The following certs do not fail because parse failures in non-critical extensions are ignored.
The certificate merely marks those extensions as not present.
parse_fail_keyusage_extra_bit.cer
-the length field says 2 but there are 2 bytes in the bitstring (plus unused bits field which makes 3)
-we happily skip the extra byte
parse_fail_length_63.cer
-tag field in EKU (seq)
-tag field in EKU (oid)
parse_fail_too_big.cer succeeds because we ignore extra data after the cert.
parse_fail_basic_constraints_notCA_pathlen.cer
We don’t enforce (from RFC 5280):
CAs MUST NOT include the pathLenConstraint field unless the cA
boolean is asserted and the key usage extension asserts the
parse_fail_ec_not_on_curve.cer
We don’t check that the point is on the curve until we use the key (e.g. for verifying a signature).
SecECPublicKeyInit doesn’t read the parameters of the algorithm ID.
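
For the pathLenConstraint rule noted under parse_fail_basic_constraints_notCA_pathlen.cer, a strict check could look like the following. This is an added example, not the framework's own code: the names check_basic_constraints, der_tlv and the BC_* codes are hypothetical, the input is the DER value of the BasicConstraints extension, and the caller is assumed to pass in whether keyUsage asserts keyCertSign (RFC 5280, section 4.2.1.9). It also rejects trailing bytes rather than skipping them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Result codes for this added example (names are hypothetical). */
enum bc_result { BC_OK = 0, BC_MALFORMED = -1, BC_PATHLEN_NOT_ALLOWED = -2 };

/* Read one DER TLV with a short-form length (< 128), enough for BasicConstraints. */
static bool der_tlv(const uint8_t **p, const uint8_t *end, uint8_t tag,
                    const uint8_t **val, size_t *len) {
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] >= 0x80) return false;
    *len = (*p)[1];
    if ((size_t)(end - *p - 2) < *len) return false;   /* length runs past buffer */
    *val = *p + 2;
    *p = *val + *len;
    return true;
}

/* Strictly parse a BasicConstraints extension value:
 *   SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
 * and enforce the RFC 5280 rule: pathLenConstraint only when cA is TRUE and
 * keyUsage asserts keyCertSign (key_cert_sign is supplied by the caller). */
int check_basic_constraints(const uint8_t *der, size_t der_len, bool key_cert_sign) {
    const uint8_t *p = der, *end = der + der_len, *seq, *v;
    size_t seq_len, n;
    bool ca = false;

    if (!der_tlv(&p, end, 0x30, &seq, &seq_len) || p != end)
        return BC_MALFORMED;                 /* wrong tag or trailing bytes */
    p = seq; end = seq + seq_len;

    if (p < end && *p == 0x01) {             /* optional cA BOOLEAN */
        if (!der_tlv(&p, end, 0x01, &v, &n) || n != 1 || v[0] != 0xFF)
            return BC_MALFORMED;             /* DER: TRUE is 0xFF, FALSE is omitted */
        ca = true;
    }
    if (p == end) return BC_OK;              /* no pathLenConstraint present */

    if (!der_tlv(&p, end, 0x02, &v, &n) || n == 0 || p != end)
        return BC_MALFORMED;                 /* not an INTEGER, empty, or extra data */
    if (v[0] & 0x80) return BC_MALFORMED;    /* negative pathLen */
    if (!ca || !key_cert_sign)
        return BC_PATHLEN_NOT_ALLOWED;       /* the rule quoted from RFC 5280 */
    return BC_OK;
}
```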