TODODescriptions.txt   [plain text]

The following certs do not fail because parse failures in non-critical extensions are ignored.
The certificate merely marks those extensions as not present.
parse_fail_keyusage_extra_bit.cer
	-the length field says 2 but there are 2 bytes in the bitstring (plus unused bits field which makes 3)
	-we happily skip the extra byte
parse_fail_length_63.cer
	-length field in AKID
parse_fail_tag_27.cer
	-tag field in EKU (seq)
parse_fail_tag_28.cer
	-tag field in EKU (oid)
parse_fail_tag_32.cer
	-tag field in SKID
parse_fail_tag_36.cer
	-tag field in AKID

parse_fail_too_big.cer succeeds because we ignore extra data after the cert.

parse_fail_basic_constraints_notCA_pathlen.cer
We don’t enforce (from RFC 5280):
   CAs MUST NOT include the pathLenConstraint field unless the cA
   boolean is asserted and the key usage extension asserts the
   keyCertSign bit.

parse_fail_ec_not_on_curve.cer
We don’t check that the point is on the curve until we use the key (e.g. for verifying a signature).

spki_fail_tag_4.cer
SecECPublicKeyInit doesn’t read the parameters of the algorithm ID.