The CA/Browser baseline requirements for TLS certs in Section 7.1.2.7.12 "Subscriber Certificate Subject Alternative Name" requires that if a certificate contains an empty Subject then the Subject Alternative Name extension must be marked as critical.
When such a certificate is constructed, it fails to validate because the SAN extension is not present in this list:
|
supported_extensions = set([ |
|
'authority_information_access', |
|
'authority_key_identifier', |
|
'basic_constraints', |
|
'crl_distribution_points', |
|
'extended_key_usage', |
|
'freshest_crl', |
|
'key_identifier', |
|
'key_usage', |
|
'ocsp_no_check', |
|
'certificate_policies', |
|
'policy_mappings', |
|
'policy_constraints', |
|
'inhibit_any_policy', |
|
]) |
What is the reason for having this restricted list in the first place? It seems to conflict with the API docs for validate_path() here:
|
Critical extensions on the end-entity certificate are not validated |
|
and are left up to the consuming application to process and/or fail on. |
The CA/Browser baseline requirements for TLS certs in Section 7.1.2.7.12 "Subscriber Certificate Subject Alternative Name" requires that if a certificate contains an empty Subject then the Subject Alternative Name extension must be marked as critical.
When such a certificate is constructed, it fails to validate because the SAN extension is not present in this list:
certvalidator/certvalidator/validate.py
Lines 667 to 681 in c594f0e
What is the reason for having this restricted list in the first place? It seems to conflict with the API docs for
validate_path()here:certvalidator/certvalidator/validate.py
Lines 31 to 32 in c594f0e