Test policy mappings from invalid policies.
Such mappings should be ignored.
Change-Id: Ic75d3c17e3f2d25da75b15d59e38177f9bc1c044
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56034
Reviewed-by: Matt Mueller <mattm@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/test/make_policy_certs.go b/crypto/x509/test/make_policy_certs.go
index b22dc37..bec2ace 100644
--- a/crypto/x509/test/make_policy_certs.go
+++ b/crypto/x509/test/make_policy_certs.go
@@ -227,6 +227,9 @@
intermediateMapped.template.PolicyIdentifiers = []asn1.ObjectIdentifier{anyPolicyOID}
mustGenerateCertificate("policy_intermediate_mapped_any.pem", &intermediateMapped, &root)
+ intermediateMapped.template.PolicyIdentifiers = []asn1.ObjectIdentifier{testOID3}
+ mustGenerateCertificate("policy_intermediate_mapped_oid3.pem", &intermediateMapped, &root)
+
// Leaves which assert more specific OIDs, to test intermediate_mapped.
leafSingle := leaf
leafSingle.template.PolicyIdentifiers = []asn1.ObjectIdentifier{testOID1}
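Review bot: The new `policy_intermediate_mapped_oid3.pem` variant is generated with no comment saying what it is for, unlike the leaf block just below it. The mapping list is configured outside this hunk, so a reader of the generator cannot tell that the point is mappings whose issuer-domain policy the certificate does not assert. I would add, above the assignment, `// An intermediate which asserts only OID3 but keeps all the mappings, so mappings from any other policy are invalid and should be ignored.` The variant is also produced by overwriting `PolicyIdentifiers` on the shared `intermediateMapped` value. If anything below the hunk reuses that value it will now see `testOID3`, which cannot be checked from here because the enclosing function starts and ends outside the hunk.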
diff --git a/crypto/x509/test/policy_intermediate_mapped_oid3.pem b/crypto/x509/test/policy_intermediate_mapped_oid3.pem
new file mode 100644
index 0000000..c04a38a
--- /dev/null
+++ b/crypto/x509/test/policy_intermediate_mapped_oid3.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICajCCAhCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggFDMIIBPzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIDMIHLBgNV
+HSEEgcMwgcAwHgYNKoZIhvcSBAGEtwkCAwYNKoZIhvcSBAGEtwkCATAeBg0qhkiG
+9xIEAYS3CQIDBg0qhkiG9xIEAYS3CQICMB4GDSqGSIb3EgQBhLcJAgQGDSqGSIb3
+EgQBhLcJAgQwHgYNKoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBTAeBg0qhkiG
+9xIEAYS3CQIFBg0qhkiG9xIEAYS3CQIEMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3
+EgQBhLcJAgUwCgYIKoZIzj0EAwIDSAAwRQIhAK0bRaGgd5qQlX+zTw3IUynFHxfk
+zRbZagnTzjYtkNNmAiBJ2kOnvRdW930eHAwZPGpc1Hn5hMSOQdUhNZ3XZDASkQ==
+-----END CERTIFICATE-----
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 5ed1405..a1005d7 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -5136,6 +5136,10 @@
GetTestData("crypto/x509/test/policy_intermediate_mapped_any.pem")
.c_str()));
ASSERT_TRUE(intermediate_mapped_any);
+ bssl::UniquePtr<X509> intermediate_mapped_oid3(CertFromPEM(
+ GetTestData("crypto/x509/test/policy_intermediate_mapped_oid3.pem")
+ .c_str()));
+ ASSERT_TRUE(intermediate_mapped_oid3);
bssl::UniquePtr<X509> intermediate_require(CertFromPEM(
GetTestData("crypto/x509/test/policy_intermediate_require.pem").c_str()));
ASSERT_TRUE(intermediate_require);
@@ -5429,6 +5433,22 @@
set_policies(param, {oid4.get(), oid5.get()});
}));
}
+
+ // Although |intermediate_mapped_oid3| contains many mappings, it only accepts
+ // OID3. Nodes should not be created for the other mappings.
+ EXPECT_EQ(X509_V_OK, Verify(leaf_oid1.get(), {root.get()},
+ {intermediate_mapped_oid3.get()},
+ /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY,
+ [&](X509_VERIFY_PARAM *param) {
+ set_policies(param, {oid3.get()});
+ }));
+ EXPECT_EQ(
+ X509_V_ERR_NO_EXPLICIT_POLICY,
+ Verify(leaf_oid4.get(), {root.get()}, {intermediate_mapped_oid3.get()},
+ /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY,
+ [&](X509_VERIFY_PARAM *param) {
+ set_policies(param, {oid4.get()});
+ }));
}
TEST(X509Test, ExtensionFromConf) {
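Review bot: The negative case only checks `leaf_oid4` against a user policy set of `{oid4}`, so only one of the ignored mappings is exercised. Decoding the added PEM suggests the intermediate also carries cross mappings between OID4 and OID5. A validator that wrongly honoured the OID5-to-OID4 mapping would accept `leaf_oid4` under a user set of OID5 and this test would still pass. I would repeat the `X509_V_ERR_NO_EXPLICIT_POLICY` expectation for `leaf_oid4` with `set_policies(param, {oid5.get()});`, and extend the comment to say the ignored mappings are those whose issuer-domain policy the intermediate does not assert. The enclosing test function starts outside the hunk.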
diff --git a/sources.cmake b/sources.cmake
index d6ed84c..c35299e 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -117,6 +117,7 @@
crypto/x509/test/policy_intermediate_invalid.pem
crypto/x509/test/policy_intermediate_mapped.pem
crypto/x509/test/policy_intermediate_mapped_any.pem
+ crypto/x509/test/policy_intermediate_mapped_oid3.pem
crypto/x509/test/policy_intermediate_require.pem
crypto/x509/test/policy_intermediate_require_duplicate.pem
crypto/x509/test/policy_intermediate_require_no_policies.pem