Allow serial number 0 for root CA certificates#9567
Allow serial number 0 for root CA certificates#9567jackctj117 wants to merge 14 commits intowolfSSL:masterfrom
Conversation
kareem-wolfssl
left a comment
kareem-wolfssl
left a comment
There was a problem hiding this comment.
Changes look good.
Can you add some test cases with a CA and leaf cert with a serial of 0?
|
@kareem-wolfssl it looks like the failures are looking for an expected failure due to a self-signed CA certificate with serial number 0. |
Yes, you will need to update the failing test |
|
@jackctj117 looks like some valid unit test failures you will need to look into. All related to |
|
Jenkins retest this please. History lost. |
1 similar comment
|
Jenkins retest this please. History lost. |
|
Jenkins retest this please |
1 similar comment
|
Jenkins retest this please |
|
Jenkins retest this |
|
Jenkins retest this please |
|
Jenkins retest this please. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 20 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/asn.c:23904
- The log message for
cert->serialSz == 0is confusing: it suggests a certificate might legitimately have “no serial number”, but X.509 certificates always have a serial number and RFC 5280 requires it to be present. Consider rewording to clearly state that an empty/zero-length serial is invalid, and (if appropriate in this file) emit the verbose error macro consistently with other parse failures.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 21 out of 21 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/asn.c:1
- The conditional logic has an unbalanced parenthesis structure. The closing parenthesis on line 25812 closes the inner
ifcondition that starts on line 25807, but the logic flow is confusing. The condition should be restructured for clarity: the exception (root CA check) should be more clearly separated from the CSR check. Consider rewriting as:if (!cert->isCSR && !((type == CA_TYPE || type == TRUSTED_PEER_TYPE) && cert->isCA && cert->selfSigned))
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jackctj117
requested review from
kareem-wolfssl
and removed request for
kareem-wolfssl and
wolfSSL-Bot
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (2)
wolfcrypt/src/asn.c:1
- This introduces an early
returnfromParseCertRelative. If the rest of the function relies on a single-exit pattern for consistent cleanup/logging (common in wolfSSL code), this return can bypass it. Prefer settingret = ASN_PARSE_Eand flowing through the function’s existing error/exit handling (e.g., via the establishedgoto exit;pattern if present).
wolfcrypt/src/asn.c:1 - The updated log message format is inconsistent with nearby wolfSSL messages (it adds an
Error:prefix and includes parenthetical text). Consider aligning with existingWOLFSSL_MSGstyle (e.g., noError:prefix, keep it short, and/or mention the relevant compile-time knob only where actionable) to keep logs consistent and easier to grep.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| ExpectNotNull(cm = wolfSSL_CertManagerNew()); | ||
| ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootNormalFile, NULL), | ||
| WOLFSSL_SUCCESS); | ||
|
|
There was a problem hiding this comment.
If the #if (!defined(NO_WOLFSSL_CLIENT) ... ) block is compiled out, cm allocated in Test 2 is never freed (the only free happens inside that conditional block). Free cm unconditionally after Test 2 (or restructure to scope the allocation to the block) to avoid a configuration-dependent leak in the test.
| if (cm != NULL) { | |
| wolfSSL_CertManagerFree(cm); | |
| cm = NULL; | |
| } |
| ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL), | ||
| WOLFSSL_SUCCESS); |
There was a problem hiding this comment.
This assertion only checks LoadCA fails, but LoadCA can fail for reasons unrelated to the new serial-0 logic (e.g., the certificate is CA:FALSE). To specifically cover the behavior added in ParseCertRelative (reject serial 0 for non-root certificates), assert an error that is attributable to serial-0 rejection (e.g., check for ASN_PARSE_E on a code path that parses it as a non-CA/non-trust-anchor certificate), or otherwise tighten the expectation so the test fails if serial 0 is accidentally allowed for non-root certificates.
| ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL), | |
| WOLFSSL_SUCCESS); | |
| ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL), | |
| WC_NO_ERR_TRACE(ASN_PARSE_E)); |
|
retest this please |
Fixes #8615
This pull request updates the logic for validating X.509 certificate serial numbers in
wolfcrypt/src/asn.c. The main change is to improve compliance with RFC 5280 while allowing for real-world exceptions involving root CAs. The previous strict check for zero serial numbers is now more nuanced, permitting serial number 0 for self-signed CA certificates but still rejecting it for other certificates.Certificate serial number validation improvements:
Testing
Tested with certificates generated using OpenSSL to verify all scenarios: