<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/llqll">llqll</a> created an issue:
</p>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate] whose leaf certificate has an invalid Subject Public Key Info field. Although the subjectPublicKey field conforms to the syntax of a BIT STRING, the RSAPublicKey inside it does not conform to the syntax. The DER-encoded RSAPublicKey is the value of the BIT STRING subjectPublicKey.</p>
<p dir="auto">The structure of RSAPublicKey described in RFC 3279 is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">RSAPublicKey ::= SEQUENCE {</span>
<span id="LC2" class="line" lang="plaintext">    modulus         INTEGER,  -- n</span>
<span id="LC3" class="line" lang="plaintext">    publicExponent  INTEGER } -- e</span></code></pre>
<p dir="auto">Meanwhile, the chain can still pass certificate verification with GnuTLS 3.6.7; however, the chain was rejected by OpenSSL. Does GnuTLS 3.6.7 have a bug here? (Or do I have some misunderstanding of GnuTLS 3.6.7's parsing or verification procedure?) Will it cause any further problems in certificate verification?</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">GnuTLS 3.6.7</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Ubuntu 16.04</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">Steps to Reproduce:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">certtool --verify --load-ca-certificate 1.pem --infile leaf.pem</span></code></pre>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">The verification returns:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Chain verification output: Verified. The certificate is trusted.</span></code></pre>
<p dir="auto">However, the result of OpenSSL is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">error 66 at 0 depth lookup: EE certificate key too weak</span>
<span id="LC2" class="line" lang="plaintext">error leaf.pem: verification failed</span></code></pre>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">Chain verification output: failed.</p>
<p dir="auto">The 1.pem is:</p>
<p dir="auto">The leaf.pem is:</p>
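<p dir="auto">The check the report is asking about, as an added example that is not code from the GnuTLS project or from the reporter: a minimal DER walker that confirms the subjectPublicKey BIT STRING really holds <code>SEQUENCE { INTEGER, INTEGER }</code> and applies a minimum modulus size (the 2048-bit threshold is an assumed local policy, not a GnuTLS or OpenSSL value), run over constructed sample keys rather than the certificates above.</p>

```python
# Added example, not code from the GnuTLS project or from the issue reporter: checks that the
# content of an RSA SubjectPublicKeyInfo.subjectPublicKey BIT STRING really holds the RFC 3279
# structure RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.

def _read_tlv(buf, pos):                               # -> (tag, value, next_pos) for one DER TLV
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def check_rsa_public_key(bitstring_value, min_bits=2048):   # min_bits: assumed local policy
    """bitstring_value is the BIT STRING content (unused-bits byte first). Returns (accepted, reason, bits)."""
    if not bitstring_value or bitstring_value[0] != 0:
        return False, "unused-bits byte must be 0", 0
    der = bitstring_value[1:]
    try:
        tag, body, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False, "subjectPublicKey is not a single SEQUENCE", 0
        ints, pos = [], 0
        while pos < len(body):
            t, v, pos = _read_tlv(body, pos)
            if t != 0x02 or not v:
                return False, "RSAPublicKey element is not an INTEGER", 0
            ints.append(int.from_bytes(v, "big", signed=True))
    except (IndexError, ValueError):
        return False, "malformed or truncated DER", 0
    if len(ints) != 2:
        return False, "expected 2 INTEGERs, found %d" % len(ints), 0
    n, e = ints
    if n.bit_length() < min_bits:                      # the "key too weak" case
        return False, "key too weak: %d-bit modulus" % n.bit_length(), n.bit_length()
    return True, "ok", n.bit_length()

# Constructed sample inputs (not taken from the certificates in the report).
def _der(tag, content):                                # minimal DER TLV encoder
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def _int(v):                                           # positive DER INTEGER, sign byte if needed
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

GOOD_2048 = b"\x00" + _der(0x30, _int((1 << 2047) | 1) + _int(65537))
WEAK_512 = b"\x00" + _der(0x30, _int((1 << 511) | 1) + _int(65537))
NOT_A_SEQUENCE = b"\x00" + _der(0x04, b"\x01\x02\x03")  # OCTET STRING where a SEQUENCE is required
THREE_INTS = b"\x00" + _der(0x30, _int(3) + _int(5) + _int(7))
```

A verifier that only checks the outer BIT STRING syntax accepts all four inputs; walking into the RSAPublicKey is what separates the well-formed 2048-bit key from the other three.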

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/873">view it on GitLab</a>.
</p>
</div>
</body>
</html>