mozilla-inbound: changeset 220047:64e991d62eeb23a9d283dcf0ce25e174658ced4d

author	Brian Smith <brian@briansmith.org>
	Thu, 30 Oct 2014 16:48:31 -0700
changeset 220047	64e991d62eeb23a9d283dcf0ce25e174658ced4d
parent 220046	fbd204c775be57600382235d83aef8cc1564f4bf
child 220048	dfb46363d636325d38b85fe811224084724d8fcc
push id	52988
push user	brian@briansmith.org
push date	Tue, 16 Dec 2014 23:38:24 +0000
treeherder	mozilla-inbound@64e991d62eeb [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	keeler
bugs	1111392
milestone	37.0a1
first release with	nightly linux32 b7eb1ce0237d / 37.0a1 / 20141217030202 / files nightly linux64 b7eb1ce0237d / 37.0a1 / 20141217030202 / files nightly mac b7eb1ce0237d / 37.0a1 / 20141217030202 / files nightly win32 b7eb1ce0237d / 37.0a1 / 20141217030202 / files nightly win64 b7eb1ce0237d / 37.0a1 / 20141217030202 / files
last release without	nightly linux32 b836016d82b5 / 37.0a1 / 20141216030203 / files nightly linux64 b836016d82b5 / 37.0a1 / 20141216030203 / files nightly mac b836016d82b5 / 37.0a1 / 20141216030203 / files nightly win32 b836016d82b5 / 37.0a1 / 20141216030203 / files nightly win64 b836016d82b5 / 37.0a1 / 20141216030203 / files

--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@@ -1712,16 +1712,50 @@ static ByteString
 GeneralSubtree(const ByteString& base)
 {
   return TLV(der::SEQUENCE, base);
 }
 
 static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
 {
   /////////////////////////////////////////////////////////////////////////////
+  // XXX: Malformed name constraints for supported types of names are ignored
+  // when there are no names of that type to constrain.
+  { ByteString(), NO_SAN,
+    GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { // DirectoryName constraints are an exception, because *every* certificate
+    // has at least one DirectoryName (tbsCertificate.subject).
+    ByteString(), NO_SAN,
+    GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(RFC822Name("!")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
   // Edge cases of name constraint absolute vs. relative and subdomain matching
   // that are not clearly explained in RFC 5280. (See the long comment above
   // PresentedDNSIDMatchesReferenceDNSID.)
 
   // Q: Does a presented identifier equal (case insensitive) to the name
   //    constraint match the constraint? For example, does the presented
   //    ID "host.example.com" match a "host.example.com" constraint?
   { ByteString(), DNSName("host.example.com"),