Allow serial number 0 for root CA certificates #9567
jackctj117 wants to merge 8 commits into wolfSSL:master from
Conversation
kareem-wolfssl left a comment:
Changes look good.
Can you add some test cases with a CA and leaf cert with a serial of 0?
@kareem-wolfssl it looks like the failures are looking for an expected failure due to a self-signed CA certificate with serial number 0.
Yes, you will need to update the failing test.
@jackctj117 looks like some valid unit test failures you will need to look into. All related to
Jenkins retest this please. History lost.
Jenkins retest this please. History lost.
Jenkins retest this please
Jenkins retest this please
Jenkins retest this
Jenkins retest this please
tests/api/test_asn.c (outdated)
```c
ExpectIntNE(wolfSSL_CertManagerVerify(cm, eeSerial0File,
            WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
```
This should test for the expected error code.
tests/api/test_asn.c (outdated)
```c
ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
            WOLFSSL_SUCCESS);
```
Same as above, check for the expected error code.
Retest this please
Fixes #8615
This pull request updates the logic for validating X.509 certificate serial numbers in wolfcrypt/src/asn.c. The main change is to improve compliance with RFC 5280 while allowing for real-world exceptions involving root CAs. The previous strict check for zero serial numbers is now more nuanced, permitting serial number 0 for self-signed CA certificates but still rejecting it for other certificates.

Certificate serial number validation improvements:
Testing
Tested with certificates generated using OpenSSL to verify all scenarios:
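The serial-number rule the summary describes, as an added C example that is not the PR's or wolfSSL's code: the CertInfo struct, the result codes and the sample serials are assumptions constructed here, and the wrapper cases mirror the root-CA, self-signed non-CA and end-entity serial-0 fixtures the review discusses.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome codes, constructed for this example (wolfSSL's real ASN error codes differ). */
enum { SERIAL_OK = 0, SERIAL_ERR_EMPTY = -1, SERIAL_ERR_ZERO = -2 };

/* Minimal view of the fields the rule needs; a hypothetical struct, not wolfSSL's DecodedCert. */
typedef struct {
    const uint8_t *serial;  /* content octets of the DER INTEGER serialNumber */
    size_t serialLen;
    int isCA;               /* basicConstraints cA = TRUE */
    int selfSigned;         /* issuer name equals subject name */
} CertInfo;

/* 1 if every content octet is 0x00 (DER encodes zero as a single 0x00 octet). */
static int serial_is_zero(const uint8_t *s, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (s[i] != 0) return 0;
    }
    return 1;
}

/* RFC 5280 4.1.2.2 requires a positive serial number, so zero is normally rejected.
 * Real-world root CAs sometimes carry serial 0, so the exception applies only when
 * the certificate is both a CA and self-signed; end-entity and non-CA self-signed
 * certificates with serial 0 are still refused. */
int check_serial(const CertInfo *c) {
    if (c->serial == NULL || c->serialLen == 0) return SERIAL_ERR_EMPTY;
    if (!serial_is_zero(c->serial, c->serialLen)) return SERIAL_OK;
    return (c->isCA && c->selfSigned) ? SERIAL_OK : SERIAL_ERR_ZERO;
}

/* Constructed sample serials and cases mirroring the PR's test fixtures. */
static const uint8_t ZERO[]    = { 0x00 };
static const uint8_t NONZERO[] = { 0x01, 0xA5 };

int root_ca_serial0(void)            { CertInfo c = { ZERO, 1, 1, 1 };    return check_serial(&c); }
int self_signed_non_ca_serial0(void) { CertInfo c = { ZERO, 1, 0, 1 };    return check_serial(&c); }
int leaf_serial0(void)               { CertInfo c = { ZERO, 1, 0, 0 };    return check_serial(&c); }
int leaf_serial_nonzero(void)        { CertInfo c = { NONZERO, 2, 0, 0 }; return check_serial(&c); }
```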