certtool: reject negative serial numbers
authorElias Gustafsson <elias.skondal@gmail.com>
Tue, 4 Apr 2023 00:07:21 +0000 (02:07 +0200)
committerDaiki Ueno <ueno@gnu.org>
Thu, 13 Jul 2023 07:03:06 +0000 (09:03 +0200)
Signed-off-by: Elias Gustafsson <elias.skondal@gmail.com>
src/certtool-cfg.c

index cddc54a1ffcb15ebf65a1c082dd37166ce1a21b6..dc1e0a87a64a05628df0e64cf94fa53d3c7a9465 100644 (file)
@@ -1611,6 +1611,14 @@ static void read_serial_value(unsigned char *serial, size_t *size,
                        continue;
                }
 
+               if (decoded.data[0] & 0x80) {
+                       fprintf(stderr,
+                               "%s serial number is negative, "
+                               "see RFC 5280, section %s\n",
+                               label, rfc_section);
+                       continue;
+               }
+
                if (decoded.size > max_size) {
                        fprintf(stderr, "maximum %zu octets allowed for %s\n",
                                max_size, label);
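Review bot: The sign check on the first added line reads `decoded.data[0]` without first confirming that `decoded.size` is non-zero; if the hex decode whose error branch ends at the `continue` just above can hand back a zero-length buffer for an empty value, this reads past the end of the decoded data, and a zero-length serial is in any case not a valid positive INTEGER. Guarding the read, `if (decoded.size == 0 || (decoded.data[0] & 0x80)) {`, with the message widened to cover both cases, closes that. The same pattern appears in the get_serial_value hunk below, where `serial[0]` is read without a visible check that `*size` is non-zero. read_serial_value starts before this hunk and continues past it, so whether an earlier size check already exists cannot be confirmed from here.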
@@ -1663,6 +1671,14 @@ static void get_serial_value(unsigned char *serial, size_t *size,
                        label, rfc_section);
                exit(1);
        }
+
+       if (serial[0] & 0x80) {
+               fprintf(stderr,
+                       "%s serial number is negative, "
+                       "see RFC 5280, section %s\n",
+                       label, rfc_section);
+               exit(1);
+       }
 }
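Review bot: The added block repeats, byte for byte, the four-line fprintf of the negative-serial message already added to read_serial_value above, so the two diagnostics can only drift apart over time; a small `static void report_negative_serial(const char *label, const char *rfc_section)` helper called from both places would keep the wording in one spot. The preceding context shows the same pattern for the other diagnostic, so this follows the file's existing habit, but the new code is a good place to stop extending it. get_serial_value's body starts outside this hunk.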
 
 static int default_serial(unsigned char *serial, size_t *size)