ca doesn't read fully from /dev/urandom #911
Milestone
Comments
|
cc @bdaehlie |
Merged
jmhodges
added a commit
that referenced
this issue
Oct 4, 2015
This didn't cause any certificates to be made with duplicate serial numbers because the primary key in the certificates table is the serial number and so attempts to insert duplicates fail. The cause is the use of rand/Reader.Read. rand/Reader.Read does not perform the io.ReadFull that rand.Read does. Without the io.ReadFull, less than all of the random part of the serial number would be filled in. Fixes #911.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The serial numbers from the ca are sometimes full of trailing zeros causing almost duplicate serial numbers (duplicates error out when attempted to be inserted out in the database, so no exploit is available) because
rand/Reader.Readwas used instead ofrand.Read.This ought to be a GA fix for our sanity, but is not actively exploitable.
The text was updated successfully, but these errors were encountered: