
x509 verification not possible with critical extension X509v3 Certificate Policies #11928

Closed
CharlotteDodd opened this issue Nov 11, 2024 · 1 comment


CharlotteDodd commented Nov 11, 2024

x509 certificate verification does not seem to be possible with certificates marking the X509v3 Certificate Policies extension as critical.

Due to this extension policy match statement, any extension marked as critical that is not in
`[AUTHORITY_INFORMATION_ACCESS, AUTHORITY_KEY_IDENTIFIER, SUBJECT_KEY_IDENTIFIER, KEY_USAGE, SUBJECT_ALTERNATIVE_NAME, BASIC_CONSTRAINTS, NAME_CONSTRAINTS, EXTENDED_KEY_USAGE]`
causes a ValidationError.

My specific use case is a certificate following the GlobalSign Private hierarchy 1.3.6.1.4.1.4146.11.1.3: Customer Branded Certificates policy with the Certificate Policies extension marked as critical.
My certificate contains the following:

```
$ openssl x509 -text -in certificate
Certificate:
    Data:
        Version: 3 (0x2)
        ...
        X509v3 extensions:
            ...
            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.4.1.4146.11.1.3
                  CPS: https://www.globalsign.com/repository/
            ...
        ...
```

See https://www.globalsign.com/en/repository/GlobalSign-CPS-v10.4-final.pdf, page 19 for details of this policy.

I believe this is a use case for and will be resolved by #11165.

  • Versions of Python: cryptography=43.0.3, cffi=1.17.1, pip=24.3.1, and setuptools=75.3.0
  • cryptography installed using uv
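As an added illustration (not code from the issue or from pyca/cryptography itself): a self-signed test certificate carrying a critical Certificate Policies extension, plus a pre-check that lists the critical extensions falling outside the supported set quoted in the issue, so the cause of the ValidationError can be spotted before verification is attempted. The policy OID and CPS URL are constructed placeholders, not GlobalSign's.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Extension OIDs a strict verifier accepts as critical (list quoted in the issue).
# Certificate Policies (2.5.29.32) is deliberately absent, matching the reported behaviour.
SUPPORTED_CRITICAL = frozenset({
    ExtensionOID.AUTHORITY_INFORMATION_ACCESS,
    ExtensionOID.AUTHORITY_KEY_IDENTIFIER,
    ExtensionOID.SUBJECT_KEY_IDENTIFIER,
    ExtensionOID.KEY_USAGE,
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
    ExtensionOID.BASIC_CONSTRAINTS,
    ExtensionOID.NAME_CONSTRAINTS,
    ExtensionOID.EXTENDED_KEY_USAGE,
})


def unsupported_critical_extensions(cert: x509.Certificate) -> list[str]:
    """Dotted OIDs of critical extensions a strict verifier would refuse to process."""
    return sorted(
        ext.oid.dotted_string
        for ext in cert.extensions
        if ext.critical and ext.oid not in SUPPORTED_CRITICAL
    )


def make_test_certificate(policies_critical: bool) -> x509.Certificate:
    """Self-signed test certificate; the Certificate Policies extension is critical on request."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    policy = x509.PolicyInformation(
        x509.ObjectIdentifier("1.3.6.1.4.1.99999.1"),  # constructed placeholder policy OID
        ["https://cps.example.test/"],  # constructed placeholder CPS URI
    )
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.CertificatePolicies([policy]), critical=policies_critical)
        .sign(key, hashes.SHA256())
    )
```

Running the pre-check on a real certificate only requires loading it with `x509.load_pem_x509_certificate` and passing it to `unsupported_critical_extensions`.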

alex commented Nov 11, 2024

Yes, you are correct that this is currently being worked on as a part of #11165. I'm optimistic this will be in our next release. I'm going to close this as a duplicate for now.

@alex alex closed this as completed Nov 11, 2024