I have a certificate chain [rootCA, intermediate certificate, leaf certificate] whose leaf certificate has extension fields and whose version is 1. Clearly, the leaf certificate violates Section 4.1.2.1 of RFC 5280: "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)." Meanwhile, the chain can still pass certificate verification with certvalidator 0.12.0.dev1.
To Reproduce:
import sys
from certvalidator import CertificateValidator, ValidationContext


def main():
    # usage: verify.py <trust-root PEM/DER> <end-entity PEM/DER>
    if len(sys.argv) < 3:
        sys.exit(1)
    ca_path = sys.argv[1]
    seed_path = sys.argv[2]
    with open(ca_path, "rb") as f:
        ca_bytes = f.read()
    with open(seed_path, "rb") as f:
        seed_bytes = f.read()
    # Offline validation: the given CA is the only trust root, no CRL/OCSP fetching.
    context = ValidationContext(
        trust_roots=[ca_bytes],
        allow_fetching=False,
        crls=[],
        ocsps=[]
    )
    validator = CertificateValidator(seed_bytes, validation_context=context)
    # Builds and validates the path; an empty key-usage set means no usage constraint.
    validator.validate_usage(key_usage=set())
    print("ok!")


if __name__ == "__main__":
    main()
python3 verify.py ca.pem seed.pem
Expected behavior:
According to RFC 5280, it should be rejected.
test.zip
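The rule the report invokes is purely structural: in the DER of a TBSCertificate, the version appears as an explicit [0] element (absent means v1) and extensions appear as a [3] element, so a validator can enforce RFC 5280 4.1.2.1 before any signature or path checks. The following is an added example, not code from certvalidator or from this issue, that walks the outer structure of a DER certificate with the standard library only and rejects a certificate that carries extensions without being v3. The sample certificates it builds are constructed placeholders (empty names, dummy signature) that are structurally valid but not real or signed certificates.

```python
"""RFC 5280 4.1.2.1 check: a certificate with an extensions field must be v3.

Added example using a minimal DER walker; it does not depend on certvalidator
or asn1crypto and only inspects the top-level fields of TBSCertificate.
"""


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end).

    Single-byte tags only, which is all the TBSCertificate top level uses.
    """
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in TBSCertificate")
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def certificate_version_and_extensions(cert_der):
    """Return (encoded_version, has_extensions) for a DER Certificate.

    encoded_version is the INTEGER value (0 = v1, 1 = v2, 2 = v3); 0 is also
    returned when the [0] element is absent, which is the DER default for v1.
    """
    tag, s, e = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, ts, te = next(_children(cert_der, s, e))  # tbsCertificate is the first child
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    fields = list(_children(cert_der, ts, te))
    version = 0
    if fields and fields[0][0] == 0xA0:  # [0] EXPLICIT Version
        itag, vs, ve = _read_tlv(cert_der, fields[0][1])
        if itag != 0x02:
            raise ValueError("version must be an INTEGER")
        version = int.from_bytes(cert_der[vs:ve], "big")
    # extensions [3] EXPLICIT Extensions is constructed, so its tag byte is 0xA3;
    # issuerUniqueID [1] / subjectUniqueID [2] are primitive (0x81 / 0x82).
    has_extensions = any(t == 0xA3 for t, _, _ in fields)
    return version, has_extensions


def is_version_consistent(cert_der):
    """True unless the certificate has extensions but is not v3 (encoded value 2)."""
    version, has_extensions = certificate_version_and_extensions(cert_der)
    return not has_extensions or version == 2


def check_version_extensions(cert_der):
    """Raise ValueError on an RFC 5280 4.1.2.1 violation; return the human version (1..3)."""
    version, has_extensions = certificate_version_and_extensions(cert_der)
    if has_extensions and version != 2:
        raise ValueError(f"extensions present but certificate is v{version + 1}; "
                         "RFC 5280 4.1.2.1 requires v3")
    return version + 1


def _der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_certificate(version, with_extensions):
    """Constructed placeholder certificate (not signed, empty names) for testing the check.

    version=None omits the [0] element (DER v1); 0, 1 or 2 encode it explicitly.
    """
    rsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    fields = b""
    if version is not None:
        fields += _der(0xA0, _der(0x02, bytes([version])))
    fields += _der(0x02, b"\x01")                                  # serialNumber
    fields += rsa_sha256                                           # signature
    fields += _der(0x30, b"")                                      # issuer (placeholder)
    fields += _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    fields += _der(0x30, b"")                                      # subject (placeholder)
    fields += _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))) + _der(0x03, b"\x00"))
    if with_extensions:  # basicConstraints (2.5.29.19), critical, empty SEQUENCE value
        ext = _der(0x30, _der(0x06, bytes.fromhex("551d13")) + _der(0x01, b"\xff") + _der(0x04, _der(0x30, b"")))
        fields += _der(0xA3, _der(0x30, ext))
    return _der(0x30, _der(0x30, fields) + rsa_sha256 + _der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    for label, cert in [("v3 with extensions", build_sample_certificate(2, True)),
                        ("v1 with extensions", build_sample_certificate(None, True))]:
        try:
            print(label, "-> accepted as v%d" % check_version_extensions(cert))
        except ValueError as exc:
            print(label, "-> rejected:", exc)
```

Run with no arguments to see the v3 sample accepted and the v1-with-extensions sample rejected; `check_version_extensions` can be called on the DER of a real certificate (PEM needs base64 decoding first) as a pre-check before handing it to a validator.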