1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/internal/name_constraints.h"
6
7 #include <memory>
8
9 #include "net/base/ip_address.h"
10 #include "net/cert/internal/common_cert_errors.h"
11 #include "net/cert/internal/test_helpers.h"
12 #include "testing/gmock/include/gmock/gmock.h"
13 #include "testing/gtest/include/gtest/gtest.h"
14
15 namespace net {
16 namespace {
17
LoadTestData(const char * token,const std::string & basename,std::string * result)18 ::testing::AssertionResult LoadTestData(const char* token,
19 const std::string& basename,
20 std::string* result) {
21 std::string path = "net/data/name_constraints_unittest/" + basename;
22
23 const PemBlockMapping mappings[] = {
24 {token, result},
25 };
26
27 return ReadTestDataFromPemFile(path, mappings);
28 }
29
LoadTestName(const std::string & basename,std::string * result)30 ::testing::AssertionResult LoadTestName(const std::string& basename,
31 std::string* result) {
32 return LoadTestData("NAME", basename, result);
33 }
34
LoadTestNameConstraint(const std::string & basename,std::string * result)35 ::testing::AssertionResult LoadTestNameConstraint(const std::string& basename,
36 std::string* result) {
37 return LoadTestData("NAME CONSTRAINTS", basename, result);
38 }
39
LoadTestSubjectAltNameData(const std::string & basename,std::string * result)40 ::testing::AssertionResult LoadTestSubjectAltNameData(
41 const std::string& basename,
42 std::string* result) {
43 return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
44 }
45
LoadTestSubjectAltName(const std::string & basename,std::unique_ptr<GeneralNames> * result,std::string * result_der)46 ::testing::AssertionResult LoadTestSubjectAltName(
47 const std::string& basename,
48 std::unique_ptr<GeneralNames>* result,
49 std::string* result_der) {
50 ::testing::AssertionResult load_result =
51 LoadTestSubjectAltNameData(basename, result_der);
52 if (!load_result)
53 return load_result;
54 CertErrors errors;
55 *result = GeneralNames::Create(der::Input(result_der), &errors);
56 if (!*result)
57 return ::testing::AssertionFailure() << "Create failed";
58 return ::testing::AssertionSuccess();
59 }
60
IsPermittedCert(const NameConstraints * name_constraints,const der::Input & subject_rdn_sequence,const GeneralNames * subject_alt_names)61 ::testing::AssertionResult IsPermittedCert(
62 const NameConstraints* name_constraints,
63 const der::Input& subject_rdn_sequence,
64 const GeneralNames* subject_alt_names) {
65 CertErrors errors;
66 name_constraints->IsPermittedCert(subject_rdn_sequence, subject_alt_names,
67 &errors);
68 if (!errors.ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH))
69 return ::testing::AssertionSuccess();
70 if (!errors.ContainsError(cert_errors::kNotPermittedByNameConstraints))
71 ADD_FAILURE() << "unexpected error " << errors.ToDebugString();
72 return ::testing::AssertionFailure();
73 }
74
75 } // namespace
76
77 class ParseNameConstraints
78 : public ::testing::TestWithParam<::testing::tuple<bool>> {
79 public:
is_critical() const80 bool is_critical() const { return ::testing::get<0>(GetParam()); }
81 };
82
83 // Run the tests with the name constraints marked critical and non-critical. For
84 // supported name types, the results should be the same for both.
85 INSTANTIATE_TEST_SUITE_P(InstantiationName,
86 ParseNameConstraints,
87 ::testing::Values(true, false));
88
TEST_P(ParseNameConstraints,DNSNames)89 TEST_P(ParseNameConstraints, DNSNames) {
90 std::string a;
91 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
92
93 CertErrors errors;
94 std::unique_ptr<NameConstraints> name_constraints(
95 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
96 ASSERT_TRUE(name_constraints);
97
98 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
99 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
100 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
101 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
102 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
103 EXPECT_TRUE(
104 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
105 EXPECT_FALSE(
106 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
107 EXPECT_FALSE(
108 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
109 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
110 "stillnotpermitted.excluded.permitted.example.com"));
111 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
112 "a.stillnotpermitted.excluded.permitted.example.com"));
113 EXPECT_FALSE(
114 name_constraints->IsPermittedDNSName("extraneousexclusion.example.com"));
115 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
116 "a.extraneousexclusion.example.com"));
117 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.example.com"));
118 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.com"));
119
120 // Wildcard names:
121 // Pattern could match excluded.permitted.example.com, thus should not be
122 // allowed.
123 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.permitted.example.com"));
124 // Entirely within excluded name, obviously not allowed.
125 EXPECT_FALSE(
126 name_constraints->IsPermittedDNSName("*.excluded.permitted.example.com"));
127 // Within permitted.example.com and cannot match any exclusion, thus these are
128 // allowed.
