apple/security.git / SecurityTests / ssl-policy-certs / TestDescriptions.txt (Security-57336.10.29.tar.gz)

This file describes the tests for the SSL Trust Policy.

The password for the CA p12 is "Password4TestCA"

Definitions
----------
CN = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Test 1
----------
Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Test 2
---------
Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
CN: test.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Test 3
---------
Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
CN: test.apple.com
SAN not present
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Test 4
---------
Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Test 5
----------
Description: Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125 hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Test 6
---------
Description: Wildcard not in left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL

Test 7
----------
Description: Wildcard in left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 8
----------
Description: Wildcard in left-most label. Hostname doesn't contain label for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 9
---------
Description: Wildcard in left-most label. Hostname contains 2 labels for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 10
----------
Description: Wildcard immediately preceding top-level-domain.
Certificate: InvalidWildcardTest10.cer
Hostname: apple.com
CN: Test10
SAN: *.com
Expected Result: FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 11
----------
Description: Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
CN: Test11
SAN: *.co.uk
Expected Result: FAIL
Actual Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 12
----------
Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
CN: Test12
SAN: t*t.apple.com
Expected Result: FAIL

Test 13
----------
Description: Wildcard at the end of a label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: apple.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Actual Result: FAIL
Notes: Technically this is allowed per specifications, but we think this allows evil.

Test 14
----------
Description: Wildcard at the end of a label. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Actual Result: FAIL
Notes: Not clear whether we should really allow this.

Test 15
----------
Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com
CN: Test15
SAN: *.*.apple.com
Expected Result: FAIL

Test 16
----------
Description: EKU present but no Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
CN: Test16
SAN: test.apple.com
EKU: Email Protection
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Test 17
----------
Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
CN: Test17
SAN: test.apple.com
EKU not present
Expected Result: SUCCEED

Test 18
----------
Description: Hostname has trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 19
----------
Description: Hostname has trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 20
----------
Description: Hostname has preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 21
----------
Description: SAN has trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
CN: Test21
SAN: test.apple.com.test
Expected Result: FAIL

Test 22
----------
Description: SAN extension is present but doesn't contain DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
CN: Test22
SAN: RFC822Name:test@apple.com
Expected Result: FAIL

Test 23
----------
Description: SAN has trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com
CN: Test23
SAN: test.apple.com.
Expected Result: FAIL

Test 24
----------
Description: SAN has preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com
CN: Test24
SAN: .test.apple.com
Expected Result: FAIL

Test 25
----------
Description: Wildcard at the beginning of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL

Test 26
---------
Description: Wildcard at the beginning of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
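
Added example (not part of the original file or of Apple's test suite): a Python hostname and EKU check that returns the Expected Result for each of the 26 tests described above. The function names, the None-means-extension-absent convention, the rule that CN is consulted only when no SAN extension exists, and the two-entry public suffix set are assumptions made for illustration; Tests 10 and 11 need a real public suffix list in practice.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
# Constructed stand-in for a real public suffix list (Tests 10 and 11).
PUBLIC_SUFFIXES = {"com", "co.uk"}

def _labels(name):
    """Lowercased labels, or None if any label is empty (leading/trailing '.')."""
    labels = name.lower().split(".")
    return None if "" in labels else labels

def dns_name_matches(hostname, pattern):
    host, pat = _labels(hostname), _labels(pattern)
    # Label counts must agree: '*' stands for exactly one label (Tests 8, 9, 18, 21).
    if host is None or pat is None or len(host) != len(pat):
        return False
    if "*" in pattern:
        # The wildcard must be the whole left-most label and appear only there.
        if pat[0] != "*" or any("*" in label for label in pat[1:]):
            return False
        # Reject a wildcard that sits directly on a public suffix.
        if ".".join(pat[1:]) in PUBLIC_SUFFIXES:
            return False
        return host[1:] == pat[1:]
    return host == pat

def ssl_policy_result(hostname, cn, san_dns_names=None, eku=None):
    """san_dns_names: None when the SAN extension is absent, else its DNSName
    values (possibly empty). eku: None when absent, else a set of OIDs."""
    if eku is not None and SERVER_AUTH not in eku:
        return "FAIL"
    # Assumption: CN is consulted only when there is no SAN extension at all.
    names = [cn] if san_dns_names is None else san_dns_names
    ok = any(dns_name_matches(hostname, n) for n in names)
    return "SUCCEED" if ok else "FAIL"

# (test number, hostname, CN, SAN DNSNames, EKU) taken from the descriptions above.
VECTORS = [
    (2, "test.apple.com", "test.apple.com", ["bad.apple.com"], None),
    (3, "test.apple.com", "test.apple.com", None, None),
    (7, "good.test.apple.com", "Test7 Test8 Test9", ["*.test.apple.com"], None),
    (9, "one.bad.test.apple.com", "Test7 Test8 Test9", ["*.test.apple.com"], None),
    (11, "apple.co.uk", "Test11", ["*.co.uk"], None),
    (16, "test.apple.com", "Test16", ["test.apple.com"], {EMAIL_PROTECTION}),
    (19, "test.apple.com.", "Test18 Test19 Test20", ["test.apple.com"], None),
    (22, "test.apple.com", "Test22", [], None),
]

def run_vectors():
    return {n: ssl_policy_result(h, cn, san, eku) for n, h, cn, san, eku in VECTORS}
```

With a matcher that only counts labels after the wildcard and has no public suffix data, Test 11 would return SUCCEED, which is the Actual Result the file records.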