From 5923a9a5e37052029ac4de951820cdef58213a21 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@oath.com>
Date: Mon, 3 Sep 2018 15:11:36 +0200
Subject: Make serial number a BigInteger to allow for >64-bit values

---
 .../com/yahoo/security/X509CertificateBuilder.java     | 18 +++++++++++++-----
 .../src/test/java/com/yahoo/security/TestUtils.java    |  3 ++-
 .../com/yahoo/security/X509CertificateBuilderTest.java |  5 +++--
 .../com/yahoo/security/X509CertificateUtilsTest.java   |  3 ++-
 4 files changed, 20 insertions(+), 9 deletions(-)

(limited to 'vespajlib')

diff --git a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
index 826284d2229..54d7d39253e 100644
--- a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
+++ b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
@@ -21,6 +21,7 @@ import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import java.sql.Date;
 import java.time.Instant;
@@ -35,7 +36,7 @@ import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
  */
 public class X509CertificateBuilder {
 
-    private final long serialNumber;
+    private final BigInteger serialNumber;
     private final SignatureAlgorithm signingAlgorithm;
     private final PrivateKey caPrivateKey;
     private final Instant notBefore;
@@ -53,7 +54,7 @@ public class X509CertificateBuilder {
                                    PublicKey certPublicKey,
                                    PrivateKey caPrivateKey,
                                    SignatureAlgorithm signingAlgorithm,
-                                   long serialNumber) {
+                                   BigInteger serialNumber) {
         this.issuer = issuer;
         this.subject = subject;
         this.notBefore = notBefore;
@@ -70,7 +71,7 @@ public class X509CertificateBuilder {
                                                  Instant notAfter,
                                                  PrivateKey caPrivateKey,
                                                  SignatureAlgorithm signingAlgorithm,
-                                                 long serialNumber) {
+                                                 BigInteger serialNumber) {
         try {
             PKCS10CertificationRequest bcCsr = csr.getBcCsr();
             PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr)
@@ -96,7 +97,7 @@ public class X509CertificateBuilder {
                                                      Instant notBefore,
                                                      Instant notAfter,
                                                      SignatureAlgorithm signingAlgorithm,
-                                                     long serialNumber) {
+                                                     BigInteger serialNumber) {
         return new X509CertificateBuilder(subject,
                                           subject,
                                           notBefore,
@@ -107,6 +108,13 @@ public class X509CertificateBuilder {
                                           serialNumber);
     }
 
+    /**
+     * @return generates a cryptographically secure positive serial number up to 128 bits
+     */
+    public static BigInteger generateRandomSerialNumber() {
+        return new BigInteger(128, new SecureRandom());
+    }
+
     public X509CertificateBuilder addSubjectAlternativeName(String dnsName) {
         this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName));
         return this;
@@ -129,7 +137,7 @@ public class X509CertificateBuilder {
     public X509Certificate build() {
         try {
             JcaX509v3CertificateBuilder jcaCertBuilder = new JcaX509v3CertificateBuilder(
-                    issuer, BigInteger.valueOf(serialNumber), Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
+                    issuer, serialNumber, Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
             if (basicConstraintsExtension != null) {
                 jcaCertBuilder.addExtension(
                         Extension.basicConstraints,
diff --git a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
index dcf75e26aec..fcfcfb2b761 100644
--- a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
+++ b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
@@ -2,6 +2,7 @@
 package com.yahoo.security;
 
 import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
 import java.nio.file.Path;
 import java.security.KeyPair;
 import java.security.KeyStore;
@@ -31,7 +32,7 @@ class TestUtils {
     static X509Certificate createCertificate(KeyPair keyPair, X500Principal subject)  {
         return X509CertificateBuilder
                 .fromKeypair(
-                        keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, 1)
+                        keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1))
                 .build();
     }
 
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
index 469d4887858..7e6d343b570 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
@@ -6,6 +6,7 @@ import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 
 import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
@@ -51,7 +52,7 @@ public class X509CertificateBuilderTest {
                         Instant.now(),
                         Instant.now().plus(1, ChronoUnit.DAYS),
                         signatureAlgorithm,
-                        1)
+                        BigInteger.valueOf(1))
                 .setBasicConstraints(true, true)
                 .build();
         assertEquals(subject, cert.getSubjectX500Principal());
@@ -72,7 +73,7 @@ public class X509CertificateBuilderTest {
                         Instant.now().plus(1, ChronoUnit.DAYS),
                         caKeypair.getPrivate(),
                         signatureAlgorithm,
-                        1)
+                        BigInteger.valueOf(1))
                 .addSubjectAlternativeName("subject1.alt")
                 .addSubjectAlternativeName("subject2.alt")
                 .build();
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
index dc744d9f2b9..76a93028efe 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
@@ -4,6 +4,7 @@ package com.yahoo.security;
 import org.junit.Test;
 
 import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
@@ -62,7 +63,7 @@ public class X509CertificateUtilsTest {
                         Instant.now(),
                         Instant.now().plus(1, ChronoUnit.DAYS),
                         SignatureAlgorithm.SHA512_WITH_ECDSA,
-                        1)
+                        BigInteger.valueOf(1))
                 .addSubjectAlternativeName(san)
                 .build();
 
-- 
cgit v1.2.3