Allow serial number 0 for root CA certificates#9567
Conversation
kareem-wolfssl
left a comment
kareem-wolfssl
left a comment
There was a problem hiding this comment.
Changes look good.
Can you add some test cases with a CA and leaf cert with a serial of 0?
|
@kareem-wolfssl it looks like the failures are looking for an expected failure due to a self-signed CA certificate with serial number 0. |
Yes, you will need to update the failing test |
|
@jackctj117 looks like some valid unit test failures you will need to look into. All related to |
|
Jenkins retest this please. History lost. |
1 similar comment
|
Jenkins retest this please. History lost. |
|
Jenkins retest this please |
1 similar comment
|
Jenkins retest this please |
|
Jenkins retest this |
|
Jenkins retest this please |
|
Jenkins retest this please |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 20 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/asn.c:23904
- The log message for
cert->serialSz == 0is confusing: it suggests a certificate might legitimately have “no serial number”, but X.509 certificates always have a serial number and RFC 5280 requires it to be present. Consider rewording to clearly state that an empty/zero-length serial is invalid, and (if appropriate in this file) emit the verbose error macro consistently with other parse failures.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #9567
Scan targets checked: wolfcrypt-api_misuse, wolfcrypt-bugs, wolfcrypt-compliance, wolfcrypt-concurrency, wolfcrypt-consttime, wolfcrypt-defaults, wolfcrypt-mutation, wolfcrypt-portability, wolfcrypt-proptest, wolfcrypt-src, wolfcrypt-zeroize
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
|
|
@jackctj117 please fix merge conflicts. Thanks |
…l-open on forged isC
|
Please resolve all comments. |
|
@SparkiDev All comments resolved. |
Fixes #8615
This pull request updates the logic for validating X.509 certificate serial numbers in
wolfcrypt/src/asn.c. The main change is to improve compliance with RFC 5280 while allowing for real-world exceptions involving root CAs. The previous strict check for zero serial numbers is now more nuanced, permitting serial number 0 for self-signed CA certificates but still rejecting it for other certificates.Certificate serial number validation improvements:
Testing
Tested with certificates generated using OpenSSL to verify all scenarios: