Improve Certificate Policy tests#130269
Conversation
|
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security |
There was a problem hiding this comment.
Pull request overview
This PR expands X.509 certificate policy test coverage by generating more nuanced certificate chains (including a 4-cert chain with per-intermediate extensions) and validating chain-policy behavior across platforms. It also fixes a policy constraint depth accounting bug in the CertificatePolicy implementation.
Changes:
- Extend
TestDataGenerator.MakeTestChainto support per-intermediate extension sets for longer chains. - Add table-driven certificate policy mapping/constraint test cases and a 4-cert chain test helper in
DynamicChainTests. - Fix incorrect depth decrement logic in
CertificatePolicy.ReadPoliciesfor policy mapping inhibition.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/libraries/System.Security.Cryptography/tests/X509Certificates/TestDataGenerator.cs | Adds a new MakeTestChain overload for per-intermediate extensions and refactors chain generation. |
| src/libraries/System.Security.Cryptography/tests/X509Certificates/DynamicChainTests.cs | Adds new certificate policy test cases and a TestChain4 helper (and extends TestChain3). |
| src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificatePolicy.cs | Fixes policy-mapping inhibition depth tracking during policy processing. |
|
Tests passed on main platforms, I'll push the whitespace change then trigger it for extra platforms |
|
/azp run runtime-extra-platforms |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run runtime-extra-platforms |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
The Android failures were all the same "hey, Android seems to have changed how policies are processed" bug as #128890, so I marked the new test(s) ActiveIssue. or Full Log Snippet |
This change adds several new certificate policy tests to better cover edge cases.
Since this is one of the areas that is just a thin projection above the Windows OS APIs on .NET Framework, the de facto answers are "our Windows behavior is right".