From 416b16873995ab3140029a174c00a7e90a74e0bf Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 18 Nov 2023 15:57:21 -0500
Subject: [PATCH] Negative serial numbers are mega deprecated

---
 CHANGELOG.rst | 3 +++
 src/rust/src/x509/certificate.rs | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 53c432076d9a..be056eaeee48 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -43,6 +43,9 @@ Changelog
 on LibreSSL.
 * Added support for RSA PSS signatures in PKCS7 with
 :meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`.
+* In the next release (43.0.0) of cryptography, loading an X.509 certificate
+ with a negative serial number will raise an exception. This has been
+ deprecated since 36.0.0.

 .. _v41-0-5:

diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index a7817f4be582..fac37c400454 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -398,7 +398,7 @@ fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyRes
 pyo3::PyErr::warn(
 py,
 warning_cls,
- "Parsed a negative serial number, which is disallowed by RFC 5280.",
+ "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.",
 1,
 )?;
 }
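Review bot: The new warning string in the certificate.rs hunk says "the next release of cryptography" without naming it, while the CHANGELOG.rst hunk in this same patch names 43.0.0. In a log line collected from a pinned install, "next release" gives an operator no fixed version to plan a certificate clean-up against. Consider `"Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in cryptography 43.0.0."`. Whether the warning is displayed under Python's default filters depends on `warning_cls`, which is assigned outside this hunk, so that is worth confirming given this is the last notice before loading starts to fail. The body of warn_if_negative_serial starts and ends outside the hunk.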