Start of an x509 policy regress test. test cases from BoringSSL.

Still a work in progress adapting tests from boringssl x509_test.cc
but dropping in here for tb to be able to look at and run as well
since the new stuff still has bugs.

29 files changed, 801 insertions, 0 deletions

diff --git a/regress/lib/libcrypto/x509/policy/Makefile b/regress/lib/libcrypto/x509/policy/Makefile
new file mode 100644
index 00000000000..b365499412e
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/Makefile
@@ -0,0 +1,22 @@
+#	$OpenBSD: Makefile,v 1.1 2023/04/27 12:23:31 beck Exp $
+
+PROGS =		policy
+
+LDADD =	-lcrypto
+DPADD =	${LIBCRYPTO}
+
+LDADD_policy = ${CRYPTO_INT}
+
+WARNINGS =	Yes
+CFLAGS +=	-DLIBRESSL_INTERNAL -Wall -Werror
+CFLAGS +=	-I${.CURDIR}/../../../../../lib/libcrypto/x509
+CFLAGS += 	-I${.CURDIR}/../../../../../lib/libcrypto/bytestring
+CFLAGS += 	-DCERTSDIR=\"${.CURDIR}/../../../libcrypto/x509/policy\"
+
+REGRESS_TARGETS =  policy-test
+
+policy-test:	policy
+	./policy 
+
+.include "../../Makefile.inc"
+.include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/x509/policy/policy.c b/regress/lib/libcrypto/x509/policy/policy.c
new file mode 100644
index 00000000000..c2f96599e66
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy.c
@@ -0,0 +1,463 @@
+/* $OpenBSD: policy.c,v 1.1 2023/04/27 12:23:31 beck Exp $ */
+/*
+ * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "x509_verify.h"
+
+#define MODE_MODERN_VFY		0
+#define MODE_MODERN_VFY_DIR	1
+#define MODE_LEGACY_VFY		2
+#define MODE_VERIFY		3
+
+static int verbose = 1;
+
+#define OID1 "1.2.840.113554.4.1.72585.2.1"
+#define OID2 "1.2.840.113554.4.1.72585.2.2"
+#define OID3 "1.2.840.113554.4.1.72585.2.3"
+#define OID4 "1.2.840.113554.4.1.72585.2.4"
+#define OID5 "1.2.840.113554.4.1.72585.2.5"
+
+#ifndef CERTSDIR
+#define CERTSDIR "."
+#endif
+
+static int
+passwd_cb(char *buf, int size, int rwflag, void *u)
+{
+	memset(buf, 0, size);
+	return (0);
+}
+
+static int
+certs_from_file(const char *filename, STACK_OF(X509) **certs)
+{
+	STACK_OF(X509_INFO) *xis = NULL;
+	STACK_OF(X509) *xs = NULL;
+	BIO *bio = NULL;
+	X509 *x;
+	int i;
+
+	if (*certs == NULL) {
+		if ((xs = sk_X509_new_null()) == NULL)
+			errx(1, "failed to create X509 stack");
+	} else {
+		xs = *certs;
+	}
+	if ((bio = BIO_new_file(filename, "r")) == NULL) {
+		ERR_print_errors_fp(stderr);
+		errx(1, "failed to create bio");
+	}
+	if ((xis = PEM_X509_INFO_read_bio(bio, NULL, passwd_cb, NULL)) == NULL)
+		errx(1, "failed to read PEM");
+
+	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
+		if ((x = sk_X509_INFO_value(xis, i)->x509) == NULL)
+			continue;
+		if (!sk_X509_push(xs, x))
+			errx(1, "failed to push X509");
+		X509_up_ref(x);
+	}
+
+	*certs = xs;
+	xs = NULL;
+
+	sk_X509_INFO_pop_free(xis, X509_INFO_free);
+	sk_X509_pop_free(xs, X509_free);
+	BIO_free(bio);
+
+	return 1;
+}
+
+static int
+verify_cert_cb(int ok, X509_STORE_CTX *xsc)
+{
+	X509 *current_cert;
+	int verify_err;
+
+	current_cert = X509_STORE_CTX_get_current_cert(xsc);
+	if (current_cert != NULL) {
+		X509_NAME_print_ex_fp(stderr,
+		    X509_get_subject_name(current_cert), 0,
+		    XN_FLAG_ONELINE);
+		fprintf(stderr, "\n");
+	}
+
+	verify_err = X509_STORE_CTX_get_error(xsc);
+	if (verify_err != X509_V_OK) {
+		fprintf(stderr, "verify error at depth %d: %s\n",
+		    X509_STORE_CTX_get_error_depth(xsc),
