pki: improve serial number generation + fix team association
Replace math/rand by crypto/rand. Fix bug when associating a certificate with a leading zero: nginx prepends a 0 whereas we don't.
parent
3ed8c619b1
commit
68e5c4cd2b
5 changed files with 37 additions and 18 deletions
@ -1,11 +1,12 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"io/ioutil"
|
||||
"math/big"
|
||||
"os"
|
||||
"path"
|
||||
"time"
|
||||
|
|
@ -87,10 +88,19 @@ func getTeamP12File(cert fic.Certificate, _ []byte) (interface{}, error) {
|
|||
|
||||
func generateClientCert(_ httprouter.Params, _ []byte) (interface{}, error) {
|
||||
// First, generate a new, unique, serial
|
||||
serial := rand.Int63()
|
||||
for fic.ExistingCertSerial(serial) {
|
||||
serial = rand.Int63()
|
||||
var serial_gen [8]byte
|
||||
if _, err := rand.Read(serial_gen[:]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for fic.ExistingCertSerial(serial_gen) {
|
||||
if _, err := rand.Read(serial_gen[:]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
var serial_b big.Int
|
||||
serial_b.SetBytes(serial_gen[:])
|
||||
serial := serial_b.Uint64()
|
||||
|
||||
// Let's pick a random password
|
||||
password, err := pki.GeneratePassword()
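Review bot: The uniqueness loop passes the raw `[8]byte` buffer `serial_gen` to `fic.ExistingCertSerial`, while the value actually kept is the `uint64` derived from it three lines later; unless ExistingCertSerial was changed in one of the files not shown here to accept the array, this does not compile, and either way the check should be made on the same integer that ends up as `serial`. The big.Int round trip is also unnecessary: `binary.BigEndian.Uint64(serial_gen[:])` yields the same value as `SetBytes` followed by `Uint64()` (it needs `encoding/binary` in the import block). The underscore names `serial_gen` / `serial_b` are not Go style; a single loop that draws, decodes and tests in one place reads more clearly. generateClientCert's body continues past the hunk.
```go
func generateClientCert(_ httprouter.Params, _ []byte) (interface{}, error) {
	// First, generate a new, unique, serial: 8 bytes from the CSPRNG,
	// decoded big-endian, redrawn until no existing certificate uses it.
	var serial uint64
	for {
		var buf [8]byte
		if _, err := rand.Read(buf[:]); err != nil {
			return nil, err
		}
		serial = binary.BigEndian.Uint64(buf[:])
		if !fic.ExistingCertSerial(serial) {
			break
		}
	}

	// … unchanged: password generation and the rest of the function …
```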
|
||||
|
|
@ -148,7 +158,10 @@ func updateCertificateAssociation(cert fic.Certificate, body []byte) (interface{
|
|||
// moreover, backend doesn't update the DB at registration, it only creates a symlink
|
||||
cert.IdTeam = uc.Team
|
||||
|
||||
dstLinkPath := path.Join(TeamsDir, fmt.Sprintf("_AUTH_ID_%X", cert.Id))
|
||||
var serial big.Int
|
||||
serial.SetUint64(cert.Id)
|
||||
|
||||
dstLinkPath := path.Join(TeamsDir, fmt.Sprintf("_AUTH_ID_%0X", serial.Bytes()))
|
||||
|
||||
if uc.Team != nil {
|
||||
srcLinkPath := fmt.Sprintf("%d", *uc.Team)
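Review bot: The `0` flag in `%0X` on the new dstLinkPath line has no effect on a byte slice — `%X` already renders every byte of `serial.Bytes()` as two hex digits, and that two-digits-per-byte form is what restores the leading zero nginx emits — so `fmt.Sprintf("_AUTH_ID_%X", serial.Bytes())` expresses the intent without the misleading flag. A why-comment would save the next reader from "simplifying" it back to `%X` on the integer, e.g. `// hex of the minimal big-endian bytes, two digits per byte, to match the serial as nginx renders it`. One edge to confirm: for `cert.Id == 0`, `Bytes()` is empty and the link name ends in a bare `_AUTH_ID_`, whereas I believe the OpenSSL-style rendering gives "00"; probably unreachable, but worth a guard if ids can be zero. updateCertificateAssociation starts before and continues after the hunk.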
|
||||
|
|
@ -282,7 +282,7 @@ func fileHandler(f func(fic.EFile,[]byte) (interface{}, error)) func (httprouter
|
|||
|
||||
func certificateHandler(f func(fic.Certificate,[]byte) (interface{}, error)) func (httprouter.Params,[]byte) (interface{}, error) {
|
||||
return func (ps httprouter.Params, body []byte) (interface{}, error) {
|
||||
if certid, err := strconv.ParseInt(string(ps.ByName("certid")), 10, 64); err != nil {
|
||||
if certid, err := strconv.ParseUint(string(ps.ByName("certid")), 10, 64); err != nil {
|
||||
return nil, err
|
||||
} else if cert, err := fic.GetCertificate(certid); err != nil {
|
||||
return nil, err
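Review bot: The `string(...)` wrapper on the new ParseUint line is redundant — `httprouter.Params.ByName` already returns a string — so `strconv.ParseUint(ps.ByName("certid"), 10, 64)` reads cleaner. The old line carried the same conversion, but since the line is being rewritten anyway it is the moment to drop it. Switching to ParseUint also makes the parsed id agree in type with the `cert.Id` that `SetUint64` consumes in the association hunk, which is good. certificateHandler's closure continues past the hunk.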
|
||||
|
|