Reject certificates that contain unknown policy qualifiers if the

net/data/verify_certificate_chain_unittest/unknown-critical-policy-qualifier/chain.pem

+[Created by: generate-chains.py]
+
+The intermediate has a policies extension marked as critical, which contains
+an unknown qualifer (1.2.3.4).
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Intermediate
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2016 GMT
+        Subject: CN=Target
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:03:58:01:b1:2f:7b:fb:b2:71:dc:49:d0:cb:
+                    06:76:30:64:f7:61:bf:da:55:93:73:29:49:0f:cb:
+                    0a:33:bd:41:0b:28:03:45:35:72:a9:b4:4b:a7:ec:
+                    52:77:3a:8c:ba:cb:87:56:28:3b:39:8d:47:7b:70:
+                    7f:5a:8f:76:8c:7e:13:e8:61:17:19:1d:72:e3:6e:
+                    69:20:bc:83:f7:5b:11:85:6e:1a:b8:fb:7b:f8:fe:
+                    2b:e2:d2:bd:1a:0a:65:62:b0:84:a7:0a:ac:75:ea:
+                    e6:74:c4:1d:2c:e8:04:62:76:4b:4d:04:b6:52:2f:
+                    a6:ba:66:bb:fe:45:d6:6a:21:05:16:e5:f3:25:ae:
+                    94:fd:17:84:80:2f:ac:62:d9:83:e3:17:b0:03:1c:
+                    01:02:8b:47:7f:65:2e:f9:40:cf:ad:92:33:07:8a:
+                    14:44:5e:c2:ed:68:48:a4:d1:f0:7b:f9:67:91:28:
+                    d9:9f:2c:f0:5e:12:92:52:92:97:27:7b:12:dd:c5:
+                    d5:7f:32:8c:9b:26:05:eb:47:e1:26:99:ea:6a:a9:
+                    25:93:64:31:e5:6c:f4:cf:02:27:29:b3:9f:17:94:
+                    0d:38:9c:54:f1:80:ef:b9:b0:4b:6a:12:eb:ca:53:
+                    91:2a:95:ee:16:bf:12:9f:8a:32:a7:8a:81:dd:4c:
+                    02:91
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                EF:56:67:1C:5E:24:60:78:3E:F2:35:40:2E:1A:58:65:4D:B3:4E:BE
+            X509v3 Authority Key Identifier: 
+                keyid:47:8C:F1:C9:1E:F8:EC:25:A8:31:F3:1C:CE:BC:C5:70:9F:11:87:63
+
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Intermediate.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://url-for-crl/Intermediate.crl
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: sha256WithRSAEncryption
+         7a:5d:ae:ba:54:c3:87:ef:ea:dc:b3:8f:03:b2:82:c0:0b:1c:
+         a2:ce:b4:a6:ab:2c:ec:04:28:3f:f9:25:3d:cc:34:f2:5c:e0:
+         a1:8a:65:56:d8:23:f2:c0:56:d4:39:15:eb:5a:0c:c4:db:8e:
+         8f:1b:1e:d7:d0:64:e8:fe:ec:35:3f:da:68:35:26:84:3d:91:
+         a0:f2:d6:b7:24:cd:1d:fb:65:39:20:15:55:74:f5:04:52:71:
