This file describes the tests for the SSL Trust Policy.

The password for the CA p12 is "Password4TestCA".

Definitions
----------
CN  = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Test 1
----------
Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Test 2
----------
Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
CN: test.apple.com
SAN: bad.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Test 3
----------
Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
CN: test.apple.com
SAN not present
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Test 4
----------
Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Test 5
----------
Description: Wildcard not in the left-most label. Per RFC 2818 the hostname matches; per RFC 6125 it does not.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Test 6
----------
Description: Wildcard not in the left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result: FAIL

Test 7
----------
Description: Wildcard in the left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 8
----------
Description: Wildcard in the left-most label. Hostname has no label for the wildcard to match.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 9
----------
Description: Wildcard in the left-most label. Hostname has two labels where the wildcard sits.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 10
----------
Description: Wildcard immediately preceding the top-level domain.
Certificate: InvalidWildcardTest10.cer
Hostname: apple.com
CN: Test10
SAN: *.com
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 11
----------
Description: Wildcard immediately preceding a public suffix with two domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
CN: Test11
SAN: *.co.uk
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 12
----------
Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
CN: Test12
SAN: t*t.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 13
----------
Description: Wildcard at the end of a label preceding the top-level domain. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: apple.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications, but we think this allows evil.

Test 14
----------
Description: Wildcard at the end of a label preceding the top-level domain. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
CN: Test13 Test14
SAN: apple*.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 15
----------
Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com
CN: Test15
SAN: *.*.apple.com
Expected Result: FAIL

Test 16
----------
Description: EKU present but without the Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
CN: Test16
SAN: test.apple.com
EKU: Email Protection
Expected Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Test 17
----------
Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
CN: Test17
SAN: test.apple.com
EKU not present
Expected Result: SUCCEED

Test 18
----------
Description: Hostname has a trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 19
----------
Description: Hostname has a trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: SUCCEED
Notes: Allowed as a mechanism to force TLS renegotiation.

Test 20
----------
Description: Hostname has a preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result: FAIL

Test 21
----------
Description: SAN has a trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
CN: Test21
SAN: test.apple.com.test
Expected Result: FAIL

Test 22
----------
Description: SAN extension is present but doesn't contain a DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
CN: Test22
SAN: RFC822Name:test@apple.com
Expected Result: FAIL

Test 23
----------
Description: SAN has a trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com
CN: Test23
SAN: test.apple.com.
Expected Result: FAIL

Test 24
----------
Description: SAN has a preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com
CN: Test24
SAN: .test.apple.com
Expected Result: FAIL

Test 25
----------
Description: Wildcard at the beginning of a label. Hostname has a letter for the wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 26
----------
Description: Wildcard at the beginning of a label. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result: FAIL
Notes: Technically this is allowed per specifications.

Test 27
----------
Description: Wildcard at the end of a label. Hostname has a letter for the wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: test.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: We used to have an inconsistent approach to partial-label wildcards (see Tests 12, 13, 14, 25, and 26); now we disallow all partial-label wildcards.

Test 28
----------
Description: Wildcard at the end of a label. Hostname has no letter for the wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: tes.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result: FAIL
Notes: See notes for Test 27.

Test 29
----------
Description: Hostname matches CN, case insensitive.
Certificate: ValidHostnameTest3.cer
Hostname: TEST.apple.com
CN: test.apple.com
SAN not present
Expected Result: SUCCEED

Test 30
----------
Description: Wildcards only - 1 label.
Certificate: InvalidWildcardTest30.cer
Hostname: apple
CN: Test30
SAN: *
Expected Result: FAIL

Test 31
----------
Description: Wildcards only - 2 labels.
Certificate: InvalidWildcardTest31.cer
Hostname: apple.com
CN: Test31
SAN: *.*
Expected Result: FAIL

Test 32
----------
Description: Wildcards only - 3 labels.
Certificate: InvalidWildcardTest32.cer
Hostname: test.apple.com
CN: Test32
SAN: *.*.*
Expected Result: FAIL

Test 33
----------
Description: Wildcards only - 1 label, trailing '.'.
Certificate: InvalidWildcardTest33.cer
Hostname: apple
CN: Test33
SAN: *.
Expected Result: FAIL

Test 34
----------
Description: Wildcards only - 1 label, preceding '.'.
Certificate: InvalidWildcardTest34.cer
Hostname: apple
CN: Test34
SAN: .*
Expected Result: FAIL

Test 35
----------
Description: Wildcards only - 1 label against a 2-label hostname.
Certificate: InvalidWildcardTest30.cer
Hostname: apple.com
CN: Test30
SAN: *
Expected Result: FAIL

Test 36
----------
Description: Wildcards only - 1 label against a 2-label hostname, trailing '.'.
Certificate: InvalidWildcardTest33.cer
Hostname: apple.com
CN: Test33
SAN: *.
Expected Result: FAIL

Test 37
----------
Description: Wildcards only - 1 label against a 2-label hostname, preceding '.'.
Certificate: InvalidWildcardTest34.cer
Hostname: apple.com
CN: Test34
SAN: .*
Expected Result: FAIL
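The rules the 37 tests above pin down (SAN DNSName takes precedence over CN, whole-label left-most wildcard only, no wildcard directly before a public suffix, trailing dot tolerated on the hostname but not in the SAN, case-insensitive compare, serverAuth required when an EKU is present) can be written as one small reference matcher. This is an added example, not the SSL Trust Policy's own code; PUBLIC_SUFFIXES is a constructed two-entry stand-in for the Public Suffix List, and the SAN and EKU are modelled as plain Python values rather than parsed ASN.1.

```python
# Added reference matcher for the hostname policy described by Tests 1-37.
# Not the trust policy's implementation; PUBLIC_SUFFIXES is a constructed subset.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth (Tests 16, 17)
PUBLIC_SUFFIXES = {"com", "co.uk"}        # constructed; real code consults the full PSL


def _dns_pattern_ok(pat):
    """Reject SAN DNSNames the policy never matches (Tests 5, 10-15, 23-28, 30-37)."""
    labels = pat.split(".")
    if "" in labels or pat.count("*") > 1:     # leading/trailing '.', empty label, several '*'
        return False
    if "*" not in pat:
        return True
    if labels[0] != "*":                       # '*' must be the entire left-most label
        return False
    suffix = labels[1:]                        # what the wildcard is allowed to precede
    return len(suffix) >= 2 and ".".join(suffix) not in PUBLIC_SUFFIXES


def dns_name_matches(hostname, pat):
    """Case-insensitive match of one client hostname against one DNSName pattern."""
    host, pat = hostname.lower(), pat.lower()
    if host.endswith("."):                     # trailing '.' on the hostname is tolerated (Test 19)
        host = host[:-1]
    hl = host.split(".")
    if "" in hl or "*" in host or not _dns_pattern_ok(pat):  # leading '.' etc. (Test 20)
        return False
    pl = pat.split(".")
    if len(hl) != len(pl):                     # no extra or missing labels (Tests 8, 9, 18, 21)
        return False
    if pl[0] == "*":
        return hl[1:] == pl[1:]                # '*' consumes exactly one non-empty label
    return hl == pl


def hostname_policy(hostname, cn, san=None, eku=None):
    """True if the leaf certificate fields satisfy the policy for this hostname.

    san: None when the extension is absent, else a list of (general_name_type, value).
    eku: None when the extension is absent, else a set of OID strings.
    """
    if eku is not None and SERVER_AUTH_OID not in eku:   # EKU present must list serverAuth
        return False
    if san is None:                                       # no SAN: fall back to the CN (Tests 3, 29)
        return dns_name_matches(hostname, cn)
    dns_names = [v for t, v in san if t == "DNSName"]     # SAN present: CN is ignored (Tests 2, 4, 22)
    return any(dns_name_matches(hostname, p) for p in dns_names)
```

Each test case in this file maps onto a single call: `hostname_policy("test.apple.com", "bad.apple.com", [("DNSName", "test.apple.com")])` is Test 4 and returns True, while the same call with `eku={"1.3.6.1.5.5.7.3.4"}` (Email Protection) is the shape of Test 16 and returns False.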