
Does order matter when verifying an X.509 store? #1237

Open

@kaedenbrinkman

I noticed that changing the order of the two intermediate CAs (when one is irrelevant) results in a different verification result:

root_1, chain_1, leaf_1 = generate_chain()  # root, intermediate, leaf
root_2, chain_2, leaf_2 = generate_chain()

r0 = validate_chain(leaf_1, [chain_1], root_1)    # leaf, intermediates, root
r1 = validate_chain(leaf_1, [chain_1, chain_2], root_1)
r2 = validate_chain(leaf_1, [chain_2, chain_1], root_1)

print(r0, r1, r2) # True True False

I was under the impression that the order that certs are added to an X.509 store did not matter. I also didn't seem to find anything in the OpenSSL documentation about this. Can anyone clarify?

Example (source): https://gist.github.com/kaedenbrinkman/c5f2b7d05034999cd55821a4f3403720

PyOpenSSL v23.2.0, Python v3.7.7
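The following is an added reproduction of the experiment above, not the reporter's gist (whose generate_chain and validate_chain are not shown here): it mints test chains with the cryptography library and verifies them through pyOpenSSL's X509Store. It assumes the reporter's chains reuse the same subject names across chains and carry no key identifiers; the key_ids switch adds SubjectKeyIdentifier/AuthorityKeyIdentifier so the issuer lookup is keyed by key rather than by name alone.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from OpenSSL import crypto

def make_cert(cn, issuer, issuer_key, ca, key_ids):
    """Issue a cert for `cn` (self-signed when `issuer` is None); key_ids adds SKID/AKID."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    signer = key if issuer is None else issuer_key
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(name if issuer is None else issuer.subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if key_ids:  # key identifiers let the issuer lookup match on key, not just on name
        b = b.add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer.public_key()), critical=False)
    return b.sign(signer, hashes.SHA256()), key

def generate_chain(key_ids=False):
    # Constructed test chains: every chain reuses the same subject names (an assumption
    # about the reporter's generate_chain); only the keys differ between chains.
    root, root_key = make_cert("Test Root", None, None, True, key_ids)
    inter, inter_key = make_cert("Test Intermediate", root, root_key, True, key_ids)
    leaf, _ = make_cert("leaf.example", inter, inter_key, False, key_ids)
    return tuple(crypto.X509.from_cryptography(c) for c in (root, inter, leaf))

def validate_chain(leaf, intermediates, root):
    """Add root, then the intermediates in the given order, as trusted; verify leaf."""
    store = crypto.X509Store()
    for cert in [root, *intermediates]:
        store.add_cert(cert)
    try:
        crypto.X509StoreContext(store, leaf).verify_certificate()
        return True
    except crypto.X509StoreContextError:
        return False

def run_experiment(key_ids=False):
    """Return (r0, r1, r2, r_wrong): the issue's three cases, plus a store holding
    only the unrelated intermediate, which must fail regardless of order."""
    root_1, chain_1, leaf_1 = generate_chain(key_ids)
    root_2, chain_2, leaf_2 = generate_chain(key_ids)
    return (validate_chain(leaf_1, [chain_1], root_1),
            validate_chain(leaf_1, [chain_1, chain_2], root_1),
            validate_chain(leaf_1, [chain_2, chain_1], root_1),
            validate_chain(leaf_1, [chain_2], root_1))
```

With key_ids=False the third result is the one the issue reports as order-dependent; with key_ids=True the lookup is keyed by AKID/SKID and the order no longer matters. Printing the caught X509StoreContextError in validate_chain shows which step of the chain build failed in each case.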
