crypto/x509: permit serial numbers to be negative.

Some software that produces certificates doesn't encode integers correctly and, about half the time, ends up producing certificates with serial numbers that are actually negative. This buggy software, sadly, appears to be common enough that we should let these errors pass. This change allows a Certificate.SerialNumber to be negative. Fixes #8265. Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4 Reviewed-on: https://go-review.googlesource.com/17247 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-09-29 22:14:29 -06:00 · 2015-11-27 13:50:36 -08:00 · 2015-11-27 13:50:36 -08:00 · a0ea93dea5
commit a0ea93dea5
parent 85bfa33fdc
2 changed files with 5 additions and 5 deletions
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@ -909,10 +909,6 @@ func parseCertificate(in *certificate) (*Certificate, error) {
 		return nil, err
 	}

-	if in.TBSCertificate.SerialNumber.Sign() < 0 {
-		return nil, errors.New("x509: negative serial number")
-	}
-
 	out.Version = in.TBSCertificate.Version + 1
 	out.SerialNumber = in.TBSCertificate.SerialNumber

--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@ -343,7 +343,11 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
 	for _, test := range tests {
 		commonName := "test.example.com"
 		template := Certificate{
-			SerialNumber: big.NewInt(1),
+			// SerialNumber is negative to ensure that negative
+			// values are parsed. This is due to the prevalence of
+			// buggy code that produces certificates with negative
+			// serial numbers.
+			SerialNumber: big.NewInt(-1),
 			Subject: pkix.Name{
 				CommonName:   commonName,
 				Organization: []string{"Σ Acme Co"},