Use crypto random generator for certificate serial numbers

b9311b0b · Daniel Lyubomirov · ce101c52 · b9311b0b · b9311b0b · b9311b0b
Verified Commit b9311b0b authored 4 years ago by Daniel Lyubomirov
--- a/cpp/src/vereign/crypto/cert.cc
+++ b/cpp/src/vereign/crypto/cert.cc
@@ -2,6 +2,7 @@

 #include <vereign/crypto/bio.hh>
 #include <vereign/crypto/errors.hh>
+#include <vereign/crypto/rand.hh>
 #include <vereign/encoding/base64.hh>

 #include <openssl/x509v3.h>
@@ -333,10 +334,7 @@ static auto createCert(
  // set serial number
  auto serial_number = cert_data.SerialNumber;
  if (serial_number == 0) {
-    // FIXME: is using time ok ?
-    serial_number = std::chrono::duration_cast<std::chrono::milliseconds>(
-      std::chrono::system_clock::now().time_since_epoch()
-    ).count();
+    serial_number = crypto::RandUint64();
  }
  r = ASN1_INTEGER_set_uint64(X509_get_serialNumber(cert.get()), serial_number);
  if (r != 1) {

--- a/cpp/src/vereign/crypto/rand.cc
+++ b/cpp/src/vereign/crypto/rand.cc
@@ -23,4 +23,15 @@ auto Rand(std::size_t size) -> bytes::Buffer {
  return buf;
 }

+auto RandUint64() -> uint64_t {
+  uint64_t x = 0;
+  int result = RAND_bytes((uint8_t*) &x, sizeof(x));
+  if (result == 0) {
+    ERR_clear_error();
+    throw Error("crypto rand failed");
+  }
+
+  return x;
+}
+
 } // vereign::crypto
--- a/cpp/src/vereign/crypto/rand.hh
+++ b/cpp/src/vereign/crypto/rand.hh
@@ -43,6 +43,15 @@ void Rand(bytes::Buffer& buf, std::size_t size);
 */
 auto Rand(std::size_t size) -> bytes::Buffer;

+/**
+ * Generates random uint64_t.
+ *
+ * @returns random unsigned 64 bit integer.
+ *
+ * @throws crypto::Error on failure.
+ */
+auto RandUint64() -> uint64_t;
+
 } // vereign::crypto

 #endif // __VEREIGN_CRYPTO_RAND_HH