From: Adam Langley <agl@golang.org>
Date: Sun, 15 Dec 2013 17:57:57 +0000 (-0500)
Subject: crypto/tls: generate random serial numbers.
X-Git-Tag: go1.3beta1~1235
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=1dabd716660c182c05c003c198fa3ea4feba6c89;p=gostls13.git

crypto/tls: generate random serial numbers.

NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
---

diff --git a/src/pkg/crypto/tls/generate_cert.go b/src/pkg/crypto/tls/generate_cert.go
index b417ea4640..1b4830c725 100644
--- a/src/pkg/crypto/tls/generate_cert.go
+++ b/src/pkg/crypto/tls/generate_cert.go
@@ -43,7 +43,6 @@ func main() {
 	priv, err := rsa.GenerateKey(rand.Reader, *rsaBits)
 	if err != nil {
 		log.Fatalf("failed to generate private key: %s", err)
-		return
 	}
 
 	var notBefore time.Time
@@ -65,8 +64,14 @@ func main() {
 		notAfter = endOfTime
 	}
 
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.Fatalf("failed to generate serial number: %s", err)
+	}
+
 	template := x509.Certificate{
-		SerialNumber: new(big.Int).SetInt64(0),
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"Acme Co"},
 		},
@@ -95,13 +100,11 @@ func main() {
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		log.Fatalf("Failed to create certificate: %s", err)
-		return
 	}
 
 	certOut, err := os.Create("cert.pem")
 	if err != nil {
 		log.Fatalf("failed to open cert.pem for writing: %s", err)
-		return
 	}
 	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	certOut.Close()