Chain building in certificate validation #32

Open
avzuquete opened this issue Nov 19, 2020 · 16 comments
Comments

@avzuquete

Hi,

I'm using certvalidator 0.11.1.

It cannot build a chain with the attached certificates for the one in me.der.
However, it should work, as the chain was extracted from a Windows tool that examines certificate chains.
me.zip

The traceback gives:
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 108, in _validate_path
    paths = self._context.certificate_registry.build_paths(self._certificate)
  File "/usr/local/lib/python3.8/site-packages/certvalidator/registry.py", line 314, in build_paths
    raise PathBuildingError(pretty_message(
certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: ANDRÉ VENTURA DA CRUZ MARNÔTO ZÚQUETE; Serial Number: BI068540477; Given Name: ANDRÉ; Surname: VENTURA DA CRUZ MARNÔTO ZÚQUETE; Organizational Unit: Cidadão Português, Assinatura Qualificada do Cidadão; Organization: Cartão de Cidadão; Country: PT" - no issuer matching "Common Name: ECRaizEstado 002, Organization: Sistema de Certificação Eletrónica do Estado, Country: PT" was found

@wbond
Owner

wbond commented Nov 19, 2020

Please post the PEM encoded certs in a comment here.

My hunch is that the certificate isn’t using properly encoded strings, as the error message includes what appears to be UTF-8 represented as Latin encoding.

@avzuquete
Author

avzuquete commented Nov 19, 2020 via email

@wbond
Owner

wbond commented Nov 19, 2020

> You have all the certs in DER format.

The issue is, I don't have time and you want help, so I am asking you to do the leg work. Downloading, extracting certs, converting them so that I can confirm whether my hunch is true is a bunch of work.

> It's very unlikely that the certs have errors, they are part of the Portuguese identity certification chains.

My experience with certs is that plenty of software puts improperly encoded data into them. This is just a hunch, based on the mojibake in the error message.

> And yes, it's quite natural to have UTF-8 text on them, Portuguese has several diacritics.

UTF-8 is good. The issue here is that the error message implies the certs have UTF-8 in an ASN.1 encoding that is not designed for UTF-8.

However, this is all my hunch. Once the data is laid out, it will be easier to confirm.

@avzuquete
Author

PEM files attached.
me.zip

I've checked the chain step by step with openssl and it says it is good.

@wbond
Owner

wbond commented Nov 19, 2020

Can you post the PEM inline here so we can just copy paste to https://lapo.it/asn1js/?

@wbond
Owner

wbond commented Nov 19, 2020

> I've checked the chain step by step with openssl and it says it is good.

That doesn't really help in this situation, as we don't use OpenSSL's chain building, nor validation code.

@avzuquete
Author

PEM certificates inline. First certificate is leaf, last is root, rest are chain aligned.

-----BEGIN CERTIFICATE-----
MIIJQDCCByigAwIBAgIIV0SmOgMR7iQwDQYJKoZIhvcNAQELBQAwgcExCzAJBgNV
BAYTAlBUMTMwMQYDVQQKDCpJbnN0aXR1dG8gZG9zIFJlZ2lzdG9zIGUgZG8gTm90
YXJpYWRvIEkuUC4xHDAaBgNVBAsME0NhcnTDo28gZGUgQ2lkYWTDo28xFDASBgNV
BAsMC3N1YkVDRXN0YWRvMUkwRwYDVQQDDEBFQyBkZSBBc3NpbmF0dXJhIERpZ2l0
YWwgUXVhbGlmaWNhZGEgZG8gQ2FydMOjbyBkZSBDaWRhZMOjbyAwMDE1MB4XDTE5
MDgwNjE2NTMzNloXDTI0MDgwNjIxNTkwMFowgewxCzAJBgNVBAYTAlBUMRwwGgYD
VQQKDBNDYXJ0w6NvIGRlIENpZGFkw6NvMSswKQYDVQQLDCJBc3NpbmF0dXJhIFF1
YWxpZmljYWRhIGRvIENpZGFkw6NvMRwwGgYDVQQLDBNDaWRhZMOjbyBQb3J0dWd1
w6pzMR0wGwYDVQQEDBRET1MgU0FOVE9TIFJPRFJJR1VFUzEUMBIGA1UEKgwLSk/D
g08gUEVEUk8xFDASBgNVBAUTC0JJMTUxNTQwNDQ2MSkwJwYDVQQDDCBKT8ODTyBQ
RURSTyBET1MgU0FOVE9TIFJPRFJJR1VFUzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
ADCCAYoCggGBANFgEJIN4JA2SgZaNFFgST4RkmK1MfTUIqCx9jvANhRdOtkcfuSd
GGzL+SM2dVw8TyRGLW9/WsAnhBgQaWkDHZ5s9pHA/SIWHbT8dJLNKrCb3kjwsmKm
ZVYVTI2uOa8WeZcVx79ZPsN6uFMgW2Y6W06LpSqEbYq8ffhLcBpuAHy0AXsMWENP
TorldxS0VxkBb3uTjjUDGajRRqGV+vNaNrspl2tGWgj1fn5yKEHwytE8U0g/llTr
m10vZqAM0QwnwjfoO9uoptRI8GIAOOoThXl3wKLZ943E15IZA8ltxf/Ox3OsFqH7
kzU5Rk6ilDlrAmhROlx6hLIaH2lJ2MZROD3PSB0E9n4LkrTBCzpPja7JKY9KlLaf
oYJqNJMHDOLLXtNH4N2SEG25Crkl1wBJts5gkySJ4Eoa7i/KaY4TckGe0IFq0PWN
dWCKS7IJNC4x7FgzT09sjZmYNt4YSdSN1KDTPqygRSd00epR5sJmrVn8EBa6Lezk
zopMHDgalR4YrwIDAQABo4IDjTCCA4kwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAW
gBSm0O/UgAwFq6Y+Ujb0iRjHy8cHhjBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUH
MAGGL2h0dHA6Ly9vY3NwLmFzYy5jYXJ0YW9kZWNpZGFkYW8ucHQvcHVibGljby9v
Y3NwMG8GA1UdLgRoMGYwZKBioGCGXmh0dHA6Ly9wa2kuY2FydGFvZGVjaWRhZGFv
LnB0L3B1YmxpY28vbHJjL2NjX3N1Yi1lY19jaWRhZGFvX2Fzc2luYXR1cmFfY3Js
MDAxNV9kZWx0YV9wMDAwOS5jcmwwggEFBgNVHSAEgf0wgfowNQYIYIRsAQEBAgow
KTAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuc2NlZS5nb3YucHQvcmVwMAkGBwQA
i+xAAQIwVQYMYIRsAQEBAgQBAAEBMEUwQwYIKwYBBQUHAgEWN2h0dHA6Ly9wa2ku
Y2FydGFvZGVjaWRhZGFvLnB0L3B1YmxpY28vcG9saXRpY2FzL2NwLmh0bWwwCAYG
BACPegECMFUGC2CEbAEBAQIEAQAHMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly9wa2ku
Y2FydGFvZGVjaWRhZGFvLnB0L3B1YmxpY28vcG9saXRpY2FzL2Nwcy5odG1sMCgG
A1UdCQQhMB8wHQYIKwYBBQUHCQExERgPMTk5NjExMDUxMjAwMDBaMIHMBggrBgEF
BQcBAwSBvzCBvDAIBgYEAI5GAQEwCAYGBACORgEEMFoGBwQAjkYBBgEMT0NlcnRp
ZmljYXRlIGZvciBlbGVjdHJvbmljIHNpZ25hdHVyZXMgYXMgZGVmaW5lZCBpbiBS
ZWd1bGF0aW9uIChFVSkgTm8gOTEwLzIwMTQwSgYGBACORgEFMEAwPhY4aHR0cDov
L3BraS5jYXJ0YW9kZWNpZGFkYW8ucHQvcHVibGljby9wb2xpdGljYXMvY3BzLmh0
bWwTAlBUMGkGA1UdHwRiMGAwXqBcoFqGWGh0dHA6Ly9wa2kuY2FydGFvZGVjaWRh
ZGFvLnB0L3B1YmxpY28vbHJjL2NjX3N1Yi1lY19jaWRhZGFvX2Fzc2luYXR1cmFf
Y3JsMDAxNV9wMDAwOS5jcmwwHQYDVR0OBBYEFLrF2/nufX4NB++TAh11QPZ3tLbT
MA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAgEAIkLpTukH4D00sRw5
FeJamsVsOYIOsF6uNy9CXAETyRMxWecs+vpc8pIgDVeWrQoY1dQTZjtwYEerpT+L
rBBFKh8YTvVoV0U36twaz1b1iTkz/QrurA9BkbzI8MIR1iTn2U1uLcUm3NgEbQOZ
SjnkRBmN3MjBVL8AVwjeTSkvxIrH9NJJXz9Tx3/b92TTmRan4sOdEsPnB3KVyhUB
l7NI6qLSDvMhCdTGT4L9f97sl89UGO8TbNeNw6DN9DogXyWQGHAqCXW2mMU+GiKP
O3bwGLEpR/Dray6Igskb3QqDmZfCgPQPP64KzClIrJORzOMT5UnSq9kYg8nmjIFT
TCLGnsahzqoqym+o8QztdTjH4E1mbIQtqxARRWWto9vy19fST2/KxpJX+jIl6iOP
Om4d3bo0m53eXb5rpOdAJGTFphFeCDdDU6E9KCraTX7MjcStE7k+n9qBna/IlCk1
rJIQd/sGBXF3rSUnezhxfGXG957AeKd1IB80TPhnbJ1SXNc1gGPXjnD+O172V8eB
8G4gbYD+PTO6XnH5La6e0G96Vn//NmfX8lmqP7WyndMHt43zcD3PXNJe381QX4w9
sQ8j+13wvzNjKNQUCdnf5DvDHAtElXzQ1Oi5+LZ+zK0FLIYZMbEIdwv6hHrOY6HG
j94nWA3YtePdc5rYES5X4tFvxic=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@avzuquete
Author

>> I've checked the chain step by step with openssl and it says it is good.
>
> That doesn't really help in this situation, as we don't use OpenSSL's chain building, nor validation code.

I thought so. But my comment was not in that direction.

I knew that that chain is correctly found (and presented) by the standard Windows certificate presenter. I just checked if openssl would behave likewise; and it does. And, as such, this reduces the probability of having encoding problems on the certificates. They may exist, though, I don't know enough of ASN.1 to discuss that with you, but it is very unlikely, given the results of those two tools.

Regards,

@wbond
Owner

wbond commented Nov 20, 2020

Can you provide the code that resulted in the backtrace?

So far it looks like the encoding on the leaf is good, so it is likely that the encoding corruption is from wherever the exception was printed.

@avzuquete
Author

> Can you provide the code that resulted in the backtrace?
>
> So far it looks like the encoding on the leaf is good, so it is likely that the encoding corruption is from wherever the exception was printed.

Sure. First parameter is the certificate to check, second is year, then month, then day, then the rest of the certificates in the chain.

#!/usr/bin/python3

import sys
from datetime import datetime
from certvalidator import CertificateValidator, ValidationContext, errors
from asn1crypto.util import timezone


def main():
    if len(sys.argv) < 6:
        print("Usage: %s certificate year month day chain_certificate [chain_certificate]\n" % sys.argv[0], file=sys.stderr)
        sys.exit(1)

    # vc = ValidationContext( moment=datetime.now(timezone.utc) )
    # Validate as of the given calendar day (UTC) rather than "now"
    d = datetime(year=int(sys.argv[2]), month=int(sys.argv[3]), day=int(sys.argv[4]), tzinfo=timezone.utc)
    vc = ValidationContext(moment=d)

    # Remaining arguments: the other certificates of the chain (DER or PEM), used for path building
    pki = []
    for i in range(5, len(sys.argv)):
        with open(sys.argv[i], 'rb') as cf:
            pki.append(cf.read())

    with open(sys.argv[1], 'rb') as cf:
        validator = CertificateValidator(cf.read(), pki, validation_context=vc)

    for usage in ['digital_signature', 'non_repudiation', 'key_encipherment', 'key_agreement',
                  'key_cert_sign', 'crl_sign', 'encipher_only', 'decipher_only']:
        try:
            validator.validate_usage(set([usage]))
            print("YES: %s" % usage)
        except errors.PathValidationError:
            # Only validation failures are caught here; certvalidator's PathBuildingError
            # (no chain could be built at all) is a sibling class, so it propagates
            # as the traceback shown above
            print("NO: %s" % usage)


if __name__ == "__main__":
    main()

@3lixy

3lixy commented Dec 28, 2020

The current chain that is posted in the message #32 (comment) looks to be:

Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Issuer: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
AKI BA:C5:DB:F9:EE:7D:7E:0D:07:EF:93:02:1D:75:40:F6:77:B4:B6:D3
SKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86

Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Issuer: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
AKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86
SKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A

Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Issuer: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
AKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A
SKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80

Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Issuer: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80
SKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0

Subject: <Name(C=PT,O=MULTICERT - Serviços de Certificação Electrónica S.A.,OU=Entidade de Certificação Credenciada,CN=MULTICERT - Entidade de Certificação 001)>
Issuer: <Name(C=PT,O=MULTICERT - Serviços de Certificação Electrónica S.A.,CN=MULTICERT Root Certification Authority 01)>
AKI 7F:33:72:7F:4C:DA:34:C8:0E:A7:75:CB:2E:83:98:1B:06:B8:A6:90
SKI D5:39:1C:9C:5B:6F:04:AA:A2:95:4C:EF:20:DD:29:74:A4:C5:45:71

As you can see, the root cert provided is not suitable for the chain.

This is the chain that works for me but with Root Cert (https://crt.sh/?id=76) instead of the Root Cert provided.

Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Issuer: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
AKI BA:C5:DB:F9:EE:7D:7E:0D:07:EF:93:02:1D:75:40:F6:77:B4:B6:D3
SKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86

Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Issuer: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
AKI A6:D0:EF:D4:80:0C:05:AB:A6:3E:52:36:F4:89:18:C7:CB:C7:07:86
SKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A

Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Issuer: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
AKI 19:76:0C:AE:FE:01:61:69:44:B6:41:EB:CF:A4:38:73:C2:FB:9D:3A
SKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80

Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Issuer: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI 71:7F:35:DE:F5:77:71:6D:1D:12:9C:E1:90:A4:BA:F0:A9:83:8F:80
SKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0

Subject: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
Issuer: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>
AKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
SKI

However when using this correct ROOT cert you will encounter the issue fixed in #28.
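To make the previous comment's point concrete (path building stops at ECRaizEstado because nothing in the posted bundle has the subject "Baltimore CyberTrust Root", and the MULTICERT certificate is never reached), here is a stand-alone issuer-matching path builder. This is an added example, not certvalidator's own implementation and not code from this thread. Certificates are stand-ins with only the fields path building consults; DNs are shortened to their CN and key identifiers to their first four bytes, taken from the listing above. SKI and AKI are assigned per X.509 semantics: the leaf PEM's subjectKeyIdentifier extension is BA:C5:..., its authorityKeyIdentifier A6:D0:..., so the listing's two labels read the other way round.

```python
from dataclasses import dataclass
from typing import List, Optional


class PathBuildingError(Exception):
    """No chain from the leaf to a trust root could be assembled."""


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the fields path building consults."""
    subject: str
    issuer: str
    ski: str                   # subjectKeyIdentifier: this certificate's own key id
    aki: Optional[str] = None  # authorityKeyIdentifier: the issuer's key id (often absent on roots)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.aki in (None, self.ski)


def issuer_candidates(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Certificates in `pool` that could have issued `cert`.

    The issuer is named by DN; when `cert` carries an AKI it must also equal the
    candidate's SKI, which separates CA certs that share a subject DN after a
    key rollover from the one that actually signed `cert`.
    """
    return [c for c in pool
            if c.subject == cert.issuer and (cert.aki is None or c.ski == cert.aki)]


def build_path(leaf: Cert, intermediates: List[Cert], trust_roots: List[Cert],
               max_depth: int = 10) -> List[Cert]:
    """Depth-first search from the leaf towards a trust root; returns [leaf, ..., root].

    Raises PathBuildingError naming the issuer DN that could not be matched, in
    the same shape as the message quoted at the top of this issue.
    """
    pool = list(intermediates) + list(trust_roots)
    longest: List[Cert] = [leaf]  # deepest branch explored, used for the error message

    def walk(path: List[Cert]) -> Optional[List[Cert]]:
        nonlocal longest
        if len(path) > len(longest):
            longest = path
        current = path[-1]
        if current in trust_roots:
            return path
        if current.self_signed or len(path) >= max_depth:
            return None  # a self-signed cert that is not a trust root ends the branch
        for cand in issuer_candidates(current, pool):
            if cand in path:
                continue  # loop guard: cross-signed CAs can issue each other
            found = walk(path + [cand])
            if found is not None:
                return found
        return None

    result = walk([leaf])
    if result is None:
        raise PathBuildingError(
            'Unable to build a validation path for the certificate "%s" - '
            'no issuer matching "%s" was found' % (leaf.subject, longest[-1].issuer))
    return result


# Constructed sample data from the listing in the comment above (CN only, key ids shortened).
LEAF = Cert("CN=JOÃO PEDRO DOS SANTOS RODRIGUES",
            "CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015",
            ski="BA:C5:DB:F9", aki="A6:D0:EF:D4")
SUB_0015 = Cert("CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015",
                "CN=Cartão de Cidadão 004", ski="A6:D0:EF:D4", aki="19:76:0C:AE")
CC_004 = Cert("CN=Cartão de Cidadão 004", "CN=ECRaizEstado", ski="19:76:0C:AE", aki="71:7F:35:DE")
EC_RAIZ = Cert("CN=ECRaizEstado", "CN=Baltimore CyberTrust Root", ski="71:7F:35:DE", aki="E5:9D:59:30")
MULTICERT_EC = Cert("CN=MULTICERT - Entidade de Certificação 001",
                    "CN=MULTICERT Root Certification Authority 01", ski="7F:33:72:7F", aki="D5:39:1C:9C")
BALTIMORE = Cert("CN=Baltimore CyberTrust Root", "CN=Baltimore CyberTrust Root", ski="E5:9D:59:30")


def posted_bundle() -> str:
    """The bundle as posted: three intermediates plus the unrelated MULTICERT CA as the 'root'."""
    try:
        build_path(LEAF, [SUB_0015, CC_004, EC_RAIZ], trust_roots=[MULTICERT_EC])
    except PathBuildingError as e:
        return str(e)
    return "unexpectedly built a path"


def bundle_with_baltimore() -> List[str]:
    """Same intermediates, with the root that actually signed ECRaizEstado as the anchor."""
    return [c.subject for c in build_path(LEAF, [SUB_0015, CC_004, EC_RAIZ], trust_roots=[BALTIMORE])]


if __name__ == "__main__":
    print(posted_bundle())
    print(" -> ".join(bundle_with_baltimore()))
```

The AKI/SKI check matters in practice: a CA that has rolled its key keeps the same subject DN, so name matching alone can pick the wrong CA certificate and fail signature verification later, while key-identifier matching selects the right one up front.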

@chrisdlangton

chrisdlangton commented Sep 29, 2021

I'm also having trouble validating the cert chain and am happy to open a separate issue if needed, but I'll add to this one until asked to make a separate specific issue for my scenario.

To make things easy, I'll test against badssl.com so we can avoid zipping certs or posting walls of text. Choose any host you like for this problem; they all have a chain.

The chain is obtained using:

import logging
from socket import socket, AF_INET, SOCK_STREAM

import requests
from OpenSSL import SSL

logger = logging.getLogger(__name__)


def get_peer_certificate_chain(domain_name):
    peer_certificate_chain = []
    # Try protocol versions from newest to oldest; stop at the first successful handshake
    for method in [SSL.TLSv1_2_METHOD, SSL.TLSv1_1_METHOD, SSL.TLSv1_METHOD, SSL.SSLv23_METHOD]:
        context = SSL.Context(method=method)
        for bundle in [requests.certs.where()]:
            context.load_verify_locations(cafile=bundle)
        sock = SSL.Connection(context=context, socket=socket(AF_INET, SOCK_STREAM))
        sock.settimeout(5)
        sock.set_tlsext_host_name(domain_name.encode())
        try:
            sock.connect((domain_name, 443))
            sock.setblocking(1)
            sock.do_handshake()
            # The chain as sent by the server: leaf first, then the intermediates
            for cert in sock.get_peer_cert_chain():
                peer_certificate_chain.append(cert)
            sock.shutdown()
            sock.close()
            break
        except Exception as ex:
            logger.exception(ex)
            # No shutdown here: it raises again if the handshake never completed
            sock.close()
    return peer_certificate_chain

but CertificateValidator takes 3 other types for intermediate_certs - and I chose pem encoding:

from OpenSSL.crypto import dump_certificate, FILETYPE_PEM

intermediate_certs = []
for cert in get_peer_certificate_chain(host):  # the leaf itself is included in this list as well
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))

Okay, on with the example:

from certvalidator import CertificateValidator, ValidationContext

ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)  # should be self explanatory how to create a socket using get_peer_certificate_chain example
                              # (getpeercert(True) is the stdlib ssl.SSLSocket API; a pyOpenSSL Connection has get_peer_certificate() instead)
x509 = self.server_certificate.to_cryptography()  # I use the cryptography lib extensively
# later, I have access to the cryptography lib but CertificateValidator requires the der
der = x509.tbs_certificate_bytes  # note: this is only the TBSCertificate (the signed portion), not the full DER Certificate
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)

this is the error I get: Error parsing asn1crypto.algos.SignedDigestAlgorithm - method should have been constructed, but primitive was found\n while parsing asn1crypto.x509.Certificate

The trace:

  File "/srv/app/.local/lib/python3.8/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/srv/app/.local/lib/python3.8/site-packages/certvalidator/__init__.py", line 98, in _validate_path
    if self._certificate.hash_algo in self._context.weak_hash_algos:
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/x509.py", line 2524, in hash_algo
    return self['signature_algorithm'].hash_algo
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3536, in __getitem__
    raise e
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3531, in __getitem__
    return self._lazy_child(key)
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 3478, in _lazy_child
    child = self.children[index] = _build(*child)
  File "/srv/app/.local/lib/python3.8/site-packages/asn1crypto/core.py", line 5551, in _build

I have refactored to remove the usage of cryptography lib entirely, i.e.

# create sock using get_peer_certificate_chain example
from OpenSSL.crypto import dump_certificate, FILETYPE_PEM
from certvalidator import CertificateValidator, ValidationContext

host = 'mozilla-modern.badssl.com'
intermediate_certs = []
for cert in get_peer_certificate_chain(host):
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)  # stdlib ssl.SSLSocket API; with a pyOpenSSL Connection use dump_certificate(FILETYPE_ASN1, sock.get_peer_certificate())
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)

But no change, the same exception occurs. I've spent over 12 hours on this, the scenario is pretty complete now, am at a loss what to try next so I'm keen for any advice at all.
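The traceback in the comment above fails while asn1crypto lazily builds `signature_algorithm` and finds a primitive element where a SEQUENCE belongs. That is exactly what parsing a TBSCertificate as a whole Certificate produces: cryptography's `tbs_certificate_bytes` is only the signed portion, whose second element is the INTEGER serialNumber, whereas a Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } and CertificateValidator needs the full DER (`public_bytes(Encoding.DER)` in cryptography). The check below is an added example, not code from this thread, from asn1crypto or from certvalidator; it uses a hand-rolled DER reader and constructed, structurally valid samples with no real keys or signatures, so it runs offline and can gate input before it reaches the validator.

```python
SEQUENCE, INTEGER, BIT_STRING, OID, NULL, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0xA0


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated: length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Split the contents of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def classify(blob: bytes):
    """Return ('certificate' | 'tbs_certificate' | 'unknown', reason) for a DER blob."""
    try:
        tag, body, end = read_tlv(blob)
        if tag != SEQUENCE or end != len(blob):
            return "unknown", "outer element is not a single SEQUENCE"
        tags = [t for t, _ in children(body)]
    except (ValueError, IndexError) as e:
        return "unknown", str(e)
    if tags == [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "certificate", "SEQUENCE{tbsCertificate, signatureAlgorithm, signatureValue}"
    if tags[:1] in ([CTX0], [INTEGER]):
        # [0] EXPLICIT version (v2/v3) or a bare serialNumber (v1): this is a TBSCertificate.
        # Its second element is the INTEGER serialNumber, the primitive asn1crypto trips over
        # when it expects the signature_algorithm SEQUENCE of a Certificate.
        return "tbs_certificate", "starts with version/serialNumber: only the signed portion was passed"
    return "unknown", "child tags %s" % [hex(t) for t in tags]


def check_for_certvalidator(blob: bytes) -> bytes:
    """Gate for CertificateValidator(end_entity_cert=...): fail before asn1crypto does, with a clearer message."""
    kind, reason = classify(blob)
    if kind != "certificate":
        raise ValueError("not a DER Certificate (%s): %s" % (kind, reason))
    return blob


# --- constructed sample input (structure only; no real key, no real signature) ---
def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


SHA256_RSA = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
# TBSCertificate cut short after its signature field: [0] version v3, serialNumber, signature
SAMPLE_TBS = tlv(SEQUENCE, tlv(CTX0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01\x23") + SHA256_RSA)
# Certificate = SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }
# (200 dummy signature bytes push the outer length into the long form)
SAMPLE_CERT = tlv(SEQUENCE, SAMPLE_TBS + SHA256_RSA + tlv(BIT_STRING, b"\x00" + b"\xab" * 200))


if __name__ == "__main__":
    for name, blob in [("full certificate", SAMPLE_CERT), ("tbs_certificate_bytes", SAMPLE_TBS)]:
        print(name, "->", classify(blob))
```

The same gate is useful for the `intermediate_certs` list: PEM is accepted there, but a DER blob that is really a TBSCertificate, or a certificate truncated by a partial read, produces the same kind of asn1crypto error deep inside path building rather than at the call site.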

@wbond
Owner

wbond commented Sep 29, 2021

@stof What version of asn1crypto are you using? The error message indicates that asn1crypto is finding an ASN.1 construction it doesn't expect in one of the certificates.

@stof

stof commented Sep 29, 2021

@wbond you mentioned the wrong person

@wbond
Owner

wbond commented Sep 29, 2021

Sorry about that!

@wbond
Owner

wbond commented Sep 29, 2021

@chrisdlangton See above ^