+		    X509_verify_cert_error_string(verify_err));
+	}
+
+	return ok;
+}
+
+static void
+verify_cert(const char *roots_file, const char *intermediate_file,
+    const char *leaf_file, int *chains, int *error, int *error_depth,
+    int mode, ASN1_OBJECT *policy_oid, ASN1_OBJECT *policy_oid2)
+{
+	STACK_OF(X509) *roots = NULL, *bundle = NULL;
+	X509_STORE_CTX *xsc = NULL;
+	X509_STORE *store = NULL;
+	X509 *leaf = NULL;
+	int ret;
+
+	*chains = 0;
+	*error = 0;
+	*error_depth = 0;
+
+
+	if (!certs_from_file(roots_file, &roots))
+		errx(1, "failed to load roots from '%s'", roots_file);
+	if (!certs_from_file(leaf_file, &bundle))
+		errx(1, "failed to load leaf from '%s'", leaf_file);
+	if (intermediate_file != NULL && !certs_from_file(intermediate_file,
+	    &bundle))
+		errx(1, "failed to load intermediate from '%s'",
+		    intermediate_file);
+	printf ("%d certs %d roots\n", sk_X509_num(bundle), sk_X509_num(roots));
+	if (sk_X509_num(bundle) < 1)
+		errx(1, "not enough certs in bundle");
+	leaf = sk_X509_shift(bundle);
+
+	if ((xsc = X509_STORE_CTX_new()) == NULL)
+		errx(1, "X509_STORE_CTX");
+	if (!X509_STORE_CTX_init(xsc, store, leaf, bundle)) {
+		ERR_print_errors_fp(stderr);
+		errx(1, "failed to init store context");
+	}
+
+	int flags = X509_V_FLAG_POLICY_CHECK;
+	flags |= X509_V_FLAG_EXPLICIT_POLICY;
+	//	flags |= X509_V_FLAG_INHIBIT_MAP;
+	if (mode == MODE_LEGACY_VFY)
+		flags |=  X509_V_FLAG_LEGACY_VERIFY;
+	X509_STORE_CTX_set_flags(xsc, flags);
+
+	if (verbose)
+		X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
+	X509_STORE_CTX_set0_trusted_stack(xsc, roots);
+
+	if (policy_oid != NULL) {
+		X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc);
+		ASN1_OBJECT * copy = OBJ_dup(policy_oid);
+		X509_VERIFY_PARAM_add0_policy(param, copy);
+	}
+	if (policy_oid2 != NULL) {
+		X509_VERIFY_PARAM * param = X509_STORE_CTX_get0_param(xsc);
+		ASN1_OBJECT * copy = OBJ_dup(policy_oid2);
+		X509_VERIFY_PARAM_add0_policy(param, copy);
+	}
+
+	ret = X509_verify_cert(xsc);
+
+	*error = X509_STORE_CTX_get_error(xsc);
+	*error_depth = X509_STORE_CTX_get_error_depth(xsc);
+
+	if (ret == 1) {
+		*chains = 1; /* XXX */
+		goto done;
+	}
+
+	if (*error == 0)
+		errx(1, "Error unset on failure!\n");
+
+	fprintf(stderr, "failed to verify at %d: %s\n",
+	    *error_depth, X509_verify_cert_error_string(*error));
+
+ done:
+	sk_X509_pop_free(roots, X509_free);
+	sk_X509_pop_free(bundle, X509_free);
+	X509_STORE_free(store);
+	X509_STORE_CTX_free(xsc);
+	X509_free(leaf);
+}
+
+static void
+verify_cert_new(const char *roots_file, const char *intermediate_file,
+    const char*leaf_file, int *chains)
+{
+	STACK_OF(X509) *roots = NULL, *bundle = NULL;
+	X509_STORE_CTX *xsc = NULL;
+	X509 *leaf = NULL;
+	struct x509_verify_ctx *ctx;
+
+	*chains = 0;
+
+	if (!certs_from_file(roots_file, &roots))
+		errx(1, "failed to load roots from '%s'", roots_file);
+	if (!certs_from_file(leaf_file, &bundle))
+		errx(1, "failed to load leaf from '%s'", leaf_file);
+	if (intermediate_file != NULL && !certs_from_file(intermediate_file,
+	    &bundle))
+		errx(1, "failed to load intermediate from '%s'",
+		    intermediate_file);
+	if (sk_X509_num(bundle) < 1)
+		errx(1, "not enough certs in bundle");
+	leaf = sk_X509_shift(bundle);
+
+        if ((xsc = X509_STORE_CTX_new()) == NULL)
