Bring in the core of chromium certificate verifier as libpki
Initially this leaves the canonical source in chrome, Additions
and fillins are committed directly, the chrome files are coverted
using the IMPORT script run from the pki directory for the moment.
The intention here is to continue frequent automatic conversion
(and avoid wholesale cosmetic changes in here for now) until
chrome converts to use these files in place of it's versions.
At that point these will become the definiative files, and the
IMPORT script can be tossed out.
A middle step along the way will be to change google3's verify.cc
in third_party/chromium_certificate_verifier to use this instead
of it's own extracted copy.
Status (and what is not done yet) being roughly tracked in README.md
Bug: chromium:1322914
Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/chain.pem b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/chain.pem
new file mode 100644
index 0000000..7d3a7a7
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/chain.pem
@@ -0,0 +1,279 @@
+[Created by: ./generate-chains.py]
+
+Certificate chain with inhibitPolicyMapping=0 on the root, and an
+intermediate that uses policy mappings. Should fail if the policyConstraints on
+the root are enforced.
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0b:76:f9:f2:35:f7:48:df:97:9c:e1:ca:67:ce:c0:01:f9:fb:00:81
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Intermediate
+ Validity
+ Not Before: Oct 5 12:00:00 2021 GMT
+ Not After : Oct 5 12:00:00 2022 GMT
+ Subject: CN=Target
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:f0:76:27:78:8b:e7:3d:f6:6c:ce:3e:88:0b:
+ 6a:fb:6d:7e:b0:d8:0b:45:91:ce:e5:d3:3f:70:3b:
+ 0e:f7:c1:92:d6:a5:9d:53:5a:91:93:f5:53:c3:8b:
+ 92:b5:f9:14:56:be:b7:81:c9:45:6f:a5:75:bf:5a:
+ e1:48:ba:03:eb:73:d6:50:27:de:f7:95:81:64:12:
+ 54:53:3c:75:da:39:8d:47:2a:f4:00:fb:22:bd:96:
+ c6:5f:10:85:b4:80:8b:f3:05:f4:6e:5d:a7:4a:6a:
+ b7:c8:10:73:e0:d5:7d:20:18:86:79:64:41:1b:76:
+ da:5f:10:ea:f2:b1:f5:f2:dc:81:66:9e:0e:ae:4d:
+ 01:bd:ac:76:96:d4:39:67:39:09:59:5e:71:7a:23:
+ 6d:8f:e1:23:92:48:ca:43:94:3f:7f:f3:a0:fb:60:
+ 2b:09:3c:e0:23:52:29:71:29:d3:c7:ba:31:28:61:
+ dd:d5:56:d8:b4:e8:c0:4a:b7:be:e9:39:c1:18:5e:
+ 61:8f:b4:6b:9b:30:c1:f7:a0:c9:fb:9d:ce:50:6d:
+ 57:39:9c:77:40:b8:eb:0a:63:76:eb:ca:d3:9c:b8:
+ b1:e5:46:9f:14:40:17:a2:98:3a:59:42:77:d6:b7:
+ e5:d9:78:cb:42:47:9b:dd:d2:05:ca:ef:24:78:66:
+ 99:fb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 12:B8:54:52:BE:E6:8E:00:AF:96:42:DB:BB:3E:B0:86:0F:D6:4D:08
+ X509v3 Authority Key Identifier:
+ 7C:76:D4:23:43:F9:F8:0B:19:60:61:1F:7B:E9:3C:20:0A:0C:43:DC
+ Authority Information Access:
+ CA Issuers - URI:http://url-for-aia/Intermediate.cer
+ X509v3 CRL Distribution Points:
+ Full Name:
