That's two lines that were not covered in verify_child()
Added tests to validate that certificates signed using SHA-1 are rejected by default, but accepted if SHA-1 is explicitly enabled.
With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile.