Start of an x509 policy regress test. test cases from BoringSSL.

Still a work in progress adapting tests from boringssl x509_test.cc but dropping in here for tb to be able to look at and run as well since the new stuff still has bugs.
author: beck <> 2023-04-27 12:23:31 +0000
committer: beck <> 2023-04-27 12:23:31 +0000
commit: 7b678b64a90656d9c04739ffc2f8c85b2ea90eb0 (patch)
tree: 8fffe22bc6d897496bead069665f5d254dfe326e /src
parent: 84c2a4f21376506adbc6a4c7c8b8d4a4d0878a53 (diff)
download: openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.tar.gz
openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.tar.bz2
openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.zip
29 files changed, 801 insertions, 0 deletions
diff --git a/src/regress/lib/libcrypto/x509/policy/Makefile b/src/regress/lib/libcrypto/x509/policy/Makefile
new file mode 100644
index 0000000000..b365499412
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/Makefile
@@ -0,0 +1,22 @@
+#       $OpenBSD: Makefile,v 1.1 2023/04/27 12:23:31 beck Exp $
+PROGS =         policy
+LDADD = -lcrypto
+DPADD = ${LIBCRYPTO}
+LDADD_policy = ${CRYPTO_INT}
+WARNINGS =      Yes
+CFLAGS +=       -DLIBRESSL_INTERNAL -Wall -Werror
+CFLAGS +=       -I${.CURDIR}/../../../../../lib/libcrypto/x509
+CFLAGS +=       -I${.CURDIR}/../../../../../lib/libcrypto/bytestring
+CFLAGS +=       -DCERTSDIR=\"${.CURDIR}/../../../libcrypto/x509/policy\"
+REGRESS_TARGETS =  policy-test
+policy-test:    policy
+        ./policy 
+.include "../../Makefile.inc"
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/x509/policy/policy.c b/src/regress/lib/libcrypto/x509/policy/policy.c
new file mode 100644
index 0000000000..c2f96599e6
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy.c
@@ -0,0 +1,463 @@
+/* $OpenBSD: policy.c,v 1.1 2023/04/27 12:23:31 beck Exp $ */
+/*
+ * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <err.h>
+#include <string.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include "x509_verify.h"
+#define MODE_MODERN_VFY         0
+#define MODE_MODERN_VFY_DIR     1
+#define MODE_LEGACY_VFY         2
+#define MODE_VERIFY             3
+static int verbose = 1;
+#define OID1 "1.2.840.113554.4.1.72585.2.1"
+#define OID2 "1.2.840.113554.4.1.72585.2.2"
+#define OID3 "1.2.840.113554.4.1.72585.2.3"
+#define OID4 "1.2.840.113554.4.1.72585.2.4"
+#define OID5 "1.2.840.113554.4.1.72585.2.5"
+#ifndef CERTSDIR
+#define CERTSDIR "."
+#endif
+static int
+passwd_cb(char *buf, int size, int rwflag, void *u)
+{
+        memset(buf, 0, size);
+        return (0);
+}
+static int
+certs_from_file(const char *filename, STACK_OF(X509) **certs)
+{
+        STACK_OF(X509_INFO) *xis = NULL;
+        STACK_OF(X509) *xs = NULL;
+        BIO *bio = NULL;
+        X509 *x;
+        int i;
+        if (*certs == NULL) {
+                if ((xs = sk_X509_new_null()) == NULL)
+                        errx(1, "failed to create X509 stack");
+        } else {
+                xs = *certs;
+        }
+        if ((bio = BIO_new_file(filename, "r")) == NULL) {
+                ERR_print_errors_fp(stderr);
+                errx(1, "failed to create bio");
+        }
+        if ((xis = PEM_X509_INFO_read_bio(bio, NULL, passwd_cb, NULL)) == NULL)
+                errx(1, "failed to read PEM");
+        for (i = 0; i < sk_X509_INFO_num(xis); i++) {
+                if ((x = sk_X509_INFO_value(xis, i)->x509) == NULL)
+                        continue;
+                if (!sk_X509_push(xs, x))
+                        errx(1, "failed to push X509");
+                X509_up_ref(x);
+        }
+        *certs = xs;
+        xs = NULL;
+        sk_X509_INFO_pop_free(xis, X509_INFO_free);
+        sk_X509_pop_free(xs, X509_free);
+        BIO_free(bio);
+        return 1;
+}
+static int
+verify_cert_cb(int ok, X509_STORE_CTX *xsc)
+{
+        X509 *current_cert;
+        int verify_err;
