pki: Don't generate negative random serial numbers in X.509 certificates
authorMartin Willi <martin@revosec.ch>
Wed, 5 Feb 2014 10:05:28 +0000 (11:05 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:14:58 +0000 (11:14 +0200)
According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.

src/pki/commands/issue.c
src/pki/commands/self.c

index d5c33b8..c2a120f 100644 (file)
@@ -363,6 +363,7 @@ static int issue()
                        rng->destroy(rng);
                        goto end;
                }
+               serial.ptr[0] &= 0x7F;
                rng->destroy(rng);
        }
 
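Review bot: The added `serial.ptr[0] &= 0x7F;` in issue() only clears the sign bit, so a first octet that comes out as 0x00 (and, in the extreme, an all-zero serial) is still accepted, while RFC 5280 4.1.2.2 asks for a positive serial number. Whether a leading 0x00 octet ends up as a non-minimal DER INTEGER depends on the encoder, which is not visible in this hunk, so this needs checking against the code that builds the certificate; re-drawing the random bytes while `serial.ptr[0] == 0` would settle both cases at negligible cost. The line also has no comment, and something like `/* clear the MSB: DER INTEGER is two's complement, serial must not be negative (RFC 5280 4.1.2.2) */` would keep a later reader from removing the mask as a loss of entropy. The identical line is added to self() in the second hunk, so a small shared helper for generating the serial would keep the two commands from drifting apart. Both function bodies start and end outside the hunks.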
index c28c9c2..7d4bf1c 100644 (file)
@@ -314,6 +314,7 @@ static int self()
                        rng->destroy(rng);
                        goto end;
                }
+               serial.ptr[0] &= 0x7F;
                rng->destroy(rng);
        }
        not_before = time(NULL);