mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 13:50:50 +02:00
asn: drop redundant serial-0 check in DecodeCertInternal to avoid fail-open on forged isC
This commit is contained in:
@@ -21390,25 +21390,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
|
||||
}
|
||||
}
|
||||
|
||||
#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
|
||||
!defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
|
||||
/* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
|
||||
* positive serial numbers. However, allow zero for self-signed CA
|
||||
* certificates (root CAs) being loaded as trust anchors since they
|
||||
* are explicitly trusted and some legacy root CAs in real-world
|
||||
* trust stores have serial number 0. */
|
||||
if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
|
||||
if (!(cert->isCA && cert->selfSigned)
|
||||
#ifdef WOLFSSL_CERT_REQ
|
||||
&& !cert->isCSR
|
||||
#endif
|
||||
) {
|
||||
WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
|
||||
ret = ASN_PARSE_E;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if ((ret == 0) && (!done) && (badDate != 0)) {
|
||||
/* Parsed whole certificate fine but return any date errors. */
|
||||
ret = badDate;
|
||||
|
||||
Reference in New Issue
Block a user