Hi,

On Fri, Apr 17, 2020 at 03:40:12AM +0100, tincanteksup wrote:
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.

It is a *number*. Whether a particular frontend presents it as "hex" is
a matter of, well, "frontend presentation".
Inside the crypto libraries, it's just a bignum - this is what the
OpenVPN code does to get the serial:

    char *
    backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc)
    {
        ASN1_INTEGER *asn1_i;
        BIGNUM *bignum;
        char *openssl_serial, *serial;

        /* serial is an ASN.1 INTEGER; turn it into a bignum, then a decimal string */
        asn1_i = X509_get_serialNumber(cert);
        bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
        openssl_serial = BN_bn2dec(bignum);

        /* copy into gc-managed memory so the OpenSSL buffers can be freed */
        serial = string_alloc(openssl_serial, gc);

        BN_free(bignum);
        OPENSSL_free(openssl_serial);

        return serial;
    }

so, no special "we take a hex thing and change formatting to serial"
(admittedly, formatting a bignum in hex is less work than converting it
to a decimal string).
Now, for environment purposes, we actually do "serial (decimal)" and
"serial (hex)"...

    /* export serial number as environmental variable */
    serial = backend_x509_get_serial(peer_cert, &gc);
    openvpn_snprintf(envname, sizeof(envname), "tls_serial_%d", cert_depth);

    /* export serial number in hex as environmental variable */
    serial = backend_x509_get_serial_hex(peer_cert, &gc);
    openvpn_snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth);

which came in in commit f80a52b09eed8e5 to make openssl and polarssl
backends consistent (because polarssl used to do "hex" while openssl
always did "serial", as long as OpenVPN existed).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
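
Added example, not part of the original mail and not OpenVPN code: a helper for a verify script that treats the serial as a number, so a revocation list written in hex still matches whichever of `tls_serial_{n}` / `tls_serial_hex_{n}` is read. The function names, the sample serial and the accepted hex spellings (colons, `0x`, `serial=` prefix) are assumptions made for illustration.

```python
import re

def from_decimal(text):
    """Parse the decimal presentation, as exported in tls_serial_{n}."""
    s = text.strip()
    if not re.fullmatch(r"[0-9]+", s):
        raise ValueError(f"not a decimal serial: {text!r}")
    return int(s, 10)

def from_hex(text):
    """Parse a hex presentation: 'serial=0BAD..', '0x0bad..', '0b:ad:..' or bare hex."""
    s = text.strip().lower()
    for prefix in ("serial=", "0x"):
        if s.startswith(prefix):
            s = s[len(prefix):]
    s = s.replace(":", "")
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"not a hex serial: {text!r}")
    return int(s, 16)

def peer_serial(env, depth=0):
    """Serial at chain depth `depth`, read from the two variables named in the mail."""
    dec = env.get(f"tls_serial_{depth}")
    hx = env.get(f"tls_serial_hex_{depth}")
    values = set()
    if dec is not None:
        values.add(from_decimal(dec))
    if hx is not None:
        values.add(from_hex(hx))
    if len(values) != 1:
        # Nothing exported, or the two presentations name different numbers.
        raise ValueError("serial missing or decimal/hex forms disagree")
    return values.pop()

def is_revoked(env, revoked_hex, depth=0):
    """Compare as integers; comparing the strings would miss the match."""
    return peer_serial(env, depth) in {from_hex(h) for h in revoked_hex}

# Constructed sample data, not taken from any real certificate.
SAMPLE_SERIAL = 0x0BADC0FFEE0001
SAMPLE_ENV = {"tls_serial_0": str(SAMPLE_SERIAL),
              "tls_serial_hex_0": "0b:ad:c0:ff:ee:00:01"}
SAMPLE_REVOKED = ["serial=0BADC0FFEE0001", "0x2a"]

if __name__ == "__main__":
    print("revoked:", is_revoked(SAMPLE_ENV, SAMPLE_REVOKED))
```

A bare digit string such as `10` is a different serial depending on the base, which is why the helper never guesses and each parser is tied to one presentation.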
