cert ipv4/v6: segregation
This commit is contained in:
parent
4c52f23b9d
commit
f71c868246
@ -90,4 +90,4 @@ optional = true
|
|||||||
|
|
||||||
[features]
|
[features]
|
||||||
default = []
|
default = []
|
||||||
std = [ "simple_logger", "rand", "hex-literal" ]
|
std = [ "rand", "hex-literal", "simple_logger" ]
|
||||||
|
@ -170,7 +170,7 @@ pub enum ExtensionValue<'a> {
|
|||||||
|
|
||||||
// Embedded value might be empty (&[])
|
// Embedded value might be empty (&[])
|
||||||
// This means a reject-all/accept-none condition
|
// This means a reject-all/accept-none condition
|
||||||
#[derive(Debug, Clone, Eq, PartialEq)]
|
#[derive(Clone, Eq, PartialEq)]
|
||||||
pub enum GeneralName<'a> {
|
pub enum GeneralName<'a> {
|
||||||
OtherName {
|
OtherName {
|
||||||
type_id: &'a [u8],
|
type_id: &'a [u8],
|
||||||
@ -189,6 +189,60 @@ pub enum GeneralName<'a> {
|
|||||||
RegisteredID(&'a [u8]),
|
RegisteredID(&'a [u8]),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl<'a> core::fmt::Debug for GeneralName<'a> {
|
||||||
|
fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
|
||||||
|
match self {
|
||||||
|
Self::OtherName {type_id, value} => {
|
||||||
|
f.debug_struct("OtherName")
|
||||||
|
.field("type_id", type_id)
|
||||||
|
.field("value", value)
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::RFC822Name(name) => {
|
||||||
|
f.debug_tuple("RFC822Name")
|
||||||
|
.field(&core::str::from_utf8(name).unwrap())
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::DNSName(name) => {
|
||||||
|
f.debug_tuple("DNSName")
|
||||||
|
.field(&core::str::from_utf8(name).unwrap())
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::X400Address(name) => {
|
||||||
|
f.debug_tuple("X400Address")
|
||||||
|
.field(&core::str::from_utf8(name).unwrap())
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::DirectoryName(name) => {
|
||||||
|
f.debug_tuple("DirectoryName")
|
||||||
|
.field(name)
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::EDIPartyName {name_assigner, party_name} => {
|
||||||
|
f.debug_struct("EDIPartyName")
|
||||||
|
.field("name_assigner", name_assigner)
|
||||||
|
.field("party_name", party_name)
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::URI(name) => {
|
||||||
|
f.debug_tuple("URI")
|
||||||
|
.field(&core::str::from_utf8(name).unwrap())
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::IPAddress(name) => {
|
||||||
|
f.debug_tuple("IPAddress")
|
||||||
|
.field(name)
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
Self::RegisteredID(name) => {
|
||||||
|
f.debug_tuple("RegisteredID")
|
||||||
|
.field(name)
|
||||||
|
.finish()
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Set operation for General Name (X is a subset of Y, where X, Y are the same variant)
|
// Set operation for General Name (X is a subset of Y, where X, Y are the same variant)
|
||||||
// Will not handle `OtherName`, `X400Address`, `EDIPartyName`, `RegisteredID`,
|
// Will not handle `OtherName`, `X400Address`, `EDIPartyName`, `RegisteredID`,
|
||||||
// as these restrictions of these variants are not suggested
|
// as these restrictions of these variants are not suggested
|
||||||
@ -1160,21 +1214,32 @@ fn get_subtree_intersection<'a>(
|
|||||||
cert_subtree: &Vec<GeneralName<'a>>
|
cert_subtree: &Vec<GeneralName<'a>>
|
||||||
) {
|
) {
|
||||||
// 1. Determine the variants that need to be preserved (i.e. body-count)
|
// 1. Determine the variants that need to be preserved (i.e. body-count)
|
||||||
|
// This is to preserve general names that does not have any matching variant
|
||||||
|
// Intersecting or unioning onceself return the input value (by identity law)
|
||||||
let mut has_self_uri_tree = false;
|
let mut has_self_uri_tree = false;
|
||||||
let mut has_other_uri_tree = false;
|
let mut has_other_uri_tree = false;
|
||||||
let mut has_self_rfc_822_name_tree = false;
|
let mut has_self_rfc_822_name_tree = false;
|
||||||
let mut has_other_rfc_822_name_tree = false;
|
let mut has_other_rfc_822_name_tree = false;
|
||||||
let mut has_self_dns_name_tree = false;
|
let mut has_self_dns_name_tree = false;
|
||||||
let mut has_other_dns_name_tree = false;
|
let mut has_other_dns_name_tree = false;
|
||||||
let mut has_self_ip_address_tree = false;
|
let mut has_self_ipv4_address_tree = false;
|
||||||
let mut has_other_ip_address_tree = false;
|
let mut has_other_ipv4_address_tree = false;
|
||||||
|
let mut has_self_ipv6_address_tree = false;
|
||||||
|
let mut has_other_ipv6_address_tree = false;
|
||||||
|
|
||||||
for general_name in state_subtree.iter() {
|
for general_name in state_subtree.iter() {