+         be:6d:fb:40:04:1d:f8:4a:3c:87:2b:b9:10:f3:10:c1:67:f1:
+         ea:2c:f6:c3:08:54:fc:56:ba:2d:70:2f:d4:d6:03:a5:60:05:
+         0b:74:f8:9c:3e:7a:50:ac:5e:6e:4f:e2:25:78:16:00:bc:a2:
+         3a:28:48:01:94:09:9e:4a:51:35:1f:de:87:6c:9e:4b:1b:07:
+         02:48:1f:f3:c4:af:21:08:51:ac:a4:b7:0d:2f:d2:dc:3c:a5:
+         d5:e7:35:e4:dc:bb:db:80:2e:79:fd:72:3f:42:c6:d2:04:43:
+         8e:db:6f:bf:45:7d:23:31:cb:c4:0d:2a:bb:15:e2:8d:87:ef:
+         3b:32:bc:76:3c:53:64:7e:01:ab:81:16:8b:ee:bd:88:21:f8:
+         82:1f:37:b8:70:7e:df:4a:3b:38:96:ee:e7:0d:12:9c:65:90:
+         b3:53:10:d5
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxJbnRl
+cm1lZGlhdGUwHhcNMTUwMTAxMTIwMDAwWhcNMTYwMTAxMTIwMDAwWjARMQ8wDQYD
+VQQDDAZUYXJnZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBA1gB
+sS97+7Jx3EnQywZ2MGT3Yb/aVZNzKUkPywozvUELKANFNXKptEun7FJ3Ooy6y4dW
+KDs5jUd7cH9aj3aMfhPoYRcZHXLjbmkgvIP3WxGFbhq4+3v4/ivi0r0aCmVisISn
+Cqx16uZ0xB0s6ARidktNBLZSL6a6Zrv+RdZqIQUW5fMlrpT9F4SAL6xi2YPjF7AD
+HAECi0d/ZS75QM+tkjMHihREXsLtaEik0fB7+WeRKNmfLPBeEpJSkpcnexLdxdV/
+MoybJgXrR+EmmepqqSWTZDHlbPTPAicps58XlA04nFTxgO+5sEtqEuvKU5Eqle4W
+vxKfijKnioHdTAKRAgMBAAGjgekwgeYwHQYDVR0OBBYEFO9WZxxeJGB4PvI1QC4a
+WGVNs06+MB8GA1UdIwQYMBaAFEeM8cke+OwlqDHzHM68xXCfEYdjMD8GCCsGAQUF
+BwEBBDMwMTAvBggrBgEFBQcwAoYjaHR0cDovL3VybC1mb3ItYWlhL0ludGVybWVk
+aWF0ZS5jZXIwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL3VybC1mb3ItY3JsL0lu
+dGVybWVkaWF0ZS5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAel2uulTDh+/q3LOPA7KC
+wAscos60pqss7AQoP/klPcw08lzgoYplVtgj8sBW1DkV61oMxNuOjxse19Bk6P7s
+NT/aaDUmhD2RoPLWtyTNHftlOSAVVXT1BFJxvm37QAQd+Eo8hyu5EPMQwWfx6iz2
+wwhU/Fa6LXAv1NYDpWAFC3T4nD56UKxebk/iJXgWALyiOihIAZQJnkpRNR/eh2ye
+SxsHAkgf88SvIQhRrKS3DS/S3Dyl1ec15Ny724Auef1yP0LG0gRDjttvv0V9IzHL
+xA0quxXijYfvOzK8djxTZH4Bq4EWi+69iCH4gh83uHB+30o7OJbu5w0SnGWQs1MQ
+1Q==
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2016 GMT
+        Subject: CN=Intermediate
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:0f:08:80:56:6b:27:51:76:78:18:c5:92:b1:
+                    b4:d1:7a:4f:8f:57:6a:6a:96:70:e3:ca:4a:68:9d:
+                    0b:5d:2e:fd:34:1b:2a:d7:f2:a0:e0:3d:98:f8:2c:
+                    88:d1:7e:25:5d:80:80:30:f0:1c:65:a5:e4:60:ed:
+                    7a:31:df:97:20:c3:0c:4e:d0:2a:d8:93:54:d2:21:
+                    fe:9f:85:7d:fe:9d:45:fc:66:14:10:a5:6a:38:e7:
+                    e0:1e:71:fa:fe:9a:c0:79:73:98:87:80:17:a8:e3:
