Basic Constraints Extension


Basic constraints is an X.509 v3 certificate extension (id-ce-basicConstraints, OID 2.5.29.19, RFC 5280 section 4.2.1.9). It carries two fields: a cA boolean that states whether the certified public key may be used to verify signatures on other certificates, i.e. whether this is a CA certificate or an end entity certificate, and an optional pathLenConstraint integer. RFC 5280 requires the extension to be present and marked critical in every CA certificate whose key is used to validate certificate signatures.

In the certificate shown above, the Basic Constraints extension is selected and Subject Type = CA, which means it is a CA certificate (cA is TRUE).

In the certificate above, Subject Type = End Entity shows that it is an end entity certificate (cA is FALSE).

If a v3 certificate does not carry the basic constraints extension at all, or carries it with cA set to FALSE, it is treated as an end entity certificate: its key must not be used to verify certificate signatures (RFC 5280 section 4.2.1.9). Version 1 and 2 certificates have no extensions, so a validator must either establish out of band that such a certificate is a CA certificate or reject it. A certificate that passes this test can still be rejected as a CA on other grounds, for example a key usage extension without keyCertSign.

The path length constraint (pathLenConstraint) is meaningful only in CA certificates; RFC 5280 says it must not be included unless cA is TRUE, and it has no effect on end entity certificates. It gives the maximum number of non-self-issued intermediate CA certificates that may follow this certificate in a valid certification path. A self-issued certificate is one whose issuer and subject are the same name (typically a CA key rollover certificate); such certificates are not counted. The end entity certificate at the end of the path is never counted either, so a path length constraint of 0 means the CA may issue only end entity certificates.

In the certificate chain above, certificate (1) specifies a path length constraint of 2, which means at most 2 CA certificates may follow it in the path, not counting the end entity certificate. This condition is satisfied because exactly two CA certificates, (2) and (3), sit below certificate (1). Certificate (4) is not counted because it is an end entity certificate.

Next, certificate (2) specifies a path length constraint of 1. This is also satisfied: only one CA certificate, (3), sits below it, and the end entity certificate (4) is not counted.

At certificate (3), the path length constraint is 0, which means no CA certificate may appear below it. This is satisfied too, since only the end entity certificate (4) follows.

At certificate (4), the path length constraint does not apply because it is an end entity certificate.

All certificates in the path meet their path length constraints, so the chain passes this check. A validator performs it by walking the path from the trust anchor towards the end entity and keeping a running maximum path length: each non-self-issued intermediate decreases it by one, and a certificate's own pathLenConstraint lowers it further if it is smaller (RFC 5280 section 6.1.4). Certificate path validation has other checks as well (signatures, validity periods, name constraints, key usage, revocation), but here we consider only the basic constraints checks.

In the certificate chain above, certificate (1) has a path length constraint of 6 while only two CA certificates, (2) and (3), sit below it. This is also valid: the value 6 means up to 6 CA certificates could follow it, excluding the end entity certificate, and 2 is within that limit. A larger value higher in the chain never relaxes a smaller constraint lower down; the effective limit at each point is the smallest one seen so far.

In the certificate chain above, certificate (1) has no path length constraint (the field is absent, shown as None), which means it places no limit on the number of CA certificates below it. Certificates (2) and (3) still carry their own constraints, which work exactly as explained before.

In the certificate chain above, the path length constraint of certificate (2) is 0, which means no CA certificate may appear below it, yet CA certificate (3) does. The constraint is violated, so this is not a valid certification path, whatever certificate (3) itself says.
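The following Python program is an added example for this page, not code from the original article. It decodes the basic constraints extension value from its DER encoding and then applies the path length rule of RFC 5280 section 6.1.4 to the chains discussed above, ordered root first. The DER byte strings and the chains are constructed sample data; where the text leaves a value unstated (the constraints of certificates (1) and (3) in the invalid chain) the values used here are assumptions, and the `self_issued` flag on the root is an assumption that it is self-signed.

```python
"""Basic constraints: decode the extension from DER and apply the RFC 5280
6.1.4 path length rule to a chain.  Added example, standard library only;
all DER bytes and chains below are constructed sample data."""
from typing import List, NamedTuple, Optional

class BasicConstraints(NamedTuple):
    ca: bool
    path_len: Optional[int]          # None: pathLenConstraint absent

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag, length, value triple starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode the extnValue of id-ce-basicConstraints (OID 2.5.29.19):
        BasicConstraints ::= SEQUENCE {
            cA                 BOOLEAN DEFAULT FALSE,
            pathLenConstraint  INTEGER (0..MAX) OPTIONAL }"""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:             # cA BOOLEAN
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one byte")
        ca = val[0] != 0       # an explicit FALSE is BER, not DER, but decodes safely
    if pos < len(body) and body[pos] == 0x02:             # pathLenConstraint INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")
    if pos != len(body):
        raise ValueError("trailing data inside BasicConstraints")
    if path_len is not None and not ca:
        # RFC 5280 4.2.1.9: the field must not appear unless cA is TRUE
        raise ValueError("pathLenConstraint on a non-CA certificate")
    return BasicConstraints(ca, path_len)

class ChainCert(NamedTuple):
    name: str
    bc: Optional[BasicConstraints]   # None: extension absent (v3 => end entity)
    self_issued: bool = False        # issuer name == subject name

def check_basic_constraints(chain: List[ChainCert]) -> Optional[str]:
    """Apply RFC 5280 6.1.4 steps (k), (l), (m) to a chain ordered root -> leaf.
    Returns None when the chain satisfies the basic constraints rules, else a
    message naming the first certificate that breaks them."""
    max_path_len = len(chain)        # 6.1.2 (k): start at the number of certs
    for i, cert in enumerate(chain):
        if i == len(chain) - 1:      # the end entity is never counted
            return None
        bc = cert.bc or BasicConstraints(False, None)   # absent => not a CA
        if not bc.ca:                                   # (k)
            return f"{cert.name} is not a CA but has a certificate below it"
        if not cert.self_issued:                        # (l)
            if max_path_len <= 0:
                return f"{cert.name} exceeds a pathLenConstraint set above it"
            max_path_len -= 1
        if bc.path_len is not None and bc.path_len < max_path_len:   # (m)
            max_path_len = bc.path_len
    return None

def demo_chains():
    """The chains discussed in the text, root first (constructed sample data)."""
    def ca(name, path_len, self_issued=False):
        return ChainCert(name, BasicConstraints(True, path_len), self_issued)
    leaf = ChainCert("(4) end entity", None)            # no extension: end entity
    return {
        "(1)=2 (2)=1 (3)=0": [ca("(1) root", 2, True), ca("(2)", 1), ca("(3)", 0), leaf],
        "(1)=6 (2)=1 (3)=0": [ca("(1) root", 6, True), ca("(2)", 1), ca("(3)", 0), leaf],
        "(1)=none (2)=1 (3)=0": [ca("(1) root", None, True), ca("(2)", 1), ca("(3)", 0), leaf],
        # (1)=2 and (3)=0 are assumed; the text only fixes (2)=0
        "(1)=2 (2)=0 (3)=0": [ca("(1) root", 2, True), ca("(2)", 0), ca("(3)", 0), leaf],
        # an intermediate that lacks the extension cannot sign anything
        "(2) missing extension": [ca("(1) root", 2, True), ChainCert("(2)", None), ca("(3)", 0), leaf],
    }

if __name__ == "__main__":
    for raw in ("30060101ff020102", "30030101ff", "3000"):   # CA pathlen 2, CA, end entity
        print(raw, "->", parse_basic_constraints(bytes.fromhex(raw)))
    for label, chain in demo_chains().items():
        print(f"{label}: {check_basic_constraints(chain) or 'valid'}")
```

The chain order is root first, which is the direction RFC 5280 walks it; tools such as OpenSSL present chains leaf first, so reverse before calling `check_basic_constraints`. The first three chains pass, the fourth fails at certificate (3) because the running limit reached 0 at certificate (2), and the fifth fails at certificate (2) because an intermediate without the extension is an end entity and may not sign.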