Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: provide method for generating conformant serial numbers #52444

Closed
rolandshoemaker opened this issue Apr 19, 2022 · 8 comments
Closed

crypto/x509: provide method for generating conformant serial numbers #52444

rolandshoemaker opened this issue Apr 19, 2022 · 8 comments
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone
Backlog

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Apr 19, 2022
edited
Loading

Currently, generating valid, RFC 5280 conformant, serial numbers is an exercise left up to the user. As of https://go.dev/cl/400377 we enforce the 20 octet length requirement, but it looks like a lot of users don't entirely know how they should go about generating a valid serial number (in particular if people do know about the 20 octet maximum, they are not aware that serials that are 20 octets long cannot have the MSB set.)

Since there are such ambiguities about how to best do this, it would seem prudent to just provide a function which generates serials (or a method on *Certificate) that are conformant with the 5280 rules, i.e.

  • func GenerateSerial(rand io.Reader) (*big.Int, error)
  • func (*Certificate) GenerateSerial(rand io.Reader) error
@rolandshoemaker rolandshoemaker added this to the Go1.19 milestone Apr 19, 2022
@ianlancetaylor ianlancetaylor modified the milestones: Go1.19, Proposal Apr 19, 2022
@ianlancetaylor ianlancetaylor added the Proposal-Crypto Proposal related to crypto packages or other security issues label Apr 19, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/401657 mentions this issue: crypto/x509: revert serial length restriction

gopherbot pushed a commit that referenced this issue Apr 21, 2022
@rolandshoemaker @gopherbot
crypto/x509: revert serial length restriction
4d96c3c 
This reverts CL400377, which restricted serials passed to
x509.CreateCertificate to <= 20 octets. Unfortunately this turns out to
be something _a lot_ of people get wrong. Since it's not particularly
obvious how to properly generate conformant serials, until we provide
an easier way for people to get this right, reverting this restriction
makes sense (possible solution discussed in #52444.)

Change-Id: Ia85a0ffe61e2e547abdaf1389c3e1ad29e28a2be
Reviewed-on: https://go-review.googlesource.com/c/go/+/401657
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
@rsc
Copy link
Contributor

rsc commented Jun 1, 2022

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc
Copy link
Contributor

rsc commented Jun 8, 2022

This seems fine. Does anyone object to this?

@rsc
Copy link
Contributor

rsc commented Jun 15, 2022

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc
Copy link
Contributor

rsc commented Jun 22, 2022

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: crypto/x509: provide method for generating conformant serial numbers crypto/x509: provide method for generating conformant serial numbers Jun 22, 2022
@rsc rsc modified the milestones: Proposal, Backlog Jun 22, 2022
@martin-sucha
Copy link
Contributor

It is not clear if the proposal is to add func GenerateSerial(rand io.Reader) (*big.Int, error) or func (*Certificate) GenerateSerial(rand io.Reader) error or both. Could you please clarify?

@rsc rsc moved this to Accepted in Proposals Aug 10, 2022
@rsc rsc added this to Proposals Aug 10, 2022
@julieqiu julieqiu removed this from Go Security Sep 8, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/479120 mentions this issue: crypto/x509: add GenerateSerial

@rolandshoemaker rolandshoemaker mentioned this issue May 28, 2024
Closed
@rolandshoemaker
Copy link
Member Author

Closing this in favor of the proposal in #67675.

@emmansun emmansun mentioned this issue Nov 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
Proposals
Status: Accepted
Milestone
Backlog
Development

No branches or pull requests
5 participants
@rsc @martin-sucha @ianlancetaylor @rolandshoemaker @gopherbot