git.saurik.com Git - apple/security.git/blob - OSX/shared_regressions/si-18-certificate-parse/TODOFailureCerts/TODODescriptions.txt
Security-58286.1.32.tar.gz
The following certs do not fail because parse failures in non-critical extensions are ignored.
The certificate merely marks those extensions as not present.
parse_fail_keyusage_extra_bit.cer
-the length field says 2 but there are 2 bytes in the bitstring (plus unused bits field which makes 3)
-we happily skip the extra byte
parse_fail_length_63.cer
-length field in AKID
parse_fail_tag_27.cer
-tag field in EKU (seq)
parse_fail_tag_28.cer
-tag field in EKU (oid)
parse_fail_tag_32.cer
-tag field in SKID
parse_fail_tag_36.cer
-tag field in AKID

parse_fail_too_big.cer succeeds because we ignore extra data after the cert.

parse_fail_basic_constraints_notCA_pathlen.cer
We don’t enforce (from RFC 5280):
CAs MUST NOT include the pathLenConstraint field unless the cA
boolean is asserted and the key usage extension asserts the
keyCertSign bit.
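
The RFC 5280 rule quoted above, written out as a check over the DER extension values. This is an added example, not code from this repository: pathlen_rule_ok and tlv are hypothetical names, the byte arrays are constructed samples, and only short-form DER lengths are handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Read one short-form DER header with the expected tag at *p. On success
 * advance *p to the value and return its length; otherwise return -1. */
static int tlv(const uint8_t **p, const uint8_t *end, uint8_t tag) {
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] > 0x7f) return -1;
    int len = (*p)[1];
    if (end - (*p + 2) < len) return -1;
    *p += 2;
    return len;
}

/* Returns 1 if the rule holds, 0 if it is violated, -1 if malformed.
 * bc = BasicConstraints value; ku = KeyUsage value, or NULL if absent. */
int pathlen_rule_ok(const uint8_t *bc, size_t bc_len, const uint8_t *ku, size_t ku_len) {
    const uint8_t *p = bc, *end = bc + bc_len;
    int is_ca = 0, has_pathlen = 0, cert_sign = 0;
    int len = tlv(&p, end, 0x30);               /* SEQUENCE */
    if (len < 0 || p + len != end) return -1;   /* reject trailing bytes */
    if (p < end && *p == 0x01) {                /* cA BOOLEAN DEFAULT FALSE */
        if (tlv(&p, end, 0x01) != 1 || *p != 0xff) return -1; /* DER encodes only TRUE */
        is_ca = 1; p += 1;
    }
    if (p < end) {                              /* pathLenConstraint INTEGER */
        len = tlv(&p, end, 0x02);
        if (len < 1 || (*p & 0x80)) return -1;  /* must be non-negative */
        has_pathlen = 1; p += len;
    }
    if (p != end) return -1;
    if (ku != NULL) {                           /* KeyUsage BIT STRING */
        const uint8_t *q = ku, *kend = ku + ku_len;
        len = tlv(&q, kend, 0x03);
        if (len < 2 || q + len != kend || q[0] > 7) return -1;
        cert_sign = (q[1] & 0x04) != 0;         /* keyCertSign is bit 5 */
    }
    return !has_pathlen || (is_ca && cert_sign);
}

/* Constructed sample values (not extracted from the test certificates). */
static const uint8_t BC_CA_PL0[]    = {0x30,0x06,0x01,0x01,0xff,0x02,0x01,0x00};
static const uint8_t BC_NOTCA_PL0[] = {0x30,0x03,0x02,0x01,0x00};
static const uint8_t KU_CERTSIGN[]  = {0x03,0x02,0x01,0x06};
static const uint8_t KU_DIGSIG[]    = {0x03,0x02,0x07,0x80};

int main(void) {
    printf("notCA+pathLen: %d, CA+keyCertSign: %d\n", pathlen_rule_ok(BC_NOTCA_PL0, sizeof BC_NOTCA_PL0, KU_DIGSIG, sizeof KU_DIGSIG), pathlen_rule_ok(BC_CA_PL0, sizeof BC_CA_PL0, KU_CERTSIGN, sizeof KU_CERTSIGN));
    return 0;
}
```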

parse_fail_ec_not_on_curve.cer
We don’t check that the point is on the curve until we use the key (e.g. for verifying a signature).

spki_fail_tag_4.cer
SecECPublicKeyInit doesn’t read the parameters of the algorithm ID.