Revert "#43, crypto/x509: don't allow too long serials"

This reverts commit b3f10b9a4cfeb8c384282f3e61aaf7356efab636. # Conflicts: # smx509/x509.go # smx509/x509_test.go
2025-04-28 05:06:18 +08:00 · 2022-04-22 08:28:12 +08:00 · 2022-04-22 08:28:12 +08:00 · 64f522ea1b
commit 64f522ea1b
parent 88dc7dc8ec
2 changed files with 3 additions and 49 deletions
--- a/smx509/x509.go
+++ b/smx509/x509.go
@ -1284,22 +1284,11 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
 		return nil, errors.New("x509: no SerialNumber given")
 	}

-	// RFC 5280 Section 4.1.2.2: serial number must positive and should not be longer
-	// than 20 octets.
-	//
-	// We cannot simply check for len(serialBytes) > 20, because encoding/asn1 may
-	// pad the slice in order to prevent the integer being mistaken for a negative
-	// number (DER uses the high bit of the left-most byte to indicate the sign.),
-	// so we need to double check the composition of the serial if it is exactly
-	// 20 bytes.
+	// RFC 5280 Section 4.1.2.2: serial number must positive
+
 	if template.SerialNumber.Sign() == -1 {
 		return nil, errors.New("x509: serial number must be positive")
 	}
-	serialBytes := template.SerialNumber.Bytes()
-	if len(serialBytes) > 20 || (len(serialBytes) == 20 && serialBytes[0]&0x80 != 0) {
-		return nil, errors.New("x509: serial number exceeds 20 octets")
-	}
-
 	if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
 		return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
 	}
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@ -2450,39 +2450,6 @@ func TestOmitEmptyExtensions(t *testing.T) {
 	}
 }

-func TestCreateCertificateLongSerial(t *testing.T) {
-	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	serialBytes := make([]byte, 21)
-	serialBytes[0] = 0x80
-	serialBytes[20] = 1
-	tooLong := big.NewInt(0).SetBytes(serialBytes)
-
-	tmpl := &Certificate{
-		SerialNumber: tooLong,
-		Subject: pkix.Name{
-			CommonName: ":)",
-		},
-		NotAfter:  time.Now().Add(time.Hour),
-		NotBefore: time.Now().Add(-time.Hour),
-	}
-
-	expectedErr := "x509: serial number exceeds 20 octets"
-
-	_, err = CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k)
-	if err == nil || err.Error() != expectedErr {
-		t.Errorf("CreateCertificate returned unexpected error: want %q, got %q", expectedErr, err)
-	}
-
-	serialBytes = serialBytes[:20]
-	tmpl.SerialNumber = big.NewInt(0).SetBytes(serialBytes)
-
-	_, err = CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k)
-	if err == nil || err.Error() != expectedErr {
-		t.Errorf("CreateCertificate returned unexpected error: want %q, got %q", expectedErr, err)
 	}
 }

@ -2565,6 +2532,4 @@ func TestDuplicateExtensionsCSR(t *testing.T) {
 	}
 	_, err := ParseCertificateRequest(b.Bytes)
 	if err == nil {
-		t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
-	}
-}
+		t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")