Dont let users choose serial

sbernauer · sbernauer · commit e9e8bacf23b6 · 2025-05-27T08:51:43.000+02:00
diff --git a/crates/stackable-certs/src/ca/ca_builder.rs b/crates/stackable-certs/src/ca/ca_builder.rs
@@ -87,11 +87,6 @@ where
     #[builder(default = DEFAULT_CA_VALIDITY)]
     validity: Duration,
 
-    /// Serial number of the generated certificate.
-    ///
-    /// If not specified a random serial will be generated.
-    serial_number: Option<u64>,
-
     /// Cryptographic keypair used to sign leaf certificates.
     ///
     /// If not specified a random keypair will be generated.
@@ -120,8 +115,6 @@ where
     pub fn build(
         self,
     ) -> Result<CertificateAuthority<SKP>, CreateCertificateAuthorityError<SKP::Error>> {
-        let serial_number =
-            SerialNumber::from(self.serial_number.unwrap_or_else(|| rand::random::<u64>()));
         let validity = Validity::from_now(*self.validity).context(ParseValiditySnafu)?;
         let subject: Name = self.subject.parse().context(ParseSubjectSnafu {
             subject: self.subject,
@@ -130,6 +123,7 @@ where
             Some(signing_key_pair) => signing_key_pair,
             None => SKP::new().context(CreateSigningKeyPairSnafu)?,
         };
+        let serial_number = SerialNumber::from(rand::random::<u64>());
 
         let spki_pem = signing_key_pair
             .verifying_key()
@@ -203,15 +197,13 @@ mod tests {
             &ca.ca_cert().tbs_certificate,
             SDP_ROOT_CA_SUBJECT,
             DEFAULT_CA_VALIDITY,
-            None,
         )
     }
 
     #[test]
     fn customized_ca() {
         let ca = CertificateAuthority::builder()
             .subject("CN=Test")
-            .serial_number(42)
             .signing_key_pair(rsa::SigningKey::new().unwrap())
             .validity(Duration::from_days_unchecked(13))
             .build()
@@ -221,16 +213,10 @@ mod tests {
             &ca.ca_cert().tbs_certificate,
             "CN=Test",
             Duration::from_days_unchecked(13),
-            Some(42),
         )
     }
 
-    fn assert_ca_cert_attributes(
-        ca_cert: &TbsCertificateInner,
-        subject: &str,
-        validity: Duration,
-        serial_number: Option<u64>,
-    ) {
+    fn assert_ca_cert_attributes(ca_cert: &TbsCertificateInner, subject: &str, validity: Duration) {
         assert_eq!(ca_cert.subject, subject.parse().unwrap());
 
         let not_before = ca_cert.validity.not_before.to_system_time();
@@ -241,11 +227,5 @@ mod tests {
                 .expect("Failed to calculate duration between notBefore and notAfter"),
             *validity
         );
-
-        if let Some(serial_number) = serial_number {
-            assert_eq!(ca_cert.serial_number, SerialNumber::from(serial_number))
-        } else {
-            assert_ne!(ca_cert.serial_number, SerialNumber::from(0_u64))
-        }
     }
 }
diff --git a/crates/stackable-certs/src/cert_builder.rs b/crates/stackable-certs/src/cert_builder.rs
@@ -111,11 +111,6 @@ where
     #[builder(default = DEFAULT_CERTIFICATE_VALIDITY)]
     validity: Duration,
 
-    /// Serial number of the generated certificate.
-    ///
-    /// If not specified a random serial will be generated.
-    serial_number: Option<u64>,
-
     /// Cryptographic keypair used to for the certificates.
     ///
     /// If not specified a random keypair will be generated.
@@ -143,9 +138,6 @@ where
     <KP::SigningKey as signature::Keypair>::VerifyingKey: EncodePublicKey,
 {
     pub fn build(self) -> Result<CertificatePair<KP>, CreateCertificateError<KP::Error>> {
-        let serial_number =
-            SerialNumber::from(self.serial_number.unwrap_or_else(|| rand::random::<u64>()));
-
         let validity = Validity::from_now(*self.validity).context(ParseValiditySnafu)?;
         let subject: Name = self.subject.parse().context(ParseSubjectSnafu {
             subject: self.subject,
@@ -154,6 +146,7 @@ where
             Some(key_pair) => key_pair,
             None => KP::new().context(CreateKeyPairSnafu)?,
         };
+        let serial_number = SerialNumber::from(rand::random::<u64>());
 
         let ca_validity = self.signed_by.ca_cert().tbs_certificate.validity;
         let ca_not_after = ca_validity.not_after.to_system_time();
@@ -261,7 +254,6 @@ mod tests {
             &[],
             &[],
             DEFAULT_CERTIFICATE_VALIDITY,
-            None,
         );
     }
 
@@ -281,7 +273,6 @@ mod tests {
             .subject("CN=trino-coordinator-default-0")
             .subject_alterative_dns_names(&sans)
             .subject_alterative_ip_addresses(&san_ips)
-            .serial_number(08121997)
             .validity(Duration::from_days_unchecked(42))
             .key_pair(rsa::SigningKey::new().unwrap())
             .signed_by(&ca)
@@ -294,7 +285,6 @@ mod tests {
             &sans,
             &san_ips,
             Duration::from_days_unchecked(42),
-            Some(08121997),
         );
     }
 
@@ -304,7 +294,6 @@ mod tests {
         sans: &[&str],
         san_ips: &[IpAddr],
         validity: Duration,
-        serial_number: Option<u64>,
     ) {
         assert_eq!(certificate.subject, subject.parse().unwrap());
 
@@ -345,12 +334,6 @@ mod tests {
                 .expect("Failed to calculate duration between notBefore and notAfter"),
             *validity
         );
-
-        if let Some(serial_number) = serial_number {
-            assert_eq!(certificate.serial_number, SerialNumber::from(serial_number))
-        } else {
-            assert_ne!(certificate.serial_number, SerialNumber::from(0_u64))
-        }
     }
 
     fn bytes_to_ip_addr(bytes: &[u8]) -> IpAddr {
