openssl/openssl
Voir sur GitHubRFC 5280 X509 compliance issues in OpenSSL v3.1.1 or later
Open
#24 258 ouverte le 24 avr. 2024
branch: masterhelp wantedtriaged: feature
Métriques du dépôt
- Stars
- (30 157 stars)
- Métriques de merge PR
- (Aucune PR mergée en 30 j)
Description
- It allows empty DirectoryString (e.g., "") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant)
- You should not allow 0 (zero) as certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each cer- tificate...CAs MUST force the serial Number to be a non-negative integer...Non- conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."
- We found your implementation do not report any error or warning for Version 4 - 10 (value 3-9) certificates whereas Certificate Version can be either 1 (value 0), 2 (value 1), or 3 (value 2). (RFC 5280 non-compliant)