Until a few minutes ago, the new validator checked policies by default.
The legacy validator and OpenSSL don't do so. Let's explicitly enable
policy checks for all these validators (X509_V_FLAG_EXPLICIT_POLICY is
not enough - our X509_VERIFY_PARAM_set_flags() manual even calls out
that trap).

Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
retrieving revision 1.52
diff -u -p -r1.52 validate.c
--- validate.c  4 Jan 2023 14:22:43 -0000       1.52
+++ validate.c  4 Jan 2023 21:42:10 -0000
@@ -396,6 +396,7 @@ valid_x509(char *file, X509_STORE_CTX *s
                cryptoerrx("X509_VERIFY_PARAM_add0_policy");
 
        flags = X509_V_FLAG_CRL_CHECK;
+       flags |= X509_V_FLAG_POLICY_CHECK;
        flags |= X509_V_FLAG_EXPLICIT_POLICY;
        flags |= X509_V_FLAG_INHIBIT_MAP;
        X509_STORE_CTX_set_flags(store_ctx, flags);
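Review bot: the new `flags |= X509_V_FLAG_POLICY_CHECK;` line deserves a one-line comment, because read on its own it looks redundant next to X509_V_FLAG_EXPLICIT_POLICY and is exactly what a later cleanup would drop, silently turning the checks off again. Something like `/* POLICY_CHECK enables policy processing; EXPLICIT_POLICY and INHIBIT_MAP only constrain it. */` above `flags = X509_V_FLAG_CRL_CHECK;` would capture the trap the cover letter mentions. Also worth stating, in the comment or the commit message, that the set being enforced is the one handed to X509_VERIFY_PARAM_add0_policy() just above this hunk, so a chain whose end-entity certificate does not carry that policy now fails valid_x509() instead of passing: that is the intended behaviour change and is not visible from the flag name alone.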

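The flag combination the patch enables, reproduced with the openssl(1) command line rather than inside rpki-client. This is an added example, not code from the patch or from rpki-client, and it assumes an OpenSSL 1.1.1 or later binary on PATH. It builds a throwaway CA and three end-entity certificates in a temporary directory: one carrying the RPKI certificate policy id-cp-ipAddr-asNumber (1.3.6.1.5.5.7.14.2, RFC 6484), one carrying an unrelated made-up OID, and one with no certificatePolicies at all. Each is verified with -policy_check -explicit_policy -inhibit_map, with the required policy supplied via -policy, which is the CLI counterpart of the X509_VERIFY_PARAM_add0_policy() call above the hunk. Only the first chain is accepted. The example does not try to reproduce the EXPLICIT_POLICY-without-POLICY_CHECK trap described in the message, since the openssl verify tool may switch policy processing on for you; it shows what the explicit combination actually enforces. The names ee_rpki, ee_other and ee_none are this example's own.

```shell
#!/bin/sh
# Added example (not part of the patch or of rpki-client): exercise the policy
# checks valid_x509() now enables, using the openssl(1) CLI.
# Assumes OpenSSL 1.1.1 or later on PATH. Every certificate is constructed here
# in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

RPKI_POLICY=1.3.6.1.5.5.7.14.2     # id-cp-ipAddr-asNumber (RFC 6484)
OTHER_POLICY=1.3.6.1.4.1.99999.1   # made-up OID for the "wrong policy" case

# One config file serves req(1) for the CA and x509(1) -extfile for the EEs.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
certificatePolicies = $RPKI_POLICY
[ee_rpki]
basicConstraints = CA:FALSE
certificatePolicies = $RPKI_POLICY
[ee_other]
basicConstraints = CA:FALSE
certificatePolicies = $OTHER_POLICY
[ee_none]
basicConstraints = CA:FALSE
EOF

# Self-signed trust anchor. Its own certificatePolicies is decorative here:
# RFC 5280 policy processing starts below the trust anchor.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj /CN=test-ca -days 1 \
    -config "$WORK/pki.cnf" -extensions ca_ext >/dev/null 2>&1

# issue_ee NAME: end-entity cert NAME.crt signed by the CA above, carrying the
# extensions of config section NAME.
issue_ee() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" \
        -config "$WORK/pki.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$1.crt" -extfile "$WORK/pki.cnf" -extensions "$1" \
        >/dev/null 2>&1
}

# policy_verify NAME: verify NAME.crt against the CA with the same flags the
# patch sets (POLICY_CHECK | EXPLICIT_POLICY | INHIBIT_MAP) and the required
# policy supplied as X509_VERIFY_PARAM_add0_policy() does in valid_x509().
# Prints "accepted" or "rejected" instead of exiting, so it is safe under set -e.
policy_verify() {
    if out=$(openssl verify -CAfile "$WORK/ca.crt" \
            -policy_check -explicit_policy -inhibit_map \
            -policy "$RPKI_POLICY" "$WORK/$1.crt" 2>&1); then
        case $out in *": OK") echo accepted; return 0 ;; esac
    fi
    echo rejected
}

issue_ee ee_rpki
issue_ee ee_other
issue_ee ee_none

for name in ee_rpki ee_other ee_none; do
    printf '%-9s %s\n' "$name" "$(policy_verify "$name")"
done
```

Run it as is; the rejected cases are reported by openssl verify as "no explicit policy", which is the error valid_x509() will now see through X509_STORE_CTX for a chain whose end-entity certificate lacks the expected policy.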