Description
Go version
go1.24.9
Output of go env in your module/workspace:
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1916020196=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/root/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.9'
GOWORK=''
PKG_CONFIG='pkg-config'
What did you do?
x509: Certificate chain with policy mismatch does not throw error while doing x509.Verify().
cert chain:
leafCert.pem --> signed by --> interemediateCAcert.pem --> signed by --> rootCACert.pem
interemediateCAcert.pem has critical certificate policy (2.5.29.32) 1.2.3.4
leafCert.pem has critical certificate policy (2.5.29.32) 4.3.2.1
Then I call x509.Verify() with x509.VerifyOptions -
interemediateCAcert.pem assigned to Roots.
Issue:
No error is thrown even though there is a policy mismatch between intermediate.pem and leafCert.pem.
Note:
However, when we do the same but also add the rootCert (interemediateCAcert's issuer), it throws the 'invalid policies' error.
In this case x509.VerifyOptions is defined as:
rootCACert.pem assigned to Roots
interemediateCAcert.pem assigned to Intermediates
Cert details:
a. rootCACert.pem:
no cert policy defined
b. interemediateCAcert.pem:
...
X509v3 Certificate Policies: critical
Policy: 1.2.3.4
X509v3 Policy Constraints: critical
Require Explicit Policy:0
...
c. leafCert.pem:
...
X509v3 Certificate Policies: critical
Policy: 4.3.2.1
...
What did you see happen?
go run certChainVerify.go
What did you expect to see?
Expecting to see the error:
x509: no valid chains built: all candidate chains have invalid policies
Output got:
But the actual output was: cert chain verification successful
Why is the current output incorrect?
Because leafCert's cert policy (4.3.2.1) did not match the intermediateCACert policy (1.2.3.4), and the cert policies were marked as critical on both certs.