]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0226ca8)
pki: Don't generate negative random serial numbers in X.509 certificates
authorMartin Willi <martin@revosec.ch>
Wed, 5 Feb 2014 10:05:28 +0000 (11:05 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:14:58 +0000 (11:14 +0200)
According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.

src/pki/commands/issue.c patch | blob | blame | history
src/pki/commands/self.c patch | blob | blame | history

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b89f1f2f3a31b87750adf00e758224f552b..c2a120fca315ce0a665809210c944507eb0d0bba 100644 (file)
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -363,6 +363,7 @@ static int issue()
                        rng->destroy(rng);
                        goto end;
                }
+               serial.ptr[0] &= 0x7F;
                rng->destroy(rng);
        }
 
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c291d54ea916da04c66b164d4b0cabc0a26..7d4bf1cc6119c282eb523b454ad0085a99ce3d04 100644 (file)
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -314,6 +314,7 @@ static int self()
                        rng->destroy(rng);
                        goto end;
                }
+               serial.ptr[0] &= 0x7F;
                rng->destroy(rng);
        }
        not_before = time(NULL);
Unnamed repository; edit this file 'description' to name the repository.