letsencrypt · mkhandker19 · Jun 15, 2026 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -5,7 +5,6 @@ import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -943,7 +942,7 @@ func TestNoteSignError(t *testing.T) {
 
 func TestGenerateSKID(t *testing.T) {
 	t.Parallel()
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	key, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "Error generating key")
 
 	sha256skid, err := generateSKID(key.Public())
@@ -957,25 +956,25 @@ func TestVerifyTBSCertIsDeterministic(t *testing.T) {
 	t.Parallel()
 
 	// Create first keypair and cert
-	testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "unable to generate ECDSA private key")
 	template := &x509.Certificate{
 		NotAfter:     time.Now().Add(1 * time.Hour),
 		DNSNames:     []string{"example.com"},
 		SerialNumber: big.NewInt(1),
 	}
-	certDer1, err := x509.CreateCertificate(rand.Reader, template, template, &testKey.PublicKey, testKey)
+	certDer1, err := x509.CreateCertificate(nil, template, template, &testKey.PublicKey, testKey)
 	test.AssertNotError(t, err, "unable to create certificate")
 
 	// Create second keypair and cert
-	testKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	testKey2, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "unable to generate ECDSA private key")
 	template2 := &x509.Certificate{
 		NotAfter:     time.Now().Add(2 * time.Hour),
 		DNSNames:     []string{"example.net"},
 		SerialNumber: big.NewInt(2),
 	}
-	certDer2, err := x509.CreateCertificate(rand.Reader, template2, template2, &testKey2.PublicKey, testKey2)
+	certDer2, err := x509.CreateCertificate(nil, template2, template2, &testKey2.PublicKey, testKey2)
 	test.AssertNotError(t, err, "unable to create certificate")
 
 	testCases := []struct {

@@ -5,15 +5,14 @@ package main
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"log"
 	"os"
 )
 
 func main() {
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	if err != nil {
 		log.Fatalf("Failed to parse private key: %s", err)
 	}
@@ -29,7 +28,7 @@ func main() {
 			"Capitalizedletters.COM",
 		},
 	}
-	csr, err := x509.CreateCertificateRequest(rand.Reader, req, priv)
+	csr, err := x509.CreateCertificateRequest(nil, req, priv)
 	if err != nil {
 		log.Fatalf("unable to create CSR: %s", err)
 	}

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -105,7 +104,7 @@ func TestSerialsFromPrivateKey(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Set(time.Now())
 
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "creating test private key")
 	keyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
 	test.AssertNotError(t, err, "marshalling test private key bytes")

@@ -5,7 +5,6 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
@@ -32,12 +31,12 @@ import (
 
 func TestSPKIHashesFromPrivateKeys(t *testing.T) {
 
-	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "Generating ECDSA key")
 	pkcs8ecdsa, err := x509.MarshalPKCS8PrivateKey(ecdsaKey)
 	test.AssertNotError(t, err, "Marshalling PKCS8 private key")
 
-	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	rsaKey, err := rsa.GenerateKey(nil, 2048)
 	test.AssertNotError(t, err, "Generating RSA key")
 	pkcs8rsa, err := x509.MarshalPKCS8PrivateKey(rsaKey)
 	test.AssertNotError(t, err, "Marshalling PKCS8 private key")
@@ -166,7 +165,7 @@ func TestBlockSPKIHash(t *testing.T) {
 	log := blog.NewMock()
 	msa := mockSARecordingBlocks{}
 
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "creating test private key")
 	keyHash, err := core.KeyDigest(privKey.Public())
 	test.AssertNotError(t, err, "computing test SPKI hash")

@@ -549,7 +549,7 @@ func TestGenerateCSR(t *testing.T) {
 		Country:      "country",
 	}
 
-	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	signer, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "failed to generate test key")
 
 	csrBytes, err := generateCSR(profile, &wrappedSigner{signer})

@@ -4,7 +4,6 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -53,15 +52,15 @@ func TestGenerateCRLTimeBounds(t *testing.T) {
 type wrappedSigner struct{ k crypto.Signer }
 
 func (p wrappedSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
-	return p.k.Sign(rand.Reader, digest, opts)
+	return p.k.Sign(nil, digest, opts)
 }
 
 func (p wrappedSigner) Public() crypto.PublicKey {
 	return p.k.Public()
 }
 
 func TestGenerateCRLLints(t *testing.T) {
-	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	k, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "failed to generate test key")
 
 	cert := &x509.Certificate{
@@ -74,7 +73,7 @@ func TestGenerateCRLLints(t *testing.T) {
 		SubjectKeyId: []byte{1, 2, 3},
 	}
 
-	certBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, k.Public(), k)
+	certBytes, err := x509.CreateCertificate(nil, cert, cert, k.Public(), k)
 	test.AssertNotError(t, err, "failed to generate test cert")
 	cert, err = x509.ParseCertificate(certBytes)
 	test.AssertNotError(t, err, "failed to parse test cert")
@@ -102,7 +101,7 @@ func TestGenerateCRLLints(t *testing.T) {
 }
 
 func TestGenerateCRL(t *testing.T) {
-	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	k, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "failed to generate test key")
 
 	template := &x509.Certificate{
@@ -116,7 +115,7 @@ func TestGenerateCRL(t *testing.T) {
 		SubjectKeyId:          []byte{1, 2, 3},
 	}
 
