Google Git
Sign in
boringssl / boringssl.git / 90ceeb021579cdec2c1dd663a5f993e7161f5082 / . / pki / name_constraints_unittest.cc
blob: 569bbec071284dc45d8ee44a5e27cc5acf7a4be2 [file] [log] [blame]
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1// Copyright 2015 The Chromium Authors
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "name_constraints.h"
6
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]7#include <array>
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]8#include <memory>
9
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]10#include <gtest/gtest.h>
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]11#include "common_cert_errors.h"
12#include "test_helpers.h"
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]13
14namespace bssl {
15namespace {
16
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]17::testing::AssertionResult LoadTestData(const char *token,
18 const std::string &basename,
19 std::string *result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]20 std::string path = "testdata/name_constraints_unittest/" + basename;
21
22 const PemBlockMapping mappings[] = {
23 {token, result},
24 };
25
26 return ReadTestDataFromPemFile(path, mappings);
27}
28
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]29::testing::AssertionResult LoadTestName(const std::string &basename,
30 std::string *result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]31 return LoadTestData("NAME", basename, result);
32}
33
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]34::testing::AssertionResult LoadTestNameConstraint(const std::string &basename,
35 std::string *result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]36 return LoadTestData("NAME CONSTRAINTS", basename, result);
37}
38
39::testing::AssertionResult LoadTestSubjectAltNameData(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]40 const std::string &basename, std::string *result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]41 return LoadTestData("SUBJECT ALTERNATIVE NAME", basename, result);
42}
43
44::testing::AssertionResult LoadTestSubjectAltName(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]45 const std::string &basename, std::unique_ptr<GeneralNames> *result,
46 std::string *result_der) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]47 ::testing::AssertionResult load_result =
48 LoadTestSubjectAltNameData(basename, result_der);
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]49 if (!load_result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]50 return load_result;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]51 }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]52 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]53 *result = GeneralNames::Create(der::Input(*result_der), &errors);
54 if (!*result) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]55 return ::testing::AssertionFailure() << "Create failed";
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]56 }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]57 return ::testing::AssertionSuccess();
58}
59
60::testing::AssertionResult IsPermittedCert(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]61 const NameConstraints *name_constraints,
62 const der::Input &subject_rdn_sequence,
63 const GeneralNames *subject_alt_names) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]64 CertErrors errors;
65 name_constraints->IsPermittedCert(subject_rdn_sequence, subject_alt_names,
66 &errors);
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]67 if (!errors.ContainsAnyErrorWithSeverity(CertError::SEVERITY_HIGH)) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]68 return ::testing::AssertionSuccess();
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]69 }
70 if (!errors.ContainsError(cert_errors::kNotPermittedByNameConstraints)) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]71 ADD_FAILURE() << "unexpected error " << errors.ToDebugString();
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]72 }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]73 return ::testing::AssertionFailure();
74}
75
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]76std::array<uint8_t, 4> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]77 uint8_t b3) {
78 return {b0, b1, b2, b3};
79}
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]80std::array<uint8_t, 16> IPAddress(uint8_t b0, uint8_t b1, uint8_t b2,
81 uint8_t b3, uint8_t b4, uint8_t b5,
82 uint8_t b6, uint8_t b7, uint8_t b8,
83 uint8_t b9, uint8_t b10, uint8_t b11,
84 uint8_t b12, uint8_t b13, uint8_t b14,
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]85 uint8_t b15) {
86 return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
87}
88
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]89} // namespace
90
91class ParseNameConstraints
92 : public ::testing::TestWithParam<::testing::tuple<bool>> {
93 public:
94 bool is_critical() const { return ::testing::get<0>(GetParam()); }
95};
96
97// Run the tests with the name constraints marked critical and non-critical. For
98// supported name types, the results should be the same for both.
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]99INSTANTIATE_TEST_SUITE_P(InstantiationName, ParseNameConstraints,
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]100 ::testing::Values(true, false));
101
102TEST_P(ParseNameConstraints, DNSNames) {
103 std::string a;
104 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
105
106 CertErrors errors;
107 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]108 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]109 ASSERT_TRUE(name_constraints);
110
111 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
112 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
113 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
114 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
115 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
116 EXPECT_TRUE(
117 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
118 EXPECT_FALSE(
119 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
120 EXPECT_FALSE(
121 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
122 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
123 "stillnotpermitted.excluded.permitted.example.com"));
124 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
125 "a.stillnotpermitted.excluded.permitted.example.com"));
126 EXPECT_FALSE(
127 name_constraints->IsPermittedDNSName("extraneousexclusion.example.com"));
128 EXPECT_FALSE(name_constraints->IsPermittedDNSName(
129 "a.extraneousexclusion.example.com"));
130 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.example.com"));
131 EXPECT_FALSE(name_constraints->IsPermittedDNSName("other.com"));
132
133 // Wildcard names:
134 // Pattern could match excluded.permitted.example.com, thus should not be
135 // allowed.
136 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.permitted.example.com"));
137 // Entirely within excluded name, obviously not allowed.
138 EXPECT_FALSE(
139 name_constraints->IsPermittedDNSName("*.excluded.permitted.example.com"));
140 // Within permitted.example.com and cannot match any exclusion, thus these are
141 // allowed.
142 EXPECT_TRUE(
143 name_constraints->IsPermittedDNSName("*.foo.permitted.example.com"));
144 EXPECT_TRUE(
145 name_constraints->IsPermittedDNSName("*.alsopermitted.example.com"));
146 // Matches permitted.example2.com, but also matches other .example2.com names
147 // which are not in either permitted or excluded, so not allowed.
148 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.example2.com"));
149 // Partial wildcards are not supported, so these name are permitted even if
150 // it seems like they shouldn't be. It's fine, since certificate verification
151 // won't treat them as wildcard names either.
152 EXPECT_TRUE(
153 name_constraints->IsPermittedDNSName("*xcluded.permitted.example.com"));
154 EXPECT_TRUE(
155 name_constraints->IsPermittedDNSName("exclude*.permitted.example.com"));
156 EXPECT_TRUE(
157 name_constraints->IsPermittedDNSName("excl*ded.permitted.example.com"));
158 // Garbage wildcard data.
159 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*."));
160 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.*"));
161 EXPECT_FALSE(name_constraints->IsPermittedDNSName(".*"));
162 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*"));
163 // Matches SAN with trailing dot.
164 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com"));
165 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
166 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
167 EXPECT_TRUE(
168 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
169
170 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->constrained_name_types());
171
172 std::string san_der;
173 std::unique_ptr<GeneralNames> san;
174 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
175 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
176
177 ASSERT_TRUE(
178 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
179 EXPECT_FALSE(
180 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
181
182 ASSERT_TRUE(
183 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
184 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
185
186 ASSERT_TRUE(
187 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
188 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
189}
190
191TEST_P(ParseNameConstraints,
192 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
193 std::string a;
194 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
195 CertErrors errors;
196 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]197 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]198 ASSERT_TRUE(name_constraints);
199
200 // Matches permitted exactly.
201 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
202 // Contained within permitted and doesn't match excluded (foo.bar.com).
203 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
204 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
205 // Matches excluded exactly.
206 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
207 // Contained within excluded.
208 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
209
210 // Cannot match anything within excluded.
211 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
212 // Wildcard hostnames only match a single label, so cannot match excluded
213 // which has two labels before .com.
214 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
215
216 // Partial match of foo.bar.com.
217 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
218 // All expansions of wildcard are within excluded.
219 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
220}
221
222TEST_P(ParseNameConstraints, DNSNamesPermittedWithLeadingDot) {
223 std::string a;
224 ASSERT_TRUE(
225 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
226 CertErrors errors;
227 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]228 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]229 ASSERT_TRUE(name_constraints);
230
231 // A permitted dNSName constraint of ".bar.com" should only match subdomains
232 // of .bar.com, but not bar.com itself.
233 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
234 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
235 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foobar.com"));
236 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.bar.com"));
237 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.bar.com"));
238}
239
240TEST_P(ParseNameConstraints, DNSNamesExcludedWithLeadingDot) {
241 std::string a;
242 ASSERT_TRUE(
243 LoadTestNameConstraint("dnsname-excluded_with_leading_dot.pem", &a));
244 CertErrors errors;
245 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]246 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]247 ASSERT_TRUE(name_constraints);
248
249 // An excluded dNSName constraint of ".bar.com" should only match subdomains
250 // of .bar.com, but not bar.com itself.
251 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
252 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
253 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foobar.com"));
254 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
255 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
256}
257
258TEST_P(ParseNameConstraints, DNSNamesPermittedTwoDot) {
259 std::string a;
260 ASSERT_TRUE(LoadTestNameConstraint("dnsname-permitted_two_dot.pem", &a));
261 CertErrors errors;
262 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]263 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]264 ASSERT_TRUE(name_constraints);
265
266 // A dNSName constraint of ".." isn't meaningful. Shouldn't match anything.
267 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
268 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com."));
269 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
270 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.com"));
271}
272
273TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
274 std::string a;
275 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
276
277 CertErrors errors;
278 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]279 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]280 ASSERT_TRUE(name_constraints);
281
282 // Only "excluded.permitted.example.com" is excluded, and since permitted is
283 // empty, any dNSName outside that is allowed.
284 EXPECT_TRUE(name_constraints->IsPermittedDNSName(""));
285 EXPECT_TRUE(name_constraints->IsPermittedDNSName("foo.com"));
286 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
287 EXPECT_FALSE(
288 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
289 EXPECT_FALSE(
290 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
291}
292
293TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
294 std::string a;
295 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
296
297 CertErrors errors;
298 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]299 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]300 ASSERT_TRUE(name_constraints);
301
302 // "permitted.example.com" is in the permitted section, but since "" is
303 // excluded, nothing is permitted.
304 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
305 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
306 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
307 EXPECT_FALSE(
308 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
309}
310
311TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
312 std::string a;
313 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
314
315 CertErrors errors;
316 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]317 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]318 ASSERT_TRUE(name_constraints);
319
320 // "." is excluded, which should match nothing.
321 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
322 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
323 EXPECT_TRUE(
324 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
325}
326
327TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
328 std::string a;
329 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
330
331 size_t replace_location = a.find("permitted.example2.com");
332 ASSERT_NE(std::string::npos, replace_location);
333 a.replace(replace_location, 1, 1, -1);
334
335 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]336 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]337}
338
339TEST_P(ParseNameConstraints, DirectoryNames) {
340 std::string constraints_der;
341 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
342
343 std::string name_us;
344 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
345 std::string name_us_ca;
346 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
347 std::string name_us_ca_mountain_view;
348 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
349 &name_us_ca_mountain_view));
350 std::string name_us_az;
351 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
352 std::string name_jp;
353 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
354 std::string name_jp_tokyo;
355 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
356 std::string name_de;
357 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
358 std::string name_ca;
359 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
360
361 CertErrors errors;
362 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]363 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]364 ASSERT_TRUE(name_constraints);
365
366 // Not in any permitted subtree.
367 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]368 SequenceValueFromString(name_ca)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]369 // Within the permitted C=US subtree.
370 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]371 SequenceValueFromString(name_us)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]372 // Within the permitted C=US subtree.
373 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]374 SequenceValueFromString(name_us_az)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]375 // Within the permitted C=US subtree, however the excluded C=US,ST=California
376 // subtree takes priority.
377 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]378 SequenceValueFromString(name_us_ca)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]379 // Within the permitted C=US subtree as well as the permitted
380 // C=US,ST=California,L=Mountain View subtree, however the excluded
381 // C=US,ST=California subtree still takes priority.
382 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]383 SequenceValueFromString(name_us_ca_mountain_view)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]384 // Not in any permitted subtree, and also inside the extraneous excluded C=DE
385 // subtree.
386 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]387 SequenceValueFromString(name_de)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]388 // Not in any permitted subtree.
389 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]390 SequenceValueFromString(name_jp)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]391 // Within the permitted C=JP,ST=Tokyo subtree.
392 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]393 SequenceValueFromString(name_jp_tokyo)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]394
395 EXPECT_EQ(GENERAL_NAME_DIRECTORY_NAME,
396 name_constraints->constrained_name_types());
397
398 // Within the permitted C=US subtree.
399 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]400 SequenceValueFromString(name_us),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]401 nullptr /* subject_alt_names */));
402 // Within the permitted C=US subtree, however the excluded C=US,ST=California
403 // subtree takes priority.
