certvalidator
Python library for validating X.509 certificates and paths
Allows the presence of (version 3) extensions even if the certificate version is 1 or 2. Allow the presence of extensions even if the version is greater than 3. What...
This is a standard extension documented in RFC 5280, essential for hostname verification. When Subject field contains an empty sequence, CAs can mark this extension as critical as well.
You should not allow 0 (zero) as certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each certificate...CAs MUST...
The library allows empty DirectoryString (e.g., "") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant). Minimum length should be 1.
Hi there! I'm opening this to help root-cause a handful of anomalous path-building results [observed](https://x509-limbo.com/anomalous-results/certvalidator-0.11.1/) with `certvalidator`, which we found with [x509-limbo](https://x509-limbo.com/). As a disclaimer: many of these are likely...
I ran into the following error: `The path could not be validated because the end-entity certificate contains the following unsupported critical extension: subject_alt_name` SubjectAltName extension must be critical if the Subject...
Hey! I am the maintainer of your project on Debian. We recently migrated to python 3.12. And some tests failed. I had to make a patch to run some tests:...
Hey! I decided to keep your package in the Debian project. It is already under analysis. Soon it will be in the official distribution repositories. As dependencies undergo constant updates,...
Validation of no-subject.badssl.com certificate chain causes the following Python traceback. ``` Traceback (most recent call last): File "//no-subject.py", line 151, in cert_validator.validate_usage(set()) File "/usr/local/lib/python3.11/site-packages/certvalidator/__init__.py", line 193, in validate_usage self._validate_path() File...
Currently, certvalidator only supports RSASSA-PKCS1 v1.5. As described in [RFC 3447](https://tools.ietf.org/html/rfc3447#page-27), RSASSA-PSS (PKCS1 v2.1) is recommended over v.1.5. Many recently issued certificates use it already. **This commit adds support for...