Use random numbers for certificate serials

elazarl · Sep 11, 2019 · ecfe977 · ecfe977
1 parent aaf7bbe
commit ecfe977
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/signer.go b/signer.go
@@ -11,6 +11,7 @@ import (
 	"crypto/x509/pkix"
 	"fmt"
 	"math/big"
+	"math/rand"
 	"net"
 	"runtime"
 	"sort"
@@ -48,9 +49,8 @@ func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err er
 	if err != nil {
 		panic(err)
 	}
-	hash := hashSorted(append(hosts, goproxySignerVersion, ":"+runtime.Version()))
-	serial := new(big.Int)
-	serial.SetBytes(hash)
+
+	serial := big.NewInt(rand.Int63())
 	template := x509.Certificate{
 		// TODO(elazar): instead of this ugly hack, just encode the certificate and hash the binary form.
 		SerialNumber: serial,
@@ -74,6 +74,7 @@ func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err er
 		}
 	}
 
+	hash := hashSorted(append(hosts, goproxySignerVersion, ":"+runtime.Version()))
 	var csprng CounterEncryptorRand
 	if csprng, err = NewCounterEncryptorRandFromKey(ca.PrivateKey, hash); err != nil {
 		return
@@ -102,3 +103,8 @@ func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err er
 		PrivateKey:  certpriv,
 	}, nil
 }
+
+func init() {
+	// Avoid deterministic random numbers
+	rand.Seed(time.Now().UnixNano())
+}