+ URI:http://url-for-crl/Intermediate.crl
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication, TLS Web Client Authentication
+ X509v3 Certificate Policies: critical
+ Policy: 1.2.3.5
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ 8a:21:24:c8:76:6f:95:f9:3c:76:f0:be:90:20:74:dd:ef:6f:
+ 23:2b:c0:a8:71:64:47:7a:a2:e5:57:c7:3c:9b:4d:e5:56:0f:
+ a6:ab:17:0c:1f:7b:c7:b9:92:86:01:ef:79:8c:cd:71:72:ff:
+ 7c:e0:8e:b2:13:bf:70:56:4e:5d:e3:26:22:39:62:5c:a5:d6:
+ ef:a4:de:fa:b6:2c:0f:53:f9:d1:50:98:04:05:83:80:04:af:
+ d5:8c:9d:e5:85:5a:ba:f9:ca:29:0b:a4:90:3f:c6:74:e2:e5:
+ 89:dd:23:1b:f1:83:32:0c:e4:d1:10:e2:c1:0e:3d:b7:66:cb:
+ aa:a5:76:aa:9b:68:21:c6:6c:75:b1:37:4f:98:85:6e:23:56:
+ 09:58:d1:bf:ea:ff:ba:d0:82:43:2e:3a:7d:85:c3:17:5a:05:
+ 79:cb:dc:6e:62:c6:64:b5:2b:84:0b:bb:eb:e7:2b:92:14:7b:
+ 46:f2:2f:74:21:7b:8b:4d:3f:aa:46:b2:cd:57:ae:14:0a:a9:
+ a2:c3:7c:c2:1f:6e:33:76:df:8a:38:dc:07:7c:de:4d:82:3f:
+ 3f:2a:74:7f:49:65:63:8f:d0:13:fd:db:bf:1f:17:27:1a:3b:
+ 8d:5d:57:6a:26:91:b1:af:6d:42:8d:e8:8c:33:31:3d:ef:96:
+ 5a:28:f9:44
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUC3b58jX3SN+XnOHKZ87AAfn7AIEwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMSW50ZXJtZWRpYXRlMB4XDTIxMTAwNTEyMDAwMFoXDTIy
+MTAwNTEyMDAwMFowETEPMA0GA1UEAwwGVGFyZ2V0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAq/B2J3iL5z32bM4+iAtq+21+sNgLRZHO5dM/cDsO98GS
+1qWdU1qRk/VTw4uStfkUVr63gclFb6V1v1rhSLoD63PWUCfe95WBZBJUUzx12jmN
+Ryr0APsivZbGXxCFtICL8wX0bl2nSmq3yBBz4NV9IBiGeWRBG3baXxDq8rH18tyB
+Zp4Ork0Bvax2ltQ5ZzkJWV5xeiNtj+EjkkjKQ5Q/f/Og+2ArCTzgI1IpcSnTx7ox
+KGHd1VbYtOjASre+6TnBGF5hj7RrmzDB96DJ+53OUG1XOZx3QLjrCmN268rTnLix
+5UafFEAXopg6WUJ31rfl2XjLQkeb3dIFyu8keGaZ+wIDAQABo4H+MIH7MB0GA1Ud
+DgQWBBQSuFRSvuaOAK+WQtu7PrCGD9ZNCDAfBgNVHSMEGDAWgBR8dtQjQ/n4Cxlg
+YR976TwgCgxD3DA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly91
+cmwtZm9yLWFpYS9JbnRlcm1lZGlhdGUuY2VyMDQGA1UdHwQtMCswKaAnoCWGI2h0
+dHA6Ly91cmwtZm9yLWNybC9JbnRlcm1lZGlhdGUuY3JsMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEwYDVR0gAQH/BAkwBzAF
+BgMqAwUwDQYJKoZIhvcNAQELBQADggEBAIohJMh2b5X5PHbwvpAgdN3vbyMrwKhx
+ZEd6ouVXxzybTeVWD6arFwwfe8e5koYB73mMzXFy/3zgjrITv3BWTl3jJiI5Ylyl
+1u+k3vq2LA9T+dFQmAQFg4AEr9WMneWFWrr5yikLpJA/xnTi5YndIxvxgzIM5NEQ
+4sEOPbdmy6qldqqbaCHGbHWxN0+YhW4jVglY0b/q/7rQgkMuOn2FwxdaBXnL3G5i
+xmS1K4QLu+vnK5IUe0byL3Qhe4tNP6pGss1XrhQKqaLDfMIfbjN234o43Ad83k2C
+Pz8qdH9JZWOP0BP9278fFycaO41dV2omkbGvbUKN6IwzMT3vlloo+UQ=
+-----END CERTIFICATE-----
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0f:95:30:fc:3e:17:6a:62:ed:40:f3:c7:a6:75:62:19:01:11:d6:c3
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Root
+ Validity
+ Not Before: Oct 5 12:00:00 2021 GMT
+ Not After : Oct 5 12:00:00 2022 GMT
+ Subject: CN=Intermediate
