From 431e2a105051ebca0749fca25480f6972c578146 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 20 Jun 2025 09:48:11 +0200
Subject: [PATCH] lib: Fix Coverity ID 1509061 Use of 32-bit time_t

"man gnutls_x509_crt_set_serial" says that the serial number should be a big-endian positive integer of up to 20 bytes....

Signed-off-by: Volker Lendecke
Reviewed-by: Anoop C S
---
 source4/lib/tls/tlscert.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 08386166a55..9f7e59f2796 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -45,7 +45,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 {
 gnutls_x509_crt_t cacrt, crt;
 gnutls_x509_privkey_t key, cakey;
- uint32_t serial = (uint32_t)time(NULL);
+ uint8_t serial[8];
 unsigned char keyid[100];
 char buf[4096];
 size_t bufsize;
@@ -90,7 +90,10 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 GNUTLS_OID_X520_COMMON_NAME, 0,
 hostname, strlen(hostname)));
 TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
+
+ PUSH_BE_U64(serial, 0, time(NULL));
 TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
+
 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
--
2.47.3
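Review bot: The serial stored by `PUSH_BE_U64(serial, 0, time(NULL));` in the second hunk is a positive big-endian integer only while `time()` returns a non-negative value; on failure it returns `(time_t)-1`, which becomes eight `0xff` bytes, a value with the top bit set. Clearing that bit right after the store, `serial[0] &= 0x7f;`, would keep the serial positive, as the man page quoted in the commit message requires. Separately, a clock-derived serial is predictable and repeats when two certificates are generated in the same second or after a clock reset, so filling the buffer from the CSPRNG (for example `gnutls_rnd(GNUTLS_RND_NONCE, serial, sizeof(serial))`) before clearing the top bit would be more robust. With the array declared in the first hunk, `&serial` is now a pointer to the whole array; plain `serial` yields the same address and reads more naturally. tls_cert_generate starts and ends outside both hunks, so any later use of `serial` is not visible here.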