Fix random serial DER encoding.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-05-28 09:01:24 +02:00 · 2026-05-12 19:48:30 +02:00
parent a4a1651ed4
commit d3ce3c20dc
2 changed files with 14 additions and 3 deletions
--- a/src/usb/lwip/rest_server.c
+++ b/src/usb/lwip/rest_server.c
@@ -980,6 +980,17 @@ void rest_handle_request(rest_conn_t *conn) {
    }
 }

+int x509_set_random_serial(mbedtls_x509write_cert *crt) {
+    uint8_t serial[16];
+    random_fill_buffer(serial, sizeof(serial));
+    serial[0] &= 0x7F;
+
+    size_t off = 0;
+    while (off < sizeof(serial) - 1 && serial[off] == 0x00) off++;
+
+    return mbedtls_x509write_crt_set_serial_raw(crt, serial + off, sizeof(serial) - off);
+}
+
 static void rest_check_and_load_credentials(void) {
    file_t *ef = file_new(EF_TLS_KEY);
    if (!file_has_data(ef)) {
@@ -1030,9 +1041,7 @@ static void rest_check_and_load_credentials(void) {
        if (ret != 0) goto out;
        ret = mbedtls_x509write_crt_set_issuer_name(&crt, "CN=pico-novus");
        if (ret != 0) goto out;
-        uint8_t serial[16];
-        random_fill_buffer(serial, sizeof(serial));
-        mbedtls_x509write_crt_set_serial_raw(&crt, serial, sizeof(serial));
+        x509_set_random_serial(&crt);
        if (ret != 0) goto out;
        ret = mbedtls_x509write_crt_set_validity(&crt, "20260101000000", "20360101000000");
        if (ret != 0) goto out;
--- a/src/usb/lwip/rest_server.h
+++ b/src/usb/lwip/rest_server.h
@@ -74,6 +74,8 @@ typedef struct {
 err_t rest_server_init(rest_conn_type_t conn_type);
 void rest_handle_request(rest_conn_t *conn);

+extern int x509_set_random_serial(mbedtls_x509write_cert *crt);
+
 extern int rest_server_error(rest_response_t *response, int status_code, const char *message);

 #endif