authorCamilo Viecco <cviecco@mozilla.com>2014-02-05 17:26:57 -0800
committerCamilo Viecco <cviecco@mozilla.com>2014-02-05 17:26:57 -0800
commit94e17823a8a4281ae48f4819b541b187e5085249 (patch)
tree9b7826178868f94532d21cb59dcb77d6a815fb4e /tests
parenta49cb1a1025fe038f4f2ce925d018edb60328b87 (diff)
downloadnss-hg-94e17823a8a4281ae48f4819b541b187e5085249.tar.gz
Bug 743700: Enforce name constraints for root certificates, r=rsleevi NSS_3_16_BETA1
Diffstat (limited to 'tests')
-rw-r--r--tests/chains/scenarios/nameconstraints.cfg25
-rw-r--r--tests/libpkix/certs/NameConstraints.ca.certbin626 -> 626 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate.certbin662 -> 662 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate2.certbin644 -> 644 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate3.certbin716 -> 716 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate4.certbin607 -> 607 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate5.certbin612 -> 612 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.intermediate6.certbin0 -> 611 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.ncca.certbin0 -> 672 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server1.certbin660 -> 660 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server10.certbin560 -> 560 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server11.certbin585 -> 585 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server12.certbin562 -> 562 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server13.certbin574 -> 574 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server14.certbin574 -> 574 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server15.certbin0 -> 634 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server16.certbin0 -> 612 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server17.certbin0 -> 630 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server2.certbin643 -> 643 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server3.certbin660 -> 660 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server4.certbin663 -> 663 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server5.certbin646 -> 646 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server6.certbin663 -> 663 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server7.certbin578 -> 578 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server8.certbin564 -> 564 bytes
-rw-r--r--tests/libpkix/certs/NameConstraints.server9.certbin551 -> 551 bytes
-rwxr-xr-xtests/libpkix/certs/make-nc89
27 files changed, 114 insertions, 0 deletions
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
index 9bc3db3b1..55f9acf55 100644
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -7,6 +7,8 @@ scenario TrustAnchors
db trustanchors
import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
# Intermediate 1: Name constrained to permited DNSName ".example"
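Review bot: The added comment sits below the `import NameConstraints.ncca:x:CT,C,C` line it describes and directly above the Intermediate 1 comment, so it reads as part of the intermediate's description. Move it above the import and fix the spelling: `# Name Constrained CA: Name constrained to permitted DNSName ".example"`. Because this certificate is imported as a trust anchor, it is worth stating in that comment that the constraint sits on the anchor itself, which is what the ncca-rooted cases later in the file exercise. The scenario block continues outside this hunk.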
@@ -124,5 +126,28 @@ verify NameConstraints.server14:x
cert NameConstraints.intermediate3:x
result fail
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
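Review bot: The three new cases use names that are either all outside `.example` (server15, server16) or all inside it (server17), so none has the CN and the altDNS on opposite sides of the root's constraint. That mixed case is the one most likely to expose a check that looks at only one of the two names. If the earlier intermediates in this file do not already cover it, consider adding such a case under `NameConstraints.intermediate6`. The server17 block also lacks the outcome comment the other two carry; add `# Pass: CN and altDNS in name constraints`.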
diff --git a/tests/libpkix/certs/NameConstraints.ca.cert b/tests/libpkix/certs/NameConstraints.ca.cert
index 7c1032a30..6d2e8469d 100644
--- a/tests/libpkix/certs/NameConstraints.ca.cert
+++ b/tests/libpkix/certs/NameConstraints.ca.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate.cert b/tests/libpkix/certs/NameConstraints.intermediate.cert
index d04c932d7..a310aa1ac 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate2.cert b/tests/libpkix/certs/NameConstraints.intermediate2.cert
index 16d176038..fc4b7c1c1 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate2.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate2.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate3.cert b/tests/libpkix/certs/NameConstraints.intermediate3.cert
index 4ffe9741d..051e55e56 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate3.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate3.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate4.cert b/tests/libpkix/certs/NameConstraints.intermediate4.cert
index 638cbd502..6e7efd53e 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate4.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate4.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate5.cert b/tests/libpkix/certs/NameConstraints.intermediate5.cert
index 79abbee16..823eccc05 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate5.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate5.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.intermediate6.cert b/tests/libpkix/certs/NameConstraints.intermediate6.cert
new file mode 100644
index 000000000..a2f17054e
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.intermediate6.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.ncca.cert b/tests/libpkix/certs/NameConstraints.ncca.cert
new file mode 100644
index 000000000..ecb24c7d5
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.ncca.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server1.cert b/tests/libpkix/certs/NameConstraints.server1.cert
index 2419cb858..60e8a1c69 100644
--- a/tests/libpkix/certs/NameConstraints.server1.cert
+++ b/tests/libpkix/certs/NameConstraints.server1.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server10.cert b/tests/libpkix/certs/NameConstraints.server10.cert
index 1ae9ceb64..21d9e8767 100644
--- a/tests/libpkix/certs/NameConstraints.server10.cert
+++ b/tests/libpkix/certs/NameConstraints.server10.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server11.cert b/tests/libpkix/certs/NameConstraints.server11.cert
index 5575f7f70..c458c8ce7 100644
--- a/tests/libpkix/certs/NameConstraints.server11.cert
+++ b/tests/libpkix/certs/NameConstraints.server11.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server12.cert b/tests/libpkix/certs/NameConstraints.server12.cert
index cebdbd6da..1a4e6fec2 100644
--- a/tests/libpkix/certs/NameConstraints.server12.cert
+++ b/tests/libpkix/certs/NameConstraints.server12.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server13.cert b/tests/libpkix/certs/NameConstraints.server13.cert
index 47862e03f..8b7295fb2 100644
--- a/tests/libpkix/certs/NameConstraints.server13.cert
+++ b/tests/libpkix/certs/NameConstraints.server13.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server14.cert b/tests/libpkix/certs/NameConstraints.server14.cert
index ef9da849f..8a989f996 100644
--- a/tests/libpkix/certs/NameConstraints.server14.cert
+++ b/tests/libpkix/certs/NameConstraints.server14.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server15.cert b/tests/libpkix/certs/NameConstraints.server15.cert
new file mode 100644
index 000000000..69d057c9a
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server15.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server16.cert b/tests/libpkix/certs/NameConstraints.server16.cert
new file mode 100644
index 000000000..0b24d7abb
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server16.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server17.cert b/tests/libpkix/certs/NameConstraints.server17.cert
new file mode 100644
index 000000000..2fc9437cd
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server17.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server2.cert b/tests/libpkix/certs/NameConstraints.server2.cert
index 1da581fdb..1c6e5510d 100644
--- a/tests/libpkix/certs/NameConstraints.server2.cert
+++ b/tests/libpkix/certs/NameConstraints.server2.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server3.cert b/tests/libpkix/certs/NameConstraints.server3.cert
index 6b1c1dab7..bd93572dd 100644
--- a/tests/libpkix/certs/NameConstraints.server3.cert
+++ b/tests/libpkix/certs/NameConstraints.server3.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server4.cert b/tests/libpkix/certs/NameConstraints.server4.cert
index 06cc8e262..ca9d1b1c3 100644
--- a/tests/libpkix/certs/NameConstraints.server4.cert
+++ b/tests/libpkix/certs/NameConstraints.server4.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server5.cert b/tests/libpkix/certs/NameConstraints.server5.cert
index ee5b9c316..1798de766 100644
--- a/tests/libpkix/certs/NameConstraints.server5.cert
+++ b/tests/libpkix/certs/NameConstraints.server5.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server6.cert b/tests/libpkix/certs/NameConstraints.server6.cert
index 898c15c5c..5698f8ebd 100644
--- a/tests/libpkix/certs/NameConstraints.server6.cert
+++ b/tests/libpkix/certs/NameConstraints.server6.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server7.cert b/tests/libpkix/certs/NameConstraints.server7.cert
index 0a89f8fe8..3cf85d047 100644
--- a/tests/libpkix/certs/NameConstraints.server7.cert
+++ b/tests/libpkix/certs/NameConstraints.server7.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server8.cert b/tests/libpkix/certs/NameConstraints.server8.cert
index 4cceda663..f0694ed03 100644
--- a/tests/libpkix/certs/NameConstraints.server8.cert
+++ b/tests/libpkix/certs/NameConstraints.server8.cert
Binary files differ
diff --git a/tests/libpkix/certs/NameConstraints.server9.cert b/tests/libpkix/certs/NameConstraints.server9.cert
index bec8ee9a5..517c0ae31 100644
--- a/tests/libpkix/certs/NameConstraints.server9.cert
+++ b/tests/libpkix/certs/NameConstraints.server9.cert
Binary files differ
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
index 9493d126b..28080eba7 100755
--- a/tests/libpkix/certs/make-nc
+++ b/tests/libpkix/certs/make-nc
@@ -340,6 +340,90 @@ y
n
CERTSCRIPT
+certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
certutil -d . -L -n ca -r > NameConstraints.ca.cert
certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
certutil -d . -L -n server1 -r > NameConstraints.server1.cert
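Review bot: The only thing that makes `ncca` name-constrained is the `3` / `.example` / `1` run inside its heredoc, and nothing says which certutil prompts those answers belong to. A comment above the command such as `# --extNC answers: name type 3 (presumably dNSName), value .example, 1 (presumably "permitted") - confirm against certutil's prompts` would let a reader check the fixture against what nameconstraints.cfg claims. Separately, these certificates are issued with `-v 115` to `-v 120` months of validity and checked in as binaries. Once they expire, the `result fail` cases can fail for expiry rather than for name constraints unless the harness pins the verification time, which is not visible from this hunk.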
@@ -361,5 +445,10 @@ certutil -d . -L -n server12 -r > NameConstraints.server12.cert
certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
certutil -d . -L -n server13 -r > NameConstraints.server13.cert
certutil -d . -L -n server14 -r > NameConstraints.server14.cert
+certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
+certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
+certutil -d . -L -n server15 -r > NameConstraints.server15.cert
+certutil -d . -L -n server16 -r > NameConstraints.server16.cert
+certutil -d . -L -n server17 -r > NameConstraints.server17.cert
echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"
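Review bot: Each added export redirects certutil's output straight into the fixture file with no status check, so if an earlier `certutil -S` failed and the nickname is missing, the redirect still leaves an empty `NameConstraints.*.cert` behind. Unless the script enables `set -e` outside this hunk, add a check, e.g. `certutil -d . -L -n ncca -r > NameConstraints.ncca.cert || exit 1`. The closing `echo` still lists only nine files and mentions none of the five added here.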