Merge pull request #7893 from gojimmypi/pr-asn-allow-zero-serial

Introduce WOLFSSL_ASN_ALLOW_0_SERIAL
wolfSSL · Aug 24, 2024 · 3f0ba97 · 3f0ba97
2 parents 1d34b56 + 8baf393
commit 3f0ba97
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -56,6 +56,8 @@ ASN Options:
  * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
  * WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to
  restore 3.13.0 behavior.
+ * WOLFSSL_ASN_ALLOW_0_SERIAL: Even if WOLFSSL_NO_ASN_STRICT is not defined,
+ allow a length=1, but zero value serial numnber.
  * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
  must still be trusted)
  * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
@@ -13987,7 +13989,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
  }
 
  #ifndef WOLFSSL_NO_ASN_STRICT
- /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being
+ /* RFC 5280 section 4.1.2.4 lists a DirectoryString as being
  * 1..MAX in length */
  if (strLen < 1) {
  WOLFSSL_MSG("Non conforming DirectoryString of length 0 was"
@@ -14629,7 +14631,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
  GetASN_GetRef(&dataASN[RDNASN_IDX_ATTR_VAL], &str, &strLen);
 
  #ifndef WOLFSSL_NO_ASN_STRICT
- /* RFC 5280 section 4.1.2.4 lists a DirecotryString as being
+ /* RFC 5280 section 4.1.2.4 lists a DirectoryString as being
  * 1..MAX in length */
  if (ret == 0 && strLen < 1) {
  WOLFSSL_MSG("Non conforming DirectoryString of length 0 was"
@@ -21895,8 +21897,8 @@ static int CheckDate(ASNGetData *dataASN, int dateType)
  * @param [in] verify Whether to verify dates before and after now.
  * @param [out] criticalExt Critical extension return code.
  * @param [out] badDateRet Bad date return code.
- * @param [in] stopAtPubKey Stop parsing before subkectPublicKeyInfo.
- * @param [in] stopAfterPubKey Stop parsing after subkectPublicKeyInfo.
+ * @param [in] stopAtPubKey Stop parsing before subjectPublicKeyInfo.
+ * @param [in] stopAfterPubKey Stop parsing after subjectPublicKeyInfo.
  * @return 0 on success.
  * @return ASN_CRIT_EXT_E when a critical extension was not recognized.
  * @return ASN_TIME_E when date BER tag is nor UTC or GENERALIZED time.
@@ -22005,7 +22007,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
  cert->version = version;
  cert->serialSz = (int)serialSz;
 
- #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON)
+ #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
  /* RFC 5280 section 4.1.2.2 states that non-conforming CAs may issue
  * a negative or zero serial number and should be handled gracefully.
  * Since it is a non-conforming CA that issues a serial of 0 then we
@@ -22016,6 +22019,11 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
  ret = ASN_PARSE_E;
  }
  #endif
+ if (cert->serialSz == 0) {
+ WOLFSSL_MSG("Error serial size is zero. Should be at least one "
+ "even with no serial number.");
+ ret = ASN_PARSE_E;
+ }
 
  cert->signatureOID = dataASN[X509CERTASN_IDX_TBS_ALGOID_OID].data.oid.sum;
  cert->keyOID = dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID].data.oid.sum;