|
||||||
match general_name {
|
match general_name {
|
||||||
GeneralName::URI(..) => has_self_uri_tree = true,
|
GeneralName::URI(..) => has_self_uri_tree = true,
|
||||||
GeneralName::RFC822Name(..) => has_self_rfc_822_name_tree = true,
|
GeneralName::RFC822Name(..) => has_self_rfc_822_name_tree = true,
|
||||||
GeneralName::DNSName(..) => has_self_dns_name_tree = true,
|
GeneralName::DNSName(..) => has_self_dns_name_tree = true,
|
||||||
GeneralName::IPAddress(..) => has_self_ip_address_tree = true,
|
GeneralName::IPAddress(self_ip) => {
|
||||||
|
if self_ip.len() == 8 || self_ip.len() == 0 {
|
||||||
|
has_self_ipv4_address_tree = true;
|
||||||
|
}
|
||||||
|
if self_ip.len() == 32 || self_ip.len() == 0 {
|
||||||
|
has_self_ipv6_address_tree = true;
|
||||||
|
}
|
||||||
|
},
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
_ => {},
|
_ => {},
|
||||||
}
|
}
|
||||||
@ -1185,7 +1250,14 @@ fn get_subtree_intersection<'a>(
|
|||||||
GeneralName::URI(..) => has_other_uri_tree = true,
|
GeneralName::URI(..) => has_other_uri_tree = true,
|
||||||
GeneralName::RFC822Name(..) => has_other_rfc_822_name_tree = true,
|
GeneralName::RFC822Name(..) => has_other_rfc_822_name_tree = true,
|
||||||
GeneralName::DNSName(..) => has_other_dns_name_tree = true,
|
GeneralName::DNSName(..) => has_other_dns_name_tree = true,
|
||||||
GeneralName::IPAddress(..) => has_other_ip_address_tree = true,
|
GeneralName::IPAddress(other_ip) => {
|
||||||
|
if other_ip.len() == 8 || other_ip.len() == 0 {
|
||||||
|
has_other_ipv4_address_tree = true;
|
||||||
|
}
|
||||||
|
if other_ip.len() == 32 || other_ip.len() == 0 {
|
||||||
|
has_other_ipv6_address_tree = true;
|
||||||
|
}
|
||||||
|
},
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
_ => {},
|
_ => {},
|
||||||
}
|
}
|
||||||
@ -1205,17 +1277,20 @@ fn get_subtree_intersection<'a>(
|
|||||||
if !has_other_rfc_822_name_tree {
|
if !has_other_rfc_822_name_tree {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
GeneralName::DNSName(..) => {
|
GeneralName::DNSName(..) => {
|
||||||
if !has_other_dns_name_tree {
|
if !has_other_dns_name_tree {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
GeneralName::IPAddress(..) => {
|
GeneralName::IPAddress(ip) => {
|
||||||
if !has_other_ip_address_tree {
|
if !has_other_ipv4_address_tree && ip.len() == 8 {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
else if !has_other_ipv6_address_tree && ip.len() == 32 {
|
||||||
|
preserved_subtrees.push((*general_name).clone());
|
||||||
|
}
|
||||||
|
},
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
_ => {},
|
_ => {},
|
||||||
}
|
}
|
||||||
@ -1232,17 +1307,20 @@ fn get_subtree_intersection<'a>(
|
|||||||
if !has_self_rfc_822_name_tree {
|
if !has_self_rfc_822_name_tree {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
GeneralName::DNSName(..) => {
|
GeneralName::DNSName(..) => {
|
||||||
if !has_self_dns_name_tree {
|
if !has_self_dns_name_tree {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
GeneralName::IPAddress(..) => {
|
GeneralName::IPAddress(ip) => {
|
||||||
if !has_self_ip_address_tree {
|
if !has_self_ipv4_address_tree && ip.len() == 8 {
|
||||||
preserved_subtrees.push((*general_name).clone());
|
preserved_subtrees.push((*general_name).clone());
|
||||||
}
|
}
|
||||||
}
|
else if !has_self_ipv6_address_tree && ip.len() == 32 {
|
||||||
|
preserved_subtrees.push((*general_name).clone());
|
||||||
|
}
|
||||||
|
},
|
||||||
// Other general_name variants should not appear in this subtree
|
// Other general_name variants should not appear in this subtree
|
||||||
_ => {},
|
_ => {},
|
||||||
}
|
}
|
||||||
@ -1378,3 +1456,537 @@ pub fn get_subtree_union<'a>(
|
|||||||
|
|
||||||
prune_subset(state_subtree, &mut merged_subtrees);
|
prune_subset(state_subtree, &mut merged_subtrees);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use alloc::vec::Vec;
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
const DNS_EXAMPLE_COM: GeneralName = GeneralName::DNSName(
|
||||||
|
b"example.com"
|
||||||
|
);
|
||||||
|
const DNS_FOO_EXAMPLE: GeneralName = GeneralName::DNSName(
|
||||||
|
b"foo.example.com"
|
||||||
|
);
|
||||||
|
const DNS_EXAMPLE_NET: GeneralName = GeneralName::DNSName(
|
||||||
|
b"example.net"
|
||||||
|
);
|
||||||
|
const DNS_EMPTY: GeneralName = GeneralName::DNSName(
|
||||||
|
b""
|
||||||
|
);
|
||||||
|
|
||||||
|
// Helper to init logger if necessary
|
||||||
|
fn init() {
|
||||||
|
simple_logger::SimpleLogger::new().init();
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Simple example from RFC 5280, section 6.1.4, page 85, statement (g)