+                    c8:84:cb:9a:a8:db:d2:59:d5:26:40:cc:8b:29:03:
+                    8a:75:3d:05:01:ed:bf:05:57:27:94:e2:a3:7e:2e:
+                    06:95:8b:a2:99:8d:69:d3:3a:86:35:2b:23:19:cd:
+                    53:92:55:fe:7e:75:43:08:4c:05:51:db:1a:14:5d:
+                    6c:bb:4f:de:ef:7f:24:53:b1:e6:fc:90:a0:8a:39:
+                    22:f1:1d:1f:4a:3b:5b:c0:df:ca:a9:57:f2:c8:16:
+                    f5:e0:f4:fa:79:77:9b:93:0d:b8:5a:9d:9b:48:98:
+                    69:75:11:0f:2d:b9:8e:cd:34:4c:06:62:f8:a2:de:
+                    07:d8:7e:a0:5a:88:b0:d1:72:0b:49:67:42:5c:08:
+                    3b:bc:10:60:01:c2:15:ab:f8:31:8f:5d:bb:a2:e6:
+                    da:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                47:8C:F1:C9:1E:F8:EC:25:A8:31:F3:1C:CE:BC:C5:70:9F:11:87:63
+            X509v3 Authority Key Identifier: 
+                keyid:BD:1A:91:15:D9:48:10:F5:7E:D3:B8:CE:06:D8:29:10:AE:43:CE:42
+
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Certificate Policies: critical
+                Policy: 1.2.3
+                    Unknown Qualifier: 1.2.3.4
+
+    Signature Algorithm: sha256WithRSAEncryption
+         18:0e:35:f6:08:db:43:5e:71:33:33:da:79:70:bc:f1:ed:97:
+         2c:49:55:fa:52:12:6a:a2:b6:9a:51:9c:56:5d:f3:6c:ec:91:
+         2e:b7:2b:09:59:a8:1e:02:dd:b1:0d:b8:0d:46:21:ff:41:5b:
+         41:76:94:f3:ea:ed:63:b9:f0:32:f6:2f:b5:1f:ea:f7:74:c3:
+         d8:0d:61:5e:46:04:06:00:41:88:a0:e5:39:4b:5d:eb:a5:9d:
+         31:33:b3:1b:8e:eb:0d:2d:43:17:a0:d1:45:5a:85:b9:a5:5b:
+         a6:a7:f2:0a:1f:43:4a:65:93:0b:6e:44:de:e1:99:a5:0e:4f:
+         9e:30:ac:29:71:15:69:9f:e2:e2:b7:d9:db:6f:96:3d:a5:4f:
+         06:0e:d1:3c:55:54:36:34:10:0e:19:8b:1d:19:0b:88:57:51:
+         ac:b6:77:45:0e:b4:8e:31:59:42:ee:0d:2f:26:80:6e:92:1d:
+         d7:22:fe:7d:99:08:f6:ae:f2:9b:9d:c5:29:57:b3:45:4b:a1:
+         bf:8f:e6:bd:d8:b7:91:13:46:c2:4e:fb:ac:8e:f3:b4:73:83:
+         5e:a7:af:4b:c4:76:01:2e:42:a2:bc:ce:a0:99:89:29:01:32:
+         2f:ee:c1:a2:14:5d:ef:3d:3c:6e:af:83:8b:3e:90:dd:de:90:
+         8d:38:57:d5
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowFzEVMBMGA1UEAwwMSW50
+ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAug8IgFZr
+J1F2eBjFkrG00XpPj1dqapZw48pKaJ0LXS79NBsq1/Kg4D2Y+CyI0X4lXYCAMPAc
+ZaXkYO16Md+XIMMMTtAq2JNU0iH+n4V9/p1F/GYUEKVqOOfgHnH6/prAeXOYh4AX
+qOPIhMuaqNvSWdUmQMyLKQOKdT0FAe2/BVcnlOKjfi4GlYuimY1p0zqGNSsjGc1T
+klX+fnVDCEwFUdsaFF1su0/e738kU7Hm/JCgijki8R0fSjtbwN/KqVfyyBb14PT6
