Introduce WOLFSSL_ASN_ALLOW_0_SERIAL #7893
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julek-wolfssl
approved these changes
Aug 22, 2024
|
retest this please |
douzzer
approved these changes
Aug 24, 2024
This was referenced Sep 3, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
While working on wolfSSL "Certificate Bundles" in support of improved integration in the Espressif ESP-IDF, I noticed there are several certs in the (current default) mbedTLS bundle that do not have a serial number. For example the Go Daddy Class 2 CA.
By default, wolfSSL does not allow a missing serial number per RFC 5280 section 4.1.2.4. Although this could be resolved by enabling
WOLFSSL_NO_ASN_STRICT, I did not want to completely disable all of the other strict ASN checking just because a few certs in a bundle many be missing a serial number.This PR introduces
WOLFSSL_ASN_ALLOW_0_SERIALthat regardless of havingWOLFSSL_NO_ASN_STRICTor not, will allow a missing serial number.Note that it must be a valid missing serial number: The length must be exactly one byte and the data is zero.
If there's a zero for the length and a zero for the data, this will still be considered to have always failed the ASN check regardless of
WOLFSSL_NO_ASN_STRICTand/orWOLFSSL_ASN_ALLOW_0_SERIAL.See my WIP ESP-IDF 5.2.2 branch and my esp_http_client_example for the WIP Certificate Bundle support.
Some minor spelling corrections also included.
Fixes zd#
Does not fix, but see related related tickets including 18469 and 18228.
Testing
How did you test?
Tested only in Espressif ESP32 environment.
Checklist