
Commit d96d0d8

nnmin-awsk8s-publishing-bot
authored and committed
update serial number to a valid non-zero number in ca certificate
Kubernetes-commit: cd08820ba9a0d5f2f95e3c46e27d01ca046f7d2a
1 parent 8d8e2bc commit d96d0d8


1 file changed

+22
-5
lines changed


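--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -25,6 +25,7 @@ import (
 "crypto/x509/pkix"
 "encoding/pem"
 "fmt"
+"math"
 "math/big"
 "net"
 "os"
@@ -57,8 +58,14 @@ type AltNames struct {
 // NewSelfSignedCACert creates a CA certificate
 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
 now := time.Now()
+// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+if err != nil {
+return nil, err
+}
+serial = new(big.Int).Add(serial, big.NewInt(1))
 tmpl := x509.Certificate{
-SerialNumber: new(big.Int).SetInt64(0),
+SerialNumber: serial,
 Subject: pkix.Name{
 CommonName: cfg.CommonName,
 Organization: cfg.Organization,
@@ -116,9 +123,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 if err != nil {
 return nil, nil, err
 }
-
+// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+if err != nil {
+return nil, nil, err
+}
+serial = new(big.Int).Add(serial, big.NewInt(1))
 caTemplate := x509.Certificate{
-SerialNumber: big.NewInt(1),
+SerialNumber: serial,
 Subject: pkix.Name{
 CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
 },
@@ -144,9 +156,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 if err != nil {
 return nil, nil, err
 }
-
+// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+serial, err = cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+if err != nil {
+return nil, nil, err
+}
+serial = new(big.Int).Add(serial, big.NewInt(1))
 template := x509.Certificate{
-SerialNumber: big.NewInt(2),
+SerialNumber: serial,
 Subject: pkix.Name{
 CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 },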
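Review bot: The six-line serial-number generation block is pasted verbatim three times in this file (the NewSelfSignedCACert hunk, the caTemplate hunk and the template hunk), so the RFC 5280 rule it enforces — a serial must be a positive integer — lives in three copies that can drift independently; an unexported helper keeps it in one place with the same value range [1, math.MaxInt64) and the same unwrapped error. The inline comment also reads "[0, max-1)" where `max` is left undefined; naming math.MaxInt64 explicitly, as in the helper's comment below, removes the ambiguity. For these self-signed, non-publicly-trusted certificates a 63-bit random range is adequate, though it sits just under the 64-bit minimum the CA/Browser Forum Baseline Requirements set for publicly trusted issuers, which is worth recording on the helper in case it is reused. Each call site then shrinks to `serial, err := newSerialNumber()` (plain `=` at the third site, where both variables already exist) followed by the existing error check; NewSelfSignedCACert and GenerateSelfSignedCertKeyWithFixtures both continue outside the hunks shown.
```go
// newSerialNumber returns a uniformly random certificate serial in [1, math.MaxInt64),
// satisfying the RFC 5280 requirement that serial numbers be positive integers.
// The 63-bit range is sufficient for self-signed certificates; publicly trusted
// issuers are held to at least 64 bits of CSPRNG output.
func newSerialNumber() (*big.Int, error) {
	// cryptorand.Int yields a uniform value in [0, math.MaxInt64-1); adding 1 shifts it to [1, math.MaxInt64).
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
	if err != nil {
		return nil, err
	}
	return serial.Add(serial, big.NewInt(1)), nil
}

func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	serial, err := newSerialNumber()
	if err != nil {
		return nil, err
	}
	// … unchanged: tmpl construction with SerialNumber: serial, and signing …
```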
