crypto/x509: revert serial length restriction

Emman 2022-04-22 08:37:49 +08:00
parent 64f522ea1b
commit 41d0934ef4
2 changed files with 7 additions and 4 deletions


@ -1286,9 +1286,13 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
// RFC 5280 Section 4.1.2.2: serial number must positive
// We _should_ also restrict serials to <= 20 octets, but it turns out a lot of people
// get this wrong, in part because the encoding can itself alter the length of the
// serial. For now we accept these non-conformant serials.
if template.SerialNumber.Sign() == -1 {
return nil, errors.New("x509: serial number must be positive")
}
if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
}
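Review bot: The guard `if template.SerialNumber.Sign() == -1` rejects only negative serials, so a zero serial is still issued even though the comment above it and the error text both say the serial must be positive (RFC 5280 Section 4.1.2.2). If zero is not deliberately tolerated, `if template.SerialNumber.Sign() <= 0 {` would make the check match its message; if it is tolerated, the message should read `x509: serial number must not be negative`. With the length cap gone, the doc comment of CreateCertificate is the remaining place to warn issuers, for example `// Serial numbers longer than 20 octets are accepted but do not conform to RFC 5280; strict verifiers may reject such certificates.` CreateCertificate starts and ends outside this hunk, so the nil check on `template.SerialNumber` that the `Sign()` call depends on is presumably earlier in the body and should be confirmed.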


@ -2450,9 +2450,6 @@ func TestOmitEmptyExtensions(t *testing.T) {
}
}
}
}
var negativeSerialCert = `-----BEGIN CERTIFICATE-----
MIIBBTCBraADAgECAgH/MAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAjopMB4XDTIy
MDQxNDIzNTYwNFoXDTIyMDQxNTAxNTYwNFowDTELMAkGA1UEAxMCOikwWTATBgcq
@ -2533,3 +2530,5 @@ func TestDuplicateExtensionsCSR(t *testing.T) {
_, err := ParseCertificateRequest(b.Bytes)
if err == nil {
t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
}
}