+        current_cert = X509_STORE_CTX_get_current_cert(xsc);
+        if (current_cert != NULL) {
+                X509_NAME_print_ex_fp(stderr,
+                    X509_get_subject_name(current_cert), 0,
+                    XN_FLAG_ONELINE);
+                fprintf(stderr, "\n");
+        }
+        verify_err = X509_STORE_CTX_get_error(xsc);
+        if (verify_err != X509_V_OK) {
+                fprintf(stderr, "verify error at depth %d: %s\n",
+                    X509_STORE_CTX_get_error_depth(xsc),
+                    X509_verify_cert_error_string(verify_err));
+        }
+        return ok;
+}
+static void
+verify_cert(const char *roots_file, const char *intermediate_file,
+    const char *leaf_file, int *chains, int *error, int *error_depth,
+    int mode, ASN1_OBJECT *policy_oid, ASN1_OBJECT *policy_oid2)
+{
+        STACK_OF(X509) *roots = NULL, *bundle = NULL;
+        X509_STORE_CTX *xsc = NULL;
+        X509_STORE *store = NULL;
+        X509 *leaf = NULL;
+        int ret;
+        *chains = 0;
+        *error = 0;
+        *error_depth = 0;
+        if (!certs_from_file(roots_file, &roots))
+                errx(1, "failed to load roots from '%s'", roots_file);
+        if (!certs_from_file(leaf_file, &bundle))
+                errx(1, "failed to load leaf from '%s'", leaf_file);
+        if (intermediate_file != NULL && !certs_from_file(intermediate_file,
+            &bundle))
+                errx(1, "failed to load intermediate from '%s'",
+                    intermediate_file);
+        printf ("%d certs %d roots\n", sk_X509_num(bundle), sk_X509_num(roots));
+        if (sk_X509_num(bundle) < 1)
+                errx(1, "not enough certs in bundle");
+        leaf = sk_X509_shift(bundle);
+        if ((xsc = X509_STORE_CTX_new()) == NULL)
+                errx(1, "X509_STORE_CTX");
+        if (!X509_STORE_CTX_init(xsc, store, leaf, bundle)) {
+                ERR_print_errors_fp(stderr);
+                errx(1, "failed to init store context");
+        }
+        int flags = X509_V_FLAG_POLICY_CHECK;
+        flags |= X509_V_FLAG_EXPLICIT_POLICY;
+        //      flags |= X509_V_FLAG_INHIBIT_MAP;
+        if (mode == MODE_LEGACY_VFY)
+                flags |=  X509_V_FLAG_LEGACY_VERIFY;
+        X509_STORE_CTX_set_flags(xsc, flags);
+        if (verbose)
+                X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
+        X509_STORE_CTX_set0_trusted_stack(xsc, roots);
+        if (policy_oid != NULL) {
+                X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc);
+                ASN1_OBJECT * copy = OBJ_dup(policy_oid);
+                X509_VERIFY_PARAM_add0_policy(param, copy);
+        }
+        if (policy_oid2 != NULL) {
+                X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc);
+                ASN1_OBJECT * copy = OBJ_dup(policy_oid2);
+                X509_VERIFY_PARAM_add0_policy(param, copy);
+        }
+        ret = X509_verify_cert(xsc);
+        *error = X509_STORE_CTX_get_error(xsc);
+        *error_depth = X509_STORE_CTX_get_error_depth(xsc);
+        if (ret == 1) {
+                *chains = 1; /* XXX */
+                goto done;
+        }
+        if (*error == 0)
+                errx(1, "Error unset on failure!\n");
+        fprintf(stderr, "failed to verify at %d: %s\n",
+            *error_depth, X509_verify_cert_error_string(*error));
+ done:
+        sk_X509_pop_free(roots, X509_free);
+        sk_X509_pop_free(bundle, X509_free);
+        X509_STORE_free(store);
+        X509_STORE_CTX_free(xsc);
+        X509_free(leaf);
+}
+static void
+verify_cert_new(const char *roots_file, const char *intermediate_file,
+    const char*leaf_file, int *chains)
+{
+        STACK_OF(X509) *roots = NULL, *bundle = NULL;
+        X509_STORE_CTX *xsc = NULL;
+        X509 *leaf = NULL;
+        struct x509_verify_ctx *ctx;
+        *chains = 0;
