This is https://github.com/pyca/cryptography/issues/3856
The cert inside the PKCS7 you gave has both CA False and a path length (of 0) set. That is technically invalid according to the RFC, so the parser rejects it. We've talked about how to resolve this in https://github.com/pyca/cryptography/pull/3862 but I haven't finished it because at the time I decided the more elegant solution within the context of our APIs would be to have an x509 hazmat layer that the recipe layer consumed. I could maybe be convinced that moving the logic as in 3862 is a good solution though, since parsing a cert is not a validation step. Refusing to generate bad certs + (some day) having a verifier that will reject junk we've parsed is possibly a decent solution.

-Paul

On December 29, 2018 at 12:20:27 AM, Robert Simmons (rsimmo...@gmail.com) wrote:

I also am having trouble parsing the extensions of the attached cert using the code above:

Traceback (most recent call last):
  File "./extract_sigs.py", line 65, in <module>
    for extension in cert.extensions:
  File "/root/sigs/lib/python3.7/site-packages/cryptography/utils.py", line 162, in inner
    result = func(instance)
  File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 137, in extensions
    self._backend, self._x509
  File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 252, in parse
    value = handler(backend, ext_data)
  File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 342, in _decode_basic_constraints
    return x509.BasicConstraints(ca, path_length)
  File "/root/sigs/lib/python3.7/site-packages/cryptography/x509/extensions.py", line 345, in __init__
    raise ValueError("path_length must be None when ca is False")
ValueError: path_length must be None when ca is False
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
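The "parsing is not validation" split Paul describes above, as an added example that is not code from pyca/cryptography or from either poster: a small pure-Python DER decoder for the BasicConstraints extension value (SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }) that accepts whatever the certificate actually encodes and records the RFC 5280 violation (pathLenConstraint present while cA is FALSE) as a validation finding, beside a strict constructor that rejects it the way the traceback shows. The function names, the `BasicConstraints` dataclass and the hex byte strings are all constructed for this example and are not taken from the library or from the certificate in the thread.

```python
"""Lenient DER decoding of X.509 BasicConstraints, with RFC 5280 checks kept
separate from parsing.  Example code, not pyca/cryptography's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BasicConstraints:
    """Decoded BasicConstraints value.  Hypothetical type for this example."""
    ca: bool
    path_length: Optional[int]

    def rfc5280_problems(self) -> List[str]:
        """Semantic checks RFC 5280 section 4.2.1.9 imposes; empty if OK."""
        problems = []
        if not self.ca and self.path_length is not None:
            problems.append("pathLenConstraint present but cA is FALSE")
        if self.path_length is not None and self.path_length < 0:
            problems.append("pathLenConstraint must be non-negative")
        return problems


def _read_tlv(data: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value starting at offset.

    Returns (tag, value, offset_after_value).  Short and long (up to 4 byte)
    length forms are handled; truncated input raises ValueError.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, offset + length


def decode_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode the extension value leniently: bad semantics are not rejected here.

    Only structural problems (wrong outer tag, trailing bytes, bad lengths)
    raise; a cert with cA FALSE and a pathLen still decodes successfully.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca = False          # DEFAULT FALSE: DER omits the field when it is FALSE,
    path_length = None  # but an explicitly encoded FALSE is still accepted here
    pos = 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be exactly one byte")
        ca = val[0] != 0
    if pos < len(body) and body[pos] == 0x02:          # INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_length = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing data inside BasicConstraints")
    return BasicConstraints(ca, path_length)


def strict_basic_constraints(der: bytes) -> BasicConstraints:
    """Parse-and-validate in one step, i.e. the behaviour in the traceback."""
    bc = decode_basic_constraints(der)
    problems = bc.rfc5280_problems()
    if problems:
        raise ValueError("; ".join(problems))
    return bc


# Constructed sample encodings (not bytes from the certificate in the thread):
CA_PATHLEN0 = bytes.fromhex("30060101ff020100")   # cA TRUE, pathLen 0: valid
END_ENTITY = bytes.fromhex("3000")                # empty SEQUENCE: cA FALSE
BAD_NOT_CA_PATHLEN0 = bytes.fromhex("3003020100")  # cA omitted (FALSE), pathLen 0

if __name__ == "__main__":
    for name, der in [("CA_PATHLEN0", CA_PATHLEN0), ("END_ENTITY", END_ENTITY),
                      ("BAD_NOT_CA_PATHLEN0", BAD_NOT_CA_PATHLEN0)]:
        bc = decode_basic_constraints(der)
        print(name, bc, bc.rfc5280_problems() or "ok")
```

With this split a tool that only wants to inspect or extract fields (as the `extract_sigs.py` script in the thread does) can call `decode_basic_constraints` and keep going, while a path builder or verifier calls `strict_basic_constraints` or checks `rfc5280_problems()` and refuses the certificate. Note that the decoder deliberately tolerates an explicitly encoded `cA FALSE` even though DER requires DEFAULT values to be omitted; if you need DER strictness as well, flag that case in the decoder rather than silently accepting it.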