129 EXPECT_TRUE(
130 name_constraints->IsPermittedDNSName("*.foo.permitted.example.com"));
131 EXPECT_TRUE(
132 name_constraints->IsPermittedDNSName("*.alsopermitted.example.com"));
133 // Matches permitted.example2.com, but also matches other .example2.com names
134 // which are not in either permitted or excluded, so not allowed.
135 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.example2.com"));
136 // Partial wildcards are not supported, so these name are permitted even if
137 // it seems like they shouldn't be. It's fine, since certificate verification
138 // won't treat them as wildcard names either.
139 EXPECT_TRUE(
140 name_constraints->IsPermittedDNSName("*xcluded.permitted.example.com"));
141 EXPECT_TRUE(
142 name_constraints->IsPermittedDNSName("exclude*.permitted.example.com"));
143 EXPECT_TRUE(
144 name_constraints->IsPermittedDNSName("excl*ded.permitted.example.com"));
145 // Garbage wildcard data.
146 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*."));
147 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.*"));
148 EXPECT_FALSE(name_constraints->IsPermittedDNSName(".*"));
149 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*"));
150 // Matches SAN with trailing dot.
151 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com"));
152 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
153 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
154 EXPECT_TRUE(
155 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
156
157 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->constrained_name_types());
158
159 std::string san_der;
160 std::unique_ptr<GeneralNames> san;
161 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
162 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
163
164 ASSERT_TRUE(
165 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
166 EXPECT_FALSE(
167 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
168
169 ASSERT_TRUE(
170 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
171 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
172
173 ASSERT_TRUE(
174 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
175 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
176 }
177
TEST_P(ParseNameConstraints,DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted)178 TEST_P(ParseNameConstraints,
179 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
180 std::string a;
181 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
182 CertErrors errors;
183 std::unique_ptr<NameConstraints> name_constraints(
184 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
185 ASSERT_TRUE(name_constraints);
186
187 // Matches permitted exactly.
188 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
189 // Contained within permitted and doesn't match excluded (foo.bar.com).
190 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
191 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
192 // Matches excluded exactly.
193 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
194 // Contained within excluded.
195 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
196
197 // Cannot match anything within excluded.
198 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
199 // Wildcard hostnames only match a single label, so cannot match excluded
200 // which has two labels before .com.
201 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
202
203 // Partial match of foo.bar.com.
204 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
205 // All expansions of wildcard are within excluded.
206 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
207 }
208
TEST_P(ParseNameConstraints,DNSNamesPermittedWithLeadingDot)209 TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
210 std::string a;
211 ASSERT_TRUE(
212 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
213 CertErrors errors;
214 std::unique_ptr<NameConstraints> name_constraints(
215 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
216 ASSERT_TRUE(name_constraints);
217
218 // A permitted dNSName constraint of ".bar.com" should only match subdomains
219 // of .bar.com, but not bar.com itself.
220 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
221 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
222 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
223 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
224 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
225 }
226
TEST_P(ParseNameConstraints,DNSNamesExcludedWithLeadingDot)227 TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
228 std::string a;
229 ASSERT_TRUE(
230 LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
231 CertErrors errors;
232 std::unique_ptr<NameConstraints> name_constraints(
233 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
234 ASSERT_TRUE(name_constraints);
235
236 // An excluded dNSName constraint of ".bar.com" should only match subdomains
237 // of .bar.com, but not bar.com itself.
238 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
239 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
240 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
241 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
242 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
243 }
244
TEST_P(ParseNameConstraints,DNSNamesPermittedTwoDot)245 TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
246 std::string a;
247 ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
248 CertErrors errors;
249 std::unique_ptr<NameConstraints> name_constraints(
250 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
251 ASSERT_TRUE(name_constraints);
252
253 // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
254 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
255 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com."));
256 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
257 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.com"));
258 }
259
TEST_P(ParseNameConstraints,DNSNamesExcludeOnly)260 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
261 std::string a;
262 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
263
264 CertErrors errors;
265 std::unique_ptr<NameConstraints> name_constraints(
266 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
267 ASSERT_TRUE(name_constraints);
268
269 // Only "excluded.permitted.example.com" is excluded, and since permitted is
270 // empty, any dNSName outside that is allowed.
271 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
272 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
273 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
274 EXPECT_FALSE(
275 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
276 EXPECT_FALSE(
277 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
278 }
279
TEST_P(ParseNameConstraints,DNSNamesExcludeAll)280 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
281 std::string a;
282 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
283
284 CertErrors errors;
285 std::unique_ptr<NameConstraints> name_constraints(
286 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
287 ASSERT_TRUE(name_constraints);
288
289 // "permitted.example.com" is in the permitted section, but since "" is
290 // excluded, nothing is permitted.
