This file describes the tests for the SSL Trust Policy.

SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
Notes: <rdar://problem/31562470>, https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Description: Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125, hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Description: Wildcard not in the left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com

Description: Wildcard in the left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Description: Wildcard in the left-most label. Hostname doesn't contain a label for the wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Description: Wildcard in the left-most label. Hostname contains 2 labels for the wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Description: Wildcard immediately preceding the top-level domain.
Certificate: InvalidWildcardTest10.cer
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Description: Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
Notes: Technically this is allowed per specifications.

Description: Wildcard at the end of a label preceding the top-level domain. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Notes: Technically this is allowed per specifications, but we think this allows evil.

Description: Wildcard at the end of a label preceding the top-level domain. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
Notes: Technically this is allowed per specifications.

Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com

Description: EKU present but no Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
EKU: Email Protection
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
Expected Result: SUCCEED

Description: Hostname has a trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20

Description: Hostname has a trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
Expected Result: SUCCEED
Notes: Allowed as a mechanism to force TLS renegotiation.

Description: Hostname has a preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20

Description: SAN has a trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
SAN: test.apple.com.test

Description: SAN extension is present but doesn't contain a DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
SAN: RFC822Name:test@apple.com

Description: SAN has a trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com

Description: SAN has a preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com

Description: Wildcard at the beginning of a label. Hostname has a letter for the wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
Notes: Technically this is allowed per specifications.

Description: Wildcard at the beginning of a label. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
Notes: Technically this is allowed per specifications.

Description: Wildcard at the end of a label. Hostname has a letter for the wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: test.apple.com
Notes: We used to have an inconsistent approach to partial-label wildcards
(see Tests 12, 13, 14, 25, and 26); now, we disallow all partial-label

Description: Wildcard at the end of a label. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: tes.apple.com
Notes: See notes for Test 27.

Description: Hostname matches CN, case-insensitive.
Certificate: ValidHostnameTest3.cer
Hostname: TEST.apple.com
Notes: <rdar://problem/26555272>, <rdar://problem/31562470>

Description: Wildcards only - 1 label.
Certificate: InvalidWildcardTest30.cer

Description: Wildcards only - 2 labels.
Certificate: InvalidWildcardTest31.cer

Description: Wildcards only - 3 labels.
Certificate: InvalidWildcardTest32.cer
Hostname: test.apple.com

Description: Wildcards only - 1 label, trailing '.'.
Certificate: InvalidWildcardTest33.cer

Description: Wildcards only - 1 label, preceding '.'.
Certificate: InvalidWildcardTest34.cer

Description: Wildcards only - 1 label to 2 labels.
Certificate: InvalidWildcardTest30.cer

Description: Wildcards only - 1 label to 2 labels, trailing '.'.
Certificate: InvalidWildcardTest33.cer

Description: Wildcards only - 1 label to 2 labels, preceding '.'.
Certificate: InvalidWildcardTest34.cer