Skip to content

Commit

Permalink
validation/policy: breakout test changes (#9872)
Browse files Browse the repository at this point in the history 
Signed-off-by: William Woodruff <[email protected]>
  • Loading branch information
@woodruffw
woodruffw authored Nov 13, 2023
1 parent f89ce7b commit ac9f27b
Showing 1 changed file with 14 additions and 26 deletions.
40 changes: 14 additions & 26 deletions src/rust/cryptography-x509-validation/src/policy/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ use cryptography_x509::name::GeneralName;
use cryptography_x509::oid::{EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID};

use crate::ops::CryptoOps;
use crate::types::{DNSName, DNSPattern, IPAddress, IPConstraint};
use crate::types::{DNSName, DNSPattern, IPAddress};

// SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1.

Expand Down Expand Up @@ -169,7 +169,7 @@ impl Subject<'_> {
DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name))
}
(GeneralName::IPAddress(pattern), Self::IP(name)) => {
IPConstraint::from_bytes(pattern).map_or(false, |p| p.matches(name))
IPAddress::from_bytes(pattern).map_or(false, |addr| addr == *name)
}
_ => false,
}
Expand Down Expand Up @@ -265,7 +265,6 @@ mod tests {
};

use crate::{
ops::tests::NullOps,
policy::{
Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1,
WEBPKI_PERMITTED_SPKI_ALGORITHMS,
Expand All @@ -274,9 +273,9 @@ mod tests {
};

use super::{
Policy, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256,
RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384,
RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS,
ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384,
RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512,
WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS,
};

#[test]
Expand Down Expand Up @@ -412,26 +411,25 @@ mod tests {

// Single SAN, IP range.
{
// 127.0.0.1/24
let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]);
let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]);
let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap();
let local_24 = asn1::parse_single::<SubjectAlternativeName<'_>>(&san_der).unwrap();
let localhost = asn1::parse_single::<SubjectAlternativeName<'_>>(&san_der).unwrap();

assert!(ip_sub.matches(&local_24));
assert!(!domain_sub.matches(&local_24));
assert!(ip_sub.matches(&localhost));
assert!(!domain_sub.matches(&localhost));
}

// Multiple SANs, both domain wildcard and IP range.
// Multiple SANs, both domain wildcard and IP address.
{
let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*.cryptography.io"));
let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]);
let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]);
let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn, ip_gn])).unwrap();

let any_cryptography_io_or_local_24 =
let any_cryptography_io_or_localhost =
asn1::parse_single::<SubjectAlternativeName<'_>>(&san_der).unwrap();

assert!(domain_sub.matches(&any_cryptography_io_or_local_24));
assert!(ip_sub.matches(&any_cryptography_io_or_local_24));
assert!(domain_sub.matches(&any_cryptography_io_or_localhost));
assert!(ip_sub.matches(&any_cryptography_io_or_localhost));
}

// Single SAN, invalid domain pattern.
Expand All @@ -443,15 +441,5 @@ mod tests {

assert!(!domain_sub.matches(&any_cryptography_io));
}

// Single SAN, invalid IP range.
{
// 127.0.0.1/24
let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 1, 255, 1, 0]);
let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap();
let local_24 = asn1::parse_single::<SubjectAlternativeName<'_>>(&san_der).unwrap();

assert!(!ip_sub.matches(&local_24));
}
}
}

0 comments on commit ac9f27b

Please sign in to comment.