
Conversation

@ankur-anand

Description

Replace the use of math/rand with crypto/rand for generating X.509 certificate serial numbers in the session certificate.

Generating it with math/rand.Int63() has several potential issues, probably not directly evident due to the worker and target residing in the private subnet, but still not an ideal way to generate it.

  1. math/rand has a predictable output and is not suitable for security-sensitive contexts.
  2. Only produces 63 bits of randomness.

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.
    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
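The replacement the description asks for, written out as an added Go example (not the project's own code): a crypto/rand serial generator with the RFC 5280 shape checks beside the math/rand pattern being removed. The 128-bit width and the function names are this example's choices, not the PR's.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	mrand "math/rand"
)

// weakSerial is the pattern the PR removes: math/rand.Int63() yields at most
// 63 bits from a deterministic, seedable generator, so serials are guessable.
func weakSerial() *big.Int { return big.NewInt(mrand.Int63()) }

// RFC 5280 requires a positive serial of at most 20 octets; public CAs must
// draw at least 64 bits from a CSPRNG (CA/Browser Forum Baseline Requirements).
// 128 bits stays inside 20 octets even after DER prepends 0x00 for a set high bit.
const serialBits = 128

// NewSerialNumber returns a uniformly random serial in [1, 2^serialBits).
func NewSerialNumber() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), serialBits)
	for {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, fmt.Errorf("draw serial: %w", err)
		}
		if n.Sign() > 0 { // rand.Int may return 0, which RFC 5280 forbids
			return n, nil
		}
	}
}

// ValidateSerial applies the RFC 5280 shape checks, whatever generated n.
func ValidateSerial(n *big.Int) error {
	if n == nil || n.Sign() <= 0 {
		return errors.New("serial must be a positive integer")
	}
	if len(n.Bytes()) > 20 {
		return errors.New("serial exceeds 20 octets")
	}
	return nil
}

func main() {
	s, err := NewSerialNumber()
	if err != nil {
		panic(err)
	}
	fmt.Printf("math/rand serial bits <= %d; crypto/rand serial bits: %d\n",
		weakSerial().BitLen(), s.BitLen())
}
```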

@hashicorp-cla-app

hashicorp-cla-app bot commented Feb 9, 2026

CLA assistant check
All committers have signed the CLA.

