openssl/openssl

RFC 5280 X509 compliance issues in OpenSSL v3.1.1 or later

Open

#24 258 ouverte le 24 avr. 2024

Voir sur GitHub
 (9 commentaires) (0 réactions) (0 assignés)C (11 262 forks)batch import
branch: masterhelp wantedtriaged: feature

Métriques du dépôt

Stars
 (30 157 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

  1. It allows empty DirectoryString (e.g., "") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant)
  2. You should not allow 0 (zero) as certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each cer- tificate...CAs MUST force the serial Number to be a non-negative integer...Non- conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."
  3. We found your implementation do not report any error or warning for Version 4 - 10 (value 3-9) certificates whereas Certificate Version can be either 1 (value 0), 2 (value 1), or 3 (value 2). (RFC 5280 non-compliant)

Guide contributeur