On Thu, Apr 09, 2020 at 05:56:55PM +0100, Stuart Henderson wrote:
> Not new - this happened somewhere between 6.5 and 6.6 - but some
> certificates are now showing up with bad serial numbers in "openssl x509".
> Example below, a few other certs are affected.
>
> From the current /etc/ssl/cert.pem, these are the ones showing the same:
>
> - Serial Number: 11806822484801597146 (0xa3da427ea4b1aeda)
> - Serial Number: 14541511773111788494 (0xc9cdd3e9d57d23ce)
> - Serial Number: 18364802974209362175 (0xfedce3010fc948ff)
> - Serial Number: 10572350602393338211 (0x92b888dbb08ac163)
> - Serial Number: 14014712776195784473 (0xc27e43044e473f19)
> - Serial Number: 13492815561806991280 (0xbb401c43f55e4fb0)
> - Serial Number: 9548242946988625984 (0x84822c5f1c62d040)
> - Serial Number: 15752444095811006489 (0xda9bec71f303b019)
This is due to r1.34 of src/lib/libcrypto/asn1/a_int.c which changed
ASN1_INTEGER_get() to avoid undefined behavior. It now returns -1 more
often. Note that your examples are all larger than LONG_MAX.
A minimal fix for this issue is to use the fallback to colon-separated hex
digits in X509_print_ex() in case ASN1_INTEGER_get() returns an error, so
that your example cert yields:
Serial Number:
da:9b:ec:71:f3:03:b0:19
Index: asn1/t_x509.c
===================================================================
RCS file: /var/cvs/src/lib/libcrypto/asn1/t_x509.c,v
retrieving revision 1.31
diff -u -p -r1.31 t_x509.c
--- asn1/t_x509.c 18 May 2018 18:23:24 -0000 1.31
+++ asn1/t_x509.c 9 Apr 2020 17:53:51 -0000
@@ -145,8 +145,10 @@ X509_print_ex(BIO *bp, X509 *x, unsigned
goto err;
bs = X509_get_serialNumber(x);
- if (bs->length <= (int)sizeof(long)) {
+ l = -1;
+ if (bs->length <= (int)sizeof(long))
l = ASN1_INTEGER_get(bs);
+ if (l != -1) {
if (bs->type == V_ASN1_NEG_INTEGER) {
l = -l;
neg = "-";
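Review bot: `if (l != -1)` uses -1 both as the "not fetched" sentinel set above and as the error return of ASN1_INTEGER_get(), which also returns -1 for a genuine value of -1; a negative serial of -1 would therefore be printed through the hex fallback rather than as `-1 (-0x1)`, which is harmless for output but worth a comment next to `l = -1;` so the overload is deliberate. The `bs->length <= (int)sizeof(long)` pre-check is kept although the new ASN1_INTEGER_get() already rejects values that do not fit; it now only serves to leave `l` at -1 for longer encodings, so a one-line comment there would help the next reader too.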
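The failure mode the reply describes, as an added, self-contained example that is not the thread's patch or libcrypto code: `serial_t`, `serial_get()`, `format_serial()` and `format_example()` are hypothetical stand-ins for ASN1_INTEGER, ASN1_INTEGER_get() and the printing logic in X509_print_ex(), and the sample serials are constructed (the large one is the 0xda9bec71f303b019 value from the report). It shows why an 8-byte serial with the top bit set cannot come back from a long-returning getter, how the colon-separated fallback recovers it, and that a genuine serial of -1 takes the same fallback path because -1 doubles as the error return.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ASN1_INTEGER fields read by X509_print_ex(). */
typedef struct { int length; const unsigned char *data; int neg; } serial_t;
/* Like ASN1_INTEGER_get() after r1.34: -1 when the magnitude does not fit in a long. */
long serial_get(const serial_t *s)
{
    unsigned long v = 0;
    for (int i = 0; i < s->length; i++) {
        if (v > (ULONG_MAX >> 8))
            return -1;
        v = (v << 8) | s->data[i];
    }
    if (v > (unsigned long)LONG_MAX)
        return -1;
    return s->neg ? -(long)v : (long)v;
}
/* Same control flow as the patched X509_print_ex(): decimal plus hex when the
 * value fits, colon-separated hex bytes otherwise (returns 1 on that path).
 * A genuine serial of -1 also takes the fallback, since -1 is the error return. */
int format_serial(const serial_t *s, char *out, size_t outlen)
{
    long l = -1;
    if (s->length <= (int)sizeof(long))
        l = serial_get(s);
    if (l != -1) {
        const char *neg = "";
        if (s->neg) { l = -l; neg = "-"; }
        snprintf(out, outlen, "%s%lu (%s0x%lx)", neg, (unsigned long)l, neg, (unsigned long)l);
        return 0;
    }
    size_t n = 0;
    for (int i = 0; i < s->length && n + 3 < outlen; i++)
        n += snprintf(out + n, outlen - n, "%02x%s", s->data[i], i + 1 < s->length ? ":" : "");
    return 1;
}
/* Constructed inputs: the 0xda9bec71f303b019 serial from the report, a small one,
 * and a negative serial of -1; which selects 0, 1 or 2 respectively. */
static const unsigned char big[] = { 0xda, 0x9b, 0xec, 0x71, 0xf3, 0x03, 0xb0, 0x19 };
static const unsigned char small[] = { 0x0a, 0x2b }, one[] = { 0x01 };
const char *format_example(int which)
{
    static char buf[64];
    serial_t cases[3] = { { 8, big, 0 }, { 2, small, 0 }, { 1, one, 1 } };
    format_serial(&cases[which], buf, sizeof(buf));
    return buf;
}
```

On both 64-bit and 32-bit `long` the large serial ends up on the fallback path (rejected by the magnitude check or by the length pre-check respectively), so the output matches the `da:9b:ec:71:f3:03:b0:19` shown in the reply.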