From: MacDonald, N. (Nick) <nma...@av...> - 2012-08-23 16:27:12
Hello:
I am trying to track down an issue, and it has caused me to stray into the EJBCA serial number code. I saw the notes in the SernoGenerator.java about the restrictions on serial numbers, then I ran across this code in ejbca_4_0_12\src\java\org\ejbca\util\CertTools.java:

    byte[] serno = new byte[8];
    SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
    random.setSeed(new Date().getTime());
    random.nextBytes(serno);
    certgen.setSerialNumber(new java.math.BigInteger(serno).abs());

which is not technically following the rules. I was wondering if this should be a call to use the SernoGenerator?

Also wondering about this method in ejbca_4_0_12\modules\ejbca-xkms-cli\src\org\ejbca\core\protocol\xkms\client\XKMSCLIBaseCommand.java:

    protected String genId() throws NoSuchAlgorithmException {
        BigInteger serno = null;
        Random random = SecureRandom.getInstance("SHA1PRNG");
        long seed = Math.abs((new Date().getTime()) + this.hashCode());
        random.setSeed(seed);
        try {
            byte[] sernobytes = new byte[8];
            random.nextBytes(sernobytes);
            serno = (new java.math.BigInteger(sernobytes)).abs();
        } catch (Exception e) {
            getPrintStream().println("Error generating response ID " );
        }
        return "_" + serno.toString();
    }
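
An added example, not part of the original message and not EJBCA code: both quoted snippets call setSeed() on a SHA1PRNG instance before drawing any bytes, and with the SUN provider in OpenJDK that makes the output a function of the seed alone, which this sketch shows next to a self-seeded generator. The class name, method names and sample seed are assumptions made for the illustration.

```java
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added illustration; not EJBCA code. Class and method names are hypothetical.
public class SeededSerialDemo {

    // Same pattern as the quoted snippets: SHA1PRNG seeded explicitly before first use.
    static BigInteger seededSerial(long seed) throws NoSuchAlgorithmException {
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        random.setSeed(seed);            // called before nextBytes(): replaces self-seeding
        byte[] serno = new byte[8];
        random.nextBytes(serno);
        return new BigInteger(serno).abs();
    }

    // Alternative: leave seeding to the platform (OS entropy), no setSeed() call.
    static BigInteger selfSeededSerial(SecureRandom random) {
        byte[] serno = new byte[8];
        random.nextBytes(serno);
        return new BigInteger(1, serno); // signum 1: bytes read as an unsigned magnitude
    }

    public static void main(String[] args) throws Exception {
        long seed = 1345739232000L;      // constructed sample value (a millisecond timestamp)

        // Two independent generators given the same seed.
        BigInteger a = seededSerial(seed);
        BigInteger b = seededSerial(seed);
        System.out.println("seeded, run 1: " + a.toString(16));
        System.out.println("seeded, run 2: " + b.toString(16));
        System.out.println("identical:     " + a.equals(b));

        // One self-seeded generator, two draws.
        SecureRandom random = new SecureRandom();
        System.out.println("self-seeded 1: " + selfSeededSerial(random).toString(16));
        System.out.println("self-seeded 2: " + selfSeededSerial(random).toString(16));

        // abs() edge case: 0x80 00 .. 00 decodes to -2^63, and its absolute
        // value 2^63 no longer fits in 8 signed bytes when re-encoded.
        byte[] min = {(byte) 0x80, 0, 0, 0, 0, 0, 0, 0};
        int len = new BigInteger(min).abs().toByteArray().length;
        System.out.println("abs() encoded length: " + len);
    }
}
```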