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:97:4a:5c:fd:3a:bc:0a:ca:ac:d4:f4:32:8a:03:
+ 0b:e2:23:d7:6c:51:ef:77:db:00:49:ea:ae:5c:80:
+ 14:57:78:fb:d2:90:ed:56:07:6c:79:8f:d7:7f:2d:
+ e5:bc:f9:52:33:f7:b4:6f:55:49:68:10:cb:f2:50:
+ 27:86:b7:2e:a3:a0:78:f9:03:99:e2:dc:dd:52:3b:
+ 0d:6c:9d:b6:a0:c6:17:13:cb:9d:d1:1d:f9:f5:67:
+ 64:89:42:af:4f:26:76:bf:26:23:5c:5e:90:8f:23:
+ 97:4e:82:bf:10:cb:80:74:29:a1:07:b4:55:f8:75:
+ db:32:5d:fe:f6:ce:02:fb:16:a0:40:d8:40:85:ad:
+ 1b:17:33:e1:4f:91:fd:80:43:89:5d:37:b6:fd:ae:
+ fa:e9:d6:04:5d:9a:d7:66:b4:74:c9:7f:ad:21:1a:
+ 04:be:1b:5e:dc:7f:f6:e0:fe:9b:f7:44:60:2c:81:
+ 82:13:e7:09:2c:78:16:42:35:22:16:1b:31:90:5d:
+ a4:7b:cf:9a:50:3d:64:c9:f8:40:85:1d:49:4c:93:
+ 06:22:00:2f:3a:83:ee:fb:e8:ea:6d:cc:42:62:09:
+ 99:72:6c:92:e7:a0:11:9d:4a:a1:3f:35:f6:bb:70:
+ 34:c1:88:8b:2d:a4:7d:6e:d9:67:75:64:3b:98:f0:
+ 27:4b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 7C:76:D4:23:43:F9:F8:0B:19:60:61:1F:7B:E9:3C:20:0A:0C:43:DC
+ X509v3 Authority Key Identifier:
+ 4C:F1:50:9D:B8:49:6B:D6:E6:96:99:11:02:34:1F:FB:7D:51:F8:D1
+ Authority Information Access:
+ CA Issuers - URI:http://url-for-aia/Root.cer
+ X509v3 CRL Distribution Points:
+ Full Name:
+ URI:http://url-for-crl/Root.crl
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Policy Constraints: critical
+ Require Explicit Policy:0
+ X509v3 Certificate Policies: critical
+ Policy: 1.2.3.4
+ X509v3 Policy Mappings: critical
+ 1.2.3.4:1.2.3.5
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ c3:ed:96:d8:4c:4e:77:b3:6a:52:a7:93:d9:6a:02:b3:38:3e:
+ 61:3f:dc:ad:bd:8c:2c:16:d8:4e:ec:2f:d7:de:06:d1:01:8a:
+ a2:ac:eb:83:f4:30:62:5f:ef:c2:48:51:f9:60:bf:73:c4:2f:
+ 1a:9d:91:c8:fa:7a:5f:7c:b2:c2:72:b2:b8:f2:62:48:53:3d:
+ be:f2:1c:0e:1a:59:d0:fc:2e:38:99:40:7d:72:90:e1:58:35:
+ 97:35:0a:65:18:3d:e3:12:a9:e7:43:2a:aa:47:05:76:e3:e0:
+ 4e:6d:87:a4:95:65:04:52:33:e0:ef:53:5c:42:71:2b:06:15:
+ 09:b2:cf:0c:9b:57:6e:2c:95:1d:b5:e4:cd:f0:68:83:14:ed:
+ f4:27:39:81:1e:45:fc:a0:d7:c5:22:e4:42:53:a4:3d:9e:0f:
+ 8b:76:39:8c:c1:db:25:b9:b5:6e:40:44:24:71:44:db:16:e8:
+ 02:c6:56:e1:81:5f:2e:43:7e:31:9e:6d:e2:ff:ca:66:6f:7c:
+ e3:36:34:fc:dc:63:cd:b5:db:39:7f:0a:6b:30:77:ed:6a:16:
+ 0d:8f:ff:27:1d:cd:d1:d7:6a:30:0e:18:18:34:96:b8:aa:e7:
+ 73:21:27:37:41:b7:5c:2a:e1:4d:9e:fa:46:2a:57:81:ab:f9:
+ a8:cd:14:52
+-----BEGIN CERTIFICATE-----
+MIIDwjCCAqqgAwIBAgIUD5Uw/D4XamLtQPPHpnViGQER1sMwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0yMTEwMDUxMjAwMDBaFw0yMjEwMDUxMjAw
+MDBaMBcxFTATBgNVBAMMDEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJdKXP06vArKrNT0MooDC+Ij12xR73fbAEnqrlyAFFd4+9KQ
+7VYHbHmP138t5bz5UjP3tG9VSWgQy/JQJ4a3LqOgePkDmeLc3VI7DWydtqDGFxPL
+ndEd+fVnZIlCr08mdr8mI1xekI8jl06CvxDLgHQpoQe0Vfh12zJd/vbOAvsWoEDY
