Skip to content

pem: do not exclude self-signed certificates when encoding X509 chain #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

pem: do not exclude self-signed certificates when encoding X509 chain #134

wants to merge 1 commit into from

Conversation

lrascao
Copy link
Contributor

@lrascao lrascao commented Aug 27, 2025

Description

RFC 5246 states that:

      Because certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority MAY be omitted from the chain, under the
      assumption that the remote end must already possess it in order to
      validate it in any case.

Since it's not saying they MUST be omitted we can keep the self-signed certs and keep symmetry in the encode/decode functions.

@lrascao lrascao requested review from a team as code owners August 27, 2025 10:11
@lrascao lrascao force-pushed the fix-encode-x509-chain branch from 2e39212 to b8bc78a Compare August 27, 2025 10:11
@lrascao lrascao mentioned this pull request Aug 27, 2025
Open
@lrascao lrascao closed this Aug 27, 2025
@lrascao lrascao deleted the fix-encode-x509-chain branch August 27, 2025 14:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lrascao