From: Martin Willi
Date: Wed, 5 Feb 2014 10:05:28 +0000 (+0100)
Subject: pki: Don't generate negative random serial numbers in X.509 certificates
X-Git-Tag: 5.1.3rc1~24^2~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e49197f15eef80f5559fcb631d4a4c51ae7867e7;p=thirdparty%2Fstrongswan.git

pki: Don't generate negative random serial numbers in X.509 certificates

According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
---
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b89f1..c2a120fca3 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -363,6 +363,7 @@ static int issue()
 rng->destroy(rng);
 goto end;
 }
+ serial.ptr[0] &= 0x7F;
 rng->destroy(rng);
 }
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c291d..7d4bf1cc61 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -314,6 +314,7 @@ static int self()
 rng->destroy(rng);
 goto end;
 }
+ serial.ptr[0] &= 0x7F;
 rng->destroy(rng);
 }
 not_before = time(NULL);
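Review bot: The added `serial.ptr[0] &= 0x7F;` in issue() (and the identical line in self() in src/pki/commands/self.c) clears the sign bit without a comment, and it does not cover two cases that RFC 5280 4.1.2.2 also constrains: an all-zero serial, and a first byte of 0x00, which is minimal DER only if the integer encoder strips leading zeros (the encoder is not visible here). A comment such as `/* clear MSB so the DER INTEGER is non-negative (RFC 5280 4.1.2.2) */` would explain the mask at both sites. The mask also removes one random bit, so if the buffer is 8 bytes the serial keeps 63 bits of unpredictability, and allocating one byte more before masking would retain at least 64. Both functions start and end outside their hunks, so the allocation size and the RNG quality class could not be checked from this page.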