+QIWtGxcz4U+R/YBDiV03tv2u+unWBF2a12a0dMl/rSEaBL4bXtx/9uD+m/dEYCyB
+ghPnCSx4FkI1IhYbMZBdpHvPmlA9ZMn4QIUdSUyTBiIALzqD7vvo6m3MQmIJmXJs
+kuegEZ1KoT819rtwNMGIiy2kfW7ZZ3VkO5jwJ0sCAwEAAaOCAQwwggEIMB0GA1Ud
+DgQWBBR8dtQjQ/n4CxlgYR976TwgCgxD3DAfBgNVHSMEGDAWgBRM8VCduElr1uaW
+mRECNB/7fVH40TA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly91
+cmwtZm9yLWFpYS9Sb290LmNlcjAsBgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vdXJs
+LWZvci1jcmwvUm9vdC5jcmwwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wDwYDVR0kAQH/BAUwA4ABADATBgNVHSABAf8ECTAHMAUGAyoDBDAYBgNVHSEB
+Af8EDjAMMAoGAyoDBAYDKgMFMA0GCSqGSIb3DQEBCwUAA4IBAQDD7ZbYTE53s2pS
+p5PZagKzOD5hP9ytvYwsFthO7C/X3gbRAYqirOuD9DBiX+/CSFH5YL9zxC8anZHI
++npffLLCcrK48mJIUz2+8hwOGlnQ/C44mUB9cpDhWDWXNQplGD3jEqnnQyqqRwV2
+4+BObYeklWUEUjPg71NcQnErBhUJss8Mm1duLJUdteTN8GiDFO30JzmBHkX8oNfF
+IuRCU6Q9ng+LdjmMwdslubVuQEQkcUTbFugCxlbhgV8uQ34xnm3i/8pmb3zjNjT8
+3GPNtds5fwprMHftahYNj/8nHc3R12owDhgYNJa4qudzISc3QbdcKuFNnvpGKleB
+q/mozRRS
+-----END CERTIFICATE-----
+
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0f:95:30:fc:3e:17:6a:62:ed:40:f3:c7:a6:75:62:19:01:11:d6:c2
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Root
+ Validity
+ Not Before: Oct 5 12:00:00 2021 GMT
+ Not After : Oct 5 12:00:00 2022 GMT
+ Subject: CN=Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ce:ca:2d:79:43:c4:eb:2a:86:64:22:6d:de:81:
+ 34:8b:20:fc:0f:d5:60:89:76:9f:af:4f:95:c7:fe:
+ 45:0f:fe:ab:93:a9:9d:02:08:f8:b1:ac:e2:d6:d0:
+ 1a:ac:73:7b:a1:bf:cc:21:b5:96:52:94:97:b7:47:
+ 16:eb:26:1f:7a:bd:72:2e:18:74:b6:39:67:26:b2:
+ bc:fa:06:17:72:f0:fd:62:48:cd:e2:0f:96:ad:f2:
+ 02:d1:28:d9:67:2f:3f:0f:99:92:fe:12:3e:71:bc:
+ 59:f6:3d:82:60:cd:65:b2:07:84:84:f2:2d:75:3c:
+ dd:07:00:43:89:ef:f4:97:01:b7:2b:a5:1b:1b:dd:
+ 03:81:ba:b6:22:c6:ba:3b:67:82:5d:c9:27:3a:e0:
+ ea:82:90:b0:d3:25:e0:a0:79:22:d6:ed:2c:76:3e:
+ 4b:b0:04:78:99:ae:6d:1c:c7:de:af:b2:34:46:86:
+ ff:f0:d4:35:2c:32:fe:ea:c5:19:45:73:a7:df:29:
+ 8b:15:92:ca:6f:5e:2e:15:f4:bd:ad:64:36:94:c8:
+ 8e:f7:32:e2:ef:60:df:fa:ac:d0:ff:3d:ba:36:8e:
+ ff:28:a5:bc:6a:2b:54:c3:d6:a6:6d:47:a4:48:2a:
+ b8:55:65:b3:7f:13:c4:58:86:fd:c1:f3:58:4f:51:
+ dc:2f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 4C:F1:50:9D:B8:49:6B:D6:E6:96:99:11:02:34:1F:FB:7D:51:F8:D1
+ X509v3 Authority Key Identifier:
+ 4C:F1:50:9D:B8:49:6B:D6:E6:96:99:11:02:34:1F:FB:7D:51:F8:D1
+ Authority Information Access:
+ CA Issuers - URI:http://url-for-aia/Root.cer
+ X509v3 CRL Distribution Points:
+ Full Name:
+ URI:http://url-for-crl/Root.crl
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Policy Constraints: critical
+ Inhibit Policy Mapping:0
+ Signature Algorithm: sha256WithRSAEncryption
+ Signature Value:
+ b9:d6:0f:a0:e7:d9:ed:fb:ba:ab:bf:ea:c8:68:04:58:9a:8a:
