<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #777;">

<a href="https://gitlab.com/julia27">julia</a> created an issue:

</p>

<div></div>

<p dir="auto">I recently created a faked certificate, which happens to have an “empty”subject and two subject alternative name instances. The certificate is not rejected during path validation.</p>

<p dir="auto">I can understand that the public key relies on the subject name and the alternative name. The problem is, which subject alternative name needs to be bound to the public key?</p>

<p dir="auto">The version of Gnutls: 3.6.8.</p>

<p dir="auto">The command I used is:<br>

certtool --verify --load-ca-certificate='rootCA_key_cert.pem' < 5009.pem</p>

<p dir="auto">The extension part is:

Basic Constraints (critical):

Certificate Authority (CA): TRUE

Subject Alternative Name (critical):

DNSname: motherless.com

Subject Alternative Name (critical):

DNSname: <a href="http://www.flipkart.com" rel="nofollow noreferrer noopener" target="_blank">www.flipkart.com</a>

DNSname: flipkart.com

DNSname: secure.flipkart.com</p>

<p dir="auto">The verification returns:

Loaded CAs (1 available)

Subject: (null)

Issuer: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN

Checked against: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN

Signature algorithm: RSA-SHA256

Output: Verified. The certificate is trusted.</p>

<p dir="auto">Chain verification output: Verified. The certificate is trusted.</p>

<p dir="auto">The rootCA_key_cert.pem (self-signed root CA):

-----BEGIN RSA PRIVATE KEY-----

MIIEowIBAAKCAQEA1QUBgnureUishKtOaMYYaI+MXommBYHrdWk5RLhwlBTMRWUN

vb2UkN1dYU8SNQ91DsEM2Vs+eHWLkVvluK3ug2upsJdbG8GmFkScSMz4/oY6Mv59

8ib28uWA8F/ipu/DQhEHG2Nrccss9bBLOW7J0+Haj2UfZPZjQ1gxRwBO4Y4ZRKTw

xcxvEkk5AFsLr89B8kcqn385FrJqgFcnzWSfDNqK32xaoCu1gctpzNH4x76HEGGH

1N37v++HHa73EW6UrrDRsx4FkKOjG4iyXi8I7IUzHRyY6GRihJTLwrxBSDkPkS69

FfjYZqlb/dGszQG9MUGGLh2pyDMlSPzCu1knswIDAQABAoIBAEidADq+dWFOiKBg

1MWaYU+jPzIqsdFGzEClscPfK2EPBeLR47E+IpqPGvnEvmwf7MMuw3aER/M//md6

cABYKenalWmA7qmzhS4qDSwz0tzQXJ5taflVlvCNkzpdNSG6sVCgBVAsv792hsjp

Y3scbOgxIROoYN9FreiS85lEXZ889d+1ytTBSqWf6RpPWibQ+xBCHPW6UoMDJBlV

n+eC6eVTsmzG5QDUvY0FLLuxcyFLO1YUkFQ1jFmR7QuOrG6Bw67Am10QxzGDiiCc

eegqxlWEK6aUWATzN+CVkvWNJm43G+FOicpkbY5N9wlCONFDCD1QFP53EHG6BBle

Sii4M4ECgYEA7IPdz7+fYiWbZnRrOA0OpXUmVVUSDU4MT1zBTlEy/O8SQeWu3PNA

3OAD0Xpc4cypTOrTU+3pPuoK99amr3WkXv8WYimADqHTpYBv6qNp0xxp2Le2+sIe

wKCOCkw8Yt4u0Vas/m+N1Q9yIaIOMyzqlY+/oq7P8L73WAa0BhsKRnECgYEA5pGd

hpHizSG6oCVwn6G1RJrc7zyADZuSc7yR2PfIve/KHxM14m2wJcFr/hIIAtOui34R

aBoK9lNG5WNooR1kVaye245tpju91+FVzmoW3Poz0RUi5SLjiBYzizOq9LLECuLi

bOlzxL3lcHSATM14ipbS2zeo3AAs7f5fP4xXimMCgYAvhY9b3rS3k7bVry6b5IO8

2v0IyD8ITVZL2+c7RTVpfN++PdgUrQurVZduz5c6B1U9DzHG+1aSPZRWl9qGBq0w

KTDmKFCCoCFWb6gNDSiGMn9R/BfX6okjSx8/EnJPqzTc+v1nYiKtXJ0iBN21iqDX

zDpFBbriNHyeQzqIv4YhAQKBgHJeMIEbxCB0ZpoheCf2km+hUY3puKsHTDHUi5PP

9OciFmQrp0LVndZchzDTyN1+GspekkvM/zsIO9Z05OVmKurEYVgO4hze7WA0CdgF

j6m1AhboIRL/p1VNjeuyiU4vjkbIHABiHGauuyx43Vs7YFt+TMEobr4R6Dd1QdHH

z3R5AoGBAL9PGWeOu1ptVs+OHPPBUIqvrZIluWjFEP96wCPcCyEWqcvJ2lCN4z4K

b76PV1S5/dQmLsG98H7NnrH6sstcxh8ylddD10CEEi49C5rb9Ju4YVPeGtdCFNIb

niOb8hgCX3MV/+ypRTaC0bzeQNAPhD+r07zIDkqAtnL+SG+RCMa1

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIDUzCCAjugAwIBAgIJAJl+82Li87lfMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV

