Fix getting long serial numbers for openssl < 1.1

From https://www.ietf.org/rfc/rfc5280.txt

> As noted in Section 4.1.2.2, serial numbers can be expected to
> contain long integers.  Certificate users MUST be able to handle
> serialNumber values up to 20 octets in length.  Conforming CAs MUST
> NOT use serialNumber values longer than 20 octets.

Without this, nghttpx will fatal.

    jbraeg$ openssl x509 -in ~/test_certs/client.crt -serial -noout
    serial=E0CFDFC7CEA10DF8AAF715C37FAEB410

    jbraeg$ curl -k --key ~/test_certs/client.key --cert ~/test_certs/client.crt https://192.168.98.100:3000/; echo
    curl: (56) Unexpected EOF

    ...
    Assertion failed: n == b.size() (shrpx_tls.cc: get_x509_serial: 2051)
    2019-01-03T20:25:21.289Z 1 1 f84316ae NOTICE (shrpx_log.cc:895) Worker process: [9] exited abnormally with status 0x06; exit status 0; signal Aborted(6)
    2019-01-03T20:25:21.290Z 1 1 f84316ae NOTICE (shrpx.cc:4311) Shutdown momentarily
This commit is contained in:
Josh Braegger 2019-01-03 13:20:29 -08:00
parent 082e162f3c
commit 5b2efc0a12
1 changed files with 2 additions and 2 deletions

View File

@ -2046,9 +2046,9 @@ StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
return StringRef{}; return StringRef{};
} }
std::array<uint8_t, 8> b; std::array<uint8_t, 20> b;
auto n = BN_bn2bin(bn, b.data()); auto n = BN_bn2bin(bn, b.data());
assert(n == b.size()); assert(n <= 20);
return util::format_hex(balloc, StringRef{std::begin(b), std::end(b)}); return util::format_hex(balloc, StringRef{std::begin(b), std::end(b)});
#endif // !OPENSSL_1_1_API #endif // !OPENSSL_1_1_API