291 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
292 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
293 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
294 EXPECT_FALSE(
295 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
296 }
297
TEST_P(ParseNameConstraints,DNSNamesExcludeDot)298 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
299 std::string a;
300 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
301
302 CertErrors errors;
303 std::unique_ptr<NameConstraints> name_constraints(
304 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
305 ASSERT_TRUE(name_constraints);
306
307 // "." is excluded, which should match nothing.
308 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
309 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
310 EXPECT_TRUE(
311 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
312 }
313
TEST_P(ParseNameConstraints,DNSNamesFailOnInvalidIA5String)314 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
315 std::string a;
316 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
317
318 size_t replace_location = a.find("permitted.example2.com");
319 ASSERT_NE(std::string::npos, replace_location);
320 a.replace(replace_location, 1, 1, -1);
321
322 CertErrors errors;
323 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
324 }
325
TEST_P(ParseNameConstraints,DirectoryNames)326 TEST_P(ParseNameConstraints, DirectoryNames) {
327 std::string constraints_der;
328 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
329
330 std::string name_us;
331 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
332 std::string name_us_ca;
333 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
334 std::string name_us_ca_mountain_view;
335 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
336 &name_us_ca_mountain_view));
337 std::string name_us_az;
338 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
339 std::string name_jp;
340 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
341 std::string name_jp_tokyo;
342 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
343 std::string name_de;
344 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
345 std::string name_ca;
346 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
347
348 CertErrors errors;
349 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
350 der::Input(&constraints_der), is_critical(), &errors));
351 ASSERT_TRUE(name_constraints);
352
353 // Not in any permitted subtree.
354 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
355 SequenceValueFromString(&name_ca)));
356 // Within the permitted C=US subtree.
357 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
358 SequenceValueFromString(&name_us)));
359 // Within the permitted C=US subtree.
360 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
361 SequenceValueFromString(&name_us_az)));
362 // Within the permitted C=US subtree, however the excluded C=US,ST=California
363 // subtree takes priority.
364 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
365 SequenceValueFromString(&name_us_ca)));
366 // Within the permitted C=US subtree as well as the permitted
367 // C=US,ST=California,L=Mountain View subtree, however the excluded
368 // C=US,ST=California subtree still takes priority.
369 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
370 SequenceValueFromString(&name_us_ca_mountain_view)));
371 // Not in any permitted subtree, and also inside the extraneous excluded C=DE
372 // subtree.
373 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
374 SequenceValueFromString(&name_de)));
375 // Not in any permitted subtree.
376 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
377 SequenceValueFromString(&name_jp)));
378 // Within the permitted C=JP,ST=Tokyo subtree.
379 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
380 SequenceValueFromString(&name_jp_tokyo)));
381
382 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
383 name_constraints->constrained_name_types());
384
385 // Within the permitted C=US subtree.
386 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
387 SequenceValueFromString(&name_us),
388 nullptr /* subject_alt_names */));
389 // Within the permitted C=US subtree, however the excluded C=US,ST=California
390 // subtree takes priority.
391 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
392 SequenceValueFromString(&name_us_ca),
393 nullptr /* subject_alt_names */));
394
395 std::string san_der;
396 std::unique_ptr<GeneralNames> san;
397 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
398 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
399
400 ASSERT_TRUE(
401 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
402 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
403
404 ASSERT_TRUE(
405 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
406 EXPECT_FALSE(
407 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
408
409 ASSERT_TRUE(
410 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
411 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
412 }
413
TEST_P(ParseNameConstraints,DirectoryNamesExcludeOnly)414 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
415 std::string constraints_der;
416 ASSERT_TRUE(
417 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
418 CertErrors errors;
419 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
420 der::Input(&constraints_der), is_critical(), &errors));
421 ASSERT_TRUE(name_constraints);
422
423 std::string name_empty;
424 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
425 std::string name_us;
426 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
427 std::string name_us_ca;
428 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
429 std::string name_us_ca_mountain_view;
430 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
431 &name_us_ca_mountain_view));
432
433 // Only "C=US,ST=California" is excluded, and since permitted is empty,
434 // any directoryName outside that is allowed.
435 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
436 SequenceValueFromString(&name_empty)));
437 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
438 SequenceValueFromString(&name_us)));
439 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
440 SequenceValueFromString(&name_us_ca)));
441 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
442 SequenceValueFromString(&name_us_ca_mountain_view)));
443 }
444
TEST_P(ParseNameConstraints,DirectoryNamesExcludeAll)445 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
446 std::string constraints_der;
447 ASSERT_TRUE(
448 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
449 CertErrors errors;
450 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
451 der::Input(&constraints_der), is_critical(), &errors));
452 ASSERT_TRUE(name_constraints);
453
454 std::string name_empty;
455 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
456 std::string name_us;
457 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
458 std::string name_us_ca;
459 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
460 std::string name_us_ca_mountain_view;
461 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
462 &name_us_ca_mountain_view));
463 std::string name_jp;
464 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
465
466 // "C=US" is in the permitted section, but since an empty
467 // directoryName is excluded, nothing is permitted.
