Bug 1111392: Add tests for malformed name constraints where there are no names of the constrained type, r=keeler

--HG-- extra : rebase_source : 048619553c7725eee1cb73df64faae8c8890c995
2024-09-13 09:24:08 -07:00 · 2014-10-30 16:48:31 -07:00 · 2014-10-30 16:48:31 -07:00 · c2c84b2d85
commit c2c84b2d85
parent 711e0958fb
1 changed files with 34 additions and 0 deletions
--- a/security/pkix/test/gtest/pkixnames_tests.cpp
+++ b/security/pkix/test/gtest/pkixnames_tests.cpp
@ -1716,6 +1716,40 @@ GeneralSubtree(const ByteString& base)

 static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
 {
+  /////////////////////////////////////////////////////////////////////////////
+  // XXX: Malformed name constraints for supported types of names are ignored
+  // when there are no names of that type to constrain.
+  { ByteString(), NO_SAN,
+    GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { // DirectoryName constraints are an exception, because *every* certificate
+    // has at least one DirectoryName (tbsCertificate.subject).
+    ByteString(), NO_SAN,
+    GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(RFC822Name("!")),
+    Success, Success
+  },
+
  /////////////////////////////////////////////////////////////////////////////
  // Edge cases of name constraint absolute vs. relative and subdomain matching
  // that are not clearly explained in RFC 5280. (See the long comment above