TestDescriptions.txt   [plain text]

This file describes the tests for the SSL Trust Policy.

The password for the CA p12 is "Password4TestCA"

Definitions
----------
CN = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage

Test 1
----------
Description: 	Hostname does not match CN or SAN.
Certificate:	InvalidHostnameTest1.cer
Hostname:	test.apple.com
CN:		bad.apple.com
SAN:		bad.apple.com
Expected Result:FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1

Test 2
---------
Description:	Hostname matches CN but not SAN.
Certificate:	InvalidHostnameTest2.cer
Hostname:	test.apple.com
CN:		test.apple.com
SAN:		bad.apple.com
Expected Result:FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2

Test 3
---------
Description:	Hostname matches CN. SAN extension is not present.
Certificate:	ValidHostnameTest3.cer
Hostname:	test.apple.com
CN:		test.apple.com
SAN not present
Expected Result:SUCCEED
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3

Test 4
---------
Description:	Hostname matches SAN but not CN.
Certificate:	ValidHostnameTest4.cer
Hostname:	test.apple.com
CN:		bad.apple.com
SAN:		test.apple.com
Expected Result:SUCCEED
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4

Test 5
----------
Description:	Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125 hostname doesn't match.
Certificate:	InvalidWildcardTest5Test6.cer
Hostname:	test.bad.apple.com
CN:		Test5 Test6
SAN:		test.*.apple.com
Expected Result:FAIL
Actual Result:  FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1

Test 6
---------
Description:	Wildcard not in left-most label. Hostname doesn't match.
Certificate:	InvalidWildcardTest5Test6.cer
Hostname:	test.apple.com
CN:		Test5 Test6
SAN:		test.*.apple.com
Expected Result:FAIL

Test 7
----------
Description:	Wildcard in left-most label. Hostname matches.
Certificate:	ValidWildcardTest7Test8Test9.cer
Hostname:	good.test.apple.com
CN:		Test7 Test8 Test9
SAN:		*.test.apple.com
Expected Result:SUCCEED
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 8
----------
Description:	Wildcard in left-most label. Hostname doesn't contain label for wildcard.
Certificate:    ValidWildcardTest7Test8Test9.cer
Hostname:	test.apple.com
CN:		Test7 Test8 Test9
SAN:		*.test.apple.com
Expected Result:FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 9
---------
Description:	Wildcard in left-most label. Hostname contains 2 labels for wildcard.
Certificate:    ValidWildcardTest7Test8Test9.cer
Hostname:	one.bad.test.apple.com
CN:		Test7 Test8 Test9
SAN:		*.test.apple.com
Expected Result:FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2

Test 10
----------
Description:	Wildcard immediately preceding top-level-domain.
Certificate:	InvalidWildcardTest10.cer
Hostname:	apple.com
CN:		Test10
SAN:		*.com
Expected Result:FAIL
Actual Result:	FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 11
----------
Description:	Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate:	InvalidWildcardTest11.cer
Hostname:	apple.co.uk
CN:		Test11
SAN:		*.co.uk
Expected Result:FAIL
Actual Result:	SUCCEED
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3

Test 12
----------
Description:	Wildcard in the middle of a label.
Certificate:	InvalidWildcardTest12.cer
Hostname:	test.apple.com
CN:		Test12
SAN:		t*t.apple.com
Expected Result:FAIL

Test 13
----------
Description:	Wildcard at the end of a label. Hostname has no letter for wildcard.
Certificate:	InvalidWildcardTest13Test14.cer
Hostname:	apple.com
CN:		Test13 Test14
SAN:		apple*.com
Expected Result:FAIL
Actual Result:	FAIL
Notes:		Technically this is allowed per specifications, but we think this allows evil.

Test 14
----------
Description:	Wildcard at the end of a label. Hostname has letters for the wildcard.
Certificate:	InvalidWildcardTest13Test14.cer
Hostname:	appleseed.com
CN:		Test13 Test14
SAN:		apple*.com
Expected Result:FAIL
Actual Result:	FAIL
Notes:		Not clear whether we should really allow this.

Test 15
----------
Description:	Multiple wildcards in the DNSName.
Certificate:	InvalidWildcardTest15.cer
Hostname:	one.bad.apple.com
CN:		Test15
SAN:		*.*.apple.com
Expected Result:FAIL

Test 16
----------
Description:	EKU present but no Server Authentication OID.
Certificate:	InvalidEKUTest16.cer
Hostname:	test.apple.com
CN:		Test16
SAN:		test.apple.com
EKU:		Email Protection
Expected Result:FAIL
Notes:		https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2

Test 17
----------
Description:	No EKU present.
Certificate:	ValidEKUTest17.cer
Hostname:	test.apple.com
CN:		Test17
SAN:		test.apple.com
EKU not present
Expected Result:SUCCEED

Test 18
----------
Description:	Hostname has trailing label.
Certificate:	ValidHostnameTest18Test19Test20.cer
Hostname:	test.apple.com.test
CN:		Test18 Test19 Test20
SAN:		test.apple.com
Expected Result:FAIL

Test 19
----------
Description:    Hostname has trailing '.'.
Certificate:    ValidHostnameTest18Test19Test20.cer
Hostname:       test.apple.com.
CN:             Test18 Test19 Test20
SAN:            test.apple.com
Expected Result:FAIL

Test 20
----------
Description:	Hostname has preceding '.'.
Certificate:    ValidHostnameTest18Test19Test20.cer
Hostname:	.test.apple.com
CN:		Test18 Test19 Test20
SAN:		test.apple.com
Expected Result:FAIL

Test 21
----------
Description:	SAN has trailing label.
Certificate:	ValidHostnameTest21.cer
Hostname:	test.apple.com
CN:		Test21
SAN:		test.apple.com.test
Expected Result:FAIL

Test 22
----------
Description:	SAN extension is present but doesn't contain DNSName.
Certificate:	InvalidHostnameTest22.cer
Hostname:	test.apple.com
CN:		Test22
SAN:		RFC822Name:test@apple.com
Expected Result:FAIL

Test 23
----------
Description:	SAN has trailing '.'.
Certificate:	InvalidHostnameTest23.cer
Hostname:	test.apple.com
CN:		Test23
SAN:		test.apple.com.
Expected Result:FAIL

Test 24
----------
Description:	SAN has preceding '.'.
Certificate:	InvalidHostnameTest24.cer
Hostname:	test.apple.com
CN:		Test24
SAN:		.test.apple.com
Expected Result:FAIL

Test 25
----------
Description:	Wildcard at the beginning of label. Hostname has letter for wildcard.
Certificate:	InvalidWildcardTest25Test26.cer
Hostname:	test.apple.com
CN:		Test25 Test26
SAN:		*est.apple.com
Expected Result:FAIL

Test 26
---------
Description:	Wilcard at the beginning of label. Hostname has no letter for wildcard.
Certificate:    InvalidWildcardTest25Test26.cer
Hostname:	est.apple.com
CN:		Test25 Test26
SAN:		*est.apple.com
Expected Result:FAIL