<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/llqll">llqll</a> created an issue:
</p>
<div></div>
<p dir="auto">I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate], in which the leaf certificate contains two Subject Key Identifier fields. Clearly, the leaf certificate violates Section 4.2 of RFC 5280: “A certificate MUST NOT include more than one instance of a particular extension.” Meanwhile, the chain can still pass certificate verification with gnutls 3.6.11.</p>
<p dir="auto">The command I used is:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">certtool --verify --load-ca-certificate 1.pem --infile leaf.pem</span></code></pre>
<p dir="auto">The verification returns:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Chain verification output: Verified. The certificate is trusted.</span></code></pre>
<p dir="auto">1.pem (it contains two certificates inside):</p>
<p dir="auto">leaf.pem:</p>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/887">view it on GitLab</a>.
</p>
</div>
</body>
</html>