Issue 634452 link

Starred by 3 users

Issue metadata

Status:	Fixed
Owner:	eroman@chromium.org
Closed:	Jun 2017
Components:	Internals>Network>Certificate
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

Blocking:
issue 410574

[PKI library] Process policy constraints extension

Project Member Reported by eroman@chromium.org, Aug 4 2016

Issue description

This is part or RFC 5280 (Section 4.2.1.11), and is required in order to be compliant with RFC 5280's profile:

   At a minimum, applications conforming to this profile MUST recognize
   the following extensions:  ....  policy constraints (Section 4.2.1.11)

In practice I do not believe it is widely used in Web PKI. According to RFC 5280 it should be marked as critical.

Project Member

Comment 1 by bugdroid1@chromium.org, May 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190

commit 25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190
Author: eroman <eroman@chromium.org>
Date: Sat May 13 06:44:58 2017

Add parsing code for RFC 5280 PolicyConstraints.

BUG= 634452 

Review-Url: https://codereview.chromium.org/2872113002
Cr-Commit-Position: refs/heads/master@{#471572}

[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/BUILD.gn
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/certificate_policies.cc
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/certificate_policies.h
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/certificate_policies_unittest.cc
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/parse_certificate.cc
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/parsed_certificate.cc
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/parsed_certificate.h
[modify] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/cert/internal/parsed_certificate_unittest.cc
[add] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/data/parse_certificate_unittest/policy_constraints_empty.pem
[add] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/data/parse_certificate_unittest/policy_constraints_inhibit.pem
[add] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/data/parse_certificate_unittest/policy_constraints_inhibit_require.pem
[add] https://crrev.com/25ead1bcf8bae5dc3f1876d63fe81b3bfd3a9190/net/data/parse_certificate_unittest/policy_constraints_require.pem

Comment 2 by eroman@chromium.org, May 24 2017

Owner: eroman@chromium.org
Status: Started (was: Available)

Project Member

Comment 3 by bugdroid1@chromium.org, May 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c95383ac0847a949d9b54964d0c2cd7c2b253a31

commit c95383ac0847a949d9b54964d0c2cd7c2b253a31
Author: eroman <eroman@chromium.org>
Date: Fri May 26 19:37:30 2017

Add generated PKITS tests relating to certificate policies.

This adds stubs for all tests under:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

Note that this CL does not *run* the tests yet, it just updates the
generators.

BUG= 634456 , 634453 , 634452 

Review-Url: https://codereview.chromium.org/2903633005
Cr-Commit-Position: refs/heads/master@{#475089}

[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/BUILD.gn
[add] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/third_party/nist-pkits/pkits_testcases-inl.h

Project Member

Comment 4 by bugdroid1@chromium.org, Jun 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bcca0368ac116828cecc6c68a381bfc5147f8c98

commit bcca0368ac116828cecc6c68a381bfc5147f8c98
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 01:27:06 2017

Add policies support to VerifyCertificateChain().

Support is compliant with RFC 5280 and supports all the policy
extensions specified therein:

 * Inhibit Any Policy
 * Policy Constraints
 * Policies
 * Policy Mappings

Testing is done solely using the PKITS test suite, which has fairly good
coverage of these extensions:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

BUG= 634456 , 634453 , 634452 

Review-Url: https://codereview.chromium.org/2903283002
Cr-Commit-Position: refs/heads/master@{#476513}

[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/path_builder.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/test_helpers.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/third_party/nist-pkits/pkits_testcases-inl.h

Project Member

Comment 5 by bugdroid1@chromium.org, Jun 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/854d102a9172d20548a8e8a1b5310e02dfeb9759

commit 854d102a9172d20548a8e8a1b5310e02dfeb9759
Author: yoichio <yoichio@chromium.org>
Date: Fri Jun 02 04:29:42 2017

Revert of Add policies support to VerifyCertificateChain(). (patchset #9 id:160001 of https://codereview.chromium.org/2903283002/ )

Reason for revert:
This patch causes VerifyCertificateChain test failure on linux:
https://uberchromegw.corp.google.com/i/chromium.chromiumos/builders/Linux%20ChromiumOS%20Tests%20%28dbg%29%281%29/builds/26805

Original issue's description:
> Add policies support to VerifyCertificateChain().
>
> Support is compliant with RFC 5280 and supports all the policy
> extensions specified therein:
>
>  * Inhibit Any Policy
>  * Policy Constraints
>  * Policies
>  * Policy Mappings
>
> Testing is done solely using the PKITS test suite, which has fairly good
> coverage of these extensions:
>
>   4.8 (Certificate Policies)
>   4.9 (Require Explicit Policy)
>   4.10 (Policy Mappings)
>   4.11 (Inhibit Policy Mapping)
>   4.12 (Inhibit Any Policy)
>
> BUG= 634456 , 634453 , 634452 
>
> Review-Url: https://codereview.chromium.org/2903283002
> Cr-Commit-Position: refs/heads/master@{#476513}
> Committed: https://chromium.googlesource.com/chromium/src/+/bcca0368ac116828cecc6c68a381bfc5147f8c98

TBR=mattm@chromium.org,eroman@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 634456 , 634453 , 634452 

Review-Url: https://codereview.chromium.org/2918063002
Cr-Commit-Position: refs/heads/master@{#476562}

[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/path_builder.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/test_helpers.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/third_party/nist-pkits/pkits_testcases-inl.h

Project Member

Comment 6 by bugdroid1@chromium.org, Jun 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0507e9f17c57e79a10f61eee6c815368977ade54

commit 0507e9f17c57e79a10f61eee6c815368977ade54
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 20:39:20 2017

Add policies support to VerifyCertificateChain().

Support is compliant with RFC 5280 and supports all the policy
extensions specified therein:

 * Inhibit Any Policy
 * Policy Constraints
 * Policies
 * Policy Mappings

Testing is done solely using the PKITS test suite, which has fairly good
coverage of these extensions:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

This is a re-land of: https://codereview.chromium.org/2903283002

BUG= 634456 ,  634453 ,  634452 

Review-Url: https://codereview.chromium.org/2920013003
Cr-Commit-Position: refs/heads/master@{#476773}

[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/path_builder.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/test_helpers.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/third_party/nist-pkits/pkits_testcases-inl.h

Project Member

Comment 7 by bugdroid1@chromium.org, Jun 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa

commit e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 22:56:10 2017

Wire up certificate policies support in PathBuilder.

BUG= 634456 ,  634453 ,  634452 

Review-Url: https://codereview.chromium.org/2898303005
Cr-Commit-Position: refs/heads/master@{#476827}

[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder.h
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/tools/cert_verify_tool/verify_using_path_builder.cc

Comment 8 by eroman@chromium.org, Jun 2 2017

Status: Fixed (was: Started)

►

Issue 634452 link

Issue metadata

[PKI library] Process policy constraints extension

Issue description

Comment 1 by bugdroid1@chromium.org, May 13 2017

Comment 1 Deleted

Comment 2 by eroman@chromium.org, May 24 2017

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, May 26 2017

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Jun 2 2017

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Jun 2 2017

Comment 5 Deleted

Comment 6 by bugdroid1@chromium.org, Jun 2 2017

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Jun 2 2017

Comment 7 Deleted

Comment 8 by eroman@chromium.org, Jun 2 2017

Comment 8 Deleted

Sign in to add a comment