+eXebkw24Wp2bSJhpdREPLbmOzTRMBmL4ot4H2H6gWoiw0XILSWdCXAg7vBBgAcIV
+q/gxj127ouba+wIDAQABo4HsMIHpMB0GA1UdDgQWBBRHjPHJHvjsJagx8xzOvMVw
+nxGHYzAfBgNVHSMEGDAWgBS9GpEV2UgQ9X7TuM4G2CkQrkPOQjA3BggrBgEFBQcB
+AQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly91cmwtZm9yLWFpYS9Sb290LmNlcjAs
+BgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vdXJsLWZvci1jcmwvUm9vdC5jcmwwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0gAQH/BBUwEzARBgIq
+AzALMAkGAyoDBAwCaGkwDQYJKoZIhvcNAQELBQADggEBABgONfYI20NecTMz2nlw
+vPHtlyxJVfpSEmqitppRnFZd82zskS63KwlZqB4C3bENuA1GIf9BW0F2lPPq7WO5
+8DL2L7Uf6vd0w9gNYV5GBAYAQYig5TlLXeulnTEzsxuO6w0tQxeg0UVahbmlW6an
+8gofQ0plkwtuRN7hmaUOT54wrClxFWmf4uK32dtvlj2lTwYO0TxVVDY0EA4Zix0Z
+C4hXUay2d0UOtI4xWULuDS8mgG6SHdci/n2ZCPau8pudxSlXs0VLob+P5r3Yt5ET
+RsJO+6yO87Rzg16nr0vEdgEuQqK8zqCZiSkBMi/uwaIUXe89PG6vg4s+kN3ekI04
+V9U=
+-----END CERTIFICATE-----
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Root
+        Validity
+            Not Before: Jan  1 12:00:00 2015 GMT
+            Not After : Jan  1 12:00:00 2016 GMT
+        Subject: CN=Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:3d:c2:46:f3:d5:1b:65:5e:43:a3:bc:db:43:
+                    94:e9:9c:20:e1:ea:84:98:c6:65:51:6d:1c:1d:5f:
+                    8d:f9:81:47:1a:06:18:d9:7c:57:8f:6c:55:5c:36:
+                    63:c2:c6:db:be:47:61:5c:35:46:30:ec:e1:e5:0e:
+                    10:4f:9d:d4:62:58:56:83:00:3a:63:f0:cb:b2:50:
+                    e5:50:52:27:60:41:3e:db:07:61:92:db:d6:60:c2:
+                    66:f8:89:b6:aa:99:cb:5e:9d:74:db:cc:bc:3e:7d:
+                    0b:13:87:29:b8:fa:32:11:e9:fc:9a:e9:77:0d:7c:
+                    03:15:f7:7c:85:6c:f0:2c:2b:b0:32:5b:d9:6f:f8:
+                    f0:82:71:9e:f4:63:5c:6d:98:c9:ea:12:ad:d3:66:
+                    22:da:67:26:3c:ae:b3:23:0e:68:91:b7:28:65:81:
+                    b8:2c:04:34:92:bb:a0:00:39:51:06:53:14:c7:e9:
+                    ae:31:ef:5a:d7:21:28:44:9f:ca:53:cf:ac:4f:60:
+                    56:a9:f4:92:20:ee:c0:db:46:da:83:bd:28:b4:dd:
+                    d2:73:af:93:b5:31:84:55:e8:80:a0:6f:c5:f6:0c:
+                    54:50:dc:3d:b4:26:71:f9:fd:16:3f:62:b1:96:c9:
+                    de:45:b4:28:86:8d:8e:34:ce:aa:41:7c:66:e4:04:
+                    72:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                BD:1A:91:15:D9:48:10:F5:7E:D3:B8:CE:06:D8:29:10:AE:43:CE:42
+            X509v3 Authority Key Identifier: 