BAYTAkNOMQswCQYDVQQIDAJTSDESMBAGA1UECgwJU0pUVSBERFNUMRAwDgYDVQQD

DAdERFNUIENBMB4XDTE5MDczMDA2NTc1NVoXDTIyMDExNDA2NTc1NVowQDELMAkG

A1UEBhMCQ04xCzAJBgNVBAgMAlNIMRIwEAYDVQQKDAlTSlRVIEREU1QxEDAOBgNV

BAMMB0REU1QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVBQGC

e6t5SKyEq05oxhhoj4xeiaYFget1aTlEuHCUFMxFZQ29vZSQ3V1hTxI1D3UOwQzZ

Wz54dYuRW+W4re6Da6mwl1sbwaYWRJxIzPj+hjoy/n3yJvby5YDwX+Km78NCEQcb

Y2txyyz1sEs5bsnT4dqPZR9k9mNDWDFHAE7hjhlEpPDFzG8SSTkAWwuvz0HyRyqf

fzkWsmqAVyfNZJ8M2orfbFqgK7WBy2nM0fjHvocQYYfU3fu/74cdrvcRbpSusNGz

HgWQo6MbiLJeLwjshTMdHJjoZGKElMvCvEFIOQ+RLr0V+NhmqVv90azNAb0xQYYu

HanIMyVI/MK7WSezAgMBAAGjUDBOMB0GA1UdDgQWBBSkoyQbQziu3QnuUSBHdEnP

VAbUszAfBgNVHSMEGDAWgBSkoyQbQziu3QnuUSBHdEnPVAbUszAMBgNVHRMEBTAD

AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQADCzh/BOVeuBzYLukXD4WmADAbBLWccunP

0i0m1X8CePPT7OYuZV7ie150ViP55I74D0u9uaqzadXJ6Q8WPJVPv95/boAIJCoe

SHkh3hPAsHfqfjrAquwXsM9I1KpxsHSMUluMJbbty+OpRWRT8sBcdBwFqIxZuEvO

z8M0LDGd7EgQfaXJuWXJggXOtf0Da4l9kJjE6M68ns+rEShK+wenxuJeLEI9FwZA

gSt7PnmJVLz1eXLtZRTsbMuukFH6jDTQyMekxhODyskj5sch5IoiF2KrcQT09LPX

3JzTb6+14WI1YvQm+ve7mnQOWOhdsi9gJ00yfAHOuku7tEyWBN2m

-----END CERTIFICATE-----</p>

<p dir="auto">5009.pem:

-----BEGIN PRIVATE KEY-----

MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6bDHBmJk6NBt2

gBP/xV4wJl1xusclcMLsW3id/6kmZJuW0kDdzqQUn50EeFxbIk1lEcWC1ia7dffs

ZcfAWEPXG63UgAaqUe0R9xYKjCGZG8yk/J4+nvuufxG3Kw9B9r4rd4v9x3X3Wy8/

oWdWeZGuWlNPTa4KTjC19PpC5WqhQhNeiAzqRSQ3ICrnhxuNZv9J4U2GECldnwqE

MxSWOwwLny2VSK6yFOobG0uuf+IfL6+OP4Xj2wqGJwdlDUeoc7z1QiFPpap3UMUm

J9WSPyvsDcnWAnyvriMCJEblES+anCmmzaOoGE4x5syGXlgCEk0cOQJx4QULVDsE

8PQwUmHTAgMBAAECggEABAcibBRn+yH1FfJefEA/cLrjefmXI+/zxjeTu5YyiWnT

EscoL6KvWOK5+ca/+Bgdo/lmUxVdcN9zo9/vGPDPRm6KqvS5MCTlAmZcS44Li8tV

+JqcsK2usm58a4C6q6oxIa9LjwgoPFf0BWPvX6bwxtucwTHkeMSHuOa6IYfjbeh+

GnB8qMtbYwC7zadb3yJNlbt3w/NUHXkpTzj+u/F+7NKWnBP6FRNHpDNo2xQoBFw1

3xtfey0kf9N2TBj18CKEHRv3FcCQx181SCg65DHlvrU7m7Cm7VKxzS5Kqm2RolFY

L6HCf5lzF7Dm0BETrk6vkLKCz4nqIP5+rGhaSx1vQQKBgQDsXgMKY2xLIP3LWwvB

rzdKdtlLW7xTDDmrEp2CwalLhnV/hkbmJAfoVcC3+1pengSTFlWdI62JvB4BOwg/

sRf1Cmk2vC9KIBFtbPDode8/OMMUFraEtEDnzqgynotRpg25Hat1+60axepElR/1

DFX9j3Sb7VPV+J/mzdDtFlY3DQKBgQDJ6C/W57+BKDENZk49Nr4KJrpb8VyA1vNV

P/4TG2XX9yYqrxTrE5cAayFBiEwBPd9/qk9oSjB0Uf89NEcxtjERv3F4AXJNjMOQ

Prn9qqIDu25zDKDUMKXL2z3qM62hOuNR/Hzpc0xXX7GXrUlHl0vhvZElD/2yKbue

5k6LiWbEXwKBgQDQK7Az2wKKXGEJU4NULrPccjXIB+AhqDe18iwk99jZOm+LQ8B3

ei44siWMI+QgRr0yqc33GnABSVuHq+0E4zx9RJELcsuXVgzjObomkY+HN7+flq1i

zLoJLlm2UynSXBPkADx9KY34cWx0wH2nvRiSu2Bw36EhZtm1VXj3BeAilQKBgQCa

VhG7hIquf7p/M6S6xg2eVNw/S9AZ7DU1BSWCFX9UBmf2WL70spTKjRlurnDqwhEF

1Xm9jnhbchJZBo0lQs9fcaeaxABLpz4WFNy3Oqd9kthquUx25njVy1EYpUgj5o+9

K/OPv8KrR0rJVnydbNlkRTOd0QtsFNqGLCX+I5maoQKBgEWpJPLIwIQZlCbe4E2+

mMUpj3UlMbx1rO9t5unsh8hQSiAd54uI4y0tNanQoNnzVoHQgdVLxTbS78iXSdTS

RPZL51HeYehXDwaeQ9LL9JuoyCRri0IAjC+XLntYpf02RH/IvJcVhc92+xkTeWFJ

l1t0lQs0V36HcC8i+g2AsMWj

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIDMzCCAhugAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJDTjEL

MAkGA1UECAwCU0gxEjAQBgNVBAoMCVNKVFUgRERTVDEQMA4GA1UEAwwHRERTVCBD

QTAiGA8xOTk2MDgwMTAwMDAwMFoYDzIwMjAxMjMxMjM1OTU5WjAAMIIBIjANBgkq

hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAumwxwZiZOjQbdoAT/8VeMCZdcbrHJXDC

7Ft4nf+pJmSbltJA3c6kFJ+dBHhcWyJNZRHFgtYmu3X37GXHwFhD1xut1IAGqlHt

EfcWCowhmRvMpPyePp77rn8RtysPQfa+K3eL/cd191svP6FnVnmRrlpTT02uCk4w

tfT6QuVqoUITXogM6kUkNyAq54cbjWb/SeFNhhApXZ8KhDMUljsMC58tlUiushTq

GxtLrn/iHy+vjj+F49sKhicHZQ1HqHO89UIhT6Wqd1DFJifVkj8r7A3J1gJ8r64j

AiRG5REvmpwpps2jqBhOMebMhl5YAhJNHDkCceEFC1Q7BPD0MFJh0wIDAQABo3Qw

cjAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQEB/wQSMBCCDm1vdGhlcmxlc3MuY29t

MEEGA1UdEQEB/wQ3MDWCEHd3dy5mbGlwa2FydC5jb22CDGZsaXBrYXJ0LmNvbYIT

c2VjdXJlLmZsaXBrYXJ0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcBlUfXcKN+qz

HV3uMVkqBYlCoM4Mrp83rFWgGbzggcu1Q9RLRHe+N5N4QQZUTUOaP/ZtbrGBjJfE

GoFJaJ0KBfjyaSotSj9W4tVQGtVt9c3kGWVSi8AQ5peaLQn3jmOQXrvHP2/behkm

40Ino7R5wbpGQ8V+2EhQufaBf9nfgCveBHvfY+QWSCrmKdZEKbQjCcAXMcRWRzCS

H8Y8eKKuna7cgndXudcQY7JQYhzB7Rf2F1k15JeSShhe4CbfpP+rjAVaewnJogS2

R8Y2tYnD/VVXR9p74S/M/MEXRMQb56gQsfw1V709M42/WDqHyU0z59P/nASQMQD/

zTFdEaCLtQ==

-----END CERTIFICATE-----</p>

<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/uploads/ea3d5695fb35f7d2fed38916b8563992/rootCA_key_cert.pem">rootCA_key_cert.pem</a>

<a href="https://gitlab.com/gnutls/gnutls/uploads/3cb189d2c81df6123378d6ea080200ad/5009.pem">5009.pem</a></p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/872">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/3d71f001c0728f2c91fae7e47f1c4b65/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/872"}}</script>

</p>

</div>

</body>

</html>