PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

Leaf cert missing in certificatePath returned by CertificateChainValidationEngine.verify() #294

Closed themighty1 closed 3 years ago

themighty1 commented 3 years ago

Hi, I'm trying to find a way of seeing the exact cert chain which was chosen out of the certs supplied to CertificateChainValidationEngine. I was hoping to see the whole chain from leaf to root in the returned value "certificatePath" but it only shows the intermediate and the root cert. It does not show the leaf cert.

Is this by design? Is there a way I could find out which cert was chosen as the leaf cert?

Thank you.

themighty1 commented 3 years ago

To provide some more info: I created a trusted cert and a leaf cert signed directly by it (no intermediate certs). With those certs, .verify() returns "certificatePath", which has both leaf and root.

So, after all, under certain circumstances the whole chain is returned, but like I said above, when the intermediate cert was supplied, the leaf cert was NOT returned.

themighty1 commented 3 years ago

Here are the certs: leaf:


intermediate:


root:


YuryStrozhevsky commented 3 years ago

@themighty1 When you are using the CertificateChainValidationEngine class, you directly point to which user certificate you need to build the chain for. It is the least certificate in the input array of certificates. So I do not think it is even necessary to put this already known certificate in the output.

themighty1 commented 3 years ago

@YuryStrozhevsky, thanks. However, I'm experiencing situations where the least certificate (i.e. with zero index [0]) is NOT selected for the certificatePath.

For example, I have 3 certs: rootCert (CommonName: TRUSTED_ROOT) and 2 leaf certs signed by rootCert (cert1's /CN=127.0.0.1 and cert2's /CN=example.com)

When I do:

    var ccve = new CertificateChainValidationEngine({
        trustedCerts: [rootCert],
        certs: [cert1, cert2],
    });
    var rv = await ccve.verify();

then rv.certificatePath returns [cert2, rootCert]

When I swap them around and do:

    var ccve = new CertificateChainValidationEngine({
        trustedCerts: [rootCert],
        certs: [cert2, cert1],
    });
    var rv = await ccve.verify();

then rv.certificatePath returns [cert1, rootCert]

(You'll have to look at the Common Name value to distinguish which cert is returned in rv.certificatePath)

rootCert.pem


cert1.pem


cert2.pem

YuryStrozhevsky commented 3 years ago

@themighty1 Not sure that I understood you correctly. Or maybe you did not. So, as I said your chain would be built for least certificate in the certs array. And you described completely correct output. What do you need here?

YuryStrozhevsky commented 3 years ago

@themighty1 Or maybe you are "testing" our certificate verification engine? In this case take a look at this example - here I made a test for complete set of test cases for NIST PKITS (PKI Test Suite).

themighty1 commented 3 years ago

@YuryStrozhevsky, I just want to make sure that I understand what is "the least certificate in an input array" e.g. if the input array is [cert1, cert2] then the least certificate is cert1, is that correct?

YuryStrozhevsky commented 3 years ago

@themighty1 Frankly speaking, I am Russian and English is not my native language, but I had a vision that "least = certificate in the very end of the array". So for this case:

[
   cert1,
   cert2
]

the "least = cert2". And for this case:

[
   cert2,
   cert1
]

the "least = cert1".

themighty1 commented 3 years ago

@YuryStrozhevsky, thanks for explaining, it makes sense now.

Going back to the rv.certificatePath matter:

When I supply 4 certs like this [cert1, intermediate1, intermediate2, root], then rv.certificatePath returns [intermediate2, root]

It seems like certificatePath returns only 2 certificates, no matter what the length of the actual chain is.

themighty1 commented 3 years ago

Just to clarify:

cert1 is signed by intermediate1
intermediate1 is signed by intermediate2
intermediate2 is signed by root

YuryStrozhevsky commented 3 years ago

@themighty1 Put cert1 at the place where least should be. The "leaf" cert MUST be least.

YuryStrozhevsky commented 3 years ago

The "root" must be in a separate parameter "trustedCertificates". Like in example:

        it.skip("4.15.10 Invalid delta-CRL Test10", simpleVerification({
            trustedCertificates: [
                "TrustAnchorRootCertificate.crt"
            ],
            certificates: [
                "deltaCRLCA3Cert.crt",
                "InvaliddeltaCRLTest10EE.crt"
            ],
            crls: [
                "TrustAnchorRootCRL.crl",
                "deltaCRLCA3CRL.crl",
                "deltaCRLCA3deltaCRL.crl"
            ],
            successExpected: false
        }));

themighty1 commented 3 years ago

Thank you, finally all my woes came to an end after placing the leaf cert last in the array of certs. For bonus points, certificatePath now returns FULL path from leaf to root. Just what I needed. Thank you for your time.
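
An added example (not from the thread and not PKI.js code) of the check this discussion points to: put the certificate being validated last in `certs`, and accept a result only if `certificatePath[0]` is that certificate. The `{ subject, issuer, serial }` objects, `orderForEngine`, `pathIsForLeaf` and `verifyStandIn` are assumptions for illustration; `verifyStandIn` only follows the "chain is built for the last element" rule stated above.

```javascript
// Added example, not PKI.js code. Certificates are modelled as plain
// { subject, issuer, serial } objects (constructed sample data).
const root = { subject: "TRUSTED_ROOT", issuer: "TRUSTED_ROOT", serial: "01" };
const intermediate2 = { subject: "intermediate2", issuer: "TRUSTED_ROOT", serial: "02" };
const intermediate1 = { subject: "intermediate1", issuer: "intermediate2", serial: "03" };
const cert1 = { subject: "127.0.0.1", issuer: "intermediate1", serial: "04" };

// Issuer name plus serial number identifies a certificate.
const sameCert = (a, b) => a.issuer === b.issuer && a.serial === b.serial;

// Build the `certs` array with the certificate to validate in last position.
function orderForEngine(leaf, others) {
  return [...others.filter((c) => !sameCert(c, leaf)), leaf];
}

// Hypothetical stand-in for the engine: walks issuer links upward from the
// LAST element of `certs` until it reaches a trusted certificate.
function verifyStandIn({ trustedCerts, certs }) {
  const isTrusted = (c) => trustedCerts.some((t) => sameCert(t, c));
  const pool = [...certs, ...trustedCerts];
  const path = [certs[certs.length - 1]];
  while (!isTrusted(path[path.length - 1])) {
    const cur = path[path.length - 1];
    const parent = pool.find((c) => c.subject === cur.issuer && !sameCert(c, cur));
    if (!parent || path.some((p) => sameCert(p, parent))) {
      return { result: false, certificatePath: path };
    }
    path.push(parent);
  }
  return { result: true, certificatePath: path };
}

// Accept a result only if the validated path starts at the intended leaf.
function pathIsForLeaf(rv, leaf) {
  const path = rv.certificatePath || [];
  return rv.result === true && path.length > 0 && sameCert(path[0], leaf);
}

// Leaf first, as in the four-certificate case above (root moved to
// trustedCerts): validation succeeds, but for intermediate2, not cert1.
const wrong = verifyStandIn({ trustedCerts: [root], certs: [cert1, intermediate1, intermediate2] });
// Leaf last: the path runs from cert1 up to the trusted root.
const right = verifyStandIn({
  trustedCerts: [root],
  certs: orderForEngine(cert1, [intermediate2, cert1, intermediate1]),
});
console.log(pathIsForLeaf(wrong, cert1), pathIsForLeaf(right, cert1));
```

With real PKI.js objects the same comparison can be made on issuer and serial number or on the DER encoding of the two certificates.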