author | mattm <mattm@chromium.org> | 2016-02-10 17:31:16 -0800 |
committer | Commit bot <commit-bot@chromium.org> | 2016-02-11 01:33:10 +0000 |
commit | 0cb852e886746830b48c09b426705b23c6845d4c (patch) | |
tree | 9a5394bb4a765b89d7836b49a5f087854c0ff39a | |
parent | dcaccb9c51299dfdf2cd925fd1a3ea6c480862a7 (diff) | |
Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName param and ParseExtension.
BUG=none
Review URL: https://codereview.chromium.org/1685023002
Cr-Commit-Position: refs/heads/master@{#374826}
16 files changed, 175 insertions, 99 deletions
diff --git a/net/cert/internal/name_constraints.cc b/net/cert/internal/name_constraints.cc
index 2873acab..2ad35dd 100644
--- a/net/cert/internal/name_constraints.cc
+++ b/net/cert/internal/name_constraints.cc
@@ -396,7 +396,8 @@ bool NameConstraints::Parse(const der::Input& extension_value,
 
 bool NameConstraints::IsPermittedCert(
     const der::Input& subject_rdn_sequence,
-    const der::Input& subject_alt_name_extnvalue_tlv) const {
+    bool has_subject_alt_name,
+    const der::Input& subject_alt_name_tlv) const {
   // Subject Alternative Name handling:
   //
   // RFC 5280 section 4.2.1.6:
@@ -407,12 +408,7 @@ bool NameConstraints::IsPermittedCert(
   // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
   GeneralNames san_names;
-  if (subject_alt_name_extnvalue_tlv.Length()) {
-    der::Parser extnvalue_parser(subject_alt_name_extnvalue_tlv);
-    der::Input subject_alt_name_tlv;
-    if (!extnvalue_parser.ReadTag(der::kOctetString, &subject_alt_name_tlv))
-      return false;
-
+  if (has_subject_alt_name) {
     der::Parser subject_alt_name_parser(subject_alt_name_tlv);
     der::Parser san_sequence_parser;
     if (!subject_alt_name_parser.ReadSequence(&san_sequence_parser))
@@ -466,6 +462,8 @@ bool NameConstraints::IsPermittedCert(
       if (!IsPermittedIP(ip_address))
         return false;
     }
+  } else {
+    DCHECK_EQ(0U, subject_alt_name_tlv.Length());
   }
 
   // Subject handling:
@@ -477,7 +475,7 @@ bool NameConstraints::IsPermittedCert(
   // form, but the certificate does not include a subject alternative name, the
   // rfc822Name constraint MUST be applied to the attribute of type emailAddress
   // in the subject distinguished name.
-  if (!subject_alt_name_extnvalue_tlv.Length() &&
+  if (!has_subject_alt_name &&
       (ConstrainedNameTypes() & GENERAL_NAME_RFC822_NAME)) {
     bool contained_email_address = false;
     if (!NameContainsEmailAddress(subject_rdn_sequence,
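Review bot: The `DCHECK_EQ(0U, subject_alt_name_tlv.Length())` in the new `} else {` branch (hunk @@ -466) is the only thing that notices a caller passing `has_subject_alt_name == false` together with a non-empty `subject_alt_name_tlv`, and a DCHECK is debug-only, so in a release build such a caller silently skips every SAN constraint check and is judged on the subject-only rules instead. Because this is a name-constraints decision it should fail closed rather than fall through: keep the DCHECK for developer feedback and add `if (!has_subject_alt_name && subject_alt_name_tlv.Length() != 0) return false;` near the top of the function, mirroring how a malformed TLV presumably already returns false through the `ReadSequence` check when the flag is true. IsPermittedCert's body continues outside these hunks, so the return path after the ReadSequence check is not visible here.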
@@ -496,10 +494,8 @@ bool NameConstraints::IsPermittedCert(
   // This code assumes that criticality condition is checked by the caller, and
   // therefore only needs to avoid the IsPermittedDirectoryName check against an
   // empty subject in such a case.
-  if (subject_alt_name_extnvalue_tlv.Length() &&
-      subject_rdn_sequence.Length() == 0) {
+  if (has_subject_alt_name && subject_rdn_sequence.Length() == 0)
     return true;
-  }
   return IsPermittedDirectoryName(subject_rdn_sequence);
 }
 
diff --git a/net/cert/internal/name_constraints.h b/net/cert/internal/name_constraints.h
index 46cb0da..ed05de0 100644
--- a/net/cert/internal/name_constraints.h
+++ b/net/cert/internal/name_constraints.h
@@ -86,13 +86,15 @@ class NET_EXPORT NameConstraints {
   // Tests if a certificate is allowed by the name constraints.
   // |subject_rdn_sequence| should be the DER-encoded value of the subject's
   // RDNSequence (not including Sequence tag), and may be an empty ASN.1
-  // sequence. |subject_alt_name_extnvalue_tlv| should be the extnValue of the
-  // subjectAltName extension (including the OCTET STRING tag & length), or
-  // empty if the cert did not have a subjectAltName extension.
+  // sequence. |subject_alt_name_tlv| should be the extnValue of the
+  // subjectAltName extension (not including the OCTET STRING tag & length). If
+  // the cert did not have a subjectAltName extension, |has_subject_alt_name|
+  // should be false and |subject_alt_name_tlv| should be empty.
   // Note that this method does not check hostname or IP address in commonName,
   // which is deprecated (crbug.com/308330).
   bool IsPermittedCert(const der::Input& subject_rdn_sequence,
-                       const der::Input& subject_alt_name_extnvalue_tlv) const;
+                       bool has_subject_alt_name,
+                       const der::Input& subject_alt_name_tlv) const;
 
   // Returns true if the ASCII hostname |name| is permitted.
   // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"
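Review bot: The rewritten header comment in the name_constraints.h hunk says `|subject_alt_name_tlv|` is "the extnValue of the subjectAltName extension (not including the OCTET STRING tag & length)", which reads as a contradiction: extnValue is that OCTET STRING, and what name_constraints.cc now hands to `ReadSequence` is its contents, the GeneralNames SEQUENCE TLV. Suggest replacing those two lines with `// sequence. |subject_alt_name_tlv| should be the contents of the subjectAltName` / `// extension's extnValue OCTET STRING, i.e. the GeneralNames SEQUENCE TLV.`. The comment should also spell out the contract the .cc only DCHECKs — a non-empty |subject_alt_name_tlv| with |has_subject_alt_name| false is a caller bug, not a tolerated input — so that callers do not treat the bool as advisory.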
diff --git a/net/cert/internal/name_constraints_unittest.cc b/net/cert/internal/name_constraints_unittest.cc
index cb8facd..2b2b356 100644
--- a/net/cert/internal/name_constraints_unittest.cc
+++ b/net/cert/internal/name_constraints_unittest.cc
@@ -123,19 +123,19 @@ TEST_P(ParseNameConstraints, DNSNames) {
   std::string san;
   ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
   EXPECT_TRUE(
-      name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
+      name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san)));
 
   ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
   EXPECT_FALSE(
-      name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
+      name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san)));
 
   ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
   EXPECT_TRUE(
-      name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
+      name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san)));
 
   ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
   EXPECT_TRUE(
-      name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
+      name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san)));
 }
 
 TEST_P(ParseNameConstraints,
@@ -307,28 +307,28 @@ TEST_P(ParseNameConstraints, DirectoryNames) { // Within the permitted C=US subtree. EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us), der::Input())); + SequenceValueFromString(&name_us), false, der::Input())); // Within the permitted C=US subtree, however the excluded C=US,ST=California // subtree takes priority. EXPECT_FALSE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_ca), der::Input())); + SequenceValueFromString(&name_us_ca), false, der::Input())); std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); EXPECT_FALSE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { 
@@ -544,19 +544,19 @@ TEST_P(ParseNameConstraints, IPAdresses) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); EXPECT_TRUE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); EXPECT_FALSE( - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + name_constraints->IsPermittedCert(der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { @@ -802,8 +802,8 @@ TEST_P(ParseNameConstraints, OtherNamesInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, OtherNamesInExcluded) { @@ -823,8 +823,8 @@ TEST_P(ParseNameConstraints, OtherNamesInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { 
@@ -844,8 +844,8 @@ TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { @@ -865,8 +865,8 @@ TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, X400AddresssInPermitted) { @@ -886,8 +886,8 @@ TEST_P(ParseNameConstraints, X400AddresssInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, X400AddresssInExcluded) { @@ -907,8 +907,8 @@ TEST_P(ParseNameConstraints, X400AddresssInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { 
@@ -928,8 +928,8 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { @@ -949,8 +949,8 @@ TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, URIsInPermitted) { @@ -969,8 +969,8 @@ TEST_P(ParseNameConstraints, URIsInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, URIsInExcluded) { @@ -989,8 +989,8 @@ TEST_P(ParseNameConstraints, URIsInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { 
@@ -1010,8 +1010,8 @@ TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { @@ -1031,8 +1031,8 @@ TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { std::string san; ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert(der::Input(), der::Input(&san))); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + der::Input(), true, der::Input(&san))); } TEST_P(ParseNameConstraints, @@ -1123,7 +1123,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { // Name constraints don't contain rfc822Name, so emailAddress in subject is // allowed regardless. EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_arizona_email), der::Input())); + SequenceValueFromString(&name_us_arizona_email), false, der::Input())); } TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { @@ -1140,9 +1140,9 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { // Name constraints contain rfc822Name, so emailAddress in subject is not // allowed if the constraints were critical. - EXPECT_EQ(!is_critical(), - name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_arizona_email), der::Input())); + EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( + SequenceValueFromString(&name_us_arizona_email), + false, der::Input())); } // Hostname in commonName is not allowed (crbug.com/308330), so these are tests 
@@ -1162,7 +1162,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // (The commonName hostname is not within permitted dNSName constraints, so // this would not be permitted if hostnames in commonName were checked.) EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_az_foocom), der::Input())); + SequenceValueFromString(&name_us_az_foocom), false, der::Input())); std::string name_us_az_permitted; ASSERT_TRUE(LoadTestName("name-us-arizona-permitted.example.com.pem", @@ -1171,7 +1171,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // permitted dNSName constraints, so this should be permitted regardless if // hostnames in commonName are checked or not. EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_az_permitted), der::Input())); + SequenceValueFromString(&name_us_az_permitted), false, der::Input())); std::string name_us_ca_permitted; ASSERT_TRUE(LoadTestName("name-us-california-permitted.example.com.pem", @@ -1180,7 +1180,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { // this should not be allowed, regardless of checking the // permitted.example.com in commonName. EXPECT_FALSE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_ca_permitted), der::Input())); + SequenceValueFromString(&name_us_ca_permitted), false, der::Input())); } // IP addresses in commonName are not allowed (crbug.com/308330), so these are @@ -1200,7 +1200,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // (The commonName IP address is not within permitted iPAddresses constraints, // so this would not be permitted if IP addresses in commonName were checked.) EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_az_1_1_1_1), der::Input())); + SequenceValueFromString(&name_us_az_1_1_1_1), false, der::Input())); std::string name_us_az_192_168_1_1; ASSERT_TRUE( 
@@ -1209,7 +1209,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // permitted iPAddress constraints, so this should be permitted regardless if // IP addresses in commonName are checked or not. EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); + SequenceValueFromString(&name_us_az_192_168_1_1), false, der::Input())); std::string name_us_ca_192_168_1_1; ASSERT_TRUE(LoadTestName("name-us-california-192.168.1.1.pem", @@ -1218,7 +1218,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // this should not be allowed, regardless of checking the // IP address in commonName. EXPECT_FALSE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_ca_192_168_1_1), der::Input())); + SequenceValueFromString(&name_us_ca_192_168_1_1), false, der::Input())); std::string name_us_az_ipv6; ASSERT_TRUE(LoadTestName("name-us-arizona-ipv6.pem", &name_us_az_ipv6)); @@ -1226,7 +1226,7 @@ TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { // (The commonName is an ipv6 address which wasn't supported in the past, but // since commonName checking is ignored entirely, this is permitted.) EXPECT_TRUE(name_constraints->IsPermittedCert( - SequenceValueFromString(&name_us_az_ipv6), der::Input())); + SequenceValueFromString(&name_us_az_ipv6), false, der::Input())); } TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) { 
@@ -1242,13 +1242,13 @@ TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) {
   // No constraints on directoryName type, so name_us_az should be allowed when
   // subjectAltName is not present.
   EXPECT_TRUE(name_constraints->IsPermittedCert(
-      SequenceValueFromString(&name_us_az), der::Input()));
+      SequenceValueFromString(&name_us_az), false, der::Input()));
 
   std::string san;
   ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san));
   // Should fail if subjectAltName is present but empty.
   EXPECT_FALSE(name_constraints->IsPermittedCert(
-      SequenceValueFromString(&name_us_az), der::Input(&san)));
+      SequenceValueFromString(&name_us_az), true, der::Input(&san)));
 }
 
 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) {
@@ -1264,13 +1264,14 @@ TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) {
 
   // Without the invalid subjectAltName, it passes.
   EXPECT_TRUE(name_constraints->IsPermittedCert(
-      SequenceValueFromString(&name_us_az_192_168_1_1), der::Input()));
+      SequenceValueFromString(&name_us_az_192_168_1_1), false, der::Input()));
 
   std::string san;
   ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san));
   // Should fail if subjectAltName contains an invalid ip address.
   EXPECT_FALSE(name_constraints->IsPermittedCert(
-      SequenceValueFromString(&name_us_az_192_168_1_1), der::Input(&san)));
+      SequenceValueFromString(&name_us_az_192_168_1_1), true,
+      der::Input(&san)));
 }
 
 }  // namespace net
diff --git a/net/data/name_constraints_unittest/generate_name_constraints.py b/net/data/name_constraints_unittest/generate_name_constraints.py
index 37ed005..cdf5494 100755
--- a/net/data/name_constraints_unittest/generate_name_constraints.py
+++ b/net/data/name_constraints_unittest/generate_name_constraints.py
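Review bot: IsPermittedCertFailsOnEmptySubjectAltName now covers a present-but-empty GeneralNames SEQUENCE (`san-invalid-empty.pem`), but no test exercises the new argument shape `has_subject_alt_name == true` with a zero-length `der::Input()`, i.e. the extension flagged present with no TLV at all, which IsPermittedCert presumably rejects through its ReadSequence check. Suggest adding to that test `EXPECT_FALSE(name_constraints->IsPermittedCert(SequenceValueFromString(&name_us_az), true, der::Input()));` so the fail-closed behaviour is pinned rather than incidental. The inverse combination (false with a non-empty TLV) is only DCHECKed in the .cc, so it cannot be asserted here without a death test; a one-line comment in the test stating that it is a caller contract would save the next reader from looking for the missing case.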
@@ -47,7 +47,7 @@ class SubjectAltNameGenerator:
     self.names.append(general_name)
 
   def __str__(self):
-    s = "asn1 = OCTWRAP,SEQUENCE:subjectAltNameSequence\n"
+    s = "asn1 = SEQUENCE:subjectAltNameSequence\n"
     s += "[subjectAltNameSequence]\n"
     s_suffix = ""
     for n, name in enumerate(self.names):
diff --git a/net/data/name_constraints_unittest/san-edipartyname.pem b/net/data/name_constraints_unittest/san-edipartyname.pem
index bf263e5..699aeb5 100644
--- a/net/data/name_constraints_unittest/san-edipartyname.pem
+++ b/net/data/name_constraints_unittest/san-edipartyname.pem
@@ -1,4 +1,6 @@
- 0:d=0 hl=2 l= 9 prim: OCTET STRING [HEX DUMP]:3007A5058103666F6F
+ 0:d=0 hl=2 l= 7 cons: SEQUENCE
+ 2:d=1 hl=2 l= 5 cons: cont [ 5 ]
+ 4:d=2 hl=2 l= 3 prim: cont [ 1 ]
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAkwB6UFgQNmb28=
+MAelBYEDZm9v
 -----END SUBJECT ALTERNATIVE NAME-----
diff --git a/net/data/name_constraints_unittest/san-excluded-directoryname.pem b/net/data/name_constraints_unittest/san-excluded-directoryname.pem
index 65e6ab9..cc586ff 100644
--- a/net/data/name_constraints_unittest/san-excluded-directoryname.pem
+++ b/net/data/name_constraints_unittest/san-excluded-directoryname.pem
@@ -1,6 +1,32 @@ - 0:d=0 hl=3 l= 128 prim: OCTET STRING [HEX DUMP]:307E82157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E61A43C303A310B30090603550406130255533113301106035504080C0A43616C69666F726E69613116301406035504070C0D4D6F756E7461696E2056696577 + 0:d=0 hl=2 l= 126 cons: SEQUENCE + 2:d=1 hl=2 l= 21 prim: cont [ 2 ] + 25:d=1 hl=2 l= 4 prim: cont [ 7 ] + 31:d=1 hl=2 l= 33 cons: cont [ 4 ] + 33:d=2 hl=2 l= 31 cons: SEQUENCE + 35:d=3 hl=2 l= 11 cons: SET + 37:d=4 hl=2 l= 9 cons: SEQUENCE + 39:d=5 hl=2 l= 3 prim: OBJECT :countryName + 44:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US + 48:d=3 hl=2 l= 16 cons: SET + 50:d=4 hl=2 l= 14 cons: SEQUENCE + 52:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName + 57:d=5 hl=2 l= 7 prim: UTF8STRING :Arizona + 66:d=1 hl=2 l= 60 cons: cont [ 4 ] + 68:d=2 hl=2 l= 58 cons: SEQUENCE + 70:d=3 hl=2 l= 11 cons: SET + 72:d=4 hl=2 l= 9 cons: SEQUENCE + 74:d=5 hl=2 l= 3 prim: OBJECT :countryName + 79:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US + 83:d=3 hl=2 l= 19 cons: SET + 85:d=4 hl=2 l= 17 cons: SEQUENCE + 87:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName + 92:d=5 hl=2 l= 10 prim: UTF8STRING :California + 104:d=3 hl=2 l= 22 cons: SET + 106:d=4 hl=2 l= 20 cons: SEQUENCE + 108:d=5 hl=2 l= 3 prim: OBJECT :localityName + 113:d=5 hl=2 l= 13 prim: UTF8STRING :Mountain View -----BEGIN SUBJECT ALTERNATIVE NAME----- -BIGAMH6CFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYD -VQQIDAdBcml6b25hpDwwOjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV -BAcMDU1vdW50YWluIFZpZXc= +MH6CFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI +DAdBcml6b25hpDwwOjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DU1vdW50YWluIFZpZXc= -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-excluded-dnsname.pem b/net/data/name_constraints_unittest/san-excluded-dnsname.pem index 80ed2b9..4476b9c 100644 
--- a/net/data/name_constraints_unittest/san-excluded-dnsname.pem +++ b/net/data/name_constraints_unittest/san-excluded-dnsname.pem @@ -1,6 +1,19 @@ - 0:d=0 hl=2 l= 120 prim: OCTET STRING [HEX DUMP]:307682157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E618234666F6F2E7374696C6C6E6F747065726D69747465642E6578636C756465642E7065726D69747465642E6578616D706C652E636F6D + 0:d=0 hl=2 l= 118 cons: SEQUENCE + 2:d=1 hl=2 l= 21 prim: cont [ 2 ] + 25:d=1 hl=2 l= 4 prim: cont [ 7 ] + 31:d=1 hl=2 l= 33 cons: cont [ 4 ] + 33:d=2 hl=2 l= 31 cons: SEQUENCE + 35:d=3 hl=2 l= 11 cons: SET + 37:d=4 hl=2 l= 9 cons: SEQUENCE + 39:d=5 hl=2 l= 3 prim: OBJECT :countryName + 44:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US + 48:d=3 hl=2 l= 16 cons: SET + 50:d=4 hl=2 l= 14 cons: SEQUENCE + 52:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName + 57:d=5 hl=2 l= 7 prim: UTF8STRING :Arizona + 66:d=1 hl=2 l= 52 prim: cont [ 2 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BHgwdoIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV -BAgMB0FyaXpvbmGCNGZvby5zdGlsbG5vdHBlcm1pdHRlZC5leGNsdWRlZC5wZXJtaXR0ZWQuZXhh -bXBsZS5jb20= +MHaCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI +DAdBcml6b25hgjRmb28uc3RpbGxub3RwZXJtaXR0ZWQuZXhjbHVkZWQucGVybWl0dGVkLmV4YW1w +bGUuY29t -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-excluded-ipaddress.pem b/net/data/name_constraints_unittest/san-excluded-ipaddress.pem index 80d1f3f..3616e7c 100644 --- a/net/data/name_constraints_unittest/san-excluded-ipaddress.pem +++ b/net/data/name_constraints_unittest/san-excluded-ipaddress.pem 
@@ -1,5 +1,18 @@ - 0:d=0 hl=2 l= 72 prim: OCTET STRING [HEX DUMP]:304682157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E618704C0A80505 + 0:d=0 hl=2 l= 70 cons: SEQUENCE + 2:d=1 hl=2 l= 21 prim: cont [ 2 ] + 25:d=1 hl=2 l= 4 prim: cont [ 7 ] + 31:d=1 hl=2 l= 33 cons: cont [ 4 ] + 33:d=2 hl=2 l= 31 cons: SEQUENCE + 35:d=3 hl=2 l= 11 cons: SET + 37:d=4 hl=2 l= 9 cons: SEQUENCE + 39:d=5 hl=2 l= 3 prim: OBJECT :countryName + 44:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US + 48:d=3 hl=2 l= 16 cons: SET + 50:d=4 hl=2 l= 14 cons: SEQUENCE + 52:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName + 57:d=5 hl=2 l= 7 prim: UTF8STRING :Arizona + 66:d=1 hl=2 l= 4 prim: cont [ 7 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BEgwRoIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV -BAgMB0FyaXpvbmGHBMCoBQU= +MEaCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI +DAdBcml6b25hhwTAqAUF -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-invalid-empty.pem b/net/data/name_constraints_unittest/san-invalid-empty.pem index 684007c..905d9fc 100644 --- a/net/data/name_constraints_unittest/san-invalid-empty.pem +++ b/net/data/name_constraints_unittest/san-invalid-empty.pem @@ -1,4 +1,4 @@ - 0:d=0 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000 + 0:d=0 hl=2 l= 0 cons: SEQUENCE -----BEGIN SUBJECT ALTERNATIVE NAME----- -BAIwAA== +MAA= -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-invalid-ipaddress.pem b/net/data/name_constraints_unittest/san-invalid-ipaddress.pem index 2a45350..02e4e62 100644 --- a/net/data/name_constraints_unittest/san-invalid-ipaddress.pem +++ b/net/data/name_constraints_unittest/san-invalid-ipaddress.pem 
@@ -1,4 +1,5 @@ - 0:d=0 hl=2 l= 9 prim: OCTET STRING [HEX DUMP]:30078705C0A8000500 + 0:d=0 hl=2 l= 7 cons: SEQUENCE + 2:d=1 hl=2 l= 5 prim: cont [ 7 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BAkwB4cFwKgABQA= +MAeHBcCoAAUA -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-othername.pem b/net/data/name_constraints_unittest/san-othername.pem index 21edf43..b00dcfe 100644 --- a/net/data/name_constraints_unittest/san-othername.pem +++ b/net/data/name_constraints_unittest/san-othername.pem @@ -1,4 +1,7 @@ - 0:d=0 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:300EA00C06042A0304050404DEADBEEF + 0:d=0 hl=2 l= 14 cons: SEQUENCE + 2:d=1 hl=2 l= 12 cons: cont [ 0 ] + 4:d=2 hl=2 l= 4 prim: OBJECT :1.2.3.4.5 + 10:d=2 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:DEADBEEF -----BEGIN SUBJECT ALTERNATIVE NAME----- -BBAwDqAMBgQqAwQFBATerb7v +MA6gDAYEKgMEBQQE3q2+7w== -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-permitted.pem b/net/data/name_constraints_unittest/san-permitted.pem index 1110ef6..098340f 100644 --- a/net/data/name_constraints_unittest/san-permitted.pem +++ b/net/data/name_constraints_unittest/san-permitted.pem 
@@ -1,5 +1,17 @@ - 0:d=0 hl=2 l= 66 prim: OCTET STRING [HEX DUMP]:304082157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E61 + 0:d=0 hl=2 l= 64 cons: SEQUENCE + 2:d=1 hl=2 l= 21 prim: cont [ 2 ] + 25:d=1 hl=2 l= 4 prim: cont [ 7 ] + 31:d=1 hl=2 l= 33 cons: cont [ 4 ] + 33:d=2 hl=2 l= 31 cons: SEQUENCE + 35:d=3 hl=2 l= 11 cons: SET + 37:d=4 hl=2 l= 9 cons: SEQUENCE + 39:d=5 hl=2 l= 3 prim: OBJECT :countryName + 44:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US + 48:d=3 hl=2 l= 16 cons: SET + 50:d=4 hl=2 l= 14 cons: SEQUENCE + 52:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName + 57:d=5 hl=2 l= 7 prim: UTF8STRING :Arizona -----BEGIN SUBJECT ALTERNATIVE NAME----- -BEIwQIIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV -BAgMB0FyaXpvbmE= +MECCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI +DAdBcml6b25h -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-registeredid.pem b/net/data/name_constraints_unittest/san-registeredid.pem index 11870ff..f408fb6 100644 --- a/net/data/name_constraints_unittest/san-registeredid.pem +++ b/net/data/name_constraints_unittest/san-registeredid.pem @@ -1,4 +1,5 @@ - 0:d=0 hl=2 l= 7 prim: OCTET STRING [HEX DUMP]:300588032A0304 + 0:d=0 hl=2 l= 5 cons: SEQUENCE + 2:d=1 hl=2 l= 3 prim: cont [ 8 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BAcwBYgDKgME +MAWIAyoDBA== -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-rfc822name.pem b/net/data/name_constraints_unittest/san-rfc822name.pem index 5d5f514..d69c035 100644 --- a/net/data/name_constraints_unittest/san-rfc822name.pem +++ b/net/data/name_constraints_unittest/san-rfc822name.pem 
@@ -1,4 +1,5 @@ - 0:d=0 hl=2 l= 19 prim: OCTET STRING [HEX DUMP]:3011810F666F6F406578616D706C652E636F6D + 0:d=0 hl=2 l= 17 cons: SEQUENCE + 2:d=1 hl=2 l= 15 prim: cont [ 1 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BBMwEYEPZm9vQGV4YW1wbGUuY29t +MBGBD2Zvb0BleGFtcGxlLmNvbQ== -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-uri.pem b/net/data/name_constraints_unittest/san-uri.pem index 5bb3119..fdf79bb 100644 --- a/net/data/name_constraints_unittest/san-uri.pem +++ b/net/data/name_constraints_unittest/san-uri.pem @@ -1,4 +1,5 @@ - 0:d=0 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:30148612687474703A2F2F6578616D706C652E636F6D + 0:d=0 hl=2 l= 20 cons: SEQUENCE + 2:d=1 hl=2 l= 18 prim: cont [ 6 ] -----BEGIN SUBJECT ALTERNATIVE NAME----- -BBYwFIYSaHR0cDovL2V4YW1wbGUuY29t +MBSGEmh0dHA6Ly9leGFtcGxlLmNvbQ== -----END SUBJECT ALTERNATIVE NAME----- diff --git a/net/data/name_constraints_unittest/san-x400address.pem b/net/data/name_constraints_unittest/san-x400address.pem index 8984b4a..26ba77d 100644 --- a/net/data/name_constraints_unittest/san-x400address.pem +++ b/net/data/name_constraints_unittest/san-x400address.pem @@ -1,4 +1,8 @@ - 0:d=0 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300AA3083006610413025553 + 0:d=0 hl=2 l= 10 cons: SEQUENCE + 2:d=1 hl=2 l= 8 cons: cont [ 3 ] + 4:d=2 hl=2 l= 6 cons: SEQUENCE + 6:d=3 hl=2 l= 4 cons: appl [ 1 ] + 8:d=4 hl=2 l= 2 prim: PRINTABLESTRING :US -----BEGIN SUBJECT ALTERNATIVE NAME----- -BAwwCqMIMAZhBBMCVVM= +MAqjCDAGYQQTAlVT -----END SUBJECT ALTERNATIVE NAME----- |