
Supporting SubjectAltName critical extension

Open gaetanww opened this issue 4 years ago • 2 comments

I ran into the following error: "The path could not be validated because the end-entity certificate contains the following unsupported critical extension: subject_alt_name". The SubjectAltName extension must be critical if the Subject field is empty (RFC). It is often critical for non-TLS certificates, for example TPM Endorsement Key certificates.

gaetanww, Oct 14 '21 15:10

I ran into this same issue and see this as a split of responsibility between this library and the application using it. Meaning something should account for all of the critical extensions but it doesn't need to be this library alone. Maybe critical-but-unhandled extensions could be signaled to the application rather than causing a hard failure like this.

BrianSipos, Jan 29 '24 21:01

Yes, that's a good idea. Maybe it should keep validating the certificate chain and raise an exception at the end to allow the application to catch it and sort it out if needed/possible?

gaetanww, Jan 30 '24 09:01
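The two points in this thread, the RFC 5280 4.2.1.6 rule from the first post (an empty Subject requires a critical SubjectAltName) and the later proposal to report critical-but-unhandled extensions to the application instead of failing hard, can be shown with a small standard-library script. This is an added example, not certvalidator's code: it encodes a constructed test certificate with a minimal DER encoder (placeholder key and signature, never to be verified), walks the TBSCertificate to list extensions with their criticality, and returns the unhandled critical OIDs for the caller to decide on. The "handled" set of two OIDs is an assumption for the demo, not the library's actual list.

```python
# Added example (not certvalidator's own code). Inspects a DER certificate's critical
# extensions and reports the unhandled ones to the caller instead of failing, and
# checks the RFC 5280 4.2.1.6 rule: empty Subject => SubjectAltName must be critical.
# The sample certificates are constructed below with placeholder key/signature bytes.

SAN_OID = "2.5.29.17"


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split the body of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def tbs_fields(cert_der: bytes):
    """TBSCertificate fields with the optional [0] version field stripped."""
    tbs = children(children(cert_der)[0][1])[0][1]
    fields = children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields


def subject_is_empty(cert_der: bytes) -> bool:
    # Field order after version: serial, sigalg, issuer, validity, subject (index 4).
    return tbs_fields(cert_der)[4][1] == b""


def extensions(cert_der: bytes):
    """List of (oid, critical) for every extension in the certificate."""
    result = []
    for tag, value in tbs_fields(cert_der):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(value)[0][1]):
            items = children(ext)           # OID, optional BOOLEAN, OCTET STRING
            critical = items[1][0] == 0x01 and items[1][1] != b"\x00"
            result.append((decode_oid(items[0][1]), critical))
    return result


def unhandled_critical(cert_der: bytes, handled: set) -> list:
    """Critical extensions the caller does not know how to process (to be reported, not fatal)."""
    return [oid for oid, crit in extensions(cert_der) if crit and oid not in handled]


def san_rule_ok(cert_der: bytes) -> bool:
    """RFC 5280 4.2.1.6: an empty Subject requires a present, critical SubjectAltName."""
    if not subject_is_empty(cert_der):
        return True
    return any(oid == SAN_OID and crit for oid, crit in extensions(cert_der))


def make_cert(san_critical: bool) -> bytes:
    """Constructed test certificate: empty Subject, one dNSName SAN, placeholder key/signature."""
    def oid(raw):
        return der(0x06, raw)
    alg = der(0x30, oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))   # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, oid(b"\x55\x04\x03") + der(0x0C, b"Constructed Test CA"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, der(0x30, oid(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
               + der(0x03, b"\x00" * 9))                                                # placeholder key
    san_value = der(0x04, der(0x30, der(0x82, b"tpm-ek.example.test")))
    san = der(0x30, oid(b"\x55\x1d\x11") + (der(0x01, b"\xff") if san_critical else b"") + san_value)
    basic = der(0x30, oid(b"\x55\x1d\x13") + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + issuer + validity
              + der(0x30, b"") + spki + der(0xA3, der(0x30, san + basic)))           # empty Subject
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))                               # placeholder sig


# Assumed "handled" set for this demo: basicConstraints and keyUsage only.
HANDLED = {"2.5.29.19", "2.5.29.15"}

if __name__ == "__main__":
    cert = make_cert(san_critical=True)
    print("unhandled critical:", unhandled_critical(cert, HANDLED))      # ['2.5.29.17']
    print("SAN rule ok (critical SAN):", san_rule_ok(cert))              # True
    print("SAN rule ok (non-critical SAN):", san_rule_ok(make_cert(False)))  # False
```

With the critical SAN present, the script reports 2.5.29.17 as the one critical extension outside the handled set, which is exactly the information an application would need to decide whether to accept a TPM EK certificate; with the SAN left non-critical on an empty Subject, the RFC rule check fails, which is a defect in the certificate rather than in the validator.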