+		errx(1, "X509_STORE_CTX");
+	if (!X509_STORE_CTX_init(xsc, NULL, leaf, bundle)) {
+		ERR_print_errors_fp(stderr);
+		errx(1, "failed to init store context");
+	}
+	if (verbose)
+		X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb);
+
+	if ((ctx = x509_verify_ctx_new(roots)) == NULL)
+		errx(1, "failed to create ctx");
+	if (!x509_verify_ctx_set_intermediates(ctx, bundle))
+		errx(1, "failed to set intermediates");
+
+	if ((*chains = x509_verify(ctx, leaf, NULL)) == 0) {
+		fprintf(stderr, "failed to verify at %lu: %s\n",
+		    x509_verify_ctx_error_depth(ctx),
+		    x509_verify_ctx_error_string(ctx));
+	} else {
+		int c;
+
+		for (c = 0; verbose && c < *chains; c++) {
+			STACK_OF(X509) *chain;
+			int i;
+
+			fprintf(stderr, "Chain %d\n--------\n", c);
+			chain = x509_verify_ctx_chain(ctx, c);
+			for (i = 0; i < sk_X509_num(chain); i++) {
+				X509 *cert = sk_X509_value(chain, i);
+				X509_NAME_print_ex_fp(stderr,
+				    X509_get_subject_name(cert), 0,
+				    XN_FLAG_ONELINE);
+				fprintf(stderr, "\n");
+			}
+		}
+	}
+	sk_X509_pop_free(roots, X509_free);
+	sk_X509_pop_free(bundle, X509_free);
+	X509_free(leaf);
+	X509_STORE_CTX_free(xsc);
+	x509_verify_ctx_free(ctx);
+}
+
+struct verify_cert_test {
+	const char *id;
+	const char *root_file;
+	const char *intermediate_file;
+	const char *leaf_file;
+	const char *policy_oid_to_check;
+	const char *policy_oid_to_check2;
+	int want_chains;
+	int want_error;
+	int want_error_depth;
+	int want_legacy_error;
+	int want_legacy_error_depth;
+	int failing;
+};
+
+struct verify_cert_test verify_cert_tests[] = {
+	// The chain is good for |oid1| and |oid2|, but not |oid3|.
+	{
+		.id = "nothing  in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.want_chains = 1,
+	},
+	{
+		.id = "1, in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID1,
+		.want_chains = 1,
+	},
+	{
+		.id = "2, in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID2,
+		.want_chains = 1,
+	},
+	{
+		.id = "3, in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID2,
+		.want_chains = 0,
+	},
+	{
+		.id = "1 and 2, in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID1,
+		.policy_oid_to_check2 = OID2,
+		.want_chains = 1,
+	},
+	{
+		.id = "1 and 3, in 1 and 2",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID1,
+		.policy_oid_to_check2 = OID3,
+		.want_chains = 1,
+	},
+	// The policy extension cannot be parsed.
+	{
+		.id = "1 in invalid intermediate poicy",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate_invalid.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID1,
+		.want_chains = 0,
+	},
+	{
+		.id = "invalid intermediate",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate_invalid.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.want_chains = 0,
+	},
+	{
+		.id = "1 in invalid policy in leaf",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+		.policy_oid_to_check = OID1,
+		.want_chains = 0,
+	},
+	{
+		.id = "invalid leaf",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+		.want_chains = 0,
+	},
+	// There is a duplicate policy in the leaf policy extension.
+	{
+		.id = "1 in duplicate policy extension in leaf",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf_duplicate.pem",
+		.policy_oid_to_check = OID1,
+		.want_chains = 0,
+	},
+	// There is a duplicate policy in the intermediate policy extension.
