Open
Labels
waiting-on-reporter: Issue is waiting on a reply from the reporter. It will be automatically closed if there is no reply.
Description
There's a cert extension in a certificate that causes the extensions property to cause a ValueError parsing asn1 value BasicConstraints::ca. The code here seems to be brittle; I am interested in a different extension but can't access any of them because of the "bad" extension.
Could the cryptography library be a little more robust to this and just fail on accessing the one particular "bad" extension?
$ python
Python 3.14.3 | packaged by conda-forge | (main, Feb 9 2026, 22:17:37) [Clang 20.1.8 ] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography.x509
>>> cryptography.__version__
'46.0.5'
>>> with open('65213.crt','rb') as f:
    cert_raw = f.read()
cert = cryptography.x509.load_pem_x509_certificate(cert_raw)
cert
<Certificate(subject=<Name(O=secure.blueemporia.com,OU=Domain Control Validated,CN=secure.blueemporia.com)>, ...)>
>>> cert.extensions
Traceback (most recent call last):
  File "<python-input-3>", line 1, in <module>
    cert.extensions
ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
65213.crt (from crt.sh)
But openssl seems to do just fine:
$ openssl x509 -in 65213.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12112801550338438 (0x2b088761a48986)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority, serialNumber=07969287
Validity
Not Before: Feb 11 17:43:35 2011 GMT
Not After : Feb 11 17:43:35 2014 GMT
Subject: O=secure.blueemporia.com, OU=Domain Control Validated, CN=secure.blueemporia.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:a1:df:a4:98:1b:e6:18:0e:19:b9:0e:36:a6:
cd:cd:49:b3:87:2a:2e:9d:89:c1:2f:19:36:2f:40:
9f:09:65:7d:02:88:08:ff:f2:70:ac:39:bd:be:90:
6b:c8:74:5d:c4:30:a8:62:12:76:5e:60:8a:03:77:
ec:5e:7e:71:99:ed:8a:e4:cd:8a:de:04:4e:5e:6b:
c1:63:1d:48:85:c5:09:37:80:bb:0e:3d:b2:6e:55:
2a:0b:d1:43:21:ee:84:0e:e3:5a:0e:20:dc:de:77:
99:78:8e:e8:42:7e:9b:5d:5b:e5:ea:92:06:1d:ad:
76:f1:1c:d6:a3:90:21:c8:70:29:b6:d9:61:74:cf:
b5:82:9b:e7:85:d1:b5:5f:49:72:73:c5:94:2b:a7:
79:1e:81:ce:22:fe:35:97:12:b0:bb:ce:2c:99:2c:
33:57:be:20:bf:72:3f:c9:ff:f3:45:a8:8c:ce:28:
09:fd:e4:0d:1c:6a:1a:71:2b:95:fa:55:a0:a1:e8:
07:d0:1d:50:b1:50:ca:f7:53:ab:13:5a:72:35:d9:
5c:69:c7:9f:34:94:25:08:5a:17:2b:ea:c9:95:18:
a5:d6:73:10:18:c7:48:07:65:e8:1a:bc:0a:df:f2:
7b:79:b6:8b:16:42:73:7e:3a:9b:78:f7:23:c0:23:
9e:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.godaddy.com/gds1-30.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: https://certs.godaddy.com/repository/
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
X509v3 Authority Key Identifier:
FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Subject Alternative Name:
DNS:secure.blueemporia.com, DNS:www.secure.blueemporia.com
X509v3 Subject Key Identifier:
8E:26:3D:A4:D5:B8:E1:DE:D0:0C:F6:F4:85:6A:E1:2E:56:1B:87:4A
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
87:bc:1f:6e:4f:df:2d:62:52:9c:af:8e:6e:80:13:fa:32:07:
57:54:99:d4:68:dd:9f:0b:70:35:5d:3f:4f:cc:2f:ed:98:0b:
45:29:1f:c8:2a:68:bc:66:1c:8f:a8:00:1c:3c:df:76:32:70:
a4:53:4f:bb:cf:2c:24:6f:a2:cd:91:0d:cd:2e:29:9b:30:a0:
e6:0c:db:a5:fe:fb:77:e8:19:52:19:2b:c8:76:db:3f:9c:a7:
a4:aa:6f:10:b2:89:a9:6a:37:55:a6:cd:a8:b9:cc:96:14:a0:
f2:95:ba:f3:22:42:8d:47:92:f5:41:ec:e0:c0:cd:ed:4c:03:
f6:1f:11:17:75:f5:9b:11:e6:de:f9:0e:62:30:58:27:c0:26:
2e:76:9c:68:3e:c7:7c:94:3f:d9:73:cb:7f:4e:b5:ee:be:a3:
22:d2:06:af:90:08:1f:8a:54:89:3b:a6:a5:75:dd:4e:53:d4:
39:2b:d3:cd:49:41:ca:f9:88:ed:d8:88:1e:c5:9f:b4:95:ae:
d4:2e:b0:f1:de:1a:e1:c6:67:3d:80:d8:fd:09:81:9b:86:10:
4f:da:68:8e:ae:74:da:3f:57:bb:e1:47:28:aa:bb:20:da:54:
8f:61:0e:4f:97:2d:75:82:2e:23:93:41:3e:21:5c:08:66:9b:
24:a0:c2:cd
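Added example, not part of the issue and not code from the cryptography project: a stdlib-only walk over a DER `Extensions` SEQUENCE that records a strict-decoding failure against the one offending extension and still returns the others, which is the behaviour the report asks for. The function names are hypothetical, the input is assumed to be the already-extracted `Extensions` SEQUENCE, and the sample bytes are constructed (a BasicConstraints whose `cA` is explicitly encoded as FALSE, the condition the `EncodedDefault` error kind names, followed by a KeyUsage).

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def strict_basic_constraints(value):
    """Raise if cA is explicitly encoded as FALSE (DER requires DEFAULT values omitted)."""
    seq = read_tlv(value, 0)[1]
    if seq and read_tlv(seq, 0)[:2] == (0x01, b"\x00"):
        raise ValueError("EncodedDefault at BasicConstraints::ca")

STRICT_CHECKS = {"2.5.29.19": strict_basic_constraints}   # OID -> strict decoder

def walk_extensions(der):
    """Map OID -> (critical, extnValue, error-or-None) for an Extensions SEQUENCE."""
    seq, out, pos = read_tlv(der, 0)[1], {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"
        if tag == 0x01:                     # optional critical BOOLEAN precedes extnValue
            body = read_tlv(ext, p)[1]
        oid, err = decode_oid(oid_body), None
        try:
            STRICT_CHECKS.get(oid, lambda v: None)(body)
        except ValueError as exc:           # failure stays with this extension only
            err = str(exc)
        out[oid] = (critical, body, err)
    return out

# Constructed sample: BasicConstraints with cA FALSE encoded, then a KeyUsage extension.
SAMPLE = bytes.fromhex("3021" "300f0603551d130101ff04053003010100"
                       "300e0603551d0f0101ff0404030205a0")
```

A walk like this suits inspection and triage; code that validates certificates still has to reject one whose critical extension fails strict decoding.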