From: Alberto Leiva Popper
Date: Mon, 19 Jan 2026 19:08:30 +0000 (-0600)
Subject: Reject negative certificate serial numbers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=016f3995c0a0279c31c57d526850a71dd5b0f5e8;p=thirdparty%2FFORT-validator.git

Reject negative certificate serial numbers

Thanks to 雷东政 for reporting this.
---
diff --git a/src/object/certificate.c b/src/object/certificate.c
index 731c9b82..ac5108ee 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -139,6 +139,11 @@ validate_serial_number(X509 *cert)
 if (log_val_enabled(LOG_DEBUG))
 debug_serial_number(number);
+ if (BN_is_negative(number)) {
+ BN_free(number);
+ return pr_val_err("Serial number is negative.");
+ }
+
 state = state_retrieve();
 x509stack_store_serial(validation_certstack(state), number);
 return 0;
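Review bot: A serial number of zero still passes the new guard in validate_serial_number(), because `BN_is_negative(number)` is false for zero, so the value goes on to `x509stack_store_serial()`. If the intent is to enforce the "positive integer" wording of the RPKI certificate profile (RFC 6487, section 4.2) rather than only block negative values, the condition could be `if (BN_is_negative(number) || BN_is_zero(number)) {` with the message adjusted to `"Serial number is not positive."`; whether rejecting zero is acceptable for certificates already deployed is a policy call the hunk does not show. The rejection message also omits the offending value, which is only printed by `debug_serial_number()` at LOG_DEBUG, so an operator triaging the error at the default log level cannot tell which serial was refused. The function begins above the hunk, so how `number` is parsed and whether its length is bounded is not visible here.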