diff --git a/certs/include.am b/certs/include.am
index 68fcd1e2ea1..3351bfabcd8 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -146,6 +146,7 @@ include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
+include certs/test-serial0/include.am
 include certs/intermediate/include.am
 include certs/falcon/include.am
 include certs/rsapss/include.am
diff --git a/certs/test-serial0/README.md b/certs/test-serial0/README.md
new file mode 100644
index 00000000000..2a5af476426
--- /dev/null
+++ b/certs/test-serial0/README.md
@@ -0,0 +1,66 @@ +# Serial Number 0 Test Certificates + +This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615. + +## Background + +RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types. + +## Test Certificates + +This directory contains the following test certificates: + +### 1. root_serial0.pem +- **Type**: Root CA (self-signed, CA:TRUE) +- **Serial Number**: 0 +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded + +### 2. root.pem +- **Type**: Root CA (self-signed, CA:TRUE) +- **Serial Number**: 1 +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Normal root CA for signing test certificates + +### 3. ee_serial0.pem +- **Type**: End-entity certificate (CA:FALSE) +- **Serial Number**: 0 +- **Signed By**: root.pem (serial 1) +- **Expected Behavior**: Should be rejected by wolfSSL +- **Purpose**: Tests that end-entity certs with serial 0 are still rejected + +### 4. ee_normal.pem +- **Type**: End-entity certificate (CA:FALSE) +- **Serial Number**: 100 +- **Signed By**: root_serial0.pem (serial 0) +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly + +### 5. 
selfsigned_nonca_serial0.pem +- **Type**: Self-signed certificate (CA:FALSE) +- **Serial Number**: 0 +- **Expected Behavior**: Should be rejected by wolfSSL +- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception) + +## Regenerating Certificates + +To regenerate all test certificates: + +```bash +cd certs/test-serial0 +./generate_certs.sh +``` + +Requirements: +- OpenSSL command-line tool + +## Unit Tests + +These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`. + +## Related Issues + +- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615 +- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements +- RFC Errata 3200: Clarification that serial numbers must be non-zero + diff --git a/certs/test-serial0/ee_normal.csr b/certs/test-serial0/ee_normal.csr new file mode 100644 index 00000000000..9f2965b7c6e --- /dev/null +++ b/certs/test-serial0/ee_normal.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChTCCAW0CAQAwQDEaMBgGA1UEAwwRRW5kIEVudGl0eSBOb3JtYWwxFTATBgNV +BAoMDHdvbGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDGmfUlMQyqetJsIs9jEX5KljUwq1T9Tg743KhWAFDTpR5T +rx0wsUBTnalsY+FdEzQXf0WJ4jLxBZjhiFlUJsVRF24hqME7WjaeJr3+x+8+B550 +81GiBL1B50dVszgyHPTQlhEy/RF3ZUkc+e7ntbmHj7z9es84wBgRhWufV78RcF0L +PwqY5rMOZCxIc9+J7pXZj3eebhXnEar/NwgMfBziKwZ23OFnr0WpYsg/zZxmr1Qr +AExT718RrZ6M5I2T6okgv9vY85oPrut8Gc6C8bFpAg/Z7FpnUaFNfnXzsuG0Lrg8 +k/STG6jR1rK/dFy1H9egpnFyhpdZZN3IkIIbA7XZAgMBAAGgADANBgkqhkiG9w0B +AQsFAAOCAQEAmx7S7a3tM4oJMgf9pI6VE+n1pTMhJ1izGs9+7aDU7Vw0/cSIn62X +NpMN59cYU8PEKmEDMhG11AzaajnoHYNV+a3V84is5gmUW3Gnj5a39nD4l7VRcWXk +1SsGxa4XCrss7SA+wydnbx/bH/t3FTkA7eX2v9Ad+z7gdcyxnSK+c1x0hDj5omHA +g0YpoHgNoS+kUG3oxc0ajzghyiiQCJKPTF2rNyzqFaWL48O49ZRpZHxacZhDAscN +ks/UU8T9s8f39/PthXDUvSqwYaqgOU+isgc4BVnLaDfeycpDG9P6LCM/LB8htecJ +9T4+O5ZhbfYWZA+MRawStYwtapWT37vL2Q== +-----END CERTIFICATE REQUEST----- 
diff --git a/certs/test-serial0/ee_normal.pem b/certs/test-serial0/ee_normal.pem new file mode 100644 index 00000000000..8a306da15ce --- /dev/null +++ b/certs/test-serial0/ee_normal.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjUxMjE5MjM0MDE4WhcNMjYxMjE5MjM0MDE4WjBAMRowGAYDVQQD +DBFFbmQgRW50aXR5IE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMaZ9SUxDKp6 +0mwiz2MRfkqWNTCrVP1ODvjcqFYAUNOlHlOvHTCxQFOdqWxj4V0TNBd/RYniMvEF +mOGIWVQmxVEXbiGowTtaNp4mvf7H7z4HnnTzUaIEvUHnR1WzODIc9NCWETL9EXdl +SRz57ue1uYePvP16zzjAGBGFa59XvxFwXQs/Cpjmsw5kLEhz34nuldmPd55uFecR +qv83CAx8HOIrBnbc4WevRaliyD/NnGavVCsATFPvXxGtnozkjZPqiSC/29jzmg+u +63wZzoLxsWkCD9nsWmdRoU1+dfOy4bQuuDyT9JMbqNHWsr90XLUf16CmcXKGl1lk +3ciQghsDtdkCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQOtYl8IbuhwNvuxtw/ +E0EiPBLdITAfBgNVHSMEGDAWgBTKbzmfzfMDi8bSxDKvXPrVlJO7QTANBgkqhkiG +9w0BAQsFAAOCAQEAp2KWiroy9OFUFghTBWquc5oQUVS5f1IYfVt4Gas0Vz9Sokwm +xl+TiXJAA9mV8RSxxkIokGcOsyycwzwyq9IeGhq1ovEgNNJM5OVjkdX5CjjnWs+i +Kum+TEWAawWnTDSRyhxjcbdAu+5TtF+Wk9UwO6hEOEaTUzpgEaGLgiqyJSV3XEpp +y9BQTQ4wwmLv3qzZR8P6O+pRxMIHKu/kkD/2gxlKyonH+PikbR+d1DNP/Hwn92q7 +qs8o7udsluxfHsO8JCiqtRDuHyHPpTTSQIBX1MqIn57dEY67HSIfyXXOsq+ygW/I +coAv4SxQ5arEXmaZXOkcR8Z36FhIw1XO+qBGfg== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_normal_key.pem b/certs/test-serial0/ee_normal_key.pem new file mode 100644 index 00000000000..33e55116d6e --- /dev/null +++ b/certs/test-serial0/ee_normal_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDGmfUlMQyqetJs +Is9jEX5KljUwq1T9Tg743KhWAFDTpR5Trx0wsUBTnalsY+FdEzQXf0WJ4jLxBZjh +iFlUJsVRF24hqME7WjaeJr3+x+8+B55081GiBL1B50dVszgyHPTQlhEy/RF3ZUkc ++e7ntbmHj7z9es84wBgRhWufV78RcF0LPwqY5rMOZCxIc9+J7pXZj3eebhXnEar/ +NwgMfBziKwZ23OFnr0WpYsg/zZxmr1QrAExT718RrZ6M5I2T6okgv9vY85oPrut8 +Gc6C8bFpAg/Z7FpnUaFNfnXzsuG0Lrg8k/STG6jR1rK/dFy1H9egpnFyhpdZZN3I +kIIbA7XZAgMBAAECggEAEVCl92lN2zqHHbIb67LAPzIruVkOuWD0sYzSHmFmVUrY +QzU0HHqFCw/mur0AjolYlCiJVbVYz1EMxwkIuhYBQ7SBFRfYn7CaAh2K7hYyDRyZ +RkVahiosnVIpPYG5HLa6lMmoqTiNgnUxs9WJ7JNtoAc6U81BGN0NRtB06s5kfwQU +f4cJ0eW9FoAgLorxCQTdfWDecV26wEy7AylEPZwavs7oDjxeIMSmE0X7kaAzXXab +LYrjLY8d2ySQLPOO+0fwCnKqxPAIS11iZOXkyEb1sEurSH/k4F6SPI44qpr3sUP+ +W9FSXdFe0d9FXNLAEsUcx1ZlQhTcXatwmTfrsuvgiwKBgQD8VCLCpjmRAYLAWNWd +k8lXXc4XZHKVdW3mSFBoiVTaTTdMncm55VrCaPTizZcjQSP1lsvTaIskjzh/aJ5A +ZoKN7b0d9uI4voSdT72qdjV//CSTwHcxqngxidYhVncTVHGW2SxWCQpCdnkB9Ljt +ONRSSo1eSC7iejKDB1gCyB6hhwKBgQDJfbNX0ZnnzW3dd9Z9dl7HZk0BtdlbLlSn +XZKPpHjDpHKA8tNLAJqfUS7m70rOlk8K6Ls9Lw/BWWQmNH95Syyd99xXw32q2gwJ +U9OQZkOg1TBriXdOy0GMPR1Hva4pTL+p6cUdtTuoiSqDsWQFXCXJX2yZbX9vSHqS +wnOxquxFnwKBgQCQroWH6twTQzR/qfBCfFz0VXs4eoYhIMY1Rr2kUypuSdwteEQU +7WfPFXNlINFKi61cwmx4+fberaiNlaU39A9j5i+MIOWx97v+n5x3Q3SFwEQQ3Ej8 +F2z3qrs3PmbklITVJA2B/4j8dwYHkxT+IJnN3aWVq/oGLl8MNofGgIzfvQKBgQCJ +qxMgi5umn9vTGBA7ROdZQnKXGpLaE/vPJsX+0xeYRQHfTQpFErKS7DspmpH4OQbk +o0NbeI5BQzyERhZa35wqirHIXU+9rqHOtbG11cmbWE5vC0uzUHkGwrMA037txPyn +sYv20l9iteWQeWGnr+A5iLOA2Sna9SCaqbW2zNwGbQKBgQCJ9FzkJZTNn5xmFmhH +JaCwl+BUKFIITN9xgoB7G2Fd5s8dMRhATnSxWHxoYh+VMIDZmJVItatSMN84ATN+ +xis5DbQdKvCDcBhuDc9U46UhmQvvg5PpHBAdDVg2VGY6n7ZTydOSTEJJIjINxzDD +ditcotkx/ZONY00aSgx/FtmmkA== +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/ee_serial0.csr b/certs/test-serial0/ee_serial0.csr new file mode 100644 index 00000000000..e2d0226c133 --- /dev/null +++ b/certs/test-serial0/ee_serial0.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChzCCAW8CAQAwQjEcMBoGA1UEAwwTRW5kIEVudGl0eSBTZXJpYWwgMDEVMBMG +A1UECgwMd29sZlNTTCBUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANUOzExpAy8FaTQVU4yj2FxAY93lRLhNe9R9CW9LBKZD +6R3tg+EltRK5i4798RnZfXwanU2LeCFi21a7q7FL29gaeTxxP1CrB59lubdvlqIK +82TAubWHBhoPt0dPR5bTsBPtwoqn8ZPAJPTBqFkzpkX8ASNIakvPH546RX+6WHbJ +a175fxyKMRo6V9UKWjA/sqQkhIOA3Drl6x4d7haa35NquZm/OeIQnEqu2XWTdWcx +iMqKquTNyJ2izZ4WRa65QzVMPLQrlh47xtPUC5Hu17sgW2FYY1GiOmTO3iKAXZsn +yt+9UWJru8NuvWkxIZdwOABLJm8K25XW8GvZUvoan7cCAwEAAaAAMA0GCSqGSIb3 +DQEBCwUAA4IBAQC/GAHuVZz2p/Tkk7QXrIbovWvw2g1gusPDJrL27471ZwFUnTyA +y5NZDGRSMazZCylclRBIATEEEiTobR32+3NaT/r01wMBW/9R5uh7MpDAJjA9jS/8 +zE92TwwT9H8RHnkbJXzxKPbnRZF/Nl5FE0DzH7YlHY9PKAbkeN3l3M5zy8yxoon+ +1g2QiEVHiGWPshtpbqpKuxbgwSJ8bP6BdZ51fwmgSCqzaei+OCXrGKKHJqdHpwRd +iX7tp4PtcCWiifwvb1d/az5X/CGBfK6qar8jYNa5dGLXQn2pilAxoddRSDIrrNnN +pT3R8Djb1CQGFtS7RUdtmA5FRqlY3cAFI4o6 +-----END CERTIFICATE REQUEST----- diff --git a/certs/test-serial0/ee_serial0.pem b/certs/test-serial0/ee_serial0.pem new file mode 100644 index 00000000000..7cd5afec479 --- /dev/null +++ b/certs/test-serial0/ee_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI1MTIxOTIzNDAxOFoXDTI2MTIxOTIzNDAxOFowQjEcMBoGA1UEAwwT +RW5kIEVudGl0eSBTZXJpYWwgMDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUOzExpAy8F +aTQVU4yj2FxAY93lRLhNe9R9CW9LBKZD6R3tg+EltRK5i4798RnZfXwanU2LeCFi +21a7q7FL29gaeTxxP1CrB59lubdvlqIK82TAubWHBhoPt0dPR5bTsBPtwoqn8ZPA +JPTBqFkzpkX8ASNIakvPH546RX+6WHbJa175fxyKMRo6V9UKWjA/sqQkhIOA3Drl +6x4d7haa35NquZm/OeIQnEqu2XWTdWcxiMqKquTNyJ2izZ4WRa65QzVMPLQrlh47 +xtPUC5Hu17sgW2FYY1GiOmTO3iKAXZsnyt+9UWJru8NuvWkxIZdwOABLJm8K25XW +8GvZUvoan7cCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQx+Na6kBfWYPpaWckA +enIUHRBTpjAfBgNVHSMEGDAWgBSHt8mJk7i7mgilD+S1x772GmpVEzANBgkqhkiG +9w0BAQsFAAOCAQEAToFw7Pq59wHF05exYFlSC8R5TRQy9C4fZH55J5urGZ76pOFw +7jyxke2QacP0/3bE3/cJOFPjGm4pu060+lI9sVu0S4ztiRjaNhbHm2vbpZ7ZLXrL +2ytMG4S17rbkCw/nPbNEi4aleB/QPI8g2oVDmxO9ZR8dGhh9CBsNsfy5iHo+clV3 +NAim9bhd3otyJRJcEfTUBe2n+DIu87B4s+/8d7NWZm/0s3p+tDZ8b9cvJcakN4Ty +uN42s7goJ+fBQhPyPvxn/DT6wQY0rfEtsPGF4DFliKdnOlrHkctA9mC3ysGWbNa4 +m/t6/U2WeTZPSgJad/OHsXHP+/Ke7dEiXHZsCw== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_serial0_key.pem b/certs/test-serial0/ee_serial0_key.pem new file mode 100644 index 00000000000..34d641b0f44 --- /dev/null +++ b/certs/test-serial0/ee_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDVDsxMaQMvBWk0 +FVOMo9hcQGPd5US4TXvUfQlvSwSmQ+kd7YPhJbUSuYuO/fEZ2X18Gp1Ni3ghYttW +u6uxS9vYGnk8cT9QqwefZbm3b5aiCvNkwLm1hwYaD7dHT0eW07AT7cKKp/GTwCT0 +wahZM6ZF/AEjSGpLzx+eOkV/ulh2yWte+X8cijEaOlfVClowP7KkJISDgNw65ese +He4Wmt+TarmZvzniEJxKrtl1k3VnMYjKiqrkzcidos2eFkWuuUM1TDy0K5YeO8bT +1AuR7te7IFthWGNRojpkzt4igF2bJ8rfvVFia7vDbr1pMSGXcDgASyZvCtuV1vBr +2VL6Gp+3AgMBAAECggEAFfkjutGtwWC2e+ejKUMQolsFsbHeh39+QOjwWykKfrdM +SIjhbAv+g8LdEM9B2V+j4HPCO2gh6JeQdX5/c5aWQtBgJoqrc/9fluHf6Ho6t9WX +SpHR1VXqnC94wIL9qCGG7Fc+FBzD/m/3n8KFQUXhZSBbYa8rP0xKP4BVAJpQW1e0 +WkMxy57kMdZYAgFsGK3vdnaZyBFtIePj1WDplRwR4wCFWq920MWWv5WyG2OyIXiP +BG7o8qhEyU+bPKbIWfaLtIrZHwNk38HoDoluoKx3/W9rEY0jS/Qgwk+Z5Dd4/ufS +C+sf82bh5mlOvCsBt5LTfuIhjXH0QVSWYqiQW5Zk8QKBgQD3G/iQo+yK+7hGiELm +YasBftSJ3kW2J19BWzWsH31P6QzpwldHXDgJo3pITpoBnNvWgfa5y+/D7aN9WrMs +JY3DZO9eyUHw4j2tC0c9HCORObgWYdwQ274UCV6y2o815ty+B/4Vla1ENt2TPWHa +8TCgaBjGH8Px187zJRoKmFdOeQKBgQDcuTEuwLRhky6O4bBh41XZ7CfvfBco1EXx +yk12WJ63bpVmRlmciWQWEwUVOHr3cGRzCCeQ1Y3uz7jYMDit3ZkfkbIjHwwxLaVn +TC+9hptp4oEidO30Qsf7PQKzkE7jg6FVCw/MsPMj6LXI45dM6i0k6zIrmmcUpPaw +6QHnriETrwKBgAJ7I2nAW5WhpV3/7DwH6wGe1l9z/dswVgJ/+e/6ePWeb2TBcMLk +qCNgos+rClzNyF9E+scuxv9+mU+e44Gj9uJpVwXqm2DhxKDCJjr0116T58dBwEXj +DuuAlJTTIPD3mmvGBMUOtaijrGHYEe1y0nwpz2Xd18fL1OYYD0Tf9rBxAoGAT3dR +UL7KcpLV4VU59pQtdY8DdcJcaDO8lue56dDQG8Rxf2f2nVgNs7DXVKOICgvp7kxS +Sl/IgOFCcHsz/MzaczY2R1THQ/FmKoGQcpDC5WVKDsjAXv+oFjkJ/vIGpPzgGcko +wA45C4Wd5RyjfWqWJEOVRYOKdzFJK7pIGExl1jsCgYAzQksueSZmOaekeuSDcOxz +VVAalQcH7Z6mtoPu8NGRtdnQt4fdKWzEEZ1B4jPk2TqgYqsu7DPo/N46Go/96fAY +w4w/OaamuD+Pv3bPkpgArBlcz954/JCzkNwVO1dgbg4KYSxuYWfYGV41c1R5lvYT +wK6SetMgDcNc9rp6OG81xg== +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/generate_certs.sh b/certs/test-serial0/generate_certs.sh new file mode 100755 index 00000000000..605096bddf1 --- /dev/null +++ b/certs/test-serial0/generate_certs.sh 
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Generate test certificates for serial number 0 testing (issue #8615)
+# This script creates certificates in the certs/test-serial0/ directory
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "==================================================="
+echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
+echo "==================================================="
+
+# 1. Create Root CA with serial number 0
+echo ""
+echo "[1/5] Creating Root CA with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
+ -days 3650 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root_serial0.pem -noout -serial
+
+# 2. Create normal Root CA (serial != 0)
+echo ""
+echo "[2/5] Creating normal Root CA with serial number 1..."
+openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
+ -days 3650 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
+ -set_serial 1 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root.pem -noout -serial
+
+# 3. Create end-entity cert with serial 0 signed by normal root
+echo ""
+echo "[3/5] Creating end-entity certificate with serial number 0..."
+openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
+ -subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
+ -out ee_serial0.pem -days 365 -set_serial 0 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " End-entity cert serial number:"
+openssl x509 -in ee_serial0.pem -noout -serial
+
+# 4. Create normal end-entity cert signed by root CA with serial 0
+echo ""
+echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
+openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
+ -subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
+ -out ee_normal.pem -days 365 -set_serial 100 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " Normal end-entity cert serial number:"
+openssl x509 -in ee_normal.pem -noout -serial
+
+# 5. Create self-signed non-CA certificate with serial 0
+echo ""
+echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
+ -out selfsigned_nonca_serial0.pem -days 365 -nodes \
+ -subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=CA:FALSE" \
+ -addext "keyUsage=digitalSignature,keyEncipherment"
+
+echo " Self-signed non-CA cert serial number:"
+openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
+
+echo ""
+echo "==================================================="
+echo "Certificate generation complete!"
+echo "==================================================="
+echo ""
+echo "Generated certificates in: $SCRIPT_DIR"
+echo " - root_serial0.pem (Root CA with serial 0)"
+echo " - root.pem (Normal root CA)"
+echo " - ee_serial0.pem (End-entity with serial 0)"
+echo " - ee_normal.pem (Normal end-entity)"
+echo " - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
+echo ""
+
diff --git a/certs/test-serial0/include.am b/certs/test-serial0/include.am
new file mode 100644
index 00000000000..efbf993070f
--- /dev/null
+++ b/certs/test-serial0/include.am
@@ -0,0 +1,13 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+dist_doc_DATA+= certs/test-serial0/README.md
+
+EXTRA_DIST+= certs/test-serial0/generate_certs.sh \
+ certs/test-serial0/root_serial0.pem \
+ certs/test-serial0/root.pem \
+ certs/test-serial0/ee_serial0.pem \
+ certs/test-serial0/ee_normal.pem \
+ certs/test-serial0/selfsigned_nonca_serial0.pem
+
diff --git a/certs/test-serial0/root.pem b/certs/test-serial0/root.pem
new file mode 100644
index 00000000000..581a6422e24
--- /dev/null
+++ b/certs/test-serial0/root.pem
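Review bot: The three end-entity certificates are issued with `-days 365` while both roots get `-days 3650`, so the committed ee_serial0.pem, ee_normal.pem and selfsigned_nonca_serial0.pem expire roughly a year after generation. When they do, Test 4 in test_SerialNumber0_RootCA fails on a date error, and Tests 3 and 5, which only assert non-success, keep passing for the wrong reason and no longer exercise the serial-0 rejection at all. Give every certificate the same long validity, e.g. `DAYS=3650` near the top of the script and `-days "$DAYS"` at each of the five `openssl` invocations, and regenerate the fixtures so the repository copies match the script.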
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI1MTIxOTIzNDAxN1oXDTM1MTIxNzIzNDAxN1owQjEcMBoGA1UEAwwT +VGVzdCBSb290IENBIE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKVS5W8y81i +YOYfBB60Zf/RxDy3Y7Sck1TyD6YbR4LOhvR+Wirbg09C0Yg+yrERzF2GlkugwT+j +SSlSljgzoieWIVxTdAfHCje7JwZA17/6YAthUFpqpzSzGLcAFpWvtFSCwTd+1CTw +suME5AL7qXF3jrhDJ9+VgfQJIlvbMnY1kLBG62ceG659q5WfHxWOOXXU/6dUOC6+ +DAW6njh9AKvQJM/J3yV2U8XJD31DnQyk3GnA1vSp3fiFF1F20kcHALwP6i7mm7Nl +sjs3mBmNH+gPRdfsKuuDH99bKi1utophWtkhgmHHTsR9woTZOSUlJwAVE4Eh0hLG +vVjvdEkR9rsCAwEAAaNjMGEwHQYDVR0OBBYEFIe3yYmTuLuaCKUP5LXHvvYaalUT +MB8GA1UdIwQYMBaAFIe3yYmTuLuaCKUP5LXHvvYaalUTMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBEIi3qHMBYUhwf +qsADCG8cseg+ay81gypC5UGsvoSCY6vFXKFHJrN40IDOw0j4aOHrLnVIps8JqJ1g +w6IbM+sOU90fN45O32a/hvBIvC2YjkOen1ubzSRmJShGJPCTMN/ukHUr52G2Uvdl +N9STaYzE2kQE/tcK6FiD/uHosN+WqfPE7YfqbV4PtVR8UCzGTHYUtAe8T0xGdvz1 +NR1cZy9lhaRAcOx1G28rGo6pIGqMg/OKdY49RwshC7WnBAwJT4kvp7fAO57DRx+z +UTk+Mzgw/51jQo6/6glSs7Ry8yjwaEI51JkF/afz63ugMBh+HDa9YT7/k1mHdgNf +BM6gjMgs +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_key.pem b/certs/test-serial0/root_key.pem new file mode 100644 index 00000000000..e44af572219 --- /dev/null +++ b/certs/test-serial0/root_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClUuVvMvNYmDm +HwQetGX/0cQ8t2O0nJNU8g+mG0eCzob0floq24NPQtGIPsqxEcxdhpZLoME/o0kp +UpY4M6InliFcU3QHxwo3uycGQNe/+mALYVBaaqc0sxi3ABaVr7RUgsE3ftQk8LLj +BOQC+6lxd464QyfflYH0CSJb2zJ2NZCwRutnHhuufauVnx8Vjjl11P+nVDguvgwF +up44fQCr0CTPyd8ldlPFyQ99Q50MpNxpwNb0qd34hRdRdtJHBwC8D+ou5puzZbI7 +N5gZjR/oD0XX7Crrgx/fWyotbraKYVrZIYJhx07EfcKE2TklJScAFROBIdISxr1Y +73RJEfa7AgMBAAECggEAOUA5AYEPi8n2za5xhWE5o5fB/8VLikAJX1RrQ0nCdBu0 +/GnSuMpma6MyyD4FYCzm7tujC/Rr93/hDk300etrOe+DuEj7mjA3cudXV5EriZou +uRp0TG4V7T0GuA1IF9mfGsBv/haMb6P8VixBtBj8pVxyeweTS0cPedBYMiOfyMR9 +geRGv/In9pyud/JnesUGKLh9HwxRaR2iSUuLMuvPSnDzQIrELZMDn5UkMJOtYWFB +ER/8sMK9Ns47dmRM2tK1F6Di0OP0rNcg7J/ThCoJ1HWAKC46txsk8VsxQYLGM1IY +Um3G4aK+tpiistd2gzPOe4QYN+Tc+eaoi6JR2UrMOQKBgQDkwSNtzjSZulAF0hQv +NlQqkRIdnM/VM+Kcykb6uNjlWuSyFKKFL59Nei3Qj0K31IhU1icBCGvPhgx0fUMG +QrbtXFpnO7ZFJtNhMyA5Yvdzw/KxW4+izy/ZxCBTLJKzCo+riCz4lN2Yfz3MVn8g +MtIczyThPGkNyO1Pa+TPQTJmcwKBgQDZwkEfFJoXEBiu5W6gVNkW0PiTCkCeTk3/ +M4PGrLGqZd+GA9WiCGJlfCrl9K01eTyKGBIsojOU73LB+uYzTgI2HQrdkfnq7yny +uFty63u5WCgs4cK2yR426xTjWq+266AQFIN8kK0/RUdF4QCNAyeLU0hyhpxiPwi0 ++78yHBdUmQKBgQCoqaL2tkBgTFfuQrvxJ4ydKgOCY/l1SGFAm4AEIsCBMyhGCSLf +MoKxfHFFQiu+IO04KAHwKAZdp4eNaEI/3nbDwgFB9mvoxry6ARk0Vrz+1S4fCNR6 +BWtRk+MFkGrFqfbOUYRe8FwGsWKeQ/RNiEsVRMH7dDA9IrWehn3ZNkfz8wKBgQDC +3LgVrgPt23ObHqiORR828a1fN293ui7Fzj1/zg32o88QR+Ima0ZR9nkU6o0NKv5n +vP6WfleWUWfp+jGBe68y6W5NtFFmULrC/wKmpd9DjoX1E9mAZBzrnBZHFWHkWJoV +iaXYFEdUNRSAjcZGaao7XT2ZbqgGqs2J1zXTC5w9EQKBgHA0sgxTh+M+jV8kBDZo +c1J3pF/bWMUp8DePNbwsaz6Qu9vGe7e25xJZO8PtSzHVzgahz980Y4HJzOu7pRCM +BvERqMndDggUVLCw5irtdEqlPNUt+Bdf//xX9JiEEXuojDm0bJlxYeXWV4CVc1nI +6BUG5sJfCeICcyKJAS6kn3KC +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/root_serial0.pem b/certs/test-serial0/root_serial0.pem new file mode 100644 index 00000000000..89bdc498fc1 --- /dev/null +++ b/certs/test-serial0/root_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjUxMjE5MjM0MDE3WhcNMzUxMjE3MjM0MDE3WjBEMR4wHAYDVQQD +DBVUZXN0IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrIH40 +erYfetOLROpuIy/CWwiPVyiG+FC6QiMmKOjEy0SXH5ZlxTSX/TWnhqv2KszUv1wg +v0RtWSE+zL69VhcbIGJBXDs3CoLYIaLwUl0UnP0QKcnpiAPkTeyPh9oQq1sRCACK +J/COuAMY04Xs8wNatTYugUZfCqi5VKigVxLngNVEruHg306sWTRVjv5BjjwvfbL4 +5XnUPs3sAQ+rD2uGLQ1TDZ07Td8nKwrUEyrdLoIxXUmMGYZnFMFN2GI1PmuJmYt+ +M+Lsi23YrobIV4OfFVoZ1Ln6kYgu/ocH/trQ32hD4P0L8tL9fZgMb5/G9LgYWTY4 +DjYdsOtBx0PAe+0DAgMBAAGjYzBhMB0GA1UdDgQWBBTKbzmfzfMDi8bSxDKvXPrV +lJO7QTAfBgNVHSMEGDAWgBTKbzmfzfMDi8bSxDKvXPrVlJO7QTAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAdNqm7c3j +08UY1493GDDEvGmn+Qncl1thCTeFkzeI9TCmQNmjdaDR4UYxEWq81X/clpm2VzXy +Gq0ya1NqnfcNSKS4q9VSZFx6MC2YpnK2e87flTz2386ghEHrxkp5E7ZYL6uuvk2D +omBYoML5tESpBt3C6/564lHzebywUIUR5W2t9zQUK7Y7swGrzMnMsb+/j954S0x2 +7nB6xTsBdw2UL/h4VyIp5igC8+Zp8BoxdmGSFPQvJoTSvMS5rjmWgIhbhVIH+zvm +ICiUA76VAZaCjq2BGKSvoGtzvADebTwEGgsF+bzB+96L/8BH2NCAsLQ8h9X507iq +dqms0IqlEiXKfA== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_serial0_key.pem b/certs/test-serial0/root_serial0_key.pem new file mode 100644 index 00000000000..634be8014a6 --- /dev/null +++ b/certs/test-serial0/root_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrIH40erYfetOL +ROpuIy/CWwiPVyiG+FC6QiMmKOjEy0SXH5ZlxTSX/TWnhqv2KszUv1wgv0RtWSE+ +zL69VhcbIGJBXDs3CoLYIaLwUl0UnP0QKcnpiAPkTeyPh9oQq1sRCACKJ/COuAMY +04Xs8wNatTYugUZfCqi5VKigVxLngNVEruHg306sWTRVjv5BjjwvfbL45XnUPs3s +AQ+rD2uGLQ1TDZ07Td8nKwrUEyrdLoIxXUmMGYZnFMFN2GI1PmuJmYt+M+Lsi23Y +robIV4OfFVoZ1Ln6kYgu/ocH/trQ32hD4P0L8tL9fZgMb5/G9LgYWTY4DjYdsOtB +x0PAe+0DAgMBAAECggEAG/4qNup13UtpzGffE1olJ11d1pjS09VN21ITTtw1S2/W +zgPIReiO9GfivX89pPyWWhzddKvlBSAl3JCAiRdKm1DeUcPFGflZswI5ladbe5I8 +oUa8tTtfK5sFnesCpGRrdqtA71ieNLJsK0T6rOqJu25WKSBTgxuKwxpSpTvpJz46 +e6GOFng3zGMQPONnaCgVTIhBSn86dhT2kxg+ah+wYUJcY5tdhhub84nyUQptx8qn +kV6eKOM6j4ds5tkgRnXalFD49j66tDQyERpRJSLnbUE6JxbFckxbpl86lLj6p1BR +ezBOhtpYtZdOQg7HiGCwHW+098br3vL2bfri/q5ybQKBgQDqOuE1kDlB/TW1zc3o +4APxwbsh6Xx/pFLGFjuOOiQIaGDxoGvJtNfFAXfnCljSSoJXw6kQVXxZ5RE62H9b +ugnUCFRiVYFbkxHplWQwUq5QJ3SmIgYFJEndcGFv33v9+glG3NKFo8iGE4muJPFw ++JSjpjB3DMDFroKuQtSb3rFJBwKBgQC7CC2/Ohxs+cPs8z6NHH4vVbAvBFdqOOoX +tqkvMP3bnQ6oIkAuEJ/2IisErF/Jja7qTLK35+LOw0bX2FbotqNtb+ukUvu+kol/ +XEVmlFIuxWxlrvoSGMDPD04ob6us9z3YDnsKkoS+FIqe5u5Le04lhEzFcBoYQyy5 +jXoZzzPpJQKBgAOtev3BTvTXSfGZ0qLWaZlxJkQJC3hhlx8fGD5KcWhkYylIEIkx +OrYQKNbK1cwveU5xdwUXooUy0Itw/Mbu69qVauXEW+yZKY3WV6VelvgRNoapQBjy +kepVKmJ8StEZDO48511Lzgk041OFpvjUHllXcalc3OX9sHWV/QqZe4UfAoGAfAWm +YEHmi5TsCPobpnMYccb+d48HcFahVGw5sCNqkvCIwZFEwccga5Sotgaf1gVv0cpe +UHkh+z2ego7gwpwpru4icerdKLf/GUdUdfswq/caNCtdhBaJ9EQP7dxvGNkyV0zy +5kXWZD021rwHlGIFpfce+WWmyCPzSm+4Ydj2cUkCgYAyaxA7DKXNnp5kWl8t9MK9 +ReioSMoXs2cqrmR51UDZNCv5TeqrJ6hVeYHKVsfDicsPLDUGaVSkYAWzSVh3x6Aw +WW4WpXvQVZy/gETVQoqUHQG+HjV1wWcqZ923nnlk0h4gn4yG7QUy5eE1AjTBzUxj +g9kd4izacQwN71PCjY1nzA== +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0.pem b/certs/test-serial0/selfsigned_nonca_serial0.pem new file mode 100644 index 00000000000..02e42534289 --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQsFADBKMSQwIgYDVQQDDBtTZWxm +LVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwHhcNMjUxMjE5MjM0MDE4WhcNMjYxMjE5MjM0MDE4WjBKMSQw +IgYDVQQDDBtTZWxmLVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdv +bGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCfd5OZn5tx6hQWpwRuxHW+JEvMoIYpRDrfDYhvojPVnKlvLjwR/Wqh +Xf14BSkK7i1rfMkGa27r8+1nASBxwg0qSdL9yhKVEZKw64Ho8KIuEX5Nspu/Cpqt +kY3Iq4DOaVb5zlwqlmdDWPLwuw31FKvqoKeemAMHPW/tumMXNqjhfw8TVaerkvd0 +BsHf137z3p2w0nzdv00je6bXFuqNFgUTbIDGosxHTG8MFwnlOmU+qqykwDGT/IMe +Ba8YPfslaTgi0mVIWuNO7Ye1+uA3GpnCLsJxBV+NChiZUPnOsYlW0tZo7LbE2q6D +1AI5jwu25ccQlskTo/XJosx3vzlt5KPrAgMBAAGjWjBYMB0GA1UdDgQWBBQk/2Bc +jpaxm/OmYDhmC3b1E5xA9zAfBgNVHSMEGDAWgBQk/2Bcjpaxm/OmYDhmC3b1E5xA +9zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAQEAAnT+ +BA1g63JcAXtpe/vD3x91n8iErppTTR0gQruCzuNBSZikmBngXQAiMJwGhJdUNbHu +v6dL0CduCvVXAT93cvwqf9KjcZDBsQhpiRGsGlSO+uV0wG/gqX2UsN+LKZdUbv6J +HtOMbpMIqQqnbBfJzIEmaoiIYrRQXmv2OcTN0AExBVNERSPDP4sNOozgqNpdoj/g +fB199fO/UCFQ7SeRsb60PrGAj9VBk722odRi6aNmWWyXpybwVeuqf7/R7mpkM17w +tcsY8eplQ4BmGygcGaWz6ppr98Kp4P/juy5ui2B657UOZrdRKmW8QkkJeCHR98kz +q02SitVOp/z7qpxV1Q== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0_key.pem b/certs/test-serial0/selfsigned_nonca_serial0_key.pem new file mode 100644 index 00000000000..29daa7fc52e --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCfd5OZn5tx6hQW +pwRuxHW+JEvMoIYpRDrfDYhvojPVnKlvLjwR/WqhXf14BSkK7i1rfMkGa27r8+1n +ASBxwg0qSdL9yhKVEZKw64Ho8KIuEX5Nspu/CpqtkY3Iq4DOaVb5zlwqlmdDWPLw +uw31FKvqoKeemAMHPW/tumMXNqjhfw8TVaerkvd0BsHf137z3p2w0nzdv00je6bX +FuqNFgUTbIDGosxHTG8MFwnlOmU+qqykwDGT/IMeBa8YPfslaTgi0mVIWuNO7Ye1 ++uA3GpnCLsJxBV+NChiZUPnOsYlW0tZo7LbE2q6D1AI5jwu25ccQlskTo/XJosx3 +vzlt5KPrAgMBAAECggEABn1MQWUwYzteY+maEZPnIrzBZOtnakh/iNI5KinUqC2+ +62pbQXQpobV8eiTjnbFBoe0rFRrMIcgEcjumgVqfRIhKkM9nYC+d45tB5yPbxboq +hKjvE6Av2T5iIbdw/3Vj97iBIa6LNz9oa4mBMOcNc/fjul1/Sg0i/+6k163+w2Zi +yglYlbt7bwnuc7G1QEb560fdXLTWb0qCAdN+mBBn3DN9g1r9csRDwFfdkLjPJ6iO +aSzBFQ3wgLx2H4pCHv2iljdgTtR95l7GuAUFVOKpkuSNR/2jSkXWVfN7XOHBhQ2X +et8sDwoP2/m61Hl557xW1bHgUbICUEmtnr8F3lrkKQKBgQDcTqNdrfZ+6Ud5Dnkj +gDYskwHk3+5vaPZAQO9LU7EiMxqMOrzb7rkduNqbY1ydI0pHBqiqiELdZ1wIjtxF +s8R1rJ39DNMtLGdKDlEK9QHMXIIw7JqlFv8NcpBGkpLH9nDtqZlHqvuvW9wRC+f0 +Njcfe47pIMM5Sc3TO9gaqRtAjwKBgQC5TY/2L4S+8nmlYt78hWTY82isST5HZic1 +N3ZjRikXzaoyFu+/m4GzwB+MTZzn1YZmy5MKFnlIKAcoBjm23B4hBjC1lD4EwyS1 +Xx8Yvyt51ZWDvSdRXOHOaUo4hvq4qPBN382iJXla6sSC3lZUVrZHZh7QiSng2a1v +c1J4xOfc5QKBgFp3cF5nsXEsGk17xALwA08KjxyNWDwnvfdkst8b3wFMOvqapDMs +NJgf8KUeiEl+1GGWOmzMx6hjaUeaYpm82E/6MmZXfeBu+3tNpbn6ImLpGg09G8Pv +TY0YHmbcianTaUwu+OKVNAUuk4/sc7O1D62971GMQp6j0AGN8ZABIU/BAoGAF25e +WNPzZi3FAgu5hJbdhK1qu/ZbAK5DIPCNcMorYg4oikLqOAFS6kbN9nDN+Wa/ovn0 +8t6aoWwmU4JOA/hbevOMbzl6iiGe36xSg0+REMvYJxthAGHNT8tyjilLRNRf5oj5 +OJqieMOc66tvoSSB0g9wsA/YEs2Tp7ceY5UKeJ0CgYAWCiWd3xrz8x1VPLJM1J27 +1JgqjxgYp9or0q1v21dxJOn6FEwmXc9z15lQ0TSBUhKrluBqK3t7254BSWhqu/Ul +uqeb7OUhJ+mHxDIJlj/AIzfF0nuyUoTZrDowVKTxg1KMHS9KsOI7o+pCfv8aGjvw +WAE0EsFxzAniEe2/l9Aq0g== +-----END PRIVATE KEY----- diff --git a/tests/api.c b/tests/api.c index 5f8406b20ae..f27deb327ff 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -26830,7 +26830,10 @@ static int test_MakeCertWith0Ser(void)
 CTC_NAME_SIZE);
 cert.selfSigned = 1;
- cert.isCA = 1;
+ /* Changed from isCA=1 to isCA=0 to test non-root certificate.
+ * Serial 0 is now allowed for root CAs (selfSigned && isCA),
+ * but should still be rejected for non-CA certificates. */
+ cert.isCA = 0;
 cert.sigType = CTC_SHA256wECDSA;
 #ifdef WOLFSSL_CERT_EXT
diff --git a/tests/api/test_asn.c b/tests/api/test_asn.c
index c3907b394e2..67d8682c188 100644
--- a/tests/api/test_asn.c
+++ b/tests/api/test_asn.c
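Review bot: The new comment above `cert.isCA = 0;` records the edit's history ("Changed from isCA=1 to isCA=0") rather than what the test asserts, which is the kind of comment that is wrong as soon as the history is only in git. State the intent instead: `/* Self-signed but not a CA: a serial of 0 must still be rejected; only self-signed CA certificates are exempt from the serial-0 check. */`. If the rest of test_MakeCertWith0Ser (outside the hunk) still expects wc_MakeCert to fail, then the generated-certificate path for an accepted self-signed CA with serial 0 is no longer covered by this function at all, only the file-based path in test_SerialNumber0_RootCA is. test_MakeCertWith0Ser starts and ends outside the hunk.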
@@ -641,6 +641,78 @@ int test_wc_IndexSequenceOf(void)
 return EXPECT_RESULT();
 }
+int test_SerialNumber0_RootCA(void)
+{
+ EXPECT_DECLS;
+
+#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+ /* Test that root CA certificates with serial number 0 are accepted,
+ * while non-root certificates with serial 0 are rejected (issue #8615) */
+
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ WOLFSSL_CERT_MANAGER* cm = NULL;
+ const char* rootSerial0File = "./certs/test-serial0/root_serial0.pem";
+ const char* rootNormalFile = "./certs/test-serial0/root.pem";
+ const char* eeSerial0File = "./certs/test-serial0/ee_serial0.pem";
+ const char* eeNormalFile = "./certs/test-serial0/ee_normal.pem";
+ const char* selfSignedNonCASerial0File =
+ "./certs/test-serial0/selfsigned_nonca_serial0.pem";
+
+ /* Test 1: Root CA with serial 0 should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 2: Normal root CA (serial != 0) should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootNormalFile, NULL),
+ WOLFSSL_SUCCESS);
+
+ /* Test 3: End-entity cert with serial 0 should be rejected during verify */
+ ExpectIntNE(wolfSSL_CertManagerVerify(cm, eeSerial0File,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 4: Normal end-entity cert signed by root CA with serial 0
+ * should verify successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeNormalFile,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 5: Self-signed non-CA certificate with serial 0 should be rejected */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
+ WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+#endif /* !WOLFSSL_NO_ASN_STRICT && !WOLFSSL_PYTHON &&
+ !WOLFSSL_ASN_ALLOW_0_SERIAL */
+#endif /* !NO_CERTS && !NO_FILESYSTEM && !NO_RSA && WOLFSSL_CERT_GEN &&
+ WOLFSSL_CERT_EXT */
+
+ return EXPECT_RESULT();
+}
+
 int test_wolfssl_local_MatchBaseName(void)
 {
 EXPECT_DECLS;
diff --git a/tests/api/test_asn.h b/tests/api/test_asn.h
index e78bb145bbe..dc7a53d96db 100644
--- a/tests/api/test_asn.h
+++ b/tests/api/test_asn.h
@@ -27,12 +27,14 @@ int test_SetAsymKeyDer(void);
 int test_GetSetShortInt(void);
 int test_wc_IndexSequenceOf(void);
+int test_SerialNumber0_RootCA(void);
 int test_wolfssl_local_MatchBaseName(void);
 #define TEST_ASN_DECLS \
 TEST_DECL_GROUP("asn", test_SetAsymKeyDer), \
 TEST_DECL_GROUP("asn", test_GetSetShortInt), \
 TEST_DECL_GROUP("asn", test_wc_IndexSequenceOf), \
+ TEST_DECL_GROUP("asn", test_SerialNumber0_RootCA), \
 TEST_DECL_GROUP("asn", test_wolfssl_local_MatchBaseName)
 #endif /* WOLFCRYPT_TEST_ASN_H */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 3e5703c4143..9cf7252dcf2 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
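Review bot: Tests 3 and 5 assert only `!= WOLFSSL_SUCCESS`, so they pass whenever the load or verify fails for any reason at all — a missing fixture path, an expired PEM, a decode error — and would not notice if the serial-0 rejection in asn.c were lost. If wolfSSL_CertManagerVerify and wolfSSL_CertManagerLoadCA propagate the parse result (not visible here), pin it: `ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeSerial0File, WOLFSSL_FILETYPE_PEM), ASN_PARSE_E);` and the same `ASN_PARSE_E` for the selfsigned_nonca load in Test 5. The exemption in asn.c is decided by flags the certificate asserts about itself (CA:TRUE and self-signed), so one further case is worth adding: root_serial0.pem passed to wolfSSL_CertManagerVerify on a manager that has not loaded it as a CA must still fail, which shows that acceptance comes from explicit trust rather than from parsing. The two `#if` guards also make the function a silent pass in builds that define WOLFSSL_NO_ASN_STRICT, WOLFSSL_PYTHON or WOLFSSL_ASN_ALLOW_0_SERIAL; that matches the code under test, but a one-line comment at the inner `#if` saying so would save the next reader a trip to asn.c.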
@@ -23794,18 +23794,7 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 cert->version = version;
 cert->serialSz = (int)serialSz;
- #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
- !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
- /* RFC 5280 section 4.1.2.2 states that non-conforming CAs may issue
- * a negative or zero serial number and should be handled gracefully.
- * Since it is a non-conforming CA that issues a serial of 0 then we
- * treat it as an error here. */
- if (cert->serialSz == 1 && cert->serial[0] == 0) {
- WOLFSSL_MSG("Error serial number of 0, use WOLFSSL_NO_ASN_STRICT "
- "if wanted");
- ret = ASN_PARSE_E;
- }
- #endif
+ /* Check for serial size of zero */
 if (cert->serialSz == 0) {
 WOLFSSL_MSG("Error serial size is zero. Should be at least one "
 "even with no serial number.");
@@ -24021,6 +24010,24 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 }
 }
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
+ * positive serial numbers. However, allow zero for self-signed CA
+ * certificates (root CAs) since they are explicitly trusted and some
+ * legacy root CAs in real-world trust stores have serial number 0. */
+ if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
+ if (!(cert->isCA && cert->selfSigned)
+#ifdef WOLFSSL_CERT_REQ
+ && !cert->isCSR
+#endif
+ ) {
+ WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
+ ret = ASN_PARSE_E;
+ }
+ }
+#endif
+
 if ((ret == 0) && (!done) && (badDate != 0)) {
 /* Parsed whole certificate fine but return any date errors. */
 ret = badDate;
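Review bot: The exemption in the second hunk is decided by `cert->isCA` and `cert->selfSigned`, which are both claims the certificate makes about itself at parse time — if `selfSigned` is derived from issuer/subject name equality rather than from a checked signature (how it is set is outside the hunk), then any certificate that sets CA:TRUE and repeats its subject as issuer now parses with serial 0 accepted, and the only remaining guard is that such a certificate must be explicitly loaded as trusted or validate against a trusted key. That is a defensible design, but the comment's "since they are explicitly trusted" is not true at this point in decoding and will mislead; append something like `Note: isCA and selfSigned are asserted by the certificate and are not authenticated here; the exemption is only safe because callers trust such a certificate solely when it is loaded as a CA or chains to one.`. The same block is duplicated verbatim in ParseCertRelative (next hunk); factoring both into one static helper such as a suggested `static int CheckZeroSerial(const DecodedCert* cert)` keeps the two decode paths from drifting. DecodeCertInternal starts and ends outside the hunk.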
@@ -25652,6 +25659,27 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
 cert->srcIdx = cert->sigIndex;
 }
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
+ * positive serial numbers. However, allow zero for self-signed CA
+ * certificates (root CAs) since they are explicitly trusted and some
+ * legacy root CAs in real-world trust stores have serial number 0. */
+ if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
+ if (!(cert->isCA && cert->selfSigned)
+#ifdef WOLFSSL_CERT_REQ
+ && !cert->isCSR
+#endif
+ ) {
+ WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
+ ret = ASN_PARSE_E;
+ }
+ }
+ if (ret < 0) {
+ return ret;
+ }
+#endif
+
 if ((ret = GetSigAlg(cert,
 #ifdef WOLFSSL_CERT_REQ
 !cert->isCSR ? &confirmOID : &cert->signatureOID,
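Review bot: The `if (ret < 0) { return ret; }` added after the check lives inside the `#if !defined(WOLFSSL_NO_ASN_STRICT) …` block, so whether a negative `ret` that reaches this point survives depends on build flags — in builds where the block is compiled out, the very next statement `if ((ret = GetSigAlg(cert, …` overwrites it. If `ret` can only be non-zero here because of the new check, put the return inside the inner block (`return ASN_PARSE_E;` after the WOLFSSL_MSG) so the early exit is visibly tied to it; if it can be non-zero from earlier work, the early return belongs after the `#endif` so both builds behave the same. Whether `cert->isCA` and `cert->selfSigned` are already populated on this non-template path before `GetSigAlg` is not visible in the hunk — the new unit test implies they are — so a short comment naming where they are set would make the placement auditable. ParseCertRelative starts and ends outside the hunk.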