google / go-attestation

Apache License 2.0

Fails to parse malformed Nuvoton EK certs with leading 0s in serial number #362

Open mjg59 opened 7 months ago

mjg59 commented 7 months ago

03018e682822c6294edf5d182abca218f341a46e switched from using certificate-transparency/x509 to crypto/x509. This means that x509 certificates are parsed more strictly. Nuvoton, at least, issued some EK certificates with leading 0s in the serial number - this is a spec violation and crypto/x509 rejects them. Unfortunately I'm not in a position to get all of these reissued, so would it be possible to switch back to using certificate-transparency? This has the unfortunate outcome that some of the x509 object API is visible to consumers, so consumers who already switched from certificate-transparency/x509 to crypto/x509 would have to switch back unless we find a reasonable way to abstract that.
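The rejection described above, as an added Go example that is not go-attestation's code or the reporter's: it builds a constructed self-signed certificate, re-encodes its serial with a leading zero the way the affected Nuvoton EK certs are encoded, shows crypto/x509's ParseCertificate refusing it, and then normalises the serial back to minimal DER so the strict parser accepts it again. The helpers rewriteSerial and demo are assumptions of this example, not an API of either x509 library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// rewriteSerial swaps the content octets of a DER certificate's serialNumber INTEGER and re-encodes the enclosing SEQUENCE lengths (no re-signing).
func rewriteSerial(der, serial []byte) ([]byte, error) {
	var c struct{ TBS, Alg, Sig asn1.RawValue } // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
	var h struct {                              // leading TBSCertificate fields; encoding/asn1 leaves the later ones unparsed
		Version asn1.RawValue `asn1:"optional,explicit,tag:0"`
		Serial  asn1.RawValue
	}
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	if _, err := asn1.Unmarshal(c.TBS.FullBytes, &h); err != nil {
		return nil, err
	}
	newSerial, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagInteger, Bytes: serial})
	rest := c.TBS.Bytes[len(h.Version.FullBytes)+len(h.Serial.FullBytes):] // every TBS field after the old serial, verbatim
	body := append(append(append([]byte{}, h.Version.FullBytes...), newSerial...), rest...)
	c.TBS = asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: body}
	return asn1.Marshal(c) // Alg and Sig keep their FullBytes, so they are copied through unchanged
}

// demo builds a constructed self-signed certificate with serial 1 (DER 02 01 01), re-encodes the serial as 02 02 00 01 (same value, leading zero, as in the Nuvoton EK certs), then strips the zero again.
func demo() (strictErr error, repaired *x509.Certificate, err error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	bad, _ := rewriteSerial(der, []byte{0x00, 0x01})
	_, strictErr = x509.ParseCertificate(bad) // crypto/x509 rejects the non-minimal INTEGER: "x509: malformed serial number"
	fixed, _ := rewriteSerial(bad, []byte{0x01})
	repaired, err = x509.ParseCertificate(fixed)
	return strictErr, repaired, err
}

func main() {
	strictErr, repaired, err := demo()
	fmt.Println("strict parse of leading-zero serial:", strictErr, "| normalised certificate parses:", err == nil && repaired != nil)
}
```

Normalising the serial changes the tbsCertificate bytes, so a consumer that takes this route must still check the issuer signature against the original encoding (for example via the issuer's CheckSignature on the original TBS and signature bytes), not against the rewritten certificate.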

mjg59 commented 7 months ago

Cc: @josephlr