Today (30 August 2010), Goran Rakic wrote:

[...]

> I read the other messages in this thread, but I am not an expert in the
> field so I do not know if openssl should add support for "incorrect"
> serial numbers. In RFC 3280 there is a note about "Non-conforming CAs"
> where section "4.1.2.2 Serial number" is saying that "certificate users
> SHOULD be prepared to gracefully handle such certificates". Maybe the
> note can apply in this case?
>
> What I do know is that without a patch openssl cannot be used with
> certificates issued on a Serbian national eID card. At least one other
> Serbian CA is hit by the same problem (http://ca.pks.rs/certs/) where
> the PKI solution was provided by the same company.
These are not X.509 certificates, since they're not correctly encoded (not DER, not even BER). The paragraph you're mentioning is about the value of the serial number (strictly positive, no more than 20 bytes), not about its encoding. A serial number can be negative, or larger than 20 bytes when encoded, if your only goal is to be X.509 compliant, and not RFC 5280 compliant. Hence, "non-conforming CAs" here is to be understood as "non-RFC 5280-conforming CAs".

Those certificates should have been rejected by any correct validator (human or machine) before going into production. The serial number is encoded using 4 bytes as its value; it should be 1 byte only.

--
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
KEYNECTIS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    firstname.lastname@example.org
Automated List Manager                           majord...@openssl.org
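An added example, not code from this thread or from OpenSSL, that makes the distinction Erwann draws concrete: it takes the raw DER INTEGER TLV of a serialNumber and reports separately whether the encoding is minimal (X.690 DER) and whether the value satisfies RFC 5280 4.1.2.2 (positive, at most 20 octets). The sample inputs are constructed; `check_serial` and the constant names are this example's own.

```python
# Added example: tell "not DER" apart from "not RFC 5280" for a serial number.
# Input is the raw INTEGER TLV (tag 02, short-form length, content octets).
# The sample inputs are constructed, not taken from a real certificate.

def check_serial(tlv: bytes) -> dict:
    """Return der_ok / rfc5280_ok / value / reasons for one INTEGER TLV."""
    out = {"der_ok": True, "rfc5280_ok": True, "value": None, "reasons": []}
    # Smallest INTEGER TLV is 3 octets: 02 01 xx
    if len(tlv) < 3 or tlv[0] != 0x02:
        out["der_ok"] = False
        out["reasons"].append("not an INTEGER TLV")
        return out
    length = tlv[1]
    content = tlv[2:2 + length]
    if length >= 0x80 or len(content) != length:
        # Long-form length is never needed for a serial of at most 20 octets,
        # and the content must be exactly as long as the length octet says.
        out["der_ok"] = False
        out["reasons"].append("bad length octet")
        return out
    # X.690 8.3.2: the first nine bits must not be all zero or all one, so a
    # leading 00 or FF octet is only allowed when it carries the sign bit.
    if length >= 2 and content[0] == 0x00 and not content[1] & 0x80:
        out["der_ok"] = False
        out["reasons"].append("redundant leading 0x00 octet (non-minimal)")
    elif length >= 2 and content[0] == 0xFF and content[1] & 0x80:
        out["der_ok"] = False
        out["reasons"].append("redundant leading 0xFF octet (non-minimal)")
    # The value decodes the same with or without padding; the RFC 5280 note
    # about "gracefully handling" is about this value, not about the encoding.
    value = int.from_bytes(content, "big", signed=True)
    out["value"] = value
    if value <= 0:
        out["rfc5280_ok"] = False
        out["reasons"].append("serial number is not strictly positive")
    if length > 20:
        out["rfc5280_ok"] = False
        out["reasons"].append("serial number value longer than 20 octets")
    return out


# Constructed samples: value 5 padded to 4 content octets (as in the case
# discussed above) and the same value encoded minimally.
PADDED_SERIAL = bytes([0x02, 0x04, 0x00, 0x00, 0x00, 0x05])
MINIMAL_SERIAL = bytes([0x02, 0x01, 0x05])
```

The padded sample decodes to the same value as the minimal one, so a decoder that tolerates it would produce the right number; the failure is purely in the encoding check, which is what a strict DER parser such as OpenSSL's rejects.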