404 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]405 SequenceValueFromString(name_us_ca),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]406 nullptr /* subject_alt_names */));
407
408 std::string san_der;
409 std::unique_ptr<GeneralNames> san;
410 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
411 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
412
413 ASSERT_TRUE(
414 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
415 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
416
417 ASSERT_TRUE(
418 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
419 EXPECT_FALSE(
420 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
421
422 ASSERT_TRUE(
423 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
424 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
425}
426
427TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
428 std::string constraints_der;
429 ASSERT_TRUE(
430 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
431 CertErrors errors;
432 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]433 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]434 ASSERT_TRUE(name_constraints);
435
436 std::string name_empty;
437 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
438 std::string name_us;
439 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
440 std::string name_us_ca;
441 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
442 std::string name_us_ca_mountain_view;
443 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
444 &name_us_ca_mountain_view));
445
446 // Only "C=US,ST=California" is excluded, and since permitted is empty,
447 // any directoryName outside that is allowed.
448 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]449 SequenceValueFromString(name_empty)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]450 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]451 SequenceValueFromString(name_us)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]452 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]453 SequenceValueFromString(name_us_ca)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]454 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]455 SequenceValueFromString(name_us_ca_mountain_view)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]456}
457
458TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
459 std::string constraints_der;
460 ASSERT_TRUE(
461 LoadTestNameConstraint("directoryname-excludeall.pem", &constraints_der));
462 CertErrors errors;
463 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]464 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]465 ASSERT_TRUE(name_constraints);
466
467 std::string name_empty;
468 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
469 std::string name_us;
470 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
471 std::string name_us_ca;
472 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
473 std::string name_us_ca_mountain_view;
474 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
475 &name_us_ca_mountain_view));
476 std::string name_jp;
477 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
478
479 // "C=US" is in the permitted section, but since an empty
480 // directoryName is excluded, nothing is permitted.
481 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]482 SequenceValueFromString(name_empty)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]483 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]484 SequenceValueFromString(name_us)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]485 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]486 SequenceValueFromString(name_us_ca)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]487 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]488 SequenceValueFromString(name_jp)));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]489}
490
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]491TEST_P(ParseNameConstraints, IPAddresses) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]492 std::string a;
493 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
494
495 CertErrors errors;
496 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]497 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]498 ASSERT_TRUE(name_constraints);
499
500 // IPv4 tests:
501
502 // Not in any permitted range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]503 EXPECT_FALSE(
504 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 169, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]505
506 // Within the permitted 192.168.0.0/255.255.0.0 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]507 EXPECT_TRUE(
508 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]509
510 // Within the permitted 192.168.0.0/255.255.0.0 range, however the
511 // excluded 192.168.5.0/255.255.255.0 takes priority.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]512 EXPECT_FALSE(
513 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]514
515 // Within the permitted 192.168.0.0/255.255.0.0 range as well as the
516 // permitted 192.168.5.32/255.255.255.224 range, however the excluded
517 // 192.168.5.0/255.255.255.0 still takes priority.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]518 EXPECT_FALSE(
519 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 33))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]520
521 // Not in any permitted range. (Just outside the
522 // 192.167.5.32/255.255.255.224 range.)
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]523 EXPECT_FALSE(
524 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 31))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]525
526 // Within the permitted 192.167.5.32/255.255.255.224 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]527 EXPECT_TRUE(
528 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 32))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]529
530 // Within the permitted 192.167.5.32/255.255.255.224 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]531 EXPECT_TRUE(
532 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 63))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]533
534 // Not in any permitted range. (Just outside the
535 // 192.167.5.32/255.255.255.224 range.)
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]536 EXPECT_FALSE(
537 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 64))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]538
539 // Not in any permitted range, and also inside the extraneous excluded
540 // 192.166.5.32/255.255.255.224 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]541 EXPECT_FALSE(
542 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 166, 5, 32))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]543
544 // IPv6 tests:
545
546 // Not in any permitted range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]547 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
548 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]549
550 // Within the permitted
551 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]552 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
553 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]554
555 // Within the permitted
556 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
557 // the excluded
558 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
559 // priority.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]560 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
561 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]562
563 // Within the permitted
564 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
565 // as the permitted
566 // 102:304:506:708:90a:b0c:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0,
567 // however the excluded
568 // 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
569 // priority.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]570 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
571 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]572
573 // Not in any permitted range. (Just outside the
574 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
575 // range.)
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]576 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
577 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]578
579 // Within the permitted
580 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]581 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
582 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]583
584 // Within the permitted
585 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]586 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
587 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]588
589 // Not in any permitted range. (Just outside the
590 // 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
591 // range.)
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]592 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
593 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]594
595 // Not in any permitted range, and also inside the extraneous excluded
596 // 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]597 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
598 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]599
600 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
601 name_constraints->constrained_name_types());
602
603 std::string san_der;
604 std::unique_ptr<GeneralNames> san;
605 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san, &san_der));
606 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
607
608 ASSERT_TRUE(
609 LoadTestSubjectAltName("san-excluded-dnsname.pem", &san, &san_der));
610 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
611
612 ASSERT_TRUE(
613 LoadTestSubjectAltName("san-excluded-directoryname.pem", &san, &san_der));
614 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
615
616 ASSERT_TRUE(
617 LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san, &san_der));
618 EXPECT_FALSE(
619 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
620}
621
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]622TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]623 std::string a;
624 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
625
626 CertErrors errors;
627 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]628 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]629 ASSERT_TRUE(name_constraints);
630
631 // Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
632 // any iPAddress outside that is allowed.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]633 EXPECT_TRUE(
634 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
635 EXPECT_FALSE(
636 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
637 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
638 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]639}
640
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]641TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]642 std::string a;
643 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
644
645 CertErrors errors;
646 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]647 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]648 ASSERT_TRUE(name_constraints);
649
650 // 192.168.0.0/255.255.0.0 and
651 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
652 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]653 EXPECT_FALSE(
654 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
655 EXPECT_FALSE(
656 name_constraints->IsPermittedIP(der::Input(IPAddress(1, 1, 1, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]657 EXPECT_FALSE(name_constraints->IsPermittedIP(
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]658 der::Input(IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))));
659 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
