git.saurik.com Git - apple/security.git/blob - SecurityTests/ssl-policy-certs/TestDescriptions.txt
Security-59306.11.20.tar.gz
This file describes the tests for the SSL Trust Policy.

Definitions
----------
CN = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Test 1
----------
Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Test 2
---------
Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
CN: test.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Test 3
---------
Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
CN: test.apple.com
SAN not present
Expected Result: FAIL
Notes: <rdar://problem/31562470>, https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Test 4
---------
Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Test 5
----------
Description: Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125 hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Test 6
---------
Description: Wildcard not in left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL

Test 7
----------
Description: Wildcard in left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 8
----------
Description: Wildcard in left-most label. Hostname doesn't contain label for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 9
---------
Description: Wildcard in left-most label. Hostname contains 2 labels for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 10
----------
Description: Wildcard immediately preceding top-level-domain.
Certificate: InvalidWildcardTest10.cer
Hostname: apple.com
CN: Test10
SAN: *.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 11
----------
Description: Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
CN: Test11
SAN: *.co.uk
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 12
----------
Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
CN: Test12
SAN: t*t.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 13
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: apple.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications, but we think this allows evil.

Test 14
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 15
----------
Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com
CN: Test15
SAN: *.*.apple.com
Expected Result: FAIL

Test 16
----------
Description: EKU present but no Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
CN: Test16
SAN: test.apple.com
EKU: Email Protection
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Test 17
----------
Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
CN: Test17
SAN: test.apple.com
EKU not present
Expected Result: SUCCEED

Test 18
----------
Description: Hostname has trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 19
----------
Description: Hostname has trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: SUCCEED
Notes: Allowed as a mechanism to force TLS renegotiation.

Test 20
----------
Description: Hostname has preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 21
----------
Description: SAN has trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
CN: Test21
SAN: test.apple.com.test
Expected Result: FAIL

Test 22
----------
Description: SAN extension is present but doesn't contain DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
CN: Test22
SAN: RFC822Name:test@apple.com
Expected Result: FAIL

Test 23
----------
Description: SAN has trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com
CN: Test23
SAN: test.apple.com.
Expected Result: FAIL

Test 24
----------
Description: SAN has preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com
CN: Test24
SAN: .test.apple.com
Expected Result: FAIL

Test 25
----------
Description: Wildcard at the beginning of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 26
---------
Description: Wildcard at the beginning of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 27
----------
Description: Wildcard at the end of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: test.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: We used to have an inconsistent approach to partial-label wildcards
(see Tests 12, 13, 14, 25, and 26); now, we disallow all partial-label
wildcards.

Test 28
---------
Description: Wildcard at the end of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: tes.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: See notes for Test 27.

Test 29
---------
Description: Hostname matches CN, case insensitive
Certificate: ValidHostnameTest3.cer
Hostname: TEST.apple.com
CN: test.apple.com
SAN not present
Expected Result: FAIL
Notes: <rdar://problem/26555272>, <rdar://problem/31562470>

Test 30
---------
Description: Wildcards only - 1 label.
Certificate: InvalidWildcardTest30.cer
Hostname: apple
CN: Test30
SAN: *
Expected Result: FAIL

Test 31
---------
Description: Wildcards only - 2 labels
Certificate: InvalidWildcardTest31.cer
Hostname: apple.com
CN: Test31
SAN: *.*
Expected Result: FAIL

Test 32
---------
Description: Wildcards only - 3 labels
Certificate: InvalidWildcardTest32.cer
Hostname: test.apple.com
CN: Test32
SAN: *.*.*
Expected Result: FAIL

Test 33
---------
Description: Wildcards only - 1 label, trailing '.'
Certificate: InvalidWildcardTest33.cer
Hostname: apple
CN: Test33
SAN: *.
Expected Result: FAIL

Test 34
---------
Description: Wildcards only - 1 label, preceding '.'
Certificate: InvalidWildcardTest34.cer
Hostname: apple
CN: Test34
SAN: .*
Expected Result: FAIL

Test 35
---------
Description: Wildcards only - 1 label to 2 labels
Certificate: InvalidWildcardTest30.cer
Hostname: apple.com
CN: Test30
SAN: *
Expected Result: FAIL

Test 36
---------
Description: Wildcards only - 1 label to 2 labels, trailing '.'
Certificate: InvalidWildcardTest33.cer
Hostname: apple.com
CN: Test33
SAN: *.
Expected Result: FAIL

Test 37
---------
Description: Wildcards only - 1 label to 2 labels, preceding '.'
Certificate: InvalidWildcardTest34.cer
Hostname: apple.com
CN: Test34
SAN: .*
Expected Result: FAIL
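
Added example (not part of the original file and not Apple's implementation): a reference matcher that reproduces the expected results above, useful for checking another TLS client's hostname logic against the same cases. The function names, the two-entry PUBLIC_SUFFIXES stand-in, the EKU-as-OID-set input and the case-insensitive comparison are assumptions of this sketch.

```python
# Added illustration of the policy implied by the expected results; not Apple's code.
PUBLIC_SUFFIXES = {"com", "co.uk"}      # constructed stand-in for a real public suffix list
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

def _labels(name):
    """Lower-cased labels, or None if any label is empty (leading, trailing or double dot)."""
    labels = name.lower().split(".")  # case-insensitive compare is an assumption
    return labels if all(labels) else None

def san_matches(pattern, host_labels):
    """Match one SAN DNSName against an already-split hostname."""
    pat = _labels(pattern)
    if pat is None or len(pat) != len(host_labels):
        return False  # malformed SAN, or label counts differ (a wildcard covers one label)
    if "*" not in pattern:
        return pat == host_labels
    # The wildcard must be the entire left-most label and the only wildcard.
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # It must not sit directly on a public suffix (or stand alone).
    if len(pat) < 2 or ".".join(pat[1:]) in PUBLIC_SUFFIXES:
        return False
    return pat[1:] == host_labels[1:]

def ssl_policy_ok(hostname, dns_sans, eku=None):
    """dns_sans: DNSName entries only (CN is never consulted); eku: set of OIDs or None."""
    if eku is not None and SERVER_AUTH not in eku:
        return False
    if hostname.endswith("."):
        hostname = hostname[:-1]  # a single trailing dot is tolerated on the hostname only
    host = _labels(hostname)
    return host is not None and any(san_matches(p, host) for p in dns_sans)

# (test number, hostname, DNSName SANs, EKU, expected) taken from the descriptions above
CASES = [
    (3, "test.apple.com", [], None, False),
    (7, "good.test.apple.com", ["*.test.apple.com"], None, True),
    (11, "apple.co.uk", ["*.co.uk"], None, False),
    (16, "test.apple.com", ["test.apple.com"], {EMAIL_PROTECTION}, False),
    (19, "test.apple.com.", ["test.apple.com"], None, True),
    (27, "test.apple.com", ["tes*.apple.com"], None, False),
]

def mismatches(cases=CASES):
    """Return the test numbers whose computed result differs from the expected one."""
    return [n for n, host, sans, eku, want in cases if ssl_policy_ok(host, sans, eku) != want]

if __name__ == "__main__":
    print("mismatches:", mismatches())
```

A production check needs the full public suffix list in place of PUBLIC_SUFFIXES; the two entries here cover only Tests 10 and 11.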