[gnutls-devel] GnuTLS | `certtool` permits creation of certificates "negative" serial numbers (#1237)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu May 13 01:25:13 CEST 2021

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1237

over on the IETF's [LAMPS WG's mailing list](https://www.ietf.org/mailman/listinfo/spasm), [David A. Cooper writes](https://mailarchive.ietf.org/arch/msg/spasm/fy6ilJRnqBaXiZctVyHJELQMmK8/):

> [The certificates] contain negative serial numbers. While
> this is permitted by X.509, Section of RFC 5280 requires
> conforming CAs to use positive integers as serial numbers.

While the `certtool` template used to generate the certificate does contain hex that would be read as a negative number (e.g. `serial = 0xdebecc44907bab1df99acd6d1568fbb61df2e6`), certtool probably shouldn't embed it in non-compliant form.  Two different ways that GnuTLS could approach this would be:

 - prefix such a serial number with a leading 0x00 octet, thereby making it compliant, or
 - reject it as malformed and refuse to generate the cert (as it would if it saw a template line `serial = nan`) 

I suspect this is also the case for generating certificate requests, but I've only encountered it when generating certificates.

This concerns [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/), which contains certificates being generated by `certtool`.
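To make the encoding point concrete, here is an added example (not GnuTLS code and not part of the issue above) showing why a serial like the one quoted becomes negative at the DER level and what the first proposed remedy, a leading 0x00 octet, looks like in bytes. DER encodes INTEGER in two's complement, so any content whose first octet has the high bit set decodes as a negative number. The `NAIVE_DER` sample is constructed here by copying the template's hex digits verbatim into the content octets; the helper names are this example's own.

```python
"""Check and fix X.509 serial numbers at the DER INTEGER level.

RFC 5280 requires conforming CAs to issue positive serial numbers.
DER encodes INTEGER as big-endian two's complement, so a content
string whose first octet has bit 7 set is negative.  Prepending a
0x00 octet keeps the same magnitude but makes the value positive.
"""


def der_length(n: int) -> bytes:
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_positive_serial(serial_hex: str) -> bytes:
    """Encode a certtool-style `serial = 0x...` value as a DER INTEGER
    that is guaranteed positive (the 'prefix with 0x00' remedy)."""
    digits = serial_hex.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) % 2:
        digits = "0" + digits
    content = bytes.fromhex(digits)
    # DER requires the minimal encoding: drop redundant leading zeros first
    content = content.lstrip(b"\x00") or b"\x00"
    # If the high bit is set the value would be read as negative; pad it
    if content[0] & 0x80:
        content = b"\x00" + content
    return b"\x02" + der_length(len(content)) + content


def decode_der_integer(der: bytes) -> int:
    """Decode a DER INTEGER (tag 0x02), honouring two's complement."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    content = der[offset:offset + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True)


def serial_is_compliant(der: bytes) -> bool:
    """RFC 5280 check as a CA or linter would apply it: serial > 0."""
    return decode_der_integer(der) > 0


# Constructed sample: the serial quoted in the issue, with the hex digits
# copied straight into the content octets (19 bytes, length byte 0x13).
# The leading 0xde has bit 7 set, so this decodes as a negative number.
ISSUE_SERIAL_HEX = "0xdebecc44907bab1df99acd6d1568fbb61df2e6"
NAIVE_DER = b"\x02\x13" + bytes.fromhex(ISSUE_SERIAL_HEX[2:])


if __name__ == "__main__":
    print("naive encoding compliant:", serial_is_compliant(NAIVE_DER))
    fixed = encode_positive_serial(ISSUE_SERIAL_HEX)
    print("fixed encoding:", fixed.hex())
    print("fixed encoding compliant:", serial_is_compliant(fixed))
```

The decoder is what a lint step over an existing certificate would use; the encoder is the template-to-DER path where a tool could apply the pad-with-zero fix instead of emitting the negative form.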

