Adds graceful handling of negative serial numbers in x509 certificates (#445)

Co-authored-by: Kelly Brazil <kellyjonbrazil@gmail.com>
2025-07-13 01:20:24 +02:00 · 2023-10-01 00:02:55 +02:00
parent 3249a017ae
commit 1a1aa8fda3
4 changed files with 35 additions and 1 deletions
--- a/jc/parsers/x509_cert.py
+++ b/jc/parsers/x509_cert.py
@ -477,7 +477,10 @@ def _fix_objects(obj):
                # according to the spec this field can be string or integer
                if isinstance(v, int):
                    v_str = str(v)
-                    v_hex = _b2a(_i2b(v))
+                    if v < 0:
+                        v_hex = "(Negative)" + _b2a(_i2b(abs(v)))
+                    else:
+                        v_hex = _b2a(_i2b(v))
                else:
                    v_str = str(v)
                    v_hex = _b2a(v_str.encode())
--- a/tests/fixtures/generic/x509-negative-serial.json
+++ b/tests/fixtures/generic/x509-negative-serial.json
@ -0,0 +1 @@
+[{"tbs_certificate": {"version": "v3", "serial_number": "(Negative)43:21:98:76:dc:ba:00:00:43:21:98:76:dc:ba:00:00:11:11:00:00", "signature": {"algorithm": "sha512_rsa", "parameters": null}, "issuer": {"country_name": "DE", "state_or_province_name": "stateOrProvinceName", "locality_name": "localityName", "organization_name": "organizationName", "organizational_unit_name": "organizationUnitName", "common_name": "commonName", "email_address": "emailAddress"}, "validity": {"not_before": 1693312810, "not_after": 2008672810, "not_before_iso": "2023-08-29T12:40:10+00:00", "not_after_iso": "2033-08-26T12:40:10+00:00"}, "subject": {"country_name": "DE", "state_or_province_name": "stateOrProvinceName", "locality_name": "localityName", "organization_name": "organizationName", "organizational_unit_name": "organizationUnitName", "common_name": "commonName", "email_address": "emailAddress"}, "subject_public_key_info": {"algorithm": {"algorithm": "rsa", "parameters": null}, "public_key": {"modulus": "a8:fe:f8:79:c6:bb:9e:0a:da:e1:ac:ae:5b:2b:b1:24:69:92:ec:c7:e5:af:8a:30:a9:89:f9:38:a7:93:c9:ca:74:2e:cb:91:a4:67:ea:8d:74:78:17:3b:7b:4e:18:08:dc:26:7e:8c:92:a2:47:86:28:3e:5b:43:e8:5c:1d:39:2f:90:7a:18:1e:da:ec:1a:00:bf:7e:86:b8:ab:fd:92:e0:79:eb:9e:8d:09:c5:36:ea:2d:15:9a:3e:d7:a6:8d:99:a8:96:41:fb:c0:9f:4f:37:0e:ac:9d:af:61:c0:53:63:f5:6a:45:b5:ef:a1:cd:f3:58:1d:4d:b5:9c:7b:f5", "public_exponent": 65537}}, "issuer_unique_id": null, "subject_unique_id": null, "extensions": null, "serial_number_str": "-383251587750925609224665374206538004257901182976"}, "signature_algorithm": {"algorithm": "sha512_rsa", "parameters": null}, "signature_value": "72:0c:3f:d9:b2:22:1c:57:1b:d6:b6:89:5a:e4:1b:55:5e:12:b2:d8:6d:c4:d8:f8:d3:2e:3e:02:18:2a:b3:7e:2c:8a:b6:4c:da:c5:f2:b8:25:5d:68:64:ca:66:be:6a:30:4a:60:bc:87:d8:05:82:82:cd:64:41:ad:03:ed:d7:38:e2:ac:19:07:83:40:26:a2:81:23:6a:6d:23:13:74:8d:f4:23:40:40:ab:d9:bd:1f:91:17:44:6e:58:7a:ba:b9:3f:3e:06:c7:00:7c:46:46:d9:d4:78:06:8f:7b:8a:4a:ff:72:71:da:06:21:6a:b7:8c:cd:cf:0e:cd:bc:e3"}]
--- a/tests/fixtures/generic/x509-negative-serial.pem
+++ b/tests/fixtures/generic/x509-negative-serial.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAk6gAwIBAgIUvN5niSNF//+83meJI0X//+7vAAAwDQYJKoZIhvcNAQEN
+BQAwga4xCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNzdGF0ZU9yUHJvdmluY2VOYW1l
+MRUwEwYDVQQHDAxsb2NhbGl0eU5hbWUxGTAXBgNVBAoMEG9yZ2FuaXphdGlvbk5h
+bWUxHTAbBgNVBAsMFG9yZ2FuaXphdGlvblVuaXROYW1lMRMwEQYDVQQDDApjb21t
+b25OYW1lMRswGQYJKoZIhvcNAQkBFgxlbWFpbEFkZHJlc3MwHhcNMjMwODI5MTI0
+MDEwWhcNMzMwODI2MTI0MDEwWjCBrjELMAkGA1UEBhMCREUxHDAaBgNVBAgME3N0
+YXRlT3JQcm92aW5jZU5hbWUxFTATBgNVBAcMDGxvY2FsaXR5TmFtZTEZMBcGA1UE
+CgwQb3JnYW5pemF0aW9uTmFtZTEdMBsGA1UECwwUb3JnYW5pemF0aW9uVW5pdE5h
+bWUxEzARBgNVBAMMCmNvbW1vbk5hbWUxGzAZBgkqhkiG9w0BCQEWDGVtYWlsQWRk
+cmVzczCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqP74eca7ngra4ayuWyux
+JGmS7Mflr4owqYn5OKeTycp0LsuRpGfqjXR4Fzt7ThgI3CZ+jJKiR4YoPltD6Fwd
+OS+Qehge2uwaAL9+hrir/ZLgeeuejQnFNuotFZo+16aNmaiWQfvAn083Dqydr2HA
+U2P1akW176HN81gdTbWce/UCAwEAATANBgkqhkiG9w0BAQ0FAAOBgQByDD/ZsiIc
+VxvWtola5BtVXhKy2G3E2PjTLj4CGCqzfiyKtkzaxfK4JV1oZMpmvmowSmC8h9gF
+goLNZEGtA+3XOOKsGQeDQCaigSNqbSMTdI30I0BAq9m9H5EXRG5Yerq5Pz4GxwB8
+RkbZ1HgGj3uKSv9ycdoGIWq3jM3PDs284w==
+-----END CERTIFICATE-----
--- a/tests/test_x509_cert.py
+++ b/tests/test_x509_cert.py
@ -27,6 +27,9 @@ class MyTests(unittest.TestCase):
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-bad-email.pem'), 'rb') as f:
        x509_cert_bad_email = f.read()

