Enable policy checking by default now that we are DAG implementation based.

This ensures that we will no longer silently ignore a certificate with a critical policy extention by default. ok tb@
author: beck <> 2023-04-28 16:50:16 +0000
committer: beck <> 2023-04-28 16:50:16 +0000
commit: 894a54df05aae48b1ccfb4d0acd6170e67c7bd80 (patch)
tree: c1ffb128d53575a3341638cccf75fcf2d6427d05 /src/regress/lib
parent: 1ce60b4afbf4cde527424c04352d010e0bafb51b (diff)
download: openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.tar.gz
openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.tar.bz2
openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.zip
1 files changed, 12 insertions, 1 deletions
diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c
index 289f96db78..70f60af0a3 100644
--- a/src/regress/lib/libcrypto/x509/policy/policy.c
+++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */
+/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
@@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = {
                .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
                .want_legacy_error_depth = 0,
        },
+        {
+                .id = "invalid leaf without explicit policy",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+                .want_chains = 0,
+                .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+                .want_error_depth = 0,
+                .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+                .want_legacy_error_depth = 0,
+        },
        /*  There is a duplicate policy in the leaf policy extension. */
        {
                .id = "1 in duplicate policy extension in leaf",
author	beck <>	2023-04-28 16:50:16 +0000
committer	beck <>	2023-04-28 16:50:16 +0000
commit	894a54df05aae48b1ccfb4d0acd6170e67c7bd80 (patch)
tree	c1ffb128d53575a3341638cccf75fcf2d6427d05 /src/regress/lib
parent	1ce60b4afbf4cde527424c04352d010e0bafb51b (diff)
download	openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.tar.gz openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.tar.bz2 openbsd-894a54df05aae48b1ccfb4d0acd6170e67c7bd80.zip

diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c index 289f96db78..70f60af0a3 100644 --- a/src/regress/lib/libcrypto/x509/policy/policy.c +++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */	1	/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
@@ -328,6 +328,17 @@ struct verify_cert_test verify_cert_tests[] = {
328	.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,	328	.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
329	.want_legacy_error_depth = 0,	329	.want_legacy_error_depth = 0,
330	},	330	},
		331	{
		332	.id = "invalid leaf without explicit policy",
		333	.root_file = CERTSDIR "/" "policy_root.pem",
		334	.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
		335	.leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
		336	.want_chains = 0,
		337	.want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
		338	.want_error_depth = 0,
		339	.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
		340	.want_legacy_error_depth = 0,
		341	},
331	/* There is a duplicate policy in the leaf policy extension. */	342	/* There is a duplicate policy in the leaf policy extension. */
332	{	343	{
333	.id = "1 in duplicate policy extension in leaf",	344	.id = "1 in duplicate policy extension in leaf",