pki: improve serial number generation + fix team association

Replace math/rand by crypto/rand. Fix big when associating certificate with leading zero: nginx prepend 0 wherehas we don't.
2018-02-02 20:29:16 +01:00 · 2018-02-02 20:29:16 +01:00 · 68e5c4cd2b
commit 68e5c4cd2b
parent 3ed8c619b1
5 changed files with 37 additions and 18 deletions
--- a/admin/api/certificate.go
+++ b/admin/api/certificate.go
@ -1,11 +1,12 @@
 package api

 import (
+	"crypto/rand"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"math/rand"
 	"io/ioutil"
+	"math/big"
 	"os"
 	"path"
 	"time"
@ -87,10 +88,19 @@ func getTeamP12File(cert fic.Certificate, _ []byte) (interface{}, error) {

 func generateClientCert(_ httprouter.Params, _ []byte) (interface{}, error) {
 	// First, generate a new, unique, serial
-	serial := rand.Int63()
-	for fic.ExistingCertSerial(serial) {
-		serial = rand.Int63()
+	var serial_gen [8]byte
+	if _, err := rand.Read(serial_gen[:]); err != nil {
+		return nil, err
 	}
+	for fic.ExistingCertSerial(serial_gen) {
+		if _, err := rand.Read(serial_gen[:]); err != nil {
+			return nil, err
+		}
+	}
+
+	var serial_b big.Int
+	serial_b.SetBytes(serial_gen[:])
+	serial := serial_b.Uint64()

 	// Let's pick a random password
 	password, err := pki.GeneratePassword()
@ -148,7 +158,10 @@ func updateCertificateAssociation(cert fic.Certificate, body []byte) (interface{
 	// moreover, backend doesn't update the DB at registration, it only creates a symlink
 	cert.IdTeam = uc.Team

-	dstLinkPath := path.Join(TeamsDir, fmt.Sprintf("_AUTH_ID_%X", cert.Id))
+	var serial big.Int
+	serial.SetUint64(cert.Id)
+
+	dstLinkPath := path.Join(TeamsDir, fmt.Sprintf("_AUTH_ID_%0X", serial.Bytes()))

 	if uc.Team != nil {
 		srcLinkPath := fmt.Sprintf("%d", *uc.Team)
--- a/admin/api/handlers.go
+++ b/admin/api/handlers.go
@ -282,7 +282,7 @@ func fileHandler(f func(fic.EFile,[]byte) (interface{}, error)) func (httprouter

 func certificateHandler(f func(fic.Certificate,[]byte) (interface{}, error)) func (httprouter.Params,[]byte) (interface{}, error) {
 	return func (ps httprouter.Params, body []byte) (interface{}, error) {
-		if certid, err := strconv.ParseInt(string(ps.ByName("certid")), 10, 64); err != nil {
+		if certid, err := strconv.ParseUint(string(ps.ByName("certid")), 10, 64); err != nil {
 			return nil, err
 		} else if cert, err := fic.GetCertificate(certid); err != nil {
 			return nil, err
--- a/admin/pki/client.go
+++ b/admin/pki/client.go
@ -13,21 +13,23 @@ import (
 	"time"
 )

-func ClientCertificatePath(serial int64) string {
+func ClientCertificatePath(serial uint64) string {
 	return path.Join(PKIDir, fmt.Sprintf("%d", serial), "cert.pem")
 }

-func ClientPrivkeyPath(serial int64) string {
+func ClientPrivkeyPath(serial uint64) string {
 	return path.Join(PKIDir, fmt.Sprintf("%d", serial), "privkey.pem")
 }

-func ClientP12Path(serial int64) string {
+func ClientP12Path(serial uint64) string {
 	return path.Join(PKIDir, fmt.Sprintf("%d", serial), "team.p12")
 }

-func GenerateClient(serial int64, notBefore time.Time, notAfter time.Time, parent_cert *x509.Certificate, parent_priv *ecdsa.PrivateKey) error {
+func GenerateClient(serial uint64, notBefore time.Time, notAfter time.Time, parent_cert *x509.Certificate, parent_priv *ecdsa.PrivateKey) error {
+	var certid big.Int
+	certid.SetUint64(serial)
 	client := &x509.Certificate{
-		SerialNumber: big.NewInt(serial),
+		SerialNumber: &certid,
 		Subject: pkix.Name{
 			Organization:       []string{"EPITA"},
 			OrganizationalUnit: []string{"SRS laboratory"},
@ -69,7 +71,7 @@ func GenerateClient(serial int64, notBefore time.Time, notAfter time.Time, paren
 	return nil
 }

-func WriteP12(serial int64, password string) error {
+func WriteP12(serial uint64, password string) error {
 	cmd := exec.Command("/usr/bin/openssl", "pkcs12", "-export",
 		"-inkey", ClientPrivkeyPath(serial),
 		"-in", ClientCertificatePath(serial),