Check that serial number is not negative

project-chip · May 3, 2021 · cf1e898 · cf1e898
1 parent 241fc67
commit cf1e898
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/src/credentials/GenerateChipX509Cert.cpp b/src/credentials/GenerateChipX509Cert.cpp
@@ -336,6 +336,8 @@ CHIP_ERROR EncodeTBSCert(const X509CertRequestParams & requestParams, Certificat
     uint8_t numDNs = 1;
     bool isCA      = true;
 
+    VerifyOrReturnError(requestParams.SerialNumber > 0, CHIP_ERROR_INVALID_ARGUMENT);
+
     ASN1_START_SEQUENCE
     {
         // version [0] EXPLICIT Version DEFAULT v1

diff --git a/src/credentials/tests/TestChipCert.cpp b/src/credentials/tests/TestChipCert.cpp
@@ -665,6 +665,13 @@ static void TestChipCert_GenerateRootCert(nlTestSuite * inSuite, void * inContex
     NL_TEST_ASSERT(inSuite,
                    NewRootX509Cert(root_params, keypair, signed_cert, sizeof(signed_cert), signed_len) ==
                        CHIP_ERROR_INVALID_ARGUMENT);
+
+    // Test that serial number cannot be negative
+    root_params.HasNodeID    = false;
+    root_params.SerialNumber = -1;
+    NL_TEST_ASSERT(inSuite,
+                   NewRootX509Cert(root_params, keypair, signed_cert, sizeof(signed_cert), signed_len) ==
+                       CHIP_ERROR_INVALID_ARGUMENT);
 }
 
 static void TestChipCert_GenerateRootFabCert(nlTestSuite * inSuite, void * inContext)
@@ -724,6 +731,13 @@ static void TestChipCert_GenerateICACert(nlTestSuite * inSuite, void * inContext
     NL_TEST_ASSERT(inSuite,
                    NewICAX509Cert(ica_params, 4321, ica_keypair.Pubkey(), keypair, signed_cert, sizeof(signed_cert), signed_len) ==
                        CHIP_ERROR_INVALID_ARGUMENT);
+
+    // Test that serial number cannot be negative
+    ica_params.HasNodeID    = false;
+    ica_params.SerialNumber = -1;
+    NL_TEST_ASSERT(inSuite,
+                   NewICAX509Cert(ica_params, 4321, ica_keypair.Pubkey(), keypair, signed_cert, sizeof(signed_cert), signed_len) ==
+                       CHIP_ERROR_INVALID_ARGUMENT);
 }
 
 static void TestChipCert_GenerateNOCRoot(nlTestSuite * inSuite, void * inContext)
@@ -765,6 +779,14 @@ static void TestChipCert_GenerateNOCRoot(nlTestSuite * inSuite, void * inContext
     NL_TEST_ASSERT(inSuite,
                    NewNodeOperationalX509Cert(noc_params, kIssuerIsRootCA, noc_keypair.Pubkey(), keypair, signed_cert,
                                               sizeof(signed_cert), signed_len) == CHIP_ERROR_INVALID_ARGUMENT);
+
+    // Test that serial number cannot be negative
+    noc_params.HasNodeID    = true;
+    noc_params.HasFabricID  = true;
+    noc_params.SerialNumber = -1;
+    NL_TEST_ASSERT(inSuite,
+                   NewNodeOperationalX509Cert(noc_params, kIssuerIsRootCA, noc_keypair.Pubkey(), keypair, signed_cert,
+                                              sizeof(signed_cert), signed_len) == CHIP_ERROR_INVALID_ARGUMENT);
 }
 
 static void TestChipCert_GenerateNOCICA(nlTestSuite * inSuite, void * inContext)