468 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
469 SequenceValueFromString(&name_empty)));
470 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
471 SequenceValueFromString(&name_us)));
472 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
473 SequenceValueFromString(&name_us_ca)));
474 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
475 SequenceValueFromString(&name_jp)));
476 }
477
TEST_P(ParseNameConstraints,IPAdresses)478 TEST_P(ParseNameConstraints, IPAdresses) {
479 std::string a;
480 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
481
482 CertErrors errors;
483 std::unique_ptr<NameConstraints> name_constraints(
484 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
485 ASSERT_TRUE(name_constraints);
486
487 // IPv4 tests:
488
489 // Not in any permitted range.
490 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 169, 0, 1)));
491
492 // Within the permitted 192.168.0.0/255.255.0.0 range.
493 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
494
495 // Within the permitted 192.168.0.0/255.255.0.0 range, however the
496 // excluded 192.168.5.0/255.255.255.0 takes priority.
497 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1)));
498
499 // Within the permitted 192.168.0.0/255.255.0.0 range as well as the
500 // permitted 192.168.5.32/255.255.255.224 range, however the excluded
501 // 192.168.5.0/255.255.255.0 still takes priority.
502 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 33)));
503
504 // Not in any permitted range. (Just outside the
505 // 192.167.5.32/255.255.255.224 range.)
506 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 167, 5, 31)));
507
508 // Within the permitted 192.167.5.32/255.255.255.224 range.
509 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 167, 5, 32)));
510
511 // Within the permitted 192.167.5.32/255.255.255.224 range.
512 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 167, 5, 63)));
513
514 // Not in any permitted range. (Just outside the
515 // 192.167.5.32/255.255.255.224 range.)
516 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 167, 5, 64)));
517
518 // Not in any permitted range, and also inside the extraneous excluded
519 // 192.166.5.32/255.255.255.224 range.
520 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 166, 5, 32)));
521
522 // IPv6 tests:
523
524 // Not in any permitted range.
525 EXPECT_FALSE(name_constraints->IsPermittedIP(
526 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
527
528 // Within the permitted
529 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
530 EXPECT_TRUE(name_constraints->IsPermittedIP(
531 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1)));
532
533 // Within the permitted
534 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
535 // the excluded
536 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
537 // priority.
538 EXPECT_FALSE(name_constraints->IsPermittedIP(
539 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1)));
540
541 // Within the permitted
542 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
543 // as the permitted
544 // 102:304:506:708:90a:b0c:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0,
545 // however the excluded
546 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
547 // priority.
548 EXPECT_FALSE(name_constraints->IsPermittedIP(
549 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1)));
550
551 // Not in any permitted range. (Just outside the
552 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
553 // range.)
554 EXPECT_FALSE(name_constraints->IsPermittedIP(
555 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255)));
556
557 // Within the permitted
558 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
559 EXPECT_TRUE(name_constraints->IsPermittedIP(
560 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0)));
561
562 // Within the permitted
563 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
564 EXPECT_TRUE(name_constraints->IsPermittedIP(
565 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255)));
566
567 // Not in any permitted range. (Just outside the
568 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
569 // range.)
570 EXPECT_FALSE(name_constraints->IsPermittedIP(
571 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0)));
572
573 // Not in any permitted range, and also inside the extraneous excluded
574 // 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
575 EXPECT_FALSE(name_constraints->IsPermittedIP(
576 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1)));
577
578 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
579 name_constraints->constrained_name_types());
580
581 std::string san_der;
582 std::unique_ptr<GeneralNames> san;
583 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
584 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
585
586 ASSERT_TRUE(
587 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
588 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
589
590 ASSERT_TRUE(
591 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
592 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
593
594 ASSERT_TRUE(
595 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
596 EXPECT_FALSE(
597 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
598 }
599
TEST_P(ParseNameConstraints,IPAdressesExcludeOnly)600 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
601 std::string a;
602 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
603
604 CertErrors errors;
605 std::unique_ptr<NameConstraints> name_constraints(
606 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
607 ASSERT_TRUE(name_constraints);
608
609 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
610 // any iPAddress outside that is allowed.
