diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ead4a2daf6..070294cdb4 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -27,4 +27,4 @@ jobs:
 # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
 exclude_file: '.codespellexcludelines'
 # To skip files entirely from being processed, add it to the following list:
- skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h'
+ skip: '*.cproject,*.csr,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h'
diff --git a/certs/include.am b/certs/include.am
index b19881d31f..8d7089c370 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -155,6 +155,7 @@ include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
+include certs/test-serial0/include.am
 include certs/intermediate/include.am
 include certs/falcon/include.am
 include certs/rsapss/include.am
diff --git a/certs/test-serial0/README.md b/certs/test-serial0/README.md
new file mode 100644
index 0000000000..2a5af47642
--- /dev/null
+++ b/certs/test-serial0/README.md
@@ -0,0 +1,66 @@
+# Serial Number 0 Test Certificates
+
+This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615.
+
+## Background
+
+RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types.
+
+## Test Certificates
+
+This directory contains the following test certificates:
+
+### 1. root_serial0.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 0
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded
+
+### 2. root.pem
+- **Type**: Root CA (self-signed, CA:TRUE)
+- **Serial Number**: 1
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Normal root CA for signing test certificates
+
+### 3. ee_serial0.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 0
+- **Signed By**: root.pem (serial 1)
+- **Expected Behavior**: Should be rejected by wolfSSL
+- **Purpose**: Tests that end-entity certs with serial 0 are still rejected
+
+### 4. ee_normal.pem
+- **Type**: End-entity certificate (CA:FALSE)
+- **Serial Number**: 100
+- **Signed By**: root_serial0.pem (serial 0)
+- **Expected Behavior**: Should be accepted by wolfSSL
+- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly
+
+### 5. 
selfsigned_nonca_serial0.pem +- **Type**: Self-signed certificate (CA:FALSE) +- **Serial Number**: 0 +- **Expected Behavior**: Should be rejected by wolfSSL +- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception) + +## Regenerating Certificates + +To regenerate all test certificates: + +```bash +cd certs/test-serial0 +./generate_certs.sh +``` + +Requirements: +- OpenSSL command-line tool + +## Unit Tests + +These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`. + +## Related Issues + +- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615 +- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements +- RFC Errata 3200: Clarification that serial numbers must be non-zero + diff --git a/certs/test-serial0/ee_normal.csr b/certs/test-serial0/ee_normal.csr new file mode 100644 index 0000000000..5bd229b849 --- /dev/null +++ b/certs/test-serial0/ee_normal.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChTCCAW0CAQAwQDEaMBgGA1UEAwwRRW5kIEVudGl0eSBOb3JtYWwxFTATBgNV +BAoMDHdvbGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC7acfABhow9B3a27fBAngMsCjSoRie5Iv5VvcFOR1eChXk +d4a2/x9eehwonlJ2TkmCpaeO2CiHpqHMjjdDabkmhJvaBkkfkpzRKgHuPatXig4h +hZBQE1RACvg7Mf8/Ge7lz/FoY7v39whhAnrUlxT55zPeeC831o5xB2dc0HtDVC9b +9OeCGhMVhLdScxaobJQVMqA6luFAkeTi3GFvJ9BWtWPQjpUnNsuw7qIEhUfVBh16 +WYuSISFpNxayWiNQW2vxGMlISvmIv6oYbdMbj3xeaxbQKtDrYCYxBcL7IrpGQyAM +2OjcduI8Oqp4Tzr5hcLEynxmyjQD+0vvhbFHxaNZAgMBAAGgADANBgkqhkiG9w0B +AQsFAAOCAQEAZo5E2KNfWcaPpIvGjolzQkkZlHNfdhJgP2TSvg8/tFJi4iVst9nI +1SFhSGMRp18pZYjfesTQsZ8zhxa63twSlaHDYBNWa8TlRTnizYzMTRMGklOOutj5 +f7U9WRbQOLSwKTwdy5P5ty47u+k/n7KypQ4zdiHvYJtyXh0B74tslQivvJ0TclgF +arP/6KkcpWqY7RbZz/JytCmCfQD5rT1/8CUZ42oWnoaW0BQdDZ9AOuO4FLMgQf4h +ddNzj7J5TJ9NRL1klBtrLeWOMy4+7fT68Z608ov9DR2iZpMuGwqzurSE+65pMZx8 +QIu2jEC5ym04fmpOu7KZQitsaPV3nkMubg== +-----END CERTIFICATE REQUEST----- 
diff --git a/certs/test-serial0/ee_normal.pem b/certs/test-serial0/ee_normal.pem new file mode 100644 index 0000000000..6db9a9f014 --- /dev/null +++ b/certs/test-serial0/ee_normal.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjYwMjEyMTg0MjQxWhcNMzYwMjEwMTg0MjQxWjBAMRowGAYDVQQD +DBFFbmQgRW50aXR5IE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtpx8AGGjD0 +Hdrbt8ECeAywKNKhGJ7ki/lW9wU5HV4KFeR3hrb/H156HCieUnZOSYKlp47YKIem +ocyON0NpuSaEm9oGSR+SnNEqAe49q1eKDiGFkFATVEAK+Dsx/z8Z7uXP8Whju/f3 +CGECetSXFPnnM954LzfWjnEHZ1zQe0NUL1v054IaExWEt1JzFqhslBUyoDqW4UCR +5OLcYW8n0Fa1Y9COlSc2y7DuogSFR9UGHXpZi5IhIWk3FrJaI1Bba/EYyUhK+Yi/ +qhht0xuPfF5rFtAq0OtgJjEFwvsiukZDIAzY6Nx24jw6qnhPOvmFwsTKfGbKNAP7 +S++FsUfFo1kCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRSQ/8YEzcAmpCVGPyd +RMtW2AdUKzAfBgNVHSMEGDAWgBST0ya/F9I/q8UUWwMNPMOE2pQDmjANBgkqhkiG +9w0BAQsFAAOCAQEAm8sGIp3s155eg1+9KnZQBA9Y4jMnTflMOQS+dqezzyTdWrj8 +EjtKh8/V8492ye0jTEiL2al6MT5ZNk6k1/hIgPfifGkGDyTXup61q9vleqpazq4y +oDuF75GQ+rjII5i78W3bSf/uyKdA4N3IW64GqTqzEHDK/KYOMbR8Z3pQr8JfsJud +Tfub1WbH4X+NgOgXB0vospzv7qMa3RN7I4kIf2EOEym35OPu9UzByDZ/mNH24rf3 +f09JCyFC02nHyyqatpoZ3Bwr7Vwf2Vm6lalYGbgasrSjpR2hs5BJ8N0RvDL34Ap6 +tS4psAsVEy92ginYZb/6R+iYHxd38/nMiPSQyA== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_normal_key.pem b/certs/test-serial0/ee_normal_key.pem new file mode 100644 index 0000000000..d962012de9 --- /dev/null +++ b/certs/test-serial0/ee_normal_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7acfABhow9B3a +27fBAngMsCjSoRie5Iv5VvcFOR1eChXkd4a2/x9eehwonlJ2TkmCpaeO2CiHpqHM +jjdDabkmhJvaBkkfkpzRKgHuPatXig4hhZBQE1RACvg7Mf8/Ge7lz/FoY7v39whh +AnrUlxT55zPeeC831o5xB2dc0HtDVC9b9OeCGhMVhLdScxaobJQVMqA6luFAkeTi +3GFvJ9BWtWPQjpUnNsuw7qIEhUfVBh16WYuSISFpNxayWiNQW2vxGMlISvmIv6oY +bdMbj3xeaxbQKtDrYCYxBcL7IrpGQyAM2OjcduI8Oqp4Tzr5hcLEynxmyjQD+0vv +hbFHxaNZAgMBAAECggEAD27eZPjmVuoAvAvu6FqAh070YE/60TmHMKZm23ZrbYSN +bqMhzq0DU3ThH76Akj8lJ43mVp7Z9j2/F4i4kqPApvmG71/SzWJLPqA5HiTUQ3Za +GTbrU49xQdWFa95/TfN1Qasrjonz/y9Hxdv96xwb5+5lo5LTFJk7C/ds8sQ0+ljD +1kX8YhvnpqibsDclq2bUH3OegvamxwwZRlV5GGCJdr4+bXmqmlg58KaEj30zEeAS +dGKtf1UTWcEz1uBVYt19akOccGccgVAjJzuS9tPISU47OpzJILt4MHck8J88FjE7 +oaCM/MpqNdH1/d4i3eEAugV/wZJQbOzXLhU9NFs7+QKBgQD5tlg4yT2kMADzgPdW +HPNMa4TFMI3LBSNZB5gNJ8j9HfBfCcWXJckWcyIGk4/OCq71iiFhilFiO1GcGgZD +OJboN/UvVRX+MFdcEJPb5mDJO/0FCk80TH/PvTvsbu8QJfmH0372y9chyk4pQeqL ++0MI27Q48rSmQ2QwIGJume22FQKBgQDAIdpxktgIeRTQMwip9p08E0g8POr4SH+J +XIguRkPlt1Moehf96wgKcN+IIHsI5BlVDyYWyYKBc0ytezvWQ6q6ZWQUdXAfQeSG +AKNt9WbntFDvRWsblon2Pa4+QIzXPZBGCIgoaNWfTuqbvKUMyalCpjdgPEHr7nac +SoM/cOhtNQKBgQCbg+tXmkTwbxD4lbX0BF2ll0R9xipYaN/Fv4v7jW6H7NBZb+2F +n3unppZnQBkMOe0ScC8v3wOmSMkfjbmevayF/OuOyc/DmXmelZhwF/7o9Jo0PGJt +cMMcrn6WVdQ+21eXNqlYrERT//lDipC3EwmBh8qquMS20zufGVwUA3terQKBgHtq +A3gqvAwNQrpN3cXXPL6nICJZexFK+GlSf8NBrUF0lb0NWDXpb/vM7zjwrDdU1ZTW +qz+95s+iMWHKI/CI/LTIhhXCLehWGiWdaV0rYhN5tvdLHvbUpv/+NNuV+SIVUIQ7 +3MIgPQAc4ARzk414R/og7LcrXajgP147Wr04mIP1AoGAWLbKSLFvqccaGntPQg4N +pHIrKioFSvwccbe82PhQMnQWSfOc4foSEhlawvHEeVmlx8+iZnMn+TflUxAGNVpi +shNoI+STG2BJRXy9DTqK19wCJl0ORWRpESTuv7GsmcHIB+RbCG8FMtTmTctfJGan +7zYa7/EfWSqHxvYJhHGUJvk= +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/ee_serial0.csr b/certs/test-serial0/ee_serial0.csr new file mode 100644 index 0000000000..5578a4951b --- /dev/null +++ b/certs/test-serial0/ee_serial0.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChzCCAW8CAQAwQjEcMBoGA1UEAwwTRW5kIEVudGl0eSBTZXJpYWwgMDEVMBMG +A1UECgwMd29sZlNTTCBUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANGwuezLJ4wzv+rxwIqe3NINbEE/sC/FJWwNYj97/Fvv +uw6naIrpIPRGVU9QbZR4qfkmITbjjuzO/qls6nq1aBfZ8b+IGW0prEwD2r/9f+vu +/Z6ZwAjWMEijLy/nexiHV6kkerYybYRzLg5linD7r5NqAM3rcFn+SOH2atoLXlRt +8l6ay/GuY0DgZB1AFBkzmQZgQziEbOhu/45NFKzDyU5AQIqFsHGogH1PP9e34BP7 +xYPYZtrmoTTmw0iTDZ5LGyjqVRcrS1Sg7rJwDZSbbfOS8IYV/tJZCedKuqAqhlNT +mRtxDGJihAg9XMLOLk9KkS+HOhKA/LcCuCb0IiDrSBsCAwEAAaAAMA0GCSqGSIb3 +DQEBCwUAA4IBAQAvZ1t6G+anGT5A4c4ZvNSUH2W77lHJDAyN8c0GHf707sTal2w5 +Y2bXFYdNbzJzY5pxu6KlbyOTzO3/wMHHdzlOlVAgjaWzTBaG5em0BQra7ubMhAcb +ln3ntDRxyS7+c4sfOnYDVAMN9hfzBa3kHDXEKEiOQpKIXkceIGpCEWPJTsGv3S5b +qLP8cKlPV0MIwOqxYdedtJ06UNB9KUf2bC45k9LkhNLSQMsSugNXm7JrN37bFPOs +8CMs7Wp8KxcJIprqm+luxOAbrbTUp1QfrwbGaLhEZaRJ9JeuUH7w1yr/OAKO1ykh +TseVbJ6bIgu4clZKVFz91D1IYsoDNlZAqbRt +-----END CERTIFICATE REQUEST----- diff --git a/certs/test-serial0/ee_serial0.pem b/certs/test-serial0/ee_serial0.pem new file mode 100644 index 0000000000..8fa844c501 --- /dev/null +++ b/certs/test-serial0/ee_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI2MDIxMjE4NDI0MVoXDTM2MDIxMDE4NDI0MVowQjEcMBoGA1UEAwwT +RW5kIEVudGl0eSBTZXJpYWwgMDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGwuezLJ4wz +v+rxwIqe3NINbEE/sC/FJWwNYj97/Fvvuw6naIrpIPRGVU9QbZR4qfkmITbjjuzO +/qls6nq1aBfZ8b+IGW0prEwD2r/9f+vu/Z6ZwAjWMEijLy/nexiHV6kkerYybYRz +Lg5linD7r5NqAM3rcFn+SOH2atoLXlRt8l6ay/GuY0DgZB1AFBkzmQZgQziEbOhu +/45NFKzDyU5AQIqFsHGogH1PP9e34BP7xYPYZtrmoTTmw0iTDZ5LGyjqVRcrS1Sg +7rJwDZSbbfOS8IYV/tJZCedKuqAqhlNTmRtxDGJihAg9XMLOLk9KkS+HOhKA/LcC +uCb0IiDrSBsCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQrN98QYv7WN+rIBvON +nnd6fFy8MDAfBgNVHSMEGDAWgBSUNQJzDQIXMYyAzNbT0FJ6vt3/KjANBgkqhkiG +9w0BAQsFAAOCAQEABkABI8CpNYExowEMky171dLGL+2KiDFbF4duLqQoE6N2nfWO +AzYkl1WY1MXJUZ4YYCTBAakI4yflU2U4NSf0cw5v7sKxOK2iy2nigCQMiuhLIzQJ +uXyJu4SnueLcVDulA6z098AwmUCR2rqrY/iwJ1W6z2ZP1jtpZ7y8fa0fjm1StfGR +Ps4XDMzMqbVaRItKq+dH+hnErctIn2mwJ1aGfdpqM6qkluP/PJbpDEFzIY2WABvy +cVMXo54DUiThicPakQnXJGaHaH/9xnYgqlHiRTK7cLb0Gpt4w2m93GSivY244f46 +haoGPLPBmxQYCt2LVVempS1OEEBijDlaA/qEjA== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_serial0_key.pem b/certs/test-serial0/ee_serial0_key.pem new file mode 100644 index 0000000000..4d09bade92 --- /dev/null +++ b/certs/test-serial0/ee_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRsLnsyyeMM7/q +8cCKntzSDWxBP7AvxSVsDWI/e/xb77sOp2iK6SD0RlVPUG2UeKn5JiE2447szv6p +bOp6tWgX2fG/iBltKaxMA9q//X/r7v2emcAI1jBIoy8v53sYh1epJHq2Mm2Ecy4O +ZYpw+6+TagDN63BZ/kjh9mraC15UbfJemsvxrmNA4GQdQBQZM5kGYEM4hGzobv+O +TRSsw8lOQECKhbBxqIB9Tz/Xt+AT+8WD2Gba5qE05sNIkw2eSxso6lUXK0tUoO6y +cA2Um23zkvCGFf7SWQnnSrqgKoZTU5kbcQxiYoQIPVzCzi5PSpEvhzoSgPy3Argm +9CIg60gbAgMBAAECggEAKOm1bRk6TyWttXaT3bgfV7CcxaJaiweJRKrb140mcP22 +XqaVRD02W9L5RC9qIgTlDSK+ako+EcBVedMxcN3CQJ0aiQdSBrWR04cRAFLCydLo +kzBmgpLf+tw0EcG1h9Soau0eMDxol+YtP0vali7VVArju0nLsxNlPwloUcDUF969 +ZVGpx4CNFv+z4UAninhEys27C//4A6Jh8HW1zJNXt+ryThToKx8NXd63afSrU7Zj +dyWTpper4p28nGn33M3rMzhDPTpcp9TGzBJwualxgvRdgp9d6B6Jso7JOcHO/DbX +DVIC0ISoDnls2w6RC5C5y7gkOrl1/Ez9axbsaEBSGQKBgQDxaLnHfjiUVrb6Pr3a +N9q2pFRoQTepUdsYI6n59a6z9aGkI3Opg1xLGxQr1HmrVSDX6ptOYSyT4DcSv0+T +cNn6r9XKnOZyXop+Hl89NaUUSOAXt7s05KU4iyRmEjPSgtBf4+gkyCUE1gkBRJPF +XXE8CK3Rv1gVQC2ssU+gVAF9LQKBgQDeXTkGWYHZQRL+QsUUAmJy42hAjfj6iCzZ +C4wtBy5NmRydTY9t71WWmqBa+KaL3crUBZudm3l/OIFWhZF4j3dAw1OORYsZ50OS +sjEH3YHolX/ixsT3Tg0m9wmQvqwm3vNkYKfA2kF9SqPDkbMSCKgdi9+DxoDMmgdI +ChtHGOp3ZwKBgB/rAc0vkhmC0ZSKoR1uDxvg5EwYe1yGtxoc9QdYhW3Dx0hla5B5 +DsXbYbJd2GxfyATkPv6A+Jzgo0d2RfYvkJKFlxW/4vQyLct5BoyYQChLbl2UbEsV +BAdS1lAsje+CXjyfbH0YfVSDXBNv1r3cmfEfEKRP0TyWDLPtiaKgGMZNAoGBALOo +MiiVLLoxP306ySwPeSdF4Lc3fdA9Ma7zC4Bd6uU7LclSHu49jrMtnx2hBD7BJd0D +4uUF9rX5G1aieBQmJb2nktzCB08YcJoXalHmf81A7KB25DDDWREASzQtOb32KEQT +a7X/ISZvpbye/UU2xU2J8z7upKWqVPO5ZqyczuNFAoGBANIOLWxJVKlGeAbokTZc +Ke7cxqsYNg5hxTStpKCzRPY6Md3R9+QBSgN/H1tdd+3a4oDZM0wCUS49TcJmXPWR +j1gx/Y9dZ0izL+ngurEKZ86Q4Lh4sf3DZJk9M1Tg5RmSUw4i2QqS+fyLwuEhMVL9 +xsxeubYgc6Jd+D8htwAG2H0H +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/generate_certs.sh b/certs/test-serial0/generate_certs.sh new file mode 100755 index 0000000000..dc9ba4c961 --- /dev/null +++ b/certs/test-serial0/generate_certs.sh 
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Generate test certificates for serial number 0 testing (issue #8615)
+# This script creates certificates in the certs/test-serial0/ directory
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "==================================================="
+echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
+echo "==================================================="
+
+# 1. Create Root CA with serial number 0
+echo ""
+echo "[1/5] Creating Root CA with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
+ -days 7300 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root_serial0.pem -noout -serial
+
+# 2. Create normal Root CA (serial != 0)
+echo ""
+echo "[2/5] Creating normal Root CA with serial number 1..."
+openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
+ -days 7300 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
+ -set_serial 1 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root.pem -noout -serial
+
+# 3. Create end-entity cert with serial 0 signed by normal root
+echo ""
+echo "[3/5] Creating end-entity certificate with serial number 0..."
+openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
+ -subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
+ -out ee_serial0.pem -days 3650 -set_serial 0 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " End-entity cert serial number:"
+openssl x509 -in ee_serial0.pem -noout -serial
+
+# 4. Create normal end-entity cert signed by root CA with serial 0
+echo ""
+echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
+openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
+ -subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
+ -out ee_normal.pem -days 3650 -set_serial 100 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " Normal end-entity cert serial number:"
+openssl x509 -in ee_normal.pem -noout -serial
+
+# 5. Create self-signed non-CA certificate with serial 0
+echo ""
+echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
+ -out selfsigned_nonca_serial0.pem -days 3650 -nodes \
+ -subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=CA:FALSE" \
+ -addext "keyUsage=digitalSignature,keyEncipherment"
+
+echo " Self-signed non-CA cert serial number:"
+openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
+
+echo ""
+echo "==================================================="
+echo "Certificate generation complete!"
+echo "==================================================="
+echo ""
+echo "Generated certificates in: $SCRIPT_DIR"
+echo " - root_serial0.pem (Root CA with serial 0)"
+echo " - root.pem (Normal root CA)"
+echo " - ee_serial0.pem (End-entity with serial 0)"
+echo " - ee_normal.pem (Normal end-entity)"
+echo " - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
+echo ""
+
diff --git a/certs/test-serial0/include.am b/certs/test-serial0/include.am
new file mode 100644
index 0000000000..90e388730f
--- /dev/null
+++ b/certs/test-serial0/include.am
@@ -0,0 +1,20 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+dist_doc_DATA+= certs/test-serial0/README.md
+
+EXTRA_DIST += certs/test-serial0/generate_certs.sh \
+ certs/test-serial0/root_serial0.pem \
+ certs/test-serial0/root_serial0_key.pem \
+ certs/test-serial0/root.pem \
+ certs/test-serial0/root_key.pem \
+ certs/test-serial0/ee_serial0.pem \
+ certs/test-serial0/ee_serial0.csr \
+ certs/test-serial0/ee_serial0_key.pem \
+ certs/test-serial0/ee_normal.pem \
+ certs/test-serial0/ee_normal.csr \
+ certs/test-serial0/ee_normal_key.pem \
+ certs/test-serial0/selfsigned_nonca_serial0.pem \
+ certs/test-serial0/selfsigned_nonca_serial0_key.pem
+
diff --git a/certs/test-serial0/root.pem b/certs/test-serial0/root.pem
new file mode 100644
index 0000000000..d05ea433f9
--- /dev/null
+++ b/certs/test-serial0/root.pem
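Review bot: Every `openssl req -x509` invocation in this script relies on `-addext`, which only exists in OpenSSL 1.1.1 and later, while the README merely asks for an "OpenSSL command-line tool"; on an older binary `set -e` kills the run at step 1 with an unhelpful usage error. A feature probe right after `set -e` makes the requirement explicit: `openssl req -help 2>&1 | grep -q -- '-addext' || { echo "openssl req -addext (OpenSSL >= 1.1.1) is required" >&2; exit 1; }`. It is also worth a one-line header comment that re-running the script regenerates the private keys too (`-newkey` with `-keyout`), so all committed `.pem`/`.csr` fixtures change on every run rather than just the certificates.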
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI2MDIxMjE4NDI0MVoXDTQ2MDIwNzE4NDI0MVowQjEcMBoGA1UEAwwT +VGVzdCBSb290IENBIE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL5SSIwVlzjt +VzO1oCz5FLKikMiUDd/9i6BJvGbPeagvCp7JJQVRZspbuzDLj1TTVUh5rZLzbjjk +bF5+EuGkXsK+RDJm1CsiUPhj0Nkro9GuidMlyzELMVVR++q2OyflZGlbaajDxOU5 +zzDenLlGOu0rwkW5E8RSx5LtngO3fQz4Xz2ZcvRQu4J5XxJ9HmD3y2x+HgcKtOPD +6fYEn/Usiv8dhVy6Iy+/537maV4ZDAt5adjnixcnr4gBp4bfqMM7vgBSeeuQ8mQB +rUou3QCXf8OK2nEBVo1syZ8//IUE7wkgEdI+qKMv+Rir05vNlbTiZ+R0OPO4zG+H +BF9vTpx7mm0CAwEAAaNjMGEwHQYDVR0OBBYEFJQ1AnMNAhcxjIDM1tPQUnq+3f8q +MB8GA1UdIwQYMBaAFJQ1AnMNAhcxjIDM1tPQUnq+3f8qMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB1ki2j0f55xgkQ +2l/7rG6av8FFqgdyYu/YOfO6U9CKQjdWC46ho2rkQ5BOPFd+eG0iRZps80qlPYK/ +8szRUgnq5QctBOK731ASYHt1NjBBByKNsn9cOhbfACDTMGMivyXBaKJ0p7BLVeSa +0uwawdmfAB7mBMq8Ke4l+Jxcg97vgitIwmcYo4cztGaDEcd8U5VLIyyF/wbFI25O +ikwTnJ5Icxon0ueYN7bWZE4p4eVTWPk925EjSZjR1vrT3NNCeDV9x8rICk6tCsGO +6mhVPtrjvDSsLXiYieGioSehNYpUqp+59zECys5MgliIo/qxLvGiahCzuRk/tA+N +bBil5ocH +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_key.pem b/certs/test-serial0/root_key.pem new file mode 100644 index 0000000000..c69f9c1ef5 --- /dev/null +++ b/certs/test-serial0/root_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+UkiMFZc47Vcz +taAs+RSyopDIlA3f/YugSbxmz3moLwqeySUFUWbKW7swy49U01VIea2S82445Gxe +fhLhpF7CvkQyZtQrIlD4Y9DZK6PRronTJcsxCzFVUfvqtjsn5WRpW2mow8TlOc8w +3py5RjrtK8JFuRPEUseS7Z4Dt30M+F89mXL0ULuCeV8SfR5g98tsfh4HCrTjw+n2 +BJ/1LIr/HYVcuiMvv+d+5mleGQwLeWnY54sXJ6+IAaeG36jDO74AUnnrkPJkAa1K +Lt0Al3/DitpxAVaNbMmfP/yFBO8JIBHSPqijL/kYq9ObzZW04mfkdDjzuMxvhwRf +b06ce5ptAgMBAAECggEAG67y1AOI91QYmNIsrhX+A3zfg/l7Ki9iaaqID8lSiBrt +l8qoyqT8R2d/6zlUzDEgSNZAH+2uRPK+66C5hN5IlVmhKFaqOmr3raWxOYGeRs/1 +RsQK0gOvhZpTAyFGKge1KxkLnat6PqCByXk8ATwcsqZokAU7gZVL58yN7Tr5otLW +nYXwNIReLoHW6g46+pRX6S3vUpVfQtGW0vXeRxFOO+A42hqzZc7NJsvbrXAWk63w +4EgLVyf2oIGqAiMTMyXxd1QqXlCR4LfrBgn1i18WOKY1DuoxMoMEkZtAONowmwek +BaA5Sa0OBTvH/j99bBhkdww6EWThKa4F1rGx6VbiSQKBgQDlx63mHAwiCzpolSME +B3BXG5H1eMd60baBN9QnjaHlj6zaEjqk8Gh7CYsQG/kDt5pfr/xC8p2hJC+JmYDu +EEfmEopcm+0KinhVHFZKqqBhs1sSuyrCMI+uzl5GvGCO84qhE8fKk4DkbI14kLyy +Px57zIpd66buubrmGC2MuBxw1QKBgQDUCfE5TP2HlzBsT6eXbJ71kwXioBbF3V4H +tWHserNDQYvkzGnSP70tdFfB7inHydLfe0qj0BmDe/0tm+rO6imAw6nDZtueEmgx +QszF/tu3YmJlVMqsUz5wEeG/jl6bk0A3IGkbTmoJ3LzflZHr1GgVfd6Ify3M22+h +QAMKumIPOQKBgQCruOj7eaaPoriKBDrg/fY1A0O3ogXigevU8jY5QR3nA9L4PntZ +XNmYae9loKIe5w4VyN3L4qlvDi4AtZmnUL+K7/w7bcRfBlEbuku7DX1CxtmfTAWO +juAykcPfNVUsQFIwQyoi+M1w6LdpjTGYPJe5iYk227Ar5N4Kq7MO4WFP6QKBgBn1 +/areWkw3np4kQoivq+a1UYslvqQLLnATLSIfA8PASriArpQnaaofDH+aAVOMylzC +Y6ka2YTXsW/cHyumT96MFkTuWwVHi6o8W4YCZjRVv2ZYs1fV+VcPWWxyqfKyXLJj +LXtCZok+lYFqdqtBHl1DQ/PCXoEufMRpafXuTANBAoGBAK8VhDbr+Lf63QfRlLO7 +Xdej1YenrZfpbsjnUIoNNF8kP2HjvUvAeKA+I+e/7T0yg/o5IsGOqQ0sOSBLOVqN +BPmXCS5tIgDk60SSNu+EPNVPlJJroRWbdlC0v2IGIOhfVXcNT1SgC9AwIXcDCpyD +s8i0G1uPWbM5PBCczwh8glnj +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/root_serial0.pem b/certs/test-serial0/root_serial0.pem new file mode 100644 index 0000000000..fd152f274a --- /dev/null +++ b/certs/test-serial0/root_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjYwMjEyMTg0MjQxWhcNNDYwMjA3MTg0MjQxWjBEMR4wHAYDVQQD +DBVUZXN0IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCIxdM +2CccfLpUs6vlP1PY9HUak67WGwx9C+gub874XADuONOAVrmhdZcrvTBdtr5X4fff +tBjWOMh4bDe8Vvzx0/uVEGPhielMz3rsCAj3igEOdLLI96ufS1gVnKm6VwiW+jPg +9hTkWHotpD/G+T4uzPPx8kBRgO1kBet0+ZXNcZ+TkVqZyxGCzAa2z83q1n03YTXz +2U1fxYN9hpryt8GEFrY9b9icbE6AcDEMsR5w7vuBdMM5DDLGZt51JoxmKXeABtcC +L0nbtCGV8d72VzdEVeiVsodhc5ktPbiBkWweVyFaL2Ggezzbzc8mRznkfLUToKk0 +GU/Qm5BuheJ/GxbpAgMBAAGjYzBhMB0GA1UdDgQWBBST0ya/F9I/q8UUWwMNPMOE +2pQDmjAfBgNVHSMEGDAWgBST0ya/F9I/q8UUWwMNPMOE2pQDmjAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAMbxjGSFb +aiGx5w6tPw4ckaoxHYmPHnvyN7CTrSZe/JDlR1XLkVq4w78IYPybfEhReJTmTmmA +lKe8VNIbo+fmxl2k3GX1tv7tmHWrs1kHeuYmL1cwDaWXE7AEQcZ0gC5h8AvycFCE +zEVj9bIg4UAy5R0b1cisBKWN+wZDIMTxtgE1a/HiNNtbeQzrf68k4CHfyovm+Gra +/vpq3GWrz8cYgVVLv1YT/SPl/w8CRtx30CIV1VUvgaIGGBphrilHg3VkxBnuwfE7 +QYBE3Z2w+xGbAO2t5ssrJY39ZjlWuTuOJ8QHmEGzB5xpx+zKhDOGDnDwRSpbDmNq +ksoqtfOc69SOWw== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_serial0_key.pem b/certs/test-serial0/root_serial0_key.pem new file mode 100644 index 0000000000..1bd8fe8394 --- /dev/null +++ b/certs/test-serial0/root_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCIxdM2CccfLpU +s6vlP1PY9HUak67WGwx9C+gub874XADuONOAVrmhdZcrvTBdtr5X4ffftBjWOMh4 +bDe8Vvzx0/uVEGPhielMz3rsCAj3igEOdLLI96ufS1gVnKm6VwiW+jPg9hTkWHot +pD/G+T4uzPPx8kBRgO1kBet0+ZXNcZ+TkVqZyxGCzAa2z83q1n03YTXz2U1fxYN9 +hpryt8GEFrY9b9icbE6AcDEMsR5w7vuBdMM5DDLGZt51JoxmKXeABtcCL0nbtCGV +8d72VzdEVeiVsodhc5ktPbiBkWweVyFaL2Ggezzbzc8mRznkfLUToKk0GU/Qm5Bu +heJ/GxbpAgMBAAECggEAXOXO0gJDIPIcdciuUlpt5I0B9nBCAwlZfgLzHTl6iET6 +WwRNTQXy+SycZJ045jc6uTIT23PCSMxOPbXHK/RSQOQn6Ko5qWTFg3BrSUQFCnL6 +03CLVviRIv46Tck0PMtF/H0I0zbeQ3CFMo78x9lf5KRFfXrnRTkVH75ncAe4o+BK +ibL1S6zo5HEqVHtcIHG7wbHvOOJ82gTHd/jpNCagOvx8K0N2gctKA/NJtp6iLA+h +CpnUEmRqGeRpvYNMGQfCqvY7WA5PsVdWddA0Q1z7fLc13Qh09ZBEjEgT0OJg7TNn +xD9PFGmixCcdnzw+IfkNkXvIZjC5x/qKMXePvWMbwwKBgQD97djfXSNNo5bsx05/ +jyuBZERmHJUsqNtGoKmMqZm18G22jRVk+ZIoN4pbUiBxKhB78mOU2di0ul4AS3gy +4mNHHrihsnTkZu50AgTLkbRvZZ0Z5uwBvmJrht1Dvey3mQSXOO7rxVuzq4ihbIRm +gpVzGMRrLaBLryLrw8oJ9lls6wKBgQDDuGkARkg2A59pY+bVja403G7r5BF7VVs2 +KKSS2bAYz/nN7KQeIiQ+abxQ2qXDkZqwu1EC6NgNlcd+BagmG9rDNnIelTpPhDdx ++Cn43MRCTJFI7o0q+yp3gFsf8guN1cWAUyDAiNp1PmCI/Z5CkRB5GvNpBEN5b/pD +peQVljLGewKBgQD40IuWarQCCo8DmlP/x/EQS4h+Kfm+FgMu1JTugO1eCqXmn53c +IHQntix7SSEC4f3fBeav3zpp9MfRMCIqcgxnjuHJh4zklTuILsY2FqKgGQh0bgLJ +vpy/0hmTnFGMoYKPDzmFixBNIIKz8hpWPBRnAFjO0JlmL8lfDa02T87WWwKBgGhh +iV5kHU7xT6tdZFawYSBAD8guskQcmbCgrGTFRG13PbrdYgnQG5RNv+k/MvjCRsXK +oMH0fIWCRAqp6aupX1qNRv+Yhqix0wAtYfUfiGvzeehzkUZC/bsN8YtwA0l5oQN3 +Uhhc5GVzBvkIicbmpupvvTFc3L9/QPGjH6mDmUDRAoGABNh4WZDq9AOl20WTCqLL ++wMXyZSZIZ3DOyt43mzGl9DJ32MXeM5FS2Knq0F8L+g/oULO2X97s5qqFnz2N9vb +0LYc6BS8en3Hn9wqB9/mFDhGVZ0NCegdMt6ZV/TOfxdxycUvfHLRJGuBaDH23D2s +qIOwGJjYClLGdaEl9Cs+sJw= +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0.pem b/certs/test-serial0/selfsigned_nonca_serial0.pem new file mode 100644 index 0000000000..2e637a6965 --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQsFADBKMSQwIgYDVQQDDBtTZWxm +LVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwHhcNMjYwMjEyMTg0MjQxWhcNMzYwMjEwMTg0MjQxWjBKMSQw +IgYDVQQDDBtTZWxmLVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdv +bGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCP4jmMTI7zNkK8SZsGwbLHpI2oIILaVUIWwRmj1sl6qwxYIczWr6JI +0iTnS0jMTe6SU+YWT0XeJ2I22I1TAMcSA8vdB5dELucbGdY7ivgAhmOPm1/wlhr5 +4IfCEAKrvii7LC5nW3HeU9Xl1gPuVikjGAwAIKyGjfK0gq5eIQBbf2jR3XgbLFNQ +Vt+uSVdAmwtq4Iv0XYuBz3fbZjzruDM/0bL5BvIFOdJPA+btruOKSBd/SplAr0pj +epU5I0QofM6IGsj3F7jqYJw+DNiMfooNSr8eV/HfHH5VxXXf66zJNnqxA3zj5nF4 +YjYcaqVceQYyA+2YG7dXOx0aLNdX7+HbAgMBAAGjWjBYMB0GA1UdDgQWBBR9K6PI +0cuoE+Zor9OmShs3ckuHxzAfBgNVHSMEGDAWgBR9K6PI0cuoE+Zor9OmShs3ckuH +xzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAQEAYQ80 +99NKhHlekjXDpwCWiY96dGNHmJ2uwAm52FUaSRtu5r45pMCdbo8FxnjSt4NLzf6h +cl2tuWEGiZmkdA96hdyFiCxyVqtCMBCnNQyIe39xKvRyplRma+f4V2Pb+ujr9pwd +rK9jknGl1U1b1pNNI50CwXxKw3BGfHMYtnXLdmbFYwE7GZb0iVyHj+SdhYF4GlDP +c04V1UP6R7hVUVwNNzN4xaQrkGpPfMBjM67O33P7+GIPXqARrZkNtC8RqyWcIjiP +4VyCbKX77n6IWm9L1I3iCKlbCysgBLZouLDMFlKDybiXzVmXizCl/CFsCG0uFC7z +BFrJhbND59EW3R0Qqg== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0_key.pem b/certs/test-serial0/selfsigned_nonca_serial0_key.pem new file mode 100644 index 0000000000..88e5ebaec3 --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCP4jmMTI7zNkK8 +SZsGwbLHpI2oIILaVUIWwRmj1sl6qwxYIczWr6JI0iTnS0jMTe6SU+YWT0XeJ2I2 +2I1TAMcSA8vdB5dELucbGdY7ivgAhmOPm1/wlhr54IfCEAKrvii7LC5nW3HeU9Xl +1gPuVikjGAwAIKyGjfK0gq5eIQBbf2jR3XgbLFNQVt+uSVdAmwtq4Iv0XYuBz3fb +ZjzruDM/0bL5BvIFOdJPA+btruOKSBd/SplAr0pjepU5I0QofM6IGsj3F7jqYJw+ +DNiMfooNSr8eV/HfHH5VxXXf66zJNnqxA3zj5nF4YjYcaqVceQYyA+2YG7dXOx0a +LNdX7+HbAgMBAAECggEAAtSpDWlfZ/sl9QrkmHnHx68vIOL9oA0C0GxTlsVlMqn3 +qwMh/eKB2c0kl2oD8tMvrgkR+6Z06oxi9ienqkeSmTNnEse4pMlqXMgribLjfN47 +rNJo/l5MaGm3KqWAES6vq8OkBjnXwnbhFOs4UUVV/GPNrxlEO6j9fkfhR8kvbQmu +YJM21xH9890SrEWrYAA+5qLFiDR4JmHrSqZLfQSAcNfL3UmEHZwdre4Coo9KSIRC +zaC0Va7k+RUuujzMhJx4PxjEjNqzRVj7iEOAuczcDeDPWEqxgV5hjrY0E+TRPUXA +rsG3+Mqm0DOZurlWqRiKWfu9x0Z87lT/+HaGvNZHWQKBgQDDbLkh54wvzjA6T8JB +EiaJ6/XV4usQNbw8fJm3JmOYC9168KE7DtJ/0uYubrv6gkfW8sIlndXkAvgGed8v +ns9QElKvtPlDw8GlTjBESaiN8Ts2gS43Milm/KuNp+3hy5fT1KGKWJXLd3b86Oaz +M6LCMR07dHDtPIro6kOZUhzjYwKBgQC8e6LmGBdHku5Xk3ErzBhl4+gO/DHEja6p +hYG131uaGoPvi53wYS9vGPinwgkYVv/7gZC+rBjvfukndK6ivZQAOuLAZ9zN5LCs +uM94IveF2zUhQYZDaycYcc6dRvjjAU1YxIXRFiFvCr3E5qHndV5lxnaP8IaW5hQd +I8juLeHdKQKBgFcjFXF+s01lnK+DfNRS6Yg6BEW4hqOVsjcuP8Qgg+v57mmw/dM9 +irKgMS6nBX5vtOStHdB0Djk68ajBkrjDESFc6i2afkKu+Jtiv7bTOSsBUyu8cgT+ +guN+6mehZzp081/qwZTUZwZwYEfo+WUSMxJvn98wzmGZyz6LplSo/mSNAoGAfkdH +SGlzj1x9mucJt5Ix9nHPE9sbbNiP4Lu1v6g5svF425Dq7BXwtbpBPgPeHBSNxG92 +Dok2255njyu5pQbmlZDeQpJTeQ5y4AWh2pdyxpeq7PD9h0XPF62IBA98yHoi3Aou +rXrqQ38qzTTH3E7iQ8XHwYAgbBESAMPs5saOwKECgYAEDQQ4JpqdBHj/TSmIb/9P +UxwO6f5tf+QuU9QwORMMZVBsCs/7EbTLRouMNT8GGyoQhctA5RfTpITdYdK7mfJr +Fp2uxaQIMq0l8PQ9fDKWZnTMZEgM9RpAu0I8hgZs8aoEmLppuXI+m0oyyKUY5I7p +1au5XJLanQ1HMlJfkpfYhQ== +-----END PRIVATE KEY----- diff --git a/tests/api.c b/tests/api.c index 0cda4e114a..d264bac43b 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -20456,12 +20456,14 @@ static int test_MakeCertWith0Ser(void)
 CTC_NAME_SIZE);
 cert.selfSigned = 1;
- cert.isCA = 1;
+ /* Changed from isCA=1 to isCA=0 to test non-root certificate.
+ * Serial 0 is now allowed for root CAs (selfSigned && isCA),
+ * but should still be rejected for non-CA certificates. */
+ cert.isCA = 0;
 cert.sigType = CTC_SHA256wECDSA;
-#ifdef WOLFSSL_CERT_EXT
- cert.keyUsage |= KEYUSE_KEY_CERT_SIGN;
-#endif
+ /* Note: KEYUSE_KEY_CERT_SIGN is not set here because it's only valid for
+ * CA certificates. This test creates a non-CA certificate (isCA=0). */
 /* set serial number to 0 */
 cert.serialSz = 1;
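Review bot: The comment above `cert.isCA = 0` is written as a changelog entry ("Changed from isCA=1 to isCA=0") rather than as a description of what the test asserts; a reader of the file has no previous value to compare against. State the intent instead, e.g. `/* Self-signed but not a CA: the serial-0 exemption applies only to self-signed CA certificates, so this cert must still be rejected. */`. Since `cert.selfSigned = 1` is kept, the test now exercises the self-signed-non-CA case; the expectation checked later in the function is outside this hunk, so confirm it was not written for the CA case. test_MakeCertWith0Ser starts and ends outside the hunk.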
@@ -920,3 +920,81 @@ int test_wc_DecodeRsaPssParams(void)
 #endif /* WC_RSA_PSS && !NO_RSA && !NO_ASN */
 return EXPECT_RESULT();
 }
+
+int test_SerialNumber0_RootCA(void)
+{
+ EXPECT_DECLS;
+
+#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+ !defined(WOLFSSL_NO_PEM) && defined(WOLFSSL_PEM_TO_DER)
+ /* Test that root CA certificates with serial number 0 are accepted,
+ * while non-root certificates with serial 0 are rejected (issue #8615) */
+
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ WOLFSSL_CERT_MANAGER* cm = NULL;
+ const char* rootSerial0File = "./certs/test-serial0/root_serial0.pem";
+ const char* rootNormalFile = "./certs/test-serial0/root.pem";
+ const char* selfSignedNonCASerial0File =
+ "./certs/test-serial0/selfsigned_nonca_serial0.pem";
+
+ /* Test 1: Root CA with serial 0 should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 2: Normal root CA (serial != 0) should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootNormalFile, NULL),
+ WOLFSSL_SUCCESS);
+
+#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
+ defined(OPENSSL_EXTRA)
+ {
+ const char* eeSerial0File = "./certs/test-serial0/ee_serial0.pem";
+ const char* eeNormalFile = "./certs/test-serial0/ee_normal.pem";
+
+ /* Test 3: End-entity cert with serial 0 should be rejected during
+ * verify */
+ ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeSerial0File,
+ WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_PARSE_E));
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 4: Normal end-entity cert signed by root CA with serial 0
+ * should verify successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeNormalFile,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+ }
+#endif
+
+ /* Test 5: Self-signed non-CA certificate with serial 0 should be rejected */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
+ WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+#endif /* !WOLFSSL_NO_ASN_STRICT && !WOLFSSL_PYTHON &&
+ !WOLFSSL_ASN_ALLOW_0_SERIAL */
+#endif /* !NO_CERTS && !NO_FILESYSTEM && !NO_RSA && !WOLFSSL_NO_PEM */
+
+ return EXPECT_RESULT();
+}
diff --git a/tests/api/test_asn.h b/tests/api/test_asn.h
index 2403bc81d1..65b4c0fb53 100644
--- a/tests/api/test_asn.h
+++ b/tests/api/test_asn.h
@@ -29,12 +29,14 @@ int test_GetSetShortInt(void);
 int test_wc_IndexSequenceOf(void);
 int test_wolfssl_local_MatchBaseName(void);
 int test_wc_DecodeRsaPssParams(void);
+int test_SerialNumber0_RootCA(void);
 #define TEST_ASN_DECLS \
 TEST_DECL_GROUP("asn", test_SetAsymKeyDer), \
 TEST_DECL_GROUP("asn", test_GetSetShortInt), \
 TEST_DECL_GROUP("asn", test_wc_IndexSequenceOf), \
 TEST_DECL_GROUP("asn", test_wolfssl_local_MatchBaseName), \
- TEST_DECL_GROUP("asn", test_wc_DecodeRsaPssParams)
+ TEST_DECL_GROUP("asn", test_wc_DecodeRsaPssParams), \
+ TEST_DECL_GROUP("asn", test_SerialNumber0_RootCA)
 #endif /* WOLFCRYPT_TEST_ASN_H */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 231d250b6e..421ab298e9 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
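Review bot: Test 5 only asserts `!= WOLFSSL_SUCCESS` for the self-signed CA:FALSE certificate, but a CA loader will plausibly refuse a non-CA certificate for that reason alone, so the assertion can pass without the new serial-0 branch in ParseCertRelative ever executing. Pin the cause the way Test 3 does, `ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL), WC_NO_ERR_TRACE(ASN_PARSE_E));`, or parse the file directly as `CERT_TYPE` so the failing check is unambiguous. The fixture set also has no CA:TRUE certificate with serial 0 that is *not* self-signed (an intermediate), which is exactly the case the `cert->selfSigned` condition is meant to exclude; without it a regression that drops that condition would go unnoticed. The closing comment `#endif /* !NO_CERTS && !NO_FILESYSTEM && !NO_RSA && !WOLFSSL_NO_PEM */` omits the `WOLFSSL_PEM_TO_DER` term the opening `#if` carries.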
@@ -24206,21 +24206,10 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 cert->version = version;
 cert->serialSz = (int)serialSz;
- #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
- !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
- /* RFC 5280 section 4.1.2.2 states that non-conforming CAs may issue
- * a negative or zero serial number and should be handled gracefully.
- * Since it is a non-conforming CA that issues a serial of 0 then we
- * treat it as an error here. */
- if (cert->serialSz == 1 && cert->serial[0] == 0) {
- WOLFSSL_MSG("Error serial number of 0, use WOLFSSL_NO_ASN_STRICT "
- "if wanted");
- ret = ASN_PARSE_E;
- }
- #endif
+ /* RFC 5280 requires serial number to be present and at least 1 byte */
 if (cert->serialSz == 0) {
- WOLFSSL_MSG("Error serial size is zero. Should be at least one "
- "even with no serial number.");
+ WOLFSSL_MSG("Error: certificate serial number is empty "
+ "(zero-length serial is invalid per RFC 5280)");
 ret = ASN_PARSE_E;
 }
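Review bot: Removing the strict block here means serial 0 is no longer refused at decode time; the policy now lives only in ParseCertRelative, so any path that reaches DecodeCertInternal without passing through that function (I cannot see the call graph from this hunk) silently loses the check. A pointer comment at the deletion site keeps the two halves findable, e.g. `/* A serial of 0 is a policy decision that depends on the certificate type (trust anchor vs. peer) and is enforced in ParseCertRelative(), not here. */`. The remaining `serialSz == 0` rejection is unconditional, so dropping the build-option hint from the message is consistent. DecodeCertInternal starts and ends outside the hunk.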
@@ -26121,6 +26110,26 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
 }
 #endif
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
+ * positive serial numbers. However, allow zero for self-signed CA
+ * certificates (root CAs) being loaded as trust anchors since they
+ * are explicitly trusted and some legacy root CAs in real-world
+ * trust stores have serial number 0. */
+ if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
+ if (!((type == CA_TYPE || type == TRUSTED_PEER_TYPE) &&
+ cert->isCA && cert->selfSigned)
+#ifdef WOLFSSL_CERT_REQ
+ && !cert->isCSR
+#endif
+ ) {
+ WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
+ return ASN_PARSE_E;
+ }
+ }
+#endif
+
 #ifndef ALLOW_INVALID_CERTSIGN
 /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9
 * If the cA boolean is not asserted, then the keyCertSign bit in the
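Review bot: The exemption hinges on `cert->selfSigned`, which, if it is derived from an issuer/subject comparison as elsewhere in asn.c rather than from a verified signature, only says the two names match; what makes that acceptable is the `type == CA_TYPE || type == TRUSTED_PEER_TYPE` half, i.e. the caller has chosen to trust this certificate, and the comment should say so explicitly, e.g. `* Note: selfSigned is a name match, not proof of signature; the trust-anchor type check is what makes the exemption safe.`. The test `serialSz == 1 && serial[0] == 0` only recognises a minimally encoded zero; a padded encoding such as `02 02 00 00` slips through unless the INTEGER decoder already rejects non-minimal leading zeros, so either confirm that or compare the whole serial buffer against zero. The bare `return ASN_PARSE_E` skips whatever `ret != 0` handling the rest of ParseCertRelative performs; if the surrounding code sets `ret` and falls through, this block should follow the same convention. ParseCertRelative starts and ends outside the hunk.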