+	{
+		.id = "1 in duplicate policy extension in intermediate",
+		.root_file = CERTSDIR "/" "policy_root.pem",
+		.intermediate_file = CERTSDIR "/" "policy_intermediate_duplicate.pem",
+		.leaf_file = CERTSDIR "/" "policy_leaf.pem",
+		.policy_oid_to_check = OID1,
+		.want_chains = 0,
+	},
+};
+
+#define N_VERIFY_CERT_TESTS \
+    (sizeof(verify_cert_tests) / sizeof(*verify_cert_tests))
+
+static int
+verify_cert_test(int mode)
+{
+	struct verify_cert_test *vct;
+	int chains, error, error_depth;
+	int failed = 0;
+	size_t i;
+
+	for (i = 0; i < N_VERIFY_CERT_TESTS; i++) {
+		vct = &verify_cert_tests[i];
+		ASN1_OBJECT *policy_oid = vct->policy_oid_to_check ?
+		    OBJ_txt2obj(vct->policy_oid_to_check, 1) : NULL;
+		ASN1_OBJECT *policy_oid2 = vct->policy_oid_to_check2 ?
+		    OBJ_txt2obj(vct->policy_oid_to_check2, 1) : NULL;
+
+		error = 0;
+		error_depth = 0;
+
+		fprintf(stderr, "== Test %zu (%s)\n", i, vct->id);
+		if (mode == MODE_VERIFY)
+			verify_cert_new(vct->root_file, vct->intermediate_file,
+			    vct->leaf_file, &chains);
+		else
+			verify_cert(vct->root_file, vct->intermediate_file,
+			    vct->leaf_file, &chains, &error, &error_depth,
+			    mode, policy_oid, policy_oid2);
+
+		if ((mode == MODE_VERIFY && chains == vct->want_chains) ||
+		    (chains == 0 && vct->want_chains == 0) ||
+		    (chains == 1 && vct->want_chains > 0)) {
+			fprintf(stderr, "INFO: Succeeded with %d chains%s\n",
+			    chains, vct->failing ? " (legacy failure)" : "");
+			if (mode == MODE_LEGACY_VFY && vct->failing)
+				failed |= 1;
+		} else {
+			fprintf(stderr, "FAIL: Failed with %d chains%s\n",
+			    chains, vct->failing ? " (legacy failure)" : "");
+			if (!vct->failing)
+				failed |= 1;
+		}
+
+		if (mode == MODE_LEGACY_VFY) {
+			if (error != vct->want_legacy_error) {
+				fprintf(stderr, "FAIL: Got legacy error %d, "
+				    "want %d\n", error, vct->want_legacy_error);
+				failed |= 1;
+			}
+			if (error_depth != vct->want_legacy_error_depth) {
+				fprintf(stderr, "FAIL: Got legacy error depth "
+				    "%d, want %d\n", error_depth,
+				    vct->want_legacy_error_depth);
+				failed |= 1;
+			}
+		}
+		fprintf(stderr, "\n");
+		ASN1_OBJECT_free(policy_oid);
+		ASN1_OBJECT_free(policy_oid2);
+
+	}
+	return failed;
+}
+
+int
+main(int argc, char **argv)
+{
+	int failed = 0;
+
+	fprintf(stderr, "\n\nTesting legacy x509_vfy\n");
+	failed |= verify_cert_test(MODE_LEGACY_VFY);
+	fprintf(stderr, "\n\nTesting modern x509_vfy\n");
+	failed |= verify_cert_test(MODE_MODERN_VFY);
+	// New does not support policy goo at the moment.
