nss-3.73/nss/tests/chains/scenarios/nameconstraints.cfg - manifest_repos/nss - Git at Google

 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 scenario TrustAnchors

 db trustanchors

 import NameConstraints.ca:x:CT,C,C
 # Name Constrained CA:  Name constrained to permited DNSName ".example"
 import NameConstraints.ncca:x:CT,C,C
 import NameConstraints.dcisscopy:x:CT,C,C
 import NameConstraints.ipaca:x:CT,C,C

 # Intermediate 1: Name constrained to permited DNSName ".example"

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
 # altDNS: test.invalid
 #   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server1:x
   cert NameConstraints.intermediate:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
 #   Fail: CN not in name constraints
 verify NameConstraints.server2:x
   cert NameConstraints.intermediate:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
 # altDNS: test.example
 verify NameConstraints.server3:x
   cert NameConstraints.intermediate:x
   result pass

 # Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
 # altDNS: test.invalid
 #   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server4:x
   cert NameConstraints.intermediate2:x
   cert NameConstraints.intermediate:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
 #   Fail: CN not in name constraints
 verify NameConstraints.server5:x
   cert NameConstraints.intermediate2:x
   cert NameConstraints.intermediate:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
 # altDNS: test.example
 verify NameConstraints.server6:x
   cert NameConstraints.intermediate2:x
   cert NameConstraints.intermediate:x
   result pass

 # Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
 #                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
 #                 and a permitted DNSName of "foo.example"

 # Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
 #                 No name constraints present
 #                 Signed by Intermediate 3 (inherits name constraints)

 # Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
 verify NameConstraints.server7:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result pass

 # Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
 verify NameConstraints.server8:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result pass

 # Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
 #  Fail: ST is missing in the DirectoryName, thus not matching name constraints
 verify NameConstraints.server9:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result fail

 # Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
 #  Fail: CN not in name constraints
 verify NameConstraints.server10:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result fail

 # Subject: "C=US, ST=CA, O=Foo, CN=site.example"
 # altDNS:foo.example
 #   Pass: Ignores CN constraint name violation because SAN is present
 verify NameConstraints.server11:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result pass

 # Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
 #   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
 verify NameConstraints.server12:x
   cert NameConstraints.intermediate4:x
   cert NameConstraints.intermediate3:x
   result fail

 # Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
 #                 No name constraints present
 #                 Signed by Intermediate 3.
 #                 Intermediate 5's subject is not in Intermediate 3's permitted
 #                 names, so all certs issued by it are invalid.

 # Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
 #   Fail: Org matches Intermediate 5's name constraints, but does not match
 #         Intermediate 3' name constraints
 verify NameConstraints.server13:x
   cert NameConstraints.intermediate5:x
   cert NameConstraints.intermediate3:x
   result fail

 # Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
 #  Fail: Matches Intermediate 5's name constraints, but fails because
 #        Intermediate 5 does not match Intermediate 3's name constraints
 verify NameConstraints.server14:x
   cert NameConstraints.intermediate5:x
   cert NameConstraints.intermediate3:x
   result fail

 # Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
 #                 No name constraints present
 #                 Signed by Named Constrained CA (inherits root name constraints)

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
 # altDNS: testfoo.invalid
 #   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server15:x
   cert NameConstraints.intermediate6:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
 #   Fail: CN not in name constraints
 verify NameConstraints.server16:x
   cert NameConstraints.intermediate6:x
   result fail

 # Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
 # altDNS: test4.example
 verify NameConstraints.server17:x
   cert NameConstraints.intermediate6:x
   result pass

 # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
 verify NameConstraints.dcissblocked:x
   result fail

 # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
 verify NameConstraints.dcissallowed:x
   result pass

 # Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
 # EKUs: OCSPSigning,ipsecUser
 #
 # This tests that a non server certificate (i.e. id-kp-serverAuth
 # not present in EKU) does *NOT* have CN treated as dnsName for
 # purposes of Name Constraints validation (certificateUsageStatusResponder)
 # https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
 verify NameConstraints.ocsp1:x
   usage 10
   result pass

 # This tests that a non server certificate (i.e. id-kp-serverAuth
 # not present in EKU) does *NOT* have CN treated as dnsName for
 # purposes of Name Constraints validation (certificateUsageIPsec)
 verify NameConstraints.ocsp1:x
  usage 12
  result pass
	# This Source Code Form is subject to the terms of the Mozilla Public
	# License, v. 2.0. If a copy of the MPL was not distributed with this
	# file, You can obtain one at http://mozilla.org/MPL/2.0/.

