pyopenssl
Does order matter when verifying an X.509 store?
I noticed that changing the order of the two intermediate CAs (when one is irrelevant) results in a different verification result:
```python
root_1, chain_1, leaf_1 = generate_chain()  # root, intermediate, leaf
root_2, chain_2, leaf_2 = generate_chain()
r0 = validate_chain(leaf_1, [chain_1], root_1)  # leaf, intermediates, root
r1 = validate_chain(leaf_1, [chain_1, chain_2], root_1)
r2 = validate_chain(leaf_1, [chain_2, chain_1], root_1)
print(r0, r1, r2)  # True True False
```
I was under the impression that the order that certs are added to an X.509 store did not matter. I also didn't seem to find anything in the OpenSSL documentation about this. Can anyone clarify?
Example (source): https://gist.github.com/kaedenbrinkman/c5f2b7d05034999cd55821a4f3403720
PyOpenSSL v23.2.0, Python v3.7.7
I fear my answer will be unsatisfying: this simply does whatever OpenSSL does :-/
I see, any tips on where I should look to figure this out?