611 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
612 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 5, 1)));
613 EXPECT_TRUE(name_constraints->IsPermittedIP(
614 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
615 }
616
TEST_P(ParseNameConstraints,IPAdressesExcludeAll)617 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
618 std::string a;
619 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
620
621 CertErrors errors;
622 std::unique_ptr<NameConstraints> name_constraints(
623 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
624 ASSERT_TRUE(name_constraints);
625
626 // 192.168.0.0/255.255.0.0 and
627 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
628 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
629 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 0, 1)));
630 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(1, 1, 1, 1)));
631 EXPECT_FALSE(name_constraints->IsPermittedIP(
632 IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)));
633 EXPECT_FALSE(name_constraints->IsPermittedIP(
634 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
635 }
636
TEST_P(ParseNameConstraints,IPAdressesNetmaskPermitSingleHost)637 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
638 std::string a;
639 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
640
641 CertErrors errors;
642 std::unique_ptr<NameConstraints> name_constraints(
643 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
644 ASSERT_TRUE(name_constraints);
645
646 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
647 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
648 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2)));
649 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3)));
650 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4)));
651 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
652 }
653
TEST_P(ParseNameConstraints,IPAdressesNetmaskPermitPrefixLen31)654 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
655 std::string a;
656 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
657
658 CertErrors errors;
659 std::unique_ptr<NameConstraints> name_constraints(
660 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
661 ASSERT_TRUE(name_constraints);
662
663 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
664 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
665 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 2)));
666 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 3)));
667 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 4)));
668 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 5)));
669 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
670 }
671
TEST_P(ParseNameConstraints,IPAdressesNetmaskPermitPrefixLen1)672 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
673 std::string a;
674 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
675
676 CertErrors errors;
677 std::unique_ptr<NameConstraints> name_constraints(
678 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
679 ASSERT_TRUE(name_constraints);
680
681 EXPECT_FALSE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
682 EXPECT_FALSE(
683 name_constraints->IsPermittedIP(IPAddress(0x7F, 0xFF, 0xFF, 0xFF)));
684 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(0x80, 0, 0, 0)));
685 EXPECT_TRUE(
686 name_constraints->IsPermittedIP(IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
687 }
688
TEST_P(ParseNameConstraints,IPAdressesNetmaskPermitAll)689 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
690 std::string a;
691 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
692
693 CertErrors errors;
694 std::unique_ptr<NameConstraints> name_constraints(
695 NameConstraints::Create(der::Input(&a), is_critical(), &errors));
696 ASSERT_TRUE(name_constraints);
697
698 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress::IPv4AllZeros()));
699 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(192, 168, 1, 1)));
700 EXPECT_TRUE(name_constraints->IsPermittedIP(IPAddress(255, 255, 255, 255)));
701 }
702
TEST_P(ParseNameConstraints,IPAdressesFailOnInvalidAddr)703 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
704 std::string a;
705 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
706
707 CertErrors errors;
708 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
709 }
710
TEST_P(ParseNameConstraints,IPAdressesFailOnInvalidMaskNotContiguous)711 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
712 std::string a;
713 ASSERT_TRUE(LoadTestNameConstraint(
714 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
715 CertErrors errors;
716 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
717
718 ASSERT_TRUE(LoadTestNameConstraint(
719 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
720 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
721
722 ASSERT_TRUE(LoadTestNameConstraint(
723 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
724 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
725
726 ASSERT_TRUE(LoadTestNameConstraint(
727 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
728 EXPECT_FALSE(NameConstraints::Create(der::Input(&a), is_critical(), &errors));
729 }
730
TEST_P(ParseNameConstraints,OtherNamesInPermitted)731 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
732 std::string constraints_der;
733 ASSERT_TRUE(
734 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
735 CertErrors errors;
736 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
737 der::Input(&constraints_der), is_critical(), &errors));
738 ASSERT_TRUE(name_constraints);
739
740 if (is_critical()) {
741 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
742 name_constraints->constrained_name_types());
743 } else {
744 EXPECT_EQ(0, name_constraints->constrained_name_types());
745 }
746
747 std::string san_der;
748 std::unique_ptr<GeneralNames> san;
749 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
750 EXPECT_EQ(!is_critical(),
751 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
752 }
753
TEST_P(ParseNameConstraints,OtherNamesInExcluded)754 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
755 std::string constraints_der;
756 ASSERT_TRUE(
757 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
758 CertErrors errors;
759 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
760 der::Input(&constraints_der), is_critical(), &errors));
