Bug 970542, Part 7: More CN-ID name constraint tests, r=keeler

--HG-- extra : rebase_source : 7a3d1d31cdc08ea1b989428cfc85f60a00528c72
2024-11-28 07:13:20 +00:00 · 2014-12-03 21:35:29 -08:00 · 2014-12-03 21:35:29 -08:00 · 5fac205908
commit 5fac205908
parent ac1c16b716
1 changed files with 84 additions and 3 deletions
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@ -1029,6 +1029,9 @@ static const uint8_t ipv4_addr_bytes[] = {
 };
 static const uint8_t ipv4_addr_bytes_as_str[] = "\x01\x02\x03\x04";
 static const uint8_t ipv4_addr_str[] = "1.2.3.4";
+static const uint8_t ipv4_addr_bytes_FFFFFFFF[8] = {
+  1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff
+};

 static const uint8_t ipv4_compatible_ipv6_addr_bytes[] = {
  0, 0, 0, 0,
@ -1061,6 +1064,14 @@ static const uint8_t ipv6_addr_bytes_as_str[] =
 static const uint8_t ipv6_addr_str[] =
  "1122:3344:5566:7788:99aa:bbcc:ddee:ff11";

+static const uint8_t ipv4_other_addr_bytes[] = {
+  5, 6, 7, 8
+};
+static const uint8_t ipv4_other_addr_str[] = "5.6.7.8";
+static const uint8_t ipv4_other_addr_bytes_FFFFFFFF[] = {
+  5, 6, 7, 8, 0xff, 0xff, 0xff, 0xff
+};
+
 // Note that, for DNSNames, these test cases in CHECK_CERT_HOSTNAME_PARAMS are
 // mostly about testing different scenerios regarding the structure of entries
 // in the subjectAltName and subject of the certificate, than about the how
@ -1716,6 +1727,76 @@ static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
  },
+  { // Empty SAN is rejected
+    RDN(CN("a.example.com")), ByteString(),
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // DNSName CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // DNSName CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID match not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+  },
+  { // DNSName CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Success
+  },
+
+  { // IPAddress CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // IPAddress CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID match not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },

  /////////////////////////////////////////////////////////////////////////////
  // Test that constraints are applied to the most specific (last) CN, and only
@ -1798,9 +1879,9 @@ TEST_P(pkixnames_CheckNameConstraints,
    ASSERT_EQ(Success,
              nameConstraints.Init(nameConstraintsDER.data(),
                                   nameConstraintsDER.length()));
-    ASSERT_EQ((param.expectedPermittedSubtreesResult == Success &&
-               param.expectedExcludedSubtreesResult == Success)
-                ? Success
+    ASSERT_EQ((param.expectedPermittedSubtreesResult ==
+               param.expectedExcludedSubtreesResult)
+                ? param.expectedExcludedSubtreesResult
                : Result::ERROR_CERT_NOT_IN_NAME_SPACE,
              CheckNameConstraints(nameConstraints, cert,
                                   KeyPurposeId::id_kp_serverAuth));