libressl/portable

libressl accepts a certificate containing two subject keys

llllmllll opened this issue · 2 comments

When I used libressl for digital certificate validation, I found that libressl validated a certificate with two subject key fields. This violates RFC 5280, which states that a certificate "may not contain multiple instances of a particular extension".
The command I use is: openssl verify -CAfile root.pem leaf.pem
leaf.txt
root.txt

This is not reproducible here:

$ openssl version
LibreSSL 3.8.1
$ openssl verify -CAfile root.txt leaf.txt
C = CN, ST = TJ5, L = TJ, O = TJU, OU = beiyangyuan, CN = LQL, emailAddress = ljfpower@163.com
error 20 at 0 depth lookup:unable to get local issuer certificate
leaf.txt: verification failed: 20 (unable to get local issuer certificate)
botovq commented

Should be fixed in libressl/openbsd@8d08c87
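
The RFC 5280 rule cited in the issue (no more than one instance of a given extension) can be checked without any TLS library. The following is an added example, not LibreSSL code and not part of the thread: a standard-library Python DER walker that reports extension OIDs occurring more than once. The helpers `tlv` and `skeleton_cert` and the sample bytes are constructed for illustration and are not the attached leaf.txt.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated or malformed DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):                # walk the TLVs inside a constructed value
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(body):
    """Decode OID content octets to dotted form."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:                       # high bit clear: last octet of this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def duplicate_extensions(cert_der):
    """Return sorted dotted OIDs that appear more than once in the extensions."""
    _, cert, _ = read_tlv(cert_der)               # Certificate SEQUENCE
    _, tbs = next(children(cert))                 # tbsCertificate
    seen, dups = set(), set()
    for tag, val in children(tbs):
        if tag == 0xA3:                           # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                oid = decode_oid(next(children(ext))[1])   # extnID is the first field
                (dups if oid in seen else seen).add(oid)
    return sorted(dups)

def tlv(tag, body):                        # encoder used only to build the constructed sample
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81 + (n > 0xFF)]) + n.to_bytes(1 + (n > 0xFF), "big")
    return bytes([tag]) + ln + body

def skeleton_cert(ext_oids, pad=2):
    """Constructed input: only the fields the walker reads, not a valid certificate."""
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, bytes(pad))) for o in ext_oids)
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))))

SKI, BASIC = bytes.fromhex("551d0e"), bytes.fromhex("551d13")   # 2.5.29.14, 2.5.29.19
```

For a real certificate, pass the DER bytes, for example the output of `openssl x509 -in leaf.pem -outform DER`.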