From 23a4cbeb3ad80da3830f760f624599f24236bc38 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 7 Mar 2023 17:07:57 +0000
Subject: [PATCH] Add a Certificate Policies Test
Test that a valid certificate policy is accepted and that an invalid certificate policy is rejected. Specifically we are checking that a leaf certificate with an invalid policy is detected.
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/20588)
---
 test/recipes/25-test_verify.t | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index ffa48ed20bb..e7e352df0bf 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
 run(app([@args]));
 }
-plan tests => 146;
+plan tests => 148;
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -409,3 +409,14 @@ SKIP: {
 "ED25519 signature");
 }
+
+# Certificate Policies
+ok(verify("ee-cert-policies", "sslserver", ["root-cert"], ["ca-pol-cert"],
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
+ "-explicit_policy"),
+ "Certificate policy");
+
+ok(!verify("ee-cert-policies-bad", "sslserver", ["root-cert"], ["ca-pol-cert"],
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
+ "-explicit_policy"),
+ "Bad certificate policy");
-- 
2.47.2
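Review bot: The negative case `ok(!verify("ee-cert-policies-bad", ...), "Bad certificate policy")` passes on any verification failure, not only a policy rejection. The visible tail of `verify` just returns the status of `run(app([@args]))`, and the sub starts outside the hunk. A missing, expired or otherwise unchainable `ee-cert-policies-bad` fixture would therefore keep the test green even if the CVE-2023-0465 check regressed. The diffstat lists only this file, so the fixtures presumably arrive in a separate commit and cannot be checked here. I would at least document the requirement above the second test, for example `# ee-cert-policies-bad must be identical to ee-cert-policies apart from its invalid policy extension, so the only possible failure is the policy check`. Where the harness allows it, it would also be worth asserting that the failure reported is the policy error rather than a bare non-zero exit.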