As defined in RFC 5280 section 4.2.1.5. In practice I don't believe this is commonly used in Web PKI, and isn't a minimum requirement for RFC 5280's profile of supported extensions. Documenting this as a low priority feature.
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/36dfaf4598059fdb20b71e81264f795c3781282f

commit 36dfaf4598059fdb20b71e81264f795c3781282f
Author: eroman <eroman@chromium.org>
Date: Fri May 26 00:13:02 2017

Add parsing for RFC 5280's PolicyMappings certificate extension.

Also wires inhibitAnyPolicy to ParsedCertificate.

BUG=634456

Review-Url: https://codereview.chromium.org/2907523002
Cr-Commit-Position: refs/heads/master@{#474848}

[modify] https://crrev.com/36dfaf4598059fdb20b71e81264f795c3781282f/net/cert/internal/certificate_policies.cc
[modify] https://crrev.com/36dfaf4598059fdb20b71e81264f795c3781282f/net/cert/internal/certificate_policies.h
[modify] https://crrev.com/36dfaf4598059fdb20b71e81264f795c3781282f/net/cert/internal/parsed_certificate.cc
[modify] https://crrev.com/36dfaf4598059fdb20b71e81264f795c3781282f/net/cert/internal/parsed_certificate.h
[modify] https://crrev.com/36dfaf4598059fdb20b71e81264f795c3781282f/net/cert/internal/parsed_certificate_unittest.cc

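For reference, a parser for the extension value that the commit above adds parsing for, following the ASN.1 in RFC 5280 section 4.2.1.5 (a non-empty SEQUENCE of issuerDomainPolicy/subjectDomainPolicy OID pairs). This is an added example, not Chromium's code: `Span`, `ReadTlv` and `ParsePolicyMappings` are hypothetical names, the sample bytes are constructed, and rejecting anyPolicy at parse time is a choice made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

// Added illustration with hypothetical names; not Chromium's net/cert/internal code.
struct Span { const uint8_t* p; size_t n; };
using Oid = std::vector<uint8_t>;     // raw DER contents of an OBJECT IDENTIFIER
using Mapping = std::pair<Oid, Oid>;  // (issuerDomainPolicy, subjectDomainPolicy)

// Constructed samples: 1.2.3 -> 1.2.4 is valid; anyPolicy -> 1.2.4 must be rejected.
const std::vector<uint8_t> kSampleOk = {0x30, 0x0a, 0x30, 0x08, 0x06, 0x02,
                                        0x2a, 0x03, 0x06, 0x02, 0x2a, 0x04};
const std::vector<uint8_t> kSampleAnyPolicy = {0x30, 0x0c, 0x30, 0x0a, 0x06, 0x04, 0x55,
                                               0x1d, 0x20, 0x00, 0x06, 0x02, 0x2a, 0x04};

// Reads one DER TLV with tag `tag` from the front of `in` and advances `in`.
static bool ReadTlv(Span& in, uint8_t tag, Span& out) {
  if (in.n < 2 || in.p[0] != tag) return false;
  size_t len = in.p[1], hdr = 2;
  if (len & 0x80) {
    size_t k = len & 0x7f;  // number of length bytes; this example allows at most 2
    if (k == 0 || k > 2 || in.n < 2 + k) return false;  // no indefinite form
    len = 0;
    for (size_t i = 0; i < k; ++i) len = (len << 8) | in.p[2 + i];
    hdr += k;
    if (len < 0x80 || (k == 2 && len < 0x100)) return false;  // DER: minimal length
  }
  if (in.n - hdr < len) return false;  // value runs past the end of the input
  out = {in.p + hdr, len};
  in = {in.p + hdr + len, in.n - hdr - len};
  return true;
}
static bool IsAnyPolicy(Span o) {  // 2.5.29.32.0 encodes as 55 1D 20 00
  return o.n == 4 && std::memcmp(o.p, "\x55\x1d\x20\x00", 4) == 0;
}
// Parses the extnValue of PolicyMappings; returns false on any malformed input.
bool ParsePolicyMappings(const std::vector<uint8_t>& der, std::vector<Mapping>* out) {
  Span in{der.data(), der.size()}, seq{}, entry{}, issuer{}, subject{};
  out->clear();
  // Outer SEQUENCE SIZE (1..MAX): must be non-empty with no trailing bytes.
  if (!ReadTlv(in, 0x30, seq) || in.n != 0 || seq.n == 0) return false;
  while (seq.n != 0) {
    if (!ReadTlv(seq, 0x30, entry) || !ReadTlv(entry, 0x06, issuer) ||
        !ReadTlv(entry, 0x06, subject) || entry.n != 0) return false;
    // RFC 5280 4.2.1.5: policies must not be mapped to or from anyPolicy.
    if (!issuer.n || !subject.n || IsAnyPolicy(issuer) || IsAnyPolicy(subject)) return false;
    out->emplace_back(Oid(issuer.p, issuer.p + issuer.n), Oid(subject.p, subject.p + subject.n));
  }
  return true;
}
```
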
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c95383ac0847a949d9b54964d0c2cd7c2b253a31

commit c95383ac0847a949d9b54964d0c2cd7c2b253a31
Author: eroman <eroman@chromium.org>
Date: Fri May 26 19:37:30 2017

Add generated PKITS tests relating to certificate policies.

This adds stubs for all tests under:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

Note that this CL does not *run* the tests yet, it just updates the generators.

BUG=634456, 634453, 634452

Review-Url: https://codereview.chromium.org/2903633005
Cr-Commit-Position: refs/heads/master@{#475089}

[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/BUILD.gn
[add] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/c95383ac0847a949d9b54964d0c2cd7c2b253a31/net/third_party/nist-pkits/pkits_testcases-inl.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8cb1774575276a4e506ffed6270b5f14415c6f6a

commit 8cb1774575276a4e506ffed6270b5f14415c6f6a
Author: eroman <eroman@chromium.org>
Date: Thu Jun 01 01:57:46 2017

Update PKITs test data to include "user_constrained_policy_set".

BUG=634456, 634453

Review-Url: https://codereview.chromium.org/2907353002
Cr-Commit-Position: refs/heads/master@{#476145}

[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/8cb1774575276a4e506ffed6270b5f14415c6f6a/net/third_party/nist-pkits/pkits_testcases-inl.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bcca0368ac116828cecc6c68a381bfc5147f8c98

commit bcca0368ac116828cecc6c68a381bfc5147f8c98
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 01:27:06 2017

Add policies support to VerifyCertificateChain().

Support is compliant with RFC 5280 and supports all the policy extensions specified therein:

  * Inhibit Any Policy
  * Policy Constraints
  * Policies
  * Policy Mappings

Testing is done solely using the PKITS test suite, which has fairly good coverage of these extensions:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

BUG=634456, 634453, 634452

Review-Url: https://codereview.chromium.org/2903283002
Cr-Commit-Position: refs/heads/master@{#476513}

[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/path_builder.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/test_helpers.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/bcca0368ac116828cecc6c68a381bfc5147f8c98/net/third_party/nist-pkits/pkits_testcases-inl.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/854d102a9172d20548a8e8a1b5310e02dfeb9759

commit 854d102a9172d20548a8e8a1b5310e02dfeb9759
Author: yoichio <yoichio@chromium.org>
Date: Fri Jun 02 04:29:42 2017

Revert of Add policies support to VerifyCertificateChain(). (patchset #9 id:160001 of https://codereview.chromium.org/2903283002/ )

Reason for revert:
This patch causes VerifyCertificateChain test failure on linux:
https://uberchromegw.corp.google.com/i/chromium.chromiumos/builders/Linux%20ChromiumOS%20Tests%20%28dbg%29%281%29/builds/26805

Original issue's description:
> Add policies support to VerifyCertificateChain().
>
> Support is compliant with RFC 5280 and supports all the policy
> extensions specified therein:
>
>  * Inhibit Any Policy
>  * Policy Constraints
>  * Policies
>  * Policy Mappings
>
> Testing is done solely using the PKITS test suite, which has fairly good
> coverage of these extensions:
>
>  4.8 (Certificate Policies)
>  4.9 (Require Explicit Policy)
>  4.10 (Policy Mappings)
>  4.11 (Inhibit Policy Mapping)
>  4.12 (Inhibit Any Policy)
>
> BUG=634456, 634453, 634452
>
> Review-Url: https://codereview.chromium.org/2903283002
> Cr-Commit-Position: refs/heads/master@{#476513}
> Committed: https://chromium.googlesource.com/chromium/src/+/bcca0368ac116828cecc6c68a381bfc5147f8c98

TBR=mattm@chromium.org,eroman@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=634456, 634453, 634452

Review-Url: https://codereview.chromium.org/2918063002
Cr-Commit-Position: refs/heads/master@{#476562}

[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/path_builder.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/test_helpers.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/854d102a9172d20548a8e8a1b5310e02dfeb9759/net/third_party/nist-pkits/pkits_testcases-inl.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0507e9f17c57e79a10f61eee6c815368977ade54

commit 0507e9f17c57e79a10f61eee6c815368977ade54
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 20:39:20 2017

Add policies support to VerifyCertificateChain().

Support is compliant with RFC 5280 and supports all the policy extensions specified therein:

  * Inhibit Any Policy
  * Policy Constraints
  * Policies
  * Policy Mappings

Testing is done solely using the PKITS test suite, which has fairly good coverage of these extensions:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

This is a re-land of: https://codereview.chromium.org/2903283002

BUG=634456, 634453, 634452

Review-Url: https://codereview.chromium.org/2920013003
Cr-Commit-Position: refs/heads/master@{#476773}

[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/nist_pkits_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/nist_pkits_unittest.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/path_builder.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/test_helpers.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/test_helpers.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain.h
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/third_party/nist-pkits/generate_tests.py
[modify] https://crrev.com/0507e9f17c57e79a10f61eee6c815368977ade54/net/third_party/nist-pkits/pkits_testcases-inl.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa

commit e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa
Author: eroman <eroman@chromium.org>
Date: Fri Jun 02 22:56:10 2017

Wire up certificate policies support in PathBuilder.

BUG=634456, 634453, 634452

Review-Url: https://codereview.chromium.org/2898303005
Cr-Commit-Position: refs/heads/master@{#476827}

[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder.h
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/e0b219a58b5fa18ad52b6b9dbeca8d08d55fccfa/net/tools/cert_verify_tool/verify_using_path_builder.cc

Comment 1 by eroman@chromium.org, May 24 2017
Status: Started (was: Untriaged)