From e49197f15eef80f5559fcb631d4a4c51ae7867e7 Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Wed, 5 Feb 2014 11:05:28 +0100
Subject: [PATCH] pki: Don't generate negative random serial numbers in X.509
 certificates

According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
---
 src/pki/commands/issue.c | 1 +
 src/pki/commands/self.c  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b89f1..c2a120fca3 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -363,6 +363,7 @@ static int issue()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c291d..7d4bf1cc61 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -314,6 +314,7 @@ static int self()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 	not_before = time(NULL);
-- 
2.47.2