+ cc:8f:e5:3d:28:c1:f8:68:ad:26:cb:72:dc:5d:a3:b5:3d:50:
+ 1d:44:2c:72:5a:3a:c2:8a:fe:11:63:0b:d2:0d:f8:ea:df:d5:
+ ef:35:78:e7:0c:40:ef:a7:d4:a6:37:c7:2f:ba:d6:20:57:24:
+ b1:5e:b1:20:81:7d:b2:47:9a:31:86:39:e2:51:b3:dc:a6:47:
+ 14:f9:82:25:45:fc:9e:7b:38:de:02:db:d9:3b:fb:79:5b:f9:
+ 5a:40:f9:6e:f6:6b:8a:77:14:36:7e:53:90:6f:ec:40:c1:ec:
+ b5:f2:84:24:70:3a:30:95:8c:92:c5:a3:33:50:44:a8:04:ca:
+ bb:bf:1b:e6:ca:6b:7e:3a:29:54:c7:ba:d7:8f:b0:41:e6:d7:
+ be:c0:c7:d3:1f:a3:6f:d4:c2:29:ac:04:f6:be:46:1d:d2:ce:
+ 25:8f:41:d0:d8:a8:9f:40:e3:93:63:b7:d0:f5:8a:53:37:02:
+ f2:02:d1:f3:8d:52:8a:35:41:e7:96:3f:07:3a:d9:01:cb:19:
+ 1e:ab:9b:93:b0:10:e1:35:aa:56:eb:36:40:7a:b4:f3:54:60:
+ 09:b4:d0:ed:a5:b6:63:ea:8c:b8:35:22:83:d4:a8:33:a6:98:
+ 5f:14:5e:77
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUD5Uw/D4XamLtQPPHpnViGQER1sIwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEUm9vdDAeFw0yMTEwMDUxMjAwMDBaFw0yMjEwMDUxMjAw
+MDBaMA8xDTALBgNVBAMMBFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDOyi15Q8TrKoZkIm3egTSLIPwP1WCJdp+vT5XH/kUP/quTqZ0CCPixrOLW
+0Bqsc3uhv8whtZZSlJe3RxbrJh96vXIuGHS2OWcmsrz6Bhdy8P1iSM3iD5at8gLR
+KNlnLz8PmZL+Ej5xvFn2PYJgzWWyB4SE8i11PN0HAEOJ7/SXAbcrpRsb3QOBurYi
+xro7Z4JdySc64OqCkLDTJeCgeSLW7Sx2PkuwBHiZrm0cx96vsjRGhv/w1DUsMv7q
+xRlFc6ffKYsVkspvXi4V9L2tZDaUyI73MuLvYN/6rND/Pbo2jv8opbxqK1TD1qZt
+R6RIKrhVZbN/E8RYhv3B81hPUdwvAgMBAAGjgdwwgdkwHQYDVR0OBBYEFEzxUJ24
+SWvW5paZEQI0H/t9UfjRMB8GA1UdIwQYMBaAFEzxUJ24SWvW5paZEQI0H/t9UfjR
+MDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAoYbaHR0cDovL3VybC1mb3ItYWlh
+L1Jvb3QuY2VyMCwGA1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly91cmwtZm9yLWNybC9S
+b290LmNybDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHSQB
+Af8EBTADgQEAMA0GCSqGSIb3DQEBCwUAA4IBAQC51g+g59nt+7qrv+rIaARYmorM
+j+U9KMH4aK0my3LcXaO1PVAdRCxyWjrCiv4RYwvSDfjq39XvNXjnDEDvp9SmN8cv
+utYgVySxXrEggX2yR5oxhjniUbPcpkcU+YIlRfyeezjeAtvZO/t5W/laQPlu9muK
+dxQ2flOQb+xAwey18oQkcDowlYySxaMzUESoBMq7vxvmymt+OilUx7rXj7BB5te+
+wMfTH6Nv1MIprAT2vkYd0s4lj0HQ2KifQOOTY7fQ9YpTNwLyAtHzjVKKNUHnlj8H
+OtkByxkeq5uTsBDhNapW6zZAerTzVGAJtNDtpbZj6oy4NSKD1KgzpphfFF53
+-----END CERTIFICATE-----
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/generate-chains.py b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/generate-chains.py
new file mode 100755
index 0000000..3c5f501
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/generate-chains.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# Copyright 2023 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Certificate chain with inhibitPolicyMapping=0 on the root, and an
+intermediate that uses policy mappings. Should fail if the policyConstraints on
+the root are enforced."""
+
+import sys
+sys.path += ['../..']
+
+import gencerts
+
+# Self-signed root certificate.
