From 374f8db2e34fa948638a1214a2966c2bb903481e Mon Sep 17 00:00:00 2001
From: terrafrost <terrafrost@php.net>
Date: Thu, 16 Jul 2015 11:31:20 -0500
Subject: [PATCH 1/3] X509: use a random serial number

---
 phpseclib/File/X509.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 3649c3e7..8fcd9c9c 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -317,6 +317,10 @@ class File_X509
             include_once 'Math/BigInteger.php';
         }
 
+        if (!function_exists('crypt_random_string')) {
+            include_once 'Crypt/Random.php';
+        }
+
         // Explicitly Tagged Module, 1988 Syntax
         // http://tools.ietf.org/html/rfc5280#appendix-A.1
 
@@ -3277,7 +3281,12 @@ class File_X509
 
             $startDate = !empty($this->startDate) ? $this->startDate : @date('D, d M Y H:i:s O');
             $endDate = !empty($this->endDate) ? $this->endDate : @date('D, d M Y H:i:s O', strtotime('+1 year'));
-            $serialNumber = !empty($this->serialNumber) ? $this->serialNumber : new Math_BigInteger();
+            // "The serial number MUST be a positive integer"
+            // "Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
+            //  -- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
+            $serialNumber = !empty($this->serialNumber) ?
+                $this->serialNumber :
+                new Math_BigInteger(crypt_random_string(20) & ("\x7F" . str_repeat("\xFF", 19)), 256);
 
             $this->currentCert = array(
                 'tbsCertificate' =>
@@ -3566,6 +3575,11 @@ class File_X509
             $crlNumber = $this->serialNumber;
         } else {
             $crlNumber = $this->getExtension('id-ce-cRLNumber');
+            // "The CRL number is a non-critical CRL extension that conveys a
+            //  monotonically increasing sequence number for a given CRL scope and
+            //  CRL issuer.  This extension allows users to easily determine when a
+            //  particular CRL supersedes another CRL."
+            // -- https://tools.ietf.org/html/rfc5280#section-5.2.3
             $crlNumber = $crlNumber !== false ? $crlNumber->add(new Math_BigInteger(1)) : null;
         }
 

From 693804e62ae856bcf026b65db0581e0b1fc83fe8 Mon Sep 17 00:00:00 2001
From: terrafrost <terrafrost@php.net>
Date: Thu, 16 Jul 2015 11:50:22 -0500
Subject: [PATCH 2/3] X509: move where Crypt/Random loading is done

---
 phpseclib/File/X509.php | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 8fcd9c9c..f3c86d3f 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -317,10 +317,6 @@ class File_X509
             include_once 'Math/BigInteger.php';
         }
 
-        if (!function_exists('crypt_random_string')) {
-            include_once 'Crypt/Random.php';
-        }
-
         // Explicitly Tagged Module, 1988 Syntax
         // http://tools.ietf.org/html/rfc5280#appendix-A.1
 
@@ -3281,12 +3277,17 @@ class File_X509
 
             $startDate = !empty($this->startDate) ? $this->startDate : @date('D, d M Y H:i:s O');
             $endDate = !empty($this->endDate) ? $this->endDate : @date('D, d M Y H:i:s O', strtotime('+1 year'));
-            // "The serial number MUST be a positive integer"
-            // "Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
-            //  -- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
-            $serialNumber = !empty($this->serialNumber) ?
-                $this->serialNumber :
-                new Math_BigInteger(crypt_random_string(20) & ("\x7F" . str_repeat("\xFF", 19)), 256);
+            if (!empty($this->serialNumber)) {
+                $serialNumber = $this->serialNumber;
+            } else {
+                if (!function_exists('crypt_random_string')) {
+                    include_once 'Crypt/Random.php';
+                }
+                // "The serial number MUST be a positive integer"
+                // "Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
+                //  -- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
+                $serialNumber = new Math_BigInteger(crypt_random_string(20) & ("\x7F" . str_repeat("\xFF", 19)), 256);
+            }
 
             $this->currentCert = array(
                 'tbsCertificate' =>

From 0d3a117608db561a5e43e428a3f890aa94c40bf6 Mon Sep 17 00:00:00 2001
From: terrafrost <terrafrost@php.net>
Date: Fri, 17 Jul 2015 00:45:20 -0500
Subject: [PATCH 3/3] X509: add a comment to explain the bitmask

---
 phpseclib/File/X509.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index f3c86d3f..6f8de788 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -3283,9 +3283,13 @@ class File_X509
                 if (!function_exists('crypt_random_string')) {
                     include_once 'Crypt/Random.php';
                 }
-                // "The serial number MUST be a positive integer"
-                // "Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
-                //  -- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
+                /* "The serial number MUST be a positive integer"
+                   "Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
+                    -- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
+
+                   for the integer to be positive the leading bit needs to be 0 hence the
+                   application of a bitmap
+                */
                 $serialNumber = new Math_BigInteger(crypt_random_string(20) & ("\x7F" . str_repeat("\xFF", 19)), 256);
             }