TestDescriptions.txt [plain text]
This file describes the tests for the SSL Trust Policy.
The password for the CA p12 is "Password4TestCA"
Definitions
----------
CN = Common Name
SAN = Subject Alternative Name (specifically the DNSName general name for these tests)
EKU = Extended Key Usage
Test 1
----------
Description: Hostname does not match CN or SAN.
Certificate: InvalidHostnameTest1.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: bad.apple.com
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 1
Test 2
---------
Description: Hostname matches CN but not SAN.
Certificate: InvalidHostnameTest2.cer
Hostname: test.apple.com
CN: test.apple.com
SAN: bad.apple.com
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 2
Test 3
---------
Description: Hostname matches CN. SAN extension is not present.
Certificate: ValidHostnameTest3.cer
Hostname: test.apple.com
CN: test.apple.com
SAN not present
Expected Result:SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 3
Test 4
---------
Description: Hostname matches SAN but not CN.
Certificate: ValidHostnameTest4.cer
Hostname: test.apple.com
CN: bad.apple.com
SAN: test.apple.com
Expected Result:SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 4
Test 5
----------
Description: Wildcard not in the left-most label. Per RFC 2818, hostname matches. Per RFC 6125 hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.bad.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result:FAIL
Actual Result: FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 1
Test 6
---------
Description: Wildcard not in left-most label. Hostname doesn't match.
Certificate: InvalidWildcardTest5Test6.cer
Hostname: test.apple.com
CN: Test5 Test6
SAN: test.*.apple.com
Expected Result:FAIL
Test 7
----------
Description: Wildcard in left-most label. Hostname matches.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: good.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result:SUCCEED
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2
Test 8
----------
Description: Wildcard in left-most label. Hostname doesn't contain label for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2
Test 9
---------
Description: Wildcard in left-most label. Hostname contains 2 labels for wildcard.
Certificate: ValidWildcardTest7Test8Test9.cer
Hostname: one.bad.test.apple.com
CN: Test7 Test8 Test9
SAN: *.test.apple.com
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 2
Test 10
----------
Description: Wildcard immediately preceding top-level-domain.
Certificate: InvalidWildcardTest10.cer
Hostname: apple.com
CN: Test10
SAN: *.com
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3
Test 11
----------
Description: Wildcard immediately preceding a public suffix with 2 domain levels.
Certificate: InvalidWildcardTest11.cer
Hostname: apple.co.uk
CN: Test11
SAN: *.co.uk
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.2, Assurance Activity Test 5, Bullet 3
Test 12
----------
Description: Wildcard in the middle of a label.
Certificate: InvalidWildcardTest12.cer
Hostname: test.apple.com
CN: Test12
SAN: t*t.apple.com
Expected Result:FAIL
Notes: Technically this is allowed per specifications.
Test 13
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: apple.com
CN: Test13 Test14
SAN: apple*.com
Expected Result:FAIL
Notes: Technically this is allowed per specifications, but we think this allows evil.
Test 14
----------
Description: Wildcard at the end of a label preceding top-level domain. Hostname has letters for the wildcard.
Certificate: InvalidWildcardTest13Test14.cer
Hostname: appleseed.com
CN: Test13 Test14
SAN: apple*.com
Expected Result:FAIL
Notes: Technically this is allowed per specifications.
Test 15
----------
Description: Multiple wildcards in the DNSName.
Certificate: InvalidWildcardTest15.cer
Hostname: one.bad.apple.com
CN: Test15
SAN: *.*.apple.com
Expected Result:FAIL
Test 16
----------
Description: EKU present but no Server Authentication OID.
Certificate: InvalidEKUTest16.cer
Hostname: test.apple.com
CN: Test16
SAN: test.apple.com
EKU: Email Protection
Expected Result:FAIL
Notes: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf, FCS_TLSC_EXT.2.1, Assurance Activity Test 2
Test 17
----------
Description: No EKU present.
Certificate: ValidEKUTest17.cer
Hostname: test.apple.com
CN: Test17
SAN: test.apple.com
EKU not present
Expected Result:SUCCEED
Test 18
----------
Description: Hostname has trailing label.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.test
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result:FAIL
Test 19
----------
Description: Hostname has trailing '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: test.apple.com.