	scenario TrustAnchors

	db trustanchors

	import NameConstraints.ca:x:CT,C,C
	# Name Constrained CA: Name constrained to permited DNSName ".example"
	import NameConstraints.ncca:x:CT,C,C
	import NameConstraints.dcisscopy:x:CT,C,C
	import NameConstraints.ipaca:x:CT,C,C

	# Intermediate 1: Name constrained to permited DNSName ".example"

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
	# altDNS: test.invalid
	# Fail: CN not in name constraints, altDNS not in name constraints
	verify NameConstraints.server1:x
	cert NameConstraints.intermediate:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
	# Fail: CN not in name constraints
	verify NameConstraints.server2:x
	cert NameConstraints.intermediate:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
	# altDNS: test.example
	verify NameConstraints.server3:x
	cert NameConstraints.intermediate:x
	result pass

	# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
	# altDNS: test.invalid
	# Fail: CN not in name constraints, altDNS not in name constraints
	verify NameConstraints.server4:x
	cert NameConstraints.intermediate2:x
	cert NameConstraints.intermediate:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
	# Fail: CN not in name constraints
	verify NameConstraints.server5:x
	cert NameConstraints.intermediate2:x
	cert NameConstraints.intermediate:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
	# altDNS: test.example
	verify NameConstraints.server6:x
	cert NameConstraints.intermediate2:x
	cert NameConstraints.intermediate:x
	result pass

	# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
	# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
	# and a permitted DNSName of "foo.example"

	# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
	# No name constraints present
	# Signed by Intermediate 3 (inherits name constraints)

	# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
	verify NameConstraints.server7:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result pass

	# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
	verify NameConstraints.server8:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result pass

	# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
	# Fail: ST is missing in the DirectoryName, thus not matching name constraints
	verify NameConstraints.server9:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result fail

	# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
	# Fail: CN not in name constraints
	verify NameConstraints.server10:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result fail

	# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
	# altDNS:foo.example
	# Pass: Ignores CN constraint name violation because SAN is present
	verify NameConstraints.server11:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result pass

	# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
	# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
	verify NameConstraints.server12:x
	cert NameConstraints.intermediate4:x
	cert NameConstraints.intermediate3:x
	result fail

	# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
	# No name constraints present
	# Signed by Intermediate 3.
	# Intermediate 5's subject is not in Intermediate 3's permitted
	# names, so all certs issued by it are invalid.

	# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
	# Fail: Org matches Intermediate 5's name constraints, but does not match
	# Intermediate 3' name constraints
	verify NameConstraints.server13:x
	cert NameConstraints.intermediate5:x
	cert NameConstraints.intermediate3:x
	result fail

	# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
	# Fail: Matches Intermediate 5's name constraints, but fails because
	# Intermediate 5 does not match Intermediate 3's name constraints
	verify NameConstraints.server14:x
	cert NameConstraints.intermediate5:x
	cert NameConstraints.intermediate3:x
	result fail

	# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
	# No name constraints present
	# Signed by Named Constrained CA (inherits root name constraints)

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
	# altDNS: testfoo.invalid
	# Fail: CN not in name constraints, altDNS not in name constraints
	verify NameConstraints.server15:x
	cert NameConstraints.intermediate6:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
	# Fail: CN not in name constraints
	verify NameConstraints.server16:x
	cert NameConstraints.intermediate6:x
	result fail

	# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
	# altDNS: test4.example
	verify NameConstraints.server17:x
	cert NameConstraints.intermediate6:x
	result pass

	# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
	verify NameConstraints.dcissblocked:x
	result fail

	# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
	verify NameConstraints.dcissallowed:x
	result pass

	# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
	# EKUs: OCSPSigning,ipsecUser
	#
	# This tests that a non server certificate (i.e. id-kp-serverAuth
	# not present in EKU) does NOT have CN treated as dnsName for
	# purposes of Name Constraints validation (certificateUsageStatusResponder)
	# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
	verify NameConstraints.ocsp1:x
	usage 10
	result pass

	# This tests that a non server certificate (i.e. id-kp-serverAuth
	# not present in EKU) does NOT have CN treated as dnsName for
	# purposes of Name Constraints validation (certificateUsageIPsec)
	verify NameConstraints.ocsp1:x
	usage 12
	result pass