761 ASSERT_TRUE(name_constraints);
762
763 if (is_critical()) {
764 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
765 name_constraints->constrained_name_types());
766 } else {
767 EXPECT_EQ(0, name_constraints->constrained_name_types());
768 }
769
770 std::string san_der;
771 std::unique_ptr<GeneralNames> san;
772 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
773 EXPECT_EQ(!is_critical(),
774 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
775 }
776
TEST_P(ParseNameConstraints,Rfc822NamesInPermitted)777 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
778 std::string constraints_der;
779 ASSERT_TRUE(
780 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
781 CertErrors errors;
782 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
783 der::Input(&constraints_der), is_critical(), &errors));
784 ASSERT_TRUE(name_constraints);
785
786 if (is_critical()) {
787 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
788 name_constraints->constrained_name_types());
789 } else {
790 EXPECT_EQ(0, name_constraints->constrained_name_types());
791 }
792
793 std::string san_der;
794 std::unique_ptr<GeneralNames> san;
795 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
796 EXPECT_EQ(!is_critical(),
797 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
798 }
799
TEST_P(ParseNameConstraints,Rfc822NamesInExcluded)800 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
801 std::string constraints_der;
802 ASSERT_TRUE(
803 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
804 CertErrors errors;
805 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
806 der::Input(&constraints_der), is_critical(), &errors));
807 ASSERT_TRUE(name_constraints);
808
809 if (is_critical()) {
810 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
811 name_constraints->constrained_name_types());
812 } else {
813 EXPECT_EQ(0, name_constraints->constrained_name_types());
814 }
815
816 std::string san_der;
817 std::unique_ptr<GeneralNames> san;
818 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
819 EXPECT_EQ(!is_critical(),
820 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
821 }
822
TEST_P(ParseNameConstraints,X400AddresssInPermitted)823 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
824 std::string constraints_der;
825 ASSERT_TRUE(
826 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
827 CertErrors errors;
828 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
829 der::Input(&constraints_der), is_critical(), &errors));
830 ASSERT_TRUE(name_constraints);
831
832 if (is_critical()) {
833 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
834 name_constraints->constrained_name_types());
835 } else {
836 EXPECT_EQ(0, name_constraints->constrained_name_types());
837 }
838
839 std::string san_der;
840 std::unique_ptr<GeneralNames> san;
841 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
842 EXPECT_EQ(!is_critical(),
843 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
844 }
845
TEST_P(ParseNameConstraints,X400AddresssInExcluded)846 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
847 std::string constraints_der;
848 ASSERT_TRUE(
849 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
850 CertErrors errors;
851 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
852 der::Input(&constraints_der), is_critical(), &errors));
853 ASSERT_TRUE(name_constraints);
854
855 if (is_critical()) {
856 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
857 name_constraints->constrained_name_types());
858 } else {
859 EXPECT_EQ(0, name_constraints->constrained_name_types());
860 }
861
862 std::string san_der;
863 std::unique_ptr<GeneralNames> san;
864 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
865 EXPECT_EQ(!is_critical(),
866 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
867 }
868
TEST_P(ParseNameConstraints,EdiPartyNamesInPermitted)869 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
870 std::string constraints_der;
871 ASSERT_TRUE(
872 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
873 CertErrors errors;
874 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
875 der::Input(&constraints_der), is_critical(), &errors));
876 ASSERT_TRUE(name_constraints);
877
878 if (is_critical()) {
879 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
880 name_constraints->constrained_name_types());
881 } else {
882 EXPECT_EQ(0, name_constraints->constrained_name_types());
883 }
884
885 std::string san_der;
886 std::unique_ptr<GeneralNames> san;
887 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
888 EXPECT_EQ(!is_critical(),
889 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
890 }
891
TEST_P(ParseNameConstraints,EdiPartyNamesInExcluded)892 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
893 std::string constraints_der;
894 ASSERT_TRUE(
895 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
896 CertErrors errors;
897 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
898 der::Input(&constraints_der), is_critical(), &errors));
899 ASSERT_TRUE(name_constraints);
900
901 if (is_critical()) {
902 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
903 name_constraints->constrained_name_types());
904 } else {
905 EXPECT_EQ(0, name_constraints->constrained_name_types());
906 }
907
908 std::string san_der;
909 std::unique_ptr<GeneralNames> san;
910 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
911 EXPECT_EQ(!is_critical(),
912 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
913 }
914
TEST_P(ParseNameConstraints,URIsInPermitted)915 TEST_P(ParseNameConstraints, URIsInPermitted) {
916 std::string constraints_der;
917 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
918 CertErrors errors;
919 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
920 der::Input(&constraints_der), is_critical(), &errors));
921 ASSERT_TRUE(name_constraints);
922
923 if (is_critical()) {
924 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
925 name_constraints->constrained_name_types());
926 } else {
927 EXPECT_EQ(0, name_constraints->constrained_name_types());
928 }
929
930 std::string san_der;
931 std::unique_ptr<GeneralNames> san;
932 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
933 EXPECT_EQ(!is_critical(),
934 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
935 }
936
TEST_P(ParseNameConstraints,URIsInExcluded)937 TEST_P(ParseNameConstraints, URIsInExcluded) {
