Can't connect to websites with the certificate "TWCA Global Root CA" in the chain due to missing subject key identifier

Description of problem:

Programs using GnuTLS, including gnutls-cli and WebKitGTK-based browsers (e.g., GNOME epiphany), can't connect to websites with the certificate "TWCA Global Root CA" in the chain.

Take www.ntu.edu.tw as an example. In the server-provided certificate chain, the first intermediate CA "TWCA Secure SSL Certification Authority" has authority key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50. The second intermediate CA in the chain "TWCA Global Root CA" has the matching subject key identifier 48:db:cd:de:8e:e9:49:72:5a:88:e8:b1:d8:3d:07:b3:b9:6b:66:50, so ideally there are no problems.

The problem is, on Arch Linux, GnuTLS is configured to use p11-kit for checking certificate chains [1]. Also, certdata.txt from Mozilla NSS is used as the default trust store. In certdata.txt, the certificate "TWCA Global Root CA" is also included as a trusted CA, and the corresponding certificate does not have a subject key identifier. As a result, _gnutls_check_valid_key_id() fails.

A workaround is removing "TWCA Global Root CA" from the system trust store. After that all GnuTLS-based programs work just fine.

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnutls#n36

Version of gnutls used:

3.5.19

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Arch Linux

How reproducible:

Steps to Reproduce:

• P11_KIT_DEBUG=all gnutls-cli -d 3 www.ntu.edu.tw
• P11_KIT_DEBUG=all gnutls-cli -d 3 www.citi.sinica.edu.tw
• P11_KIT_DEBUG=all gnutls-cli -d 3 www.twca.com.tw

Actual results:

Output for www.ntu.edu.tw: output.txt

The other two websites yields similar results.

Expected results:

gnutls-cli connects to the specified website and waits for input.