author | Camilo Viecco <cviecco@mozilla.com> | 2014-02-05 17:26:57 -0800 |
committer | Camilo Viecco <cviecco@mozilla.com> | 2014-02-05 17:26:57 -0800 |
commit | 94e17823a8a4281ae48f4819b541b187e5085249 (patch) | |
tree | 9b7826178868f94532d21cb59dcb77d6a815fb4e /tests | |
parent | a49cb1a1025fe038f4f2ce925d018edb60328b87 (diff) | |
download | nss-hg-94e17823a8a4281ae48f4819b541b187e5085249.tar.gz |
Bug 743700: Enforce name constriants for root certificates, r=rsleeviNSS_3_16_BETA1
Diffstat (limited to 'tests')
27 files changed, 114 insertions, 0 deletions
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
index 9bc3db3b1..55f9acf55 100644
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -7,6 +7,8 @@ scenario TrustAnchors
 db trustanchors
 import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
 # Intermediate 1: Name constrained to permited DNSName ".example"
@@ -124,5 +126,28 @@ verify NameConstraints.server14:x
 cert NameConstraints.intermediate3:x
 result fail
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
diff --git a/tests/libpkix/certs/NameConstraints.ca.cert b/tests/libpkix/certs/NameConstraints.ca.cert
Binary files differ
index 7c1032a30..6d2e8469d 100644
--- a/tests/libpkix/certs/NameConstraints.ca.cert
+++ b/tests/libpkix/certs/NameConstraints.ca.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate.cert b/tests/libpkix/certs/NameConstraints.intermediate.cert
Binary files differ
index d04c932d7..a310aa1ac 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate.cert
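Review bot: The server15–17 scenarios in the second hunk are the only chains in this file whose sole name constraint sits on the trust anchor (ncca) rather than on an intermediate, yet the Intermediate 6 header only says it "inherits root name constraints" and never states that root-level enforcement is the property under test, so a reader comparing them with the intermediate1–5 cases cannot tell why they exist. I would extend that header with `# Purpose: no intermediate carries a constraint, so only root-level enforcement can reject server15/server16 (and admit server17)` — presumably a verifier that skipped the anchor's extension would pass all three. The first hunk's new comment `+# Name Constrained CA: Name constrained to permited DNSName ".example"` copies the existing misspelling from the Intermediate 1 line; since this is the line documenting what ncca enforces, write `permitted`. The blank context lines of both hunks were collapsed in this rendering, so their exact placement is not visible here.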
+++ b/tests/libpkix/certs/NameConstraints.intermediate.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate2.cert b/tests/libpkix/certs/NameConstraints.intermediate2.cert
Binary files differ
index 16d176038..fc4b7c1c1 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate2.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate2.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate3.cert b/tests/libpkix/certs/NameConstraints.intermediate3.cert
Binary files differ
index 4ffe9741d..051e55e56 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate3.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate3.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate4.cert b/tests/libpkix/certs/NameConstraints.intermediate4.cert
Binary files differ
index 638cbd502..6e7efd53e 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate4.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate4.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate5.cert b/tests/libpkix/certs/NameConstraints.intermediate5.cert
Binary files differ
index 79abbee16..823eccc05 100644
--- a/tests/libpkix/certs/NameConstraints.intermediate5.cert
+++ b/tests/libpkix/certs/NameConstraints.intermediate5.cert
diff --git a/tests/libpkix/certs/NameConstraints.intermediate6.cert b/tests/libpkix/certs/NameConstraints.intermediate6.cert
Binary files differ
new file mode 100644
index 000000000..a2f17054e
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.intermediate6.cert
diff --git a/tests/libpkix/certs/NameConstraints.ncca.cert b/tests/libpkix/certs/NameConstraints.ncca.cert
Binary files differ
new file mode 100644
index 000000000..ecb24c7d5
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.ncca.cert
diff --git a/tests/libpkix/certs/NameConstraints.server1.cert b/tests/libpkix/certs/NameConstraints.server1.cert
Binary files differ
index 2419cb858..60e8a1c69 100644
--- a/tests/libpkix/certs/NameConstraints.server1.cert
+++ b/tests/libpkix/certs/NameConstraints.server1.cert
diff --git a/tests/libpkix/certs/NameConstraints.server10.cert b/tests/libpkix/certs/NameConstraints.server10.cert
Binary files differ
index 1ae9ceb64..21d9e8767 100644
--- a/tests/libpkix/certs/NameConstraints.server10.cert
+++ b/tests/libpkix/certs/NameConstraints.server10.cert
diff --git a/tests/libpkix/certs/NameConstraints.server11.cert b/tests/libpkix/certs/NameConstraints.server11.cert
Binary files differ
index 5575f7f70..c458c8ce7 100644
--- a/tests/libpkix/certs/NameConstraints.server11.cert
+++ b/tests/libpkix/certs/NameConstraints.server11.cert
diff --git a/tests/libpkix/certs/NameConstraints.server12.cert b/tests/libpkix/certs/NameConstraints.server12.cert
Binary files differ
index cebdbd6da..1a4e6fec2 100644
--- a/tests/libpkix/certs/NameConstraints.server12.cert
+++ b/tests/libpkix/certs/NameConstraints.server12.cert
diff --git a/tests/libpkix/certs/NameConstraints.server13.cert b/tests/libpkix/certs/NameConstraints.server13.cert
Binary files differ
index 47862e03f..8b7295fb2 100644
--- a/tests/libpkix/certs/NameConstraints.server13.cert
+++ b/tests/libpkix/certs/NameConstraints.server13.cert
diff --git a/tests/libpkix/certs/NameConstraints.server14.cert b/tests/libpkix/certs/NameConstraints.server14.cert
Binary files differ
index ef9da849f..8a989f996 100644
--- a/tests/libpkix/certs/NameConstraints.server14.cert
+++ b/tests/libpkix/certs/NameConstraints.server14.cert
diff --git a/tests/libpkix/certs/NameConstraints.server15.cert b/tests/libpkix/certs/NameConstraints.server15.cert
Binary files differ
new file mode 100644
index 000000000..69d057c9a
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server15.cert
diff --git a/tests/libpkix/certs/NameConstraints.server16.cert b/tests/libpkix/certs/NameConstraints.server16.cert
Binary files differ
new file mode 100644
index 000000000..0b24d7abb
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server16.cert
diff --git a/tests/libpkix/certs/NameConstraints.server17.cert b/tests/libpkix/certs/NameConstraints.server17.cert
Binary files differ
new file mode 100644
index 000000000..2fc9437cd
--- /dev/null
+++ b/tests/libpkix/certs/NameConstraints.server17.cert
diff --git a/tests/libpkix/certs/NameConstraints.server2.cert b/tests/libpkix/certs/NameConstraints.server2.cert
Binary files differ
index 1da581fdb..1c6e5510d 100644
--- a/tests/libpkix/certs/NameConstraints.server2.cert
+++ b/tests/libpkix/certs/NameConstraints.server2.cert
diff --git a/tests/libpkix/certs/NameConstraints.server3.cert b/tests/libpkix/certs/NameConstraints.server3.cert
Binary files differ
index 6b1c1dab7..bd93572dd 100644
--- a/tests/libpkix/certs/NameConstraints.server3.cert
+++ b/tests/libpkix/certs/NameConstraints.server3.cert
diff --git a/tests/libpkix/certs/NameConstraints.server4.cert b/tests/libpkix/certs/NameConstraints.server4.cert
Binary files differ
index 06cc8e262..ca9d1b1c3 100644
--- a/tests/libpkix/certs/NameConstraints.server4.cert
+++ b/tests/libpkix/certs/NameConstraints.server4.cert
diff --git a/tests/libpkix/certs/NameConstraints.server5.cert b/tests/libpkix/certs/NameConstraints.server5.cert
Binary files differ
index ee5b9c316..1798de766 100644
--- a/tests/libpkix/certs/NameConstraints.server5.cert
+++ b/tests/libpkix/certs/NameConstraints.server5.cert
diff --git a/tests/libpkix/certs/NameConstraints.server6.cert b/tests/libpkix/certs/NameConstraints.server6.cert
Binary files differ
index 898c15c5c..5698f8ebd 100644
--- a/tests/libpkix/certs/NameConstraints.server6.cert
+++ b/tests/libpkix/certs/NameConstraints.server6.cert
diff --git a/tests/libpkix/certs/NameConstraints.server7.cert b/tests/libpkix/certs/NameConstraints.server7.cert
Binary files differ
index 0a89f8fe8..3cf85d047 100644
--- a/tests/libpkix/certs/NameConstraints.server7.cert
+++ b/tests/libpkix/certs/NameConstraints.server7.cert
diff --git a/tests/libpkix/certs/NameConstraints.server8.cert b/tests/libpkix/certs/NameConstraints.server8.cert
Binary files differ
index 4cceda663..f0694ed03 100644
--- a/tests/libpkix/certs/NameConstraints.server8.cert
+++ b/tests/libpkix/certs/NameConstraints.server8.cert
diff --git a/tests/libpkix/certs/NameConstraints.server9.cert b/tests/libpkix/certs/NameConstraints.server9.cert
Binary files differ
index bec8ee9a5..517c0ae31 100644
--- a/tests/libpkix/certs/NameConstraints.server9.cert
+++ b/tests/libpkix/certs/NameConstraints.server9.cert
diff --git a/tests/libpkix/certs/make-nc b/tests/libpkix/certs/make-nc
index 9493d126b..28080eba7 100755
--- a/tests/libpkix/certs/make-nc
+++ b/tests/libpkix/certs/make-nc
@@ -340,6 +340,90 @@ y
 n
 CERTSCRIPT
 
+certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
 certutil -d . -L -n ca -r > NameConstraints.ca.cert
 certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
 certutil -d . -L -n server1 -r > NameConstraints.server1.cert
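Review bot: The five new certutil heredocs are bare sequences of menu answers (`5 6 9 n y`, `n 3 .example 1 n n`, `0 2 3 4 9 n n y 0 1 9 n`) with nothing saying which prompt each answers, and the `--extNC` block on the ncca line is the one that defines the permitted subtree for the whole scenario, so a maintainer cannot change or audit it without replaying certutil interactively. A comment above the ncca invocation such as `# --extNC answers: one permitted subtree, DNSName ".example", no excluded subtrees` and one-line notes on the `-1`/`-2`/`-5` answer groups would make the fixture reviewable. If I read `-v`/`-w` correctly, the fixed validity windows (`-v 118`, `-v 120`, `-v 115` months from the `-w` offsets) mean the checked-in .cert files expire after roughly a decade and the chains scenarios will start failing; recording the generation date and the intended expiry in the script would help whoever hits that. The script continues past this hunk (the export lines follow in the next hunk), and the blank context line restored before the first `+certutil` was collapsed in this rendering.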
@@ -361,5 +445,10 @@ certutil -d . -L -n server12 -r > NameConstraints.server12.cert
 certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
 certutil -d . -L -n server13 -r > NameConstraints.server13.cert
 certutil -d . -L -n server14 -r > NameConstraints.server14.cert
+certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
+certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
+certutil -d . -L -n server15 -r > NameConstraints.server15.cert
+certutil -d . -L -n server16 -r > NameConstraints.server16.cert
+certutil -d . -L -n server17 -r > NameConstraints.server17.cert
 echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert" |
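Review bot: The `echo "Created multiple files in subdirectory tmp: …"` summary that follows the five new export lines still enumerates only ca, intermediate, server1–3, intermediate2 and server4–6, so the script's own report omits ncca, intermediate6 and server15–17 (it already omitted server7–14, which suggests the list has been stale for some time). Either append the new names or replace the enumeration with a generic `echo "Created the NameConstraints.*.cert files in subdirectory tmp"` so the message cannot drift again. The hunk's last context line after the echo is not visible in this rendering.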