asn: drop redundant serial-0 check in DecodeCertInternal to avoid fail-open on forged isC

jackctj117 · jackctj117 · commit 3ef89158422e · 2026-04-28T09:23:57.000-06:00
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -20983,25 +20983,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         }
     }
 
-#if !defined(WOLFSSL_NO_ASN_STRICT) && !defined(WOLFSSL_PYTHON) && \
-    !defined(WOLFSSL_ASN_ALLOW_0_SERIAL)
-    /* Check for serial number of 0. RFC 5280 section 4.1.2.2 requires
-     * positive serial numbers. However, allow zero for self-signed CA
-     * certificates (root CAs) being loaded as trust anchors since they
-     * are explicitly trusted and some legacy root CAs in real-world
-     * trust stores have serial number 0. */
-    if ((ret == 0) && (cert->serialSz == 1) && (cert->serial[0] == 0)) {
-        if (!(cert->isCA && cert->selfSigned)
-#ifdef WOLFSSL_CERT_REQ
-            && !cert->isCSR
-#endif
-        ) {
-            WOLFSSL_MSG("Error serial number of 0 for non-root certificate");
-            ret = ASN_PARSE_E;
-        }
-    }
-#endif
-
     if ((ret == 0) && (!done) && (badDate != 0)) {
         /* Parsed whole certificate fine but return any date errors. */
         ret = badDate;