+    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-negative-serial.pem'), 'rb') as f:
+        x509_cert_negative_serial = f.read()
+
    # output
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-ca-cert.json'), 'r', encoding='utf-8') as f:
        x509_ca_cert_json = json.loads(f.read())
@ -46,6 +49,9 @@ class MyTests(unittest.TestCase):
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-bad-email.json'), 'r', encoding='utf-8') as f:
        x509_cert_bad_email_json = json.loads(f.read())

+    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-negative-serial.json'), 'r', encoding='utf-8') as f:
+        x509_cert_negative_serial_json = json.loads(f.read())
+

    def test_x509_cert_nodata(self):
        """
@ -89,6 +95,12 @@ class MyTests(unittest.TestCase):
        """
        self.assertEqual(jc.parsers.x509_cert.parse(self.x509_cert_bad_email, quiet=True), self.x509_cert_bad_email_json)

+    def test_x509_cert_negative_serial(self):
+        """
+        Test 'cat x509-cert-bad-email.pem' (PEM file with a non-compliant email address)
+        """
+        self.assertEqual(jc.parsers.x509_cert.parse(self.x509_cert_negative_serial, quiet=True), self.x509_cert_negative_serial_json)
+

 if __name__ == '__main__':
    unittest.main()
				`@ -0,0 +1 @@`
				[{"tbs_certificate": {"version": "v3", "serial_number": "(Negative)43:21:98:76:dc:ba:00:00:43:21:98:76:dc:ba:00:00:11:11:00:00", "signature": {"algorithm": "sha512_rsa", "parameters": null}, "issuer": {"country_name": "DE", "state_or_province_name": "stateOrProvinceName", "locality_name": "localityName", "organization_name": "organizationName", "organizational_unit_name": "organizationUnitName", "common_name": "commonName", "email_address": "emailAddress"}, "validity": {"not_before": 1693312810, "not_after": 2008672810, "not_before_iso": "2023-08-29T12:40:10+00:00", "not_after_iso": "2033-08-26T12:40:10+00:00"}, "subject": {"country_name": "DE", "state_or_province_name": "stateOrProvinceName", "locality_name": "localityName", "organization_name": "organizationName", "organizational_unit_name": "organizationUnitName", "common_name": "commonName", "email_address": "emailAddress"}, "subject_public_key_info": {"algorithm": {"algorithm": "rsa", "parameters": null}, "public_key": {"modulus": "a8:fe:f8:79:c6:bb:9e:0a:da:e1:ac:ae:5b:2b:b1:24:69:92:ec:c7:e5:af:8a:30:a9:89:f9:38:a7:93:c9:ca:74:2e:cb:91:a4:67:ea:8d:74:78:17:3b:7b:4e:18:08:dc:26:7e:8c:92:a2:47:86:28:3e:5b:43:e8:5c:1d:39:2f:90:7a:18:1e:da:ec:1a:00:bf:7e:86:b8:ab:fd:92:e0:79:eb:9e:8d:09:c5:36:ea:2d:15:9a:3e:d7:a6:8d:99:a8:96:41:fb:c0:9f:4f:37:0e:ac:9d:af:61:c0:53:63:f5:6a:45:b5:ef:a1:cd:f3:58:1d:4d:b5:9c:7b:f5", "public_exponent": 65537}}, "issuer_unique_id": null, "subject_unique_id": null, "extensions": null, "serial_number_str": "-383251587750925609224665374206538004257901182976"}, "signature_algorithm": {"algorithm": "sha512_rsa", "parameters": null}, "signature_value": "72:0c:3f:d9:b2:22:1c:57:1b:d6:b6:89:5a:e4:1b:55:5e:12:b2:d8:6d:c4:d8:f8:d3:2e:3e:02:18:2a:b3:7e:2c:8a:b6:4c:da:c5:f2:b8:25:5d:68:64:ca:66:be:6a:30:4a:60:bc:87:d8:05:82:82:cd:64:41:ad:03:ed:d7:38:e2:ac:19:07:83:40:26:a2:81:23:6a:6d:23:13:74:8d:f4:23:40:40:ab:d9:bd:1f:91:17:44:6e:58:7a:ba:b9:3f:3e:06:c7:00:7c:46:46:d9:d4:78:06:8f:7b:8a:4a:ff:72:71:da:06:21:6a:b7:8c:cd:cf:0e:cd:bc:e3"}]