Don't generate certificates with the same serial number as the CA

Bug discovered using an old version of curl relying on the NSS
library: the certificates generated by the context broker are
rejected with error -8054: SEC_ERROR_REUSED_ISSUER_AND_SERIAL.

This is because we use the same serial number as the CA in the
generated certificates.

Fixed by incrementing the serial number by one.

(cherry picked from commit b7e3a0d40e5d4a9f20080f2a67858da1fe72fc72)
(Fix for Bug 7042)
commit 152442f3507ad942d20798c95785cdef5e27e5fd 1 parent e8939b9
@priteau priteau authored timf committed
3  ctx-broker/src/org/nimbustools/ctxbroker/security/CertificateAuthority.java
@@ -47,6 +47,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
public class CertificateAuthority {
@@ -198,7 +199,7 @@ private String getTargetDN(String cnString) {
private void initializeGenerator() {
this.certGen.reset();
- this.certGen.setSerialNumber(this.caX509.getSerialNumber());
+ this.certGen.setSerialNumber(this.caX509.getSerialNumber().add(BigInteger.ONE));
this.certGen.setSignatureAlgorithm(this.caX509.getSigAlgName());
this.certGen.setIssuerDN(this.caX509Name);
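Review bot: The serial set in initializeGenerator() is still a fixed value, `this.caX509.getSerialNumber().add(BigInteger.ONE)`, so unless it is overridden elsewhere before signing, every certificate issued through this generator carries the same serial under the same issuer DN. That stops the collision with the CA certificate itself, but a client that sees two different certificates from this broker would again have one issuer and one serial for both, which is the condition SEC_ERROR_REUSED_ISSUER_AND_SERIAL describes. Consider assigning a serial that is unique per issued certificate (a persisted counter or a random positive BigInteger) at the point where each certificate is generated, and add a comment here stating why the CA's own serial must not be reused.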