pathlen🔗
pathlen::ee-with-intermediate-pathlen-0🔗
Produces the following valid chain:
root -> intermediate (pathlen:0) -> EE
This is a "trivial" verification: the intermediate has a pathlen:0
constraint, but the leaf is an end entity and is therefore allowed.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
pathlen::ee-with-intermediate-pathlen-1🔗
Produces the following valid chain:
root -> intermediate (pathlen:1) -> EE
This is a "trivial" verification: the intermediate has a pathlen:1
constraint, but the leaf is an end entity and is therefore allowed.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
pathlen::ee-with-intermediate-pathlen-2🔗
Produces the following valid chain:
root -> intermediate (pathlen:2) -> EE
This is a "trivial" verification: the intermediate has a pathlen:2
constraint, but the leaf is an end entity and is therefore allowed.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
pathlen::validation-ignores-pathlen-in-leaf🔗
Produces the following valid chain:
root -> intermediate (pathlen:0) -> intermediate (pathlen:0)
This is, unintuitively, a valid chain construction: RFC 5280 4.2.1.9 notes that the leaf certificate in a validation path is definitionally not an intermediate, meaning that it is not included in the maximum number of intermediate certificates that may follow a path length constrained CA certificate:
Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
❌ (unexpected failure) | The X.509 certificate provided is not valid for securing TLS connections |
pyca-cryptography-43.0.1 |
🚧 | testcase skipped (explicitly unsupported case) |
rustls-webpki |
❌ (unexpected failure) | CaUsedAsEndEntity |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
❌ (unexpected failure) | CaUsedAsEndEntity |
openssl-1.1 |
✅ | N/A |
pathlen::intermediate-violates-pathlen-0🔗
Produces the following invalid chain:
root -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE
This violates the first intermediate's pathlen:0
constraint,
which requires that any subsequent certificate be an end-entity and not
a CA itself.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
FAILURE | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
❌ (unexpected success) | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | The path could not be validated because it exceeds the maximum path length |
pyca-cryptography-43.0.1 |
✅ | validation failed: CandidatesExhausted(Other("path length constraint violated")) |
rustls-webpki |
✅ | PathLenConstraintViolated |
openssl-3.2.3 |
✅ | path length constraint exceeded |
openssl-3.0.15 |
✅ | path length constraint exceeded |
openssl-3.3.2 |
✅ | path length constraint exceeded |
openssl-3.1.7 |
✅ | path length constraint exceeded |
openssl-3.4.0 |
✅ | path length constraint exceeded |
rust-webpki |
✅ | UnknownIssuer |
openssl-1.1 |
✅ | path length constraint exceeded |
pathlen::intermediate-pathlen-may-increase🔗
Produces the following valid chain:
root -> intermediate (pathlen:1) -> intermediate (pathlen:2) -> EE
This is a less straightforward case as the second intermediate's pathlen:2
constraint seems to contradict the first intermediate's pathlen:1
constraint.
RFC 5280 permits this as part of supporting multiple validation paths.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
pathlen::intermediate-pathlen-too-long🔗
Produces the following invalid chain:
root -> intermediate (pathlen:1) -> intermediate (pathlen:0) -> intermediate (pathlen:0) -> EE
This violates the second intermediate's pathlen:0
constraint, which
forbids any subsequent issuing certificates (which the third intermediate
is).
