What will happen when a certificate has an empty issuer?

朱佳宇 joky27 at sjtu.edu.cn
Thu Dec 5 05:19:44 UTC 2019


Hi, all,
 
I recently created a certificate chain, on which some certificates 
happen to have “empty” issuers/subjects. Clearly, these certificates 
violate Section 4.1.2.4, RFC5280: “The issuer field MUST contain 
a non-empty distinguished name (DN)”. Meanwhile, the chain can 
still pass certificate verification. Does openssl have a bug here? 
(Or do I have some misunderstandings on openssl in its parsing or 
verification procedure?) Will it cause any further problems in 
certificate verification?
 
The command I used is:  
openssl verify --show_chain --CAfile 5009_root.pem 5009_leaf.pem

5009_root.pem (it contains two certificates inside):


5009_leaf.pem:

The verification returns ok
Chain:
depth=0: C = JP, O = "Japan Certification Services, Inc.", CN = SecureSign RootCA11 (untrusted)
depth=1: 
depth=2: C = CN, ST = SH, O = SJTU DDST, CN = DDST CA

Regards,
Jiayu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5009_leaf.pem
Type: application/x-x509-ca-cert
Size: 2884 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191205/0448b834/attachment.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5009_root.pem
Type: application/x-x509-ca-cert
Size: 3990 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191205/0448b834/attachment-0001.crt>
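
The condition raised in the post can be checked directly on the DER encoding. The following is an added example, not part of the original message and not OpenSSL code: it walks the TBSCertificate and reports whether issuer or subject is an empty SEQUENCE. The names read_tlv, empty_names and tlv, and the sample bytes, are constructed for illustration.

```python
# Added example (not OpenSSL code): report which of issuer/subject in a DER
# certificate is an empty SEQUENCE. RFC 5280 section 4.1.2.4 covers the issuer.

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def empty_names(cert_der):
    """Return the list of names ('issuer', 'subject') encoded as an empty DN."""
    cert_tag, cert_body, _ = read_tlv(cert_der)      # Certificate
    tbs_tag, tbs, _ = read_tlv(cert_body)            # TBSCertificate
    if cert_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields and fields[0][0] == 0xA0:              # optional [0] version
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject
    if len(fields) < 5 or fields[2][0] != 0x30 or fields[4][0] != 0x30:
        raise ValueError("unexpected TBSCertificate layout")
    names = {"issuer": fields[2][1], "subject": fields[4][1]}
    return [name for name, body in names.items() if not body]

def tlv(tag, body):
    """Short-form DER encoder (body < 128 bytes), used only to build the sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real certificate: the TBSCertificate fields up to
# subject with an empty issuer; no public key, extensions or signature.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
VALIDITY = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"200101000000Z"))
SUBJECT = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"leaf"))))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                            + ALG + tlv(0x30, b"") + VALIDITY + SUBJECT))
```

For a PEM file, convert each certificate to DER first (for example with `ssl.PEM_cert_to_DER_cert`) and pass the result to `empty_names`.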

