Negative serial numbers are mega deprecated (#9897)

pyca · Nov 18, 2023 · d517aae · d517aae
1 parent 79fc4cc
commit d517aae
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -43,6 +43,9 @@ Changelog
   on LibreSSL.
 * Added support for RSA PSS signatures in PKCS7 with
   :meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`.
+* In the next release (43.0.0) of cryptography, loading an X.509 certificate
+  with a negative serial number will raise an exception. This has been
+  deprecated since 36.0.0.
 
 .. _v41-0-5:
 

diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
@@ -398,7 +398,7 @@ fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyRes
         pyo3::PyErr::warn(
             py,
             warning_cls,
-            "Parsed a negative serial number, which is disallowed by RFC 5280.",
+            "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.",
             1,
         )?;
     }