Go version

go1.24.4 Linux and Windows

Output of go env in your module/workspace:

go env

What did you do?

While doing Policy Mapping validation, we used the following mappings in the certificates:

1. subCA.pem (to be set as the trusted certificate). This has the policy mapping below:

        X509v3 Certificate Policies: critical
            Policy: 1.3.6.1.4.1.1139.1.2.3.4.5
        X509v3 Policy Mappings: critical
            1.3.6.1.4.1.1139.1.2.3.4.5:1.3.6.1.4.1.106.1.2.3.4.5
        X509v3 Policy Constraints: critical
            Require Explicit Policy:0
        X509v3 Inhibit Any Policy: critical
            0

2. leaf.pem (end entity certificate). This has the policy mapping below, but it doesn't match the CA's mapping:

        X509v3 Certificate Policies: critical
            Policy: 1.3.6.1.4.1.8888.1.2.3.4.5

Using the x509.Verify() function, we tried to verify leaf.pem (the end entity certificate) with the subCA set as the trusted certificate.

What did you see happen?

x509.Verify() does NOT return a policy validation error.

What did you expect to see?

x509.Verify() should return a policy validation error.

Comment From: cagedmantis

@FiloSottile @rolandshoemaker @cpu @golang/security