
CWE-299: Improper Certificate Validation (Basic Constraints)

Overview

Improper validation of certificate Basic Constraints occurs when an application fails to verify that each certificate which signed another certificate in a chain is actually authorised to do so. The X.509 Basic Constraints extension (RFC 5280, section 4.2.1.9) carries a cA flag that marks a certificate either as a Certificate Authority (cA=TRUE) whose key may sign certificates, or as an end-entity certificate (cA=FALSE), plus an optional pathLenConstraint that caps how many intermediate CAs may appear beneath it. A validator that only checks that every signature in the chain verifies, without checking the cA flag of each signer, lets an attacker who holds any legitimately issued end-entity certificate (for example one for their own domain) sign a certificate for an arbitrary victim name: the signatures still chain up to a trusted root, so the forged chain passes.

OWASP Classification

A07:2025 - Authentication Failures

Risk

High: An attacker who holds any valid end-entity certificate together with its private key can build fraudulent certificate chains for arbitrary names, enabling man-in-the-middle attacks even when the victim verifies every signature in the chain up to a trusted root. Particularly dangerous when combined with other certificate validation failures such as missing hostname or revocation checks.

Remediation Steps

Core principle: For every certificate that signed another certificate in the path, verify that its Basic Constraints extension asserts cA=TRUE and that any pathLenConstraint it carries is honoured; a certificate marked non-CA, or lacking the extension, must never be accepted as an issuer.

Use Proper Certificate Validation Libraries

Modern TLS libraries perform full RFC 5280 path validation, including Basic Constraints, automatically when you use their default verification settings:

# SECURE - delegates chain building and validation to OpenSSL
import ssl
context = ssl.create_default_context()
# The default context sets verify_mode=CERT_REQUIRED and check_hostname=True.
# OpenSSL's path validation then enforces, on every certificate that signed
# another certificate in the chain:
# - Basic Constraints: cA must be TRUE, and pathLenConstraint is honoured
# - Key Usage: keyCertSign must be asserted when the extension is present
# and, on the leaf, Extended Key Usage (serverAuth) plus hostname matching
# against the Subject Alternative Name.
# Setting verify_mode = ssl.CERT_NONE discards all of these checks, and
# check_hostname = False accepts a valid chain issued for any other name.

Verify CA Flag in Certificate Chain

If implementing custom validation (for example over raw DER certificates outside a TLS handshake), check every certificate in the path according to its role:

from cryptography import x509
from cryptography.x509.oid import ExtensionOID

def validate_basic_constraints(cert, is_ca_expected):
    """Reject a certificate whose Basic Constraints do not match its role.

    Call with is_ca_expected=True for every certificate that signed another
    certificate in the path, and False for the end-entity (leaf) certificate.
    This checks only the extension; signature verification, Key Usage
    (keyCertSign) and path length must be enforced separately.
    """
    try:
        bc = cert.extensions.get_extension_for_oid(
            ExtensionOID.BASIC_CONSTRAINTS
        )
        if is_ca_expected and not bc.value.ca:
            raise ValueError("Certificate must be CA")
        if not is_ca_expected and bc.value.ca:
            raise ValueError("End-entity cert has CA flag")
    except x509.ExtensionNotFound:
        # RFC 5280 requires the extension on CA certificates; an end-entity
        # certificate may omit it (absent means cA=FALSE).
        if is_ca_expected:
            raise ValueError("CA cert missing Basic Constraints")

Validate Path Length Constraints

Check that the certificates beneath each CA respect its pathLenConstraint:

# pathLenConstraint caps how many non-self-issued intermediate CAs may follow
# this CA in the path (RFC 5280, section 4.2.1.9):
#   pathLenConstraint=0: the CA may only issue end-entity certificates
#   pathLenConstraint=1: the CA may issue one level of intermediate CAs
def validate_path_length(ca_cert, intermediates_below):
    """intermediates_below: number of CA certs between ca_cert and the leaf."""
    bc = ca_cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
    if bc.value.ca and bc.value.path_length is not None:
        if intermediates_below > bc.value.path_length:
            raise ValueError("Path length constraint violated")

Reject Certificates Without Basic Constraints

For CA certificates, the Basic Constraints extension must be present and marked critical (RFC 5280, section 4.2.1.9):

  • CA certificates MUST have the Basic Constraints extension; treat a certificate without it as an end-entity certificate, never as a CA
  • Conforming CAs MUST mark Basic Constraints critical on CA certificates; a validator may tolerate a non-critical copy for compatibility but must still enforce its cA value
  • The cA flag MUST be TRUE on every certificate that signs other certificates
  • If Key Usage is present on a CA certificate, keyCertSign MUST be asserted
  • pathLenConstraint MUST be enforced for intermediate CAs
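
The three checks above combined into one chain validator, as an added example that is not part of the original page: it builds a constructed PKI with the cryptography package (a root, an issuing CA with pathLenConstraint=0 and an ordinary server certificate), then runs two attacks against a naive validator that only follows the signature linkage and against a validator that also enforces cA=TRUE, keyCertSign and path length. The names (Demo Root CA, attacker.example, victim.example), the helper functions and the fixed validity window are assumptions made for the demo; validity dates, hostname matching and revocation are deliberately left out so the Basic Constraints logic stays visible.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Fixed validity window for the constructed test certificates (assumed values).
NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
NOT_AFTER = datetime.datetime(2034, 1, 1, tzinfo=datetime.timezone.utc)
new_key = lambda: ec.generate_private_key(ec.SECP256R1())  # P-256 keys for the demo

def make_cert(cn, key, issuer=None, issuer_key=None, ca=False, path_length=None):
    """Issue a constructed test certificate; issuer=None builds a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=ca,
        encipher_only=False, decipher_only=False)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer.subject if issuer is not None else subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
               .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
               .add_extension(key_usage, critical=True))
    return builder.sign(issuer_key if issuer is not None else key, hashes.SHA256())

def signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature (ECDSA in this demo)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def issuer_problem(cert, intermediates_below):
    """None if cert may sign certificates at this position in the path, else the reason.
    intermediates_below: number of CA certificates between cert and the leaf."""
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value
    except x509.ExtensionNotFound:
        return "issuer lacks Basic Constraints"  # RFC 5280: absent means not a CA
    if not bc.ca:
        return "issuer is an end-entity certificate (cA=FALSE)"
    try:
        if not cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value.key_cert_sign:
            return "issuer Key Usage lacks keyCertSign"
    except x509.ExtensionNotFound:
        pass  # Key Usage is optional; cA=TRUE alone then authorises signing
    if bc.path_length is not None and intermediates_below > bc.path_length:
        return "path length constraint violated"
    return None

def validate_chain(chain, trust_anchors, check_basic_constraints=True):
    """chain[0] is the leaf; chain[-1] must be issued by one of trust_anchors.
    check_basic_constraints=False gives the vulnerable validator, which only follows
    the signature linkage (any end-entity key can extend that). Validity dates,
    name matching and revocation are out of scope for this demo."""
    anchor = next((a for a in trust_anchors if a.subject == chain[-1].issuer), None)
    if anchor is None:
        return False, "no trust anchor for chain"
    path = list(chain) + [anchor]
    for depth, (cert, issuer) in enumerate(zip(path, path[1:])):
        if cert.issuer != issuer.subject or not signed_by(cert, issuer):
            return False, f"bad signature at depth {depth}"
        if check_basic_constraints:
            # path[1:depth + 1] are the CA certificates strictly between issuer and leaf
            problem = issuer_problem(issuer, intermediates_below=depth)
            if problem:
                return False, f"{problem} (issuer at depth {depth + 1})"
    return True, "ok"

def build_scenarios():
    """Constructed PKI: root -> issuing CA (pathLen 0) -> attacker's server cert."""
    root_key, inter_key, attacker_key, subca_key = new_key(), new_key(), new_key(), new_key()
    root = make_cert("Demo Root CA", root_key, ca=True)
    inter = make_cert("Demo Issuing CA", inter_key, root, root_key, ca=True, path_length=0)
    attacker = make_cert("attacker.example", attacker_key, inter, inter_key)
    # Attack 1: the attacker signs a certificate for the victim's name with the key
    # of their own, legitimately issued, end-entity certificate.
    forged = make_cert("victim.example", new_key(), attacker, attacker_key)
    # Attack 2: a mis-issued sub-CA beneath the pathLenConstraint=0 issuing CA.
    subca = make_cert("Rogue Sub CA", subca_key, inter, inter_key, ca=True)
    too_deep = make_cert("victim.example", new_key(), subca, subca_key)
    return {"anchors": [root], "legit": [attacker, inter],
            "forged": [forged, attacker, inter], "too_deep": [too_deep, subca, inter]}

if __name__ == "__main__":
    s = build_scenarios()
    for name in ("legit", "forged", "too_deep"):
        naive = validate_chain(s[name], s["anchors"], check_basic_constraints=False)
        strict = validate_chain(s[name], s["anchors"])
        print(f"{name:9} signatures-only={naive[0]!s:5} with-constraints={strict[0]!s:5} {strict[1]}")
```

Both attack chains verify cleanly under the signatures-only validator, because every signature really was made by the key above it. The forged chain is rejected only because the attacker's certificate carries cA=FALSE, and the mis-issued sub-CA chain only because the issuing CA's pathLenConstraint=0 forbids any CA beneath it. The count passed as intermediates_below treats every certificate between the issuer and the leaf as a non-self-issued intermediate, which is the common case; a validator that must accept self-issued CA re-certifications has to exclude those from the count as RFC 5280 section 6.1.4 describes.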

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources