Skip to content

Fix CertificatePolicy processing. #121395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Fix CertificatePolicy processing. #121395

wants to merge 4 commits into from
+120 −14

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Nov 5, 2025

The wrong mapping variable was decremented, which could lead to incorrect AnyPolicy depth matching. This would fail-closed, causing a policy mismatch when it shouldn't.

It should be inhibitPolicyMappingDepth, not inhibitAnyPolicyDepth. The latter is handled on line 190.

@vcsjones
Fix CertificatePolicy processing.
29b584e 
The wrong mapping variable was decremented, which could lead to incorrect AnyPolicy depth matching.
Copilot AI review requested due to automatic review settings November 5, 2025 21:12
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Nov 5, 2025

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Nov 5, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a bug in certificate policy validation where the wrong depth counter was being decremented, and adds supporting test infrastructure and a test case to verify the fix.

  • Fixes a bug where inhibitAnyPolicyDepth was incorrectly decremented instead of inhibitPolicyMappingDepth in the certificate policy validation logic
  • Adds a new overload of MakeTestChain4 that allows specifying different extensions for each intermediate certificate independently
  • Adds a test case to verify policy constraints work correctly with multiple intermediate certificates

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
CertificatePolicy.cs Fixes the bug by changing the decremented variable from inhibitAnyPolicyDepth to inhibitPolicyMappingDepth
TestDataGenerator.cs Adds new overload of MakeTestChain4 to support separate extension parameters for two intermediate certificates
DynamicChainTests.cs Adds test case PolicyConstraints_AnyPolicyInhibited_Success and helper method BuildInhibitAnyPolicy

@vcsjones
Apply suggestions from code review
ad66028 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This was referenced Nov 6, 2025
Open
Open
Open
Open
Open
Open
@jkoritzinsky jkoritzinsky mentioned this pull request Nov 6, 2025
Open
@build-analysis build-analysis bot mentioned this pull request Nov 6, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs bartonjs approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vcsjones @bartonjs