Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: provide method for generating conformant serial numbers #52444

Open
rolandshoemaker opened this issue Apr 19, 2022 · 6 comments
Open
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal-FinalCommentPeriod
Milestone

Comments

@rolandshoemaker
Copy link
Member

@rolandshoemaker rolandshoemaker commented Apr 19, 2022

Currently, generating valid, RFC 5280 conformant, serial numbers is an exercise left up to the user. As of https://go.dev/cl/400377 we enforce the 20 octet length requirement, but it looks like a lot of users don't entirely know how they should go about generating a valid serial number (in particular if people do know about the 20 octet maximum, they are not aware that serials that are 20 octets long cannot have the MSB set.)

Since there are such ambiguities about how to best do this, it would seem prudent to just provide a function which generates serials (or a method on *Certificate) that are conformant with the 5280 rules, i.e.

  • func GenerateSerial(rand io.Reader) (*big.Int, error)
  • func (*Certificate) GenerateSerial(rand io.Reader) error
@rolandshoemaker rolandshoemaker added this to the Go1.19 milestone Apr 19, 2022
@ianlancetaylor ianlancetaylor removed this from the Go1.19 milestone Apr 19, 2022
@ianlancetaylor ianlancetaylor added this to the Proposal milestone Apr 19, 2022
@ianlancetaylor ianlancetaylor added the Proposal-Crypto label Apr 19, 2022
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals Apr 19, 2022
@gopherbot
Copy link

@gopherbot gopherbot commented Apr 21, 2022

Change https://go.dev/cl/401657 mentions this issue: crypto/x509: revert serial length restriction

gopherbot pushed a commit that referenced this issue Apr 21, 2022
This reverts CL400377, which restricted serials passed to
x509.CreateCertificate to <= 20 octets. Unfortunately this turns out to
be something _a lot_ of people get wrong. Since it's not particularly
obvious how to properly generate conformant serials, until we provide
an easier way for people to get this right, reverting this restriction
makes sense (possible solution discussed in #52444.)

Change-Id: Ia85a0ffe61e2e547abdaf1389c3e1ad29e28a2be
Reviewed-on: https://go-review.googlesource.com/c/go/+/401657
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
@rsc
Copy link
Contributor

@rsc rsc commented Jun 1, 2022

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc rsc moved this from Incoming to Active in Proposals Jun 1, 2022
@rsc
Copy link
Contributor

@rsc rsc commented Jun 8, 2022

This seems fine. Does anyone object to this?

@rsc
Copy link
Contributor

@rsc rsc commented Jun 15, 2022

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc rsc moved this from Active to Likely Accept in Proposals Jun 15, 2022
@rsc rsc moved this from Likely Accept to Accepted in Proposals Jun 22, 2022
@rsc
Copy link
Contributor

@rsc rsc commented Jun 22, 2022

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: crypto/x509: provide method for generating conformant serial numbers crypto/x509: provide method for generating conformant serial numbers Jun 22, 2022
@rsc rsc removed this from the Proposal milestone Jun 22, 2022
@rsc rsc added this to the Backlog milestone Jun 22, 2022
@martin-sucha
Copy link
Contributor

@martin-sucha martin-sucha commented Jun 22, 2022

It is not clear if the proposal is to add func GenerateSerial(rand io.Reader) (*big.Int, error) or func (*Certificate) GenerateSerial(rand io.Reader) error or both. Could you please clarify?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal-FinalCommentPeriod
Projects
Proposals
Accepted
Development

No branches or pull requests

5 participants