From: Tomas G. <to...@pr...> - 2019-03-18 13:57:46
Hi Jaime,

Thanks for the patch (I lost that email...). See issue: https://jira.primekey.se/browse/ECA-7989

I made a small modification to your patch, removed deprecated methods and other tiny fixes, and added a multi-threaded test. Otherwise a very elegant patch.

Thanks.

Regards,
Tomas

On 2019-03-17 18:35, Jaime Hablutzel wrote:
> First, I wanted to clarify that with EJBCA <7.0.1, the default 8-byte
> configuration for serial number generation wasn't delivering 63 bits of
> entropy (as declared), mainly because the implementation filters out
> values that would produce a DER encoding of less than 8 bytes, so the
> real entropy being provided would be around (or less than):
>
> log2(0x7FFFFFFFFFFFFFFF - 0x80000000000000 + 1) = 62.99435343685886
>
> Now, I would like to suggest improving the documentation at
> https://www.ejbca.org/docs/CA_Fields.html#src-42205242_id-.CAFieldsv7.0.1-Ca_Serial_Number_Octet_Size,
> modifying it to something like this:
>
> Sets the length in octets of generated certificate serial numbers,
> but note that the length of the serial number IS NOT the same as
> the entropy it contains (e.g. an 8-octet or 64-bit serial number
> doesn't provide 64 bits of entropy) because some values are being
> filtered out:
> - Negative values (all with the most significant bit set to 1).
> - Values that would produce a shorter encoding than the requested
> length in octets.
> - Serial numbers of previously generated certificates.
> Now, the CA/B Forum requires 64 bits of entropy when generating
> serial numbers; hence, to comply with that requirement, sizes
> larger than 8 octets are required (for more information, refer to the
> CA/Browser Forum information on Ballot 164 - Certificate Serial
> Number Entropy).
> Possible values can range between 4 and 20 octets, and the default
> for all new CAs is 20 octets.
>
>
> Finally, I have attached a patch with some improvements over the current
> code at ECA-4991.
>
> --
> Jaime Hablutzel - RPC 994690880
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
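Worked example of the entropy argument in Jaime's message, added here as illustration; it is not code from the thread, from the attached patch or from EJBCA. It reproduces the 62.994-bit figure for 8 octets from the two filters he names (sign bit clear, DER content length not shorter than the configured size), shows that 9 octets is the smallest size clearing the 64-bit CA/Browser Forum bar, and includes a hypothetical rejection-sampling generator that models that filtering. The constants MIN_OCTETS, MAX_OCTETS and CABF_REQUIRED_BITS are taken from the message; the function names are the example's own, and the serial-reuse filter (the third bullet) is deliberately left out of the stateless model.

```python
import math
import secrets

# Values stated in the thread: EJBCA's documented octet-size range and the
# CA/Browser Forum (Ballot 164) entropy requirement.
MIN_OCTETS, MAX_OCTETS = 4, 20
CABF_REQUIRED_BITS = 64


def der_integer_content_length(value):
    """Number of content octets DER needs for a non-negative INTEGER.

    DER encodes INTEGER as minimal two's complement, so a value whose top
    bit is set in its natural byte width gets an extra leading 0x00 octet.
    """
    if value < 0:
        raise ValueError("only non-negative serial numbers are modelled here")
    return value.bit_length() // 8 + 1


def accepted_range(octets):
    """Smallest and largest serials that survive the two filters from the
    thread for a given octet size: sign bit clear (non-negative) and a DER
    content length of exactly `octets` (nothing that encodes shorter)."""
    if octets < 1:
        raise ValueError("octets must be >= 1")
    low = 0 if octets == 1 else 1 << (8 * (octets - 1) - 1)
    high = (1 << (8 * octets - 1)) - 1
    return low, high


def effective_entropy_bits(octets):
    """log2 of how many distinct serials a uniform generator can return after
    filtering. For 8 octets this is exactly the thread's
    log2(0x7FFFFFFFFFFFFFFF - 0x80000000000000 + 1)."""
    low, high = accepted_range(octets)
    return math.log2(high - low + 1)


def min_octets_for_entropy(bits):
    """Smallest octet size whose filtered range still offers `bits` of entropy."""
    octets = 1
    while effective_entropy_bits(octets) < bits:
        octets += 1
    return octets


def generate_serial(octets, random_bytes=secrets.token_bytes):
    """Hypothetical rejection-sampling generator modelled on the filtering
    described in the thread (not EJBCA's implementation): draw `octets`
    random bytes, clear the sign bit, and retry whenever the DER encoding
    would come out shorter than `octets`. Reuse of earlier serials is a
    stateful check and is not modelled here."""
    sign_bit_mask = (1 << (8 * octets - 1)) - 1
    while True:
        candidate = int.from_bytes(random_bytes(octets), "big") & sign_bit_mask
        if der_integer_content_length(candidate) == octets:
            return candidate


if __name__ == "__main__":
    for n in range(MIN_OCTETS, MAX_OCTETS + 1):
        print(f"{n:2d} octets -> {effective_entropy_bits(n):.4f} bits of entropy")
    print("smallest size meeting the CA/B Forum requirement:",
          min_octets_for_entropy(CABF_REQUIRED_BITS))
    serial = generate_serial(8)
    print(f"sample 8-octet serial: {serial:#x} "
          f"({der_integer_content_length(serial)} DER content octets)")
```

The loss is small per size (only 1/256 of the non-negative values are rejected for any size above one octet, so each size lands just under its nominal 8n-1 bits), but it is enough to push 8 octets below both the advertised 63 bits and the 64-bit requirement; from 9 octets upward the filtered range comfortably exceeds 64 bits.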