Skip to content

NoIssuanceChainPolicy is only reported on Windows #130268

Description

@bartonjs

Description

Some shapes of X.509 Chain cause Windows to validate the structure of the chain policy, independent of asking the chain policy questions. When this validation fails, Windows reports NoIssuanceChainPolicy. That code doesn't appear on any of the other OSes.

Reproduction Steps

There are a few tests in the tree (and some being added in parallel) that demonstrate this, but the easiest one to explain looks like:

  • Root Certificate
    • Basic Constraints: CA:true
    • Policy Constraints: Inhibit Mapping, SkipCerts=0
  • Intermediate Certificate:
    • Basic Constraints: CA:true
    • Policy Constraints: Require Explicit Policy, SkipCerts=0
    • Certificate Policies: PolicyA
    • Certificate Policy Mappings: PolicyA=>PolicyB
  • EE Certificate:
    • Basic Constraints: CA:false
    • Certificate Policies: PolicyB

The Require Explicit Policy seems to trigger Windows into validating the chain structure. Since there are non-zero policies in the EE certificate that successfully trace up to the root without the mapping, and that mapping was forbidden, NoIssuanceChainPolicy is reported. (If the intermediate has PolicyA and PolicyC, and gives the EE PolicyB and PolicyC, the error is not raised.)

Expected behavior

NoIssuanceChainPolicy

Actual behavior

NoError

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions