apple/security (Security-58286.51.6) - SecurityTests/ssl-policy-certs/TestDescriptions.txt
This file describes the tests for the SSL Trust Policy.

The password for the CA p12 is "Password4TestCA"

Definitions
----------
CN = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Test 1
----------
Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Test 2
----------
Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
CN: test.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Test 3
----------
Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
CN: test.apple.com
SAN not present
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Test 4
----------
Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Test 5
----------
Description: Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125 hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Test 6
----------
Description: Wildcard not in left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL

Test 7
----------
Description: Wildcard in left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 8
----------
Description: Wildcard in left-most label. Hostname doesn't contain label for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 9
----------
Description: Wildcard in left-most label. Hostname contains 2 labels for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 10
----------
Description: Wildcard immediately preceding top-level domain.
Certificate: InvalidWildcardTest10.cer
Hostname: apple.com
CN: Test10
SAN: *.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 11
----------
Description: Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
CN: Test11
SAN: *.co.uk
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 12
----------
Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
CN: Test12
SAN: t*t.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 13
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: apple.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications, but we think this allows evil.

Test 14
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 15
----------
Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com
CN: Test15
SAN: *.*.apple.com
Expected Result: FAIL

Test 16
----------
Description: EKU present but no Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
CN: Test16
SAN: test.apple.com
EKU: Email Protection
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Test 17
----------
Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
CN: Test17
SAN: test.apple.com
EKU not present
Expected Result: SUCCEED

Test 18
----------
Description: Hostname has trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 19
----------
Description: Hostname has trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: SUCCEED
Notes: Allowed as a mechanism to force TLS renegotiation.

Test 20
----------
Description: Hostname has preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 21
----------
Description: SAN has trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
CN: Test21
SAN: test.apple.com.test
Expected Result: FAIL

Test 22
----------
Description: SAN extension is present but doesn't contain DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
CN: Test22
SAN: RFC822Name:test@apple.com
Expected Result: FAIL

Test 23
----------
Description: SAN has trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com
CN: Test23
SAN: test.apple.com.
Expected Result: FAIL

Test 24
----------
Description: SAN has preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com
CN: Test24
SAN: .test.apple.com
Expected Result: FAIL

Test 25
----------
Description: Wildcard at the beginning of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 26
----------
Description: Wildcard at the beginning of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 27
----------
Description: Wildcard at the end of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: test.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: We used to have an inconsistent approach to partial-label wildcards
(see Tests 12, 13, 14, 25, and 26); now, we disallow all partial-label
wildcards.

Test 28
----------
Description: Wildcard at the end of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: tes.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: See notes for Test 27.

Test 29
----------
Description: Hostname matches CN, case insensitive.
Certificate: ValidHostnameTest3.cer
Hostname: TEST.apple.com
CN: test.apple.com
SAN not present
Expected Result: SUCCEED
Notes: <rdar://problem/26555272>

Test 30
----------
Description: Wildcards only - 1 label.
Certificate: InvalidWildcardTest30.cer
Hostname: apple
CN: Test30
SAN: *
Expected Result: FAIL

Test 31
----------
Description: Wildcards only - 2 labels.
Certificate: InvalidWildcardTest31.cer
Hostname: apple.com
CN: Test31
SAN: *.*
Expected Result: FAIL

Test 32
----------
Description: Wildcards only - 3 labels.
Certificate: InvalidWildcardTest32.cer
Hostname: test.apple.com
CN: Test32
SAN: *.*.*
Expected Result: FAIL

Test 33
----------
Description: Wildcards only - 1 label, trailing '.'.
Certificate: InvalidWildcardTest33.cer
Hostname: apple
CN: Test33
SAN: *.
Expected Result: FAIL

Test 34
----------
Description: Wildcards only - 1 label, preceding '.'.
Certificate: InvalidWildcardTest34.cer
Hostname: apple
CN: Test34
SAN: .*
Expected Result: FAIL

Test 35
----------
Description: Wildcards only - 1 label to 2 labels.
Certificate: InvalidWildcardTest30.cer
Hostname: apple.com
CN: Test30
SAN: *
Expected Result: FAIL

Test 36
----------
Description: Wildcards only - 1 label to 2 labels, trailing '.'.
Certificate: InvalidWildcardTest33.cer
Hostname: apple.com
CN: Test33
SAN: *.
Expected Result: FAIL

Test 37
----------
Description: Wildcards only - 1 label to 2 labels, preceding '.'.
Certificate: InvalidWildcardTest34.cer
Hostname: apple.com
CN: Test34
SAN: .*
Expected Result: FAIL
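
The matching rules these 37 tests pin down, written out as an added Python example; this is not code from Apple's Security framework or from this repository, and the function names are my own. It encodes the behaviour the expected results imply (DNSName SANs take precedence over the CN, the CN is consulted only when no SAN extension exists, a wildcard must be a whole left-most label followed by at least two labels that do not form a public suffix, a present EKU must include serverAuth) and replays the vectors transcribed from the tests above. The public-suffix set is a constructed placeholder for a real PSL lookup, and Test 22's RFC822Name-only SAN is modelled as a present but empty DNSName list.

```python
"""Added model of the SSL trust policy hostname rules; not Apple's implementation."""
from typing import List, Optional, Tuple

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection (Test 16)
PUBLIC_SUFFIXES = {"com", "co.uk"}          # constructed stand-in for the public suffix list


def normalize_hostname(hostname: str) -> Optional[List[str]]:
    """Lower-case, strip one trailing '.' (Test 19), reject a leading '.' or empty label (Test 20)."""
    name = hostname.lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    return None if "" in labels else labels


def parse_cert_name(cert_name: str) -> Optional[List[str]]:
    """Validate a certificate DNSName literally; None means the name can never match."""
    labels = cert_name.lower().split(".")
    if "" in labels:                    # empty, leading or trailing '.' (Tests 23, 24, 33, 34, 36, 37)
        return None
    wildcards = [i for i, label in enumerate(labels) if "*" in label]
    if not wildcards:
        return labels
    if len(wildcards) != 1:             # more than one wildcard (Tests 15, 31, 32)
        return None
    if wildcards[0] != 0 or labels[0] != "*":   # not left-most (5, 6) or partial label (12-14, 25-28)
        return None
    rest = labels[1:]
    if len(rest) < 2 or ".".join(rest) in PUBLIC_SUFFIXES:   # *.com, *.co.uk, bare * (10, 11, 30, 35)
        return None
    return labels


def name_matches(cert_name: str, hostname: str) -> bool:
    """A wildcard label matches exactly one hostname label; label counts must agree (Tests 8, 9, 18, 21)."""
    host = normalize_hostname(hostname)
    pattern = parse_cert_name(cert_name)
    if host is None or pattern is None or len(host) != len(pattern):
        return False
    return all(p == "*" or p == h for p, h in zip(pattern, host))


def evaluate(hostname: str, cn: str, san_dns_names: Optional[List[str]], eku: Optional[List[str]]) -> bool:
    """san_dns_names is None when no SAN extension exists, [] when it has no DNSName (Test 22)."""
    if eku is not None and SERVER_AUTH_OID not in eku:   # EKU without serverAuth fails (16); absent is fine (17)
        return False
    if san_dns_names is not None:                         # SAN present: CN is ignored (Test 2)
        return any(name_matches(n, hostname) for n in san_dns_names)
    return name_matches(cn, hostname)


EMAIL = [EMAIL_PROTECTION_OID]
# (test, hostname, CN, SAN DNSNames or None, EKU or None, expected) transcribed from the descriptions above.
VECTORS = [
    (1, "test.apple.com", "bad.apple.com", ["bad.apple.com"], None, False),
    (2, "test.apple.com", "test.apple.com", ["bad.apple.com"], None, False),
    (3, "test.apple.com", "test.apple.com", None, None, True),
    (4, "test.apple.com", "bad.apple.com", ["test.apple.com"], None, True),
    (5, "test.bad.apple.com", "Test5 Test6", ["test.*.apple.com"], None, False),
    (6, "test.apple.com", "Test5 Test6", ["test.*.apple.com"], None, False),
    (7, "good.test.apple.com", "Test7 Test8 Test9", ["*.test.apple.com"], None, True),
    (8, "test.apple.com", "Test7 Test8 Test9", ["*.test.apple.com"], None, False),
    (9, "one.bad.test.apple.com", "Test7 Test8 Test9", ["*.test.apple.com"], None, False),
    (10, "apple.com", "Test10", ["*.com"], None, False),
    (11, "apple.co.uk", "Test11", ["*.co.uk"], None, False),
    (12, "test.apple.com", "Test12", ["t*t.apple.com"], None, False),
    (13, "apple.com", "Test13 Test14", ["apple*.com"], None, False),
    (14, "appleseed.com", "Test13 Test14", ["apple*.com"], None, False),
    (15, "one.bad.apple.com", "Test15", ["*.*.apple.com"], None, False),
    (16, "test.apple.com", "Test16", ["test.apple.com"], EMAIL, False),
    (17, "test.apple.com", "Test17", ["test.apple.com"], None, True),
    (18, "test.apple.com.test", "Test18 Test19 Test20", ["test.apple.com"], None, False),
    (19, "test.apple.com.", "Test18 Test19 Test20", ["test.apple.com"], None, True),
    (20, ".test.apple.com", "Test18 Test19 Test20", ["test.apple.com"], None, False),
    (21, "test.apple.com", "Test21", ["test.apple.com.test"], None, False),
    (22, "test.apple.com", "Test22", [], None, False),
    (23, "test.apple.com", "Test23", ["test.apple.com."], None, False),
    (24, "test.apple.com", "Test24", [".test.apple.com"], None, False),
    (25, "test.apple.com", "Test25 Test26", ["*est.apple.com"], None, False),
    (26, "est.apple.com", "Test25 Test26", ["*est.apple.com"], None, False),
    (27, "test.apple.com", "Test27 Test28", ["tes*.apple.com"], None, False),
    (28, "tes.apple.com", "Test27 Test28", ["tes*.apple.com"], None, False),
    (29, "TEST.apple.com", "test.apple.com", None, None, True),
    (30, "apple", "Test30", ["*"], None, False),
    (31, "apple.com", "Test31", ["*.*"], None, False),
    (32, "test.apple.com", "Test32", ["*.*.*"], None, False),
    (33, "apple", "Test33", ["*."], None, False),
    (34, "apple", "Test34", [".*"], None, False),
    (35, "apple.com", "Test30", ["*"], None, False),
    (36, "apple.com", "Test33", ["*."], None, False),
    (37, "apple.com", "Test34", [".*"], None, False),
]


def run_vectors() -> List[Tuple[int, bool, bool]]:
    """Return (test number, expected, actual) for every vector the model gets wrong; empty means all agree."""
    results = [(n, exp, evaluate(h, cn, san, eku)) for n, h, cn, san, eku, exp in VECTORS]
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    print(run_vectors() or "all %d vectors agree with the expected results" % len(VECTORS))
```

The model deliberately takes the certificate name literally (no trailing-dot stripping, no partial-label wildcards) while normalizing only the hostname, which is what separates the mirror-image pairs in the tests (19 vs 23, 20 vs 24). Anything the model rejects before comparison, such as a wildcard over a public suffix, fails closed regardless of the hostname.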