-/* $OpenBSD: policy.c,v 1.7 2023/04/28 08:53:20 beck Exp $ */
+/* $OpenBSD: policy.c,v 1.8 2023/04/28 09:02:04 beck Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
};
struct verify_cert_test verify_cert_tests[] = {
- // Comments here are from boringssl/crypto/x509/x509_test.cc
- // The chain is good for |oid1| and |oid2|, but not |oid3|.
+ /*
+ * Comments here are from boringssl/crypto/x509/x509_test.cc
+ * certs were generated by
+ * boringssl/crypto/x509/test/make_policy_certs.go
+ */
+
+ /* The chain is good for |oid1| and |oid2|, but not |oid3|. */
{
.id = "nothing in 1 and 2",
.root_file = CERTSDIR "/" "policy_root.pem",
.policy_oid_to_check2 = OID3,
.want_chains = 1,
},
- // The policy extension cannot be parsed.
+ /* The policy extension cannot be parsed. */
{
.id = "1 in invalid intermediate poicy",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
.want_legacy_error_depth = 0,
},
- // There is a duplicate policy in the leaf policy extension.
+ /* There is a duplicate policy in the leaf policy extension. */
{
.id = "1 in duplicate policy extension in leaf",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
.want_legacy_error_depth = 0,
},
- // There is a duplicate policy in the intermediate policy extension.
+ /* There is a duplicate policy in the intermediate policy extension. */
{
.id = "1 in duplicate policy extension in intermediate",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
.want_legacy_error_depth = 0,
},
- // Without |X509_V_FLAG_EXPLICIT_POLICY|, the policy tree is built and
- // intersected with user-specified policies, but it is not required to result
- // in any valid policies.
+ /*
+ * Without |X509_V_FLAG_EXPLICIT_POLICY|, the policy tree is built and
+ * intersected with user-specified policies, but it is not required to result
+ * in any valid policies.
+ */
{
.id = "nothing with explicit_policy unset",
.root_file = CERTSDIR "/" "policy_root.pem",
.policy_oid_to_check = OID3,
.want_chains = 1,
},
- // However, a CA with policy constraints can require an explicit policy.
+ /* However, a CA with policy constraints can require an explicit policy. */
{
.id = "oid1 with explicit_policy unset, intermediate requiring policy",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY,
.want_legacy_error_depth = 0,
},
- // requireExplicitPolicy applies even if the application does not configure a
- // user-initial-policy-set. If the validation results in no policies, the
- // chain is invalid.
+ /*
+ * requireExplicitPolicy applies even if the application does not configure a
+ * user-initial-policy-set. If the validation results in no policies, the
+ * chain is invalid.
+ */
{
.id = "nothing explict_policy unset, with intermediate requiring policy",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY,
.want_legacy_error_depth = 0,
},
- // A leaf can also set requireExplicitPolicy but should work with none
+ /* A leaf can also set requireExplicitPolicy but should work with none */
{
.id = "nothing explicit_policy unset, with leaf requiring policy",
.root_file = CERTSDIR "/" "policy_root.pem",
.leaf_file = CERTSDIR "/" "policy_leaf_require.pem",
.want_chains = 1,
},
- // A leaf can also set requireExplicitPolicy but should fail with policy
+ /* A leaf can also set requireExplicitPolicy but should fail with policy */
{
.id = "oid3, explicit policy unset, with leaf requiring policy",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY,
.want_legacy_error_depth = 0,
},
- // requireExplicitPolicy is a count of certificates to skip. If the value is
- // not zero by the end of the chain, it doesn't count.
+ /*
+ * requireExplicitPolicy is a count of certificates to skip. If the value is
+ * not zero by the end of the chain, it doesn't count.
+ */
{
.id = "oid3, with intermediate requiring explicit depth 1",
.root_file = CERTSDIR "/" "policy_root.pem",
.policy_oid_to_check = OID3,
.want_chains = 1,
},
- // If multiple certificates specify the constraint, the more constrained value
- // wins.
+ /*
+ * If multiple certificates specify the constraint, the more constrained value
+ * wins.
+ */
{
.id = "oid3, with leaf and intermediate requiring explicit depth 1",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY,
.want_legacy_error_depth = 0,
},
- // An intermediate that requires an explicit policy, but then specifies no
- // policies should fail verification as a result.
+ /*
+ * An intermediate that requires an explicit policy, but then specifies no
+ * policies should fail verification as a result.
+ */
{
.id = "oid1 with explicit_policy unset, intermediate requiring policy but specifying none",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY,
.want_legacy_error_depth = 0,
},
- // A constrained intermediate's policy extension has a duplicate policy, which
- // is invalid. Historically this, and the above case, leaked memory.
+ /*
+ * A constrained intermediate's policy extension has a duplicate policy, which
+ * is invalid. Historically this, and the above case, leaked memory.
+ */
{
.id = "oid1 with explicit_policy unset, intermediate requiring policy but has duplicate",
.root_file = CERTSDIR "/" "policy_root.pem",
.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
.want_legacy_error_depth = 0,
},
- // The leaf asserts anyPolicy, but the intermediate does not. The resulting
- // valid policies are the intersection.
- // (and vice versa)
+ /*
+ * The leaf asserts anyPolicy, but the intermediate does not. The resulting
+ * valid policies are the intersection.(and vice versa)
+ */
{
.id = "oid1, with explicit_policy set, with leaf asserting any",
.root_file = CERTSDIR "/" "policy_root.pem",
.verify_flags = X509_V_FLAG_EXPLICIT_POLICY,
.want_chains = 1,
},
- // Both assert anyPolicy. All policies are valid.
+ /* Both assert anyPolicy. All policies are valid. */
{
.id = "oid1, with explicit_policy set, with leaf and intermediate asserting any",
.root_file = CERTSDIR "/" "policy_root.pem",
.verify_flags = X509_V_FLAG_EXPLICIT_POLICY,
.want_chains = 1,
},
- // boring tests just a trust anchor but behaves differently in this corner case.
- // for reasons that have nothing to do wiht policy
+ /*
+ * BoringSSL tests just a trust anchor but behaves differently in this corner case.
+ * than libressl for reasons that have nothing to do with policy (because parital
+ * chains and legacy verifier horror)
+ */
};
#define N_VERIFY_CERT_TESTS \
projects / openbsd / commitdiff