Test that policy checking always succeeds with just a trust anchor

Change-Id: I88354719ccefbe8750bf02e069afbe8ab68b48fb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56033 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
2 years ago · 1f2529d99d
parent 0d9208e889
commit 1f2529d99d
1 changed files with 8 additions and 2 deletions
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@ -1105,8 +1105,7 @@ static int Verify(
    X509 *leaf, const std::vector<X509 *> &roots,
    const std::vector<X509 *> &intermediates,
    const std::vector<X509_CRL *> &crls, unsigned long flags = 0,
-    std::function<void(X509_VERIFY_PARAM *)> configure_callback = nullptr,
-    int (*verify_callback)(int, X509_STORE_CTX *) = nullptr) {
+    std::function<void(X509_VERIFY_PARAM *)> configure_callback = nullptr) {
  bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));
  bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(
      CertsToStack(intermediates));
@ -5343,6 +5342,13 @@ TEST(X509Test, Policy) {
                     set_policies(param, {oid3.get()});
                   }));

+  // With just a trust anchor, policy checking silently succeeds.
+  EXPECT_EQ(X509_V_OK, Verify(root.get(), {root.get()}, {},
+                              /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY,
+                              [&](X509_VERIFY_PARAM *param) {
+                                set_policies(param, {oid1.get()});
+                              }));
+
  for (bool use_any : {false, true}) {
    SCOPED_TRACE(use_any);
    X509 *cert =