From 430c6d0c1a404fc8d4d06e5727345728d4561ffb Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 18 Aug 2020 16:34:01 +0200
Subject: [PATCH] Increase # of bits for random serial numbers of certificates with PyOpenSSL backend (#90)

* Increase # of bits for random serial numbers of certificates with PyOpenSSL backend.
* Adjust algorithm to return a random number between 1000 and 2^160-1.
---
 .../90-openssl_certificate-pyopenssl-serial.yml | 2 ++
 plugins/modules/x509_certificate.py | 14 +++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/90-openssl_certificate-pyopenssl-serial.yml
diff --git a/changelogs/fragments/90-openssl_certificate-pyopenssl-serial.yml b/changelogs/fragments/90-openssl_certificate-pyopenssl-serial.yml
new file mode 100644
index 00000000..d684a122
--- /dev/null
+++ b/changelogs/fragments/90-openssl_certificate-pyopenssl-serial.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- "openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness for serial numbers, instead of a random number between 1000 and 99999. Please note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76)."
diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py
index b27ec7c4..950e84ce 100644
--- a/plugins/modules/x509_certificate.py
+++ b/plugins/modules/x509_certificate.py
@@ -868,7 +868,7 @@
 import tempfile
 import traceback
 from distutils.version import LooseVersion
-from random import randint
+from random import randrange
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils._text import to_native, to_bytes, to_text
@@ -1264,6 +1264,14 @@ class SelfSignedCertificateCryptography(Certificate):
         return result
+def generate_serial_number():
+    """Generate a serial number for a certificate"""
+    while True:
+        result = randrange(0, 1 << 160)
+        if result >= 1000:
+            return result
+
+
 class SelfSignedCertificate(Certificate):
     """Generate the self-signed certificate."""
@@ -1275,7 +1283,7 @@ class SelfSignedCertificate(Certificate):
         self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend)
         self.digest = module.params['selfsigned_digest']
         self.version = module.params['selfsigned_version']
-        self.serial_number = randint(1000, 99999)
+        self.serial_number = generate_serial_number()
         if self.csr_content is None and not os.path.exists(self.csr_path):
             raise CertificateError(
@@ -1570,7 +1578,7 @@ class OwnCACertificate(Certificate):
         self.notAfter = get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend)
         self.digest = module.params['ownca_digest']
         self.version = module.params['ownca_version']
-        self.serial_number = randint(1000, 99999)
+        self.serial_number = generate_serial_number()
         if module.params['ownca_create_subject_key_identifier'] != 'create_if_not_provided':
             module.fail_json(msg='ownca_create_subject_key_identifier cannot be used with the pyOpenSSL backend!')
         if module.params['ownca_create_authority_key_identifier']:
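Review bot: `randrange(0, 1 << 160)` in generate_serial_number can return values with bit 159 set, and such a serial DER-encodes as a 21-octet positive INTEGER (a leading 0x00 is needed to keep it positive), which exceeds the 20-octet limit that RFC 5280 §4.1.2.2 places on serialNumber; bounding the draw at `1 << 159` keeps every result within 20 octets. The rejection loop is also redundant, because randrange accepts the lower bound directly, so the body reduces to `return randrange(1000, 1 << 159)`. random.randrange draws from the non-cryptographic Mersenne Twister generator, as the changelog fragment itself notes; `random.SystemRandom().randrange(1000, 1 << 159)` uses the OS entropy source with the same call shape and exists on both Python 2 and 3, which would let the import hunk become `from random import SystemRandom`. The call-site hunks at lines 1275 and 1570 only switch to the new helper and need no further change.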