Hello, today is the day before the Kalends of March 2006, Mark H. Wood wrote:

> I think that part of the difficulty here is the words used. Our
> experience in other areas is overwhelmingly in favor of "serial number"
> being a sample from a counter that starts at 0 or 1 and is incremented by
> 1 every time it's consulted.

That's not really incompatible with something random, from the outside. Just keep an internal counter, pack it properly into a 128-bit structure, encrypt it with an AES key, and there you have it: a random serial number, and you're sure you won't have any duplicate.

A command-line version (for the CA.{pl,sh} utility) could be this script:

----- genserial.sh
#! /bin/sh
# Current counter value, kept as uppercase hex (the form bc writes below)
COUNTER=`cat counter`
# The AES key as one hex string; tr joins od's output lines and drops the spaces
KEY=`od -t x1 -A n aeskey.bin | tr -d ' \n'`
# Encrypt the counter with AES-128-ECB and store the ciphertext as hex in "serial"
# (printf instead of "echo -n", which not every /bin/sh understands)
{ printf '%s' "$COUNTER" | openssl enc -K "$KEY" -aes-128-ecb -iv ffff | od -t x1 -A n | tr -d ' \n'; echo; } > serial
# Increment the counter; ibase/obase are set so bc reads and writes hex
echo "obase=16; ibase=16; $COUNTER+1" | bc > counter
-----

For this to work, you have to generate a random AES key:

    dd if=/dev/urandom of=aeskey.bin bs=1 count=16

and initialize your counter file:

    echo "1" > counter

(or any value you want)

Call this script to generate a serial number based on the counter, and increment the counter for the next one. Just tell 'openssl ca' to use the generated serial, as is done by default by CA.{pl,sh}.

The iv parameter value is not important, because we use the ECB mode, but the software needs one to be set, so just make it happy.

This simple script doesn't allow you to generate 2^128 different serial numbers, you'll only get 16^16 different ones, but for a home-made CA, that should be enough.

> So we see a field described as a serial
> number and ask why it isn't behaving properly. It's too bad the standard
> calls this attribute a "serial number" rather than, say, "certificate
> unique identifier", but the term is fixed now.

The standard goes back to 1988 for the final X.509 v1, and at that time, the described X.509 collision attack didn't exist. Then, somewhere between 1988 and 1997, X.509v2 came in, adding the subjectUniqueIdentifier field (a UniqueIdentifier is a BIT STRING), which was replaced in 1997 (X.509v3) by the subjectKeyIdentifier extension.

The subjectUniqueIdentifier and subjectKeyIdentifier are really meant to be unique by themselves (whether it's truly unique or not is left to the implementor), but the serialNumber is not unique alone, by definition.

-- 
Erwann ABALEA <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
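The design Erwann describes (a plain counter as the real source of uniqueness, AES-encrypted so the serial looks random from the outside) in Go, as an added example that is not code from the original post or from the OpenSSL project. Unlike the shell script, which encrypts the counter's ASCII hex text, this packs the counter into the 16-byte block as a big-endian integer, so the whole block is used and every one of the 2^64 counter values maps to a distinct 128-bit serial. The key `demoKey` is a constructed value for the example only; the `SerialGenerator`, `SerialFor`, `Next`, `Recover` and `AsBigInt` names are this example's own, and the serial is returned as a `*big.Int` because that is the type Go's `crypto/x509` uses for `Certificate.SerialNumber`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
)

// demoKey is a CONSTRUCTED key for this example only. A real CA generates
// 16 random bytes (the post's "dd if=/dev/urandom ... count=16") and keeps
// them as secret as it keeps the counter file.
var demoKey = []byte("0123456789abcdef")

// SerialGenerator encrypts an incrementing counter to produce serials.
// Exactly one AES block per serial, so ECB is appropriate here: every
// plaintext block is distinct by construction, and AES is a permutation
// on blocks, so the ciphertexts are distinct too.
type SerialGenerator struct {
	block   cipher.Block
	counter uint64 // the post persists this in the "counter" file
}

// NewSerialGenerator takes a 16-, 24- or 32-byte AES key and the first
// counter value to issue.
func NewSerialGenerator(key []byte, start uint64) (*SerialGenerator, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &SerialGenerator{block: block, counter: start}, nil
}

// SerialFor maps one counter value to its 128-bit serial. The counter is
// packed big-endian into the low 8 bytes of the 16-byte block; the high
// 8 bytes stay zero.
func (g *SerialGenerator) SerialFor(counter uint64) []byte {
	var pt [aes.BlockSize]byte
	binary.BigEndian.PutUint64(pt[8:], counter)
	ct := make([]byte, aes.BlockSize)
	g.block.Encrypt(ct, pt[:])
	return ct
}

// Next issues the serial for the current counter and advances the counter.
func (g *SerialGenerator) Next() []byte {
	s := g.SerialFor(g.counter)
	g.counter++
	return s
}

// Recover decrypts a serial back to its counter value. The zero high half
// is a cheap check that the serial was produced by this generator (a
// random 16-byte value passes it with probability 2^-64).
func (g *SerialGenerator) Recover(serial []byte) (uint64, bool) {
	if len(serial) != aes.BlockSize {
		return 0, false
	}
	var pt [aes.BlockSize]byte
	g.block.Decrypt(pt[:], serial)
	for _, b := range pt[:8] {
		if b != 0 {
			return 0, false
		}
	}
	return binary.BigEndian.Uint64(pt[8:]), true
}

// AsBigInt converts a serial to the form crypto/x509's Certificate.SerialNumber
// uses. RFC 5280 requires a positive integer of at most 20 octets; a 16-byte
// value (17 octets in DER when its top bit is set) stays within that limit.
func AsBigInt(serial []byte) *big.Int {
	return new(big.Int).SetBytes(serial)
}

func main() {
	gen, err := NewSerialGenerator(demoKey, 1)
	if err != nil {
		panic(err)
	}
	for i := 0; i < 3; i++ {
		s := gen.Next()
		n, _ := gen.Recover(s)
		fmt.Printf("counter %d -> serial %s (%d bits)\n",
			n, hex.EncodeToString(s), AsBigInt(s).BitLen())
	}
}
```

Because the mapping is a permutation, Recover doubles as an audit tool: given a serial from an issued certificate, the CA operator can decrypt it to learn which counter value (and therefore which issuance) it corresponds to, something a serial drawn from /dev/urandom cannot offer.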