_az_permitted;
1847 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem",
1848 &name_us_az_permitted));
1849 // The subject is in permitted directoryName and the commonName is within
1850 // permitted dNSName constraints, so this should be permitted regardless if
1851 // hostnames in commonName are checked or not.
1852 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1853 SequenceValueFromString(name_us_az_permitted),
1854 nullptr /* subject_alt_names */));
1855
1856 std::string name_us_ca_permitted;
1857 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem",
1858 &name_us_ca_permitted));
1859 // The subject is within the excluded C=US,ST=California directoryName, so
1860 // this should not be allowed, regardless of checking the
1861 // permitted.example.com in commonName.
1862 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1863 SequenceValueFromString(name_us_ca_permitted),
1864 nullptr /* subject_alt_names */));
1865 }
1866
1867 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1868 // tests are not particularly interesting, just verifying that the commonName is
1869 // ignored for iPAddress constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectIpAddresses)1870 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1871 std::string constraints_der;
1872 ASSERT_TRUE(LoadTestNameConstraint(
1873 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1874 CertErrors errors;
1875 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1876 der::Input(constraints_der), is_critical(), &errors));
1877 ASSERT_TRUE(name_constraints);
1878
1879 std::string name_us_az_1_1_1_1;
1880 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1881 // The subject is within permitted directoryName constraints, so permitted.
1882 // (The commonName IP address is not within permitted iPAddresses constraints,
1883 // so this would not be permitted if IP addresses in commonName were checked.)
1884 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1885 SequenceValueFromString(name_us_az_1_1_1_1),
1886 nullptr /* subject_alt_names */));
1887
1888 std::string name_us_az_192_168_1_1;
1889 ASSERT_TRUE(
1890 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1891 // The subject is in permitted directoryName and the commonName is within
1892 // permitted iPAddress constraints, so this should be permitted regardless if
1893 // IP addresses in commonName are checked or not.
1894 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1895 SequenceValueFromString(name_us_az_192_168_1_1),
1896 nullptr /* subject_alt_names */));
1897
1898 std::string name_us_ca_192_168_1_1;
1899 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem",
1900 &name_us_ca_192_168_1_1));
1901 // The subject is within the excluded C=US,ST=California directoryName, so
1902 // this should not be allowed, regardless of checking the
1903 // IP address in commonName.
1904 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1905 SequenceValueFromString(name_us_ca_192_168_1_1),
1906 nullptr /* subject_alt_names */));
1907
1908 std::string name_us_az_ipv6;
1909 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1910 // The subject is within permitted directoryName constraints, so permitted.
1911 // (The commonName is an ipv6 address which wasn't supported in the past, but
1912 // since commonName checking is ignored entirely, this is permitted.)
1913 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1914 SequenceValueFromString(name_us_az_ipv6),
1915 nullptr /* subject_alt_names */));
1916 }
1917
1918 } // namespace net
1919