Hi, all,

I recently created a certificate chain, in which some certificates happen to have “empty” issuers/subjects. Clearly, these certificates violate Section 4.1.2.4, RFC5280: “The issuer field MUST contain a non-empty distinguished name (DN)”. Meanwhile, the chain can still pass certificate verification.

Does openssl have a bug here? (Or do I have some misunderstandings of openssl in its parsing or verification procedure?) Will it cause any further problems in certificate verification?

The command I used is:

    openssl verify --show_chain --CAfile 5009_root.pem 5009_leaf.pem

5009_root.pem (it contains two certificates inside):

5009_leaf.pem:

The verification returns ok

    Chain:
    depth=0: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 (untrusted)
    depth=1:
    depth=2: C = CN, ST = SH, O = SJTU DDST, CN = DDST CA

Regards,
Jiayu
Attachment:
5009_leaf.pem
Description: application/x509-ca-cert
Attachment:
5009_root.pem
Description: application/x509-ca-cert
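
An added example, not part of the original post: a standalone lint that reports which certificates in a PEM bundle carry an empty issuer or subject Name (encoded as `30 00`), the condition RFC 5280 Section 4.1.2.4 forbids for the issuer. The function names and the sample chain are constructed for illustration; the sample entries are structural skeletons that mirror the chain shape described above, not verifiable certificates.

```python
import base64, re

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def empty_names(der):
    """Return (issuer_empty, subject_empty) for one DER-encoded certificate."""
    _, start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, start)     # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, s, e = read_tlv(der, pos)
        fields.append((tag, e - s))            # keep tag and content length only
        pos = e
    if fields and fields[0][0] == 0xA0:        # skip the optional [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    if len(fields) < 5 or fields[2][0] != 0x30 or fields[4][0] != 0x30:
        raise ValueError("unexpected TBSCertificate layout")
    return fields[2][1] == 0, fields[4][1] == 0

def lint_pem(text):
    """Return [(index, issuer_empty, subject_empty)] for each CERTIFICATE block."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [(i, *empty_names(base64.b64decode(b))) for i, b in enumerate(blocks)]

# --- constructed sample input (skeletons only, signatures are placeholders) ---
def tlv(tag, content=b""):
    return bytes([tag, len(content)]) + content    # short-form length; sample stays < 128 bytes

def name(cn):                                      # Name with a single CN (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))

def skeleton(issuer, subject):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
              + issuer + tlv(0x30) + subject + tlv(0x30))
    der = tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

EMPTY, CA = tlv(0x30), name(b"Example CA")
# leaf issued by the empty name, intermediate with empty subject, self-signed root
SAMPLE_CHAIN = skeleton(EMPTY, name(b"leaf")) + skeleton(CA, EMPTY) + skeleton(CA, CA)

if __name__ == "__main__":
    for i, issuer_empty, subject_empty in lint_pem(SAMPLE_CHAIN):
        print(f"cert {i}: issuer_empty={issuer_empty} subject_empty={subject_empty}")
```

Private key blocks in the same file are ignored because only `CERTIFICATE` blocks are matched.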