On August 30, 2010 (III Kal. Sep. MMX), Goran Rakic wrote:
> I read the other messages in this thread, but I am not an expert in the
> field so I do not know if openssl should add support for "incorrect"
> serial numbers. In RFC 3280 there is a note about "Non-conforming CAs"
> where section " Serial number" says that "certificate users
> SHOULD be prepared to gracefully handle such certificates". Maybe the
> note can apply in this case?
> What I do know is that without a patch openssl cannot be used with
> certificates issued on a Serbian national eID card. At least one other
> Serbian CA is hit by the same problem (http://ca.pks.rs/certs/) where
> the PKI solution was provided by the same company.

These are not X.509 certificates, since they're not correctly encoded
(not DER, not even BER).

The paragraph you're mentioning is about the value of the serial
number (strictly positive, no more than 20 bytes), not about its
encoding. A serial number can be negative, or larger than 20 bytes
when encoded, if your only goal is to be X.509 compliant and not
RFC 5280 compliant. Hence, "non-conforming CAs" here is to be
understood as "non-RFC 5280-conforming CAs".

Those certificates should have been rejected by any correct validator
(human or machine) before going into production. The serial number is
encoded using 4 bytes as its value; it should be 1 byte only.

Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
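The encoding defect Erwann describes is a non-minimal ASN.1 INTEGER: X.690 (section 8.3.2) forbids redundant leading 0x00 or 0xFF octets in both BER and DER, which is separate from the RFC 5280 rules on the serial's value. The following checker is an added example, not code from the thread or from OpenSSL; the byte strings in the comments are constructed, not taken from the Serbian certificates.

```python
# Added example: parse one ASN.1 INTEGER TLV (e.g. an X.509 serialNumber),
# flag non-minimal BER/DER encodings per X.690 8.3.2, and separately check
# the RFC 5280 4.1.2.2 rules on the value (positive, at most 20 octets).

def decode_integer_tlv(data: bytes):
    """Return (value, content_octets, issues) for a single INTEGER TLV.
    Structural errors (wrong tag, truncation) raise ValueError."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not an ASN.1 INTEGER tag")
    length, offset = data[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[2:2 + n], "big")
        offset += n
    content = data[offset:offset + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    if length == 0:
        raise ValueError("INTEGER needs at least one content octet")
    issues = []
    # X.690 8.3.2: the first nine bits of the content must not all be
    # zeros or all be ones, otherwise the leading octet is redundant.
    if length > 1:
        if content[0] == 0x00 and not (content[1] & 0x80):
            issues.append("non-minimal: redundant leading 0x00")
        if content[0] == 0xFF and (content[1] & 0x80):
            issues.append("non-minimal: redundant leading 0xFF")
    value = int.from_bytes(content, "big", signed=True)
    return value, content, issues

def check_serial(data: bytes):
    """Apply the RFC 5280 value rules on top of the encoding check."""
    value, content, issues = decode_integer_tlv(data)
    if value <= 0:
        issues.append("RFC 5280: serial must be positive")
    if len(content) > 20:
        issues.append("RFC 5280: serial longer than 20 octets")
    return value, issues

if __name__ == "__main__":
    # Constructed samples: a 1-byte serial, the same value padded to 4
    # bytes (the defect from the thread), and 128 which genuinely needs
    # a leading 0x00 so that it is not read as a negative number.
    for hexstr in ("020105", "020400000005", "02020080", "0202ff80"):
        print(hexstr, check_serial(bytes.fromhex(hexstr)))
```

Padding the value 5 to four octets is rejected as non-minimal, while 0x0080 for 128 is accepted because the leading zero is the sign octet and therefore required.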
