From 75982d4f0cdb558a047e4937820cb0600ceb5d0d Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@golang.org>
Date: Sun, 15 Dec 2013 12:57:57 -0500
Subject: [PATCH] crypto/tls: generate random serial numbers.

NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
---
 generate_cert.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/generate_cert.go b/generate_cert.go
index b417ea4..1b4830c 100644
--- a/generate_cert.go
+++ b/generate_cert.go
@@ -43,7 +43,6 @@ func main() {
 	priv, err := rsa.GenerateKey(rand.Reader, *rsaBits)
 	if err != nil {
 		log.Fatalf("failed to generate private key: %s", err)
-		return
 	}
 
 	var notBefore time.Time
@@ -65,8 +64,14 @@ func main() {
 		notAfter = endOfTime
 	}
 
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.Fatalf("failed to generate serial number: %s", err)
+	}
+
 	template := x509.Certificate{
-		SerialNumber: new(big.Int).SetInt64(0),
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"Acme Co"},
 		},
@@ -95,13 +100,11 @@ func main() {
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		log.Fatalf("Failed to create certificate: %s", err)
-		return
 	}
 
 	certOut, err := os.Create("cert.pem")
 	if err != nil {
 		log.Fatalf("failed to open cert.pem for writing: %s", err)
-		return
 	}
 	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	certOut.Close()