+root = gencerts.create_self_signed_root_certificate('Root')
+root.get_extensions().set_property('policyConstraints',
+ 'critical,inhibitPolicyMapping:0')
+
+# Intermediate certificate.
+intermediate = gencerts.create_intermediate_certificate('Intermediate', root)
+intermediate.get_extensions().set_property('policyConstraints',
+ 'critical,requireExplicitPolicy:0')
+
+intermediate.get_extensions().set_property('certificatePolicies',
+ 'critical,1.2.3.4')
+
+intermediate.get_extensions().set_property('policyMappings',
+ 'critical,@policy_mappings')
+policy_mappings = intermediate.config.get_section('policy_mappings')
+policy_mappings.set_property('1.2.3.4', '1.2.3.5')
+
+# Target certificate.
+target = gencerts.create_end_entity_certificate('Target', intermediate)
+target.get_extensions().set_property('certificatePolicies', 'critical,1.2.3.5')
+
+chain = [target, intermediate, root]
+gencerts.write_chain(__doc__, chain, 'chain.pem')
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Intermediate.key b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Intermediate.key
new file mode 100644
index 0000000..6a3bd6f
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Intermediate.key
@@ -0,0 +1,29 @@
+openssl genrsa 2048
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCXSlz9OrwKyqzU
+9DKKAwviI9dsUe932wBJ6q5cgBRXePvSkO1WB2x5j9d/LeW8+VIz97RvVUloEMvy
+UCeGty6joHj5A5ni3N1SOw1snbagxhcTy53RHfn1Z2SJQq9PJna/JiNcXpCPI5dO
+gr8Qy4B0KaEHtFX4ddsyXf72zgL7FqBA2ECFrRsXM+FPkf2AQ4ldN7b9rvrp1gRd
+mtdmtHTJf60hGgS+G17cf/bg/pv3RGAsgYIT5wkseBZCNSIWGzGQXaR7z5pQPWTJ
++ECFHUlMkwYiAC86g+776OptzEJiCZlybJLnoBGdSqE/Nfa7cDTBiIstpH1u2Wd1
+ZDuY8CdLAgMBAAECggEAPO/R5plqtjoORTQayyYQ+kQPd+zEtJT8V8lz84QPLXBo
+ldaUEeupkIkUdoBpIaWWq6HhBlrm10i0rOQGF6fe3D89mqcNq6fkaUOp047uyXEg
+SHPiHCGj1WmQwAyhChNnDvTwlzrrpQvj3Nai2MPu+FrwJmdHnWzzHiVoFcbCwpkq
+rD55JaON/rHPfneAGJockJZ2SY03lqdtyJxEbhJlXWb3NccMUIrvZRrYjy7ZOv7x
+3hP6xqisku3CQf2QK7EbIEGwP2cWpLEbKcr3OPV/piP+T0l4Rzd1mtWEdUXEmVtK
+HCAV7E/t7SItIhNNHPjIr5UAq03Anm6HNm+4cDzkIQKBgQC6cEUazd5NugSMFV+r
+nvXpTehZ8XoGl2LfCC7Sa9X5gIwmpozRtmZh4JFHc6JplY/E2/cZnNp00fTFpoxm
+k5pBdUD6gMJqd2/V3Fssv19Z8k2U7pB6zMTr60wLxM2j0CL3DyVC3J8h37rzDKKw
+lUt4yA04wU2oXIou0fhAMDaukQKBgQDPvOpWwpNYzOsTeMJFxqGqx3JxTovlb9C8
+2KVkkhBOWJdPYu8rGd56KB/HuHe+uVXoBrD6jPPlSa7+QSOYhEQaiojwJTStUB7q
+tjKSpy0jCYJZ9iz++JsNogi/j3oOxoEcQmtrCd7TeFDm+jI5PPvDY9fvpTbbx+KR
+R3IpNCreGwKBgEOhCCBB/1rYmF+sPSkHH5MC1L8Trj0H2zCmSj3AKj04WR6IGdrU
+vGzSxkBR/N8qBp3VYNwknsXzh0PPN2zaLAGEpA56eIugSawdI+GmhdMd5vCYXUZ+
+Uwx1LP+z4xiCHrzZ/J01ZHAoNSuHMNi3P0pP3yPwUtg4wVNcjR3Tn3JRAoGAEtGp
+ZPyxfnzp2tS4vLt2z9LLokocUEel4EW8DfVRdtd9tZpf0kbAqc5SurQSXPvLNX7N
