Deviations from RFC5280 #256
This is a big list of unsorted, unprioritised issues found from x509test cases. I'm not making any particular claim that these are important issues, or even issues we want to fix. For example, some of the RFC assertions are requirements on issuers, not verifiers.
- duplicate extensions are not rejected for extensions webpki does not support
- illegal subjectAltName extensions not rejected
- empty OID is not rejected inside extKeyUsage extension
- certain CA-only extensions not rejected if basic constraints cA=false
- end entity subject public key validation seems not to happen during parsing/chain/name validation -- (maybe that is deferred to `verify_signature`? in which case ignore these)
- missing validations during trust anchor parsing(?)
- comparison of string encodings in subject/issuer
- optional subjectUniqueID causes parse failure
- policy constraint extension (probably no advantage to implementing this, but listed here for completeness)
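
The first item in the list, as an added example that is not part of the original issue and is not webpki's code: RFC 5280 section 4.2 forbids more than one instance of an extension, so a verifier has to track every extnID it parses, including those it does not support. The names `read_tlv`, `check_unique_extensions` and `ExtError` are hypothetical, the sample bytes are constructed, and rejecting an empty extnID is an assumption of this sketch.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum ExtError { BadDer, EmptyOid, Duplicate(Vec<u8>) }

// Read one DER TLV and return (tag, value, rest). Minimal definite lengths up to 65535 only.
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), ExtError> {
    let (&tag, rest) = input.split_first().ok_or(ExtError::BadDer)?;
    let (&first, rest) = rest.split_first().ok_or(ExtError::BadDer)?;
    let (len, rest) = match first {
        n if n < 0x80 => (n as usize, rest),
        0x81 if !rest.is_empty() && rest[0] >= 0x80 => (rest[0] as usize, &rest[1..]),
        0x82 if rest.len() >= 2 && rest[0] != 0 => {
            (((rest[0] as usize) << 8) | rest[1] as usize, &rest[2..])
        }
        _ => return Err(ExtError::BadDer),
    };
    if rest.len() < len { return Err(ExtError::BadDer); }
    Ok((tag, &rest[..len], &rest[len..]))
}

// Walk Extensions ::= SEQUENCE OF Extension and record every extnID,
// recognised or not, so a repeat of an unsupported extension is still caught.
pub fn check_unique_extensions(extensions: &[u8]) -> Result<usize, ExtError> {
    let (tag, mut body, trailing) = read_tlv(extensions)?;
    if tag != 0x30 || !trailing.is_empty() { return Err(ExtError::BadDer); }
    let mut seen: HashSet<&[u8]> = HashSet::new();
    while !body.is_empty() {
        let (ext_tag, ext, rest) = read_tlv(body)?;
        if ext_tag != 0x30 { return Err(ExtError::BadDer); }
        let (oid_tag, oid, _critical_and_value) = read_tlv(ext)?;
        if oid_tag != 0x06 { return Err(ExtError::BadDer); }
        if oid.is_empty() { return Err(ExtError::EmptyOid); }
        if !seen.insert(oid) { return Err(ExtError::Duplicate(oid.to_vec())); }
        body = rest;
    }
    Ok(seen.len())
}

// Constructed sample: the made-up extnID 1.2.3.4 appears twice.
pub const DUPLICATE_UNKNOWN: [u8; 24] = [
    0x30, 0x16,
    0x30, 0x09, 0x06, 0x03, 0x2A, 0x03, 0x04, 0x04, 0x02, 0x05, 0x00,
    0x30, 0x09, 0x06, 0x03, 0x2A, 0x03, 0x04, 0x04, 0x02, 0x05, 0x00,
];

fn main() {
    println!("{:?}", check_unique_extensions(&DUPLICATE_UNKNOWN));
}
```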