On August 10, 2017 at 9:44:01 PM, Jakob Bohm via dev-security-policy (
On 11/08/2017 00:29, Jonathan Rudenberg wrote:
>> On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy <
>> Can anyone point out a real world X.509 framework that gets confused by
>> a redundant pathlen:0 in a CA:FALSE certificate? (Merely to assess the
>> seriousness of the issue, given that the certificate was already
> Yes, the cryptography Python package:
Reading that issue, the text in comment #0 is unclear. Does the Python
code reject such certificates, or somehow skip extensions and declare
possibly invalid uses to be valid?
As of the current release pyca/cryptography raises an exception during
parsing for certificates that contain a pathLength and are CA:FALSE. This
immediately halts parsing and prevents the user from viewing any extensions.
dev-security-policy mailing list