+r5TvT1kyeiQKhnmM9d6Q8zhboku80UR6JmDwrNjiryWnA94fpceFBV2JECeZcKbv
+tj2pqvyeT55gyGCm6hd0a2hLJPPhqYmQZP0t2PsCgYA1tFRNTbj6Nk35i7j5T39D
+2aEUHrWMlBLM0fZ0u//y4ErWgMStFHLpxH2EnVD45/R2uj+IjTi1BHFdsfOGKTcF
+USQKKwuiQVZFZbrptHupfwLKLwEFJgGwrsKbJ8BKFYra0Wg4qEo+KjHMyCrRl4sd
+/pKBBM1ePhun0EtH0B5zvg==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Root.key b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Root.key
new file mode 100644
index 0000000..99c3974
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Root.key
@@ -0,0 +1,29 @@
+openssl genrsa 2048
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDOyi15Q8TrKoZk
+Im3egTSLIPwP1WCJdp+vT5XH/kUP/quTqZ0CCPixrOLW0Bqsc3uhv8whtZZSlJe3
+RxbrJh96vXIuGHS2OWcmsrz6Bhdy8P1iSM3iD5at8gLRKNlnLz8PmZL+Ej5xvFn2
+PYJgzWWyB4SE8i11PN0HAEOJ7/SXAbcrpRsb3QOBurYixro7Z4JdySc64OqCkLDT
+JeCgeSLW7Sx2PkuwBHiZrm0cx96vsjRGhv/w1DUsMv7qxRlFc6ffKYsVkspvXi4V
+9L2tZDaUyI73MuLvYN/6rND/Pbo2jv8opbxqK1TD1qZtR6RIKrhVZbN/E8RYhv3B
+81hPUdwvAgMBAAECggEAOMRpvVtsSH6RDBYjgSyJBxST/ai+6p2k8pRvcsqLnPt1
+kIDEeFWMKAJk90GDwQmmy92CJVLbJGpkR8z9Lqp1g9VT7fGKwKd7eLUiiaR4dXZQ
+qNWBp2hOHgxM16xWGixvLFIldxf9Cm4BaEa0buyT2U6VA4YUEpYVuyFIaSp1Q6qX
+kc68+yoTNDTDeOaYfzSOg5Vnzk4Av/KdfneFkAEHKS9cFB6s9q1O3uecCYmwfi39
+rZZ3wAV2xSqUZ282zoKS6Xfb9cg9T5N2xXx+avKURuLv/mbacgQYN0Z+8xrh2lx5
+UpDz45Qcx6FdTc46jONxeix1Dg+ZtL+sNRUIH3PmkQKBgQDmo7eFEPszdN8juw+l
+gxkPx2AWc+gHSwmwMMLqr54W4CLpZpwLD5oC9VLv8NttimsbMisqa8VuJTZCiFta
+AfESICSwWYP5kpoB50a/4sES4ssEx6f16fnz6u6HrygPX3A+I8GbMnGlMTd8100v
+iOlVa6elahpa21rqi5Q5jthR1wKBgQDlhxzUnDvktQyGf/1MC+OISQhM7cOcthPw
+EfkJf6rHSktun92oo1feRG461RJVki6jx2PiECV9jWDcDwjbK96oL9FztH/PSRjy
+LyyFHti1roBLfIaLn4bK4zzwQdCkNLr0M5LcCpNccth3BPzw7MLMB9agNbiLOMQv
+8eWHC8ataQKBgGa+agO6Q91xY/Ib4+V8mE6CJ9j4u1V8ZQ17O2mm4EsagBLvpfX7
+dkV5GgBPkMCkmAAegkI8jk/5/cj3y5I2KTlE3nM8/WDRoQ/WApt6nT4XkA9KDhWr
+rLCvaKFDMxpeDrdv4FCN0TigyzIvC3Bwkll+QsmakbEF5ON1WIunidAzAoGBAM9r
+AgrABP/w/JivIN+P/tYx6WZbluIPSIUyOLL0xAfEg9Y8cbrroYQiotpXonHh4HPw
+w7qOjNKg6F701zP4uQWT8Nt2yekwTXLOXpUOAxhr0VRl+9BBITZHk9IqJ7m8TRZR
+ZO2kQPbScftcbpfp3T8z9ihhY5useN464wjfA3PBAoGAN192op7AonONsIHmemLQ
+NxeQZM6Q6aSlAlr13eD2SA9MaqiI/7ZGaH+mGettF4qpL41pIsL2V38BPNbKVdA3
+pNhZTnayyr/5jZNxoE3Y5HPsWA88rWjGpZx56WaN0IdKxEuEmZSWmktNsQLUYqep
+ZT/A8b4jHRGMvBMUt8/Exkc=
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Target.key b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Target.key
new file mode 100644
index 0000000..911b521
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/keys/Target.key
@@ -0,0 +1,29 @@
+openssl genrsa 2048
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCr8HYneIvnPfZs
