| author | Joel Klinghed <the_jk@yahoo.com> | 2017-03-30 22:28:35 +0200 |
|---|---|---|
| committer | Joel Klinghed <the_jk@yahoo.com> | 2017-03-30 22:28:35 +0200 |
| commit | 3a7871b96c9a655842d62a429e1250d8d27490d7 (patch) | |
| tree | 1254d098eb969c90a651828786196a1f1a36ee1f /src/ssl_mbedtls.cc | |
| parent | 7e9b90fb692b80df159992f62458c70c9fe36781 (diff) | |
Generate a unique serial for each cert
Diffstat (limited to 'src/ssl_mbedtls.cc')
| -rw-r--r-- | src/ssl_mbedtls.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/ssl_mbedtls.cc b/src/ssl_mbedtls.cc
index 3395d83..10de993 100644
--- a/src/ssl_mbedtls.cc
+++ b/src/ssl_mbedtls.cc
@@ -504,6 +504,7 @@ bool SSLCert::generate(Logger* logger, SSLEntropy* entropy,
                        std::string const& host, SSLKey* key, std::string* cert) {
   mbedtls_x509write_cert crt;
+  mbedtls_mpi serial;
   char issuer_name[256];
   std::string subject;
   bool ok = false;
@@ -513,6 +514,7 @@ bool SSLCert::generate(Logger* logger, SSLEntropy* entropy,
   char not_after[20];
   unsigned char buffer[16000];
   mbedtls_x509write_crt_init(&crt);
+  mbedtls_mpi_init(&serial);
   mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA256);
   if (key) {
@@ -569,6 +571,17 @@ bool SSLCert::generate(Logger* logger, SSLEntropy* entropy,
     goto error;
   }
+  if (mbedtls_mpi_fill_random(
+      &serial, 32, mbedtls_ctr_drbg_random,
+      static_cast<SSLEntropyImpl*>(entropy)->random())) {
+    logerr(logger, ret, "Unable generate serial");
+    goto error;
+  }
+  if (mbedtls_x509write_crt_set_serial(&crt, &serial)) {
+    logerr(logger, ret, "Unable to set serial");
+    goto error;
+  }
+
   ret = mbedtls_x509write_crt_pem(
       &crt, buffer, sizeof(buffer), mbedtls_ctr_drbg_random,
@@ -581,6 +594,7 @@ bool SSLCert::generate(Logger* logger, SSLEntropy* entropy,
   ok = true;
 error:
+  mbedtls_mpi_free(&serial);
   mbedtls_x509write_crt_free(&crt);
   return ok;
 }
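Review bot: Both new checks in the third hunk discard the Mbed TLS return code, so on failure `logerr(logger, ret, ...)` reports whatever `ret` still holds from the previous call instead of the error from `mbedtls_mpi_fill_random` or `mbedtls_x509write_crt_set_serial`; assign it first, as the `ret = mbedtls_x509write_crt_pem(` line just below already does. Separately, 32 random bytes make a 256-bit serial, and the DER writer prefixes a 0x00 octet whenever the top bit is set, so the encoded serialNumber can reach 33 octets, whereas RFC 5280 §4.1.2.2 limits it to 20 octets and stricter validators reject longer values; 19 random bytes stays within the limit even with the sign octet and still far exceeds the 64 bits of CSPRNG entropy that CA/B Forum requires. The message `"Unable generate serial"` is also missing the word "to". `SSLCert::generate` starts and ends outside this hunk, so I cannot see whether any `goto error` precedes `mbedtls_mpi_init(&serial)`; if one does, the new `mbedtls_mpi_free` at the label would run on an uninitialized struct.
```cpp
  if ((ret = mbedtls_mpi_fill_random(
           &serial, 19, mbedtls_ctr_drbg_random,
           static_cast<SSLEntropyImpl*>(entropy)->random())) != 0) {
    logerr(logger, ret, "Unable to generate serial");
    goto error;
  }
  if ((ret = mbedtls_x509write_crt_set_serial(&crt, &serial)) != 0) {
    logerr(logger, ret, "Unable to set serial");
    goto error;
  }
  // … unchanged: mbedtls_x509write_crt_pem call …
```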
