error message may not right

[JeyJeyGao]

In line 67 of the code, if i == 0 which is the leaf cert, the error message still says that it is the intermediate certificate, so the error message may not right. It may need to return the CommonName of the cert to help use identify the invalid cert.

notation-core-go/x509/cert_validations.go

Lines 56 to 78 in 0cb6e75

	for i, cert := range certChain {
	if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
	return fmt.Errorf("certificate with subject %q was not valid at signing time of %s", cert.Subject, signingTime.UTC())
	}
	if i == len(certChain)-1 {
	if !isSelfSigned(cert) {
	return errors.New("certificate chain must end with a root certificate (root certificates are self-signed)")
	}
	} else {
	// This is to avoid extra/redundant multiple root cert at the end of certificate-chain
	if isSelfSigned(cert) {
	return errors.New("certificate chain must not contain self-signed intermediate certificates")
	} else if nextCert := certChain[i+1]; !isIssuedBy(cert, nextCert) {
	return fmt.Errorf("certificate with subject %q is not issued by %q", cert.Subject, nextCert.Subject)
	}
	}
	if i == 0 {
	if err := validateLeafCertificate(cert, expectedLeafEku); err != nil {
	return err
	}
	} else {

[patrickzheng200]

Nice catch. And instead of the CommonName, we could show the Subject of the cert.