Bug 1461441

Summary: Serial number does not fall in the range when serial number range and random serial number is enabled in the installation file
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: pki-coreAssignee: Jack Magne <jmagne>
Status: CLOSED NOTABUG QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.4CC: arubin, mharmsen, msauton
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-28 21:49:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roshni 2017-06-14 12:59:39 UTC 
Description of problem:
Serial number does not fall in the range when serial number range and random serial number is enabled in the installation file

Version-Release number of selected component (if applicable):
pki-core-10.4.1-8.el7

How reproducible:
always

Steps to Reproduce:
1. pkispawn CA with the following installation file (I was attempting migration)
[root@nocp1 ~]# cat rpattath/ca-migration.cfg 
[DEFAULT]
pki_instance_name=pki-tomcat-ca-rpattath
pki_user=pkiuser
pki_group=pkiuser
pki_audit_group=pkiaudit
pki_https_port=30042
pki_http_port=30044

#NSS DB Token Password
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000-OCS
pki_token_password=

#Admin Password
pki_admin_password=
pki_client_pkcs12_password=
pki_ds_ldap_port=1604
pki_ds_bind_dn=cn=Database Manager
pki_ds_password=
pki_ds_remove_data=True
pki_existing=True
pki_ds_secure_connection=True
pki_ds_ldaps_port=1605
pki_ds_secure_connection_ca_pem_file=/tmp/ca_cert.pem

[Tomcat]
pki_ajp_port=30009
pki_tomcat_server_port=30005

[CA]
pki_ca_signing_csr_path=/root/rpattath/ca_signing.csr
pki_ca_signing_cert_path=/root/rpattath/ca_signing.crt
pki_ca_signing_nickname=caSigningCert cert-pki-ca-rpattath
pki_ca_signing_token=NHSM6000-OCS
pki_pin=
pki_ds_hostname=nocp1.idm.lab.eng.rdu2.redhat.com
pki_ds_base_dn=dc=nocp9.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath
pki_ds_database=nocp9.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath
pki_serial_number_range_start=50
pki_request_number_range_start=100
pki_random_serial_numbers_enable=True
pki_master_crl_enable=False
pki_skip_installation=True

2.
3.

Actual results:
None of the serial numbers of system certs generated after pkispawn falls in the range specified

Expected results:
The random serial number must fall in the range specified

Additional info:
Comment 2 Jack Magne 2017-08-25 01:20:32 UTC 
This issue, is possibly due to an error in the config file.


The following may be the issue:


pki_serial_number_range_start=50
pki_request_number_range_start=100

One setting is for the start of the serial number range and the other is for the start of the request number range. The endpoints of both those ranges will be defaulted to some large number.


I tried the following on my box:


pki_serial_number_range_start=3
pki_serial_number_range_end=20

For some reason the server appears to interpret the serial number range values as hex or base 16. Unfortunately, I haven't been able to determine how to input a direct hex value. What happens is it will accept and integer and it will be interpreted at hex. For instance our 20 will be considered 0x20, which is 32 in decimal.


This would explain the following serial numbers generated for the system certs after ca installation:

Notice they conform to the very skinny range of 3 to 32. This artificial small range is just to prove the server is getting the right values and doing the right things with them.


0x3 	valid 	
CN=CA Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x4 	valid 	
CN=PKI Administrator,E=caadmin.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x9 	valid 	
CN=CA OCSP Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0xd 	valid 	
CN=CA Audit Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x10 	valid 	
CN=Subsystem Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x1d 	valid 	
CN=dhcp-16-206.sjc.redhat.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain


After verification of this by QE I believe we can close this bug.
Comment 3 Jack Magne 2017-08-28 21:49:49 UTC 
QE agrees to close this for the reasons listed in the previous comment.