|
||||||
|
*/
|
||||||
|
|
||||||
|
// The intersection between "foo.example.com" and "example.com" shall be
|
||||||
|
// "foo.example.com"
|
||||||
|
#[test]
|
||||||
|
fn test_foo_example_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
cert_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// The intersection between "example.com" and "example.net" shall be
|
||||||
|
// "" (empty set)
|
||||||
|
#[test]
|
||||||
|
fn test_example_com_net_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_EXAMPLE_NET);
|
||||||
|
|
||||||
|
let mut expected_tree_with_empty_entry: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree_with_empty_entry.push(DNS_EMPTY);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree_with_empty_entry
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// The union between "example.com" and "foo.example.com" shall be "example.com"
|
||||||
|
#[test]
|
||||||
|
fn test_foo_example_union() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// The union between "example.com" and "example.net" shall be both namespaces
|
||||||
|
#[test]
|
||||||
|
fn test_example_com_net_union() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_EXAMPLE_NET);
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EXAMPLE_COM);
|
||||||
|
expected_tree.push(DNS_EXAMPLE_NET);
|
||||||
|
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Behaviour of empty set within intersection and union operations
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Empty set intersects other set
|
||||||
|
// Empty intersects any set gives empty set
|
||||||
|
#[test]
|
||||||
|
fn test_empty_set_intersects_other_set() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EMPTY);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
cert_subtrees.push(DNS_EXAMPLE_NET);
|
||||||
|
cert_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EMPTY);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Other set intersects empty set
|
||||||
|
// Anything intersects empty set gives empty set
|
||||||
|
#[test]
|
||||||
|
fn test_other_set_intersects_empty_set() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
state_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_EMPTY);
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EMPTY);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Behaviour of unspecificed variant
|
||||||
|
*/
|
||||||
|
#[test]
|
||||||
|
fn test_unspecified_DNS() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
state_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_specifying_DNS_from_unspecified() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(DNS_EXAMPLE_COM);
|
||||||
|
cert_subtrees.push(DNS_FOO_EXAMPLE);
|
||||||
|
|
||||||
|
let mut expected_tree: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_tree.push(DNS_EXAMPLE_COM);
|
||||||
|
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_tree
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Behaviour of IP intersection/union operation
|
||||||
|
*/
|
||||||
|
// 192.168.0.1/24
|
||||||
|
const CIDR_IPv4_1: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 168, 0, 1, 255, 255, 255, 0]
|
||||||
|
);
|
||||||
|
// 192.168.0.1/25
|
||||||
|
const CIDR_IPv4_2: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 168, 0, 1, 255, 255, 255, 128]
|
||||||
|
);
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_24_25_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_2);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_2);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// 192.168.0.1/31
|
||||||
|
const CIDR_IPv4_3: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 168, 0, 1, 255, 255, 255, 254]
|
||||||
|
);
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_24_31_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_3);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_3);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const CIDR_IPv4_4: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 72, 0, 1, 255, 255, 255, 0]
|
||||||
|
);
|
||||||
|
|
||||||
|
const CIDR_IPv4_NONE: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[]
|
||||||
|
);
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_disjoint_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_4);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_24_25_intersection_reversed() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_2);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_2);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_24_31_intersection_reversed() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_3);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_3);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_disjoint_intersection_reversed() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_4);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Empty set behaviour
