wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

Certificate chain verification #6

Open abhishek-ram opened 7 years ago

abhishek-ram commented 7 years ago

I am trying to set up certificate verification and I am seeing strange behaviour here. Please look at the following scenarios:

from certvalidator import CertificateValidator

# end_entity_cert, intermediate_certificate and root_certificate are asn1crypto.x509.Certificate objects
CertificateValidator(end_entity_cert).validate_usage(set([]))  # Fails as no issuer is found
CertificateValidator(end_entity_cert, [intermediate_certificate]).validate_usage(set([]))  # Fails again as no issuer is found
CertificateValidator(end_entity_cert, [root_certificate]).validate_usage(set([]))  # Succeeds even though the intermediate is not provided; openssl fails this
CertificateValidator(end_entity_cert, [root_certificate, intermediate_certificate]).validate_usage(set([]))  # Succeeds and is correct

Also, there is another strange behaviour that I have noted: suppose in this same scenario I use a ValidationContext and just add the end_entity_cert to trusted_roots (no root and intermediate certs added); it seems to pass the validation. I am not sure if this is intended.

wbond commented 7 years ago

I'd have to look at your specific certs and OS trust store to figure out what is happening with the first situation. I am wondering if the intermediate is somehow available from your OS trust store? The fact that it works by providing a root cert as an intermediate without the real intermediate seems odd.

If you trust the end-entity certificate as a root, then validation will implicitly pass. It constructs a path to a trusted root, which ends up being the end-entity certificate. It then validates that path and sees that the end-entity certificate is a root, and succeeds.

abhishek-ram commented 7 years ago

Yes, I see your point, and it looks like it was an issue with my OS trust store.

I see another issue here now. I have a self-signed certificate, and in order to validate it I have added it to the trust store. It gets validated, but the issue is that if I use an expired certificate it also gets validated. What could be the reason for this?