660 IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]661}
662
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]663TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]664 std::string a;
665 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
666
667 CertErrors errors;
668 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]669 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]670 ASSERT_TRUE(name_constraints);
671
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]672 EXPECT_FALSE(
673 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
674 EXPECT_FALSE(
675 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
676 EXPECT_FALSE(
677 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
678 EXPECT_TRUE(
679 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
680 EXPECT_FALSE(
681 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
682 EXPECT_FALSE(name_constraints->IsPermittedIP(
683 der::Input(IPAddress(255, 255, 255, 255))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]684}
685
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]686TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]687 std::string a;
688 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
689
690 CertErrors errors;
691 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]692 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]693 ASSERT_TRUE(name_constraints);
694
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]695 EXPECT_FALSE(
696 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
697 EXPECT_FALSE(
698 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
699 EXPECT_TRUE(
700 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
701 EXPECT_TRUE(
702 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
703 EXPECT_FALSE(
704 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
705 EXPECT_FALSE(
706 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 5))));
707 EXPECT_FALSE(name_constraints->IsPermittedIP(
708 der::Input(IPAddress(255, 255, 255, 255))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]709}
710
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]711TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]712 std::string a;
713 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
714
715 CertErrors errors;
716 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]717 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]718 ASSERT_TRUE(name_constraints);
719
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]720 EXPECT_FALSE(
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]721 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
722 EXPECT_FALSE(name_constraints->IsPermittedIP(
723 der::Input(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]724 EXPECT_TRUE(
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]725 name_constraints->IsPermittedIP(der::Input(IPAddress(0x80, 0, 0, 0))));
726 EXPECT_TRUE(name_constraints->IsPermittedIP(
727 der::Input(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]728}
729
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]730TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]731 std::string a;
732 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
733
734 CertErrors errors;
735 std::unique_ptr<NameConstraints> name_constraints(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]736 NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]737 ASSERT_TRUE(name_constraints);
738
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]739 EXPECT_TRUE(
740 name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
741 EXPECT_TRUE(
742 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
743 EXPECT_TRUE(name_constraints->IsPermittedIP(
744 der::Input(IPAddress(255, 255, 255, 255))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]745}
746
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]747TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]748 std::string a;
749 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
750
751 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]752 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]753}
754
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]755TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidMaskNotContiguous) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]756 std::string a;
757 ASSERT_TRUE(LoadTestNameConstraint(
758 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
759 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]760 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]761
762 ASSERT_TRUE(LoadTestNameConstraint(
763 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]764 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]765
766 ASSERT_TRUE(LoadTestNameConstraint(
767 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]768 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]769
770 ASSERT_TRUE(LoadTestNameConstraint(
771 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]772 EXPECT_FALSE(NameConstraints::Create(der::Input(a), is_critical(), &errors));
773}
774
775// Test that v4/v6 mapping is not applied when evaluating name constraints.
776TEST_P(ParseNameConstraints, IPAddressesMapped) {
777 std::string a;
778 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-mapped_addrs.pem", &a));
779
780 CertErrors errors;
781 std::unique_ptr<NameConstraints> name_constraints(
782 NameConstraints::Create(der::Input(a), is_critical(), &errors));
783 ASSERT_TRUE(name_constraints);
784
785 // 192.168.1.0/24 is a permitted subtree.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]786 EXPECT_TRUE(
787 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 0))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]788 // This does not cover ::ffff:192.168.1.0.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]789 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
790 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]791 // 192.168.1.1 is excluded.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]792 EXPECT_FALSE(
793 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]794 // ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]795 EXPECT_TRUE(
796 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]797
798 // ::ffff:192.168.2.0/120 is a permitted subtree.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]799 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
800 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]801 // This does not cover 192.168.2.0.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]802 EXPECT_FALSE(
803 name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 2, 0))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]804 // ::ffff:192.168.2.1 is excluded.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]805 EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
806 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))));
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]807 // 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
Bob Beck8e7025e2023-09-05 17:05:26 -0600[diff] [blame]808 EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
809 IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]810}
811
812TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
813 std::string constraints_der;
814 ASSERT_TRUE(
815 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
816 CertErrors errors;
817 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]818 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]819 ASSERT_TRUE(name_constraints);
820
821 if (is_critical()) {
822 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
823 name_constraints->constrained_name_types());
824 } else {
825 EXPECT_EQ(0, name_constraints->constrained_name_types());
826 }
827
828 std::string san_der;
829 std::unique_ptr<GeneralNames> san;
830 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
831 EXPECT_EQ(!is_critical(),
832 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
833}
834
835TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
836 std::string constraints_der;
837 ASSERT_TRUE(
838 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
839 CertErrors errors;
840 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]841 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]842 ASSERT_TRUE(name_constraints);
843
844 if (is_critical()) {
845 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
846 name_constraints->constrained_name_types());
847 } else {
848 EXPECT_EQ(0, name_constraints->constrained_name_types());
849 }
850
851 std::string san_der;
852 std::unique_ptr<GeneralNames> san;
853 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san, &san_der));
854 EXPECT_EQ(!is_critical(),
855 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
856}
857
858TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
859 std::string constraints_der;
860 ASSERT_TRUE(
861 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
862 CertErrors errors;
863 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]864 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]865 ASSERT_TRUE(name_constraints);
866
867 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
868 name_constraints->constrained_name_types());
869
870 std::string san_der;
871 std::unique_ptr<GeneralNames> san;
872
873 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
874 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
875
876 ASSERT_TRUE(
877 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
878 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
879
880 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
881 &san_der));
882 EXPECT_FALSE(
883 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
884
885 ASSERT_TRUE(
886 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
887 EXPECT_FALSE(
888 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
889
890 ASSERT_TRUE(
891 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
892 EXPECT_FALSE(
893 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
894
895 ASSERT_TRUE(
896 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
897 EXPECT_FALSE(
898 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
899
900 ASSERT_TRUE(
901 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
902 // `"foo"@example.com` and `foo@example.com` are the same address, but we
903 // don't support quoted address at all.
904 EXPECT_FALSE(
905 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
906
907 ASSERT_TRUE(
908 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
909 EXPECT_FALSE(
910 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
911
912 ASSERT_TRUE(
913 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
914 // SAN contains multiple email addresses, only the first matches the
915 // permitted constraint.
916 EXPECT_FALSE(
917 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
918}
919
920TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
921 std::string constraints_der;
922 ASSERT_TRUE(
923 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
924 CertErrors errors;
925 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]926 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]927 ASSERT_TRUE(name_constraints);
928
929 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
930 name_constraints->constrained_name_types());
931
932 std::string san_der;
933 std::unique_ptr<GeneralNames> san;
934
935 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
936 EXPECT_FALSE(
937 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
938
939 ASSERT_TRUE(
940 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
941 EXPECT_FALSE(
942 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
943
944 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
945 &san_der));
946 // Excluded names are matched case-sensitive in the local-part for addresses
947 // from subjectAlternativeName, so this is allowed.
948 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
949
950 ASSERT_TRUE(
951 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
952 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
953
954 ASSERT_TRUE(
955 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
956 EXPECT_FALSE(
957 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
958
959 ASSERT_TRUE(
960 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
961 EXPECT_FALSE(
962 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
963
964 ASSERT_TRUE(
965 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
966 EXPECT_FALSE(
967 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
968}
969
970TEST_P(ParseNameConstraints, Rfc822NameHostnameInPermitted) {
971 std::string constraints_der;
972 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
973 &constraints_der));
974 CertErrors errors;
975 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]976 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]977 ASSERT_TRUE(name_constraints);
978
979 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
980 name_constraints->constrained_name_types());
981
982 std::string san_der;
983 std::unique_ptr<GeneralNames> san;
984
985 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
986 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
987
988 ASSERT_TRUE(
989 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
990 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
991
992 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
993 &san_der));
994 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
995
996 ASSERT_TRUE(
997 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
998 EXPECT_FALSE(
999 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1000
1001 ASSERT_TRUE(
1002 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1003 EXPECT_FALSE(
1004 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1005
1006 ASSERT_TRUE(
1007 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1008 EXPECT_FALSE(
1009 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1010
1011 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1012 &san_der));
1013 EXPECT_FALSE(
1014 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1015
1016 ASSERT_TRUE(
1017 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1018 // `"foo"@example.com` would match `example.com` hostname, but we don't
1019 // support quoted address at all.
1020 EXPECT_FALSE(
1021 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1022
1023 ASSERT_TRUE(
1024 LoadTestSubjectAltName("san-rfc822name-multiple.pem", &san, &san_der));
1025 // SAN contains multiple email addresses, all match the permitted hostname.
1026 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1027}
1028
1029TEST_P(ParseNameConstraints, Rfc822NameHostnameInExcluded) {
1030 std::string constraints_der;
1031 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostname.pem",
1032 &constraints_der));
1033 CertErrors errors;
1034 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1035 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1036 ASSERT_TRUE(name_constraints);
1037
1038 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1039 name_constraints->constrained_name_types());
1040
1041 std::string san_der;
1042 std::unique_ptr<GeneralNames> san;
1043
1044 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1045 EXPECT_FALSE(
1046 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1047
1048 ASSERT_TRUE(
1049 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1050 EXPECT_FALSE(
1051 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1052
1053 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1054 &san_der));
1055 EXPECT_FALSE(
1056 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1057
1058 ASSERT_TRUE(
1059 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1060 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1061
1062 ASSERT_TRUE(
1063 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1064 EXPECT_FALSE(
1065 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1066
1067 ASSERT_TRUE(
1068 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1069 EXPECT_FALSE(
1070 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1071
1072 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1073 &san_der));
1074 EXPECT_FALSE(
1075 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1076}
1077
1078TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInPermitted) {
1079 std::string constraints_der;
1080 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostnamewithat.pem",
1081 &constraints_der));
1082 CertErrors errors;
1083 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1084 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1085 ASSERT_TRUE(name_constraints);
1086
1087 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1088 name_constraints->constrained_name_types());
1089
1090 std::string san_der;
1091 std::unique_ptr<GeneralNames> san;
1092
1093 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1094 &san_der));
1095 EXPECT_FALSE(
1096 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1097
1098 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1099 EXPECT_FALSE(
1100 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1101
1102 ASSERT_TRUE(
1103 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1104 EXPECT_FALSE(
1105 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1106
1107 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1108 &san_der));
1109 EXPECT_FALSE(
1110 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1111
1112 ASSERT_TRUE(
1113 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1114 EXPECT_FALSE(
1115 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1116
1117 ASSERT_TRUE(
1118 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1119 EXPECT_FALSE(
1120 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1121
1122 ASSERT_TRUE(
1123 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1124 EXPECT_FALSE(
1125 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1126}
1127
1128TEST_P(ParseNameConstraints, Rfc822NameHostnameWithAtInExcluded) {
1129 std::string constraints_der;
1130 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-hostnamewithat.pem",
1131 &constraints_der));
1132 CertErrors errors;
1133 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1134 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1135 ASSERT_TRUE(name_constraints);
1136
1137 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1138 name_constraints->constrained_name_types());
1139
1140 std::string san_der;
1141 std::unique_ptr<GeneralNames> san;
1142
1143 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-empty-localpart.pem", &san,
1144 &san_der));
1145 EXPECT_FALSE(
1146 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1147
1148 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1149 EXPECT_FALSE(
1150 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1151
1152 ASSERT_TRUE(
1153 LoadTestSubjectAltName("san-rfc822name-domaincase.pem", &san, &san_der));
1154 EXPECT_FALSE(
1155 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1156
1157 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-localpartcase.pem", &san,
1158 &san_der));
1159 EXPECT_FALSE(
1160 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1161
1162 ASSERT_TRUE(
1163 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1164 EXPECT_FALSE(
1165 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1166
1167 ASSERT_TRUE(
1168 LoadTestSubjectAltName("san-rfc822name-no-at.pem", &san, &san_der));
1169 EXPECT_FALSE(
1170 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1171
1172 ASSERT_TRUE(
1173 LoadTestSubjectAltName("san-rfc822name-two-ats.pem", &san, &san_der));
1174 EXPECT_FALSE(
1175 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1176}
1177
1178TEST_P(ParseNameConstraints, Rfc822NameSubdomainInPermitted) {
1179 std::string constraints_der;
1180 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-subdomains.pem",
1181 &constraints_der));
1182 CertErrors errors;
1183 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1184 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1185 ASSERT_TRUE(name_constraints);
1186
1187 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1188 name_constraints->constrained_name_types());
