Closed Bug 982780 Opened 7 years ago Closed 4 years ago

Test failure for mozilla::pkixder CertificateSerialNumberCrazyLong

Product/Component: Core :: Security: PSM (defect)
Hardware/OS: x86, macOS
Priority/Severity: Not set / normal
Status: RESOLVED WONTFIX
Reporter: st3fan; Assignee: Unassigned

The CertificateSerialNumberCrazyLong is failing because der::CertificateSerialNumber() parses a long (> 20 octets) serial number without failure.

According to the RFC, serial numbers should not be longer than 20 octets.

Maybe we do this because we do actually get crazy long serial numbers in the wild?

Good work!

Overly-long serial numbers are not really problematic for us, so I didn't enforce that restriction in the serial number parser. However, we do end up relying on serial numbers being limited in length in CreateEncodedOCSPRequest in pkixocsp.cpp:

  // The only way we could have a request this large is if the serialNumber was
  // ridiculously and unreasonably large. RFC 5280 says "Conforming CAs MUST
  // NOT use serialNumber values longer than 20 octets." With this restriction,
  // we allow for some amount of non-conformance with that requirement while
  // still ensuring we can encode the length values in the ASN.1 TLV structures
  // in a single byte.

I am worried that if we try to strictly enforce this requirement now, given the information we have, we may cause unnecessary compatibility problems. My suggestion is that we leave this bug open, but we don't fix it until after insanity::pkix ships. This means that we should temporarily change the CertificateSerialNumberCrazyLong test so that it passes with the current behavior.

Sounds good. I will modify the test in the original bug for the tests.

Summary: Test failure for insanity::pkixder CertificateSerialNumberCrazyLong → Test failure for mozilla::pkixder CertificateSerialNumberCrazyLong
Assignee: sarentz → nobody

I don't think we're likely to ever address this. There's considerable compatibility risk, and supporting serial numbers longer than 20 bytes (but shorter than 128 bytes) poses no particular implementation or safety risk.
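The two limits discussed in this bug (the RFC 5280 "MUST NOT exceed 20 octets" rule versus the weaker "must stay encodable in a single DER length byte" requirement that pkixocsp.cpp actually relies on) are easiest to see side by side in code. The following is an added, self-contained illustration written for this page; it is not mozilla::pkix's own parser, and the names parseSerialNumber, SerialPolicy, derLengthEncodingSize and makeSerial are hypothetical. It parses a DER INTEGER as a certificate serialNumber, enforces DER minimal-encoding rules, and applies either the strict 20-octet bound or the lenient 127-octet bound (the largest content length that still fits the short-form length encoding); derLengthEncodingSize shows where the 128-octet boundary comes from.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of parsing a DER INTEGER used as a certificate serialNumber.
enum class SerialResult { Ok, Truncated, BadTag, NotMinimal, Empty, TooLong, TrailingData };

// Strict follows RFC 5280 (at most 20 content octets). Lenient accepts any serial
// whose enclosing ASN.1 length fields remain encodable in short form, which is the
// property the OCSP request encoder in this bug actually depends on.
enum class SerialPolicy { Strict, Lenient };

constexpr size_t kRfc5280MaxSerialOctets = 20;
constexpr size_t kShortFormMaxLength = 127;

// Number of bytes DER needs to encode a content length: 1 for 0..127 (short form),
// otherwise 1 + the minimal number of big-endian bytes that hold the length.
size_t derLengthEncodingSize(size_t contentLength) {
  if (contentLength <= kShortFormMaxLength) return 1;
  size_t n = 0;
  for (size_t v = contentLength; v != 0; v >>= 8) ++n;
  return 1 + n;
}

// Parses a DER INTEGER occupying all of `input` (tag 0x02, short-form length only).
// On success the content octets are copied into `serial`. Hypothetical helper.
SerialResult parseSerialNumber(const std::vector<uint8_t>& input, SerialPolicy policy,
                               std::vector<uint8_t>& serial) {
  if (input.size() < 2) return SerialResult::Truncated;
  if (input[0] != 0x02) return SerialResult::BadTag;
  const uint8_t lenByte = input[1];
  // A long-form length (>= 128 content octets) can never be a reasonable serial.
  if (lenByte & 0x80) return SerialResult::TooLong;
  const size_t len = lenByte;
  if (len == 0) return SerialResult::Empty;
  if (input.size() < 2 + len) return SerialResult::Truncated;
  if (input.size() > 2 + len) return SerialResult::TrailingData;
  const uint8_t* p = input.data() + 2;
  // DER requires the minimal encoding: no redundant leading 0x00 or 0xFF octet.
  if (len >= 2) {
    if (p[0] == 0x00 && !(p[1] & 0x80)) return SerialResult::NotMinimal;
    if (p[0] == 0xFF && (p[1] & 0x80)) return SerialResult::NotMinimal;
  }
  const size_t maxLen =
      policy == SerialPolicy::Strict ? kRfc5280MaxSerialOctets : kShortFormMaxLength;
  if (len > maxLen) return SerialResult::TooLong;
  serial.assign(p, p + len);
  return SerialResult::Ok;
}

// Constructed test data (not a real certificate): a DER INTEGER with `n` content
// octets (n <= 127) whose first octet is 0x01, so it is positive and minimal.
std::vector<uint8_t> makeSerial(size_t n) {
  std::vector<uint8_t> v = {0x02, static_cast<uint8_t>(n)};
  if (n == 0) return v;
  v.push_back(0x01);
  for (size_t i = 1; i < n; ++i) v.push_back(static_cast<uint8_t>(i & 0xFF));
  return v;
}

int main() {
  std::vector<uint8_t> out;
  for (size_t n : {20, 21, 127}) {
    SerialResult strict = parseSerialNumber(makeSerial(n), SerialPolicy::Strict, out);
    SerialResult lenient = parseSerialNumber(makeSerial(n), SerialPolicy::Lenient, out);
    std::printf("serial of %3zu octets: strict=%s lenient=%s (length field needs %zu byte(s))\n",
                n, strict == SerialResult::Ok ? "ok" : "rejected",
                lenient == SerialResult::Ok ? "ok" : "rejected", derLengthEncodingSize(n));
  }
  return 0;
}
```

Under the Lenient policy a 21-octet serial is accepted, which is the behaviour the test was changed to expect; the Strict branch is what CertificateSerialNumberCrazyLong originally asserted. Note that the lenient bound is on the serial itself; the enclosing OCSP structures add their own overhead, so a real encoder still has to check the final TLV lengths rather than assume they fit.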
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX