crypto/x509: ParseRevocationList accepts authorityCertSerialNumber set to 0

[onepeople158]

Go version

go version go1.24.2 linux/amd64

Output of go env in your module/workspace:

CN=US,OU=US,O=US,L=US,ST=US,C=US
2025-01-01 00:00:00 +0000 UTC
2025-12-01 00:00:00 +0000 UTC
134026152402537916809419830168838464
1
Key Identifier: ef69e0f7d51de699ecdc6dd0f7e2b95c64718335
Authority Cert Serial Number:0

What did you do?

Hello Developer:
I have a CRL file where the authorityCertSerialNumber field in the AKI extension is set to 0. Go successfully parsed the authorityCertSerialNumber field without any errors. However, according to RFC5280, the authorityCertSerialNumber field stores the certificate serial number, which must be a positive integer.So, is this a bug?

What did you see happen?

Go parsed a CRL file with the authorityCertSerialNumber set to 0.

What did you expect to see?

main.zip

[gabyhelp]

Related Issues

• crypto/x509: accepts invalid AKI extension in CRL #73030
• crypto/x509: incorrect handling of the CRL Number field #73029
• crypto/x509: certificate with empty Authority Key Identifier extension considered invalid #70619
• crypto/x509: accepts CRL with two AKI extension #73051
• crypto/x509: wrong value of RevocationList.AuthorityKeyId #67571 (closed)
• crypto/x509: ParseRevocationList does not populate Number and AuthorityKeyId fields #53726 (closed)
• crypto/x509: the ParseRevocationList() doesn't seem to populate the AuthorityKeyId correctly #57461 (closed)
• crypto/x509: certificate validation issues #67024 (closed)
• crypto/x509: Verify allows serialNumber larger than 20 octets #72076

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}