pkcs1-pad self-check fails?

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Mar 16 22:43:00 CET 2010


Simon Josefsson wrote:

> Thanks.  I think the problem is that the PKIX chain used to be rejected
> (in 2.8.x) because the signature validation fails, but now the entire
> chain is accepted.  Presumably the particular signature is no longer
> validated.  That could be wrong, or there is a problem in that self
> test.

I cannot understand why this chain shouldn't be validated... What was
the reason for the test? It is now accepted because the verification
procedure detects the same certificate being verified and trusted and
thus considers it ok.

As a side-effect I noticed that gnutls_x509_crt_verify() behaves
differently than gnutls_x509_crt_list_verify() - i.e. no date checks,
which shouldn't occur.

regards,
Nikos