+        if (!certs_from_file(roots_file, &roots))
+                errx(1, "failed to load roots from '%s'", roots_file);
+        if (!certs_from_file(leaf_file, &bundle))
+                errx(1, "failed to load leaf from '%s'", leaf_file);
+        if (intermediate_file != NULL && !certs_from_file(intermediate_file,
+            &bundle))
+                errx(1, "failed to load intermediate from '%s'",
+                    intermediate_file);
+        if (sk_X509_num(bundle) < 1)
+                errx(1, "not enough certs in bundle");
+        leaf = sk_X509_shift(bundle);
+        if ((xsc = X509_STORE_CTX_new()) == NULL)
+                errx(1, "X509_STORE_CTX");
+        if (!X509_STORE_CTX_init(xsc, NULL, leaf, bundle)) {
+                ERR_print_errors_fp(stderr);
+                errx(1, "failed to init store context");
+        }
+        if (verbose)
+                X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
+        if ((ctx = x509_verify_ctx_new(roots)) == NULL)
+                errx(1, "failed to create ctx");
+        if (!x509_verify_ctx_set_intermediates(ctx, bundle))
+                errx(1, "failed to set intermediates");
+        if ((*chains = x509_verify(ctx, leaf, NULL)) == 0) {
+                fprintf(stderr, "failed to verify at %lu: %s\n",
+                    x509_verify_ctx_error_depth(ctx),
+                    x509_verify_ctx_error_string(ctx));
+        } else {
+                int c;
+                for (c = 0; verbose && c < *chains; c++) {
+                        STACK_OF(X509) *chain;
+                        int i;
+                        fprintf(stderr, "Chain %d\n--------\n", c);
+                        chain = x509_verify_ctx_chain(ctx, c);
+                        for (i = 0; i < sk_X509_num(chain); i++) {
+                                X509 *cert = sk_X509_value(chain, i);
+                                X509_NAME_print_ex_fp(stderr,
+                                    X509_get_subject_name(cert), 0,
+                                    XN_FLAG_ONELINE);
+                                fprintf(stderr, "\n");
+                        }
+                }
+        }
+        sk_X509_pop_free(roots, X509_free);
+        sk_X509_pop_free(bundle, X509_free);
+        X509_free(leaf);
+        X509_STORE_CTX_free(xsc);
+        x509_verify_ctx_free(ctx);
+}
+struct verify_cert_test {
+        const char *id;
+        const char *root_file;
+        const char *intermediate_file;
+        const char *leaf_file;
+        const char *policy_oid_to_check;
+        const char *policy_oid_to_check2;
+        int want_chains;
+        int want_error;
+        int want_error_depth;
+        int want_legacy_error;
+        int want_legacy_error_depth;
+        int failing;
+};
+struct verify_cert_test verify_cert_tests[] = {
+        // The chain is good for |oid1| and |oid2|, but not |oid3|.
+        {
+                .id = "nothing  in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .want_chains = 1,
+        },
+        {
+                .id = "1, in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID1,
+                .want_chains = 1,
+        },
+        {
+                .id = "2, in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID2,
+                .want_chains = 1,
+        },
+        {
+                .id = "3, in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID2,
+                .want_chains = 0,
+        },
+        {
+                .id = "1 and 2, in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID1,
+                .policy_oid_to_check2 = OID2,
+                .want_chains = 1,
+        },
+        {
+                .id = "1 and 3, in 1 and 2",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID1,
+                .policy_oid_to_check2 = OID3,
+                .want_chains = 1,
+        },
+        // The policy extension cannot be parsed.
