[gnutls-devel] GnuTLS | `certtool` permits creation of certificates "negative" serial numbers (#1237)

[Read-only notification of GnuTLS library development activities]

Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1237



over on the IETF's [LAMPS WG's mailing list](https://www.ietf.org/mailman/listinfo/spasm), [David A. Cooper writes](https://mailarchive.ietf.org/arch/msg/spasm/fy6ilJRnqBaXiZctVyHJELQMmK8/):

```
[The certificates] contain negative serial numbers. While 
this is permitted by X.509, Section 4.1.2.2 of RFC 5280 requires 
conforming CAs to use positive integers as serial numbers.
```

While the `certtool` template used to generate the certificate does contain hex that would be read as a negative number (e.g. `serial = 0xdebecc44907bab1df99acd6d1568fbb61df2e6`), certtool probably shouldn't embed it in non-compliant form.  Two different ways that GnuTLS could approach this would be:

 - prefix such a serial number with a leading 0x00 octet, thereby making it compliant, or
 - reject it as malformed and refuse to generate the cert (as it would if it saw a template line `serial = nan`) 

I suspect this is also the case for generating certificate requests, but i've only encountered it when generating certificates.

This concerns [draft-ietf-lamps-samples](https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/), which contains certificates being generated by `certtool`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1237
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210512/f2883190/attachment.html>