From 25154fcff0f8ce5c0094e365920a2d7ce3bccdc9 Mon Sep 17 00:00:00 2001
From: Martin Ukrop
Date: Thu, 23 Jun 2016 12:33:15 +0200
Subject: tests: Add corner case tests for name constraints, improve doc
- Added corner case test suite for DNS name constraints.
- Documentation update in chain tests.
Signed-off-by: Martin Ukrop
---
 tests/name-constraints.c | 19 +++++++++++++++++++
 tests/test-chains.h | 7 ++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/tests/name-constraints.c b/tests/name-constraints.c
index 455acd4374..64e82ad35d 100644
--- a/tests/name-constraints.c
+++ b/tests/name-constraints.c
@@ -307,6 +307,25 @@ void doit(void)
 gnutls_x509_name_constraints_deinit(nc);
 gnutls_x509_crt_deinit(crt);
+ /* 4: corner cases */
+
+ /* 4a: empty excluded name (works as wildcard) */
+
+ ret = gnutls_x509_name_constraints_init(&nc);
+ check_for_error(ret);
+
+ set_name("", &name);
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("example.net", &name);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc);
+
+ // Test suite end.
+
 if (debug) success("Test success.\n");
 }
diff --git a/tests/test-chains.h b/tests/test-chains.h
index 42f02df740..72ca19dc4b 100644
--- a/tests/test-chains.h
+++ b/tests/test-chains.h
@@ -412,6 +412,7 @@ static const char *nc_bad0[] = {
 NULL
 };
+/* Name constraints: Empty excluded DNSname, empty Common name */
 static const char *nc_bad1[] = {
 /* DNSname: localhost DNSname: www.example.com
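Review bot: Test 4a in doit() (tests/name-constraints.c) pins the empty excluded DNS name with a single two-label name, so a matcher that rejects only some shapes of name under an empty exclusion would still pass. Because this is the fail-closed case, I would add a deeper name before the final deinit: `set_name("a.b.example.net", &name);` followed by the same `ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);` and `check_test_result(ret, NAME_REJECTED, &name);`. A check with a non-DNS SAN type would also document whether the empty DNS exclusion is meant to apply to DNS names only; the expected result for that case cannot be read from this hunk. The trailing `// Test suite end.` is a C++-style comment while the other added comments use `/* */`. doit() begins outside the hunk.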
@@ -436,7 +437,8 @@ static const char *nc_bad1[] = {
 "nci6MKXViEdeHbPLcZe9+vzSSpFh5u/l47w+2B1oz7mndFFpxkw37zDaVH5yAFxK\n"
 "+5VijiKxH6nmniLUX8Zsv82YBaO0liNb2fOZopxQGQ==\n"
 "-----END CERTIFICATE-----\n",
-/* Name Constraints (critical): (empty) */
+/* Name Constraints (critical):
+ * Excluded DNSname: (empty) */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDFTCCAf2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
 "MCIYDzIwMTQwODI2MTEwODUyWhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
@@ -477,6 +479,7 @@ static const char *nc_bad1[] = {
 NULL
 };
+/* Name constraints: Multiple-level constraints, intersection empty */
 static const char *nc_bad2[] = {
 /* DNSname: www.example.com */
 "-----BEGIN CERTIFICATE-----\n"
@@ -585,6 +588,7 @@ static const char *nc_bad2[] = {
 NULL
 };
+/* Name constraints: DNSname in excluded range */
 static const char *nc_bad3[] = {
 /* CN=www.example.com */
 "-----BEGIN CERTIFICATE-----\n"
@@ -649,6 +653,7 @@ static const char *nc_bad3[] = {
 NULL
 };
+/* Name constraints: Multiple-level constraints, different subdomains */
 static const char *nc_bad4[] = {
 /* DNSname: sub2.example.org */
 "-----BEGIN CERTIFICATE-----\n"
--
cgit v1.2.1