+	//	fprintf(stderr, "\n\nTestin x509_verify\n");
+	//	failed |= verify_cert_test(MODE_VERIFY);
+
+	return (failed);
+}
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate.pem
new file mode 100644
index 00000000000..759deb4c43a
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqjCCAVGgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgYUwgYIwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAoGCCqGSM49BAMCA0cAMEQCIFN2ZtknXQ9vz23qD1ecprC9iIo7
+j/SI42Ub64qZQaraAiA+CRCWJz/l+NQ1+TPWYDDWY6Wh2L9Wbddh1Nj5KJEkhQ==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem
new file mode 100644
index 00000000000..0931964f520
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_any.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjajBoMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjARBgNVHSAECjAIMAYGBFUdIAAwCgYIKoZIzj0EAwIDSQAwRgIh
+AJbyXshUwjsFCiqrJkg91GzJdhZZ+3WXOekCJgi8uEESAiEAhv4sEE0wRRqgHDjl
+vIt26IELfFE2Z/FBF3ihGmi6NoI=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem
new file mode 100644
index 00000000000..0eafe8d86a8
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvDCCAWKgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZYwgZMwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMDwGA1UdIAQ1MDMwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMA8GDSqGSIb3EgQBhLcJAgIwCgYIKoZIzj0EAwIDSAAwRQIgUpG6
+FUeWrC62BtTPHiSlWBdnLWUYH0llS6uYUkpJFJECIQCWfhoZYXvHdMhgBDSI/vzY
+Sw4uNdcMxrC2kP6lIioUSw==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem
new file mode 100644
index 00000000000..11c95afcea4
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_invalid.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjDCCATKgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjZzBlMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjAOBgNVHSAEB0lOVkFMSUQwCgYIKoZIzj0EAwIDSAAwRQIgS2uK
+cYlZ1bxeqgMy3X0Sfi0arAnqpePsAqAeEf+HJHQCIQDwfCnXrWyHET9lM/gJSkfN
+j/JRJvJELDrAMVewCxZWKA==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem
new file mode 100644
index 00000000000..fa45e604b43
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrjCCAlSgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggGHMIIBgzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wXgYDVR0gBFcwVTAPBg0qhkiG9xIEAYS3CQIBMA8GDSqG
+SIb3EgQBhLcJAgIwDwYNKoZIhvcSBAGEtwkCAzAPBg0qhkiG9xIEAYS3CQIEMA8G
+DSqGSIb3EgQBhLcJAgUwgcsGA1UdIQSBwzCBwDAeBg0qhkiG9xIEAYS3CQIDBg0q
+hkiG9xIEAYS3CQIBMB4GDSqGSIb3EgQBhLcJAgMGDSqGSIb3EgQBhLcJAgIwHgYN
+KoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBDAeBg0qhkiG9xIEAYS3CQIEBg0q
+hkiG9xIEAYS3CQIFMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3EgQBhLcJAgQwHgYN
+KoZIhvcSBAGEtwkCBQYNKoZIhvcSBAGEtwkCBTAKBggqhkjOPQQDAgNIADBFAiAe
+Ah2vJMZsW/RV35mM7b7/NjsjScjPEIxfDJu49inNXQIhANmGBqyWUogh/gXyVB0/
+IfDro27pANW3R02A+zH34q5k
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem
new file mode 100644
index 00000000000..ae47bf45cea
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_any.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICYjCCAgegAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggE6MIIBNjAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wEQYDVR0gBAowCDAGBgRVHSAAMIHLBgNVHSEEgcMwgcAw
+HgYNKoZIhvcSBAGEtwkCAwYNKoZIhvcSBAGEtwkCATAeBg0qhkiG9xIEAYS3CQID
+Bg0qhkiG9xIEAYS3CQICMB4GDSqGSIb3EgQBhLcJAgQGDSqGSIb3EgQBhLcJAgQw
+HgYNKoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBTAeBg0qhkiG9xIEAYS3CQIF
+Bg0qhkiG9xIEAYS3CQIEMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3EgQBhLcJAgUw
+CgYIKoZIzj0EAwIDSQAwRgIhAIOx3GL5xlldQGdTLIvTTAvczm8wiYHzZDAif2yj
+wAjEAiEAg4K02kTYX9x7PC/u1PYdwvo+LVbnGbO6AN6U3K2d7gs=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem
new file mode 100644
index 00000000000..c04a38a48f1
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_mapped_oid3.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICajCCAhCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjggFDMIIBPzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkNL3/g7u
