Add random serial# support.

Add -rand_serial to CA command and "serial_rand" config option. Up RAND_BITS to 159, and comment why: now confirms to CABForum guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4185)
author: Rich Salz <rsalz@openssl.org> 2017-08-16 15:49:25 -0400
committer: Rich Salz <rsalz@openssl.org> 2017-08-22 09:00:04 -0400
commit: ffb46830e2dfd3203044e6190f50a20fec50162d (patch)
tree: 744d016ce5d6dea1aa48a36e95024d8333dff969 /apps/apps.h
parent: 932c0df29b7a5a2902c52e2f536b5b83392e2d42 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/apps/apps.h b/apps/apps.h
index 3b6597869f..fdf316a08e 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -568,7 +568,12 @@ void store_setup_crl_download(X509_STORE *st);
 
 # define APP_PASS_LEN    1024
 
-# define SERIAL_RAND_BITS        64
+/*
+ * IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
+ * so that the first bit will never be one, so that the DER encoding
+ * rules won't force a leading octet.
+ */
+# define SERIAL_RAND_BITS        159
 
 int app_isdir(const char *);
 int app_access(const char *, int flag);
author	Rich Salz <rsalz@openssl.org>	2017-08-16 15:49:25 -0400
committer	Rich Salz <rsalz@openssl.org>	2017-08-22 09:00:04 -0400
commit	ffb46830e2dfd3203044e6190f50a20fec50162d (patch)
tree	744d016ce5d6dea1aa48a36e95024d8333dff969 /apps/apps.h
parent	932c0df29b7a5a2902c52e2f536b5b83392e2d42 (diff)