Generate certificates with unique serial numbers (#645)

2025-08-10 00:52:16 +00:00 · 2022-12-28 13:03:41 -06:00
parent ad20572dde
commit a996902a33
2 changed files with 7 additions and 1 deletions
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -410,7 +410,12 @@ creds_t gen_creds(const std::string_view &cn, std::uint32_t key_bits) {
  EVP_PKEY_keygen(ctx.get(), &pkey);

  X509_set_version(x509.get(), 2);
-  ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), 0);
+
+  // Generate a real serial number to avoid SEC_ERROR_REUSED_ISSUER_AND_SERIAL with Firefox
+  bignum_t serial { BN_new() };
+  BN_rand(serial.get(), 159, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY); // 159 bits to fit in 20 bytes in DER format
+  BN_set_negative(serial.get(), 0);                                // Serial numbers must be positive
+  BN_to_ASN1_INTEGER(serial.get(), X509_get_serialNumber(x509.get()));

  constexpr auto year = 60 * 60 * 24 * 365;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L