+qGsIhGHCxes9UFqAba4wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIDMIHLBgNV
+HSEEgcMwgcAwHgYNKoZIhvcSBAGEtwkCAwYNKoZIhvcSBAGEtwkCATAeBg0qhkiG
+9xIEAYS3CQIDBg0qhkiG9xIEAYS3CQICMB4GDSqGSIb3EgQBhLcJAgQGDSqGSIb3
+EgQBhLcJAgQwHgYNKoZIhvcSBAGEtwkCBAYNKoZIhvcSBAGEtwkCBTAeBg0qhkiG
+9xIEAYS3CQIFBg0qhkiG9xIEAYS3CQIEMB4GDSqGSIb3EgQBhLcJAgUGDSqGSIb3
+EgQBhLcJAgUwCgYIKoZIzj0EAwIDSAAwRQIhAK0bRaGgd5qQlX+zTw3IUynFHxfk
+zRbZagnTzjYtkNNmAiBJ2kOnvRdW930eHAwZPGpc1Hn5hMSOQdUhNZ3XZDASkQ==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem
new file mode 100644
index 00000000000..5cf5d5bfe62
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_require.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQAwCgYIKoZIzj0EAwIDRwAwRAIgbPUZ9ezH
+SgTqom7VLPOvrQQXwy3b/ijSobs7+SOouKMCIDaqcb9143BG005etqeTvlgUyOGF
+GQDWhiW8bizH+KEl
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem
new file mode 100644
index 00000000000..7087404b3f1
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_require1.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBujCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQEwCgYIKoZIzj0EAwIDSQAwRgIhAIAwvhHB
+GQDN5YXlidd+n3OT/SqoeXfp7RiEonBnCkW4AiEA+iFc47EOBchHb+Gy0gg8F9Po
+RnlpoulWDfbDwx9r4lc=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem
new file mode 100644
index 00000000000..350f4191987
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_require2.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuTCCAV+gAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgZMwgZAwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMCsGA1UdIAQkMCIwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMAwGA1UdJAQFMAOAAQIwCgYIKoZIzj0EAwIDSAAwRQIgOpliSKKA
++wy/auQnKKl+wwtn/hGw6eZXgIOtFgDmyMYCIQC84zoJL87AE64gsrdX4XSHq6lb
+WhZQp9ZnDaNu88SQLQ==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem
new file mode 100644
index 00000000000..733087af91c
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_require_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIByjCCAXCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjgaQwgaEwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJDS9/4O7qhr
+CIRhwsXrPVBagG2uMDwGA1UdIAQ1MDMwDwYNKoZIhvcSBAGEtwkCATAPBg0qhkiG
+9xIEAYS3CQICMA8GDSqGSIb3EgQBhLcJAgIwDAYDVR0kBAUwA4ABADAKBggqhkjO
+PQQDAgNIADBFAiA2GxzMRYYo7NNq8u/ZvffXkCj/phqXQ8I64tEDd0X8pgIhAOJJ
+e+dzzf4vbWfMlYkOQ4kf6ei5Zf+J2PL6VrqVrHQa
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem b/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem
new file mode 100644
index 00000000000..1e81e0c1165
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_intermediate_require_no_policies.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATCgAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowHjEcMBoGA1UE
+AxMTUG9saWN5IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BOI6fKiM3jFLkLyAn88cvlw4SwxuygRjopP3FFBKHyUQvh3VVvfqSpSCSmp50Qia
+jQ6Dg7CTpVZVVH+bguT7JTCjZTBjMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAK
+BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQ0vf+Du6oawiE
+YcLF6z1QWoBtrjAMBgNVHSQEBTADgAEAMAoGCCqGSM49BAMCA0kAMEYCIQDJYPgf
+50fFDVho5TFeqkNVONx0ArVNgULPB27yPDHLrwIhAN+eua6oM4Q/O0jUESQ4VAKt
+ts7ZCquTZbvgRgyqtjuT
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf.pem b/regress/lib/libcrypto/x509/policy/policy_leaf.pem
new file mode 100644
index 00000000000..fb70306c8a6
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCAU2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo34wfDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wKwYDVR0gBCQwIjAPBg0qhkiG9xIEAYS3CQIBMA8GDSqGSIb3EgQB
+hLcJAgIwCgYIKoZIzj0EAwIDSAAwRQIgBEOriD1N3/cqoAofxEtf73M7Wi4UfjFK
+jiU9nQhwnnoCIQD1v/XDp2BkWNHxNq7TaPnil3xXTvMX97yUbkUg8IRo0w==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem
new file mode 100644
index 00000000000..d2c1b9e9555
