Parsing basicConstraints extension without CA tag but with pathLength specified. #18
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I found myself in a situation where an OPCUA server is offering me a certificate with the basicConstraints extension specifying
pathLength
but notCA
field. This is probably due to a malformed certificate but it is still correctly parsed by popular tools like openssl etc etc.The client then fails because the function
readBasicConstraint2_5_29_19
expects theCA
field to be encountered first and thepathLength
second, possibly.Honestly, the literature and the real world examples are often misleading about the correct structure of this extension.
I don't know if my suggestion is fully compliant with the specs but I hope it should provide a less stringent and more accepted approach for parsing
basicConstraints
extensions.