oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure DER form of hxtool ca random serial numbers

Browse Source
This commit is contained in:
Viktor Dukhovni
2015-03-05 03:27:15 -05:00
committed by Viktor Dukhovni
parent b7ca6bbc7a
commit 745eeb1252
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/hx509/ca.c
View File

@@ -1126,6 +1126,12 @@ ca_sign(hx509_context context,
goto out; goto out;
} }
} else { } else {
/*
* If no explicit serial number is specified, 20 random bytes should be
* sufficiently collision resistant. Since the serial number must be a
* positive integer, ensure minimal ASN.1 DER form by forcing the high
* bit off and the next bit on (thus avoiding an all zero first octet).
*/
tbsc->serialNumber.length = 20; tbsc->serialNumber.length = 20;
tbsc->serialNumber.data = malloc(tbsc->serialNumber.length); tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
if (tbsc->serialNumber.data == NULL){ if (tbsc->serialNumber.data == NULL){
@@ -1133,9 +1139,9 @@ ca_sign(hx509_context context,
hx509_set_error_string(context, 0, ret, "Out of memory"); hx509_set_error_string(context, 0, ret, "Out of memory");
goto out; goto out;
} }
/* XXX diffrent */
RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length); RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f; ((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40;
} }
/* signature AlgorithmIdentifier, */ /* signature AlgorithmIdentifier, */
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature); ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);