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_any.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATOgAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo2QwYjAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wEQYDVR0gBAowCDAGBgRVHSAAMAoGCCqGSM49BAMCA0gAMEUCIQC4
+UwAf1R4HefSzyO8lyQ3fmMjkptVEhFBee0a7N12IvwIgJMYZgQ52VTbqXyXqraJ8
+V+y+o7eHds7NewqnyuLbc78=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem
new file mode 100644
index 00000000000..bdeb13cbd68
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_duplicate.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsTCCAVigAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkSrY
+vFVtkZJmvirfY0JDDYrZQrNJecPLt0ksJux2URL5nAQiQY1SERGnEaiNLpoc0dle
+TS8wQT/cjw/wPgoeV6OBkDCBjTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhhbXBsZS5j
+b20wPAYDVR0gBDUwMzAPBg0qhkiG9xIEAYS3CQIBMA8GDSqGSIb3EgQBhLcJAgIw
+DwYNKoZIhvcSBAGEtwkCAjAKBggqhkjOPQQDAgNHADBEAiBjYDwsWcs35hU/wPqa
+5gf0QUMvV/8z5LPX14fB2y4RGQIgMw0ekrt9K5UcgkvFupV/XXIjLRFQvc8URA3C
+/+w+2/4=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem
new file mode 100644
index 00000000000..de7a5e9b20f
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_invalid.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgjCCASigAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
+AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkSrY
+vFVtkZJmvirfY0JDDYrZQrNJecPLt0ksJux2URL5nAQiQY1SERGnEaiNLpoc0dle
+TS8wQT/cjw/wPgoeV6NhMF8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
+MA4GA1UdIAQHSU5WQUxJRDAKBggqhkjOPQQDAgNIADBFAiAgfcDIeqmV+u5YtUe4
+aBnj13tZAJAQh6ttum1xZ+xHEgIhAJqvGX5c0/d1qYelBlm/jE3UuivijdEjVsLX
+GVH+X1VA
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem
new file mode 100644
index 00000000000..13ad7cec017
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_none.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBezCCASCgAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo1EwTzAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAIDFeeYJ8nmYo09OnJFpNS3A6fYO
+ZliHkAqOsg193DTnAiEA3OSHLCczcvRjMG+qd/FI61u2sKU1hhHh7uHtD/YO/dA=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem
new file mode 100644
index 00000000000..94cd1a77b45
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_oid1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlTCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIBMAoGCCqGSM49BAMC
+A0cAMEQCIHh4Bo8l/HVJhLMWcYusPOE0arqoDrJ5E0M6nEi3nRhgAiAArK8bBohG
+fZ3DmVMq/2BJtQZwRRj+50VKWuf9mBSflQ==
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem
new file mode 100644
index 00000000000..10adf86c521
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_oid2.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQICMAoGCCqGSM49BAMC
+A0kAMEYCIQDvW7rdL6MSW/0BPNET4hEeECO6LWmZZHKCHIu6o33dsAIhAPwgm6lD
+KV2hMOxkE6rBDQzlCr+zAkQrxSzQZqJp5p+W
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem
new file mode 100644
index 00000000000..e5c103151bd
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_oid3.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIDMAoGCCqGSM49BAMC
+A0kAMEYCIQDBPnPpRsOH20ncg8TKUdlONfbO62WafQj9SKgyi/nGBQIhAMhT8J7f
+fTEou6jlAilaIQwlAgZzVKRqgghIHezFY86T
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem
new file mode 100644
index 00000000000..7dd7a547af2
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_oid4.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIEMAoGCCqGSM49BAMC
+A0kAMEYCIQD2gnpCTMxUalCtEV52eXzqeJgsKMYvEpJTuU/VqH5KwQIhAPEavAkt
+cSJsgMgJcJnbBzAdSrbOgHXF2etDHmFbg0hz
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem
new file mode 100644
index 00000000000..2a9aee73b59
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_oid5.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo20wazAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg93d3cuZXhh
+bXBsZS5jb20wGgYDVR0gBBMwETAPBg0qhkiG9xIEAYS3CQIFMAoGCCqGSM49BAMC
+A0kAMEYCIQDDFVjhlQ1Wu0KITcRX8kELpVDeYSKSlvEbZc3rn1QjkQIhAMPthqBi
+I0acz8DPQcdFmHXV0xR2xyC1yuen0gES5WLR