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
FAILURE | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
✅ | N/A |
gnutls-certtool-3.7.3 |
❌ (unexpected success) | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | The path could not be validated because it exceeds the maximum path length |
pyca-cryptography-43.0.1 |
✅ | validation failed: CandidatesExhausted(Other("path length constraint violated")) |
rustls-webpki |
✅ | PathLenConstraintViolated |
openssl-3.2.3 |
✅ | path length constraint exceeded |
openssl-3.0.15 |
✅ | path length constraint exceeded |
openssl-3.3.2 |
✅ | path length constraint exceeded |
openssl-3.1.7 |
✅ | path length constraint exceeded |
openssl-3.4.0 |
✅ | path length constraint exceeded |
rust-webpki |
✅ | UnknownIssuer |
openssl-1.1 |
✅ | path length constraint exceeded |
pathlen::self-issued-certs-pathlen🔗
Produces the following valid chain:
root -> ICA' (pathlen:1) -> ICA' (pathlen:1) -> ICA'' (pathlen:0) -> EE
The second ICA' intermediate is a self-issued certificate. Self-issued certificates are certificates with identical issuers and subjects. While this chain trivially seems to violate the assigned path length constraints, the RFC 5280 4.2.1.9 states that self issued certificates should not be counted.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | N/A | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
❌ (unexpected failure) | validation: x509: too many intermediates for path length constraint |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
🚧 | testcase skipped (explicitly unsupported case) |
rustls-webpki |
❌ (unexpected failure) | InvalidSignatureForPublicKey |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
❌ (unexpected failure) | UnknownIssuer |
openssl-1.1 |
✅ | N/A |
pathlen::max-chain-depth-0🔗
Produces the following valid chain:
root -> leaf
When validating with a maximum chain depth of 0, there may not be any intermediates.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | max-chain-depth | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
🚧 | max chain depth not supported |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-1.1 |
✅ | N/A |
pathlen::max-chain-depth-0-exhausted🔗
Produces the following invalid chain:
root -> ICA' -> leaf
When validating with a maximum chain depth of 0, there may not be any intermediates.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
FAILURE | SERVER | N/A | max-chain-depth | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
🚧 | max chain depth not supported |
gnutls-certtool-3.7.3 |
❌ (unexpected success) | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
❌ (unexpected success) | N/A |
pyca-cryptography-43.0.1 |
❌ (unexpected success) | N/A |
rustls-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-3.2.3 |
✅ | certificate chain too long |
openssl-3.0.15 |
✅ | certificate chain too long |
openssl-3.3.2 |
✅ | certificate chain too long |
openssl-3.1.7 |
✅ | certificate chain too long |
openssl-3.4.0 |
✅ | certificate chain too long |
rust-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-1.1 |
✅ | certificate chain too long |
pathlen::max-chain-depth-1🔗
Produces the following valid chain:
root -> ICA' -> leaf
When validating with a maximum chain depth of 1, there may only be one logical intermediate.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | max-chain-depth | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
🚧 | max chain depth not supported |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
✅ | N/A |
rustls-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-3.2.3 |
✅ | N/A |
openssl-3.0.15 |
✅ | N/A |
openssl-3.3.2 |
✅ | N/A |
openssl-3.1.7 |
✅ | N/A |
openssl-3.4.0 |
✅ | N/A |
rust-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-1.1 |
✅ | N/A |
pathlen::max-chain-depth-1-exhausted🔗
Produces the following invalid chain:
root -> ICA' -> ICA'' -> leaf
When validating with a maximum chain depth of 1, there may only be one logical intermediate.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
FAILURE | SERVER | N/A | max-chain-depth | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
🚧 | max chain depth not supported |
gnutls-certtool-3.7.3 |
❌ (unexpected success) | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
❌ (unexpected success) | N/A |
pyca-cryptography-43.0.1 |
✅ | validation failed: CandidatesExhausted(Other("chain construction exceeds max depth")) |
rustls-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-3.2.3 |
✅ | certificate chain too long |
openssl-3.0.15 |
✅ | certificate chain too long |
openssl-3.3.2 |
✅ | certificate chain too long |
openssl-3.1.7 |
✅ | certificate chain too long |
openssl-3.4.0 |
✅ | certificate chain too long |
rust-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-1.1 |
✅ | certificate chain too long |
pathlen::max-chain-depth-1-self-issued🔗
Produces the following valid chain:
root -> ICA' -> ICA' -> leaf
When validating with a maximum chain depth of 1, there may only be one logical intermediate.
Expected result | Validation kind | Validation time | Features | Importance | Conflicts | Download |
---|---|---|---|---|---|---|
SUCCESS | SERVER | N/A | max-chain-depth | undetermined | N/A | PEM bundle |
Harness | Result | Context |
---|---|---|
gocryptox509-go1.22.7 |
🚧 | max chain depth not supported |
gnutls-certtool-3.7.3 |
✅ | Chain verification output: Verified. The certificate is trusted. |
certvalidator-0.11.1 |
✅ | N/A |
pyca-cryptography-43.0.1 |
🚧 | testcase skipped (explicitly unsupported case) |
rustls-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-3.2.3 |
❌ (unexpected failure) | certificate chain too long |
openssl-3.0.15 |
❌ (unexpected failure) | certificate chain too long |
openssl-3.3.2 |
❌ (unexpected failure) | certificate chain too long |
openssl-3.1.7 |
❌ (unexpected failure) | certificate chain too long |
openssl-3.4.0 |
❌ (unexpected failure) | certificate chain too long |
rust-webpki |
🚧 | max-chain-depth testcases are not supported by this API |
openssl-1.1 |
❌ (unexpected failure) | certificate chain too long |