diff options
Diffstat (limited to 'security/nss/tests/chains/scenarios/nameconstraints.cfg')
-rw-r--r-- | security/nss/tests/chains/scenarios/nameconstraints.cfg | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg new file mode 100644 index 000000000..6eda441ce --- /dev/null +++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg @@ -0,0 +1,161 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario TrustAnchors + +db trustanchors + +import NameConstraints.ca:x:CT,C,C +# Name Constrained CA: Name constrained to permited DNSName ".example" +import NameConstraints.ncca:x:CT,C,C +import NameConstraints.dcisscopy:x:CT,C,C + +# Intermediate 1: Name constrained to permited DNSName ".example" + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" +# altDNS: test.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server1:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" +# altDNS: test.example +verify NameConstraints.server3:x + cert NameConstraints.intermediate:x + result pass + +# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints) + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid" +# altDNS: test.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server4:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server5:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example" +# altDNS: test.example +verify NameConstraints.server6:x + cert NameConstraints.intermediate2:x + cert NameConstraints.intermediate:x + result pass + +# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3" +# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo" +# and a permitted DNSName of "foo.example" + +# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2" +# No name constraints present +# Signed by Intermediate 3 (inherits name constraints) + +# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN +verify NameConstraints.server7:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN +verify NameConstraints.server8:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN +# Fail: ST is missing in the DirectoryName, thus not matching name constraints +verify NameConstraints.server9:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=bar.example" +# Fail: CN not in name constraints +verify NameConstraints.server10:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=site.example" +# altDNS:foo.example +# Pass: Ignores CN constraint name violation because SAN is present +verify NameConstraints.server11:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result pass + +# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed" +# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped' +verify NameConstraints.server12:x + cert NameConstraints.intermediate4:x + cert NameConstraints.intermediate3:x + result fail + +# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2" +# No name constraints present +# Signed by Intermediate 3. +# Intermediate 5's subject is not in Intermediate 3's permitted +# names, so all certs issued by it are invalid. + +# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example" +# Fail: Org matches Intermediate 5's name constraints, but does not match +# Intermediate 3' name constraints +verify NameConstraints.server13:x + cert NameConstraints.intermediate5:x + cert NameConstraints.intermediate3:x + result fail + +# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example" +# Fail: Matches Intermediate 5's name constraints, but fails because +# Intermediate 5 does not match Intermediate 3's name constraints +verify NameConstraints.server14:x + cert NameConstraints.intermediate5:x + cert NameConstraints.intermediate3:x + result fail + +# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6" +# No name constraints present +# Signed by Named Constrained CA (inherits root name constraints) + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid" +# altDNS: testfoo.invalid +# Fail: CN not in name constraints, altDNS not in name constraints +verify NameConstraints.server15:x + cert NameConstraints.intermediate6:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN +# Fail: CN not in name constraints +verify NameConstraints.server16:x + cert NameConstraints.intermediate6:x + result fail + +# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example" +# altDNS: test4.example +verify NameConstraints.server17:x + cert NameConstraints.intermediate6:x + result pass + +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com" +verify NameConstraints.dcissblocked:x + result fail + +# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr" +verify NameConstraints.dcissallowed:x + result pass + + |