From a3b4cd32e5c1ff593c5ba97bbedc0c8bd7b532b6 Mon Sep 17 00:00:00 2001
From: Min Ni <111446062+nnmin-aws@users.noreply.github.com>
Date: Tue, 9 May 2023 06:34:08 -0700
Subject: [PATCH] update serial number to a valid non-zero number in ca certificate (#117791)

* update serial number to a valid non-zero number in ca certificate

* fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit

Kubernetes-commit: e865b30abd0a862697ff1d2526ea8897ee98a523
---
 go.mod | 8 ++++----
 go.sum | 8 ++++----
 util/cert/cert.go | 27 ++++++++++++++++++++++-----
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/go.mod b/go.mod
index 8635b25c..61749e41 100644
--- a/go.mod
+++ b/go.mod
@@ -23,8 +23,8 @@ require (
 	golang.org/x/term v0.7.0
 	golang.org/x/time v0.3.0
 	google.golang.org/protobuf v1.30.0
-	k8s.io/api v0.0.0-20230503175224-7a87286591e4
-	k8s.io/apimachinery v0.0.0-20230503174314-7ecc58659e5e
+	k8s.io/api v0.0.0-20230506223117-f3a0f2ed177a
+	k8s.io/apimachinery v0.0.0-20230508165628-e7958c5fe270
 	k8s.io/klog/v2 v2.100.1
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
@@ -59,6 +59,6 @@ require (
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20230503175224-7a87286591e4
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230503174314-7ecc58659e5e
+	k8s.io/api => k8s.io/api v0.0.0-20230506223117-f3a0f2ed177a
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230508165628-e7958c5fe270
 )
diff --git a/go.sum b/go.sum
index 8fcf752f..9cf743b4 100644
--- a/go.sum
+++ b/go.sum
@@ -478,10 +478,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.0.0-20230503175224-7a87286591e4 h1:cxVILqCCBsq5MCwFs3RkBL8HDUwZ6Sh5qH0UBJSTnnw=
-k8s.io/api v0.0.0-20230503175224-7a87286591e4/go.mod h1:/fu24lnfAhrloAI7EhcGTa0fXXQH5r4rUqEQMW9endY=
-k8s.io/apimachinery v0.0.0-20230503174314-7ecc58659e5e h1:zTmKa/UVIS4WvRrYbIblypAjK81XFnlq8zxUCiBFgFE=
-k8s.io/apimachinery v0.0.0-20230503174314-7ecc58659e5e/go.mod h1:jF849JXyKVKRC0O62ZBSygt6qOSEYju8i90sKd1mx4g=
+k8s.io/api v0.0.0-20230506223117-f3a0f2ed177a h1:8sUE9zRxWwhC0FmKr0+Jtm6wgnL3ljlVJOT94jSVsO4=
+k8s.io/api v0.0.0-20230506223117-f3a0f2ed177a/go.mod h1:/fu24lnfAhrloAI7EhcGTa0fXXQH5r4rUqEQMW9endY=
+k8s.io/apimachinery v0.0.0-20230508165628-e7958c5fe270 h1:0kz1rv3L87V/4KNEVPlst7yhT5RfAC+5JqeXR3rBXVc=
+k8s.io/apimachinery v0.0.0-20230508165628-e7958c5fe270/go.mod h1:jF849JXyKVKRC0O62ZBSygt6qOSEYju8i90sKd1mx4g=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
diff --git a/util/cert/cert.go b/util/cert/cert.go
index 4be1dfe4..37b023ef 100644
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -25,6 +25,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
+	"math"
 	"math/big"
 	"net"
 	"os"
@@ -57,8 +58,14 @@ type AltNames struct {
 // NewSelfSignedCACert creates a CA certificate
 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
 	now := time.Now()
+	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+	if err != nil {
+		return nil, err
+	}
+	serial = new(big.Int).Add(serial, big.NewInt(1))
 	tmpl := x509.Certificate{
-		SerialNumber: new(big.Int).SetInt64(0),
+		SerialNumber: serial,
 		Subject: pkix.Name{
 			CommonName:   cfg.CommonName,
 			Organization: cfg.Organization,
@@ -116,9 +123,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 	if err != nil {
 		return nil, nil, err
 	}
-
+	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+	if err != nil {
+		return nil, nil, err
+	}
+	serial = new(big.Int).Add(serial, big.NewInt(1))
 	caTemplate := x509.Certificate{
-		SerialNumber: big.NewInt(1),
+		SerialNumber: serial,
 		Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
 		},
@@ -144,9 +156,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 	if err != nil {
 		return nil, nil, err
 	}
-
+	// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
+	serial, err = cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
+	if err != nil {
+		return nil, nil, err
+	}
+	serial = new(big.Int).Add(serial, big.NewInt(1))
 	template := x509.Certificate{
-		SerialNumber: big.NewInt(2),
+		SerialNumber: serial,
 	Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 		},
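Review bot: The same six lines (range comment, cryptorand.Int call, error check, +1 adjustment) are pasted verbatim in NewSelfSignedCACert and twice in GenerateSelfSignedCertKeyWithFixtures (hunks @@ -116 and @@ -144); the serial policy should live in one unexported helper so the bound and the zero-exclusion cannot drift between call sites, and so the doc comment can state the exact range once (with max = math.MaxInt64-1, cryptorand.Int returns [0, max) and the +1 yields [1, math.MaxInt64-1], which the current "[0, max-1)" wording obscures). A helper also makes it a one-line change to widen the bound later: the current bound gives just under 63 bits of CSPRNG output, which is fine for self-signed and fixture certificates but below the 64-bit minimum the CA/Browser Forum baseline requires of publicly trusted issuers, and RFC 5280 permits serials up to 20 octets. All three enclosing functions continue outside their hunks, so only the serial-generation lines are shown below.
```go
// newSerialNumber returns a random certificate serial in [1, math.MaxInt64-1].
// RFC 5280 section 4.1.2.2 requires a positive serial, so zero is excluded.
func newSerialNumber() (*big.Int, error) {
	// cryptorand.Int is uniform on [0, math.MaxInt64-1); adding 1 shifts it to [1, math.MaxInt64-1].
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
	if err != nil {
		return nil, err
	}
	return serial.Add(serial, big.NewInt(1)), nil
}

// … unchanged: NewSelfSignedCACert through now := time.Now() …
	serial, err := newSerialNumber()
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
// … unchanged: remainder of the template; the two sites in GenerateSelfSignedCertKeyWithFixtures call newSerialNumber() the same way and return nil, nil, err …
```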