Generate certificates with unique serial numbers (#645)

2025-01-30 21:32:52 +00:00 · 2022-12-28 13:03:41 -06:00 · 2022-12-28 13:03:41 -06:00 · a996902a33
commit a996902a33
parent ad20572dde
2 changed files with 7 additions and 1 deletions
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@ -410,7 +410,12 @@ creds_t gen_creds(const std::string_view &cn, std::uint32_t key_bits) {
  EVP_PKEY_keygen(ctx.get(), &pkey);

  X509_set_version(x509.get(), 2);
-  ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), 0);
+
+  // Generate a real serial number to avoid SEC_ERROR_REUSED_ISSUER_AND_SERIAL with Firefox
+  bignum_t serial { BN_new() };
+  BN_rand(serial.get(), 159, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY); // 159 bits to fit in 20 bytes in DER format
+  BN_set_negative(serial.get(), 0);                                // Serial numbers must be positive
+  BN_to_ASN1_INTEGER(serial.get(), X509_get_serialNumber(x509.get()));

  constexpr auto year = 60 * 60 * 24 * 365;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
--- a/src/crypto.h
+++ b/src/crypto.h
@ -31,6 +31,7 @@ using md_ctx_t         = util::safe_ptr<EVP_MD_CTX, md_ctx_destroy>;
 using bio_t            = util::safe_ptr<BIO, BIO_free_all>;
 using pkey_t           = util::safe_ptr<EVP_PKEY, EVP_PKEY_free>;
 using pkey_ctx_t       = util::safe_ptr<EVP_PKEY_CTX, EVP_PKEY_CTX_free>;
+using bignum_t         = util::safe_ptr<BIGNUM, BN_free>;

 sha256_t hash(const std::string_view &plaintext);