+        {
+                .id = "1 in invalid intermediate poicy",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate_invalid.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID1,
+                .want_chains = 0,
+        },
+        {
+                .id = "invalid intermediate",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate_invalid.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .want_chains = 0,
+        },
+        {
+                .id = "1 in invalid policy in leaf",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+                .policy_oid_to_check = OID1,
+                .want_chains = 0,
+        },
+        {
+                .id = "invalid leaf",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+                .want_chains = 0,
+        },
+        // There is a duplicate policy in the leaf policy extension.
+        {
+                .id = "1 in duplicate policy extension in leaf",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf_duplicate.pem",
+                .policy_oid_to_check = OID1,
+                .want_chains = 0,
+        },
+        // There is a duplicate policy in the intermediate policy extension.
+        {
+                .id = "1 in duplicate policy extension in intermediate",
+                .root_file = CERTSDIR "/" "policy_root.pem",
+                .intermediate_file = CERTSDIR "/" "policy_intermediate_duplicate.pem",
+                .leaf_file = CERTSDIR "/" "policy_leaf.pem",
+                .policy_oid_to_check = OID1,
+                .want_chains = 0,
+        },
+};
+#define N_VERIFY_CERT_TESTS \
+    (sizeof(verify_cert_tests) / sizeof(*verify_cert_tests))
+static int
+verify_cert_test(int mode)
+{
+        struct verify_cert_test *vct;
+        int chains, error, error_depth;
+        int failed = 0;
+        size_t i;
+        for (i = 0; i < N_VERIFY_CERT_TESTS; i++) {
+                vct = &verify_cert_tests[i];
+                ASN1_OBJECT *policy_oid = vct->policy_oid_to_check ?
+                    OBJ_txt2obj(vct->policy_oid_to_check, 1) : NULL;
+                ASN1_OBJECT *policy_oid2 = vct->policy_oid_to_check2 ?
+                    OBJ_txt2obj(vct->policy_oid_to_check2, 1) : NULL;
+                error = 0;
+                error_depth = 0;
+                fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
+                if (mode == MODE_VERIFY)
+                        verify_cert_new(vct->root_file, vct->intermediate_file,
+                            vct->leaf_file, &chains);
+                else
+                        verify_cert(vct->root_file, vct->intermediate_file,
+                            vct->leaf_file, &chains, &error, &error_depth,
+                            mode, policy_oid, policy_oid2);
+                if ((mode == MODE_VERIFY && chains == vct->want_chains) ||
+                    (chains == 0 && vct->want_chains == 0) ||
+                    (chains == 1 && vct->want_chains > 0)) {
+                        fprintf(stderr, "INFO: Succeeded with %d chains%s\n",
+                            chains, vct->failing ? " (legacy failure)" : "");
+                        if (mode == MODE_LEGACY_VFY && vct->failing)
+                                failed |= 1;
+                } else {
+                        fprintf(stderr, "FAIL: Failed with %d chains%s\n",
+                            chains, vct->failing ? " (legacy failure)" : "");
+                        if (!vct->failing)
+                                failed |= 1;
+                }
+                if (mode == MODE_LEGACY_VFY) {
+                        if (error != vct->want_legacy_error) {
+                                fprintf(stderr, "FAIL: Got legacy error %d, "
+                                    "want %d\n", error, vct->want_legacy_error);
+                                failed |= 1;
+                        }
+                        if (error_depth != vct->want_legacy_error_depth) {
+                                fprintf(stderr, "FAIL: Got legacy error depth "
+                                    "%d, want %d\n", error_depth,
+                                    vct->want_legacy_error_depth);
+                                failed |= 1;
+                        }
+                }
+                fprintf(stderr, "\n");
+                ASN1_OBJECT_free(policy_oid);
+                ASN1_OBJECT_free(policy_oid2);
+        }
+        return failed;
+}
+int
+main(int argc, char **argv)
+{
+        int failed = 0;
+        fprintf(stderr, "\n\nTesting legacy x509_vfy\n");
+        failed |= verify_cert_test(MODE_LEGACY_VFY);
+        fprintf(stderr, "\n\nTesting modern x509_vfy\n");
+        failed |= verify_cert_test(MODE_MODERN_VFY);
+        // New does not support policy goo at the moment.
