<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/julia27">julia</a> created an issue:
</p>
<div></div>
<p dir="auto">I recently created a faked certificate, which happens to have an “empty”subject and two subject alternative name instances. The certificate is not rejected during path validation.</p>
<p dir="auto">I can understand that the public key relies on the subject name and the alternative name. The problem is, which subject alternative name needs to be bound to the public key?</p>
<p dir="auto">The version of Gnutls: 3.6.8.</p>
<p dir="auto">The command I used is:<br>
certtool --verify --load-ca-certificate='rootCA_key_cert.pem' < 5009.pem</p>
<p dir="auto">The extension part is:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Alternative Name (critical):
DNSname: motherless.com
Subject Alternative Name (critical):
DNSname: <a href="http://www.flipkart.com" rel="nofollow noreferrer noopener" target="_blank">www.flipkart.com</a>
DNSname: flipkart.com
DNSname: secure.flipkart.com</p>
<p dir="auto">The verification returns:
Loaded CAs (1 available)
Subject: (null)
Issuer: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
Checked against: CN=DDST CA,O=SJTU DDST,ST=SH,C=CN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.</p>
<p dir="auto">Chain verification output: Verified. The certificate is trusted.</p>
<p dir="auto">The rootCA_key_cert.pem (self-signed root CA):
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1QUBgnureUishKtOaMYYaI+MXommBYHrdWk5RLhwlBTMRWUN
vb2UkN1dYU8SNQ91DsEM2Vs+eHWLkVvluK3ug2upsJdbG8GmFkScSMz4/oY6Mv59
8ib28uWA8F/ipu/DQhEHG2Nrccss9bBLOW7J0+Haj2UfZPZjQ1gxRwBO4Y4ZRKTw
xcxvEkk5AFsLr89B8kcqn385FrJqgFcnzWSfDNqK32xaoCu1gctpzNH4x76HEGGH
1N37v++HHa73EW6UrrDRsx4FkKOjG4iyXi8I7IUzHRyY6GRihJTLwrxBSDkPkS69
FfjYZqlb/dGszQG9MUGGLh2pyDMlSPzCu1knswIDAQABAoIBAEidADq+dWFOiKBg
1MWaYU+jPzIqsdFGzEClscPfK2EPBeLR47E+IpqPGvnEvmwf7MMuw3aER/M//md6
cABYKenalWmA7qmzhS4qDSwz0tzQXJ5taflVlvCNkzpdNSG6sVCgBVAsv792hsjp
Y3scbOgxIROoYN9FreiS85lEXZ889d+1ytTBSqWf6RpPWibQ+xBCHPW6UoMDJBlV
n+eC6eVTsmzG5QDUvY0FLLuxcyFLO1YUkFQ1jFmR7QuOrG6Bw67Am10QxzGDiiCc
eegqxlWEK6aUWATzN+CVkvWNJm43G+FOicpkbY5N9wlCONFDCD1QFP53EHG6BBle
Sii4M4ECgYEA7IPdz7+fYiWbZnRrOA0OpXUmVVUSDU4MT1zBTlEy/O8SQeWu3PNA
3OAD0Xpc4cypTOrTU+3pPuoK99amr3WkXv8WYimADqHTpYBv6qNp0xxp2Le2+sIe
wKCOCkw8Yt4u0Vas/m+N1Q9yIaIOMyzqlY+/oq7P8L73WAa0BhsKRnECgYEA5pGd
hpHizSG6oCVwn6G1RJrc7zyADZuSc7yR2PfIve/KHxM14m2wJcFr/hIIAtOui34R
aBoK9lNG5WNooR1kVaye245tpju91+FVzmoW3Poz0RUi5SLjiBYzizOq9LLECuLi
bOlzxL3lcHSATM14ipbS2zeo3AAs7f5fP4xXimMCgYAvhY9b3rS3k7bVry6b5IO8
