Bug 1111392: Add tests for malformed name constraints where there are no names of the constrained type, r=keeler
authorBrian Smith <brian@briansmith.org>
Thu, 30 Oct 2014 16:48:31 -0700
changeset 220047 64e991d62eeb23a9d283dcf0ce25e174658ced4d
parent 220046 fbd204c775be57600382235d83aef8cc1564f4bf
child 220048 dfb46363d636325d38b85fe811224084724d8fcc
push id52988
push userbrian@briansmith.org
push dateTue, 16 Dec 2014 23:38:24 +0000
reviewerskeeler
bugs1111392
milestone37.0a1
Bug 1111392: Add tests for malformed name constraints where there are no names of the constrained type, r=keeler
security/pkix/test/gtest/pkixnames_tests.cpp
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@@ -1712,16 +1712,50 @@ static ByteString
 GeneralSubtree(const ByteString& base)
 {
   return TLV(der::SEQUENCE, base);
 }
 
 static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
 {
   /////////////////////////////////////////////////////////////////////////////
+  // XXX: Malformed name constraints for supported types of names are ignored
+  // when there are no names of that type to constrain.
+  { ByteString(), NO_SAN,
+    GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { // DirectoryName constraints are an exception, because *every* certificate
+    // has at least one DirectoryName (tbsCertificate.subject).
+    ByteString(), NO_SAN,
+    GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(RFC822Name("!")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
   // Edge cases of name constraint absolute vs. relative and subdomain matching
   // that are not clearly explained in RFC 5280. (See the long comment above
   // PresentedDNSIDMatchesReferenceDNSID.)
 
   // Q: Does a presented identifier equal (case insensitive) to the name
   //    constraint match the constraint? For example, does the presented
   //    ID "host.example.com" match a "host.example.com" constraint?
   { ByteString(), DNSName("host.example.com"),
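Review bot: The `XXX` comment above the added rows does not say whether `Success, Success` for a malformed constraint is the intended contract or only a pin on current behaviour, so a later, stricter parser would look like a regression against these rows. Assuming the last two fields are the expected results for the permitted and excluded cases, I would extend the comment to `// XXX: This pins current behaviour, not a desired one: a malformed constraint in a CA certificate` / `// goes unnoticed until a name of the constrained type is presented (bug 1111392).` Every added row uses an empty subject with `NO_SAN`, so nothing in this hunk shows whether the same malformed DNSName, IPAddress or RFC822Name constraint is rejected once a name of that type is present; a paired row with a SAN of the matching type would document that boundary. The two `ipv6_constraint_*` rows are indented two spaces where the neighbouring rows use four. `NAME_CONSTRAINT_PARAMS` starts inside the hunk but continues past its end.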