Description
Some shapes of X.509 Chain cause Windows to validate the structure of the chain policy, independent of asking the chain policy questions. When this validation fails, Windows reports NoIssuanceChainPolicy. That code doesn't appear on any of the other OSes.
Reproduction Steps
There are a few tests in the tree (and some being added in parallel) that demonstrate this, but the easiest one to explain looks like:
- Root Certificate
- Basic Constraints: CA:true
- Policy Constraints: Inhibit Mapping, SkipCerts=0
- Intermediate Certificate:
- Basic Constraints: CA:true
- Policy Constraints: Require Explicit Policy, SkipCerts=0
- Certificate Policies: PolicyA
- Certificate Policy Mappings: PolicyA=>PolicyB
- EE Certificate:
- Basic Constraints: CA:false
- Certificate Policies: PolicyB
The Require Explicit Policy seems to trigger Windows into validating the chain structure. Since there are non-zero policies in the EE certificate that successfully trace up to the root without the mapping, and that mapping was forbidden, NoIssuanceChainPolicy is reported. (If the intermediate has PolicyA and PolicyC, and gives the EE PolicyB and PolicyC, the error is not raised.)
Expected behavior
NoIssuanceChainPolicy
Actual behavior
NoError
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
No response
Description
Some shapes of X.509 Chain cause Windows to validate the structure of the chain policy, independent of asking the chain policy questions. When this validation fails, Windows reports NoIssuanceChainPolicy. That code doesn't appear on any of the other OSes.
Reproduction Steps
There are a few tests in the tree (and some being added in parallel) that demonstrate this, but the easiest one to explain looks like:
The Require Explicit Policy seems to trigger Windows into validating the chain structure. Since there are non-zero policies in the EE certificate that successfully trace up to the root without the mapping, and that mapping was forbidden, NoIssuanceChainPolicy is reported. (If the intermediate has PolicyA and PolicyC, and gives the EE PolicyB and PolicyC, the error is not raised.)
Expected behavior
NoIssuanceChainPolicy
Actual behavior
NoError
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
No response