+                keyid:BD:1A:91:15:D9:48:10:F5:7E:D3:B8:CE:06:D8:29:10:AE:43:CE:42
+
+            Authority Information Access: 
+                CA Issuers - URI:http://url-for-aia/Root.cer
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://url-for-crl/Root.crl
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         40:13:b4:c9:ca:a2:93:7e:e0:bd:1a:07:4b:d7:77:5d:52:b3:
+         f8:4d:a8:29:7c:21:5a:04:96:15:97:cf:77:69:b0:d8:71:e3:
+         5a:bb:9b:fa:6d:79:10:a2:bb:8d:ce:9f:ac:6c:91:51:7e:77:
+         8a:0f:2f:39:1b:39:1e:78:52:d9:80:f6:27:a0:c5:5a:41:c7:
+         9d:28:f2:3e:6f:cb:57:55:a8:df:94:8a:e3:ce:0c:fb:9d:74:
+         22:ce:51:0b:bf:5a:3a:17:dc:7d:59:ce:f9:1c:e0:92:7f:53:
+         7d:92:36:a2:b8:e6:16:fc:c3:e2:52:1c:fe:2d:d1:29:9e:e7:
+         f4:89:eb:14:f0:db:5a:39:14:4e:1e:26:44:0b:90:91:4c:88:
+         00:b9:4b:b3:53:9a:f3:7d:96:5a:2b:a3:e9:40:7c:e7:de:f7:
+         56:93:79:e5:b3:a3:ea:17:58:72:ad:05:86:c6:e7:84:17:94:
+         10:ee:e7:61:18:6c:c4:46:d9:f3:c0:48:1f:18:15:30:3a:93:
+         dd:b0:c4:6b:92:f5:ac:c6:d1:c0:bf:9b:02:0f:f9:20:3d:f7:
+         ee:af:f0:44:4f:1b:cb:7b:6f:ae:bb:97:65:b2:d9:a8:be:50:
+         a7:3e:59:b6:a2:da:41:48:50:1e:38:7d:97:37:a8:41:21:b0:
+         5b:18:03:f1
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MB4XDTE1MDEwMTEyMDAwMFoXDTE2MDEwMTEyMDAwMFowDzENMAsGA1UEAwwEUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALo9wkbz1RtlXkOjvNtD
+lOmcIOHqhJjGZVFtHB1fjfmBRxoGGNl8V49sVVw2Y8LG275HYVw1RjDs4eUOEE+d
+1GJYVoMAOmPwy7JQ5VBSJ2BBPtsHYZLb1mDCZviJtqqZy16ddNvMvD59CxOHKbj6
+MhHp/Jrpdw18AxX3fIVs8CwrsDJb2W/48IJxnvRjXG2YyeoSrdNmItpnJjyusyMO
+aJG3KGWBuCwENJK7oAA5UQZTFMfprjHvWtchKESfylPPrE9gVqn0kiDuwNtG2oO9
+KLTd0nOvk7UxhFXogKBvxfYMVFDcPbQmcfn9Fj9isZbJ3kW0KIaNjjTOqkF8ZuQE
+crsCAwEAAaOByzCByDAdBgNVHQ4EFgQUvRqRFdlIEPV+07jOBtgpEK5DzkIwHwYD
+VR0jBBgwFoAUvRqRFdlIEPV+07jOBtgpEK5DzkIwNwYIKwYBBQUHAQEEKzApMCcG
+CCsGAQUFBzAChhtodHRwOi8vdXJsLWZvci1haWEvUm9vdC5jZXIwLAYDVR0fBCUw
+IzAhoB+gHYYbaHR0cDovL3VybC1mb3ItY3JsL1Jvb3QuY3JsMA4GA1UdDwEB/wQE
+AwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBAE7TJyqKT
+fuC9GgdL13ddUrP4TagpfCFaBJYVl893abDYceNau5v6bXkQoruNzp+sbJFRfneK
+Dy85GzkeeFLZgPYnoMVaQcedKPI+b8tXVajflIrjzgz7nXQizlELv1o6F9x9Wc75
+HOCSf1N9kjaiuOYW/MPiUhz+LdEpnuf0iesU8NtaORROHiZEC5CRTIgAuUuzU5rz
+fZZaK6PpQHzn3vdWk3nls6PqF1hyrQWGxueEF5QQ7udhGGzERtnzwEgfGBUwOpPd
+sMRrkvWsxtHAv5sCD/kgPffur/BETxvLe2+uu5dlstmovlCnPlm2otpBSFAeOH2X
+N6hBIbBbGAPx
+-----END CERTIFICATE-----