Diffstat (limited to 'src')
| -rw-r--r-- | src/regress/lib/libcrypto/x509/policy/policy.c | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c index 1bb03d1faf..5524be2b05 100644 --- a/src/regress/lib/libcrypto/x509/policy/policy.c +++ b/src/regress/lib/libcrypto/x509/policy/policy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: policy.c,v 1.6 2023/04/28 08:50:08 beck Exp $ */ | 1 | /* $OpenBSD: policy.c,v 1.7 2023/04/28 08:53:20 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> |
| @@ -131,7 +131,6 @@ verify_cert(const char *roots_file, const char *intermediate_file, | |||
| 131 | *error = 0; | 131 | *error = 0; |
| 132 | *error_depth = 0; | 132 | *error_depth = 0; |
| 133 | 133 | ||
| 134 | |||
| 135 | if (!certs_from_file(roots_file, &roots)) | 134 | if (!certs_from_file(roots_file, &roots)) |
| 136 | errx(1, "failed to load roots from '%s'", roots_file); | 135 | errx(1, "failed to load roots from '%s'", roots_file); |
| 137 | if (!certs_from_file(leaf_file, &bundle)) | 136 | if (!certs_from_file(leaf_file, &bundle)) |
| @@ -154,7 +153,7 @@ verify_cert(const char *roots_file, const char *intermediate_file, | |||
| 154 | int flags = X509_V_FLAG_POLICY_CHECK; | 153 | int flags = X509_V_FLAG_POLICY_CHECK; |
| 155 | flags |= verify_flags; | 154 | flags |= verify_flags; |
| 156 | if (mode == MODE_LEGACY_VFY) | 155 | if (mode == MODE_LEGACY_VFY) |
| 157 | flags |= X509_V_FLAG_LEGACY_VERIFY; | 156 | flags |= X509_V_FLAG_LEGACY_VERIFY; |
| 158 | X509_STORE_CTX_set_flags(xsc, flags); | 157 | X509_STORE_CTX_set_flags(xsc, flags); |
| 159 | 158 | ||
| 160 | if (verbose) | 159 | if (verbose) |
| @@ -162,13 +161,13 @@ verify_cert(const char *roots_file, const char *intermediate_file, | |||
| 162 | X509_STORE_CTX_set0_trusted_stack(xsc, roots); | 161 | X509_STORE_CTX_set0_trusted_stack(xsc, roots); |
| 163 | 162 | ||
| 164 | if (policy_oid != NULL) { | 163 | if (policy_oid != NULL) { |
| 165 | X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc); | 164 | X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(xsc); |
| 166 | ASN1_OBJECT * copy = OBJ_dup(policy_oid); | 165 | ASN1_OBJECT *copy = OBJ_dup(policy_oid); |
| 167 | X509_VERIFY_PARAM_add0_policy(param, copy); | 166 | X509_VERIFY_PARAM_add0_policy(param, copy); |
| 168 | } | 167 | } |
| 169 | if (policy_oid2 != NULL) { | 168 | if (policy_oid2 != NULL) { |
| 170 | X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc); | 169 | X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(xsc); |
| 171 | ASN1_OBJECT * copy = OBJ_dup(policy_oid2); | 170 | ASN1_OBJECT *copy = OBJ_dup(policy_oid2); |
| 172 | X509_VERIFY_PARAM_add0_policy(param, copy); | 171 | X509_VERIFY_PARAM_add0_policy(param, copy); |
| 173 | } | 172 | } |
| 174 | 173 | ||
| @@ -388,7 +387,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 388 | .want_chains = 0, | 387 | .want_chains = 0, |
| 389 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 388 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 390 | .want_error_depth = 0, | 389 | .want_error_depth = 0, |
| 391 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 390 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 392 | .want_legacy_error_depth = 0, | 391 | .want_legacy_error_depth = 0, |
| 393 | }, | 392 | }, |
| 394 | // requireExplicitPolicy applies even if the application does not configure a | 393 | // requireExplicitPolicy applies even if the application does not configure a |
| @@ -402,7 +401,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 402 | .want_chains = 0, | 401 | .want_chains = 0, |
| 403 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 402 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 404 | .want_error_depth = 0, | 403 | .want_error_depth = 0, |
| 405 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 404 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 406 | .want_legacy_error_depth = 0, | 405 | .want_legacy_error_depth = 0, |
| 407 | }, | 406 | }, |
| 408 | // A leaf can also set requireExplicitPolicy but should work with none | 407 | // A leaf can also set requireExplicitPolicy but should work with none |
| @@ -413,7 +412,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 413 | .leaf_file = CERTSDIR "/" "policy_leaf_require.pem", | 412 | .leaf_file = CERTSDIR "/" "policy_leaf_require.pem", |
| 414 | .want_chains = 1, | 413 | .want_chains = 1, |
| 415 | }, | 414 | }, |
| 416 | // A leaf can also set requireExplicitPolicy but should fail with policy | 415 | // A leaf can also set requireExplicitPolicy but should fail with policy |