+        //      fprintf(stderr, "\n\nTestin x509_verify\n");
+        //      failed |= verify_cert_test(MODE_VERIFY);
+        return (failed);
+}
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate.pem
new file mode 100644
index 0000000000..759deb4c43
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqjCCAVGgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgYUwgYIwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAoGCCqGSM49BAMCA0cAMEQCIFN2ZtknXQ9vz23qD1ecprC9iIo7
+j/SI42Ub64qZQaraAiA+CRCWJz/l+NQ1+TPWYDDWY6Wh2L9Wbddh1Nj5KJEkhQ==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem
new file mode 100644
index 0000000000..0931964f52
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjajBoMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjARBgNVHSAECjAIMAYGBFUdIAAwCgYIKoZIzj0EAwIDSQAwRgIh
+AJbyXshUwjsFCiqrJkg91GzJdhZZ+3WXOekCJgi8uEESAiEAhv4sEE0wRRqgHDjl
+vIt26IELfFE2Z/FBF3ihGmi6NoI=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem
new file mode 100644
index 0000000000..0eafe8d86a
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAWKgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZYwgZMwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMDwGA1UdIAQ1MDMwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMA8GDSqGSIb3EgQBhLcJAgIwCgYIKoZIzj0EAwIDSAAwRQIgUpG6
+FUeWrC62BtTPHiSlWBdnLWUYH0llS6uYUkpJFJECIQCWfhoZYXvHdMhgBDSI/vzY
+Sw4uNdcMxrC2kP6lIioUSw==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem
new file mode 100644
index 0000000000..11c95afcea
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjDCCATKgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjZzBlMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjAOBgNVHSAEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgS2uK
+cYlZ1bxeqgMy3X0Sfi0arAnqpePsAqAeEf+HJHQCIQDwfCnXrWyHET9lM/gJSkfN
+j/JRJvJELDrAMVewCxZWKA==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem
new file mode 100644
index 0000000000..fa45e604b4
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrjCCAlSgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggGHMIIBgzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wXgYDVR0gBFcwVTAPBg0qhkiG9xIEAYS3CQIBMA8GDSqG
+SIb3EgQBhLcJAgIwDwYNKoZIhvcSBAGEtwkCAzAPBg0qhkiG9xIEAYS3CQIEMA8G
+DSqGSIb3EgQBhLcJAgUwgcsGA1UdIQSBwzCBwDAeBg0qhkiG9xIEAYS3CQIDBg0q
+hkiG9xIEAYS3CQIBMB4GDSqGSIb3EgQBhLcJAgMGDSqGSIb3EgQBhLcJAgIwHgYN
+KoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBDAeBg0qhkiG9xIEAYS3CQIEBg0q
+hkiG9xIEAYS3CQIFMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3EgQBhLcJAgQwHgYN
+KoZIhvcSBAGEtwkCBQYNKoZIhvcSBAGEtwkCBTAKBggqhkjOPQQDAgNIADBFAiAe
+Ah2vJMZsW/RV35mM7b7/NjsjScjPEIxfDJu49inNXQIhANmGBqyWUogh/gXyVB0/
+IfDro27pANW3R02A+zH34q5k
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem
new file mode 100644
index 0000000000..ae47bf45ce
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICYjCCAgegAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggE6MIIBNjAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wEQYDVR0gBAowCDAGBgRVHSAAMIHLBgNVHSEEgcMwgcAw
+HgYNKoZIhvcSBAGEtwkCAwYNKoZIhvcSBAGEtwkCATAeBg0qhkiG9xIEAYS3CQID
+Bg0qhkiG9xIEAYS3CQICMB4GDSqGSIb3EgQBhLcJAgQGDSqGSIb3EgQBhLcJAgQw
+HgYNKoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBTAeBg0qhkiG9xIEAYS3CQIF
+Bg0qhkiG9xIEAYS3CQIEMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3EgQBhLcJAgUw
+CgYIKoZIzj0EAwIDSQAwRgIhAIOx3GL5xlldQGdTLIvTTAvczm8wiYHzZDAif2yj
