crypto/tls: generate random serial numbers.

NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044

diff --git a/src/pkg/crypto/tls/generate_cert.go b/src/pkg/crypto/tls/generate_cert.go
index b417ea4640fef84fbac2d0dfc655f5ab6249bdd5..1b4830c725cb40f0766f354442ed74e4ffbd9807 100644 (file)
--- a/src/pkg/crypto/tls/generate_cert.go
+++ b/src/pkg/crypto/tls/generate_cert.go
@@ -43,7 +43,6 @@ func main() {
        priv, err := rsa.GenerateKey(rand.Reader, *rsaBits)
        if err != nil {
                log.Fatalf("failed to generate private key: %s", err)
-               return
        }
 
        var notBefore time.Time
@@ -65,8 +64,14 @@ func main() {
                notAfter = endOfTime
        }
 
+       serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+       serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+       if err != nil {
+               log.Fatalf("failed to generate serial number: %s", err)
+       }
+
        template := x509.Certificate{
-               SerialNumber: new(big.Int).SetInt64(0),
+               SerialNumber: serialNumber,
                Subject: pkix.Name{
                        Organization: []string{"Acme Co"},
                },
@@ -95,13 +100,11 @@ func main() {
        derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
        if err != nil {
                log.Fatalf("Failed to create certificate: %s", err)
-               return
        }
 
        certOut, err := os.Create("cert.pem")
        if err != nil {
                log.Fatalf("failed to open cert.pem for writing: %s", err)
-               return
        }
        pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
        certOut.Close()