crypto/x509: add more test cases for name constraints.
This version of the code passes the tests; however, Go 1.25 currently fails. See I747e51edc16c1111f6a114de33af35f618793c90 for a backport of the test cases to Go 1.25 and a fix for the issue discovered there. Found as part of https://issues.chromium.org/issues/488306305 and related to issue #77968. Change-Id: I60fba0d635f23d53f2146cb64b9f6a29755712e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/750560 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Roland Shoemaker <roland@golang.org>
committed by
Gopher Robot
parent
51a8f213cd
commit
bf84b002d6
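--- a/crypto/x509/FILE_PATH_NOT_SHOWN
+++ b/crypto/x509/FILE_PATH_NOT_SHOWN
@@ -1656,6 +1656,174 @@ var nameConstraintsTests = []nameConstraintsTest{
 sans: []string{"dns:"},
 },
 },
+
+{
+name: "subdomain excluded constraints preclude outer wildcard names",
+roots: []constraintsSpec{
+{
+bad: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.example.com"},
+},
+expectedError: "\"*.example.com\" is excluded by constraint \"foo.example.com\"",
+},
+{
+name: "subdomain excluded constraints do not preclude far outer wildcard names",
+roots: []constraintsSpec{
+{
+bad: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.com"},
+},
+},
+{
+name: "subdomain excluded constraints preclude inner wildcard names",
+roots: []constraintsSpec{
+{
+bad: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.foo.example.com"},
+},
+expectedError: "\"*.foo.example.com\" is excluded by constraint \"foo.example.com\"",
+},
+{
+name: "subdomain excluded constraints preclude far inner wildcard names",
+roots: []constraintsSpec{
+{
+bad: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.bar.foo.example.com"},
+},
+expectedError: "\"*.bar.foo.example.com\" is excluded by constraint \"foo.example.com\"",
+},
+{
+name: "outer wildcard names are not matched by subdomain permitted constraints",
+roots: []constraintsSpec{
+{
+ok: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.example.com"},
+},
+expectedError: "\"*.example.com\" is not permitted",
+},
+{
+name: "far outer wildcard names are not matched by subdomain permitted constraints",
+roots: []constraintsSpec{
+{
+ok: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.com"},
+},
+expectedError: "\"*.com\" is not permitted",
+},
+{
+name: "inner wildcard names are matched by subdomain permitted constraints",
+roots: []constraintsSpec{
+{
+ok: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.foo.example.com"},
+},
+},
+{
+name: "far inner wildcard names are matched by subdomain permitted constraints",
+roots: []constraintsSpec{
+{
+ok: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.bar.foo.example.com"},
+},
+},
+
+{
+name: "cross include should not match",
+roots: []constraintsSpec{
+{
+ok: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.bar.example.com"},
+},
+expectedError: "\"*.bar.example.com\" is not permitted by any constraint",
+},
+{
+name: "cross exclude should not match",
+roots: []constraintsSpec{
+{
+bad: []string{"dns:foo.example.com"},
+},
+},
+intermediates: [][]constraintsSpec{
+{
+{},
+},
+},
+leaf: leafSpec{
+sans: []string{"dns:*.bar.example.com"},
+},
+},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {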
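Review bot: The success cases "subdomain excluded constraints do not preclude far outer wildcard names" (`dns:*.com` against excluded `foo.example.com`) and "cross exclude should not match" (`dns:*.bar.example.com` against the same exclusion) carry no comment saying why the wildcard is expected to escape the exclusion, and they are the cases a reader is most likely to misjudge as a constraint bypass. A one-line comment on each, e.g. `// A wildcard label can only stand in for a single label, so *.com cannot name anything under foo.example.com.` (presumably the rule the verifier applies; confirm against the matching code), would record the intent and make a later regression obvious. The expected errors for the permitted-constraint cases are also inconsistent: the two outer-wildcard cases assert only `is not permitted` while "cross include should not match" asserts `is not permitted by any constraint`; if the harness does a substring match (not visible in this hunk) both pass, but the full message in all three would pin the behaviour equally tightly. The enclosing `nameConstraintsTests` slice literal starts before this hunk.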