Chromium Code Reviews

Unified Diff: net/cert/internal/certificate_policies.h

Issue 2923903002: Reject certificates that contain unknown policy qualifiers if the (Closed)
Patch Set: update ios files Created 3 years, 6 months ago
Index: net/cert/internal/certificate_policies.h
diff --git a/net/cert/internal/certificate_policies.h b/net/cert/internal/certificate_policies.h
index ab9af9f40f0f1aa473287d39f6c51f8a5e7e62e6..15e8bfb6cd2d326f2c2abdeb4056d7e22c5b243a 100644
--- a/net/cert/internal/certificate_policies.h
+++ b/net/cert/internal/certificate_policies.h
@@ -34,15 +34,21 @@ NET_EXPORT der::Input InhibitAnyPolicyOid();
NET_EXPORT der::Input PolicyMappingsOid();
// Parses a certificatePolicies extension and stores the policy OIDs in
-// |*policies|, in sorted order. If policyQualifiers are present,
-// they are ignored. (RFC 5280 section 4.2.1.4 says "optional qualifiers, which
-// MAY be present, are not expected to change the definition of the policy.",
-// furthermore policyQualifiers do not affect the success or failure of the
-// section 6 Certification Path Validation algorithm.)
+// |*policies|, in sorted order.
+//
+// If policyQualifiers for User Notice or CPS are present then they are
+// ignored (RFC 5280 section 4.2.1.4 says "optional qualifiers, which MAY
+// be present, are not expected to change the definition of the policy."
+//
+// If a policy qualifier other than User Notice/CPS is present, parsing
+// will fail if |fail_parsing_unknown_qualifier_oids| was set to true,
+// otherwise the unrecognized qualifiers wil be skipped and not parsed
+// any further.
//
// The returned values is only valid as long as |extension_value| is.
NET_EXPORT bool ParseCertificatePoliciesExtension(
const der::Input& extension_value,
+ bool fail_parsing_unknown_qualifier_oids,
std::vector<der::Input>* policies);
struct ParsedPolicyConstraints {
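Review bot: The new `bool fail_parsing_unknown_qualifier_oids` parameter of `ParseCertificatePoliciesExtension()` sits between two positional arguments, so call sites will read as an unexplained `true` or `false`. Consider a two-value enum instead, or at least extend the comment to say which callers are expected to pass true; as written it describes what each value does but not when rejecting is the right choice. In the same comment block, the parenthesis opened at "(RFC 5280 section 4.2.1.4" is never closed now that the old closing line is gone, and "wil be skipped" should be "will be skipped".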