+wAjEAiEAg4K02kTYX9x7PC/u1PYdwvo+LVbnGbO6AN6U3K2d7gs=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem
new file mode 100644
index 0000000000..c04a38a48f
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICajCCAhCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggFDMIIBPzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIDMIHLBgNV
+HSEEgcMwgcAwHgYNKoZIhvcSBAGEtwkCAwYNKoZIhvcSBAGEtwkCATAeBg0qhkiG
+9xIEAYS3CQIDBg0qhkiG9xIEAYS3CQICMB4GDSqGSIb3EgQBhLcJAgQGDSqGSIb3
+EgQBhLcJAgQwHgYNKoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBTAeBg0qhkiG
+9xIEAYS3CQIFBg0qhkiG9xIEAYS3CQIEMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3
+EgQBhLcJAgUwCgYIKoZIzj0EAwIDSAAwRQIhAK0bRaGgd5qQlX+zTw3IUynFHxfk
+zRbZagnTzjYtkNNmAiBJ2kOnvRdW930eHAwZPGpc1Hn5hMSOQdUhNZ3XZDASkQ==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem
new file mode 100644
index 0000000000..5cf5d5bfe6
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQAwCgYIKoZIzj0EAwIDRwAwRAIgbPUZ9ezH
+SgTqom7VLPOvrQQXwy3b/ijSobs7+SOouKMCIDaqcb9143BG005etqeTvlgUyOGF
+GQDWhiW8bizH+KEl
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem
new file mode 100644
index 0000000000..7087404b3f
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBujCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQEwCgYIKoZIzj0EAwIDSQAwRgIhAIAwvhHB
+GQDN5YXlidd+n3OT/SqoeXfp7RiEonBnCkW4AiEA+iFc47EOBchHb+Gy0gg8F9Po
+RnlpoulWDfbDwx9r4lc=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem
new file mode 100644
index 0000000000..350f419198
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuTCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQIwCgYIKoZIzj0EAwIDSAAwRQIgOpliSKKA
+wy/auQnKKl+wwtn/hGw6eZXgIOtFgDmyMYCIQC84zoJL87AE64gsrdX4XSHq6lb
+WhZQp9ZnDaNu88SQLQ==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem
new file mode 100644
index 0000000000..733087af91
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByjCCAXCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgaQwgaEwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMDwGA1UdIAQ1MDMwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMA8GDSqGSIb3EgQBhLcJAgIwDAYDVR0kBAUwA4ABADAKBggqhkjO
+PQQDAgNIADBFAiA2GxzMRYYo7NNq8u/ZvffXkCj/phqXQ8I64tEDd0X8pgIhAOJJ
+e+dzzf4vbWfMlYkOQ4kf6ei5Zf+J2PL6VrqVrHQa
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem
new file mode 100644
index 0000000000..1e81e0c116
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjZTBjMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjAMBgNVHSQEBTADgAEAMAoGCCqGSM49BAMCA0kAMEYCIQDJYPgf
+50fFDVho5TFeqkNVONx0ArVNgULPB27yPDHLrwIhAN+eua6oM4Q/O0jUESQ4VAKt
+ts7ZCquTZbvgRgyqtjuT
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf.pem
new file mode 100644
index 0000000000..fb70306c8a
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAU2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo34wfDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wKwYDVR0gBCQwIjAPBg0qhkiG9xIEAYS3CQIBMA8GDSqGSIb3EgQB
+hLcJAgIwCgYIKoZIzj0EAwIDSAAwRQIgBEOriD1N3/cqoAofxEtf73M7Wi4UfjFK
+jiU9nQhwnnoCIQD1v/XDp2BkWNHxNq7TaPnil3xXTvMX97yUbkUg8IRo0w==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem
new file mode 100644
index 0000000000..d2c1b9e955
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATOgAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2QwYjAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wEQYDVR0gBAowCDAGBgRVHSAAMAoGCCqGSM49BAMCA0gAMEUCIQC4
