diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cb8ea5fa5c..7f4c611dc7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -21390,25 +21390,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt, } } -#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \ - !defined(WOLFSSL_ASN_ALLOW_0_SERIAL) - /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires - * positive serial numbers. However, allow zero for self-signed CA - * certificates (root CAs) being loaded as trust anchors since they - * are explicitly trusted and some legacy root CAs in real-world - * trust stores have serial number 0. */ - if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) { - if (!(cert->isCA && cert->selfSigned) -#ifdef WOLFSSL_CERT_REQ - && !cert->isCSR -#endif - ) { - WOLFSSL_MSG("Error serial number of 0 for non-root certificate"); - ret = ASN_PARSE_E; - } - } -#endif - if ((ret == 0) && (!done) && (badDate != 0)) { /* Parsed whole certificate fine but return any date errors. */ ret = badDate;