1189
1190 std::string san_der;
1191 std::unique_ptr<GeneralNames> san;
1192
1193 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1194 EXPECT_FALSE(
1195 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1196
1197 ASSERT_TRUE(
1198 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1199 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1200
1201 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1202 &san_der));
1203 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1204
1205 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1206 &san_der));
1207 EXPECT_FALSE(
1208 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1209
1210 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1211 &san, &san_der));
1212 EXPECT_FALSE(
1213 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1214}
1215
1216TEST_P(ParseNameConstraints, Rfc822NameSubdomainInExcluded) {
1217 std::string constraints_der;
1218 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-subdomains.pem",
1219 &constraints_der));
1220 CertErrors errors;
1221 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1222 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1223 ASSERT_TRUE(name_constraints);
1224
1225 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1226 name_constraints->constrained_name_types());
1227
1228 std::string san_der;
1229 std::unique_ptr<GeneralNames> san;
1230
1231 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1232 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1233
1234 ASSERT_TRUE(
1235 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1236 EXPECT_FALSE(
1237 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1238
1239 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomaincase.pem", &san,
1240 &san_der));
1241 EXPECT_FALSE(
1242 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1243
1244 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-no-at.pem", &san,
1245 &san_der));
1246 EXPECT_FALSE(
1247 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1248
1249 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name-subdomain-two-ats.pem",
1250 &san, &san_der));
1251 EXPECT_FALSE(
1252 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1253}
1254
1255TEST_P(ParseNameConstraints, Rfc822NameEmptyPermitted) {
1256 std::string constraints_der;
1257 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-empty.pem",
1258 &constraints_der));
1259 CertErrors errors;
1260 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1261 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1262 ASSERT_TRUE(name_constraints);
1263
1264 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1265 name_constraints->constrained_name_types());
1266
1267 std::string san_der;
1268 std::unique_ptr<GeneralNames> san;
1269
1270 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1271 EXPECT_FALSE(
1272 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1273
1274 ASSERT_TRUE(
1275 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1276 EXPECT_FALSE(
1277 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1278}
1279
1280TEST_P(ParseNameConstraints, Rfc822NameEmptyExcluded) {
1281 std::string constraints_der;
1282 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-empty.pem",
1283 &constraints_der));
1284 CertErrors errors;
1285 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1286 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1287 ASSERT_TRUE(name_constraints);
1288
1289 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1290 name_constraints->constrained_name_types());
1291
1292 std::string san_der;
1293 std::unique_ptr<GeneralNames> san;
1294
1295 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1296 EXPECT_FALSE(
1297 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1298
1299 ASSERT_TRUE(
1300 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1301 EXPECT_FALSE(
1302 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1303}
1304
1305TEST_P(ParseNameConstraints, Rfc822NameIPv4Permitted) {
1306 std::string constraints_der;
1307 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-ipv4.pem",
1308 &constraints_der));
1309 CertErrors errors;
1310 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1311 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1312 ASSERT_TRUE(name_constraints);
1313
1314 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1315 name_constraints->constrained_name_types());
1316
1317 std::string san_der;
1318 std::unique_ptr<GeneralNames> san;
1319
1320 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1321 EXPECT_FALSE(
1322 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1323
1324 ASSERT_TRUE(
1325 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1326 EXPECT_FALSE(
1327 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1328
1329 ASSERT_TRUE(
1330 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1331 EXPECT_FALSE(
1332 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1333}
1334
1335TEST_P(ParseNameConstraints, Rfc822NameIPv4Excluded) {
1336 std::string constraints_der;
1337 ASSERT_TRUE(
1338 LoadTestNameConstraint("rfc822name-excluded-ipv4.pem", &constraints_der));
1339 CertErrors errors;
1340 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1341 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1342 ASSERT_TRUE(name_constraints);
1343
1344 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
1345 name_constraints->constrained_name_types());
1346
1347 std::string san_der;
1348 std::unique_ptr<GeneralNames> san;
1349
1350 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san, &san_der));
1351 EXPECT_FALSE(
1352 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1353
1354 ASSERT_TRUE(
1355 LoadTestSubjectAltName("san-rfc822name-empty.pem", &san, &san_der));
1356 EXPECT_FALSE(
1357 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1358
1359 ASSERT_TRUE(
1360 LoadTestSubjectAltName("san-rfc822name-ipv4.pem", &san, &san_der));
1361 EXPECT_FALSE(
1362 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1363}
1364
1365TEST_P(ParseNameConstraints, QuotedRfc822SanWithNoRfc822Constraints) {
1366 // Load an unrelated (non-rfc822) constraint.
1367 std::string constraints_der;
1368 ASSERT_TRUE(
1369 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
1370 CertErrors errors;
1371 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1372 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1373 ASSERT_TRUE(name_constraints);
1374
1375 std::string san_der;
1376 std::unique_ptr<GeneralNames> san;
1377 ASSERT_TRUE(
1378 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1379 // A rfc822 in SAN with quotes should be allowed since we only try to parse
1380 // the name if we are enforcing a constraint against it.
1381 EXPECT_TRUE(IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1382}
1383
1384TEST_P(ParseNameConstraints, QuotedRfc822SanMatchesQuotedPermitted) {
1385 std::string constraints_der;
1386 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-quoted.pem",
1387 &constraints_der));
1388 CertErrors errors;
1389 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1390 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1391 ASSERT_TRUE(name_constraints);
1392
1393 std::string san_der;
1394 std::unique_ptr<GeneralNames> san;
1395 ASSERT_TRUE(
1396 LoadTestSubjectAltName("san-rfc822name-quoted.pem", &san, &san_der));
1397 // Both SAN and constraint are `"foo"@example.com`, but we don't support
1398 // quoted address at all.
1399 EXPECT_FALSE(
1400 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1401}
1402
1403TEST_P(ParseNameConstraints, UnquotedRfc822SanNotMatchingQuotedExcluded) {
1404 std::string constraints_der;
1405 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-excluded-quoted.pem",
1406 &constraints_der));
1407 CertErrors errors;
1408 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1409 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1410 ASSERT_TRUE(name_constraints);
1411
1412 std::string san_der;
1413 std::unique_ptr<GeneralNames> san;
1414 ASSERT_TRUE(
1415 LoadTestSubjectAltName("san-rfc822name-subdomain.pem", &san, &san_der));
1416 // The name `foo@subdomain.example.com` should be allowed since it doesn't
1417 // match an exclude of `"foo"@example.com`, but we don't support quoted
1418 // address at all so this is not allowed.