938 std::string constraints_der;
939 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
940 CertErrors errors;
941 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
942 der::Input(&constraints_der), is_critical(), &errors));
943 ASSERT_TRUE(name_constraints);
944
945 if (is_critical()) {
946 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
947 name_constraints->constrained_name_types());
948 } else {
949 EXPECT_EQ(0, name_constraints->constrained_name_types());
950 }
951
952 std::string san_der;
953 std::unique_ptr<GeneralNames> san;
954 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
955 EXPECT_EQ(!is_critical(),
956 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
957 }
958
TEST_P(ParseNameConstraints,RegisteredIDsInPermitted)959 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
960 std::string constraints_der;
961 ASSERT_TRUE(
962 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
963 CertErrors errors;
964 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
965 der::Input(&constraints_der), is_critical(), &errors));
966 ASSERT_TRUE(name_constraints);
967
968 if (is_critical()) {
969 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
970 name_constraints->constrained_name_types());
971 } else {
972 EXPECT_EQ(0, name_constraints->constrained_name_types());
973 }
974
975 std::string san_der;
976 std::unique_ptr<GeneralNames> san;
977 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
978 EXPECT_EQ(!is_critical(),
979 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
980 }
981
TEST_P(ParseNameConstraints,RegisteredIDsInExcluded)982 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
983 std::string constraints_der;
984 ASSERT_TRUE(
985 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
986 CertErrors errors;
987 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
988 der::Input(&constraints_der), is_critical(), &errors));
989 ASSERT_TRUE(name_constraints);
990
991 if (is_critical()) {
992 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
993 name_constraints->constrained_name_types());
994 } else {
995 EXPECT_EQ(0, name_constraints->constrained_name_types());
996 }
997
998 std::string san_der;
999 std::unique_ptr<GeneralNames> san;
1000 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1001 EXPECT_EQ(!is_critical(),
1002 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1003 }
1004
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily)1005 TEST_P(ParseNameConstraints,
1006 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1007 std::string constraints_der;
1008 ASSERT_TRUE(
1009 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1010 // The value should not be in the DER encoding if it is the default. But this
1011 // could be changed to allowed if there are buggy encoders out there that
1012 // include it anyway.
1013 CertErrors errors;
1014 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1015 is_critical(), &errors));
1016 }
1017
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimum)1018 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1019 std::string constraints_der;
1020 ASSERT_TRUE(
1021 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1022 CertErrors errors;
1023 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1024 is_critical(), &errors));
1025 }
1026
TEST_P(ParseNameConstraints,failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum)1027 TEST_P(ParseNameConstraints,
1028 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1029 std::string constraints_der;
1030 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1031 &constraints_der));
1032 CertErrors errors;
1033 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1034 is_critical(), &errors));
1035 }
1036
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMinimumAndMaximum)1037 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1038 std::string constraints_der;
1039 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1040 &constraints_der));
1041 CertErrors errors;
1042 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1043 is_critical(), &errors));
1044 }
1045
TEST_P(ParseNameConstraints,FailsOnGeneralSubtreeWithMaximum)1046 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1047 std::string constraints_der;
1048 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1049 CertErrors errors;
1050 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1051 is_critical(), &errors));
1052 }
1053
TEST_P(ParseNameConstraints,FailsOnEmptyExtensionValue)1054 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1055 std::string constraints_der = "";
1056 CertErrors errors;
1057 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1058 is_critical(), &errors));
1059 }
1060
TEST_P(ParseNameConstraints,FailsOnNoPermittedAndExcluded)1061 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1062 std::string constraints_der;
1063 ASSERT_TRUE(
1064 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1065 CertErrors errors;
1066 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1067 is_critical(), &errors));
1068 }
1069
TEST_P(ParseNameConstraints,FailsOnEmptyPermitted)1070 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1071 std::string constraints_der;
1072 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1073 &constraints_der));
1074 CertErrors errors;
1075 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1076 is_critical(), &errors));
1077 }
1078
TEST_P(ParseNameConstraints,FailsOnEmptyExcluded)1079 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1080 std::string constraints_der;
1081 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1082 &constraints_der));
1083 CertErrors errors;
1084 EXPECT_FALSE(NameConstraints::Create(der::Input(&constraints_der),
1085 is_critical(), &errors));
1086 }
1087
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsOk)1088 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1089 std::string constraints_der;
1090 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1091 CertErrors errors;
1092 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1093 der::Input(&constraints_der), is_critical(), &errors));
1094 ASSERT_TRUE(name_constraints);
1095
1096 std::string name_us_arizona_email;
1097 ASSERT_TRUE(
1098 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1099
1100 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1101 // allowed regardless.
