mbedtls
Reporting Bugs in Certificate Chain Validation
Summary
- It allows empty DirectoryString (e.g., "") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant)
- You should not allow 0 (zero) as certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each certificate...CAs MUST force the serialNumber to be a non-negative integer...Non-conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."
System information
Mbed TLS version (number or commit id): v3.4.0 or later
Operating system and version: Linux
Expected behavior
Reject
Actual behavior
Accept
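The two RFC 5280 rules in this report can be checked directly on the DER of the serialNumber and of the issuer/subject Name. The following is an added example written for this page, not Mbed TLS code: a small DER TLV reader plus two check functions, run over hand-constructed DER samples (a serial of zero, a negative serial, a valid serial, a Name whose commonName is an empty UTF8String, and a Name with a non-empty commonName). The names `check_serial`, `check_name` and the sample constants are this example's own.

```python
"""Added example (not Mbed TLS code): RFC 5280 checks for a positive
serialNumber and for non-empty DirectoryString values inside a Name.
All DER byte strings below are constructed by hand for this example."""

# DirectoryString alternatives a DN attribute value may use (RFC 5280 4.1.2.4):
# TeletexString, PrintableString, UniversalString, UTF8String, BMPString
DIRECTORY_STRING_TAGS = {0x14, 0x13, 0x1C, 0x0C, 0x1E}


def read_tlv(buf, pos=0):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    else:                                 # long-form length, 1..4 length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(raw):
    """Turn OID content octets into dotted notation (e.g. 55 04 03 -> 2.5.4.3)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def check_serial(der_integer):
    """Return the RFC 5280 problems found in a DER-encoded serialNumber."""
    tag, value, _ = read_tlv(der_integer)
    if tag != 0x02 or len(value) == 0:
        return ["serialNumber is not a DER INTEGER"]
    problems = []
    if value[0] & 0x80:                   # two's complement sign bit set
        problems.append("serialNumber is negative")
    elif int.from_bytes(value, "big") == 0:
        problems.append("serialNumber is zero")
    if len(value) > 20:                   # conforming CAs use at most 20 octets
        problems.append("serialNumber longer than 20 octets")
    return problems


def check_name(der_name):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue and report
    every attribute whose DirectoryString value is empty."""
    tag, rdns, _ = read_tlv(der_name)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    problems, pos, rdn_index = [], 0, 0
    while pos < len(rdns):
        set_tag, rdn, pos = read_tlv(rdns, pos)
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            seq_tag, atv, p = read_tlv(rdn, p)
            if seq_tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            oid_tag, oid, q = read_tlv(atv, 0)
            if oid_tag != 0x06:
                raise ValueError("attribute type must be an OBJECT IDENTIFIER")
            val_tag, val, _ = read_tlv(atv, q)
            if val_tag in DIRECTORY_STRING_TAGS and len(val) == 0:
                problems.append(
                    f"RDN {rdn_index}: empty DirectoryString for OID {decode_oid(oid)}")
        rdn_index += 1
    return problems


# Constructed samples (hand-encoded DER, not taken from any real certificate)
SAMPLE_SERIAL_ZERO = bytes.fromhex("020100")      # INTEGER 0
SAMPLE_SERIAL_NEGATIVE = bytes.fromhex("0201ff")  # INTEGER -1
SAMPLE_SERIAL_OK = bytes.fromhex("02020abc")      # INTEGER 2748
# Name { SET { SEQUENCE { 2.5.4.3 (commonName), UTF8String "" } } }
SAMPLE_NAME_EMPTY_CN = bytes.fromhex("300b3109300706035504030c00")
# Name { SET { SEQUENCE { 2.5.4.3 (commonName), UTF8String "CA" } } }
SAMPLE_NAME_OK = bytes.fromhex("300d310b300906035504030c024341")

if __name__ == "__main__":
    for label, der in [("zero", SAMPLE_SERIAL_ZERO),
                       ("negative", SAMPLE_SERIAL_NEGATIVE),
                       ("ok", SAMPLE_SERIAL_OK)]:
        print("serial", label, check_serial(der))
    print("empty CN", check_name(SAMPLE_NAME_EMPTY_CN))
    print("ok name", check_name(SAMPLE_NAME_OK))
```

The functions expect the bare TLV of the serialNumber and of each Name as they appear inside TBSCertificate; locating those fields in a full certificate is left to whatever X.509 parser you already use. A validator that enforces the report's first point would treat any non-empty result from `check_name` on issuer or subject as a parse error, while for `check_serial` the RFC's own wording (users "SHOULD be prepared to gracefully handle" zero or negative serials) leaves rejection as a policy decision.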