
crypto/x509: generate serial number for nil template SerialNumber #67675

Closed
rolandshoemaker opened this issue May 28, 2024 · 8 comments
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues release-blocker
Milestone

Comments

@rolandshoemaker (Member)

Serial number generation is painfully complicated, especially if you want spec compliance. We've seen, over and over, that people get this wrong, even when trying to get it right.

We should provide an extremely simple way for people to get a correct serial easily. I propose that if the template passed to CreateCertificate contains a nil SerialNumber (currently an error), we will generate a conformant serial number, and add the following to the CreateCertificate documentation:

```go
// If template.SerialNumber is nil, a serial number will be generated which
// conforms to RFC 5280, Section 4.1.2.2 using entropy from rand.
```

This is similar to, but somewhat different from, #52444. Either both, or just this proposal, could be implemented (the same logic would be used in both places).
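As an added illustration of what a conformant serial looks like (this is example code, not the crypto/x509 implementation landed for this issue): `GenerateSerial` is an assumed helper that draws 20 random octets and clears the top bit so the value is positive and DER-encodes in at most 20 content octets, and `ConformsRFC5280` is an assumed checker for the two MUSTs of RFC 5280, Section 4.1.2.2 that callers can run over serials they already generate themselves.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"math/big"
)

// maxSerialBits is the largest bit length a positive integer can have and
// still DER-encode as an INTEGER of at most 20 content octets: with bit 159
// clear, the leading octet is below 0x80, so no extra sign octet is needed.
const maxSerialBits = 159

// GenerateSerial (assumed helper, not the crypto/x509 code) reads 20 octets
// from r, clears the top bit, and retries if the result happens to be zero,
// since RFC 5280 requires a positive serial.
func GenerateSerial(r io.Reader) (*big.Int, error) {
	buf := make([]byte, 20)
	for {
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, fmt.Errorf("serial: %w", err)
		}
		buf[0] &= 0x7f // positive and never more than 20 DER content octets
		s := new(big.Int).SetBytes(buf)
		if s.Sign() > 0 {
			return s, nil
		}
	}
}

// ConformsRFC5280 reports whether serial is positive and fits in 20 octets
// when DER encoded, the two requirements of RFC 5280, Section 4.1.2.2.
func ConformsRFC5280(serial *big.Int) bool {
	return serial != nil && serial.Sign() > 0 && serial.BitLen() <= maxSerialBits
}

func main() {
	s, err := GenerateSerial(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial=%x conformant=%v\n", s, ConformsRFC5280(s))
	// Values the checker rejects: zero, negative, and one needing 21 octets.
	bad := []*big.Int{big.NewInt(0), big.NewInt(-1), new(big.Int).Lsh(big.NewInt(1), 159)}
	for _, b := range bad {
		fmt.Printf("serial=%x conformant=%v\n", b, ConformsRFC5280(b))
	}
}
```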

@gopherbot gopherbot added this to the Proposal milestone May 28, 2024
@ianlancetaylor ianlancetaylor moved this to Incoming in Proposals May 28, 2024
@ianlancetaylor ianlancetaylor added the Proposal-Crypto Proposal related to crypto packages or other security issues label May 28, 2024
@AGWA

AGWA commented May 29, 2024

I like this more than #52444 since it requires less code to use, and doesn't require handling an additional error return. I can't think of a reason to ever generate a standalone serial number.

@rsc rsc changed the title proposal: crypto/x509: automatically generate serial if template SerialNumber is nil proposal: crypto/x509: generate serial number for nil template SerialNumber May 30, 2024
@rsc rsc moved this from Incoming to Active in Proposals May 30, 2024
@rsc (Contributor)

rsc commented May 30, 2024

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc (Contributor)

rsc commented Jun 5, 2024

Have all remaining concerns about this proposal been addressed?

The proposal is to change CreateCertificate to handle a nil template.SerialNumber by generating a serial number according to RFC 5280, Section 4.1.2.2.

The other create routines do not take templates with serial numbers and are unaffected.

@rsc (Contributor)

rsc commented Jun 12, 2024

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

The proposal is to change CreateCertificate to handle a nil template.SerialNumber by generating a serial number according to RFC 5280, Section 4.1.2.2.

The other create routines do not take templates with serial numbers and are unaffected.

@rsc (Contributor)

rsc commented Jun 24, 2024

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

The proposal is to change CreateCertificate to handle a nil template.SerialNumber by generating a serial number according to RFC 5280, Section 4.1.2.2.

The other create routines do not take templates with serial numbers and are unaffected.

@rsc rsc moved this from Likely Accept to Accepted in Proposals Jun 24, 2024
@rsc rsc changed the title proposal: crypto/x509: generate serial number for nil template SerialNumber crypto/x509: generate serial number for nil template SerialNumber Jun 24, 2024
@rsc rsc modified the milestones: Proposal, Backlog Jun 24, 2024
@gopherbot (Contributor)

Change https://go.dev/cl/630995 mentions this issue: crypto/x509: generate serial number for nil template SerialNumber

@dmitshur dmitshur modified the milestones: Backlog, Go1.24 Nov 22, 2024
@dmitshur (Contributor)

@rolandshoemaker There's no API change here, but this still seems like a change that should be covered in Go 1.24 release notes, is that right? Mentioning it there will also help more people discover this new to Go 1.24 ability to take advantage of it.

I'll reopen as a release blocker so this is easy to track; please update as needed. Thanks.

@gopherbot (Contributor)

Change https://go.dev/cl/631683 mentions this issue: doc: add note about crypto/x509 serial generation