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem
new file mode 100644
index 00000000000..169b8444199
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_require.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GNMIGKMA4GA1UdDwEB/wQEAwICBDATBgNV
+HSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5l
+eGFtcGxlLmNvbTArBgNVHSAEJDAiMA8GDSqGSIb3EgQBhLcJAgEwDwYNKoZIhvcS
+BAGEtwkCAjAMBgNVHSQEBTADgAEAMAoGCCqGSM49BAMCA0kAMEYCIQDrNQPi/mdK
+l7Nd/YmMXWYTHJBWWin1zA64Ohkd7z4jGgIhAJpw/umk5MxS1MwSi+YTkkcSQKpl
+YROQH6+T53DauoW6
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem b/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem
new file mode 100644
index 00000000000..261ef954f12
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_leaf_require1.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV2gAwIBAgIBAzAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNQb2xpY3kg
+SW50ZXJtZWRpYXRlMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAa
+MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASRKti8VW2Rkma+Kt9jQkMNitlCs0l5w8u3SSwm7HZREvmcBCJBjVIREacR
+qI0umhzR2V5NLzBBP9yPD/A+Ch5Xo4GNMIGKMA4GA1UdDwEB/wQEAwICBDATBgNV
+HSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3d3dy5l
+eGFtcGxlLmNvbTArBgNVHSAEJDAiMA8GDSqGSIb3EgQBhLcJAgEwDwYNKoZIhvcS
+BAGEtwkCAjAMBgNVHSQEBTADgAEBMAoGCCqGSM49BAMCA0kAMEYCIQCtXENGJrKv
+IOeLHO/3Nu/SMRXc69Vb3q+4b/uHBFbuqwIhAK22Wfh/ZIHKu3FwbjL+sN0Z39pf
+Dsak6fp1y4tqNuvK
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_root.pem b/regress/lib/libcrypto/x509/policy/policy_root.pem
new file mode 100644
index 00000000000..595f8a132a5
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_root.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdTCCARqgAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
+Um9vdDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
+AxMLUG9saWN5IFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQmdqXYl1Gv
+Y7y3jcTTK6MVXIQr44TqChRYI6IeV9tIB6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAP
+EPSJwPndjolto1cwVTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0GnnoB+yeN63WMthnh6Uh1HH
+dRIwCgYIKoZIzj0EAwIDSQAwRgIhAKVxVAaJnmvt+q4SqegGS23QSzKPM9Yakw9e
+bOUU9+52AiEAjXPRBdd90YDey4VFu4f/78yVe0cxMK30lll7lLl7TTA=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_root2.pem b/regress/lib/libcrypto/x509/policy/policy_root2.pem
new file mode 100644
index 00000000000..1350035fd46
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_root2.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeDCCAR6gAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1Qb2xpY3kg
+Um9vdCAyMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAYMRYwFAYD
+VQQDEw1Qb2xpY3kgUm9vdCAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJnal
+2JdRr2O8t43E0yujFVyEK+OE6goUWCOiHlfbSAeoyLDmPkKJdW5PMf+wORRjp1Fh
+VSxADxD0icD53Y6JbaNXMFUwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNBp56Afsnjet1jLYZ4e
+lIdRx3USMAoGCCqGSM49BAMCA0gAMEUCIQDm9rw9ODVtJUPBn2lWoK8s7ElbyY4/
+Gc2thHR50UUzbgIgKRenEDhKiBR6cGC77RaIiaaafW8b7HMd7obuZdDU/58=
+-----END CERTIFICATE-----
diff --git a/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem b/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem
new file mode 100644
index 00000000000..9273a53086f
--- /dev/null
+++ b/regress/lib/libcrypto/x509/policy/policy_root_cross_inhibit_mapping.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAT2gAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1Qb2xpY3kg
+Um9vdCAyMCAXDTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAWMRQwEgYD
+VQQDEwtQb2xpY3kgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCZ2pdiX
+Ua9jvLeNxNMroxVchCvjhOoKFFgjoh5X20gHqMiw5j5CiXVuTzH/sDkUY6dRYVUs
+QA8Q9InA+d2OiW2jeDB2MA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTQaeegH7J43rdYy2GeHpSH
+Ucd1EjARBgNVHSAECjAIMAYGBFUdIAAwDAYDVR0kBAUwA4EBADAKBggqhkjOPQQD
+AgNHADBEAiBzR3JGEf9PITYuiXTx+vx9gXji5idGsVog9wRUbY98wwIgVVeYNQQb
+x+RN2wYp3kmm8iswUOrqiI6J4PSzT8CYP8Q=
+-----END CERTIFICATE-----