Merge pull request #741 from terrafrost/x509-serialnumber-2.0

X509: use a random serial number for 2.0 branch

* terrafrost/x509-serialnumber-2.0:
  X509: add a comment to explain the bitmask
  X509: move where Crypt/Random loading is done
  X509: use a random serial number
This commit is contained in:
Andreas Fischer 2015-07-17 12:31:10 +02:00
commit feea435071

View File

@ -28,6 +28,7 @@ namespace phpseclib\File;
use phpseclib\Crypt\Hash; use phpseclib\Crypt\Hash;
use phpseclib\Crypt\RSA; use phpseclib\Crypt\RSA;
use phpseclib\Crypt\Random;
use phpseclib\File\ASN1; use phpseclib\File\ASN1;
use phpseclib\File\ASN1\Element; use phpseclib\File\ASN1\Element;
use phpseclib\Math\BigInteger; use phpseclib\Math\BigInteger;
@ -3241,7 +3242,16 @@ class X509
$startDate = !empty($this->startDate) ? $this->startDate : @date('D, d M Y H:i:s O'); $startDate = !empty($this->startDate) ? $this->startDate : @date('D, d M Y H:i:s O');
$endDate = !empty($this->endDate) ? $this->endDate : @date('D, d M Y H:i:s O', strtotime('+1 year')); $endDate = !empty($this->endDate) ? $this->endDate : @date('D, d M Y H:i:s O', strtotime('+1 year'));
$serialNumber = !empty($this->serialNumber) ? $this->serialNumber : new BigInteger(); /* "The serial number MUST be a positive integer"
"Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
-- https://tools.ietf.org/html/rfc5280#section-4.1.2.2
for the integer to be positive the leading bit needs to be 0 hence the
application of a bitmap
*/
$serialNumber = !empty($this->serialNumber) ?
$this->serialNumber :
new BigInteger(Random::string(20) & ("\x7F" . str_repeat("\xFF", 19)), 256);
$this->currentCert = array( $this->currentCert = array(
'tbsCertificate' => 'tbsCertificate' =>
@ -3530,6 +3540,11 @@ class X509
$crlNumber = $this->serialNumber; $crlNumber = $this->serialNumber;
} else { } else {
$crlNumber = $this->getExtension('id-ce-cRLNumber'); $crlNumber = $this->getExtension('id-ce-cRLNumber');
// "The CRL number is a non-critical CRL extension that conveys a
// monotonically increasing sequence number for a given CRL scope and
// CRL issuer. This extension allows users to easily determine when a
// particular CRL supersedes another CRL."
// -- https://tools.ietf.org/html/rfc5280#section-5.2.3
$crlNumber = $crlNumber !== false ? $crlNumber->add(new BigInteger(1)) : null; $crlNumber = $crlNumber !== false ? $crlNumber->add(new BigInteger(1)) : null;
} }