[gnutls-devel] GnuTLS | `certtool` permits creation of certificates "negative" serial numbers (#1237)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 13 01:25:13 CEST 2021
Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1237
over on the IETF's [LAMPS WG's mailing list](https://www.ietf.org/mailman/listinfo/spasm), [David A. Cooper writes](https://mailarchive.ietf.org/arch/msg/spasm/fy6ilJRnqBaXiZctVyHJELQMmK8/):
[The certificates] contain negative serial numbers. While
this is permitted by X.509, Section 188.8.131.52 of RFC 5280 requires
conforming CAs to use positive integers as serial numbers.
While the `certtool` template used to generate the certificate does contain hex that would be read as a negative number (e.g. `serial = 0xdebecc44907bab1df99acd6d1568fbb61df2e6`), certtool probably shouldn't embed it in non-compliant form. Two different ways that GnuTLS could approach this would be:
- prefix such a serial number with a leading 0x00 octet, thereby making it compliant, or
- reject it as malformed and refuse to generate the cert (as it would if it saw a template line `serial = nan`)
I suspect this is also the case for generating certificate requests, but i've only encountered it when generating certificates.
This concerns [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/), which contains certificates being generated by `certtool`.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1237
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel