Test that policy checking always succeeds with just a trust anchor

Change-Id: I88354719ccefbe8750bf02e069afbe8ab68b48fb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56033
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index e7b2536..5ed1405 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -1105,8 +1105,7 @@
     X509 *leaf, const std::vector<X509 *> &roots,
     const std::vector<X509 *> &intermediates,
     const std::vector<X509_CRL *> &crls, unsigned long flags = 0,
-    std::function<void(X509_VERIFY_PARAM *)> configure_callback = nullptr,
-    int (*verify_callback)(int, X509_STORE_CTX *) = nullptr) {
+    std::function<void(X509_VERIFY_PARAM *)> configure_callback = nullptr) {
   bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));
   bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(
       CertsToStack(intermediates));
@@ -5343,6 +5342,13 @@
                      set_policies(param, {oid3.get()});
                    }));
 
+  // With just a trust anchor, policy checking silently succeeds.
+  EXPECT_EQ(X509_V_OK, Verify(root.get(), {root.get()}, {},
+                              /*crls=*/{}, X509_V_FLAG_EXPLICIT_POLICY,
+                              [&](X509_VERIFY_PARAM *param) {
+                                set_policies(param, {oid1.get()});
+                              }));
+
   for (bool use_any : {false, true}) {
     SCOPED_TRACE(use_any);
     X509 *cert =
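Review bot: The added `EXPECT_EQ` requires only `oid1`, so if the root certificate itself asserts `oid1` (its contents are not visible in this hunk) the call would return `X509_V_OK` even if the trust anchor were run through policy processing, and the "always succeeds" behaviour in the commit title would not be pinned down. Consider repeating the `Verify` call with a policy OID that no test certificate carries, so that success can only come from the anchor being skipped. The comment could also state the reason and the consequence for callers, assuming the reason is that a lone trust anchor leaves nothing for policy processing to examine: `// A trust anchor alone leaves no certificates to process, so X509_V_FLAG_EXPLICIT_POLICY cannot fail here; X509_V_OK does not mean the anchor asserts the policy.` The enclosing test body starts and ends outside the hunk.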