+zj6IC2r7bX6w2AtFkc7l0z9wOw73wZLWpZ1TWpGT9VPDi5K1+RRWvreByUVvpXW/
+WuFIugPrc9ZQJ973lYFkElRTPHXaOY1HKvQA+yK9lsZfEIW0gIvzBfRuXadKarfI
+EHPg1X0gGIZ5ZEEbdtpfEOrysfXy3IFmng6uTQG9rHaW1DlnOQlZXnF6I22P4SOS
+SMpDlD9/86D7YCsJPOAjUilxKdPHujEoYd3VVti06MBKt77pOcEYXmGPtGubMMH3
+oMn7nc5QbVc5nHdAuOsKY3brytOcuLHlRp8UQBeimDpZQnfWt+XZeMtCR5vd0gXK
+7yR4Zpn7AgMBAAECgf9zyeIuTDMeU885dt4/Jj4YraQ9c6bwZg2761QApvg6R1UC
+BOxUaRAG+mKhs8MZL3DpYFMBFCOupb6l68D+bEad4v4KMALEUlDQrSDpU2ej9LeW
+AopPuGms3Q/tW5l79RV9YIU7Z3AORwMWhMq30dpxwt8y4LdeLd9Hv7Z5U8WA+eKD
+jRwP0Kt7jIKt+y/rZtQn6herB4bJsmY/+l4U9ub4QeE3xzIA6i/tYB3baBYi6yax
+ztBrkvzQ0NRnZuf7kCkFL/uDxTdjLz58C4z31rb+P0A57hUjLMpwAa8Iy/DZxk6b
+/4+XQfatrJdUtijZ6GuQij41FztV2CXrVyxL1AECgYEA5PERUbBAQJqDYUvhvOgs
+nZ+dN/XKsomdjmyGk5JIdWFAkdkXcm/Y767irpGZnHbAP885xRGhf/SoEyRpgTgS
+hZ57GuGU3nRD2B+nSDWWfSKD2/6JBsSPpZRcgqLVzxfnHwqnd7ar1ghy/5DbGJle
+jtWltmbRUTEBjx9C/HMSePsCgYEAwEK2R/YknVqrLB5DdrQ5o58cU61yR3jdcGaI
+3rJJu/ZepGexPWDMycjVk8WK9EhbOTLoFXS6YkT/3dNmbh+HPixz5zJZ3M5sRc5W
+tSHP9HkbAyPwh9i8FoThWq8ACvtw0daavj/aaX4sQQMN2HbdGD5js4ZTfIeUDUud
+d47UkwECgYEAxOMQmujxiN2YyQ8CFnyxCelfwuVtqXcx+W8ZmUW/bLrzVbqWMINB
+1HbZWXm72lRB515mdzU/Z5RXCwdQeKFpRGJTyn1fkqP4SKCIM1BqmDkbnxFadGiM
+hMB/gpVZPN14lTiLZyfAxbPEekbwNUqIiFvyRFhOAP4dMiGXcRXhOAsCgYEAoA1p
+bdLNfGlkol+3TfSPH1Vv4YE8558IyW+ydaH6nA1nkHn6JNyW30zf8Bq9qMsrlhx4
+9JOuLey/DM3WMcrxbaLYAhn6kUUPAbXanQO++QhwolajAJQ/UIfiivmwkXPs4eNE
+AylpC/VLpfuC5Tdeq7YUjfk/OyYq7D6MomE3OgECgYA51l7gVbZ5vSr+mcHX0Drj
+dDPLVuAhQHbRwAYHpk3wrio4N1thQaa8Qpm0Avrw8DV5vkP6B6oNICqBtsNAn/M8
+CMAQvcc8rzzyILFOZQyOF/JULJtCaJhT3LsRz2nUmpE06lEv3h1ccRol3KV11YlG
+UVFeD6vDOER0JVoIazq0Kw==
+-----END PRIVATE KEY-----
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/main.test b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/main.test
new file mode 100644
index 0000000..daaaf49
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/main.test
@@ -0,0 +1,6 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH
+expected_user_constrained_policy_set: 1.2.3.4
+expected_errors:
diff --git a/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/ta-with-constraints.test b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/ta-with-constraints.test
new file mode 100644
index 0000000..add5736
--- /dev/null
+++ b/pki/testdata/verify_certificate_chain_unittest/policies-inhibit-mapping-by-root-fail/ta-with-constraints.test
@@ -0,0 +1,9 @@
+chain: chain.pem
+last_cert_trust: TRUSTED_ANCHOR_WITH_CONSTRAINTS
+utc_time: DEFAULT
+key_purpose: SERVER_AUTH
+expected_errors:
+----- Certificate i=0 (CN=Target) -----
+ERROR: No valid policy
+ERROR: No valid policy
+