1419 EXPECT_FALSE(
1420 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1421}
1422
1423TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
1424 std::string constraints_der;
1425 ASSERT_TRUE(
1426 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
1427 CertErrors errors;
1428 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1429 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1430 ASSERT_TRUE(name_constraints);
1431
1432 if (is_critical()) {
1433 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1434 name_constraints->constrained_name_types());
1435 } else {
1436 EXPECT_EQ(0, name_constraints->constrained_name_types());
1437 }
1438
1439 std::string san_der;
1440 std::unique_ptr<GeneralNames> san;
1441 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1442 EXPECT_EQ(!is_critical(),
1443 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1444}
1445
1446TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
1447 std::string constraints_der;
1448 ASSERT_TRUE(
1449 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
1450 CertErrors errors;
1451 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1452 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1453 ASSERT_TRUE(name_constraints);
1454
1455 if (is_critical()) {
1456 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
1457 name_constraints->constrained_name_types());
1458 } else {
1459 EXPECT_EQ(0, name_constraints->constrained_name_types());
1460 }
1461
1462 std::string san_der;
1463 std::unique_ptr<GeneralNames> san;
1464 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san, &san_der));
1465 EXPECT_EQ(!is_critical(),
1466 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1467}
1468
1469TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
1470 std::string constraints_der;
1471 ASSERT_TRUE(
1472 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
1473 CertErrors errors;
1474 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1475 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1476 ASSERT_TRUE(name_constraints);
1477
1478 if (is_critical()) {
1479 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1480 name_constraints->constrained_name_types());
1481 } else {
1482 EXPECT_EQ(0, name_constraints->constrained_name_types());
1483 }
1484
1485 std::string san_der;
1486 std::unique_ptr<GeneralNames> san;
1487 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1488 EXPECT_EQ(!is_critical(),
1489 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1490}
1491
1492TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
1493 std::string constraints_der;
1494 ASSERT_TRUE(
1495 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
1496 CertErrors errors;
1497 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1498 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1499 ASSERT_TRUE(name_constraints);
1500
1501 if (is_critical()) {
1502 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
1503 name_constraints->constrained_name_types());
1504 } else {
1505 EXPECT_EQ(0, name_constraints->constrained_name_types());
1506 }
1507
1508 std::string san_der;
1509 std::unique_ptr<GeneralNames> san;
1510 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san, &san_der));
1511 EXPECT_EQ(!is_critical(),
1512 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1513}
1514
1515TEST_P(ParseNameConstraints, URIsInPermitted) {
1516 std::string constraints_der;
1517 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
1518 CertErrors errors;
1519 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1520 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1521 ASSERT_TRUE(name_constraints);
1522
1523 if (is_critical()) {
1524 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1525 name_constraints->constrained_name_types());
1526 } else {
1527 EXPECT_EQ(0, name_constraints->constrained_name_types());
1528 }
1529
1530 std::string san_der;
1531 std::unique_ptr<GeneralNames> san;
1532 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1533 EXPECT_EQ(!is_critical(),
1534 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1535}
1536
1537TEST_P(ParseNameConstraints, URIsInExcluded) {
1538 std::string constraints_der;
1539 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
1540 CertErrors errors;
1541 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1542 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1543 ASSERT_TRUE(name_constraints);
1544
1545 if (is_critical()) {
1546 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
1547 name_constraints->constrained_name_types());
1548 } else {
1549 EXPECT_EQ(0, name_constraints->constrained_name_types());
1550 }
1551
1552 std::string san_der;
1553 std::unique_ptr<GeneralNames> san;
1554 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san, &san_der));
1555 EXPECT_EQ(!is_critical(),
1556 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1557}
1558
1559TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
1560 std::string constraints_der;
1561 ASSERT_TRUE(
1562 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
1563 CertErrors errors;
1564 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1565 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1566 ASSERT_TRUE(name_constraints);
1567
1568 if (is_critical()) {
1569 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1570 name_constraints->constrained_name_types());
1571 } else {
1572 EXPECT_EQ(0, name_constraints->constrained_name_types());
1573 }
1574
1575 std::string san_der;
1576 std::unique_ptr<GeneralNames> san;
1577 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1578 EXPECT_EQ(!is_critical(),
1579 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1580}
1581
1582TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
1583 std::string constraints_der;
1584 ASSERT_TRUE(
1585 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
1586 CertErrors errors;
1587 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1588 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1589 ASSERT_TRUE(name_constraints);
1590
1591 if (is_critical()) {
1592 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1593 name_constraints->constrained_name_types());
1594 } else {
1595 EXPECT_EQ(0, name_constraints->constrained_name_types());
1596 }
1597
1598 std::string san_der;
1599 std::unique_ptr<GeneralNames> san;
1600 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san, &san_der));
1601 EXPECT_EQ(!is_critical(),
1602 IsPermittedCert(name_constraints.get(), der::Input(), san.get()));
1603}
1604
1605TEST_P(ParseNameConstraints,
1606 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1607 std::string constraints_der;
1608 ASSERT_TRUE(
1609 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1610 // The value should not be in the DER encoding if it is the default. But this
1611 // could be changed to allowed if there are buggy encoders out there that
1612 // include it anyway.
1613 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1614 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1615 is_critical(), &errors));
1616}
1617
1618TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1619 std::string constraints_der;
1620 ASSERT_TRUE(
1621 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1622 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1623 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1624 is_critical(), &errors));
1625}
1626
1627TEST_P(ParseNameConstraints,
1628 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1629 std::string constraints_der;
1630 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1631 &constraints_der));
1632 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1633 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1634 is_critical(), &errors));
1635}
1636
1637TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1638 std::string constraints_der;
1639 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1640 &constraints_der));
1641 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1642 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1643 is_critical(), &errors));
1644}
1645
1646TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1647 std::string constraints_der;
1648 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1649 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1650 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1651 is_critical(), &errors));
1652}
1653
1654TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1655 std::string constraints_der = "";
1656 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1657 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1658 is_critical(), &errors));
1659}
1660
1661TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1662 std::string constraints_der;
1663 ASSERT_TRUE(
1664 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1665 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1666 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1667 is_critical(), &errors));
1668}
1669
1670TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1671 std::string constraints_der;
1672 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1673 &constraints_der));
1674 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1675 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1676 is_critical(), &errors));
1677}
1678
1679TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1680 std::string constraints_der;
1681 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1682 &constraints_der));
1683 CertErrors errors;
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1684 EXPECT_FALSE(NameConstraints::Create(der::Input(constraints_der),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1685 is_critical(), &errors));
1686}
1687
1688TEST_P(ParseNameConstraints,
1689 IsPermittedCertSubjectEmailAddressNoEmailConstraint) {
1690 std::string constraints_der;
1691 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1692 CertErrors errors;
1693 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1694 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1695 ASSERT_TRUE(name_constraints);
1696
1697 std::string name;
1698 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1699 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1700 // allowed regardless.
1701 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1702 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1703 /*subject_alt_names=*/nullptr));
1704
1705 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1706 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1707 // allowed regardless.
1708 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1709 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1710 /*subject_alt_names=*/nullptr));
1711}
1712
1713TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1714 std::string constraints_der;
1715 ASSERT_TRUE(LoadTestNameConstraint("rfc822name-permitted-hostname.pem",
1716 &constraints_der));
1717 CertErrors errors;
1718 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1719 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1720 ASSERT_TRUE(name_constraints);
1721
1722 std::string name;
1723 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1724
1725 // Name constraints contain rfc822Name, and the address matches the
1726 // constraint (which is all addresses on the hostname.)
