From e3d3555b3a69f6ad4288e651836d654d7ddf836c Mon Sep 17 00:00:00 2001
From: Martin Nilsson <nilsson@opera.com>
Date: Mon, 14 Jul 2014 16:29:37 +0200
Subject: [PATCH] Some certficate conformance fixes. RFC 5280 4.1.2.2

---
 lib/modules/Standards.pmod/X509.pmod | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/modules/Standards.pmod/X509.pmod b/lib/modules/Standards.pmod/X509.pmod
index 95aadfbc4a..5cf7601278 100644
--- a/lib/modules/Standards.pmod/X509.pmod
+++ b/lib/modules/Standards.pmod/X509.pmod
@@ -794,8 +794,6 @@ class TBSCertificate
     if (a[0]->type_name != "INTEGER")
       return 0;
     serial = a[0]->value;
-    if(serial<0)
-      return 0;
     DBG("TBSCertificate: serial = %s\n", (string) serial);
       
     if ((a[1]->type_name != "SEQUENCE")
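Review bot: Dropping the `serial<0` rejection in the TBSCertificate decoder leaves no record of why a negative serial is now accepted, and a later maintainer is likely to re-add the check. RFC 5280 4.1.2.2 notes that non-conforming CAs may issue zero or negative serial numbers and that certificate users should handle them gracefully, so relaxing the parser is the right call; a comment above `serial = a[0]->value;` such as `// RFC 5280 4.1.2.2: non-conforming CAs may use zero or negative serials; accept them when decoding, the range is only enforced in sign_key.` would preserve that intent. The enclosing decode function starts and ends outside the hunk.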
@@ -1207,7 +1205,8 @@ string sign_key(Sequence issuer, Crypto.Sign c, Crypto.Sign ca, Crypto.Hash h,
 {
   Sequence algorithm_id = c->pkcs_signature_algorithm_id(h);
   if(!algorithm_id) error("Can't use %O for %O.\n", h, c);
-  if(serial<0) error("Serial number needs to be >=0.\n");
+  if(serial<=0) error("Conforming CA serial number needs to be >0.\n");
+  if(serial>1<<142) error("Serial needs to be less than 20 bytes encoded.\n");
 
   if( mappingp(extensions) )
   {
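Review bot: The upper bound on the new line `if(serial>1<<142)` matches neither the error text nor RFC 5280 4.1.2.2: a positive DER INTEGER fits in 20 octets exactly when it is below 2^159 (the top bit of the first octet must be clear for a positive value), so `1<<142` rejects serial numbers of roughly 18 to 20 octets that a conforming CA is permitted to issue, while the message says "less than 20 bytes". Unless the tighter limit is deliberate, the check should read `if(serial >= 1<<159) error("Serial number must be at most 20 octets when DER encoded.\n");`. The `serial<=0` check on the preceding line is correct for the signing path, since the RFC requires a positive serial from a conforming CA. sign_key's body continues past the end of the hunk.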
-- 
GitLab