To accomplish this, prepend 'x' before hex serial numbers, so they
can be distinguished from decimal serial numbers.  For example:

  tls_serial_1 = "x4D:9B:7C:94"

is equivalent to:

  tls_serial_1 = "1302035604"

Currently, only PolarSSL generates hex serial numbers while
OpenSSL returns decimal serial numbers.

RFC 5280, published in 2008, decrees that serial numbers can be
up to 20 bytes long, hence it is necessary to support SSL
libraries that return the serial number as a hex string.

Signed-off-by: James Yonan <ja...@openvpn.net>
---
 src/openvpn/ssl_verify_polarssl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_verify_polarssl.c 
b/src/openvpn/ssl_verify_polarssl.c
index a2e6a8e..e87d2e2 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -161,11 +161,12 @@ char *
 backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc)
 {
   char *buf = NULL;
-  size_t len = cert->serial.len * 3 + 1;
+  size_t len = cert->serial.len * 3;

-  buf = gc_malloc(len, true, gc);
+  buf = gc_malloc(len+1, true, gc);

-  if(x509_serial_gets(buf, len-1, &cert->serial) < 0)
+  buf[0] = 'x';
+  if(x509_serial_gets(buf+1, len, &cert->serial) < 0)
     buf = NULL;

   return buf;
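Review bot: the size arithmetic in this hunk is correct but easy to misread, and the 'x' prefix is a user-visible format change that the patch does not document. `len = cert->serial.len * 3` is exactly the room needed after the prefix for `serial.len` "HH" pairs, `serial.len - 1` colons and the terminating NUL, and `gc_malloc(len+1, true, gc)` adds the one byte for `'x'`, so `x509_serial_gets(buf+1, len, &cert->serial)` is handed precisely the space it can fill; a one-line comment above `buf[0] = 'x';` stating that would spare the next reader from re-deriving it. Since every PolarSSL build will now expose `tls_serial_{n}` with the leading 'x' while OpenSSL builds keep returning decimal, the convention from the commit message (prefix 'x' marks colon-separated hex) belongs wherever `tls_serial_{n}` is described for script authors, and the doc comment of `backend_x509_get_serial_hex` should state that the returned string carries the prefix.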
-- 
1.9.1
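The commit message leaves it to consumers of tls_serial_{n} to tell the two spellings apart. As an added example (not part of this patch or of OpenVPN's own code), the C below parses either form into a fixed 20-byte big-endian value, so a script-side or plugin-side check can compare a serial from a PolarSSL build against one from an OpenSSL build without caring which backend produced it. The function names serial_to_bytes and serial_equal and the sample inputs are constructed for this example; the 20-octet limit is the RFC 5280 bound the commit message cites.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX 20   /* RFC 5280: serialNumber is at most 20 octets */

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned hexval(int c)
{
    if (c >= '0' && c <= '9')
        return (unsigned)(c - '0');
    return (unsigned)(tolower(c) - 'a' + 10);
}

/* Parse a tls_serial_{n} string into a fixed 20-byte big-endian value
 * (left-padded with zero bytes).  Accepts the 'x'-prefixed colon-hex form
 * ("x4D:9B:7C:94") described in the commit message and the plain decimal
 * form ("1302035604").  Returns 0 on success, -1 if the string is
 * malformed or the value exceeds 20 octets. */
int serial_to_bytes(const char *s, uint8_t out[SERIAL_MAX])
{
    memset(out, 0, SERIAL_MAX);
    if (s == NULL || *s == '\0')
        return -1;

    if (s[0] == 'x') {
        /* Hex form: "HH" pairs separated by ':'.  A decimal value can never
         * start with 'x', so the prefix is unambiguous. */
        uint8_t tmp[SERIAL_MAX];
        int n = 0;
        const char *p = s + 1;
        if (*p == '\0')
            return -1;
        for (;;) {
            if (n == SERIAL_MAX)
                return -1;          /* more than 20 octets */
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
                return -1;
            tmp[n++] = (uint8_t)((hexval(p[0]) << 4) | hexval(p[1]));
            p += 2;
            if (*p == '\0')
                break;
            if (*p != ':' || p[1] == '\0')
                return -1;          /* bad separator or trailing ':' */
            p++;
        }
        memcpy(out + (SERIAL_MAX - n), tmp, (size_t)n);   /* right-align */
        return 0;
    }

    /* Decimal form: schoolbook multiply-by-10-and-add over the byte array,
     * so serials wider than a machine word need no bignum library. */
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        unsigned carry = (unsigned)(*p - '0');
        for (int i = SERIAL_MAX - 1; i >= 0; i--) {
            unsigned v = (unsigned)out[i] * 10u + carry;
            out[i] = (uint8_t)(v & 0xffu);
            carry = v >> 8;
        }
        if (carry != 0)
            return -1;              /* value does not fit in 20 octets */
    }
    return 0;
}

/* Compare two serial strings numerically regardless of spelling.
 * Returns 1 if equal, 0 if different, -1 if either fails to parse. */
int serial_equal(const char *a, const char *b)
{
    uint8_t ba[SERIAL_MAX], bb[SERIAL_MAX];
    if (serial_to_bytes(a, ba) < 0 || serial_to_bytes(b, bb) < 0)
        return -1;
    return memcmp(ba, bb, SERIAL_MAX) == 0;
}

int main(void)
{
    /* Constructed inputs: the two spellings given in the commit message. */
    printf("x4D:9B:7C:94 == 1302035604 ? %d\n",
           serial_equal("x4D:9B:7C:94", "1302035604"));
    return 0;
}
```

Normalising to a fixed-width byte array rather than to a C integer is what makes the decimal path safe for the full 20-octet range; a strtoull-based parser would silently truncate any serial above 64 bits, which is exactly the case the commit message is about.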