On 8/10/14 7:35 AM, Ben Reser wrote:
> There shouldn't be any such certificate that's valid (at least that's using
> the Internet profile for X.509). There are two places that the signature
> algorithm is specified in the certificate. First in the Certificate sequence
> and again in the TBSCertificate sequence. According to the X.509 RFC these
> MUST always be the same OID (see section 4.1.1.2 and 4.1.2.3 of RFC 5280).
>
> So yes I'd be interested in seeing the certificate.
>
> If there really are such certificates we can loosen this check since it's not
> really important to how we're using the X.509 parser right now.

Ivan sent me the certificate. This appears to be a bug in the X.509 parser. Haven't worked out what yet though.
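
The consistency check discussed in this thread, as an added example that is not part of the original message and is not the project's parser code: it walks the DER structure and compares the OID in `Certificate.signatureAlgorithm` with the one in `TBSCertificate.signature`. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed, truncated skeleton, not the certificate mentioned above.

```python
SHA256_RSA = "300d06092a864886f70d01010b0500"  # constructed AlgorithmIdentifier: sha256WithRSAEncryption
SHA1_RSA = "300d06092a864886f70d0101050500"    # constructed AlgorithmIdentifier: sha1WithRSAEncryption

def read_tlv(buf, pos, end):
    """Decode one DER element in buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    """Return (tag, value_start, value_end) for each element directly inside buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def signature_oids(cert):
    """Return the OID contents of (Certificate.signatureAlgorithm, TBSCertificate.signature)."""
    tag, start, end = read_tlv(cert, 0, len(cert))
    top = children(cert, start, end)
    if tag != 0x30 or len(top) != 3 or top[0][0] != 0x30 or top[1][0] != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tbs = children(cert, top[0][1], top[0][2])
    i = 1 if tbs and tbs[0][0] == 0xA0 else 0  # skip the optional [0] version
    if len(tbs) < i + 2 or tbs[i][0] != 0x02 or tbs[i + 1][0] != 0x30:
        raise ValueError("unexpected TBSCertificate layout")
    oids = []
    for _, s, e in (top[1], tbs[i + 1]):
        otag, ostart, oend = read_tlv(cert, s, e)
        if otag != 0x06:
            raise ValueError("AlgorithmIdentifier does not start with an OID")
        oids.append(cert[ostart:oend])
    return tuple(oids)

def algorithms_match(cert):
    outer, inner = signature_oids(cert)
    return outer == inner

def sample_cert(inner_alg, outer_alg):  # constructed skeleton, not a real certificate
    return bytes.fromhex("302c3017a003020102020101" + inner_alg + outer_alg + "03020000")
```

When a check like this rejects a certificate that other tools accept, printing both values from `signature_oids` shows whether the file or the parser's offsets are at fault.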