Skip to content

Allow serial number 0 for root CA certificates #9567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jackctj117 wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Allow serial number 0 for root CA certificates #9567

jackctj117 wants to merge 7 commits into from
+569 −13

Conversation

@jackctj117
Copy link
Contributor

@jackctj117 jackctj117 commented Dec 19, 2025

Fixes #8615

This pull request updates the logic for validating X.509 certificate serial numbers in wolfcrypt/src/asn.c. The main change is to improve compliance with RFC 5280 while allowing for real-world exceptions involving root CAs. The previous strict check for zero serial numbers is now more nuanced, permitting serial number 0 for self-signed CA certificates but still rejecting it for other certificates.

Certificate serial number validation improvements:

  • Moved and updated the check for serial numbers of 0 to allow self-signed CA (root) certificates to have a serial number of 0, while still treating serial 0 as an error for all other certificates. This better aligns with RFC 5280 and real-world trust store practices. [1] [2]
  • Removed the previous check that always treated a serial number of 0 as an error, regardless of certificate type.

Testing

Tested with certificates generated using OpenSSL to verify all scenarios:

  • Root CA with serial 0 loads successfully (previously failed, now passes)
  • End-entity cert with serial 0 is correctly rejected
  • Normal end-entity cert signed by root CA with serial 0 verifies successfully
  • Self-signed non-CA cert with serial 0 is correctly rejected

@jackctj117 jackctj117 self-assigned this Dec 19, 2025
kareem-wolfssl
kareem-wolfssl reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@kareem-wolfssl kareem-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good.

Can you add some test cases with a CA and leaf cert with a serial of 0?

@kareem-wolfssl kareem-wolfssl mentioned this pull request Dec 19, 2025
Open
@jackctj117
Copy link
Contributor Author

jackctj117 commented Dec 23, 2025

@kareem-wolfssl it looks like the failures are looking for an expected failure due to a self-signed CA certificate with serial number 0.

@kareem-wolfssl
Copy link
Contributor

kareem-wolfssl commented Dec 23, 2025

@kareem-wolfssl it looks like the failures are looking for an expected failure due to a self-signed CA certificate with serial number 0.

Yes, you will need to update the failing test test_MakeCertWith0Ser since we no longer expect a root CA with serial 0 to fail.

@tmael tmael mentioned this pull request Dec 23, 2025
Closed
@dgarske
Copy link
Contributor

dgarske commented Dec 26, 2025

@jackctj117 looks like some valid unit test failures you will need to look into. All related to --enable-asn=original.

FAILURES:
   390: test_SerialNumber0_RootCA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kareem-wolfssl kareem-wolfssl Awaiting requested review from kareem-wolfssl

At least 1 approving review is required to merge this pull request.

Assignees

@jackctj117 jackctj117

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: WolfSSL accepts a certificate whose serial number is zero

3 participants

@jackctj117 @kareem-wolfssl @dgarske