cert: quote RFC 5280 RE: lax serial numbers.

rustls · Mar 13, 2023 · 71a699e · 71a699e
1 parent 9802622
commit 71a699e
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/cert.rs b/src/cert.rs
@@ -140,7 +140,11 @@ pub(crate) fn lenient_certificate_serial_number(input: &mut untrusted::Reader) -
     // * "The serial number MUST be a positive integer [...]"
     //
     // However, we don't enforce these constraints, as there are widely-deployed trust anchors
-    // and many X.509 implementations in common use that violate these constraints.
+    // and many X.509 implementations in common use that violate these constraints. This is called
+    // out by the same section of RFC 5280 as cited above:
+    //   Note: Non-conforming CAs may issue certificates with serial numbers
+    //   that are negative or zero.  Certificate users SHOULD be prepared to
+    //   gracefully handle such certificates.
     der::expect_tag_and_get_value(input, der::Tag::Integer).map(|_| ())
 }