
crypto/x509: permit serial numbers to be negative.

Some software that produces certificates doesn't encode integers
correctly and, about half the time, ends up producing certificates with
serial numbers that are actually negative.

This buggy software, sadly, appears to be common enough that we should
let these errors pass. This change allows a Certificate.SerialNumber to
be negative.

Fixes #8265.

Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4
Reviewed-on: https://go-review.googlesource.com/17247
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Adam Langley 2015-11-27 13:50:36 -08:00
parent 85bfa33fdc
commit a0ea93dea5
2 changed files with 5 additions and 5 deletions


@ -909,10 +909,6 @@ func parseCertificate(in *certificate) (*Certificate, error) {
return nil, err return nil, err
} }
if in.TBSCertificate.SerialNumber.Sign() < 0 {
return nil, errors.New("x509: negative serial number")
}
out.Version = in.TBSCertificate.Version + 1 out.Version = in.TBSCertificate.Version + 1
out.SerialNumber = in.TBSCertificate.SerialNumber out.SerialNumber = in.TBSCertificate.SerialNumber


@ -343,7 +343,11 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
for _, test := range tests { for _, test := range tests {
commonName := "test.example.com" commonName := "test.example.com"
template := Certificate{ template := Certificate{
SerialNumber: big.NewInt(1), // SerialNumber is negative to ensure that negative
// values are parsed. This is due to the prevalence of
// buggy code that produces certificates with negative
// serial numbers.
SerialNumber: big.NewInt(-1),
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: commonName, CommonName: commonName,
Organization: []string{"Σ Acme Co"}, Organization: []string{"Σ Acme Co"},
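Review bot: With `SerialNumber: big.NewInt(-1)` in the template, this test now relies on certificate creation emitting a negative serial, whereas the commit message only argues for tolerating such serials when parsing certificates produced by other software. RFC 5280 section 4.1.2.2 requires conforming CAs to issue positive serial numbers, so it would be safer to keep `SerialNumber: big.NewInt(1)` here and cover the relaxed parser with a separate parse-only case that feeds in a pre-encoded certificate carrying a negative serial. That would also keep the positive-serial round trip covered, which this loop no longer exercises. If creation is meant to stay permissive, the comment should say so, for example `// CreateCertificate does not check the sign of SerialNumber.`; this is inferred, because the creation code and the rest of the loop body are outside the hunk.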