GnuTLS accepts a certificate whose validity period is not within its CA certificate's, without any warning
Description of problem:
Logically, a certificate's validity period should fall within the validity period of its CA certificate. For example, if a CA certificate is valid from Aug 15 10:28:44 2016 GMT to Aug 15 10:28:44 2017 GMT, a certificate issued by this CA should not be valid from Aug 1 12:12:12 2008 GMT to Nov 3 12:12:12 2018 GMT, nor from Sep 3 12:12:12 2016 GMT to Nov 3 12:12:12 2018 GMT. GnuTLS should reject such certificates, or at least warn about them, instead of depending on CRL or OCSP to catch them.
Version of gnutls used:
v3.3.25, v3.4.16, and v3.5.5
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu 16.04 x64
How reproducible:
Steps to Reproduce:
1. certtool --verify --load-ca-certificate=ca.pem < 3.pem
2. certtool --verify --load-ca-certificate=ca.pem < 4.pem
Actual results:
The certificate is trusted.
Expected results:
Reject them or give warnings.
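As an added illustration of the check the description asks for (this is not part of the report and not GnuTLS code), a small Python script walks a chain leaf-first and flags any certificate whose validity lies outside its issuer's, with equal boundaries accepted. The sample validity values are constructed from the dates in the description; the file names are assumptions matching the reproduction steps.

```python
from datetime import datetime, timezone

# Timestamp format printed by certtool/openssl for notBefore/notAfter,
# e.g. "Aug 15 10:28:44 2016 GMT"
VALIDITY_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_validity_time(text):
    """Parse a 'Mon DD HH:MM:SS YYYY GMT' string into an aware UTC datetime."""
    return datetime.strptime(text.strip(), VALIDITY_FMT).replace(tzinfo=timezone.utc)

def check_validity_nesting(chain):
    """chain: list of (name, not_before, not_after) tuples, leaf first, its
    issuer next, root last. Each certificate's validity must lie within its
    issuer's; equal boundaries are accepted. Returns a list of violation
    strings, empty when the whole chain nests correctly."""
    problems = []
    parsed = [(name, parse_validity_time(nb), parse_validity_time(na))
              for name, nb, na in chain]
    for (name, nb, na), (issuer, issuer_nb, issuer_na) in zip(parsed, parsed[1:]):
        if nb < issuer_nb:
            problems.append(f"{name}: notBefore {nb:%Y-%m-%d %H:%M:%S} precedes "
                            f"issuer {issuer} notBefore {issuer_nb:%Y-%m-%d %H:%M:%S}")
        if na > issuer_na:
            problems.append(f"{name}: notAfter {na:%Y-%m-%d %H:%M:%S} exceeds "
                            f"issuer {issuer} notAfter {issuer_na:%Y-%m-%d %H:%M:%S}")
    return problems

# Constructed sample values taken from the dates in the description;
# the file names are assumptions matching the reproduction steps.
CA = ("ca.pem", "Aug 15 10:28:44 2016 GMT", "Aug 15 10:28:44 2017 GMT")
CERT_3 = ("3.pem", "Aug 1 12:12:12 2008 GMT", "Nov 3 12:12:12 2018 GMT")   # starts before and ends after the CA
CERT_4 = ("4.pem", "Sep 3 12:12:12 2016 GMT", "Nov 3 12:12:12 2018 GMT")   # starts inside the CA but ends after it
CERT_OK = ("ok.pem", "Sep 3 12:12:12 2016 GMT", "Aug 15 10:28:44 2017 GMT")  # properly nested; equal notAfter allowed

if __name__ == "__main__":
    for leaf in (CERT_3, CERT_4, CERT_OK):
        violations = check_validity_nesting([leaf, CA])
        print(leaf[0], "OK" if not violations else "; ".join(violations))
```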