diff --git a/certs/include.am b/certs/include.am
index 68fcd1e2ea..3351bfabcd 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -146,6 +146,7 @@ include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
+include certs/test-serial0/include.am
 include certs/intermediate/include.am
 include certs/falcon/include.am
 include certs/rsapss/include.am
diff --git a/certs/test-serial0/README.md b/certs/test-serial0/README.md
new file mode 100644
index 0000000000..2a5af47642
--- /dev/null
+++ b/certs/test-serial0/README.md
@@ -0,0 +1,66 @@ +# Serial Number 0 Test Certificates + +This directory contains test certificates for testing wolfSSL's handling of serial number 0 in certificates, specifically for issue #8615. + +## Background + +RFC 5280 section 4.1.2.2 requires certificate serial numbers to be positive non-zero integers. However, some legacy root CA certificates in real-world trust stores have serial number 0. Since root CAs are explicitly trusted by configuration (not by chain validation), wolfSSL allows serial 0 specifically for self-signed CA certificates (root CAs) while still enforcing RFC 5280 compliance for other certificate types. + +## Test Certificates + +This directory contains the following test certificates: + +### 1. root_serial0.pem +- **Type**: Root CA (self-signed, CA:TRUE) +- **Serial Number**: 0 +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Tests that legacy root CAs with serial 0 can be loaded + +### 2. root.pem +- **Type**: Root CA (self-signed, CA:TRUE) +- **Serial Number**: 1 +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Normal root CA for signing test certificates + +### 3. ee_serial0.pem +- **Type**: End-entity certificate (CA:FALSE) +- **Serial Number**: 0 +- **Signed By**: root.pem (serial 1) +- **Expected Behavior**: Should be rejected by wolfSSL +- **Purpose**: Tests that end-entity certs with serial 0 are still rejected + +### 4. ee_normal.pem +- **Type**: End-entity certificate (CA:FALSE) +- **Serial Number**: 100 +- **Signed By**: root_serial0.pem (serial 0) +- **Expected Behavior**: Should be accepted by wolfSSL +- **Purpose**: Tests that normal certificates signed by a serial 0 root CA work correctly + +### 5. 
selfsigned_nonca_serial0.pem +- **Type**: Self-signed certificate (CA:FALSE) +- **Serial Number**: 0 +- **Expected Behavior**: Should be rejected by wolfSSL +- **Purpose**: Tests that self-signed non-CA certs with serial 0 are rejected (only root CAs get the exception) + +## Regenerating Certificates + +To regenerate all test certificates: + +```bash +cd certs/test-serial0 +./generate_certs.sh +``` + +Requirements: +- OpenSSL command-line tool + +## Unit Tests + +These certificates are used by the `test_SerialNumber0_RootCA()` function in `tests/api/test_asn.c`. + +## Related Issues + +- GitHub Issue: https://github.com/wolfSSL/wolfssl/issues/8615 +- RFC 5280 Section 4.1.2.2: Certificate Serial Number Requirements +- RFC Errata 3200: Clarification that serial numbers must be non-zero + diff --git a/certs/test-serial0/ee_normal.csr b/certs/test-serial0/ee_normal.csr new file mode 100644 index 0000000000..d299574a1c --- /dev/null +++ b/certs/test-serial0/ee_normal.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChTCCAW0CAQAwQDEaMBgGA1UEAwwRRW5kIEVudGl0eSBOb3JtYWwxFTATBgNV +BAoMDHdvbGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDQSvsliJPsY3ISeW7hj9iry1sP1uLy6RXBdsxfitjzgXjW +NT4wq04sC+WCB0ce2eQqtY5WEKWrY2Xcm565IgHGTa/lGMQVoyBALx7JFUfdgopI +p+3cmNdsh3brxyBid6vkWZ2Kqg66xrepP81DBjYJjZVZkPAcVPVaRy9OUcrYba3C +39Ag8dkazgEArTjWLzpn0E+R8TmNnBaHfNtC1sCQlBvXgcflmcgJX5YiezySyrxe +yZ2NLnI//T8gLfDET0wxaDl3ghaxsYmsm/S3k2O+/1LBIRVBo5m/StqKE0dd74Jy +l6IjLhA2AAIPKDead3agECwT92z8IBuEP+c+ReFbAgMBAAGgADANBgkqhkiG9w0B +AQsFAAOCAQEAq+cFptvWqf7wJyNHKx/ba8Vs5L7eQ0FxptaL+vL/GJpK/EB/eUXf +EbpznObJhe1koHzfdTg6AxORR/EdOnMwNd4OwsFf0EneC8As+fQp0VGJsI5pJROq +FHdwh4bvAnA/hb9xrmev1BemjNGiRfuyDxkFB737x0HqWE4hLT7r+/+K56nXjaOh +RW/J8Q6yestFmhOaYkikO/JRuDZycsjnig+tCpsqCMbPH8NDZnQ9iqsM7GsJnbJ0 +xN5564H6pybxWRAbzUwuqD9GjZEUMnQEl09Bj3RrvdO6k0Is/3DLz/j18Lq9SMVE +Pn65JyYOtOx4nYq/l0qwGmyxVH6B2iFK5A== +-----END CERTIFICATE REQUEST----- 
diff --git a/certs/test-serial0/ee_normal.pem b/certs/test-serial0/ee_normal.pem new file mode 100644 index 0000000000..1250886e78 --- /dev/null +++ b/certs/test-serial0/ee_normal.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBZDANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjYwMTIwMjIyMDU0WhcNMjcwMTIwMjIyMDU0WjBAMRowGAYDVQQD +DBFFbmQgRW50aXR5IE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBK+yWIk+xj +chJ5buGP2KvLWw/W4vLpFcF2zF+K2POBeNY1PjCrTiwL5YIHRx7Z5Cq1jlYQpatj +ZdybnrkiAcZNr+UYxBWjIEAvHskVR92Cikin7dyY12yHduvHIGJ3q+RZnYqqDrrG +t6k/zUMGNgmNlVmQ8BxU9VpHL05RythtrcLf0CDx2RrOAQCtONYvOmfQT5HxOY2c +Fod820LWwJCUG9eBx+WZyAlfliJ7PJLKvF7JnY0ucj/9PyAt8MRPTDFoOXeCFrGx +iayb9LeTY77/UsEhFUGjmb9K2ooTR13vgnKXoiMuEDYAAg8oN5p3dqAQLBP3bPwg +G4Q/5z5F4VsCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRnG/d+aW8BFCmq6uwx +C6dWjzttgjAfBgNVHSMEGDAWgBRt0+yEMO1FSR8j934e0GuPtvjJETANBgkqhkiG +9w0BAQsFAAOCAQEAcL96MOQD8SbVbhqBc7pJWrzUCfdHUX5TVfvwmSgU2+36cSkl +3X5ScMQT9FJbdMe/O3a3jpVVjNM1Tr4n1vL/32o5/3YVlzUZBKtOs+wQU4p+juin +ye9ot4IZTbv12Fqwp4UC1Z7QU9SwtwEVE6drWYEmc7dRN1DchEaI6fmGMCqIaD4+ +6rw4yUEeRn6tVVnzhRHK+F0iCSKUK4cpvDgJqbtzJDMHx777L1dZV/7Q3SLhdJoV +Iz+KB/HTUaaV47cUbJyxpGw4RmtsFW0Lt/B6Tgfp6X6laUCTLKIXxQVKEzxI2GMc +vBT21qGYbcWCAPdF0BBTo5zsI/zWtgyuTEWmMQ== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_normal_key.pem b/certs/test-serial0/ee_normal_key.pem new file mode 100644 index 0000000000..d5b9f76733 --- /dev/null +++ b/certs/test-serial0/ee_normal_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQSvsliJPsY3IS +eW7hj9iry1sP1uLy6RXBdsxfitjzgXjWNT4wq04sC+WCB0ce2eQqtY5WEKWrY2Xc +m565IgHGTa/lGMQVoyBALx7JFUfdgopIp+3cmNdsh3brxyBid6vkWZ2Kqg66xrep +P81DBjYJjZVZkPAcVPVaRy9OUcrYba3C39Ag8dkazgEArTjWLzpn0E+R8TmNnBaH +fNtC1sCQlBvXgcflmcgJX5YiezySyrxeyZ2NLnI//T8gLfDET0wxaDl3ghaxsYms +m/S3k2O+/1LBIRVBo5m/StqKE0dd74Jyl6IjLhA2AAIPKDead3agECwT92z8IBuE +P+c+ReFbAgMBAAECggEAMTQ9PsEUPIfDZzTTaipaYz7PHJ9FDl/cWU7QeZNpq6A+ +pM+ACOw2s7X9uekxNkr/mM05ugAFusZoxiPm61HqvGcWsZZXn8rgr/jRm2vRBbU0 +KHSu/mkGnqcjgxAPiOM/MlqvGhYRE7MkqLEfMoGRm1EcYkOYTQEO0ow1UxmEQvq8 +NLiuPiX783SLGfcvaSXZ0Sjt7040J6YZmwPRQexf7FvR5wUqI/5xx6OqyXs4D/Ua +/UsJZNbaXmnUL4KR7D7mQXQnj3GZF1SC4xYwZxe+3XQI+YADjvyN2huv7JgWFszE +oBkaAGhlXFnilxPJ7MUOCAZgJuj0Q23MN2vCaB8CAQKBgQD+AHcCqbRUEP48cwVd +SA7nHf9u8b0Zf0KArh94SlFJPI9FvfqEIWguJqY0TgoOg8RSdnJTPxaKgix1MX8k +zrRYhmlX5vK0ZQrKoSIRoD0jeDXWbqywICamqurPeJW9DznhmAWlh4+99YcP0OAs +nzALph1fGzvHZG7UkSdBwGPnWwKBgQDR7nZ6dWSPKMZskNvhqv5aXZJ8bly6zRZB +X6uc/9pSjG9sFSlrx9JspoBcA9mvlMoGjbL+vPqTUC31X+7GbEUD0VGoz91zAHgL +nuzYNtO3uFUMrfsafwV2yxiIia5gO9xn+xvtYu9ooyeIbDH76Hx+NurvWE78n2wH +4u7QRaEOAQKBgQDEKC/AiraMxaLRpDJcW63GptABKgdTjYgaQF5lU197I52xyomR +SQtfuNFaS3pQw0n2NSsNRwdtaCJVTyhVkJyOUR9Bl0WQMwgmfFIHMqyEm+1X8JjE +W8/9nrlACGv7WarlobWapBpKJTds6250h2tfU6YTMMD1t4Yv+vlKOf3tSQKBgAax +DDPBFDCAAzsorumVkr/8pZOzzN7jdKcmzoiVmzbwZQjT79sQpoNyFztXoBO5sWre +D2uRSIdzkdN1eF34y4ZgoLK51Xw58pmkOjZ2IO+FP6jEzvE8RUdRF/oaMWW94rup +xG0frzPtp2/wyvMVqQo44+o3LWVeC4qA0E3xOj4BAoGAXg5lRpHvQ7pnBc3091bt +fDmZwFcqFnIH/9GATHzj2E0nBaTEkCFHNhPoW8gdpZBGUbe7Tgy1HGZUY9Few6Wt +n0CvP8dcaN2WTrUh7oWe5cL27ySOoGO46pUqgUSAwTKTReK7LsUq0s5wpsYcCrLp +bqDVpmojm7S1Ie/5Eep12r8= +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/ee_serial0.csr b/certs/test-serial0/ee_serial0.csr new file mode 100644 index 0000000000..859dc466c4 --- /dev/null +++ b/certs/test-serial0/ee_serial0.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIChzCCAW8CAQAwQjEcMBoGA1UEAwwTRW5kIEVudGl0eSBTZXJpYWwgMDEVMBMG +A1UECgwMd29sZlNTTCBUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALEtqgqXbOUdAsBBRE3FvtL9gUQOBn+JMBvrXTgHMhV5 +Bx6AEQF7x4av90MUllAnPKthbJrJlFEHenlKfmQ/mGygdlwenf4WZtKx0tbRwkGX +o6ZQwsFlDuHAIykn99B+tnm+8C3LcTirTDEBNcyauqhgJigIH5W5X+4LqqK5GAlB +Pj/YgUpNxCdLIZUm7m+Zms3U2kKCmZEDCQDGItA8Zfc8a4Fut4W6ZqtzGhJ8+8KK +I/+QpGhdYzAptMJ4oKYShTE3WgQxMAdwnSYTqu5V4h1fCq2fdAMZL3Sa8yE7vimZ +t4eGNWM/WdrEuX/3GBd/A6B9L0m0fSOC6YzLpPKiBfkCAwEAAaAAMA0GCSqGSIb3 +DQEBCwUAA4IBAQBG+FbMGBe6uz/kTHNvxlQUxH5HoLUnrbeP/fRM8zrh6EsCPrcX +o6hBt03rAvw0EbNOB4QYNt5qEZpz7N3164yfnN6rQjAdwcvg3Anoy3tImIMaNl0k +BE4ju5TlUSIc+qqHaqTKxZzM2XoomgztyZX1c4DeSspRBLK7/neaK02ZQKcHRQ7P +dyrVp2/LpZXrD3oa0kPExJKcb88MerBDQLUE7hM4dgHq73C69zoHT+PxGF9DvbC6 +OfP41FBFEEG2/q9BC9/PQWaBLzBVmQCyBNiGskPppHYql0Kb6urc9bNS2hsFVaOW +v2Mw+6Yfh/Csm78QurQAe5J4llMu/Jc0lPYQ +-----END CERTIFICATE REQUEST----- diff --git a/certs/test-serial0/ee_serial0.pem b/certs/test-serial0/ee_serial0.pem new file mode 100644 index 0000000000..9a3924251a --- /dev/null +++ b/certs/test-serial0/ee_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI2MDEyMDIyMjA1NFoXDTI3MDEyMDIyMjA1NFowQjEcMBoGA1UEAwwT +RW5kIEVudGl0eSBTZXJpYWwgMDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALEtqgqXbOUd +AsBBRE3FvtL9gUQOBn+JMBvrXTgHMhV5Bx6AEQF7x4av90MUllAnPKthbJrJlFEH +enlKfmQ/mGygdlwenf4WZtKx0tbRwkGXo6ZQwsFlDuHAIykn99B+tnm+8C3LcTir +TDEBNcyauqhgJigIH5W5X+4LqqK5GAlBPj/YgUpNxCdLIZUm7m+Zms3U2kKCmZED +CQDGItA8Zfc8a4Fut4W6ZqtzGhJ8+8KKI/+QpGhdYzAptMJ4oKYShTE3WgQxMAdw +nSYTqu5V4h1fCq2fdAMZL3Sa8yE7vimZt4eGNWM/WdrEuX/3GBd/A6B9L0m0fSOC +6YzLpPKiBfkCAwEAAaN5MHcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTyadZTmltoi4cKgwkj +nBnlwHOAEjAfBgNVHSMEGDAWgBSJPs7EkDRfdCKEKo9bs+7f7fbDVjANBgkqhkiG +9w0BAQsFAAOCAQEApkyEGnc9kvcZ6j9WcCqd83dwfKglWItlQxoEOwG0ion0nML2 +YZ1YOaKY96jZCAmWnlHPyZX9jURvPqizq/0M158pAAkoNo0IGLyLn2Pgl0JZsMwc +oVVKrYhIttLHC1nwlmBeNA7XcfWeS7Dhdicwbao6Vfib1wid4KARbj8XC4bfsfil +zEGTMyDYW14cA7bywv3QQk48ZJtVosKrzddyiAEwSlt/sduwO1BfIEjy6lmZv71M +RDVAve4fO3rAu3S5o42bHIEZAzMyABq1oMHIEYvTXIDVT5c2MKCx5vqMNxuYLJUF +w0cYT3ASVYvLUQA6gMW6Fo1F46yReSN5SgdMtg== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/ee_serial0_key.pem b/certs/test-serial0/ee_serial0_key.pem new file mode 100644 index 0000000000..20bd9d2880 --- /dev/null +++ b/certs/test-serial0/ee_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxLaoKl2zlHQLA +QURNxb7S/YFEDgZ/iTAb6104BzIVeQcegBEBe8eGr/dDFJZQJzyrYWyayZRRB3p5 +Sn5kP5hsoHZcHp3+FmbSsdLW0cJBl6OmUMLBZQ7hwCMpJ/fQfrZ5vvAty3E4q0wx +ATXMmrqoYCYoCB+VuV/uC6qiuRgJQT4/2IFKTcQnSyGVJu5vmZrN1NpCgpmRAwkA +xiLQPGX3PGuBbreFumarcxoSfPvCiiP/kKRoXWMwKbTCeKCmEoUxN1oEMTAHcJ0m +E6ruVeIdXwqtn3QDGS90mvMhO74pmbeHhjVjP1naxLl/9xgXfwOgfS9JtH0jgumM +y6TyogX5AgMBAAECggEAAnzpE4zRwfCAQkyJdvvBEUYBtCjr5sJ0/gnxkK1Tnk3S +ZC5EzJPxy2aKMlWtDAax4UZFCPsuDGYFUvrMpjswBjF3kJV6sV1TM1arAhhUsfZ9 +IaxmQJBa/MRKMhsgjZcaxglXnYQmcTuKHnFB49YadG3JEIWXZPMjD0PTkRd/Gr9t +V2NCnFcDVB/LhPrK03ZFm0iZdkKyjvNRF6HqL65m+S52vpOYLeGEGWckR0g/hfCF +MkpoSOtrj2CBzdKHHC35F5Rpplz0lxH0nNedsExOk6TEnrxNZJVtU22W6nxe4s7o +H9kTmVl/qwjkWMPNgKDy/SFhW9AM3FJ1WL0AgC3KIQKBgQDmsSTooLWK44PDh16e +kYvT0kYOaVke1eJIkDdx6+CYFP6QsOdB4/Fs7mWpWzGTWzOoHj6hZQZ3ZNLwoSrK +zUfnFu/epu8x9LRJ/3mGJDwvUbFYqUShjaCqGz7cikRTe3DdCXDNyIefLfDouVLS +Nu7GDq63ZivIAIgJ7pWl2RXImQKBgQDEnZ7Y9/ywbTpcGszNUL2ycQbJlRKo0CKs +E74gWdH+HV9Pw1hzUaokkOOVWP05Tys1f6Pxzdjd1Rsx+qdu2kiP/X8HdyOTGJHX +cmHdANLVB8xwvPVqJfYf2AE4sMR0v9T9tfTumMcsVklsmPVv4vOMP1uNozDGPY/N +RJwNRDekYQKBgQCXvcWtTqibZvPw1UYjv1DeT93M9PauFbn2SQZvZNwirQyVWAeF +i83t/RHZyCZf6wmbd+lyd+U8+5DUvu5K36SAGNJG/j8v+OnuEqF43rTH21BwJUcD +jQk1Wx6KKlivIO8oNWGBunma9rkUG3Ki24dLt7Ss5gO+Vrsk7U55/MUbYQKBgQC+ +RUL5+VLicXHuvEjB0IcjbloBLnB2SaWkHR77M7ESV95q1EJ+puMeq9ByMUIs+b54 +8WL4mBps4tSEk2sAzeE25zzNPrCAo2BPvPOT6j4dxoRD/bkJ1l7PBjx4XihgS1yV +gkbbt6HX+FDp9URf2KOUb6Pr96c10VGede0GsaOfQQKBgFY34rstr7y6TV+7z3GI +OZOiZPwK0CV79Nz5YnzbyfLF4/OUVq4nmtQyJWyxGSKv8WRVwXsfxJS1aHg2X/ji +DxbgXYcspSAqzVB8B0VuOhQniU/vcV7jz8eV0i/UArIEil5IJhgbCV54rrmP1S0a +MXoHymWsugQICuHqmyCDyzhn +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/generate_certs.sh b/certs/test-serial0/generate_certs.sh new file mode 100755 index 0000000000..605096bddf --- /dev/null +++ b/certs/test-serial0/generate_certs.sh 
@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Generate test certificates for serial number 0 testing (issue #8615)
+# This script creates certificates in the certs/test-serial0/ directory
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "==================================================="
+echo "Generating serial 0 test certificates in: $SCRIPT_DIR"
+echo "==================================================="
+
+# 1. Create Root CA with serial number 0
+echo ""
+echo "[1/5] Creating Root CA with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout root_serial0_key.pem -out root_serial0.pem \
+ -days 3650 -nodes -subj "/CN=Test Root CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root_serial0.pem -noout -serial
+
+# 2. Create normal Root CA (serial != 0)
+echo ""
+echo "[2/5] Creating normal Root CA with serial number 1..."
+openssl req -x509 -newkey rsa:2048 -keyout root_key.pem -out root.pem \
+ -days 3650 -nodes -subj "/CN=Test Root CA Normal/O=wolfSSL Test/C=US" \
+ -set_serial 1 \
+ -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign"
+
+echo " Root CA serial number:"
+openssl x509 -in root.pem -noout -serial
+
+# 3. Create end-entity cert with serial 0 signed by normal root
+echo ""
+echo "[3/5] Creating end-entity certificate with serial number 0..."
+openssl req -newkey rsa:2048 -keyout ee_serial0_key.pem -out ee_serial0.csr -nodes \
+ -subj "/CN=End Entity Serial 0/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_serial0.csr -CA root.pem -CAkey root_key.pem \
+ -out ee_serial0.pem -days 365 -set_serial 0 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " End-entity cert serial number:"
+openssl x509 -in ee_serial0.pem -noout -serial
+
+# 4. Create normal end-entity cert signed by root CA with serial 0
+echo ""
+echo "[4/5] Creating normal end-entity certificate (signed by serial 0 root)..."
+openssl req -newkey rsa:2048 -keyout ee_normal_key.pem -out ee_normal.csr -nodes \
+ -subj "/CN=End Entity Normal/O=wolfSSL Test/C=US"
+
+openssl x509 -req -in ee_normal.csr -CA root_serial0.pem -CAkey root_serial0_key.pem \
+ -out ee_normal.pem -days 365 -set_serial 100 \
+ -extfile <(echo "basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth,clientAuth")
+
+echo " Normal end-entity cert serial number:"
+openssl x509 -in ee_normal.pem -noout -serial
+
+# 5. Create self-signed non-CA certificate with serial 0
+echo ""
+echo "[5/5] Creating self-signed non-CA certificate with serial number 0..."
+openssl req -x509 -newkey rsa:2048 -keyout selfsigned_nonca_serial0_key.pem \
+ -out selfsigned_nonca_serial0.pem -days 365 -nodes \
+ -subj "/CN=Self-Signed Non-CA Serial 0/O=wolfSSL Test/C=US" \
+ -set_serial 0 \
+ -addext "basicConstraints=CA:FALSE" \
+ -addext "keyUsage=digitalSignature,keyEncipherment"
+
+echo " Self-signed non-CA cert serial number:"
+openssl x509 -in selfsigned_nonca_serial0.pem -noout -serial
+
+echo ""
+echo "==================================================="
+echo "Certificate generation complete!"
+echo "==================================================="
+echo ""
+echo "Generated certificates in: $SCRIPT_DIR"
+echo " - root_serial0.pem (Root CA with serial 0)"
+echo " - root.pem (Normal root CA)"
+echo " - ee_serial0.pem (End-entity with serial 0)"
+echo " - ee_normal.pem (Normal end-entity)"
+echo " - selfsigned_nonca_serial0.pem (Self-signed non-CA with serial 0)"
+echo ""
+
diff --git a/certs/test-serial0/include.am b/certs/test-serial0/include.am
new file mode 100644
index 0000000000..dd8056cc52
--- /dev/null
+++ b/certs/test-serial0/include.am
@@ -0,0 +1,20 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+dist_doc_DATA+= certs/test-serial0/README.md
+
+EXTRA_DIST+= certs/test-serial0/generate_certs.sh \
+ certs/test-serial0/root_serial0.pem \
+ certs/test-serial0/root_serial0_key.pem \
+ certs/test-serial0/root.pem \
+ certs/test-serial0/root_key.pem \
+ certs/test-serial0/ee_serial0.pem \
+ certs/test-serial0/ee_serial0.csr \
+ certs/test-serial0/ee_serial0_key.pem \
+ certs/test-serial0/ee_normal.pem \
+ certs/test-serial0/ee_normal.csr \
+ certs/test-serial0/ee_normal_key.pem \
+ certs/test-serial0/selfsigned_nonca_serial0.pem \
+ certs/test-serial0/selfsigned_nonca_serial0_key.pem
+
diff --git a/certs/test-serial0/root.pem b/certs/test-serial0/root.pem
new file mode 100644
index 0000000000..b0301039c0
--- /dev/null
+++ b/certs/test-serial0/root.pem
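Review bot: The three non-root certificates are issued with `-days 365` (both `openssl x509 -req` calls and the `[5/5]` `openssl req -x509` call), while the two roots get `-days 3650`, so ee_normal.pem — which test_SerialNumber0_RootCA expects to verify successfully — expires a year after regeneration and Test 4 will start failing on its own; worse, an expired ee_serial0.pem or selfsigned_nonca_serial0.pem still satisfies a "not WOLFSSL_SUCCESS" expectation for the wrong reason and would hide a regression in the serial-0 check. Give all five certificates the same long validity, e.g. `-out ee_serial0.pem -days 3650 -set_serial 0 \` and the same for ee_normal.pem and selfsigned_nonca_serial0.pem. A header comment such as `# Fixtures are date-bound: regenerate before the expiry printed by "openssl x509 -noout -enddate"` would make the maintenance obligation visible.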
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRwwGgYDVQQDDBNUZXN0 +IFJvb3QgQ0EgTm9ybWFsMRUwEwYDVQQKDAx3b2xmU1NMIFRlc3QxCzAJBgNVBAYT +AlVTMB4XDTI2MDEyMDIyMjA1NFoXDTM2MDExODIyMjA1NFowQjEcMBoGA1UEAwwT +VGVzdCBSb290IENBIE5vcm1hbDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsKPjfQf+g/ +/3mo5V0NFhHpIuSN3FKHzA/U22iZ/2w2YE5i/B5Yu161M9hrhObGuhqfo1KiP6+O ++vyR/aVZ5Opigjs1/oajQF98HvoTUBFZaG+jCiicGpIV5+RSok4UB25F4y+wygRP +RCKB9tqojUnKWbzwAS91iOT4or6iogScUEI2m/AiYl+OwXq0xAp9remgZgk43Wb0 +2X6N1aOFSpuqGSp0aG8XjUqj2mGZGfxQXuEUGk6Vtcohng9Ocof7KQwr3oyLWcOl +XDXFsAVcHfinQ9ik01zXtqZy5jikdynWF+tPXu98SIb169x0HV42wt0dJkATxTf9 +81m/Aw1nbH8CAwEAAaNjMGEwHQYDVR0OBBYEFIk+zsSQNF90IoQqj1uz7t/t9sNW +MB8GA1UdIwQYMBaAFIk+zsSQNF90IoQqj1uz7t/t9sNWMA8GA1UdEwEB/wQFMAMB +Af8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAqCSPxGXj7Bgs/ +qxjRk1ouwOd3m6F+bop8bgsc2smlGw9ZBNff13ElkWX8TtkvynSa1bVYcWIiinYj +QWpQFeyd271MQYTNq8OzvKw4o2i/0vaom1csDCJeY72/Vk7RGAUPfVfuZhXgA4xq +6VLRgCGdI8LW7x2/lCx1WzDTo87PvnUbxJ2DaMfAINzxSz2rvew0qGYM4zXndMLt +8YQUhqJ5CgZznX3Oq0YCI5fWrHWky+IZSoxa4WBf/0wQ2HLXv1go60TQBkiyQFC5 +FEoXl6Ffh7RrfHbzMLs+hjqEzVqR3btc6yN7gsCALfvaCe+aqmCdv0511W0yJuXX +aLSFNxev +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_key.pem b/certs/test-serial0/root_key.pem new file mode 100644 index 0000000000..beef996168 --- /dev/null +++ b/certs/test-serial0/root_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCrCj430H/oP/95 +qOVdDRYR6SLkjdxSh8wP1Ntomf9sNmBOYvweWLtetTPYa4Tmxroan6NSoj+vjvr8 +kf2lWeTqYoI7Nf6Go0BffB76E1ARWWhvowoonBqSFefkUqJOFAduReMvsMoET0Qi +gfbaqI1Jylm88AEvdYjk+KK+oqIEnFBCNpvwImJfjsF6tMQKfa3poGYJON1m9Nl+ +jdWjhUqbqhkqdGhvF41Ko9phmRn8UF7hFBpOlbXKIZ4PTnKH+ykMK96Mi1nDpVw1 +xbAFXB34p0PYpNNc17amcuY4pHcp1hfrT17vfEiG9evcdB1eNsLdHSZAE8U3/fNZ +vwMNZ2x/AgMBAAECggEAN/1m56N/s3n7ugoxZxgJEPzl+LZ9mKCuisItvtymkfhs +50wc5xw53eNoYOC1hUwpkNyQPNUzDte5zqNFynKWbqmnoxVmSBG52WgKxec7jypa +9yyCf0+2nPrByerJCdEhq5YCLFLtlqKSFc/AjMyfT7gHT0Orx6rskLPZppkbe3Fc +QHOaCS8ptRWidbLapoVf37gAcdhzG7IyDY8lPlkew0A0oKo2Gw8cfBWeFxI3sILN +TBNkfF2B+VA6O74Kxo+br+/Z/mUesNSPyvNBho9GDXV+eKrnCHwroTN8eMQnR0zz +gG7kgmtiBuM4jGio5O4YAea5frpS/RpFsPoKtXZI1QKBgQDpN1QV9KYm73p9Fsx+ +o3lR2QR55e50GZhBNKxhNEFAfK/Heu9W2HCENENvk5YPbKhaEo88oggTaQ2S9Etx +h4ldGZVcZh1i0Itxudri1smeHDk200Dls6xYXOa58QVA3jvHLWX7TUuXVJEpb3hP +n9kJJaKbfz0JHfZyQXFRQmOxLQKBgQC7v+gt/hif4pH16pItiEkLxiZk+6UvQOBa +jSGpWcO4ERajFKh1RxgRetNaCXONaEpId5GJrRQQo+lSzdPDBYkFWAETMK82S58g +SfEuCuPBIW/GpshjWWiCshz4Iu7ebcaKaI1AOaqP9fgO/COEsi1KgNLhs7uY11b/ +OjtJNUUn2wKBgQCt3s4VwFvPU2NitwimsYHVf5JSvxXUAPD+TCLoJWkwhsUWV5Tw +jlT0e3J7UPDjdwLchFG9xp92uS+hi/hjH8VNX7F3PbpS3V/Y3dNOowuVkT0mnsEX +f6jSCBEMN6DPB+BRUothm/LrU+UVm0F7O5U3uJNOksISdgAylo/BIVnp0QKBgGHa +Qnt+HH1wS9yctjUu+8s8KhSlp1E6gfQP7IRkOYK8vUyf3rDJLf0mQ/OAS45e1aBx +WRQldfi6RUgX6I+TWffEB0NmM1ucDEJ650209UFaWPRzRqupFLRRepHFOzQIiNro +ZP4dUA0aCIBe33AwoTRccgyabWLakQgS5IViUznTAoGBAKp+mVnVe3Bjcake7BxY +PZ84h+mPH/yluBrw8cZ9btwvLPOh4dY1OmzYp5AOyD5Ny5OgwbhEFd94ICc1l4aM +jISMlENBFUQNGdCTIw6at7dDoDfNLBdj5ILk84sp7SsNzsJj2wjMUf1IWNGdk31U +/vS6RGDW8wnle1OiFKlJgFEf +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/root_serial0.pem b/certs/test-serial0/root_serial0.pem new file mode 100644 index 0000000000..8d628e0194 --- /dev/null +++ b/certs/test-serial0/root_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBADANBgkqhkiG9w0BAQsFADBEMR4wHAYDVQQDDBVUZXN0 +IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDELMAkGA1UE +BhMCVVMwHhcNMjYwMTIwMjIyMDU0WhcNMzYwMTE4MjIyMDU0WjBEMR4wHAYDVQQD +DBVUZXN0IFJvb3QgQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Nc+B +5JeYF9oGKWArnr6uxFavqB5ByRZn4Bs6RXAldeekhlNMMLwUjLMoXV8bMshqMYwg +Wv2YufEhBs0jbUVYtl6pVd9QpFSSBuRDa9hHDgNkHLteuqVGeAfTPOUSvjrhqOqa +st605Bi+IhM3uGxxI4SxqpS8AiywMWXsWD2a4yp68gpKNq7h7eByCcDgImPeyC6i +fmdoiTNSFOChGNaFI7eWuY+n7xjOQUsUbwqP/Ogv2a0lmHK4jzjEHi4yvh2neat1 +9Q9+FnL36Qq0SRiFIBflrWX5liYOdlmhuByuSc5kxSEAVIT3lSbjgolU+kFbH8n+ +k5BsYE8qGX2Gmq3FAgMBAAGjYzBhMB0GA1UdDgQWBBRt0+yEMO1FSR8j934e0GuP +tvjJETAfBgNVHSMEGDAWgBRt0+yEMO1FSR8j934e0GuPtvjJETAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEALgjZlkoY +ZkzpusX9iKJCqiBPTAeDtUFyw2ZqSV8jwWH2Miz7OHg52SFHii5Hkgb9iv3nJ3UD +J7qAb7sHCKhs5fiebz+9e/xQsS1U+wvmuxD3CBlSoGFwP8VmrY3G2BHU/laTZeuq +p4Nv0tNrG8mE/MYjkSFyw/8ZHXaWQV6fO0RMWMUDM1fDJhOewxmt+KaDfx9EHKR0 +hLkT9HjoJv+3DupORmleUU05TRhprWiL5azFxN/iUQ2Me+FQdJZTxv7Uy1MO8C4c ++X6fhA+SB8k0kNbIeaezw9+V5xKrV128yBymG1GUVhN2E95TqBfWGdtvjEtZHner +Uc3vhbTbplj7tg== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/root_serial0_key.pem b/certs/test-serial0/root_serial0_key.pem new file mode 100644 index 0000000000..7ada7dc156 --- /dev/null +++ b/certs/test-serial0/root_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5Nc+B5JeYF9oG +KWArnr6uxFavqB5ByRZn4Bs6RXAldeekhlNMMLwUjLMoXV8bMshqMYwgWv2YufEh +Bs0jbUVYtl6pVd9QpFSSBuRDa9hHDgNkHLteuqVGeAfTPOUSvjrhqOqast605Bi+ +IhM3uGxxI4SxqpS8AiywMWXsWD2a4yp68gpKNq7h7eByCcDgImPeyC6ifmdoiTNS +FOChGNaFI7eWuY+n7xjOQUsUbwqP/Ogv2a0lmHK4jzjEHi4yvh2neat19Q9+FnL3 +6Qq0SRiFIBflrWX5liYOdlmhuByuSc5kxSEAVIT3lSbjgolU+kFbH8n+k5BsYE8q +GX2Gmq3FAgMBAAECggEASOaJWxNjKBabVrmKhSDi5V+az2FZJ4PDMffgP7t9PQF/ +wB6vQtob7erDyiuWd9oxULtX8JRgJXFrHBjVPhCQry55bCXE1LUaJLBZwL/+TVmS +tCErD0pgK7CrQ9ZARHRkMNaQIXwudP0jUBORhOkupgnY/SWrjaU9ecy31aOV/BSo ++AHOZZQnDZX5QmQpxS0i1pP2wxw6n36y/d6g39xpim3toYBq0tQ/MAlndvrCRzDE +6uNhCQAIvCmk/m4vDvsCvVbXQcNytOb2bcIAfcLwDQ0X7XQfS7VnPKmisXaiHeDg +8ZQ0GRO2vBxb7csZra/OBDm7k6zSPvMrYqNoChlAsQKBgQD+ItfvDwDqL0BmGlLi +jCRmXBIuIxoYJ1PjuMWnj7+JdrohJtwRhm4NG5zLfa/2TmPUQ++kx1wbv/wbIlYD +x/tFlQ+MVNDUtjSXD6MXVtPE4N8jV8D/3xWYH6HRiIV0mh6LIKriEnSRQx2/Jj38 +K2qFZOoasc2Bj27THBh4haq4EwKBgQC6kY3qaUWZzxcAZIWky5FNYcZsPfFpdPV0 +eItLqRgbK3mp+R0pd3SPpQ+GIoiu2mXKFxm/haSu+amcqJ4nCAQ01pOtbxPo7It8 +q1Xi2pYEr6zCl2kJfoeC/vpUJSxFCDDU90d7knTkvcOpN2wYDRWr9sSXtNpS3V2s +RHqfKxTtxwKBgQCa3Z7a5ji3fP3weoAh4CbaXacSiH+BUo3zioigWJ/u4/P++dBH +ubTctgPxmXEeVpzNIG0r6/T8UB0QZ/ckrLw5peFosdLknPglSfkn4th/9EzmG7bX +9hkRr80Lg/dXnAea3thjlb2FO/InpuVFAywRh/KFO+6w0jhF26wp3cKwEwKBgFgg +myWoNm1SCi5wTUSrt+YSknTcyaUjzzIGIt5JcI6c+apVdvX4bEHSGUQmGeRmW4Cb +atkyGrlgS0MpzxLm0X3YAggBmSkEW1s3X6l50TVDelqsxLvsXbx+DucibAfrt41R +hR2U78yA6uSKvm+Z9qu1M+XpUtujnzTZYAbBhfBPAoGATd4yRw18IazAtpeyx+CH +RQHC4U92WP/TcgZhT4w2QMriWjvV6XYfzsyj7Dc6S51oUK9U1h8MVF+x898TrXVL +RNGOOmlVyoDe2+VRkaDpG89cQMes9Ud8ve95jveZXPRjigYa60QAmAHSK9b2MvEL +ejljSLrOS4e7NeZGP4cWsGk= +-----END PRIVATE KEY----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0.pem b/certs/test-serial0/selfsigned_nonca_serial0.pem new file mode 100644 index 0000000000..37a1105409 --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQsFADBKMSQwIgYDVQQDDBtTZWxm +LVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdvbGZTU0wgVGVzdDEL +MAkGA1UEBhMCVVMwHhcNMjYwMTIwMjIyMDU0WhcNMjcwMTIwMjIyMDU0WjBKMSQw +IgYDVQQDDBtTZWxmLVNpZ25lZCBOb24tQ0EgU2VyaWFsIDAxFTATBgNVBAoMDHdv +bGZTU0wgVGVzdDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCv5HESEppap1/bx7gRlY4hYsVAOxoZIY1PuOnZ1zj75e3+mEA++7qH +Bs3Q0R+T6UYAnFGF6LjdXDTZLfW4iUmFO7Cqev/y8lqN6t63uV1Vp7iwVK1AwVTQ +UK8MyBLb/1RMFmPRfd4T7k/5bK0oi+VZKEzP/+8L3LqX+Pod5BdO8BBqnOGC8L6c +GUUH63EaP05sxeKoMLWocYEiB/2NrD6WpUcrExEP29xhG4JsiaiUsLM99roObjnl +02yIW3+tjSIMKUmhS5QW6rw5PsqVugSOoTID5NEeblTycoM9+Zg1ihpqx/afHJif +bSiDeB/CGPG9cvakvKp/ySgJav1k6H5DAgMBAAGjWjBYMB0GA1UdDgQWBBQZ4KVT +Vu3NgAtBD6v4uExNfuea4TAfBgNVHSMEGDAWgBQZ4KVTVu3NgAtBD6v4uExNfuea +4TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAQEATXA4 +9doVSY1rMti8dHdLhzcfCS6fXTF9mVrHtSE9jhpwBzassylkF4ueUtMDYJ2Qp4/A +xDf6fsclIDdmNP42o2UjJh/XCQ6VGNkIuGvRmz2sM4kX/ckRGPcdEfC3vHyEMLSr +70BVC4UrE4QrMbjwNewVLkaApRvZxjM57jaq6r8VmUXO176NH3CF6ICnWGfWUeJk +DCZ42tF4oNPgCePRRWtMVi1uQZi9ntxhbYg55sRaPdFe/E2aMNUS8I/XSXtEbHfK +yPY4knqZQe66LaK4+/TX/LseVJX3TIt2wJCHkR2A4ddOSR9iKQGIZJaJmmlFS5NO +Ax8Qipttc1Rrqj2pVA== +-----END CERTIFICATE----- diff --git a/certs/test-serial0/selfsigned_nonca_serial0_key.pem b/certs/test-serial0/selfsigned_nonca_serial0_key.pem new file mode 100644 index 0000000000..ccbda2b073 --- /dev/null +++ b/certs/test-serial0/selfsigned_nonca_serial0_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCv5HESEppap1/b +x7gRlY4hYsVAOxoZIY1PuOnZ1zj75e3+mEA++7qHBs3Q0R+T6UYAnFGF6LjdXDTZ +LfW4iUmFO7Cqev/y8lqN6t63uV1Vp7iwVK1AwVTQUK8MyBLb/1RMFmPRfd4T7k/5 +bK0oi+VZKEzP/+8L3LqX+Pod5BdO8BBqnOGC8L6cGUUH63EaP05sxeKoMLWocYEi +B/2NrD6WpUcrExEP29xhG4JsiaiUsLM99roObjnl02yIW3+tjSIMKUmhS5QW6rw5 +PsqVugSOoTID5NEeblTycoM9+Zg1ihpqx/afHJifbSiDeB/CGPG9cvakvKp/ySgJ +av1k6H5DAgMBAAECggEABinanngBaajQzppGhHM5qkjUQaZwiS3oTkFcDHKiwAz0 +FIZQRgS7Kg0efDE/yoaTmeTgZHFdvQAEqBGYuTEyXtVTIP4zZteAPdXbnROFRkGc +0qz87zZ3Gt+g6rE+G/BsC0iDke03sXoZ2lMpFDEmxcOIQYel4EQJU9b5KL/74xuu +b7JZoNpd/0LboSTHkZKslW4MbpG/V+LCaJZ6VJ22D8KBZ+rRoRJ9SAbkrcSYnbrM +lBD9+FwFhrnokXR7Z7k/T2ZAybW8K0jaNcP/c0z0JcaSZwnizGuCJxPAbbBblKSG +OSS4Lh2hLmCWAzJZcnGYhDSnGtuf4Ob6SntxNDaVXQKBgQDx6ZVynosKQmefhPlf +Je72OqBIs4CyzHg2JRNq4pe9b/dHoSwHKYSgnqjPN1ByGG9RnrRle3VRxAJvEn7+ +uwsMLkHqEKBIKK6+Kd+PQ8fhNMc2zawohq66ItYipn+gSRaFsa6+KlRuiDfwV57O +qQGiy9+lg1m07ZYymHSyU4H4dwKBgQC6IqJmyaTfB9Ubgax8mHzqqT35TwRoHlhY +8Huh/EjEGC47BMcKW5khgXBylzv09UUU1N7HsAMejzxAP5+njNOuPEJtOYy14mps +BBcHOn3D2RMXg41XWZFHeYIDWbAdYPxf3ZzV0fCKZ0WskwiQ1BV5NuS2yyLHlchB +saWQuM1nlQKBgAIfWYdS6sdhQ8V7hjCWhZ01cHiS0ps+/gMDmkMCz/ACjnnbaSZ6 +78X0/mgrBRKrMjbWHKETTzkzbg4JbIHRpEwsD7n9AVsAuF/EwEhigNtx+hl5/nuw +itHpQlW1fkMqwP7VS0Ix3uHFYjBCpIsNoo0KGuE54MyclQfGnKd/4hELAoGADmTX +QjOduFGWvUXN3OS95DeqPzlJEfQmyNnv9ZrY1bE5Af9glQB4WwrzcykWzd6ZtP6x +K6gE1bwl4KIK6p4NUJAAYwnsQ7R6nlfCoCB50UdcHplhuLuIbIqM701kPSFe4tr0 +YeSWQV2zGaFVLD36WyFPloMm8WA32DywnPxthfECgYBUSCnDUrhqdg6ouOOMq5uN +XYRKQyAUTDYfsPwIlw6FcQ8BqDkiYCjnz//w399yY4BcvRc+ahVehkKu+abGMgHe +ec9jDxP0BYqDvi/i0VugjkSJDm8VE3r39Un0HKgNPN3konOgbeyaosGejcvoXiUT +eLDQp3iFLtwr7UKw3/QEBQ== +-----END PRIVATE KEY----- diff --git a/tests/api.c b/tests/api.c index 95b5f37713..a9d486fd0c 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -19897,12 +19897,14 @@ static int test_MakeCertWith0Ser(void) CTC_NAME_SIZE); cert.selfSigned = 1; - cert.isCA = 1; + /* Changed from isCA=1 to isCA=0 to test non-root certificate. + * Serial 0 is now allowed for root CAs (selfSigned && isCA), + * but should still be rejected for non-CA certificates. */ + cert.isCA = 0; cert.sigType = CTC_SHA256wECDSA; -#ifdef WOLFSSL_CERT_EXT - cert.keyUsage |= KEYUSE_KEY_CERT_SIGN; -#endif + /* Note: KEYUSE_KEY_CERT_SIGN is not set here because it's only valid for + * CA certificates. This test creates a non-CA certificate (isCA=0). */ /* set serial number to 0 */ cert.serialSz = 1; diff --git a/tests/api/test_asn.c b/tests/api/test_asn.c index c3907b394e..ca3731e22d 100644 --- a/tests/api/test_asn.c +++ b/tests/api/test_asn.c 
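Review bot: The comment placed above `cert.isCA = 0;` records change history ("Changed from isCA=1 to isCA=0", "is now allowed") rather than the test's current contract, and will read as stale the moment the commit lands; prefer a present-tense statement such as `/* Self-signed but not a CA: serial 0 must still be rejected, the root-CA exemption requires selfSigned && isCA. */`, and drop the "Note:" prefix on the second comment for the same reason. This hunk also removes the only generation-side case that combined isCA=1 with serial 0; test_SerialNumber0_RootCA in test_asn.c covers the parse path only, so it is worth confirming that a MakeCert counterpart for the accepted root-CA case exists. test_MakeCertWith0Ser begins and ends outside this hunk.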
@@ -787,3 +787,75 @@ int test_wolfssl_local_MatchBaseName(void)
 return EXPECT_RESULT();
 }
+
+int test_SerialNumber0_RootCA(void)
+{
+ EXPECT_DECLS;
+
+#if !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
+ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+ /* Test that root CA certificates with serial number 0 are accepted,
+ * while non-root certificates with serial 0 are rejected (issue #8615) */
+
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ WOLFSSL_CERT_MANAGER* cm = NULL;
+ const char* rootSerial0File = "./certs/test-serial0/root_serial0.pem";
+ const char* rootNormalFile = "./certs/test-serial0/root.pem";
+ const char* eeSerial0File = "./certs/test-serial0/ee_serial0.pem";
+ const char* eeNormalFile = "./certs/test-serial0/ee_normal.pem";
+ const char* selfSignedNonCASerial0File =
+ "./certs/test-serial0/selfsigned_nonca_serial0.pem";
+
+ /* Test 1: Root CA with serial 0 should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 2: Normal root CA (serial != 0) should load successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootNormalFile, NULL),
+ WOLFSSL_SUCCESS);
+
+ /* Test 3: End-entity cert with serial 0 should be rejected during verify */
+ ExpectIntNE(wolfSSL_CertManagerVerify(cm, eeSerial0File,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 4: Normal end-entity cert signed by root CA with serial 0
+ * should verify successfully */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, rootSerial0File, NULL),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeNormalFile,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+
+ /* Test 5: Self-signed non-CA certificate with serial 0 should be rejected */
+ ExpectNotNull(cm = wolfSSL_CertManagerNew());
+ ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
+ WOLFSSL_SUCCESS);
+
+ if (cm != NULL) {
+ wolfSSL_CertManagerFree(cm);
+ cm = NULL;
+ }
+#endif /* !WOLFSSL_NO_ASN_STRICT && !WOLFSSL_PYTHON &&
+ !WOLFSSL_ASN_ALLOW_0_SERIAL */
+#endif /* !NO_CERTS && !NO_FILESYSTEM && !NO_RSA && WOLFSSL_CERT_GEN &&
+ WOLFSSL_CERT_EXT */
+
+ return EXPECT_RESULT();
+}
 
diff --git a/tests/api/test_asn.h b/tests/api/test_asn.h
index e78bb145bb..23e683f38b 100644
--- a/tests/api/test_asn.h
+++ b/tests/api/test_asn.h
@@ -28,11 +28,13 @@ int test_SetAsymKeyDer(void);
 int test_GetSetShortInt(void);
 int test_wc_IndexSequenceOf(void);
 int test_wolfssl_local_MatchBaseName(void);
+int test_SerialNumber0_RootCA(void);
 #define TEST_ASN_DECLS \
 TEST_DECL_GROUP("asn", test_SetAsymKeyDer), \
 TEST_DECL_GROUP("asn", test_GetSetShortInt), \
 TEST_DECL_GROUP("asn", test_wc_IndexSequenceOf), \
- TEST_DECL_GROUP("asn", test_wolfssl_local_MatchBaseName)
+ TEST_DECL_GROUP("asn", test_wolfssl_local_MatchBaseName), \
+ TEST_DECL_GROUP("asn", test_SerialNumber0_RootCA)
 #endif /* WOLFCRYPT_TEST_ASN_H */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 4ea0743ce6..837b988028 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
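Review bot: Tests 3 and 5 assert only that the call does not return WOLFSSL_SUCCESS, so a missing fixture file, an expired certificate or a parse failure unrelated to the serial would make them pass without the new serial-0 check ever running. Pin the code the check produces wherever the API propagates it, e.g. `ExpectIntEQ(wolfSSL_CertManagerVerify(cm, eeSerial0File, WOLFSSL_FILETYPE_PEM), ASN_PARSE_E);`, and do the same for the selfsigned_nonca case, since a non-CA certificate can be refused as a trust anchor for reasons other than its serial and a bare not-success check cannot tell those apart; if LoadCA does not surface the error code, say so in a comment next to that ExpectIntNE. A line in the function comment noting that the certs/test-serial0 fixtures are date-bound and regenerated by generate_certs.sh would help the next person who sees Test 4 fail.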
@@ -23897,18 +23897,7 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 cert->version = version;
 cert->serialSz = (int)serialSz;
- #if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
- !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
- /* RFC 5280 section 4.1.2.2 states that non-conforming CAs may issue
- * a negative or zero serial number and should be handled gracefully.
- * Since it is a non-conforming CA that issues a serial of 0 then we
- * treat it as an error here. */
- if (cert->serialSz == 1 && cert->serial[0] == 0) {
- WOLFSSL_MSG("Error serial number of 0, use WOLFSSL_NO_ASN_STRICT "
- "if wanted");
- ret = ASN_PARSE_E;
- }
- #endif
+ /* Check for serial size of zero */
 if (cert->serialSz == 0) {
 WOLFSSL_MSG("Error serial size is zero. Should be at least one "
 "even with no serial number.");
@@ -24124,6 +24113,24 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 }
 }
 
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
+ * positive serial numbers. However, allow zero for self-signed CA
+ * certificates (root CAs) since they are explicitly trusted and some
+ * legacy root CAs in real-world trust stores have serial number 0. */
+ if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
+ if (!(cert->isCA && cert->selfSigned)
+#ifdef WOLFSSL_CERT_REQ
+ && !cert->isCSR
+#endif
+ ) {
+ WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
+ ret = ASN_PARSE_E;
+ }
+ }
+#endif
+
 if ((ret == 0) && (!done) && (badDate != 0)) {
 /* Parsed whole certificate fine but return any date errors. */
 ret = badDate;
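Review bot: The exemption at `if (!(cert->isCA && cert->selfSigned)` in the second hunk keys on two flags that, as far as this hunk shows, come from the unverified certificate body (the basicConstraints extension and an issuer/subject match), so at this point any certificate that merely claims to be a self-signed CA gets the serial-0 pass; the comment's "since they are explicitly trusted" describes what a caller may later do with it, not what has been established here, and should say so explicitly, e.g. `/* isCA/selfSigned are taken from the unverified body; the relaxation is safe only because such a cert is trusted solely when loaded as a CA, never via chain building. */`. The same fifteen-line block is pasted again into ParseCertRelative in the next hunk, and the two copies already differ in whether they return early; a single static helper under the same `#if` keeps the policy in one place and lets both sites do `if (ret == 0) { ret = CheckZeroSerial(cert); }`. DecodeCertInternal starts and ends outside both hunks.
```c
/* Serial number 0 violates RFC 5280 4.1.2.2. Tolerate it only for a
 * self-signed CA (root) or a CSR: a root is trusted by explicit
 * configuration, not by chain validation. isCA and selfSigned are read
 * from the unverified certificate body. Returns 0 or ASN_PARSE_E. */
static int CheckZeroSerial(const DecodedCert* cert)
{
    if ((cert->serialSz == 1) && (cert->serial[0] == 0)) {
        if (!(cert->isCA && cert->selfSigned)
#ifdef WOLFSSL_CERT_REQ
            && !cert->isCSR
#endif
            ) {
            WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
            return ASN_PARSE_E;
        }
    }
    return 0;
}
/* … unchanged: call site replaces the inline block with
 * if (ret == 0) { ret = CheckZeroSerial(cert); } … */
```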
@@ -25755,6 +25762,27 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
 cert->srcIdx = cert->sigIndex;
 }
 
+#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
+ !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
+ /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
+ * positive serial numbers. However, allow zero for self-signed CA
+ * certificates (root CAs) since they are explicitly trusted and some
+ * legacy root CAs in real-world trust stores have serial number 0. */
+ if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
+ if (!(cert->isCA && cert->selfSigned)
+#ifdef WOLFSSL_CERT_REQ
+ && !cert->isCSR
+#endif
+ ) {
+ WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
+ ret = ASN_PARSE_E;
+ }
+ }
+ if (ret < 0) {
+ return ret;
+ }
+#endif
+
 if ((ret = GetSigAlg(cert,
 #ifdef WOLFSSL_CERT_REQ
 !cert->isCSR ? &confirmOID : &cert->signatureOID,
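Review bot: The `if (ret < 0) { return ret; }` added inside the `#if` block has no comment explaining why this copy returns early while the DecodeCertInternal copy in the previous hunk does not; the reason is visible two lines down — `if ((ret = GetSigAlg(cert,` reassigns ret and would silently overwrite ASN_PARSE_E — and should be written down, e.g. `/* GetSigAlg() below reassigns ret, so a serial error must be returned here rather than carried forward. */`. Because the return leaves ParseCertRelative directly, it is worth confirming that nothing acquired earlier in the function (which starts well before this hunk) needs releasing on this path; the surrounding code is not visible here, so I can only flag it. The conditions are otherwise identical to the previous hunk's block, which argues for the shared helper suggested there.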