Closed: dulanshuangqiao closed 1 month ago
OpenSSL.crypto.X509Extension is deprecated and will be removed with one of the next releases.
pyca/cryptography is likely a better choice than using this module. It contains a complete set of cryptographic primitives as well as a significantly better and more powerful X509 API.
Loading the certificate using OpenSSL.crypto.load_certificate(type: int, buffer: bytes) → X509 does not detect the wrong number of extensions. RFC 5280 states that "A certificate MUST NOT include more than one instance of a particular extension. For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1)."

Is this a defect?

As a comparison, GnuTLS throws an error for this case: ASN1 parser error: Duplicate extension in X.509 certificate.

Test Cases.zip
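A caller that wants the RFC 5280 check described in this issue can apply it to the DER bytes before handing them to any loader. The following is an added example, not code from the issue or from pyOpenSSL: a standard-library-only walk of the certificate structure that lists every extension OID and reports repeats. The helper names, the single-byte-tag assumption, and the constructed, unsigned sample certificate are all assumptions made for illustration.

```python
from collections import Counter

def read_tlv(buf, pos):                  # -> (tag, value_start, value_end), single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):           # yields (tag, value_start, value_end) per element
    while start < end:
        tag, vs, start = read_tlv(buf, start)
        yield tag, vs, start

def decode_oid(raw):                     # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):            # extnID of every extension, in order, repeats kept
    _, ts, te = read_tlv(cert_der, read_tlv(cert_der, 0)[1])  # Certificate -> TBSCertificate
    oids = []
    for tag, vs, _ in children(cert_der, ts, te):
        if tag == 0xA3:                                       # [3] EXPLICIT Extensions
            _, es, ee = read_tlv(cert_der, vs)                # SEQUENCE OF Extension
            for _, xs, _ in children(cert_der, es, ee):
                _, s, e = read_tlv(cert_der, xs)              # extnID is the first field
                oids.append(decode_oid(cert_der[s:e]))
    return oids

def duplicate_extensions(cert_der):      # OIDs present more than once (forbidden by RFC 5280)
    return sorted(o for o, n in Counter(extension_oids(cert_der)).items() if n > 1)

def tlv(tag, content=b""):               # encoder for the constructed sample, content < 128 bytes
    return bytes([tag, len(content)]) + content

def sample_cert(ext_oids):               # constructed, unsigned skeleton with placeholder fields
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, tlv(0x04, b"\x01\x02"))) for o in ext_oids)
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5 + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))

SAMPLE_DUP = sample_cert([bytes.fromhex("551d23")] * 2 + [bytes.fromhex("551d0e")])  # AKI x2, SKI
```

For a PEM file, decode the base64 body to DER first, then reject the certificate when `duplicate_extensions` returns a non-empty list.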