

Generate certificates with unique serial numbers
Fixes SEC_ERROR_REUSED_ISSUER_AND_SERIAL when using Firefox
cgutman committed Dec 28, 2022
1 parent ad20572 commit e098e7b
Showing 2 changed files with 7 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/crypto.cpp
Expand Up @@ -410,7 +410,12 @@ creds_t gen_creds(const std::string_view &cn, std::uint32_t key_bits) {
EVP_PKEY_keygen(ctx.get(), &pkey);

X509_set_version(x509.get(), 2);
ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), 0);

// Generate a real serial number to avoid SEC_ERROR_REUSED_ISSUER_AND_SERIAL with Firefox
bignum_t serial { BN_new() };
BN_rand(serial.get(), 159, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY); // 159 bits to fit in 20 bytes in DER format
BN_set_negative(serial.get(), 0); // Serial numbers must be positive
BN_to_ASN1_INTEGER(serial.get(), X509_get_serialNumber(x509.get()));

constexpr auto year = 60 * 60 * 24 * 365;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
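Review bot: The results of `BN_new()`, `BN_rand` and `BN_to_ASN1_INTEGER` in the new serial-number lines are never checked, so an RNG or allocation failure leaves the certificate built with whatever serial the X509 object started with — the duplicate-serial condition this commit fixes, but now silent. Guard the sequence, e.g. `if (!serial || !BN_rand(serial.get(), 159, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY) || !BN_to_ASN1_INTEGER(serial.get(), X509_get_serialNumber(x509.get()))) { /* fail gen_creds like its other OpenSSL errors */ }`, and abort the way gen_creds handles its other OpenSSL failures (its body continues outside the hunk, so that convention is not visible here). `BN_set_negative(serial.get(), 0)` is a no-op because `BN_rand` never produces a negative value; if it is kept as a defensive measure, the comment should say so rather than imply it does work. If the `OPENSSL_VERSION_NUMBER < 0x10100000L` branch below means 1.0.x is still a supported build, confirm the `BN_RAND_TOP_ANY`/`BN_RAND_BOTTOM_ANY` names are available there rather than only in 1.1.0+.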
1 change: 1 addition & 0 deletions src/crypto.h
Expand Up @@ -31,6 +31,7 @@ using md_ctx_t = util::safe_ptr<EVP_MD_CTX, md_ctx_destroy>;
using bio_t = util::safe_ptr<BIO, BIO_free_all>;
using pkey_t = util::safe_ptr<EVP_PKEY, EVP_PKEY_free>;
using pkey_ctx_t = util::safe_ptr<EVP_PKEY_CTX, EVP_PKEY_CTX_free>;
using bignum_t = util::safe_ptr<BIGNUM, BN_free>;

sha256_t hash(const std::string_view &plaintext);


