From 790847d17c27c412b68a91a7f8505fbc083fa567 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Mon, 3 Oct 2016 12:15:10 +0200 Subject: pki: Don't remove zero bytes in CRL serials anymore This was added a few years ago because pki --signcrl once encoded serials incorrectly as eight byte blobs. But still ensure we have can handle overflows in case the serial is encoded incorrectly without zero-prefix. --- src/pki/commands/signcrl.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 6d873d326..b9cf9c466 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -376,14 +376,15 @@ static int sign_crl() lastenum = enumerator_create_empty(); } - /* remove superfluous leading zeros */ - while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 && - (crl_serial.ptr[1] & 0x80) == 0x00) + if (!crl_serial.len || crl_serial.ptr[0] & 0x80) + { /* add leading 0x00 to handle potential overflow if serial is encoded + * incorrectly */ + crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial); + } + else { - crl_serial = chunk_skip_zero(crl_serial); + crl_serial = chunk_clone(crl_serial); } - crl_serial = chunk_clone(crl_serial); - /* increment the serial number by one */ chunk_increment(crl_serial); -- cgit v1.2.3