// PolicyInformation ::= SEQUENCE { // policyIdentifier CertPolicyId, // policyQualifiers SEQUENCE SIZE (1..MAX) OF // PolicyQualifierInfo OPTIONAL } inline der::Result CheckPolicyInformation(der::Input& input, EndEntityOrCA endEntityOrCA, const CertPolicyId& requiredPolicy, /*in/out*/ bool& found) { if (input.MatchTLV(der::OIDTag, requiredPolicy.numBytes, requiredPolicy.bytes)) { found = true; } else if (endEntityOrCA == EndEntityOrCA::MustBeCA && input.MatchTLV(der::OIDTag, CertPolicyId::anyPolicy.numBytes, CertPolicyId::anyPolicy.bytes)) { found = true; } // RFC 5280 Section 4.2.1.4 says "Optional qualifiers, which MAY be present, // are not expected to change the definition of the policy." Also, it seems // that Section 6, which defines validation, does not require any matching of // qualifiers. Thus, doing anything with the policy qualifiers would be a // waste of time and a source of potential incompatibilities, so we just // ignore them. // Skip unmatched OID and/or policyQualifiers input.SkipToEnd(); return der::Success; }