2v0IyD8ITVZL2+c7RTVpfN++PdgUrQurVZduz5c6B1U9DzHG+1aSPZRWl9qGBq0w
KTDmKFCCoCFWb6gNDSiGMn9R/BfX6okjSx8/EnJPqzTc+v1nYiKtXJ0iBN21iqDX
zDpFBbriNHyeQzqIv4YhAQKBgHJeMIEbxCB0ZpoheCf2km+hUY3puKsHTDHUi5PP
9OciFmQrp0LVndZchzDTyN1+GspekkvM/zsIO9Z05OVmKurEYVgO4hze7WA0CdgF
j6m1AhboIRL/p1VNjeuyiU4vjkbIHABiHGauuyx43Vs7YFt+TMEobr4R6Dd1QdHH
z3R5AoGBAL9PGWeOu1ptVs+OHPPBUIqvrZIluWjFEP96wCPcCyEWqcvJ2lCN4z4K
b76PV1S5/dQmLsG98H7NnrH6sstcxh8ylddD10CEEi49C5rb9Ju4YVPeGtdCFNIb
niOb8hgCX3MV/+ypRTaC0bzeQNAPhD+r07zIDkqAtnL+SG+RCMa1
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAJl+82Li87lfMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJTSDESMBAGA1UECgwJU0pUVSBERFNUMRAwDgYDVQQD
DAdERFNUIENBMB4XDTE5MDczMDA2NTc1NVoXDTIyMDExNDA2NTc1NVowQDELMAkG
A1UEBhMCQ04xCzAJBgNVBAgMAlNIMRIwEAYDVQQKDAlTSlRVIEREU1QxEDAOBgNV
BAMMB0REU1QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVBQGC
e6t5SKyEq05oxhhoj4xeiaYFget1aTlEuHCUFMxFZQ29vZSQ3V1hTxI1D3UOwQzZ
Wz54dYuRW+W4re6Da6mwl1sbwaYWRJxIzPj+hjoy/n3yJvby5YDwX+Km78NCEQcb
Y2txyyz1sEs5bsnT4dqPZR9k9mNDWDFHAE7hjhlEpPDFzG8SSTkAWwuvz0HyRyqf
fzkWsmqAVyfNZJ8M2orfbFqgK7WBy2nM0fjHvocQYYfU3fu/74cdrvcRbpSusNGz
HgWQo6MbiLJeLwjshTMdHJjoZGKElMvCvEFIOQ+RLr0V+NhmqVv90azNAb0xQYYu
HanIMyVI/MK7WSezAgMBAAGjUDBOMB0GA1UdDgQWBBSkoyQbQziu3QnuUSBHdEnP
VAbUszAfBgNVHSMEGDAWgBSkoyQbQziu3QnuUSBHdEnPVAbUszAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQADCzh/BOVeuBzYLukXD4WmADAbBLWccunP
0i0m1X8CePPT7OYuZV7ie150ViP55I74D0u9uaqzadXJ6Q8WPJVPv95/boAIJCoe
SHkh3hPAsHfqfjrAquwXsM9I1KpxsHSMUluMJbbty+OpRWRT8sBcdBwFqIxZuEvO
z8M0LDGd7EgQfaXJuWXJggXOtf0Da4l9kJjE6M68ns+rEShK+wenxuJeLEI9FwZA
gSt7PnmJVLz1eXLtZRTsbMuukFH6jDTQyMekxhODyskj5sch5IoiF2KrcQT09LPX
3JzTb6+14WI1YvQm+ve7mnQOWOhdsi9gJ00yfAHOuku7tEyWBN2m
-----END CERTIFICATE-----</p>
<p dir="auto">5009.pem:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6bDHBmJk6NBt2
gBP/xV4wJl1xusclcMLsW3id/6kmZJuW0kDdzqQUn50EeFxbIk1lEcWC1ia7dffs
ZcfAWEPXG63UgAaqUe0R9xYKjCGZG8yk/J4+nvuufxG3Kw9B9r4rd4v9x3X3Wy8/
oWdWeZGuWlNPTa4KTjC19PpC5WqhQhNeiAzqRSQ3ICrnhxuNZv9J4U2GECldnwqE
MxSWOwwLny2VSK6yFOobG0uuf+IfL6+OP4Xj2wqGJwdlDUeoc7z1QiFPpap3UMUm
J9WSPyvsDcnWAnyvriMCJEblES+anCmmzaOoGE4x5syGXlgCEk0cOQJx4QULVDsE
8PQwUmHTAgMBAAECggEABAcibBRn+yH1FfJefEA/cLrjefmXI+/zxjeTu5YyiWnT
EscoL6KvWOK5+ca/+Bgdo/lmUxVdcN9zo9/vGPDPRm6KqvS5MCTlAmZcS44Li8tV
+JqcsK2usm58a4C6q6oxIa9LjwgoPFf0BWPvX6bwxtucwTHkeMSHuOa6IYfjbeh+
GnB8qMtbYwC7zadb3yJNlbt3w/NUHXkpTzj+u/F+7NKWnBP6FRNHpDNo2xQoBFw1
3xtfey0kf9N2TBj18CKEHRv3FcCQx181SCg65DHlvrU7m7Cm7VKxzS5Kqm2RolFY
L6HCf5lzF7Dm0BETrk6vkLKCz4nqIP5+rGhaSx1vQQKBgQDsXgMKY2xLIP3LWwvB
rzdKdtlLW7xTDDmrEp2CwalLhnV/hkbmJAfoVcC3+1pengSTFlWdI62JvB4BOwg/
