Fix serial-0 check to allow TRUSTED_PEER_TYPE load path and correct test assertions

jackctj117 · jackctj117 · commit 8ad7800111d9 · 2026-02-18T14:32:27.000-07:00
diff --git a/tests/api/test_asn.c b/tests/api/test_asn.c
@@ -793,7 +793,7 @@ int test_SerialNumber0_RootCA(void)
     EXPECT_DECLS;
 
 #if !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
-    !defined(WOLFSSL_NO_PEM)
+    !defined(WOLFSSL_NO_PEM) && defined(WOLFSSL_PEM_TO_DER)
     /* Test that root CA certificates with serial number 0 are accepted,
      * while non-root certificates with serial 0 are rejected (issue #8615) */
 
@@ -845,8 +845,8 @@ int test_SerialNumber0_RootCA(void)
 
     /* Test 5: Self-signed non-CA certificate with serial 0 should be rejected */
     ExpectNotNull(cm = wolfSSL_CertManagerNew());
-    ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
-                WC_NO_ERR_TRACE(ASN_PARSE_E));
+    ExpectIntNE(wolfSSL_CertManagerLoadCA(cm, selfSignedNonCASerial0File, NULL),
+                WOLFSSL_SUCCESS);
 
     if (cm != NULL) {
         wolfSSL_CertManagerFree(cm);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -24113,25 +24113,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         }
     }
 
-#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
-    !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
-    /* Defense-in-depth: reject serial number 0 for non-root certificates.
-     * RFC 5280 section 4.1.2.2 requires positive serial numbers.
-     * Allow serial 0 for self-signed CA certs (root CAs) since some legacy
-     * root CAs have serial 0. The primary enforcement with stricter type
-     * checking is in ParseCertRelative(). */
-    if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
-        if (!(cert->isCA && cert->selfSigned)
-#ifdef WOLFSSL_CERT_REQ
-            && !cert->isCSR
-#endif
-        ) {
-            WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
-            ret = ASN_PARSE_E;
-        }
-    }
-#endif
-
     if ((ret == 0) && (!done) && (badDate != 0)) {
         /* Parsed whole certificate fine but return any date errors. */
         ret = badDate;
@@ -25823,7 +25804,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
          * are explicitly trusted and some legacy root CAs in real-world
          * trust stores have serial number 0. */
         if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
-            if (!(type == CA_TYPE && cert->isCA && cert->selfSigned)
+            if (!((type == CA_TYPE || type == TRUSTED_PEER_TYPE) &&
+                  cert->isCA && cert->selfSigned)
 #ifdef WOLFSSL_CERT_REQ
                 && !cert->isCSR
 #endif
