From b37f6c1b95815d39fea26b2a17e318602eefe709 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Fri, 13 Jan 2023 08:39:36 +0100
Subject: [PATCH 1/4] x509write_crt: reject serial longer than X509_RFC5280_MAX_SERIAL_LEN

Signed-off-by: Valerio Setti
---
 library/x509write_crt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 4a65939c3..a8f4c286e 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -100,6 +100,10 @@ int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

+ if (mbedtls_mpi_size(serial) > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
 if ((ret = mbedtls_mpi_copy(&ctx->serial, serial)) != 0) {
 return ret;
 }

From 5b787142a9968a947f715a30411a585fdde0dd43 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Fri, 13 Jan 2023 08:40:26 +0100
Subject: [PATCH 2/4] test: x509: add function for testing long serials

Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_x509write.data | 3 +++
 tests/suites/test_suite_x509write.function | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index aa8b3cd26..4cff30d18 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -132,3 +132,6 @@ mbedtls_x509_string_to_names:"C=NL, O=Offspark\a Inc., OU=PolarSSL":"":MBEDTLS_E

 X509 String to Names #6 (Escape at end)
 mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME
+
+Check max serial length
+x509_set_serial_check:
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 84da1438e..03ecdab46 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
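Review bot: The new guard in mbedtls_x509write_crt_set_serial() bounds `mbedtls_mpi_size(serial)`, which is the length of the magnitude, not of the INTEGER that ends up in the certificate. A 20-byte serial whose top bit is set passes the check but would normally need a leading 0x00 octet in DER, giving 21 content octets, so the RFC 5280 limit named in the subject may still be exceeded; whether it is depends on the writer code, which is outside this hunk. Zero and negative values, which RFC 5280 section 4.1.2.2 also excludes for conforming CAs, are not rejected either; if that is deliberate, a comment such as `/* Only the magnitude length is checked here; sign and DER padding are not */` above the `if` would make the contract explicit. The function body continues past the hunk, and the public header's description of this function is not in the series as shown, so the new `MBEDTLS_ERR_X509_BAD_INPUT_DATA` return should be documented there.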
@@ -425,6 +425,24 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_WRITE_C */
+void x509_set_serial_check()
+{
+ mbedtls_x509write_cert ctx;
+ mbedtls_mpi serial_mpi;
+ uint8_t invalid_serial[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN + 1];
+
+ memset(invalid_serial, 0x01, sizeof(invalid_serial));
+
+ mbedtls_mpi_init(&serial_mpi);
+ TEST_EQUAL(mbedtls_mpi_read_binary(&serial_mpi, invalid_serial,
+ sizeof(invalid_serial)), 0);
+ TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi),
+ MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+ mbedtls_mpi_free(&serial_mpi);
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
 void mbedtls_x509_string_to_names(char *name, char *parsed_name, int result
 )

From 8cf549d0479402d349081687b3bd347a1236cede Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Fri, 13 Jan 2023 08:41:15 +0100
Subject: [PATCH 3/4] changelog: document the enforced check on x509 serial setting

Signed-off-by: Valerio Setti
---
 .../improve_x509_cert_writing_serial_number_management.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt

diff --git a/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
new file mode 100644
index 000000000..a85c79b70
--- /dev/null
+++ b/ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
+ whose binary representation is longer than 20 bytes. This was already
+ forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
+ enforced also at code level.

From 7ba003746816a9bfd3cd6fb57bcb7dd406006090 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Thu, 26 Jan 2023 18:03:27 +0100
Subject: [PATCH 4/4] test: improve error handling in x509_set_serial_check()
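Review bot: `ctx` in x509_set_serial_check() is handed to mbedtls_x509write_crt_set_serial() without ever being initialised, so the test only behaves because the length check returns before `ctx->serial` is touched. If that check regresses, `mbedtls_mpi_copy(&ctx->serial, ...)` would run on an indeterminate MPI and the test would hit undefined behaviour instead of failing cleanly at TEST_EQUAL. Add `mbedtls_x509write_crt_init(&ctx);` next to `mbedtls_mpi_init(&serial_mpi);` and `mbedtls_x509write_crt_free(&ctx);` beside `mbedtls_mpi_free(&serial_mpi);`; the same applies to the cleanup block that the [PATCH 4/4] hunk touches. A companion case with exactly MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN bytes that expects 0 would pin the boundary from both sides.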
Signed-off-by: Valerio Setti
---
 tests/suites/test_suite_x509write.function | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 03ecdab46..6fd73477e 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -439,6 +439,8 @@ void x509_set_serial_check()
 sizeof(invalid_serial)), 0);
 TEST_EQUAL(mbedtls_x509write_crt_set_serial(&ctx, &serial_mpi),
 MBEDTLS_ERR_X509_BAD_INPUT_DATA);
+
+exit:
 mbedtls_mpi_free(&serial_mpi);
 }
 /* END_CASE */