From 16ac0d8eb6e14dc57a325359059fdd7ae19a3176 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Wed, 27 Nov 2019 09:14:19 +1000
Subject: [PATCH] Support 20-byte serial numbers and disallow 0.

---
 wolfcrypt/src/asn.c            | 12 ++++++++----
 wolfssl/wolfcrypt/asn_public.h |  3 ++-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 5668b5fb1..3e78d26ef 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8907,10 +8907,14 @@ WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
         return BAD_FUNC_ARG;
 
     /* remove leading zeros */
-    while (snSzInt > 1 && sn[0] == 0) {
+    while (snSzInt > 0 && sn[0] == 0) {
         snSzInt--;
         sn++;
     }
+    /* RFC 5280 - 4.1.2.2:
+     *   Serial numbers must be a postive value (and not zero) */
+    if (snSzInt == 0)
+        return BAD_FUNC_ARG;
 
     if (sn[0] & 0x80)
         maxSnSz--;
@@ -8920,8 +8924,8 @@ WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
 
     i = SetASNInt(snSzInt, sn[0], NULL);
     /* truncate if input is too long */
-    if ((word32)snSzInt > outputSz - i)
-        snSzInt = outputSz - i;
+    if (snSzInt > (int)outputSz - i)
+        snSzInt = (int)outputSz - i;
     /* sanity check number of bytes to copy */
     if (snSzInt <= 0) {
         return BUFFER_E;
@@ -11866,7 +11870,7 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     /* serial number (must be positive) */
     if (cert->serialSz == 0) {
         /* generate random serial */
-        cert->serialSz = CTC_SERIAL_SIZE;
+        cert->serialSz = CTC_GEN_SERIAL_SZ;
         ret = wc_RNG_GenerateBlock(rng, cert->serial, cert->serialSz);
         if (ret != 0)
             return ret;
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index 45597cb3e..07c5e004b 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -146,7 +146,8 @@ enum Ctc_Misc {
     CTC_NAME_SIZE     = WC_CTC_NAME_SIZE,
     CTC_DATE_SIZE     =    32,
     CTC_MAX_ALT_SIZE  = WC_CTC_MAX_ALT_SIZE, /* may be huge, default: 16384 */
-    CTC_SERIAL_SIZE   =    16,
+    CTC_SERIAL_SIZE   =    20,
+    CTC_GEN_SERIAL_SZ =    16,
 #ifdef WOLFSSL_CERT_EXT
     /* AKID could contains: hash + (Option) AuthCertIssuer,AuthCertSerialNum
      * We support only hash */