Comments (7)
Thanks! I wrote up a slightly modified fix but based on your report and hints here. Landed in aff153f.
from curl.
Thank you!
from curl.
For other octets retrieved via CURLINFO_CERTINFO like rsa and signature a colon is used as the separator for each octet. I'm not sure why not for serial number. OpenSSL in their output uses the colon as a separator but only for long serial numbers (see openssl x509 -noout -text -in cert). I don't see why not do it that way for all. Though changing it to be consistent with the others at this point may break a user's parsing of it.
Another thing that looks strange in that area is output of negative serial numbers. The current way is to prefix the octets with - to designate negative direction (a la integer), but the way OpenSSL does it looks more correct, although again any change at this point may break a user's parsing.
from curl.
@jay changing it could still be safe as it was completely broken before and thus was never parsed successfully anyway! I can see how matching openssl's output could be valuable.
I also glanced over the negative thing before I ignored it but you're right, we should make sure to output the same serial number that openssl does, even when negative.
from curl.
Ok. If you have no objections I'll replace that block with i2c_ASN1_INTEGER.
from curl.
No objections at all!
from curl.
They're not using i2c_ASN1_INTEGER for the output. I assumed they were based on what I was reading. Mistake! I should've tested the output of a large negative serial number to be sure. I created a cert with a serial of -999,999,999,999,999,999,999:
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -keyout serial_number_negative_nines.key -out serial_number_negative_nines.crt -days 3650 -nodes -batch -set_serial -999999999999999999999 -subj /CN=localhost/
openssl x509 -noout -text -in serial_number_negative_nines.crt
Here's the relevant part of their x509 output, which comes from X509_print_ex:
Serial Number:
(Negative)36:35:c9:ad:c5:de:9f:ff:ff
And if I specify -serial it also shows serial=-3635C9ADC5DE9FFFFF. So I guess there is some basis. A smaller number that fits in a long like -2000 shows Serial Number: -2000 (-0x7d0) and serial=-07D0.
What libcurl is doing right now is the same as the OpenSSL 'serial' format, not the OpenSSL 'Serial Number' format. That's probably fine given that nobody's used it yet, but if you want I can change it to their 'Serial Number' format as seen in X509_print_ex. libcurl had something similar to that for small numbers prior to your change but it would have to be modified to take into account negative numbers.
So it doesn't look like much of an issue anymore. Shame, the i2c method still looks more correct to me and easier to parse!
from curl.
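For code that pins or compares certificate serial numbers, the three renderings quoted in the last comment can be reduced to one signed integer before comparison. This is an added example, not code from curl or OpenSSL; the function names `parse_serial` and `canonical_serial` are hypothetical, and the sample strings are the ones quoted in the thread.

```python
import re

# Short form printed for serials that fit in a long: "-2000 (-0x7d0)"
_SHORT = re.compile(r"\((-?)0x([0-9A-Fa-f]+)\)\s*$")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_serial(text: str) -> int:
    """Parse a serial from the 'serial=' form, the colon-separated
    'Serial Number' form, or the short decimal/hex form."""
    s = text.strip()
    m = _SHORT.search(s)
    if m:
        value = int(m.group(2), 16)
        return -value if m.group(1) else value
    for label in ("Serial Number:", "serial="):
        if s.startswith(label):
            s = s[len(label):].strip()
    negative = False
    if s.startswith("(Negative)"):
        negative, s = True, s[len("(Negative)"):]
    elif s.startswith("-"):
        negative, s = True, s[1:]
    digits = s.replace(":", "")
    if not _HEX.match(digits):
        raise ValueError(f"not a hex serial: {text!r}")
    # In the colon form every field must be exactly one octet (two digits).
    if ":" in s and any(len(octet) != 2 for octet in s.split(":")):
        raise ValueError(f"malformed octet in serial: {text!r}")
    value = int(digits, 16)
    return -value if negative else value


def canonical_serial(value: int) -> str:
    """Render as sign + even-length uppercase hex, the 'serial=' style."""
    digits = format(abs(value), "X")
    if len(digits) % 2:
        digits = "0" + digits
    return ("-" if value < 0 else "") + digits


if __name__ == "__main__":
    # Sample strings taken from the thread above.
    for sample in ("serial=-3635C9ADC5DE9FFFFF",
                   "Serial Number:\n    (Negative)36:35:c9:ad:c5:de:9f:ff:ff",
                   "Serial Number: -2000 (-0x7d0)",
                   "serial=-07D0"):
        n = parse_serial(sample)
        print(f"{sample!r:60} -> {n} -> {canonical_serial(n)}")
```

Comparing the parsed integers rather than the raw strings keeps an allow-list or revocation check stable if the separator or sign notation of the output changes.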