We tested certificate chain validation logic of mbedTLS v2.25.0 using the cert_app application and found the following bugs.

1. (#7849) It allows empty DirectoryString (e.g., "") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant)
2. It does not prohibit deprecated IA5String in DirectoryString. (RFC 5280 non-compliant)
3. It allows unnecessary bits in Key Usage Extension. These bits do not represent any standard certificate purpose. (RFC 5280 non-compliant)
4. You should not allow 0 (zero) as certificate serial number. RFC 5280 says,

   > "The serial number MUST be a positive integer assigned by the CA to each certificate... CAs MUST force the serialNumber to be a non-negative integer... Non-conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."

It does not look like issue (1) is fixed properly. Do you reject the certificate when the value of common name (for example) attribute in RDN is an empty string ("")?

mbedtls_x509_string_to_names()
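As an added example (not Mbed TLS's own code), the following Python performs the DER-level checks behind the four findings above on constructed sample elements; a real validator would apply them to the parsed certificate's serialNumber, its KeyUsage extension value and every RDN attribute value of Issuer and Subject.

```python
# Added example (not Mbed TLS code): DER-level checks for the RFC 5280 rules the report cites.
def der_tlv(buf):
    """Split one DER element into (tag, contents); short and long-form lengths."""
    tag, ln, start = buf[0], buf[1], 2
    if ln & 0x80:                       # long form: low 7 bits = count of length octets
        n = ln & 0x7F
        ln, start = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[start:start + ln]

def serial_is_valid(der):
    """RFC 5280 4.1.2.2: serialNumber MUST be a positive INTEGER (not zero, not negative)."""
    tag, val = der_tlv(der)
    if tag != 0x02 or not val or val[0] & 0x80:   # wrong type, empty, or sign bit set
        return False
    return any(val)                     # all-zero contents encode the value 0

KEY_USAGE_DEFINED_BITS = 9              # digitalSignature(0) .. decipherOnly(8)
def key_usage_is_valid(der):
    """RFC 5280 4.2.1.3: no KeyUsage bit beyond decipherOnly(8) may be set."""
    tag, val = der_tlv(der)
    if tag != 0x03 or not val:
        return False
    unused, bits = val[0], val[1:]      # first octet = number of unused trailing bits
    for i in range(KEY_USAGE_DEFINED_BITS, len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            return False                # an undefined bit is set
    return True

DIRECTORY_STRING_TAGS = {0x0C, 0x13, 0x14, 0x1C, 0x1E}  # UTF8, Printable, Teletex, Universal, BMP
def directory_string_is_valid(der):
    """RFC 5280 4.1.2.4: DirectoryString must be non-empty; IA5String (0x16) is not a choice."""
    tag, val = der_tlv(der)
    return tag in DIRECTORY_STRING_TAGS and len(val) > 0

# Constructed sample elements: (description, check, DER bytes, expected verdict)
SAMPLES = [
    ("serial 5", serial_is_valid, b"\x02\x01\x05", True),
    ("serial 0", serial_is_valid, b"\x02\x01\x00", False),
    ("serial -1", serial_is_valid, b"\x02\x01\xff", False),
    ("keyUsage digitalSignature|keyEncipherment", key_usage_is_valid, b"\x03\x02\x05\xa0", True),
    ("keyUsage with undefined bit 9 set", key_usage_is_valid, b"\x03\x03\x06\x80\x40", False),
    ("empty UTF8String in CN", directory_string_is_valid, b"\x0c\x00", False),
    ("IA5String in CN", directory_string_is_valid, b"\x16\x03abc", False),
    ("PrintableString C=US", directory_string_is_valid, b"\x13\x02US", True),
]

def run_samples():
    """Return descriptions of samples whose verdict differs from the expected one (empty = all as expected)."""
    return [d for d, check, der, want in SAMPLES if check(der) != want]
```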