2018-05-04 16:08:28 +02:00
|
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
|
|
|
|
scenario TrustAnchors
|
|
|
|
|
|
|
|
db trustanchors
|
|
|
|
|
|
|
|
import NameConstraints.ca:x:CT,C,C
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
# Name Constrained CA: Name constrained to permited DNSName ".example"
|
cherry-picked mozilla NSS upstream changes (to rev 902bc119dcdb, which is on par with 3.17.2):
bug920719, bug1026148, bug1028647, bug963150, bug1030486, bug1025729, bug836658, bug1028582, bug1038728, bug1038526, bug1042634, bug1047210, bug1043891, bug1043108, bug1046735, bug1043082, bug1036735, bug1046718, bug1050107, bug1054625, bug1057465, bug1057476, bug1041326, bug1058933, bug1064636, bug1057161, bug1078669, bug1049435, bug1070493, bug1083360, bug1028764, bug1065990, bug1073330, bug1064670, bug1094650
2018-07-11 15:35:15 +02:00
|
|
|
import NameConstraints.ncca:x:CT,C,C
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
import NameConstraints.dcisscopy:x:CT,C,C
|
2018-05-04 16:08:28 +02:00
|
|
|
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
# Intermediate 1: Name constrained to permited DNSName ".example"
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
|
|
|
|
# altDNS: test.invalid
|
|
|
|
# Fail: CN not in name constraints, altDNS not in name constraints
|
2018-05-04 16:08:28 +02:00
|
|
|
verify NameConstraints.server1:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result fail
|
|
|
|
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
|
|
|
|
# Fail: CN not in name constraints
|
2018-05-04 16:08:28 +02:00
|
|
|
verify NameConstraints.server2:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result fail
|
|
|
|
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
|
|
|
|
# altDNS: test.example
|
2018-05-04 16:08:28 +02:00
|
|
|
verify NameConstraints.server3:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result pass
|
|
|
|
|
cherry-picked mozilla NSS upstream changes (to rev f7a4c771997e, which is on par with 3.16.1 but without windows rand() changes):
9934c8faef29, 3c3b381c4865, 5a67f6beee9a, 1b1eb6d77728, a8b668fd72f7, bug962760, bug743700, bug857304, bug972653, bug972450, bug971358, bug903885, bug977073, bug976111, bug949939, bug947653, bug947572, bug903885, bug979106, bug966596, bug979004, bug979752, bug980848, bug938369, bug981170, bug668130, bug974693, bug975056, bug979132, bug370717, bug979070, bug985070, bug900067, bug977673, bug519255, bug989558, bug557299, bug987263, bug369802, a751a5146718, bug992343, bug952572, bug979703, bug994883, bug994869, bug993489, bug984608, bug977869, bug667371, bug672828, bug793347, bug977869
2018-07-10 17:07:31 +02:00
|
|
|
# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
|
|
|
|
# altDNS: test.invalid
|
|
|
|
# Fail: CN not in name constraints, altDNS not in name constraints
|
|
|
|
verify NameConstraints.server4:x
|
|
|
|
cert NameConstraints.intermediate2:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
|
|
|
|
# Fail: CN not in name constraints
|
|
|
|
verify NameConstraints.server5:x
|
|
|
|
cert NameConstraints.intermediate2:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
|
|
|
|
# altDNS: test.example
|
|
|
|
verify NameConstraints.server6:x
|
|
|
|
cert NameConstraints.intermediate2:x
|
|
|
|
cert NameConstraints.intermediate:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
|
|
|
|
# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
|
|
|
|
# and a permitted DNSName of "foo.example"
|
|
|
|
|
|
|
|
# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
|
|
|
|
# No name constraints present
|
|
|
|
# Signed by Intermediate 3 (inherits name constraints)
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
|
|
|
|
verify NameConstraints.server7:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
|
|
|
|
verify NameConstraints.server8:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
|
|
|
|
# Fail: ST is missing in the DirectoryName, thus not matching name constraints
|
|
|
|
verify NameConstraints.server9:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
|
|
|
|
# Fail: CN not in name constraints
|
|
|
|
verify NameConstraints.server10:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
|
|
|
|
# altDNS:foo.example
|
|
|
|
# Pass: Ignores CN constraint name violation because SAN is present
|
|
|
|
verify NameConstraints.server11:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
|
|
|
|
# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
|
|
|
|
verify NameConstraints.server12:x
|
|
|
|
cert NameConstraints.intermediate4:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
|
|
|
|
# No name constraints present
|
|
|
|
# Signed by Intermediate 3.
|
|
|
|
# Intermediate 5's subject is not in Intermediate 3's permitted
|
|
|
|
# names, so all certs issued by it are invalid.
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
|
|
|
|
# Fail: Org matches Intermediate 5's name constraints, but does not match
|
|
|
|
# Intermediate 3' name constraints
|
|
|
|
verify NameConstraints.server13:x
|
|
|
|
cert NameConstraints.intermediate5:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
|
|
|
|
# Fail: Matches Intermediate 5's name constraints, but fails because
|
|
|
|
# Intermediate 5 does not match Intermediate 3's name constraints
|
|
|
|
verify NameConstraints.server14:x
|
|
|
|
cert NameConstraints.intermediate5:x
|
|
|
|
cert NameConstraints.intermediate3:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
|
|
|
|
# No name constraints present
|
|
|
|
# Signed by Named Constrained CA (inherits root name constraints)
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
|
|
|
|
# altDNS: testfoo.invalid
|
|
|
|
# Fail: CN not in name constraints, altDNS not in name constraints
|
|
|
|
verify NameConstraints.server15:x
|
|
|
|
cert NameConstraints.intermediate6:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
|
|
|
|
# Fail: CN not in name constraints
|
|
|
|
verify NameConstraints.server16:x
|
|
|
|
cert NameConstraints.intermediate6:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
|
|
|
|
# altDNS: test4.example
|
|
|
|
verify NameConstraints.server17:x
|
|
|
|
cert NameConstraints.intermediate6:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
|
|
|
|
verify NameConstraints.dcissblocked:x
|
|
|
|
result fail
|
|
|
|
|
|
|
|
# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
|
|
|
|
verify NameConstraints.dcissallowed:x
|
|
|
|
result pass
|
|
|
|
|
|
|
|
|