asn: drop redundant serial-0 check in DecodeCertInternal to avoid fail-open on forged isC

This commit is contained in:
jackctj117
2026-04-13 10:52:22 -06:00
parent ee744b1f0b
commit f31ef9e233
-19
View File
@@ -21390,25 +21390,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
}
}
#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
!defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
/* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
* positive serial numbers. However, allow zero for self-signed CA
* certificates (root CAs) being loaded as trust anchors since they
* are explicitly trusted and some legacy root CAs in real-world
* trust stores have serial number 0. */
if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
if (!(cert->isCA && cert->selfSigned)
#ifdef WOLFSSL_CERT_REQ
&& !cert->isCSR
#endif
) {
WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
ret = ASN_PARSE_E;
}
}
#endif
if ((ret == 0) && (!done) && (badDate != 0)) {
/* Parsed whole certificate fine but return any date errors. */
ret = badDate;