sRf1Cmk2vC9KIBFtbPDode8/OMMUFraEtEDnzqgynotRpg25Hat1+60axepElR/1
DFX9j3Sb7VPV+J/mzdDtFlY3DQKBgQDJ6C/W57+BKDENZk49Nr4KJrpb8VyA1vNV
P/4TG2XX9yYqrxTrE5cAayFBiEwBPd9/qk9oSjB0Uf89NEcxtjERv3F4AXJNjMOQ
Prn9qqIDu25zDKDUMKXL2z3qM62hOuNR/Hzpc0xXX7GXrUlHl0vhvZElD/2yKbue
5k6LiWbEXwKBgQDQK7Az2wKKXGEJU4NULrPccjXIB+AhqDe18iwk99jZOm+LQ8B3
ei44siWMI+QgRr0yqc33GnABSVuHq+0E4zx9RJELcsuXVgzjObomkY+HN7+flq1i
zLoJLlm2UynSXBPkADx9KY34cWx0wH2nvRiSu2Bw36EhZtm1VXj3BeAilQKBgQCa
VhG7hIquf7p/M6S6xg2eVNw/S9AZ7DU1BSWCFX9UBmf2WL70spTKjRlurnDqwhEF
1Xm9jnhbchJZBo0lQs9fcaeaxABLpz4WFNy3Oqd9kthquUx25njVy1EYpUgj5o+9
K/OPv8KrR0rJVnydbNlkRTOd0QtsFNqGLCX+I5maoQKBgEWpJPLIwIQZlCbe4E2+
mMUpj3UlMbx1rO9t5unsh8hQSiAd54uI4y0tNanQoNnzVoHQgdVLxTbS78iXSdTS
RPZL51HeYehXDwaeQ9LL9JuoyCRri0IAjC+XLntYpf02RH/IvJcVhc92+xkTeWFJ
l1t0lQs0V36HcC8i+g2AsMWj
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDMzCCAhugAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCU0gxEjAQBgNVBAoMCVNKVFUgRERTVDEQMA4GA1UEAwwHRERTVCBD
QTAiGA8xOTk2MDgwMTAwMDAwMFoYDzIwMjAxMjMxMjM1OTU5WjAAMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAumwxwZiZOjQbdoAT/8VeMCZdcbrHJXDC
7Ft4nf+pJmSbltJA3c6kFJ+dBHhcWyJNZRHFgtYmu3X37GXHwFhD1xut1IAGqlHt
EfcWCowhmRvMpPyePp77rn8RtysPQfa+K3eL/cd191svP6FnVnmRrlpTT02uCk4w
tfT6QuVqoUITXogM6kUkNyAq54cbjWb/SeFNhhApXZ8KhDMUljsMC58tlUiushTq
GxtLrn/iHy+vjj+F49sKhicHZQ1HqHO89UIhT6Wqd1DFJifVkj8r7A3J1gJ8r64j
AiRG5REvmpwpps2jqBhOMebMhl5YAhJNHDkCceEFC1Q7BPD0MFJh0wIDAQABo3Qw
cjAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQEB/wQSMBCCDm1vdGhlcmxlc3MuY29t
MEEGA1UdEQEB/wQ3MDWCEHd3dy5mbGlwa2FydC5jb22CDGZsaXBrYXJ0LmNvbYIT
c2VjdXJlLmZsaXBrYXJ0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAcBlUfXcKN+qz
HV3uMVkqBYlCoM4Mrp83rFWgGbzggcu1Q9RLRHe+N5N4QQZUTUOaP/ZtbrGBjJfE
GoFJaJ0KBfjyaSotSj9W4tVQGtVt9c3kGWVSi8AQ5peaLQn3jmOQXrvHP2/behkm
40Ino7R5wbpGQ8V+2EhQufaBf9nfgCveBHvfY+QWSCrmKdZEKbQjCcAXMcRWRzCS
H8Y8eKKuna7cgndXudcQY7JQYhzB7Rf2F1k15JeSShhe4CbfpP+rjAVaewnJogS2
R8Y2tYnD/VVXR9p74S/M/MEXRMQb56gQsfw1V709M42/WDqHyU0z59P/nASQMQD/
zTFdEaCLtQ==
-----END CERTIFICATE-----</p>
<p dir="auto"><a href="https://gitlab.com/gnutls/gnutls/uploads/ea3d5695fb35f7d2fed38916b8563992/rootCA_key_cert.pem">rootCA_key_cert.pem</a>
<a href="https://gitlab.com/gnutls/gnutls/uploads/3cb189d2c81df6123378d6ea080200ad/5009.pem">5009.pem</a></p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/872">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/3d71f001c0728f2c91fae7e47f1c4b65/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/872"}}</script>
</p>
</div>
</body>
</html>