1727 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1728 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1729 /*subject_alt_names=*/nullptr));
1730
1731 ASSERT_TRUE(LoadTestName("name-us-arizona-email-invalidstring.pem", &name));
1732 // The bytes of the name string match, but the string type is VISIBLESTRING
1733 // which is not supported, so this should fail.
1734 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1735 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1736 /*subject_alt_names=*/nullptr));
1737
1738 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1739 // Subject contains multiple rfc822Names, and they all match the constraint
1740 // (which is all addresses on the hostname.)
1741 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1742 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1743 /*subject_alt_names=*/nullptr));
1744}
1745
1746TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1747 std::string constraints_der;
1748 ASSERT_TRUE(
1749 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1750 CertErrors errors;
1751 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1752 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1753 ASSERT_TRUE(name_constraints);
1754
1755 std::string name;
1756 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1757
1758 // Name constraints contain rfc822Name, and the address does not match the
1759 // constraint.
1760 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1761 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1762 /*subject_alt_names=*/nullptr));
1763
1764 // Address is a case-insensitive match, but name constraints (permitted) are
1765 // case-sensitive, so this fails.
1766 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1767 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1768 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1769 /*subject_alt_names=*/nullptr));
1770
1771 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1772 // Subject contains multiple rfc822Names, and only the first one matches the
1773 // constraint.
1774 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1775 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1776 /*subject_alt_names=*/nullptr));
1777}
1778
1779TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressExcluded) {
1780 std::string constraints_der;
1781 ASSERT_TRUE(
1782 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
1783 CertErrors errors;
1784 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1785 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1786 ASSERT_TRUE(name_constraints);
1787
1788 std::string name;
1789 ASSERT_TRUE(LoadTestName("name-us-arizona-email.pem", &name));
1790
1791 // Name constraints contain excluded rfc822Name, and the address does not
1792 // match the constraint.
1793 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1794 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1795 /*subject_alt_names=*/nullptr));
1796
1797 // Name constraints for excluded are done case-insensitive in the local part,
1798 // so this is not allowed.
1799 ASSERT_TRUE(LoadTestName("name-us-arizona-email-localpartcase.pem", &name));
1800 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1801 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1802 /*subject_alt_names=*/nullptr));
1803
1804 ASSERT_TRUE(LoadTestName("name-us-arizona-email-multiple.pem", &name));
1805 // Subject contains multiple rfc822Names, and one of them is excluded by the
1806 // constraint.
1807 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1808 SequenceValueFromString(name),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1809 /*subject_alt_names=*/nullptr));
1810}
1811
1812// Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1813// are not particularly interesting, just verifying that the commonName is
1814// ignored for dNSName constraints.
1815TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1816 std::string constraints_der;
1817 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1818 &constraints_der));
1819 CertErrors errors;
1820 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1821 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1822 ASSERT_TRUE(name_constraints);
1823
1824 std::string name_us_az_foocom;
1825 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1826 // The subject is within permitted directoryName constraints, so permitted.
1827 // (The commonName hostname is not within permitted dNSName constraints, so
1828 // this would not be permitted if hostnames in commonName were checked.)
1829 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1830 SequenceValueFromString(name_us_az_foocom),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1831 nullptr /* subject_alt_names */));
1832
1833 std::string name_us_az_permitted;
1834 ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem",
1835 &name_us_az_permitted));
1836 // The subject is in permitted directoryName and the commonName is within
1837 // permitted dNSName constraints, so this should be permitted regardless if
1838 // hostnames in commonName are checked or not.
1839 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1840 SequenceValueFromString(name_us_az_permitted),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1841 nullptr /* subject_alt_names */));
1842
1843 std::string name_us_ca_permitted;
1844 ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem",
1845 &name_us_ca_permitted));
1846 // The subject is within the excluded C=US,ST=California directoryName, so
1847 // this should not be allowed, regardless of checking the
1848 // permitted.example.com in commonName.
1849 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1850 SequenceValueFromString(name_us_ca_permitted),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1851 nullptr /* subject_alt_names */));
1852}
1853
1854// IP addresses in commonName are not allowed (crbug.com/308330), so these are
1855// tests are not particularly interesting, just verifying that the commonName is
1856// ignored for iPAddress constraints.
1857TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1858 std::string constraints_der;
1859 ASSERT_TRUE(LoadTestNameConstraint(
1860 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1861 CertErrors errors;
1862 std::unique_ptr<NameConstraints> name_constraints(NameConstraints::Create(
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1863 der::Input(constraints_der), is_critical(), &errors));
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1864 ASSERT_TRUE(name_constraints);
1865
1866 std::string name_us_az_1_1_1_1;
1867 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1868 // The subject is within permitted directoryName constraints, so permitted.
1869 // (The commonName IP address is not within permitted iPAddresses constraints,
1870 // so this would not be permitted if IP addresses in commonName were checked.)
1871 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1872 SequenceValueFromString(name_us_az_1_1_1_1),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1873 nullptr /* subject_alt_names */));
1874
1875 std::string name_us_az_192_168_1_1;
1876 ASSERT_TRUE(
1877 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1878 // The subject is in permitted directoryName and the commonName is within
1879 // permitted iPAddress constraints, so this should be permitted regardless if
1880 // IP addresses in commonName are checked or not.
1881 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1882 SequenceValueFromString(name_us_az_192_168_1_1),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1883 nullptr /* subject_alt_names */));
1884
1885 std::string name_us_ca_192_168_1_1;
1886 ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem",
1887 &name_us_ca_192_168_1_1));
1888 // The subject is within the excluded C=US,ST=California directoryName, so
1889 // this should not be allowed, regardless of checking the
1890 // IP address in commonName.
1891 EXPECT_FALSE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1892 SequenceValueFromString(name_us_ca_192_168_1_1),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1893 nullptr /* subject_alt_names */));
1894
1895 std::string name_us_az_ipv6;
1896 ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6));
1897 // The subject is within permitted directoryName constraints, so permitted.
1898 // (The commonName is an ipv6 address which wasn't supported in the past, but
1899 // since commonName checking is ignored entirely, this is permitted.)
1900 EXPECT_TRUE(IsPermittedCert(name_constraints.get(),
Bob Beck2e119172023-08-14 11:06:38 -0600[diff] [blame]1901 SequenceValueFromString(name_us_az_ipv6),
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1902 nullptr /* subject_alt_names */));
1903}
1904
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]1905} // namespace bssl