author | wolfbeast <mcwerewolf@wolfbeast.com> | 2020-01-02 21:06:40 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2020-01-02 21:06:40 +0100 |
commit | f4a12fc67689a830e9da1c87fd11afe5bc09deb3 (patch) | |
tree | 211ae0cd022a6c11b0026ecc7761a550c584583c /security/nss/tests/chains/scenarios | |
parent | f7d30133221896638f7bf4f66c504255c4b14f48 (diff) | |
Issue #1338 - Part 2: Update NSS to 3.48-RTM
Diffstat (limited to 'security/nss/tests/chains/scenarios')
-rw-r--r-- | security/nss/tests/chains/scenarios/ipsec.cfg | 88 | ||||
-rw-r--r-- | security/nss/tests/chains/scenarios/nameconstraints.cfg | 9 |
2 files changed, 97 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg index 811bf9c09..8c1ef3994 100644 --- a/security/nss/tests/chains/scenarios/ipsec.cfg +++ b/security/nss/tests/chains/scenarios/ipsec.cfg @@ -35,6 +35,58 @@ entity NoMatch issuer CA1 ku keyEncipherment,dataEncipherment,keyAgreement +entity NonCriticalServerAuthEKU + type EE + issuer CA1 + eku serverAuth + +entity NonIPSECEKU + type EE + issuer CA1 + eku codeSigning + +entity CriticalServerAuthEKU + type EE + issuer CA1 + ku digitalSignature + eku critical,serverAuth + +entity EKUIPsecIKE + type EE + issuer CA1 + ku digitalSignature + eku critical,ipsecIKE + +entity EKUIPsecIKEEnd + type EE + issuer CA1 + ku digitalSignature + eku ipsecIKEEnd + +entity EKUIPsecIKEIntermediate + type EE + issuer CA1 + ku digitalSignature + eku codeSigning,serverAuth,ipsecIKEIntermediate + +entity EKUAny + type EE + issuer CA1 + ku digitalSignature + eku x509Any + +entity EKUEmail + type EE + issuer CA1 + ku digitalSignature + eku emailProtection + +entity EKUIPsecUser + type EE + issuer CA1 + ku digitalSignature + eku ipsecUser + db All import Root::C,, @@ -59,3 +111,39 @@ verify DigSigNonRepAndExtra:CA1 verify NoMatch:CA1 usage 12 result fail + +verify NonIPSECEKU:CA1 + usage 12 + result fail + +verify NonCriticalServerAuthEKU:CA1 + usage 12 + result pass + +verify CriticalServerAuthEKU:CA1 + usage 12 + result pass + +verify EKUIPsecIKE:CA1 + usage 12 + result pass + +verify EKUIPsecIKEEnd:CA1 + usage 12 + result pass + +verify EKUIPsecIKEIntermediate:CA1 + usage 12 + result pass + +verify EKUAny:CA1 + usage 12 + result pass + +verify EKUEmail:CA1 + usage 12 + result pass + +verify EKUIPsecUser:CA1 + usage 12 + result pass diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg index 6eda441ce..4a149032b 100644 --- a/security/nss/tests/chains/scenarios/nameconstraints.cfg 
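Review bot: In the ipsec.cfg verify hunk, the stanzas for EKUEmail (EKU `emailProtection` only) and EKUAny (`x509Any`) are expected to pass `usage 12` with no comment saying that this acceptance is intended, while the only EKU rejected by the new cases is `codeSigning` (NonIPSECEKU). Someone auditing the IPsec EKU policy cannot tell from these lines whether accepting an e-mail-only certificate is deliberate compatibility behaviour or a mistake in the expectation. I would add a short comment above each non-obvious case, for example `# emailProtection-only EKU: expected to be accepted for usage 12 (IPsec)` above `verify EKUEmail:CA1`, the way the nameconstraints.cfg hunk explains its OCSP case. The entity hunk earlier in the same file has a similar gap: NonCriticalServerAuthEKU and NonIPSECEKU omit the `ku digitalSignature` line that the other seven new entities carry, and a one-line comment stating whether that omission is part of what is being tested would remove the ambiguity.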
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg @@ -10,6 +10,7 @@ import NameConstraints.ca:x:CT,C,C # Name Constrained CA: Name constrained to permited DNSName ".example" import NameConstraints.ncca:x:CT,C,C import NameConstraints.dcisscopy:x:CT,C,C +import NameConstraints.ipaca:x:CT,C,C # Intermediate 1: Name constrained to permited DNSName ".example" @@ -158,4 +159,12 @@ verify NameConstraints.dcissblocked:x verify NameConstraints.dcissallowed:x result pass +# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem" +# +# This tests that a non server certificate (i.e. id-kp-serverAuth +# not present in EKU) does *NOT* have CN treated as dnsName for +# purposes of Name Constraints validation +verify NameConstraints.ocsp1:x + usage 10 + result pass |