| 417 | { | 416 | { |
| 418 | .id = "oid3, explicit policy unset, with leaf requiring policy", | 417 | .id = "oid3, explicit policy unset, with leaf requiring policy", |
| 419 | .root_file = CERTSDIR "/" "policy_root.pem", | 418 | .root_file = CERTSDIR "/" "policy_root.pem", |
| @@ -423,7 +422,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 423 | .want_chains = 0, | 422 | .want_chains = 0, |
| 424 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 423 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 425 | .want_error_depth = 0, | 424 | .want_error_depth = 0, |
| 426 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 425 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 427 | .want_legacy_error_depth = 0, | 426 | .want_legacy_error_depth = 0, |
| 428 | }, | 427 | }, |
| 429 | // requireExplicitPolicy is a count of certificates to skip. If the value is | 428 | // requireExplicitPolicy is a count of certificates to skip. If the value is |
| @@ -438,7 +437,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 438 | .want_chains = 0, | 437 | .want_chains = 0, |
| 439 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 438 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 440 | .want_error_depth = 0, | 439 | .want_error_depth = 0, |
| 441 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 440 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 442 | .want_legacy_error_depth = 0, | 441 | .want_legacy_error_depth = 0, |
| 443 | }, | 442 | }, |
| 444 | { | 443 | { |
| @@ -469,7 +468,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 469 | .want_chains = 0, | 468 | .want_chains = 0, |
| 470 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 469 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 471 | .want_error_depth = 0, | 470 | .want_error_depth = 0, |
| 472 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 471 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 473 | .want_legacy_error_depth = 0, | 472 | .want_legacy_error_depth = 0, |
| 474 | }, | 473 | }, |
| 475 | { | 474 | { |
| @@ -482,7 +481,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 482 | .want_chains = 0, | 481 | .want_chains = 0, |
| 483 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 482 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 484 | .want_error_depth = 0, | 483 | .want_error_depth = 0, |
| 485 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 484 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 486 | .want_legacy_error_depth = 0, | 485 | .want_legacy_error_depth = 0, |
| 487 | }, | 486 | }, |
| 488 | // An intermediate that requires an explicit policy, but then specifies no | 487 | // An intermediate that requires an explicit policy, but then specifies no |
| @@ -496,7 +495,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 496 | .want_chains = 0, | 495 | .want_chains = 0, |
| 497 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 496 | .want_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 498 | .want_error_depth = 0, | 497 | .want_error_depth = 0, |
| 499 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, | 498 | .want_legacy_error = X509_V_ERR_NO_EXPLICIT_POLICY, |
| 500 | .want_legacy_error_depth = 0, | 499 | .want_legacy_error_depth = 0, |
| 501 | }, | 500 | }, |
| 502 | // A constrained intermediate's policy extension has a duplicate policy, which | 501 | // A constrained intermediate's policy extension has a duplicate policy, which |
| @@ -510,7 +509,7 @@ struct verify_cert_test verify_cert_tests[] = { | |||
| 510 | .want_chains = 0, | 509 | .want_chains = 0, |
| 511 | .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION, | 510 | .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION, |
| 512 | .want_error_depth = 0, | 511 | .want_error_depth = 0, |
| 513 | .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION, | 512 | .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION, |
| 514 | .want_legacy_error_depth = 0, | 513 | .want_legacy_error_depth = 0, |
| 515 | }, | 514 | }, |
| 516 | // The leaf asserts anyPolicy, but the intermediate does not. The resulting | 515 | // The leaf asserts anyPolicy, but the intermediate does not. The resulting |
| @@ -612,7 +611,6 @@ verify_cert_test(int mode) | |||
| 612 | fprintf(stderr, "\n"); | 611 | fprintf(stderr, "\n"); |
| 613 | ASN1_OBJECT_free(policy_oid); | 612 | ASN1_OBJECT_free(policy_oid); |
| 614 | ASN1_OBJECT_free(policy_oid2); | 613 | ASN1_OBJECT_free(policy_oid2); |
| 615 | |||
| 616 | } | 614 | } |
| 617 | return failed; | 615 | return failed; |
| 618 | } | 616 | } |