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result:SUCCEED
Notes: Allowed as a mechanism to force TLS renegotiation.
Test 20
----------
Description: Hostname has preceding '.'.
Certificate: ValidHostnameTest18Test19Test20.cer
Hostname: .test.apple.com
CN: Test18 Test19 Test20
SAN: test.apple.com
Expected Result:FAIL
Test 21
----------
Description: SAN has trailing label.
Certificate: ValidHostnameTest21.cer
Hostname: test.apple.com
CN: Test21
SAN: test.apple.com.test
Expected Result:FAIL
Test 22
----------
Description: SAN extension is present but doesn't contain DNSName.
Certificate: InvalidHostnameTest22.cer
Hostname: test.apple.com
CN: Test22
SAN: RFC822Name:test@apple.com
Expected Result:FAIL
Test 23
----------
Description: SAN has trailing '.'.
Certificate: InvalidHostnameTest23.cer
Hostname: test.apple.com
CN: Test23
SAN: test.apple.com.
Expected Result:FAIL
Test 24
----------
Description: SAN has preceding '.'.
Certificate: InvalidHostnameTest24.cer
Hostname: test.apple.com
CN: Test24
SAN: .test.apple.com
Expected Result:FAIL
Test 25
----------
Description: Wildcard at the beginning of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: test.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result:FAIL
Notes: Technically this is allowed per specifications.
Test 26
---------
Description: Wilcard at the beginning of label. Hostname has no letter for wildcard.
Certificate: InvalidWildcardTest25Test26.cer
Hostname: est.apple.com
CN: Test25 Test26
SAN: *est.apple.com
Expected Result:FAIL
Notes: Technically this is allowed per specifications.
Test 27
----------
Description: Wildcard at the end of label. Hostname has letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: test.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result:FAIL
Notes: We used to have an inconsistent approach to partial-label wildcards
(see Tests 12, 13, 14, 25, and 26); now, we disallow all partial-label
wildcards.
Test 28
---------
Description: Wildcard at the end of label. Hostname has not letter for wildcard.
Certificate: InvalidWildcardTest27Test28.cer
Hostname: tes.apple.com
CN: Test27 Test28
SAN: tes*.apple.com
Expected Result:FAIL
Notes: See notes for Test 27.
Test 29
---------
Description: Hostname matches CN, case insensitive
Certificate: ValidHostnameTest3.cer
Hostname: TEST.apple.com
CN: test.apple.com
SAN not present
Expected Result:SUCCEED
Notes: <rdar://problem/26555272>
Test 30
---------
Description: Wildcards only - 1 label.
Certificate: InvalidWildcardTest30.cer
Hostname: apple
CN: Test30
SAN: *
Expected Result:FAIL
Test 31
---------
Description: Wildcards only - 2 labels
Certificate: InvalidWildcardTest31.cer
Hostname: apple.com
CN: Test31
SAN: *.*
Expected Result:FAIL
Test 32
---------
Description: Wildcards only - 3 labels
Certificate: InvalidWildcardTest32.cer
Hostname: test.apple.com
CN: Test32
SAN: *.*.*
Expected Result:FAIL
Test 33
---------
Description: Wildcards only - 1 label, trailing '.'
Certificate: InvalidWildcardTest33.cer
Hostname: apple
CN: Test33
SAN: *.
Expected Result:FAIL
Test 34
---------
Description: Wildcards only - 1 label, preceding '.'
Certificate: InvalidWildcardTest34.cer
Hostname: apple
CN: Test34
SAN: .*
Expected Result:FAIL
Test 35
---------
Description: Wildcards only - 1 label to 2 labels
Certificate: InvalidWildcardTest30.cer
Hostname: apple.com
CN: Test30
SAN: *
Expected Result:FAIL
Test 36
---------
Description: Wildcards only - 1 label to 2 labels, trailing '.'
Certificate: InvalidWildcardTest33.cer
Hostname: apple.com
CN: Test33
SAN: *.
Expected Result:FAIL
Test 37
---------
Description: Wildcards only - 1 label to 2 labels, preceding '.'
Certificate: InvalidWildcardTest34.cer
Hostname: apple.com
CN: Test34
SAN: .*
Expected Result:FAIL