This makes sense. Also, my goal is parsing rather than validation in the step I'm working on. It's all potentially malware, so it may have malformed data.
On Sat, Dec 29, 2018, 09:29 Paul Kehrer <paul.l.keh...@gmail.com> wrote:

> This is https://github.com/pyca/cryptography/issues/3856
>
> The cert inside the PKCS7 you gave has both CA False and a path length (of
> 0) set. That is technically invalid according to the RFC so the parser
> rejects it. We've talked about how to resolve this in
> https://github.com/pyca/cryptography/pull/3862 but I haven't finished it
> because at the time I decided the more elegant solution within the context
> of our APIs would be to have an x509 hazmat layer that the recipe layer
> consumed. I could maybe be convinced that moving the logic as in 3862 is a
> good solution though since parsing a cert is not a validation step.
> Refusing to generate bad certs + (some day) having a verifier that will
> reject junk we've parsed is possibly a decent solution.
>
> -Paul
>
> On December 29, 2018 at 12:20:27 AM, Robert Simmons (rsimmo...@gmail.com)
> wrote:
>
> I also am having trouble parsing the extensions of the attached cert using
> the code above:
>
> Traceback (most recent call last):
>   File "./extract_sigs.py", line 65, in <module>
>     for extension in cert.extensions:
>   File "/root/sigs/lib/python3.7/site-packages/cryptography/utils.py", line 162, in inner
>     result = func(instance)
>   File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 137, in extensions
>     self._backend, self._x509
>   File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 252, in parse
>     value = handler(backend, ext_data)
>   File "/root/sigs/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 342, in _decode_basic_constraints
>     return x509.BasicConstraints(ca, path_length)
>   File "/root/sigs/lib/python3.7/site-packages/cryptography/x509/extensions.py", line 345, in __init__
>     raise ValueError("path_length must be None when ca is False")
> ValueError: path_length must be None when ca is False
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
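Added example (not part of the original thread and not pyca/cryptography code): a standard-library decoder for the BasicConstraints extension value that parses without validating, so the CA False plus path length 0 case discussed above comes back with a finding instead of raising. It assumes the raw extension value bytes were already extracted from the certificate; the function names and sample bytes are constructed for illustration.

```python
# Added example: tolerant decoder for the BasicConstraints extension value.
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER OPTIONAL }

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, up to 4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(ext_value):
    """Decode without validating; RFC violations are reported as findings."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints is not a SEQUENCE")
    ca, path_length, findings, pos = False, None, [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x01 and len(value) == 1:       # BOOLEAN cA
            ca = value != b"\x00"
        elif tag == 0x02 and value:               # INTEGER pathLenConstraint
            path_length = int.from_bytes(value, "big", signed=True)
        else:
            findings.append("unexpected element tag 0x%02x" % tag)
    if path_length is not None and not ca:
        findings.append("path_length set while ca is False")
    return {"ca": ca, "path_length": path_length, "findings": findings}

# Constructed samples (not taken from the certificate in this thread).
MALFORMED = bytes.fromhex("3003020100")          # cA absent (False), pathLen 0
WELL_FORMED = bytes.fromhex("30060101ff020100")  # cA TRUE, pathLen 0

if __name__ == "__main__":
    for sample in (MALFORMED, WELL_FORMED):
        print(parse_basic_constraints(sample))
```

Only structurally broken DER (truncated or non-SEQUENCE input) raises; semantic problems are left to whatever later validation step consumes the findings list.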