net: retain leading zero bytes in X.509 serial numbers.

net/base/crl_set.cc

Index: net/base/crl_set.cc
diff --git a/net/base/crl_set.cc b/net/base/crl_set.cc
index 5b28be752d9ec3e345120e3ebabe7aeeac110af6..b76fd87e0b52422bc7178bd6f87466369de0b119 100644
--- a/net/base/crl_set.cc
+++ b/net/base/crl_set.cc
@@ -408,6 +408,18 @@ bool CRLSet::ApplyDelta(base::StringPiece data,
 CRLSet::Result CRLSet::CheckCertificate(
     const base::StringPiece& serial_number,
     const base::StringPiece& parent_spki) const {
+  base::StringPiece serial(serial_number);
+
+  if (!serial.empty() && serial[0] >= 0x80) {
+    // This serial number is negative but the process which generates CRL sets
+    // will reject any certificates with negative serial numbers as invalid.
+    return UNKNOWN;
+  }
+
+  // Remove any leading zero bytes.
+  while (!serial.empty() && serial[0] == 0x00)

[wtc, 2011/10/25 21:14:44]

BUG(?): !serial.empty() => serial.size() > 1
to avoid ending up with an empty string.

[agl, 2011/10/28 20:29:07]

Done.

+    serial.remove_prefix(1);
+
   std::map<std::string, size_t>::const_iterator i =
       crls_index_by_issuer_.find(parent_spki.as_string());
   if (i == crls_index_by_issuer_.end())