Closed
Labels
resolved: answered (The issue contained a question which has been answered)
triaged: question (The issue contains a question)
Description
I recently created a certificate chain [rootCA, intermediate certificate, leaf certificate], in which the leaf certificate does not have the keyIdentifier field of the authorityKeyIdentifier extension. Clearly, the leaf certificate violates Section 4.2.1.1 of RFC 5280: "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction." Meanwhile, the chain can still pass certificate verification with OpenSSL 1.1.1d.
The Authority Key Identifier of leaf.pem is:

```
X509v3 extensions:
    ......
    X509v3 Authority Key Identifier:
        0.
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    ....
```

The command I used is:

```
openssl verify -CAfile 1.pem leaf.pem
```

The verification returns:

```
ok
```
1.pem (it contains two certificates inside):
leaf.pem:
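Since `openssl verify` reports this chain as OK, a separate lint step is one way to catch the RFC 5280 Section 4.2.1.1 condition described in the issue. The following is an added example, not part of the original issue and not OpenSSL code: it walks DER bytes and reports whether an authorityKeyIdentifier extension is absent, present without keyIdentifier, or present with it. It assumes the `0.` shown for leaf.pem is an AuthorityKeyIdentifier encoded as an empty SEQUENCE (`30 00`); the function names and sample bytes are constructed for illustration and are not taken from the issue's certificates.

```python
# Added example (not OpenSSL code): classify the authorityKeyIdentifier in DER.
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35, id-ce-authorityKeyIdentifier

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("DER value overruns its container")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the elements stored back to back in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        yield tag, vs, ve
        start = ve

def aki_status(buf, start=0, end=None):
    """Return 'absent', 'no-keyid' or 'keyid' for the first AKI extension."""
    end = len(buf) if end is None else end
    for tag, vs, ve in children(buf, start, end):
        if not tag & 0x20:  # primitive element, nothing nested to search
            continue
        kids = list(children(buf, vs, ve))
        if tag == 0x30 and kids and kids[0][0] == 0x06 \
                and buf[kids[0][1]:kids[0][2]] == AKI_OID:
            otag, os_, oe = kids[-1]  # extnValue OCTET STRING
            stag, ss, se = read_tlv(buf, os_, oe)  # AuthorityKeyIdentifier
            if otag != 0x04 or stag != 0x30:
                raise ValueError("malformed AKI extension")
            # keyIdentifier is [0] IMPLICIT, i.e. tag 0x80 at the top level
            present = any(t == 0x80 for t, _, _ in children(buf, ss, se))
            return "keyid" if present else "no-keyid"
        found = aki_status(buf, vs, ve)
        if found != "absent":
            return found
    return "absent"

# Constructed sample: one Extension whose value is the empty SEQUENCE 30 00.
EMPTY_AKI_EXT = bytes.fromhex("30090603551d2304023000")
# Constructed sample: the same extension carrying a 4-byte keyIdentifier.
KEYID_AKI_EXT = bytes.fromhex("300f0603551d23040830068004aabbccdd")

if __name__ == "__main__":
    print(aki_status(EMPTY_AKI_EXT), aki_status(KEYID_AKI_EXT))
```

To lint a real certificate, pass its DER bytes (for example the output of `openssl x509 -in leaf.pem -outform DER`) to `aki_status`.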