[Ejbca-develop] EJBCA is checking for serial number collisions after generating the certificate

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Quoting from
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/OVKywVZIBgAJ
:

In addition to random serial numbers, EJBCA checks for collisions, so even
> in the very unlikely event of equal serial numbers being generated, *no
> certificates with duplicated serial numbers should be issued from a CA
> based on the EJBCA software*. By comparison, collisions do happen
> regularly in testing when using 32 bit serial numbers (and are averted), so
> the underlying checks function as we expect.

Where the highlighted text is not correct, because, as observed from the
trunk source around r31776, if a newly generated random serial number
(generated by
org.cesecore.certificates.ca.internal.SernoGeneratorRandom#getSerno)
results that is being used by an existing certificate, a new collisioning
certificate is still generated (and CT precertificate published!) but it is
discarded only before trying to store it in the database, when the
collision validation is performed (
org.cesecore.certificates.certificate.CertificateCreateSessionBean#assertSerialNumberForIssuerOk
).

It isn't the expected behaviour. Isn't it?.

-- 
Jaime Hablutzel -  RPC 994690880