summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/chains/scenarios/nameconstraints.cfg
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/tests/chains/scenarios/nameconstraints.cfg')
-rw-r--r--security/nss/tests/chains/scenarios/nameconstraints.cfg161
1 files changed, 161 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 000000000..6eda441ce
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,161 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+