Reputation: 155
I noticed that changing the order of the two intermediate CAs (when one is irrelevant) results in a different verification result:
```python
root_1, chain_1, leaf_1 = generate_chain()  # root, intermediate, leaf
root_2, chain_2, leaf_2 = generate_chain()
r0 = validate_chain(leaf_1, [chain_1], root_1)  # leaf, intermediates, root
r1 = validate_chain(leaf_1, [chain_1, chain_2], root_1)
r2 = validate_chain(leaf_1, [chain_2, chain_1], root_1)
print(r0, r1, r2)  # True True False
```
I was under the impression that the order in which certs are added to an X.509 store did not matter. I also didn't seem to find anything in the OpenSSL documentation about this. Can anyone clarify?
Example (source): https://gist.github.com/kaedenbrinkman/c5f2b7d05034999cd55821a4f3403720
Upvotes: 0
Views: 30