+UwAf1R4HefSzyO8lyQ3fmMjkptVEhFBee0a7N12IvwIgJMYZgQ52VTbqXyXqraJ8
+V+y+o7eHds7NewqnyuLbc78=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem
new file mode 100644
index 0000000000..bdeb13cbd6
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsTCCAVigAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkSrY
+vFVtkZJmvirfY0JDDYrZQrNJecPLt0ksJux2URL5nAQiQY1SERGnEaiNLpoc0dle
+TS8wQT/cjw/wPgoeV6OBkDCBjTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5j
+b20wPAYDVR0gBDUwMzAPBg0qhkiG9xIEAYS3CQIBMA8GDSqGSIb3EgQBhLcJAgIw
+DwYNKoZIhvcSBAGEtwkCAjAKBggqhkjOPQQDAgNHADBEAiBjYDwsWcs35hU/wPqa
+5gf0QUMvV/8z5LPX14fB2y4RGQIgMw0ekrt9K5UcgkvFupV/XXIjLRFQvc8URA3C
+/+w+2/4=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem
new file mode 100644
index 0000000000..de7a5e9b20
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgjCCASigAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkSrY
+vFVtkZJmvirfY0JDDYrZQrNJecPLt0ksJux2URL5nAQiQY1SERGnEaiNLpoc0dle
+TS8wQT/cjw/wPgoeV6NhMF8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MA4GA1UdIAQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiAgfcDIeqmV+u5YtUe4
+aBnj13tZAJAQh6ttum1xZ+xHEgIhAJqvGX5c0/d1qYelBlm/jE3UuivijdEjVsLX
+GVH+X1VA
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem
new file mode 100644
index 0000000000..13ad7cec01
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBezCCASCgAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIDFeeYJ8nmYo09OnJFpNS3A6fYO
+ZliHkAqOsg193DTnAiEA3OSHLCczcvRjMG+qd/FI61u2sKU1hhHh7uHtD/YO/dA=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem
new file mode 100644
index 0000000000..94cd1a77b4
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlTCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIBMAoGCCqGSM49BAMC
+A0cAMEQCIHh4Bo8l/HVJhLMWcYusPOE0arqoDrJ5E0M6nEi3nRhgAiAArK8bBohG
+fZ3DmVMq/2BJtQZwRRj+50VKWuf9mBSflQ==
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem
new file mode 100644
index 0000000000..10adf86c52
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQICMAoGCCqGSM49BAMC
+A0kAMEYCIQDvW7rdL6MSW/0BPNET4hEeECO6LWmZZHKCHIu6o33dsAIhAPwgm6lD
+KV2hMOxkE6rBDQzlCr+zAkQrxSzQZqJp5p+W
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem
new file mode 100644
index 0000000000..e5c103151b
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIDMAoGCCqGSM49BAMC
+A0kAMEYCIQDBPnPpRsOH20ncg8TKUdlONfbO62WafQj9SKgyi/nGBQIhAMhT8J7f
+fTEou6jlAilaIQwlAgZzVKRqgghIHezFY86T
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem
new file mode 100644
index 0000000000..7dd7a547af
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIEMAoGCCqGSM49BAMC
+A0kAMEYCIQD2gnpCTMxUalCtEV52eXzqeJgsKMYvEpJTuU/VqH5KwQIhAPEavAkt
+cSJsgMgJcJnbBzAdSrbOgHXF2etDHmFbg0hz
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem
new file mode 100644
index 0000000000..2a9aee73b5
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIFMAoGCCqGSM49BAMC
+A0kAMEYCIQDDFVjhlQ1Wu0KITcRX8kELpVDeYSKSlvEbZc3rn1QjkQIhAMPthqBi
+I0acz8DPQcdFmHXV0xR2xyC1yuen0gES5WLR
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem
new file mode 100644
index 0000000000..169b844419
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GNMIGKMA4GA1UdDwEB/wQEAwICBDATBgNV
+HSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5l
+eGFtcGxlLmNvbTArBgNVHSAEJDAiMA8GDSqGSIb3EgQBhLcJAgEwDwYNKoZIhvcS
+BAGEtwkCAjAMBgNVHSQEBTADgAEAMAoGCCqGSM49BAMCA0kAMEYCIQDrNQPi/mdK
