wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

Chain building in certificate validation #32

Open avzuquete opened 3 years ago

avzuquete commented 3 years ago

Hi,

I'm using certvalidator 0.11.1.

It cannot build a chain with the attached certificates for the one in me.der. However, it should work, as the chain was extracted from a Windows tool that examines certificate chains. (attachment: me.zip)

The traceback gives:

```
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 108, in _validate_path
    paths = self._context.certificate_registry.build_paths(self._certificate)
  File "/usr/local/lib/python3.8/site-packages/certvalidator/registry.py", line 314, in build_paths
    raise PathBuildingError(pretty_message(
certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: ANDRÉ VENTURA DA CRUZ MARNÔTO ZÚQUETE; Serial Number: BI068540477; Given Name: ANDRÉ; Surname: VENTURA DA CRUZ MARNÔTO ZÚQUETE; Organizational Unit: Cidadão Português, Assinatura Qualificada do Cidadão; Organization: Cartão de Cidadão; Country: PT" - no issuer matching "Common Name: ECRaizEstado 002, Organization: Sistema de Certificação Eletrónica do Estado, Country: PT" was found
```

wbond commented 3 years ago

Please post the PEM encoded certs in a comment here.

My hunch is that the certificate isn’t using properly encoded strings, as the error message includes what appears to be UTF-8 represented as Latin encoding.

avzuquete commented 3 years ago

Dear Will Bond,

You have all the certs in DER format.

It's very unlikely that the certs have errors, they are part of the Portuguese identity certification chains.

And yes, it's quite natural to have UTF-8 text on them, Portuguese has several diacritics.

Regards,

wbond commented 3 years ago

> You have all the certs in DER format.

The issue is, I don't have time and you want help, so I am asking you to do the leg work. Downloading, extracting certs, converting them so that I can confirm whether my hunch is true is a bunch of work.

> It's very unlikely that the certs have errors, they are part of the Portuguese identity certification chains.

My experience with certs is that plenty of software puts improperly encoded data into them. This is just a hunch, based on the mojibake in the error message.

> And yes, it's quite natural to have UTF-8 text on them, Portuguese has several diacritics.

UTF-8 is good. The issue here is that the error message implies the certs have UTF-8 in an ASN.1 encoding that is not designed for UTF-8.


However, this is all my hunch. Once the data is laid out, it will be easier to confirm.
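
One way to check the hunch above from the bytes rather than from a printed message, as an added example that is not part of the thread or of certvalidator's or asn1crypto's code: an X.509 name attribute value is a DirectoryString, and its ASN.1 tag says which codec applies. UTF-8 bytes stored inside a PrintableString or IA5String are the kind of error wbond describes; correct UTF-8 that merely gets printed through a Latin-1 codec shows up as mojibake such as `CidadÃ£o`, and the second helper reverses that. Tag numbers are the universal ones from X.680; decoding TeletexString as Latin-1 is an assumption that matches common practice, and the samples at the bottom are constructed.

```python
# Added example (not certvalidator or asn1crypto code): decode an X.509 name
# attribute value according to its ASN.1 string type, rejecting UTF-8 bytes
# stored in a type that cannot carry them, and separately undo the mojibake
# that appears when correct UTF-8 is *printed* through a Latin-1 codec.
# The samples at the bottom are constructed.

PRINTABLE_STRING_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

# universal tag number -> string type (the DirectoryString choices plus IA5String)
STRING_TAGS = {
    0x0C: 'UTF8String',
    0x13: 'PrintableString',
    0x14: 'TeletexString',     # T.61; decoded as Latin-1 here, as most tools do (assumption)
    0x16: 'IA5String',
    0x1C: 'UniversalString',   # UCS-4, big-endian
    0x1E: 'BMPString',         # UCS-2, big-endian
}


class BadStringEncoding(ValueError):
    pass


def decode_directory_string(tag: int, body: bytes) -> str:
    kind = STRING_TAGS.get(tag)
    if kind is None:
        raise BadStringEncoding('tag 0x%02X is not an X.509 string type' % tag)
    if kind in ('PrintableString', 'IA5String'):
        if any(b > 0x7F for b in body):
            raise BadStringEncoding(
                '%s holds non-ASCII bytes %r: UTF-8 in an ASCII-only type' % (kind, body))
        text = body.decode('ascii')
        bad = set(text) - PRINTABLE_STRING_CHARS
        if kind == 'PrintableString' and bad:
            raise BadStringEncoding(
                'PrintableString holds disallowed characters %r' % sorted(bad))
        return text
    if kind == 'UTF8String':
        try:
            return body.decode('utf-8')
        except UnicodeDecodeError as exc:
            raise BadStringEncoding('UTF8String is not valid UTF-8: %s' % exc) from exc
    if kind == 'TeletexString':
        return body.decode('latin-1')
    if kind == 'BMPString':
        return body.decode('utf-16-be')
    return body.decode('utf-32-be')


def check_value(tag: int, body: bytes):
    """(True, text) when the value decodes cleanly, else (False, reason)."""
    try:
        return True, decode_directory_string(tag, body)
    except BadStringEncoding as exc:
        return False, str(exc)


def undo_mojibake(text: str) -> str:
    """'CartÃ£o' -> 'Cartão' when `text` is UTF-8 that was decoded as Latin-1;
    any other text (including already-correct text) is returned unchanged."""
    try:
        return text.encode('latin-1').decode('utf-8')
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


# constructed samples: the OU from the error message above, encoded three ways
GOOD_UTF8 = (0x0C, 'Cidadão Português'.encode('utf-8'))     # correct for non-ASCII text
ASCII_PRINTABLE = (0x13, b'PT')                              # correct for a country code
BAD_PRINTABLE = (0x13, 'Cidadão Português'.encode('utf-8'))  # UTF-8 inside an ASCII-only type
MISPRINTED = 'CidadÃ£o PortuguÃªs'                           # correct cert, printed as Latin-1

if __name__ == '__main__':
    for sample in (GOOD_UTF8, ASCII_PRINTABLE, BAD_PRINTABLE):
        print(check_value(*sample))
    print(undo_mojibake(MISPRINTED))
```

If `check_value` returns `(False, ...)` for a value taken straight out of the DER, the certificate itself is mis-encoded; if every value decodes cleanly and only the printed message looks wrong, the corruption was introduced by whatever printed the exception.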

avzuquete commented 3 years ago

PEM files attached. me.zip

I've checked the chain step by step with openssl and it says it is good.

wbond commented 3 years ago

Can you post the PEM inline here so we can just copy paste to https://lapo.it/asn1js/?

wbond commented 3 years ago

> I've checked the chain step by step with openssl and it says it is good.

That doesn't really help in this situation, as we don't use OpenSSL's chain building, nor validation code.

avzuquete commented 3 years ago

PEM certificates inline. First certificate is leaf, last is root, rest are chain aligned.

```
-----BEGIN CERTIFICATE-----
MIIJQDCCByigAwIBAgIIV0SmOgMR7iQwDQYJKoZIhvcNAQELBQAwgcExCzAJBgNV
BAYTAlBUMTMwMQYDVQQKDCpJbnN0aXR1dG8gZG9zIFJlZ2lzdG9zIGUgZG8gTm90
YXJpYWRvIEkuUC4xHDAaBgNVBAsME0NhcnTDo28gZGUgQ2lkYWTDo28xFDASBgNV
BAsMC3N1YkVDRXN0YWRvMUkwRwYDVQQDDEBFQyBkZSBBc3NpbmF0dXJhIERpZ2l0
YWwgUXVhbGlmaWNhZGEgZG8gQ2FydMOjbyBkZSBDaWRhZMOjbyAwMDE1MB4XDTE5
MDgwNjE2NTMzNloXDTI0MDgwNjIxNTkwMFowgewxCzAJBgNVBAYTAlBUMRwwGgYD
VQQKDBNDYXJ0w6NvIGRlIENpZGFkw6NvMSswKQYDVQQLDCJBc3NpbmF0dXJhIFF1
YWxpZmljYWRhIGRvIENpZGFkw6NvMRwwGgYDVQQLDBNDaWRhZMOjbyBQb3J0dWd1
w6pzMR0wGwYDVQQEDBRET1MgU0FOVE9TIFJPRFJJR1VFUzEUMBIGA1UEKgwLSk/D
g08gUEVEUk8xFDASBgNVBAUTC0JJMTUxNTQwNDQ2MSkwJwYDVQQDDCBKT8ODTyBQ
RURSTyBET1MgU0FOVE9TIFJPRFJJR1VFUzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
ADCCAYoCggGBANFgEJIN4JA2SgZaNFFgST4RkmK1MfTUIqCx9jvANhRdOtkcfuSd
GGzL+SM2dVw8TyRGLW9/WsAnhBgQaWkDHZ5s9pHA/SIWHbT8dJLNKrCb3kjwsmKm
ZVYVTI2uOa8WeZcVx79ZPsN6uFMgW2Y6W06LpSqEbYq8ffhLcBpuAHy0AXsMWENP
TorldxS0VxkBb3uTjjUDGajRRqGV+vNaNrspl2tGWgj1fn5yKEHwytE8U0g/llTr
m10vZqAM0QwnwjfoO9uoptRI8GIAOOoThXl3wKLZ943E15IZA8ltxf/Ox3OsFqH7
kzU5Rk6ilDlrAmhROlx6hLIaH2lJ2MZROD3PSB0E9n4LkrTBCzpPja7JKY9KlLaf
oYJqNJMHDOLLXtNH4N2SEG25Crkl1wBJts5gkySJ4Eoa7i/KaY4TckGe0IFq0PWN
dWCKS7IJNC4x7FgzT09sjZmYNt4YSdSN1KDTPqygRSd00epR5sJmrVn8EBa6Lezk
zopMHDgalR4YrwIDAQABo4IDjTCCA4kwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAW
gBSm0O/UgAwFq6Y+Ujb0iRjHy8cHhjBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUH
MAGGL2h0dHA6Ly9vY3NwLmFzYy5jYXJ0YW9kZWNpZGFkYW8ucHQvcHVibGljby9v
Y3NwMG8GA1UdLgRoMGYwZKBioGCGXmh0dHA6Ly9wa2kuY2FydGFvZGVjaWRhZGFv
LnB0L3B1YmxpY28vbHJjL2NjX3N1Yi1lY19jaWRhZGFvX2Fzc2luYXR1cmFfY3Js
MDAxNV9kZWx0YV9wMDAwOS5jcmwwggEFBgNVHSAEgf0wgfowNQYIYIRsAQEBAgow
KTAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuc2NlZS5nb3YucHQvcmVwMAkGBwQA
i+xAAQIwVQYMYIRsAQEBAgQBAAEBMEUwQwYIKwYBBQUHAgEWN2h0dHA6Ly9wa2ku
Y2FydGFvZGVjaWRhZGFvLnB0L3B1YmxpY28vcG9saXRpY2FzL2NwLmh0bWwwCAYG
BACPegECMFUGC2CEbAEBAQIEAQAHMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly9wa2ku
Y2FydGFvZGVjaWRhZGFvLnB0L3B1YmxpY28vcG9saXRpY2FzL2Nwcy5odG1sMCgG
A1UdCQQhMB8wHQYIKwYBBQUHCQExERgPMTk5NjExMDUxMjAwMDBaMIHMBggrBgEF
BQcBAwSBvzCBvDAIBgYEAI5GAQEwCAYGBACORgEEMFoGBwQAjkYBBgEMT0NlcnRp
ZmljYXRlIGZvciBlbGVjdHJvbmljIHNpZ25hdHVyZXMgYXMgZGVmaW5lZCBpbiBS
ZWd1bGF0aW9uIChFVSkgTm8gOTEwLzIwMTQwSgYGBACORgEFMEAwPhY4aHR0cDov
L3BraS5jYXJ0YW9kZWNpZGFkYW8ucHQvcHVibGljby9wb2xpdGljYXMvY3BzLmh0
bWwTAlBUMGkGA1UdHwRiMGAwXqBcoFqGWGh0dHA6Ly9wa2kuY2FydGFvZGVjaWRh
ZGFvLnB0L3B1YmxpY28vbHJjL2NjX3N1Yi1lY19jaWRhZGFvX2Fzc2luYXR1cmFf
Y3JsMDAxNV9wMDAwOS5jcmwwHQYDVR0OBBYEFLrF2/nufX4NB++TAh11QPZ3tLbT
MA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAgEAIkLpTukH4D00sRw5
FeJamsVsOYIOsF6uNy9CXAETyRMxWecs+vpc8pIgDVeWrQoY1dQTZjtwYEerpT+L
rBBFKh8YTvVoV0U36twaz1b1iTkz/QrurA9BkbzI8MIR1iTn2U1uLcUm3NgEbQOZ
SjnkRBmN3MjBVL8AVwjeTSkvxIrH9NJJXz9Tx3/b92TTmRan4sOdEsPnB3KVyhUB
l7NI6qLSDvMhCdTGT4L9f97sl89UGO8TbNeNw6DN9DogXyWQGHAqCXW2mMU+GiKP
O3bwGLEpR/Dray6Igskb3QqDmZfCgPQPP64KzClIrJORzOMT5UnSq9kYg8nmjIFT
TCLGnsahzqoqym+o8QztdTjH4E1mbIQtqxARRWWto9vy19fST2/KxpJX+jIl6iOP
Om4d3bo0m53eXb5rpOdAJGTFphFeCDdDU6E9KCraTX7MjcStE7k+n9qBna/IlCk1
rJIQd/sGBXF3rSUnezhxfGXG957AeKd1IB80TPhnbJ1SXNc1gGPXjnD+O172V8eB
8G4gbYD+PTO6XnH5La6e0G96Vn//NmfX8lmqP7WyndMHt43zcD3PXNJe381QX4w9
sQ8j+13wvzNjKNQUCdnf5DvDHAtElXzQ1Oi5+LZ+zK0FLIYZMbEIdwv6hHrOY6HG
j94nWA3YtePdc5rYES5X4tFvxic=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIH9zCCBd+gAwIBAgIIdKUDoFaXz/AwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNV
BAYTAlBUMUAwPgYDVQQKDDdTQ0VFIC0gU2lzdGVtYSBkZSBDZXJ0aWZpY2HDp8Oj
byBFbGVjdHLDs25pY2EgZG8gRXN0YWRvMREwDwYDVQQLDAhFQ0VzdGFkbzEgMB4G
A1UEAwwXQ2FydMOjbyBkZSBDaWRhZMOjbyAwMDQwHhcNMTgwNjI3MTI1MzMwWhcN
MzAwNjI3MTI1MzMwWjCBwTELMAkGA1UEBhMCUFQxMzAxBgNVBAoMKkluc3RpdHV0
byBkb3MgUmVnaXN0b3MgZSBkbyBOb3RhcmlhZG8gSS5QLjEcMBoGA1UECwwTQ2Fy
dMOjbyBkZSBDaWRhZMOjbzEUMBIGA1UECwwLc3ViRUNFc3RhZG8xSTBHBgNVBAMM
QEVDIGRlIEFzc2luYXR1cmEgRGlnaXRhbCBRdWFsaWZpY2FkYSBkbyBDYXJ0w6Nv
IGRlIENpZGFkw6NvIDAwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQC5SoMBzWnnpeZ9CiW90wV/6uNWhNwsUwCID0CpykMQ7rt0W9O5bIsNIXkpptPq
W6VnSvvzWjINSvIOYKAc3puVquAp77CA2+0kAfs0nayZgo734EOi0nYwc5Kr3Du1
yLH3CQZTwMB/ubHE3ccSQHwMGh3i/mIQGzHQI4q8vEAYZel9IkA8RY0SX7H44i+5
ahhiNHLi8ys+3/sMmrOEBLo/Nt1OdWdLDd4gODXJIW0QHzwunhjTXifS6ckvf2lD
ilgEGuIeLmg7j2ixiEuFbePPPv4ZkNLXzJ4ny2UCBjr4OvbhcNfrKLk00107lhmh
cgB8K0iPF+WOJvJ1OLkMldZfroLHrfMBMU/6fdGAwlzvfRMjK6+IEZDZXxNiD/Sc
cQPCXu1mJtgeuCLmu+cDnFzPswGgFstu6QLWOKrqumido2bGei7lOK1AM5QORhY5
FKRbtTPHAFsMTnGHjNUfq0NmoZ8CjXOtz6uqDL4Fl/Gtqb4/c+kGuPrraLtAkCnh
9LbZLhQf63fN1WUwcGpI0K6gvlYtFg2dDw7zYpbDP5MaRLSu20VPjDTyEzP/9b9w
ApbLhrVYtWRvzaDFMfTlxLEOFF5q1nmT1mQkpdUwlK0X3AvETKzypGPePhrTV9AK
lpF2mvP9pLTwk9dRPzfiXRFNSGhPll1GDJSqKlMpynLhAQIDAQABo4ICLDCCAigw
TAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzABhjBodHRwOi8vb2NzcC5yb290LmNh
cnRhb2RlY2lkYWRhby5wdC9wdWJsaWNvL29jc3AwHQYDVR0OBBYEFKbQ79SADAWr
pj5SNvSJGMfLxweGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUGXYM
rv4BYWlEtkHrz6Q4c8L7nTowggEZBgNVHSAEggEQMIIBDDBmBgpghGwBAQECBAAH
MFgwVgYIKwYBBQUHAgEWSmh0dHA6Ly9wa2kuY2FydGFvZGVjaWRhZGFvLnB0L3B1
YmxpY28vcG9saXRpY2FzL2RwYy9jY19lY19jaWRhZGFvX2RwYy5odG1sMG4GC2CE
bAEBAQIEAAECMF8wXQYIKwYBBQUHAgEWUWh0dHA6Ly9wa2kuY2FydGFvZGVjaWRh
ZGFvLnB0L3B1YmxpY28vcG9saXRpY2FzL3BjL2NjX3N1Yi1lY19jaWRhZGFvX2Fz
c3FfcGMuaHRtbDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHA6Ly93d3cuc2Nl
ZS5nb3YucHQvcGNlcnQwVwYDVR0fBFAwTjBMoEqgSIZGaHR0cDovL3BraS5jYXJ0
YW9kZWNpZGFkYW8ucHQvcHVibGljby9scmMvY2NfZWNfY2lkYWRhb19jcmwwMDRf
Y3JsLmNybDAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIRW2USZ
kcNCwlcADbAw/vQfvGHGp+vECDlqFuYaJ7a3ZkCWRM6/s1gulz7H6xgnthOvqvFL
wca9HiI9V+so+05Tc/26lhY1KT3q0R1ExX4yymZQm2H+W+hTCBs3P4OQmxMloHjC
T84Q6x2VIUNtgrTlTkAMjhnMAJJiF4DEqFPUWXv8uwArWu1EaJblh5EaFPn3GGFF
7Omwxc15ZTuPakaZRL9X3hlDlG3XfRZppzyRqtvQo+znNFpbNuVuhSy7dy9Qqgib
NcyntrePvM/0BJWpOgZXo8Z4HnzGLpQ1n5SHcnfqK/xB6C4zwES9MxbBRW1wGE0w
99XpEpiZs+gwcc/KcIx7Fsmvx6NOAQjBhej9aUGJNziXkGFyN6rW+St8sOc2eAFU
BBLvS73hWQpC6uLTwjY2p1ZhbPy1mroEd9lbinQSUf7j39IUQWJwOwI3GjezS0qD
E62cX5WpdJACu8yavjFy+ki30brdCOPrvE+z7YjW0WEEd0Xu0JZ/nPpLD0ATvNg/
iS31hQW5uajdLw9+YaUHB335qjVCJc1JyI5CnCuglgcu+qNCHyKaXl62jfd5oURY
woEMtHw+/LCLgFx157akvjUtXv3QGk6lW3MCuCfDm+vy0IlNoScXWjSLWEvX4CV5
Cx9UyBoTAgS0UmAw5ZiNq0K/9U0gSPcrKq74
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGgzCCBGugAwIBAgIQIGZ/j4MKsNZZu+pRKWZYRjANBgkqhkiG9w0BAQsFADAz
MQswCQYDVQQGEwJQVDENMAsGA1UECgwEU0NFRTEVMBMGA1UEAwwMRUNSYWl6RXN0
YWRvMB4XDTE3MDkxNTE0NTcyMVoXDTI5MDkxNTE0NTcyMVowgYQxCzAJBgNVBAYT
AlBUMUAwPgYDVQQKDDdTQ0VFIC0gU2lzdGVtYSBkZSBDZXJ0aWZpY2HDp8OjbyBF
bGVjdHLDs25pY2EgZG8gRXN0YWRvMREwDwYDVQQLDAhFQ0VzdGFkbzEgMB4GA1UE
AwwXQ2FydMOjbyBkZSBDaWRhZMOjbyAwMDQwggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQDE7EnPxshWE2Bq9IafH1QfPgG/BMuA8/g51WSrYUBYWUVaoSEO
hloxVvUdIuUw+/HiHMWdgHyT0VgOGp2EelRb3uGxsdORqAIMDeBmsTwYM6/s5OEP
meluWlF6ytZya+EUdY4YKNeXeO7lQg91oVcNBLEW3wS62GPko43jajnuMvRvB1DR
2uHcijonDklI72SVQq9SRHuwbkPmr1QssyQoVr1EofUV1MShaF6TpfpZdw3YSmaD
zr2NViYFBa4jPa3a/98mntak5rEc96wUtVqgdiiIqFKXwYuK3dDJV9OL71mvJgPG
01bLBm6/RCOJJQqibq0UuX7wmpVB5r3eYrS9b5kGAwO37jfvLsZiJDyvg9ZNkU4A
/UvVdAHzL5d5l54OMZoV/BGsRrNw5aBl4M3X3L5n/m8XnT05cdyhFxVBvCGZbbgX
JhohxmU+SCIv/CxNi44ISvvnBuWHV4YJqXhC62pgOg8EQ5zzqEyS5yQjjrWNPzT7
+biJFN4iImlCtHJo5Atypbz5PqPF0njAWHT1POeB+Aw+XOsWz8uthnAENLbKuksW
x+P4wYnZw+yvbUSag96AKLECLvim7CfBO0yP2IoOowdCBC4wKnWuljOcXUPFgwVp
RlC+sxJewAqi14J1crboV7i3HCfJJulwxgpkr76aakeZTap/QHkEbZch8wIDAQAB
o4IBPzCCATswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGXYMrv4BYWlEtkHr
z6Q4c8L7nTowHwYDVR0jBBgwFoAUcX813vV3cW0dEpzhkKS68KmDj4AwDgYDVR0P
AQH/BAQDAgEGMDsGA1UdIAQ0MDIwMAYEVR0gADAoMCYGCCsGAQUFBwIBFhpodHRw
Oi8vd3d3LmVjZWUuZ292LnB0L2RwYzBkBggrBgEFBQcBAQRYMFYwIwYIKwYBBQUH
MAGGF2h0dHA6Ly9vY3NwLmVjZWUuZ292LnB0MC8GCCsGAQUFBzAChiNodHRwOi8v
dHJ1c3QuZWNlZS5nb3YucHQvZWNyYWl6LmNydDA1BgNVHR8ELjAsMCqgKKAmhiRo
dHRwOi8vY3Jscy5lY2VlLmdvdi5wdC9jcmxzL0FSTC5jcmwwDQYJKoZIhvcNAQEL
BQADggIBADYaqZHmOWUZuyhQEm5l5wQuk5hvMMxuikA4FhewCx3aEoSFnBKAGXTh
0ST891bcSukfSDHsEc1S2PYURmQq4d+KuXK0Xd0CsH6bmQW5J67qGefrJTtKx0bM
i8isPQX26ANL37ZVNsDm07dw+XrDJQ3NY7gEbZ+GNxV8hXCTZMgHA9Gy2NmYqPhZ
ZDdLpdH7acpNC3AnorqRWPvmTEU/BlKLb2APlFJ/d4F2lD7DUiO5yxNV5opKhVwA
5Ddpx8ubqG2u01KzCnUaTv11YmfvaZdAbmdYXirLV1unh38mqFs6ZLh2B1BZ4e9/
9fDrKnOUQ+BgG3gfsbCmfhwnGzWaZtXAES9gHIDv0g3EHprA09DYd1cICdlxrlCj
v3AHuGxqd+kjj19RwxbIJX2KZ9jeFqlmiXiFXvjX9KwUa3uY2MXr8MBNiX6oTSPt
AeLJDnitpF+a365BrNoffjwhnjE9JFF4LUCw40CCeesx0o9O6QpXJiNuqNLP5a3+
k12TpJI664tFnwbvLoHQk3mQJHToY6zVgAOYduZBZTdIiit6y8/q7hxe2ada39TF
Li8JZVG0QSvhJ+jZDoO+ZRqP9C9dfGECNacrL91u7LORVw45sgApqC1MVC/f+PUY
vUhF7ez7xG+RH+G6hpW+oIKYAJiJRTp/X5HYknDzYaHtxv0GfWCL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFhTCCBG2gAwIBAgIEByfTSzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE1MDkwOTE3NDAxMloX
DTIyMDkzMDE3MzkxMVowMzELMAkGA1UEBhMCUFQxDTALBgNVBAoMBFNDRUUxFTAT
BgNVBAMMDEVDUmFpekVzdGFkbzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBANvvokNuyKn9btffrKKShKHIWaAMmlP+767MGQ1yiqTCMyPv5wZy6m1LOkFS
D8lIDi3numTuojpMY1xmKYvfqYjFvejx945L/AE8RBI5KnCiwNvFot9fx0vGqNw9
YXxKWMFEMpPecJmhIyZWP6Ph6l8wRth49TCjlgmJsD3xhpMFthJqGI3wpWQ7K4dk
Xj0Xjgtu5pjMlzg4IIxwWmkrvWWNzTdZXGzRcnRZBk7ItwHXd7/wSIaosxpdQdQ3
FxEQX0pujXXFA0B9Ia4A8Nv8n2w6ZqTf98rfgGZa2dh/FKImGfSuCyHgyj4F3RbY
flnaobBpw500E/plSTmH7nYvjb08JxkDTq0OCyssxi5xEzUpV+lw3BtR6s2X8ZWN
sob6JgYvgBqV8Zg77vblhqXOGwHl9Okzyg9VRF9oiizHW2Yo3ZZLg51eHX4Y1f6y
YPuaUWjDlowfaEtQUgs25jEn5NcpDBvaGy/hBFO41HlJsDuBXgiIInfiKcCucqqr
tHJSvWy79bp42Zy4IG8wjUqdMvn0AeZieZhCQAV6bxwqP7X7380YQI7lEMQ5W1bx
PFcFq9I5TT/4iyPHa7lAseL+/7McCmkfm4wPtB/gCt5I/Y1fj5n1AXYFNl2O3DOO
UW4R4kH9zLeNKl8+kuXyseCkI+Kit8aNGJspStFGf/RkIBjdAgMBAAGjggF4MIIB
dDASBgNVHRMBAf8ECDAGAQH/AgECMIGFBgNVHSAEfjB8MEgGCSsGAQQBsT4BADA7
MDkGCCsGAQUFBwIBFi1odHRwOi8vY3liZXJ0cnVzdC5vbW5pcm9vdC5jb20vcmVw
b3NpdG9yeS5jZm0wMAYEVR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVj
ZWUuZ292LnB0L2RwYzBCBggrBgEFBQcBAQQ2MDQwMgYIKwYBBQUHMAGGJmh0dHA6
Ly9vY3NwLm9tbmlyb290LmNvbS9iYWx0aW1vcmVyb290MA4GA1UdDwEB/wQEAwIB
BjAfBgNVHSMEGDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DBCBgNVHR8EOzA5MDeg
NaAzhjFodHRwOi8vY2RwMS5wdWJsaWMtdHJ1c3QuY29tL0NSTC9PbW5pcm9vdDIw
MjUuY3JsMB0GA1UdDgQWBBRxfzXe9XdxbR0SnOGQpLrwqYOPgDANBgkqhkiG9w0B
AQsFAAOCAQEAVdI4Tzjt9OeY0EM41ZFr1Mk7M2sONPgvkW76GuNAgljUE2tBA/38
iZ9Escb5JMt1AiwCQ6qC+egj9jQQ5NPpyIQsXCHOQrPN/JUlUqYD7eB3FkGF1O0A
nIBjWlFbGWV8Q2FPjUGQmfbZZYVnS3rCZyEPlw3y8WohBQwqVQ85KxnPZD8Sica+
SBN3m7W5du1W0rI6xUGuxoyDM3BRm6M2FhvwXy+2aXZcgXc8v3/e0ab14wNBE2FF
RFZcOVzBypKv9FB9VKSiyloqdDiRO/+YJKItMm11vj4yxISLc2EQe/E3FoBW0oDX
xBeu+JTgwWd9Xuy7diyPKFMi6sWJkatakg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHADCCBOigAwIBAgIIf5WhfCWeQ2UwDQYJKoZIhvcNAQELBQAwgYUxCzAJBgNV
BAYTAlBUMUIwQAYDVQQKDDlNVUxUSUNFUlQgLSBTZXJ2acOnb3MgZGUgQ2VydGlm
aWNhw6fDo28gRWxlY3Ryw7NuaWNhIFMuQS4xMjAwBgNVBAMMKU1VTFRJQ0VSVCBS
b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IDAxMB4XDTE2MTEyOTE3NTEwOFoX
DTIwMTEyODE3NTEwOFowgbcxCzAJBgNVBAYTAlBUMUIwQAYDVQQKDDlNVUxUSUNF
UlQgLSBTZXJ2acOnb3MgZGUgQ2VydGlmaWNhw6fDo28gRWxlY3Ryw7NuaWNhIFMu
QS4xLzAtBgNVBAsMJkVudGlkYWRlIGRlIENlcnRpZmljYcOnw6NvIENyZWRlbmNp
YWRhMTMwMQYDVQQDDCpNVUxUSUNFUlQgLSBFbnRpZGFkZSBkZSBDZXJ0aWZpY2HD
p8OjbyAwMDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCV8akRYT1d
fNnFVQZ4O3k9Vc90fm0YPfO9sf8tpiXmrFGAzD3iFXUxiZbfULl0+xjAw8ia7qd8
J7V/B1y0F/cK1rscyD/xxN3Sqy/9p5f1HKy4/vq6J5gaI+LbarQOJE16/1PtjX9F
aCfGccZa7dc8Run0FmEwmqp5b8nZNdyfLgyB2SOWCquCUJpgP18JgU1LvwTcYsdk
auBajMPIslG0Fzf3wRTSX17ACbj5Hc5QuReFAfuEDlqO2oBJliIc2vqA3Jw7PdzV
dh8n8WIXfrLb9oCsfhBFFJ49Ct68pafeugrnejocOBE5+pYhI+GzyhupG6OYEG92
QLrauSe7AW23GLtkxoBNmIrzAIDXZnNxRB5CgmnWBfwNBCdfX8SxqrBtarvF9JZE
KVpMV/eQ+2muZKICcJFdUnRNnW/0SESBqO3jsCwvqxtPVqK/89NAjkb7ttBzUzHb
Q2e/vzHUqgzfsN3iz0YF1WfhEervPaXBqsGDYRitVcg/nAaQrWHS4616NXhWQg1H
EiFoshMzuluInYNqu8eHscG52TndlFPc5GtgCxCn3Hjx0Ra3aXRSCsb4lIjcQRbi
lOraqUUzyWLnk61EIsdYixmP/KzeFtzAoXtg6SjYFS3k8iFwaF/KglxU02DJuR7l
GW4knWng4vnbT5KU7SV2xzxgDxX7vwfupQIDAQABo4IBPjCCATowOgYIKwYBBQUH
AQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5tdWx0aWNlcnQuY29tL29j
c3AwHQYDVR0OBBYEFH8zcn9M2jTIDqd1yy6DmBsGuKaQMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHwYDVR0jBBgwFoAU1TkcnFtvBKqilUzvIN0pdKTFRXEwVQYDVR0gBE4w
TDBKBg0rBgEEAYHDbgEBAQAHMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9wa2lyb290
Lm11bHRpY2VydC5jb20vcG9sL2luZGV4Lmh0bWwwQQYDVR0fBDowODA2oDSgMoYw
aHR0cDovL3BraXJvb3QubXVsdGljZXJ0LmNvbS9jcmwvcm9vdF9tY19jcmwuY3Js
MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAIyiu4XwaaopV7JWH
ytYA+uZghYMGU9ZN0lf1A6XAu6XZ25gzpYvGWBiPzE7YmT4hiRjSgA0EfoOJK7ny
MiaIIitO9FbN5HeYGaXi5uzd6tHjCgYmPXJ/wssz9+IfTszE6ib4BSlnGL0BTj3m
6eQSuNpxGIyXjAPdg/LITjg8QFbCmAauXct6NmBrJAmZyEaPilWCRg0ZJDNe2Pjd
IxorpGy9Eo4EV0ujo5a9yFgyJSj/EmMSiRZp+tf66Pc9B5ntWi7vD4cuLGP5t7IS
dxcmdLNtqBkWxwFLkoca0xphDAREnrz2vznwNCPykeTMA2ifktgnOzFZV3H7v2bp
Kuc+EIW9GrWbjn83AlWFMW8iWPQ/RR9yi4OzRmqlbLxM1cPT6eTZ5vWddr34cKbJ
UPq4WncVBRyFcunANtQ6aHc8hxWSm2iBWov4FCb56j+x5x1c4Zskl4HKqyjJEu1S
+K1RVFT+9MLA4Vu4lDJsUH8UWHXcDji6P3zYFzLnxpFd3/lg8QNOixmd4B4KmaPh
ZWBvcg7/QsEsklkmWDBsgtkWiofXo/QghQFHm7QH4RjVyYrOCE0CzgAK791V7InU
bc4v1mvbTsadenCYaR43L3YbdwDNoONOSUavOqOPrN45MQZMwlizRcwj23cMNKo5
3/axtMg0XPkxOiXqmGztR+O4DG4=
-----END CERTIFICATE-----
```

avzuquete commented 3 years ago

> I've checked the chain step by step with openssl and it says it is good.

> That doesn't really help in this situation, as we don't use OpenSSL's chain building, nor validation code.

I thought so. But my comment was not in that direction.

I knew that chain is correctly found (and presented) by the standard Windows certificate presenter. I just checked if openssl would behave likewise; and it does. And, as such, this reduces the probability of having encoding problems on the certificates. They may exist, though, I don't know enough of ASN.1 to discuss that with you, but it is very unlikely, given the results of those two tools.

Regards,

wbond commented 3 years ago

Can you provide the code that resulted in the backtrace?

So far it looks like the encoding on the leaf is good, so it is likely that the encoding corruption is from wherever the exception was printed.

avzuquete commented 3 years ago

> Can you provide the code that resulted in the backtrace?

> So far it looks like the encoding on the leaf is good, so it is likely that the encoding corruption is from wherever the exception was printed.

Sure. First parameter is the certificate to check, second is year, then month, then day, then the rest of the certificates in the chain.

```python
#!/usr/bin/python3

import sys
from datetime import datetime

from asn1crypto.util import timezone
from certvalidator import CertificateValidator, ValidationContext, errors


def main():
    if len(sys.argv) < 6:
        print(
            "Usage: %s certificate year month day chain_certificate [chain_certificate]\n" % sys.argv[0],
            file=sys.stderr
        )
        sys.exit(1)

    # vc = ValidationContext( moment=datetime.now(timezone.utc) )
    # validate as of the date given on the command line (UTC)
    d = datetime(year=int(sys.argv[2]), month=int(sys.argv[3]), day=int(sys.argv[4]), tzinfo=timezone.utc)
    vc = ValidationContext(moment=d)

    # remaining arguments: the other certificates of the chain, passed as intermediates
    pki = []
    for i in range(5, len(sys.argv)):
        with open(sys.argv[i], 'rb') as cf:
            pki.append(cf.read())

    with open(sys.argv[1], 'rb') as cf:
        validator = CertificateValidator(cf.read(), pki, validation_context=vc)

    # key usage bit names as asn1crypto spells them ('key_encipherment', not 'key_encypherment')
    for usage in ['digital_signature', 'non_repudiation', 'key_encipherment', 'key_agreement',
                  'key_cert_sign', 'crl_sign', 'encipher_only', 'decipher_only']:
        try:
            validator.validate_usage(set([usage]))
            print("YES: %s" % usage)
        except errors.PathValidationError:
            print("NO: %s" % usage)


if __name__ == "__main__":
    main()
```

3lixy commented 3 years ago

The current chain that is posted in the message https://github.com/wbond/certvalidator/issues/32#issuecomment-730719529 looks to be:

```
Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Issuer:  <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
AKI BA:C5:DB:F9:EE:7D:7E:0D:07:EF:93:02:1D:75:40:F6:77:B4:B6:D3
SKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86

Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Issuer:  <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
AKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86
SKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A

Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Issuer:  <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
AKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A
SKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80

Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Issuer:  <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80
SKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0

Subject: <Name(C=PT,O=MULTICERT - Serviços de Certificação Electrónica S.A.,OU=Entidade de Certificação Credenciada,CN=MULTICERT - Entidade de Certificação 001)>
Issuer:  <Name(C=PT,O=MULTICERT - Serviços de Certificação Electrónica S.A.,CN=MULTICERT Root Certification Authority 01)>
AKI 7F:33:72:7F:4C:DA:34:C8:0E:A7:75:CB:2E:83:98:1B:06:B8:A6:90
SKI D5:39:1C:9C:5B:6F:04:AA:A2:95:4C:EF:20:DD:29:74:A4:C5:45:71
```

As you can see, the root cert provided is not suitable for the chain.

This is the chain that works for me but with Root Cert (https://crt.sh/?id=76) instead of the Root Cert provided.

```
Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Issuer:  <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
AKI BA:C5:DB:F9:EE:7D:7E:0D:07:EF:93:02:1D:75:40:F6:77:B4:B6:D3
SKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86

Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Issuer:  <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
AKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86
SKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A

Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Issuer:  <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
AKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A
SKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80

Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Issuer:  <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80
SKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0

Subject: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
Issuer:  <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
SKI
```

However when using this correct ROOT cert you will encounter the issue fixed in https://github.com/wbond/certvalidator/pull/28.
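
The path-building rule that the listing above relies on, as an added example that is not part of the thread or of certvalidator's code: an issuer candidate must have a subject equal to the child's issuer name and, when the child carries an authorityKeyIdentifier, a subjectKeyIdentifier equal to it; the search stops at a self-issued certificate. The records below are constructed from the posted PEM blocks, with names abbreviated to their CN and key identifiers shortened to their first eight bytes and labeled by the extension each value is read from (the leaf's subjectKeyIdentifier is BA:C5:…, its authorityKeyIdentifier A6:D0:…). Run against the certificates that were attached, it reproduces the "no issuer matching … was found" shape of the first comment; adding the Baltimore CyberTrust Root makes a path appear.

```python
# Added example (not certvalidator code): the issuer-matching rule behind
# "no issuer matching ... was found", applied to the metadata of the posted
# chain.  Constructed records; names abbreviated to the CN, key identifiers
# cut to their first eight bytes.
from dataclasses import dataclass
from typing import List, Optional


class PathBuildingError(Exception):
    pass


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    ski: Optional[str]          # subjectKeyIdentifier (hex)
    aki: Optional[str] = None   # authorityKeyIdentifier.keyIdentifier (hex)

    @property
    def self_signed_shape(self) -> bool:
        # a candidate anchor: issued to itself and, if it names a key identifier, its own
        return self.subject == self.issuer and self.aki in (None, self.ski)


def issuer_candidates(child: CertInfo, pool: List[CertInfo]) -> List[CertInfo]:
    """Certificates in `pool` that could have issued `child`: subject equal to the
    child's issuer and, when the child carries an AKI, SKI equal to that AKI."""
    return [c for c in pool
            if c.subject == child.issuer
            and (child.aki is None or c.ski == child.aki)]


def build_paths(leaf: CertInfo, pool: List[CertInfo]) -> List[List[CertInfo]]:
    """Depth-first search for every path leaf -> ... -> self-issued anchor.
    Raises PathBuildingError naming the dangling issuer when none exists."""
    paths: List[List[CertInfo]] = []
    dangling: List[str] = []

    def walk(path: List[CertInfo]) -> None:
        current = path[-1]
        if current.self_signed_shape:
            paths.append(list(path))
            return
        candidates = [c for c in issuer_candidates(current, pool) if c not in path]
        if not candidates:
            dangling.append(current.issuer)
        for cand in candidates:
            walk(path + [cand])

    walk([leaf])
    if not paths:
        raise PathBuildingError(
            'Unable to build a validation path for "%s" - no issuer matching "%s" was found'
            % (leaf.subject, dangling[0]))
    return paths


def dangling_issuer(leaf: CertInfo, pool: List[CertInfo]) -> Optional[str]:
    """The issuer name that could not be found, or None when a path exists."""
    try:
        build_paths(leaf, pool)
        return None
    except PathBuildingError as exc:
        return str(exc).split('"')[3]


# --- constructed from the posted chain ---------------------------------------
LEAF = CertInfo('JOÃO PEDRO DOS SANTOS RODRIGUES',
                'EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015',
                'BA:C5:DB:F9:EE:7D:7E:0D', 'A6:D0:EF:D4:80:0C:05:AB')
SUB_0015 = CertInfo('EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015',
                    'Cartão de Cidadão 004',
                    'A6:D0:EF:D4:80:0C:05:AB', '19:76:0C:AE:FE:01:61:69')
CC_004 = CertInfo('Cartão de Cidadão 004', 'ECRaizEstado',
                  '19:76:0C:AE:FE:01:61:69', '71:7F:35:DE:F5:77:71:6D')
EC_RAIZ = CertInfo('ECRaizEstado', 'Baltimore CyberTrust Root',
                   '71:7F:35:DE:F5:77:71:6D', 'E5:9D:59:30:82:47:58:CC')
MULTICERT = CertInfo('MULTICERT - Entidade de Certificação 001',
                     'MULTICERT Root Certification Authority 01',
                     '7F:33:72:7F:4C:DA:34:C8', 'D5:39:1C:9C:5B:6F:04:AA')
BALTIMORE = CertInfo('Baltimore CyberTrust Root', 'Baltimore CyberTrust Root',
                     'E5:9D:59:30:82:47:58:CC')          # no AKI on this root

POSTED_CHAIN = [SUB_0015, CC_004, EC_RAIZ, MULTICERT]   # what the issue attached

if __name__ == '__main__':
    print(dangling_issuer(LEAF, POSTED_CHAIN))          # Baltimore CyberTrust Root
    for path in build_paths(LEAF, POSTED_CHAIN + [BALTIMORE]):
        print(' -> '.join(c.subject for c in path))
```

Two things to check when porting this back to the real library: certvalidator takes its anchors from the system trust store unless `trust_roots` or `extra_trust_roots` is passed to `ValidationContext`, and the script posted earlier in the thread passes every chain certificate as an intermediate, so the expected root has to be present as an anchor for the path to terminate.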

chrisdlangton commented 2 years ago

I'm also having trouble validating the cert chain and am happy to open a separate issue if needed, but I'll add to this one until asked to make a separate specific issue for my scenario.

To make things easy, I'll test against badssl.com so we can avoid zipping certs or posting walls of text. Choose any host you like for this problem, they all have a chain.

the chain obtained using:

```python
import logging
from socket import AF_INET, SOCK_STREAM, socket

import requests
from OpenSSL import SSL

logger = logging.getLogger(__name__)


def get_peer_certificate_chain(domain_name):
    peer_certificate_chain = []
    for method in [SSL.TLSv1_2_METHOD, SSL.TLSv1_1_METHOD, SSL.TLSv1_METHOD, SSL.SSLv23_METHOD]:
        context = SSL.Context(method=method)
        for bundle in [requests.certs.where()]:
            context.load_verify_locations(cafile=bundle)
        sock = SSL.Connection(context=context, socket=socket(AF_INET, SOCK_STREAM))
        sock.settimeout(5)
        sock.set_tlsext_host_name(domain_name.encode())
        try:
            sock.connect((domain_name, 443))
            sock.setblocking(1)
            sock.do_handshake()
            # the chain as sent by the server (leaf first), as pyOpenSSL X509 objects
            for cert in sock.get_peer_cert_chain():
                peer_certificate_chain.append(cert)
            sock.shutdown()
            sock.close()
            break
        except Exception as ex:
            logger.exception(ex)
            sock.shutdown()
            sock.close()
    return peer_certificate_chain
```

but CertificateValidator takes 3 other types for intermediate_certs, and I chose PEM encoding:

```python
from OpenSSL.crypto import FILETYPE_PEM, dump_certificate

intermediate_certs = []
for cert in get_peer_certificate_chain(host):
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
```

okay on with the example;

```python
from certvalidator import CertificateValidator, ValidationContext

ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)  # should be self explanatory how to create a socket using get_peer_certificate_chain example
x509 = self.server_certificate.to_cryptography()  # I use the cryptography lib extensively
# later, I have access to the cryptography lib but CertificateValidator requires the der
# (tbs_certificate_bytes is the DER of the TBSCertificate alone: no outer SEQUENCE,
# signatureAlgorithm or signatureValue)
der = x509.tbs_certificate_bytes
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)
```

This is the error I get:

```
Error parsing asn1crypto.algos.SignedDigestAlgorithm - method should have been constructed, but primitive was found
 while parsing asn1crypto.x509.Certificate
```

The trace:

```
  File "/srv/app/.local/lib/python3.8/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/srv/app/.local/lib/python3.8/site-packages/certvalidator/__init__.py", line 98, in _validate_path
    if self._certificate.hash_algo in self._context.weak_hash_algos:
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/x509.py", line 2524, in hash_algo
    return self['signature_algorithm'].hash_algo
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3536, in __getitem__
    raise e
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3531, in __getitem__
    return self._lazy_child(key)
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3478, in _lazy_child
    child = self.children[index] = _build(*child)
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 5551, in _build
```

I have refactored to remove the usage of cryptography lib entirely, i.e.

```python
from OpenSSL.crypto import FILETYPE_PEM, dump_certificate
from certvalidator import CertificateValidator, ValidationContext

# create sock using get_peer_certificate_chain example
host = 'mozilla-modern.badssl.com'
intermediate_certs = []
for cert in get_peer_certificate_chain(host):
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)  # ssl.SSLSocket API: the peer's leaf certificate as DER bytes
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)
```

But no change, the same exception occurs. I've spent over 12 hours on this, the scenario is pretty complete now, and I am at a loss what to try next, so I'm keen for any advice at all.
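
A dependency-free way to tell which of the two byte strings reached CertificateValidator, as an added example that is not part of the thread, of certvalidator or of asn1crypto. In the cryptography library, `tbs_certificate_bytes` is the DER of the TBSCertificate alone (the portion that gets signed), while certvalidator expects the whole Certificate, i.e. SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; cryptography's `public_bytes(serialization.Encoding.DER)` and pyOpenSSL's `dump_certificate(FILETYPE_ASN1, cert)` return the latter. The trace above dies while reading `signature_algorithm`, the second element of the outer SEQUENCE; in a TBSCertificate the second element is the INTEGER serialNumber, which is primitive, which is exactly the mismatch asn1crypto reports. The classifier below reads only tags and lengths; the sample certificate it checks is constructed by hand and carries no real key or signature.

```python
# Added example (not certvalidator or asn1crypto code): tell a full DER
# Certificate apart from a bare TBSCertificate by looking at the outer
# SEQUENCE only.  The sample at the bottom is constructed and unsigned.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b''.join(items))


def integer(v: int) -> bytes:
    # minimal two's-complement encoding, non-negative values only
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, 'big'))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, end) for the element starting at `pos`."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = read_tlv(body, pos)
        out.append((tag, child))
    return out


def classify(der: bytes) -> str:
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        return 'not a single DER SEQUENCE'
    tags = [t for t, _ in children(body)]
    if tags == [0x30, 0x30, 0x03]:
        return 'certificate'        # SEQUENCE{ tbsCertificate, signatureAlgorithm, BIT STRING }
    if tags and tags[0] in (0xA0, 0x02):
        return 'tbs_certificate'    # starts with [0] version or the INTEGER serialNumber
    return 'unknown'


def second_element_is_constructed(der: bytes) -> bool:
    """asn1crypto needs Certificate.signature_algorithm (index 1) to be a
    SEQUENCE, i.e. to carry the constructed bit (0x20) in its tag."""
    _, body, _ = read_tlv(der)
    tag, _ = children(body)[1]
    return bool(tag & 0x20)


# --- constructed sample: version, serial and signature fields only ------------
SHA256_WITH_RSA = tlv(0x06, bytes.fromhex('2a864886f70d01010b'))  # OID 1.2.840.113549.1.1.11
SIG_ALG = seq(SHA256_WITH_RSA, b'\x05\x00')                         # AlgorithmIdentifier{oid, NULL}
TBS = seq(tlv(0xA0, integer(2)),   # [0] EXPLICIT version v3
          integer(0x1234),         # serialNumber (primitive INTEGER)
          SIG_ALG)                 # signature
CERT = seq(TBS, SIG_ALG, tlv(0x03, b'\x00' + bytes(4)))  # signatureValue: dummy BIT STRING

if __name__ == '__main__':
    print(classify(CERT), second_element_is_constructed(CERT))  # certificate True
    print(classify(TBS), second_element_is_constructed(TBS))    # tbs_certificate False
```

Feeding `TBS` where `CERT` is expected is the only way to get `tbs_certificate` / `False` out of this check on a well-formed certificate, so it is a quick first thing to run on the exact bytes handed to `CertificateValidator` before suspecting the library.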

wbond commented 2 years ago

@stof What version of asn1crypto are you using? The error message indicates that asn1crypto is finding an ASN.1 construction it doesn't expect in one of the certificates.

stof commented 2 years ago

@wbond you mentioned the wrong person

wbond commented 2 years ago

Sorry about that!

wbond commented 2 years ago

@chrisdlangton See above ^