
Does order matter when verifying an X.509 store? #1237

Open
kaedenbrinkman opened this issue Aug 8, 2023 · 2 comments

@kaedenbrinkman

I noticed that changing the order of the two intermediate CAs (when one is irrelevant) results in a different verification result:

```python
# generate_chain() and validate_chain() are defined in the linked gist
root_1, chain_1, leaf_1 = generate_chain()  # root, intermediate, leaf
root_2, chain_2, leaf_2 = generate_chain()  # a second, unrelated chain

# verify leaf_1 against root_1 with a list of intermediate CAs
r0 = validate_chain(leaf_1, [chain_1], root_1)           # relevant intermediate only
r1 = validate_chain(leaf_1, [chain_1, chain_2], root_1)  # irrelevant intermediate last
r2 = validate_chain(leaf_1, [chain_2, chain_1], root_1)  # irrelevant intermediate first

print(r0, r1, r2)  # True True False
```

I was under the impression that the order that certs are added to an X.509 store did not matter. I also didn't seem to find anything in the OpenSSL documentation about this. Can anyone clarify?

Example (source): https://gist.github.com/kaedenbrinkman/c5f2b7d05034999cd55821a4f3403720

PyOpenSSL v23.2.0, Python v3.7.7

@alex
Member

alex commented Aug 8, 2023

I fear my answer will be unsatisfying: this simply does whatever OpenSSL does :-/

@kaedenbrinkman
Author

I see, any tips on where I should look to figure this out?