+l7Nd/YmMXWYTHJBWWin1zA64Ohkd7z4jGgIhAJpw/umk5MxS1MwSi+YTkkcSQKpl
+YROQH6+T53DauoW6
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem b/src/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem
new file mode 100644
index 0000000000..261ef954f1
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GNMIGKMA4GA1UdDwEB/wQEAwICBDATBgNV
+HSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5l
+eGFtcGxlLmNvbTArBgNVHSAEJDAiMA8GDSqGSIb3EgQBhLcJAgEwDwYNKoZIhvcS
+BAGEtwkCAjAMBgNVHSQEBTADgAEBMAoGCCqGSM49BAMCA0kAMEYCIQCtXENGJrKv
+IOeLHO/3Nu/SMRXc69Vb3q+4b/uHBFbuqwIhAK22Wfh/ZIHKu3FwbjL+sN0Z39pf
+Dsak6fp1y4tqNuvK
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_root.pem b/src/regress/lib/libcrypto/x509/policy/policy_root.pem
new file mode 100644
index 0000000000..595f8a132a
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_root.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdTCCARqgAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQmdqXYl1Gv
+Y7y3jcTTK6MVXIQr44TqChRYI6IeV9tIB6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAP
+EPSJwPndjolto1cwVTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0GnnoB+yeN63WMthnh6Uh1HH
+dRIwCgYIKoZIzj0EAwIDSQAwRgIhAKVxVAaJnmvt+q4SqegGS23QSzKPM9Yakw9e
+bOUU9+52AiEAjXPRBdd90YDey4VFu4f/78yVe0cxMK30lll7lLl7TTA=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_root2.pem b/src/regress/lib/libcrypto/x509/policy/policy_root2.pem
new file mode 100644
index 0000000000..1350035fd4
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_root2.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeDCCAR6gAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1Qb2xpY3kg
+Um9vdCAyMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAYMRYwFAYD
+VQQDEw1Qb2xpY3kgUm9vdCAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJnal
+2JdRr2O8t43E0yujFVyEK+OE6goUWCOiHlfbSAeoyLDmPkKJdW5PMf+wORRjp1Fh
+VSxADxD0icD53Y6JbaNXMFUwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNBp56Afsnjet1jLYZ4e
+lIdRx3USMAoGCCqGSM49BAMCA0gAMEUCIQDm9rw9ODVtJUPBn2lWoK8s7ElbyY4/
+Gc2thHR50UUzbgIgKRenEDhKiBR6cGC77RaIiaaafW8b7HMd7obuZdDU/58=
+-----END CERTIFICATE-----
diff --git a/src/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem b/src/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem
new file mode 100644
index 0000000000..9273a53086
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAT2gAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1Qb2xpY3kg
+Um9vdCAyMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAWMRQwEgYD
+VQQDEwtQb2xpY3kgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCZ2pdiX
+Ua9jvLeNxNMroxVchCvjhOoKFFgjoh5X20gHqMiw5j5CiXVuTzH/sDkUY6dRYVUs
+QA8Q9InA+d2OiW2jeDB2MA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTQaeegH7J43rdYy2GeHpSH
+Ucd1EjARBgNVHSAECjAIMAYGBFUdIAAwDAYDVR0kBAUwA4EBADAKBggqhkjOPQQD
+AgNHADBEAiBzR3JGEf9PITYuiXTx+vx9gXji5idGsVog9wRUbY98wwIgVVeYNQQb
+x+RN2wYp3kmm8iswUOrqiI6J4PSzT8CYP8Q=
+-----END CERTIFICATE-----
author	beck <>	2023-04-27 12:23:31 +0000
committer	beck <>	2023-04-27 12:23:31 +0000
commit	7b678b64a90656d9c04739ffc2f8c85b2ea90eb0 (patch)
tree	8fffe22bc6d897496bead069665f5d254dfe326e /src
parent	84c2a4f21376506adbc6a4c7c8b8d4a4d0878a53 (diff)
download	openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.tar.gz openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.tar.bz2 openbsd-7b678b64a90656d9c04739ffc2f8c85b2ea90eb0.zip