1102 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1103 SequenceValueFromString(&name_us_arizona_email),
1104 nullptr /* subject_alt_names */));
1105 }
1106
TEST_P(ParseNameConstraints,IsPermittedCertSubjectEmailAddressIsNotOk)1107 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1108 std::string constraints_der;
1109 ASSERT_TRUE(
1110 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1111 CertErrors errors;
1112 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1113 der::Input(&constraints_der), is_critical(), &errors));
1114 ASSERT_TRUE(name_constraints);
1115
1116 std::string name_us_arizona_email;
1117 ASSERT_TRUE(
1118 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1119
1120 // Name constraints contain rfc822Name, so emailAddress in subject is not
1121 // allowed if the constraints were critical.
1122 EXPECT_EQ(!is_critical(),
1123 IsPermittedCert(name_constraints.get(),
1124 SequenceValueFromString(&name_us_arizona_email),
1125 nullptr /* subject_alt_names */));
1126 }
1127
1128 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1129 // are not particularly interesting, just verifying that the commonName is
1130 // ignored for dNSName constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectDnsNames)1131 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1132 std::string constraints_der;
1133 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1134 &constraints_der));
1135 CertErrors errors;
1136 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1137 der::Input(&constraints_der), is_critical(), &errors));
1138 ASSERT_TRUE(name_constraints);
1139
1140 std::string name_us_az_foocom;
1141 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1142 // The subject is within permitted directoryName constraints, so permitted.
1143 // (The commonName hostname is not within permitted dNSName constraints, so
1144 // this would not be permitted if hostnames in commonName were checked.)
1145 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1146 SequenceValueFromString(&name_us_az_foocom),
1147 nullptr /* subject_alt_names */));
1148
1149 std::string name_us_az_permitted;
1150 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem",
1151 &name_us_az_permitted));
1152 // The subject is in permitted directoryName and the commonName is within
1153 // permitted dNSName constraints, so this should be permitted regardless if
1154 // hostnames in commonName are checked or not.
1155 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1156 SequenceValueFromString(&name_us_az_permitted),
1157 nullptr /* subject_alt_names */));
1158
1159 std::string name_us_ca_permitted;
1160 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem",
1161 &name_us_ca_permitted));
1162 // The subject is within the excluded C=US,ST=California directoryName, so
1163 // this should not be allowed, regardless of checking the
1164 // permitted.example.com in commonName.
1165 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1166 SequenceValueFromString(&name_us_ca_permitted),
1167 nullptr /* subject_alt_names */));
1168 }
1169
1170 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1171 // tests are not particularly interesting, just verifying that the commonName is
1172 // ignored for iPAddress constraints.
TEST_P(ParseNameConstraints,IsPermittedCertSubjectIpAddresses)1173 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1174 std::string constraints_der;
1175 ASSERT_TRUE(LoadTestNameConstraint(
1176 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1177 CertErrors errors;
1178 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
1179 der::Input(&constraints_der), is_critical(), &errors));
1180 ASSERT_TRUE(name_constraints);
1181
1182 std::string name_us_az_1_1_1_1;
1183 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1184 // The subject is within permitted directoryName constraints, so permitted.
1185 // (The commonName IP address is not within permitted iPAddresses constraints,
1186 // so this would not be permitted if IP addresses in commonName were checked.)
1187 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1188 SequenceValueFromString(&name_us_az_1_1_1_1),
1189 nullptr /* subject_alt_names */));
1190
1191 std::string name_us_az_192_168_1_1;
1192 ASSERT_TRUE(
1193 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1194 // The subject is in permitted directoryName and the commonName is within
1195 // permitted iPAddress constraints, so this should be permitted regardless if
1196 // IP addresses in commonName are checked or not.
1197 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1198 SequenceValueFromString(&name_us_az_192_168_1_1),
1199 nullptr /* subject_alt_names */));
1200
1201 std::string name_us_ca_192_168_1_1;
1202 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem",
1203 &name_us_ca_192_168_1_1));
1204 // The subject is within the excluded C=US,ST=California directoryName, so
1205 // this should not be allowed, regardless of checking the
1206 // IP address in commonName.
1207 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
1208 SequenceValueFromString(&name_us_ca_192_168_1_1),
1209 nullptr /* subject_alt_names */));
1210
1211 std::string name_us_az_ipv6;
1212 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1213 // The subject is within permitted directoryName constraints, so permitted.
1214 // (The commonName is an ipv6 address which wasn't supported in the past, but
1215 // since commonName checking is ignored entirely, this is permitted.)
1216 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
1217 SequenceValueFromString(&name_us_az_ipv6),
1218 nullptr /* subject_alt_names */));
1219 }
1220
1221 } // namespace net
1222