From: Martin Willi
Date: Thu, 29 Nov 2012 15:35:06 +0000 (+0100)
Subject: Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
X-Git-Tag: 5.0.2dr4~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a344da291105642e7d214433c266559bedd4ba9;p=thirdparty%2Fstrongswan.git

Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
index 02f866b763..6cd243c614 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -593,6 +593,7 @@ static bool decrypt(private_openssl_pkcs7_t *this,
 X509_ALGOR *alg;
 X509_NAME *name;
 ASN1_INTEGER *sn;
+ u_char zero = 0;
 int oid;
 if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) == 1 &&
@@ -609,8 +610,12 @@ static bool decrypt(private_openssl_pkcs7_t *this,
 {
 continue;
 }
- serial = identification_create_from_encoding(
- ID_KEY_ID, openssl_asn1_str2chunk(sn));
+ chunk = openssl_asn1_str2chunk(sn);
+ if (chunk.len && chunk.ptr[0] | 0x80)
+ { /* if MSB is set, append a zero to make it non-negative */
+ chunk = chunk_cata("cc", chunk_from_thing(zero), chunk);
+ }
+ serial = identification_create_from_encoding(ID_KEY_ID, chunk);
 private = find_private(issuer, serial);
 issuer->destroy(issuer);
 serial->destroy(serial);
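Review bot: The added condition `chunk.ptr[0] | 0x80` in the second hunk is always non-zero, so the zero byte is prepended to every non-empty serialNumber rather than only to those whose first byte has the MSB set; the test needs a bitwise AND, `if (chunk.len && (chunk.ptr[0] & 0x80))`. As written, a serial that was already non-negative is also changed before it reaches `find_private(issuer, serial)`, which presumably prevents the lookup from matching the recipient's key for those certificates. The inline comment says "append" while `chunk_cata("cc", chunk_from_thing(zero), chunk)` places the zero in front, so `/* if MSB is set, prepend a zero to make it non-negative */` would match the code. decrypt() begins and ends outside both hunks, so the declaration of `chunk` and the enclosing loop are not visible here.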