pki: Don't generate negative random serial numbers in X.509 certificates

According to RFC 5280 4.1.2.2 we MUST force non-negative serial numbers.
author: Martin Willi <martin@revosec.ch> 2014-02-05 11:05:28 +0100
committer: Martin Willi <martin@revosec.ch> 2014-03-31 11:14:58 +0200
commit: e49197f15eef80f5559fcb631d4a4c51ae7867e7 (patch)
tree: 286b1fac9922c60d2ade3f719f7672fed7caca2a /src/pki
parent: 0226ca886deb82e2cecd72706bedbf471911fec1 (diff)
download: strongswan-e49197f15eef80f5559fcb631d4a4c51ae7867e7.tar.bz2
strongswan-e49197f15eef80f5559fcb631d4a4c51ae7867e7.tar.xz
2 files changed, 2 insertions, 0 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d5c33b89f..c2a120fca 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -363,6 +363,7 @@ static int issue()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c28c9c291..7d4bf1cc6 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -314,6 +314,7 @@ static int self()
 			rng->destroy(rng);
 			goto end;
 		}
+		serial.ptr[0] &= 0x7F;
 		rng->destroy(rng);
 	}
 	not_before = time(NULL);
author	Martin Willi <martin@revosec.ch>	2014-02-05 11:05:28 +0100
committer	Martin Willi <martin@revosec.ch>	2014-03-31 11:14:58 +0200
commit	e49197f15eef80f5559fcb631d4a4c51ae7867e7 (patch)
tree	286b1fac9922c60d2ade3f719f7672fed7caca2a /src/pki
parent	0226ca886deb82e2cecd72706bedbf471911fec1 (diff)
download	strongswan-e49197f15eef80f5559fcb631d4a4c51ae7867e7.tar.bz2 strongswan-e49197f15eef80f5559fcb631d4a4c51ae7867e7.tar.xz