crypto/tls: generate random serial numbers.

NSS (used in Firefox and Chrome) won't accept two certificates with the same issuer and serial. But this causes problems with self-signed certificates with a fixed serial number. This change randomises the serial numbers in the certificates generated by generate_cert.go. R=golang-dev, r CC=golang-dev https://golang.org/cl/38290044
2013-12-15 12:57:57 -05:00 · 2013-12-15 12:57:57 -05:00 · 75982d4f0c
commit 75982d4f0c
parent 1a11255b00
1 changed files with 7 additions and 4 deletions
--- a/generate_cert.go
+++ b/generate_cert.go
@ -43,7 +43,6 @@ func main() {
 	priv, err := rsa.GenerateKey(rand.Reader, *rsaBits)
 	if err != nil {
 		log.Fatalf("failed to generate private key: %s", err)
-		return
 	}

 	var notBefore time.Time
@ -65,8 +64,14 @@ func main() {
 		notAfter = endOfTime
 	}

+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.Fatalf("failed to generate serial number: %s", err)
+	}
+
 	template := x509.Certificate{
-		SerialNumber: new(big.Int).SetInt64(0),
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"Acme Co"},
 		},
@ -95,13 +100,11 @@ func main() {
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		log.Fatalf("Failed to create certificate: %s", err)
-		return
 	}

 	certOut, err := os.Create("cert.pem")
 	if err != nil {
 		log.Fatalf("failed to open cert.pem for writing: %s", err)
-		return
 	}
 	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	certOut.Close()