[gnutls-devel] GnuTLS | RFC 5280 compliance:GnuTLS incorrectly parsed the authorityCertSerialNumber value. (#1700)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Apr 16 11:04:38 CEST 2025
One happy person created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1700
## Description of problem:
Hello Developer,
I have a CRL file, and its AKI extension's authorityCertSerialNumber field value is -36. However, when I use GnuTLS to parse this CRL file, GnuTLS parses the authorityCertSerialNumber as dc,which is 220 in decimal. Is this a parsing error?
## Version of gnutls used:
GnuTLS 3.8.9
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
certtool --crl-info --inder --infile crl_aki_serial-36.der
## Actual results:
The GnuTLS successfully printed this CRL, but the value of the authorityCertSerialNumber is "dc", which is 220 in decimal.
## Expected results:
RFC5280 specifies that the certificate serial number should be a positive integer, so -36 is an invalid authorityCertSerialNumber. GnuTLS should likely reject the authorityCertSerialNumber field with an error or correctly parse the valid authorityCertSerialNumber value.
[crl_aki_serial-36.der](/uploads/039c21422cc7e556ac560e7208965d3b/crl_aki_serial-36.der)
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1700
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250416/230dd9c4/attachment.html>
More information about the Gnutls-devel
mailing list