-	certBytes, err := x509.CreateCertificate(rand.Reader, template, template, k.Public(), k)
+	certBytes, err := x509.CreateCertificate(nil, template, template, k.Public(), k)
 	test.AssertNotError(t, err, "failed to generate test cert")
 	cert, err := x509.ParseCertificate(certBytes)
 	test.AssertNotError(t, err, "failed to parse test cert")

@@ -3,7 +3,6 @@ package main
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"errors"
 	"testing"
 
@@ -40,7 +39,7 @@ func TestECGenerate(t *testing.T) {
 	ctx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) {
 		return []byte{1, 2, 3}, nil
 	}
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "Failed to generate a ECDSA test key")
 
 	// Test ecGenerate fails with unknown curve
@@ -92,7 +91,7 @@ func TestECGenerate(t *testing.T) {
 }
 
 func ecPKCS11Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
-	r, s, err := ecdsa.Sign(rand.Reader, priv, msg[:])
+	r, s, err := ecdsa.Sign(nil, priv, msg[:])
 	if err != nil {
 		return nil, err
 	}

@@ -4,7 +4,6 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
@@ -46,7 +45,7 @@ func TestGenerateKeyRSA(t *testing.T) {
 	tmp := t.TempDir()
 
 	ctx := setupCtx()
-	rsaPriv, err := rsa.GenerateKey(rand.Reader, 1024)
+	rsaPriv, err := rsa.GenerateKey(nil, 1024)
 	test.AssertNotError(t, err, "Failed to generate a test RSA key")
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return []*pkcs11.Attribute{
@@ -56,7 +55,7 @@ func TestGenerateKeyRSA(t *testing.T) {
 	}
 	ctx.SignFunc = func(_ pkcs11.SessionHandle, msg []byte) ([]byte, error) {
 		// Chop of the hash identifier and feed back into rsa.SignPKCS1v15
-		return rsa.SignPKCS1v15(rand.Reader, rsaPriv, crypto.SHA256, msg[19:])
+		return rsa.SignPKCS1v15(nil, rsaPriv, crypto.SHA256, msg[19:])
 	}
 	s := &pkcs11helpers.Session{Module: &ctx, Session: 0}
 	keyPath := path.Join(tmp, "test-rsa-key.pem")
@@ -74,7 +73,7 @@ func TestGenerateKeyRSA(t *testing.T) {
 }
 
 func setECGenerateFuncs(ctx *pkcs11helpers.MockCtx) {
-	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	if err != nil {
 		panic(err)
 	}

@@ -3,7 +3,6 @@ package main
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -22,7 +21,7 @@ import (
 
 func TestLoadPubKey(t *testing.T) {
 	tmp := t.TempDir()
-	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	key, _ := ecdsa.GenerateKey(elliptic.P256(), nil)
 
 	_, _, err := loadPubKey(path.Join(tmp, "does", "not", "exist"))
 	test.AssertError(t, err, "should fail on non-existent file")
@@ -1295,14 +1294,14 @@ func TestPostIssuanceLinting(t *testing.T) {
 	err := postIssuanceLinting(nil, nil)
 	test.AssertError(t, err, "should have failed because no certificate was provided")
 
-	testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil)
 	test.AssertNotError(t, err, "unable to generate ECDSA private key")
 	template := &x509.Certificate{
 		NotAfter:     clk.Now().Add(1 * time.Hour),
 		DNSNames:     []string{"example.com"},
 		SerialNumber: big.NewInt(1),
 	}
-	certDer, err := x509.CreateCertificate(rand.Reader, template, template, &testKey.PublicKey, testKey)
+	certDer, err := x509.CreateCertificate(nil, template, template, &testKey.PublicKey, testKey)
 	test.AssertNotError(t, err, "unable to create certificate")
 	parsedCert, err := x509.ParseCertificate(certDer)
 	test.AssertNotError(t, err, "unable to parse DER bytes")

@@ -2,7 +2,6 @@ package main
 
 import (
 	"crypto"
-	"crypto/rand"
 	"crypto/rsa"
 	"errors"
 	"math/big"
@@ -44,7 +43,7 @@ func TestRSAGenerate(t *testing.T) {
 		return []byte{1, 2, 3}, nil
 	}
 
-	priv, err := rsa.GenerateKey(rand.Reader, 1024)
+	priv, err := rsa.GenerateKey(nil, 1024)
 	test.AssertNotError(t, err, "Failed to generate a RSA test key")
 
 	// Test rsaGenerate fails when GenerateKeyPair fails
@@ -86,7 +85,7 @@ func TestRSAGenerate(t *testing.T) {
 	}
 	ctx.SignFunc = func(_ pkcs11.SessionHandle, msg []byte) ([]byte, error) {
 		// Chop of the hash identifier and feed back into rsa.SignPKCS1v15
-		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, msg[19:])
+		return rsa.SignPKCS1v15(nil, priv, crypto.SHA256, msg[19:])
 	}
 	_, _, err = rsaGenerate(s, "", 1024)
 	test.AssertNotError(t, err, "rsaGenerate didn't succeed when everything worked as expected")