|
||||||
|
*/
|
||||||
|
#[test]
|
||||||
|
fn test_ip_empty_intersect() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
cert_subtrees.clear();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_2);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
cert_subtrees.clear();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_3);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
cert_subtrees.clear();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_ip_empty_union() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_1);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_1);
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_2);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_2);
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_3);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_3);
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_NONE);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_4);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_4);
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const CIDR_IPv4_5: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 72, 0, 0, 255, 255, 255, 0]
|
||||||
|
);
|
||||||
|
const CIDR_IPv4_6: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 200, 103, 0, 255, 255, 255, 0]
|
||||||
|
);
|
||||||
|
const CIDR_IPv4_7: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[192, 200, 100, 0, 255, 255, 252, 0]
|
||||||
|
);
|
||||||
|
const CIDR_IPv4_8: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[200, 200, 100, 0, 255, 255, 255, 0]
|
||||||
|
);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Multiple IP set behaviour
|
||||||
|
*/
|
||||||
|
#[test]
|
||||||
|
fn test_multiple_ip_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_5);
|
||||||
|
state_subtrees.push(CIDR_IPv4_6);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_7);
|
||||||
|
cert_subtrees.push(CIDR_IPv4_8);
|
||||||
|
|
||||||
|
// Basically, there are 3 disjoint sets
|
||||||
|
// CIDR_IPv4_5, (CIDR_IPv4_6, CIDR_IPv4_7), CIDR_IPv4_8
|
||||||
|
// The only overlapping area between set 1 and set 2 is CIDR_IPv4_6,
|
||||||
|
// as CIDR_IPv4_6 is a subnet of CIDR_IPv4_7, while other networks
|
||||||
|
// are disjoint
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_6);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_multiple_ip_union() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv4_5);
|
||||||
|
state_subtrees.push(CIDR_IPv4_6);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_7);
|
||||||
|
cert_subtrees.push(CIDR_IPv4_8);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv4_5);
|
||||||
|
expected_subtrees.push(CIDR_IPv4_7);
|
||||||
|
expected_subtrees.push(CIDR_IPv4_8);
|
||||||
|
get_subtree_union(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const CIDR_IPv6_1: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[0x20, 0x01, 0x0D, 0xB8, 0xAC, 0x10, 0xFE, 0x01,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
|
||||||
|
);
|
||||||
|
const CIDR_IPv6_2: GeneralName = GeneralName::IPAddress(
|
||||||
|
&[0x20, 0x01, 0x0D, 0xB8, 0xAC, 0x10, 0xFE, 0x01,
|
||||||
|
0x12, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
|
||||||
|
);
|
||||||
|
// const CIDR_IPv6_3: GeneralName = GeneralName::IPAddress(
|
||||||
|
// &[192, 200, 100, 0, 255, 255, 252, 0]
|
||||||
|
// );
|
||||||
|
// const CIDR_IPv6_4: GeneralName = GeneralName::IPAddress(
|
||||||
|
// &[200, 200, 100, 0, 255, 255, 255, 0]
|
||||||
|
// );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Heterogeneous IP intersection/union
|
||||||
|
*/
|
||||||
|
#[test]
|
||||||
|
fn test_ipv4_ipv6_mix_intersection() {
|
||||||
|
init();
|
||||||
|
|
||||||
|
let mut state_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
state_subtrees.push(CIDR_IPv6_1);
|
||||||
|
state_subtrees.push(CIDR_IPv6_2);
|
||||||
|
let mut cert_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
cert_subtrees.push(CIDR_IPv4_7);
|
||||||
|
cert_subtrees.push(CIDR_IPv4_6);
|
||||||
|
let mut expected_subtrees: Vec<GeneralName> = Vec::new();
|
||||||
|
expected_subtrees.push(CIDR_IPv6_1);
|
||||||
|
expected_subtrees.push(CIDR_IPv4_7);
|
||||||
|
get_subtree_intersection(&mut state_subtrees, &cert_subtrees);
|
||||||
|
assert_eq!(
|
||||||
|
state_subtrees,
|
||||||
|
expected_subtrees
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user