Bug 816232

| Field | Value |
|---|---|
| Summary | serial number incorrectly cast from BigInt to integer in installation wizard |
| Product | [Retired] Dogtag Certificate System |
| Component | Installation Wizard |
| Version | 9.0 |
| Reporter | Ade Lee <alee> |
| Assignee | Ade Lee <alee> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl, dan, jgalipea, mharmsen, mniranja, nkinder |
| Status | CLOSED NEXTRELEASE |
| Severity | unspecified |
| Priority | medium |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-common-8.1.4-1.el5pki pki-util-8.1.2-1.el5pki |
| Doc Type | Bug Fix |
| Story Points | --- |
| | 841663 |
| Last Closed | 2014-08-29 01:42:10 UTC |
| Type | Bug |
| Regression | --- |
| Bug Blocks | 760283, 841663 |
Please add steps to reproduce/verify this bug

Created attachment 608658 [details]
patch to fix

PKI_8_1_ERRATA_BRANCH:

[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard"
Sending base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2482.

PKI_8_BRANCH:

[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard"
Sending base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2481.

Defect description:

The serial number generated for certificates is wrong when the number is large. The problem is due to the conversion of BigInteger to integer while generating a new serial number, which truncates the most significant bits in the serial number, so that a large number (e.g. 10fff0001) becomes a smaller number (e.g. fff0001). This conversion in turn leads to a collision if a certificate with the smaller number exists in the database.

Steps to reproduce the defect:

- Create a CA. - (1)
- Edit the fields minSerialNumber and maxSerialNumber in the <CA-Installation Path>/conf.CS.cfg to large values like 100000000 and 110000000.
- Restart the CA.
- Configure the CA.
- Create a new CA.
- Configure this as a clone to (1)CA.
- After the certificates are generated, view the serial number by clicking on "View Certificate in PrettyPrint". You are looking for the subsystem cert.

Results:

Before the patch is applied: the serial number is truncated. (Wrong)
After the patch is applied: the serial number is found as expected.

Non-ECC Environment
==================
1. Create Master CA instance
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca-bz816232-M1 \
-subsystem_type=ca \
-agent_secure_port=29443 \
-ee_secure_port=29444 \
-ee_secure_client_auth_port=29446 \
-admin_secure_port=29445 \
-unsecure_port=29180 \
-tomcat_server_port=29701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca-bz816232-M1 \
-redirect logs=/var/log/pki-ca-bz816232-M1 \
-verbose
2. Stop the CA instance.
3. Modify the CS.cfg as below:
$ cat /etc/pki-ca-bz816232-M1/CS.cfg | grep dbs.
dbs.enableSerialManagement=false
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.beginSerialNumber=100000000000000
dbs.endSerialNumber=100000010000000
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
dbs.beginReplicaNumber=1
dbs.endReplicaNumber=100
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
4. Start the instance and configure it.
[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-M1 restart
Stopping pki-ca-bz816232-M1: .... [ OK ]
Starting pki-ca-bz816232-M1:
Using Java Security Manager
Constructing 'pki-ca-bz816232-M1.policy' Security Policy
Starting pki-ca-bz816232-M1: [ OK ]
pki-ca-bz816232-M1 (pid 31986) is running ...
Unsecure Port = http://dhcp207-162.lab.eng.pnq.redhat.com:29180/ca/ee/ca
Secure Agent Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29443/ca/agent/ca
Secure EE Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29444/ca/ee/ca
Secure Admin Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca/services
EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29446/ca/eeca/ca
PKI Console Port = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca
Tomcat Port = 29701 (for shutdown)
PKI Instance Name: pki-ca-bz816232-M1
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: Example Domain
URL: https://dhcp207-162.lab.eng.pnq.redhat.com:29445
==========================================================================
5. After configuration, the serial numbers are displayed as follows:
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=false
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
6. Create the clone instance:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca-bz816232-C1 \
-subsystem_type=ca \
-agent_secure_port=39443 \
-ee_secure_port=39444 \
-ee_secure_client_auth_port=39446 \
-admin_secure_port=39445 \
-unsecure_port=39180 \
-tomcat_server_port=39701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca-bz816232-C1 \
-redirect logs=/var/log/pki-ca-bz816232-C1 \
-verbose
7. Configure the clone against the master CA pki-ca-bz816232-M1. Below are the details entered in the configuration panels:
Key Store Panel:
Use the default "Internal Key Storage token"
Security Domain:
Join to Existing Security Domain Example Domain
https://dhcp207-162.lab.eng.pnq.redhat.com:29445
Login to security Domain "Example Domain"
Subsystem Type
Select "Clone an existing CA subsystem"
Subsystem Name: Certificate Authority Clone1
Accept the certificate chain
Import keys and Certificate
Specify the master subsystem keys filename: savepkcs12
password: redhat
Internal database
host:localhost
port:2389
Base DN: dc=dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
Database: dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
Bind DN: CN=Directory Manager
Bind Password: redhat@123
Key Pairs:
Key type: RSA
Signed with: SHA256withRSA
Signing Algorithm: SHA256withRSA
Key size: 2048
Subject Names:
Accept the default subject Names:
SSL Server Certificate:
DN: CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
Nickname: Server-Cert cert-pki-ca-bz816232-C1
Requests and Certificates:
View all the Certificates in Pretty Print:
<Snip of Certificates as seen from Pretty Print>
CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate:
Data:
Version: v3
Serial Number: 0x100000000000000
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Validity:
Not Before: Thursday, March 28, 2013 12:55:07 PM EDT America/New_York
Not After: Sunday, March 28, 2021 12:55:07 PM EDT America/New_York
Subject: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
Certificate:
Data:
Version: v3
Serial Number: 0x100000000000001
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Validity:
Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
Not After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
Subject: CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
Certificate in pretty print
Certificate:
Data:
Version: v3
Serial Number: 0x10000000FFF0001
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Validity:
Not Before: Thursday, March 28, 2013 1:07:19 PM EDT America/New_York
Not After: Wednesday, March 18, 2015 1:07:19 PM EDT America/New_York
Subject: CN=dhcp207-162.lab.eng.pnq.redhat.com,O=clone
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
Certificate:
Data:
Version: v3
Serial Number: 0x100000000000003
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Validity:
Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
Not After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
Subject: CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
Certificate:
Data:
Version: v3
Serial Number: 0x100000000000004
Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
Validity:
Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
Not After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
Subject: CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
</Snip of Certificates as seen from Pretty Print>
8. Restart the clone instance.
[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-C1 restart
Stopping pki-ca-bz816232-C1: .. [ OK ]
Starting pki-ca-bz816232-C1:
Using Java Security Manager
Constructing 'pki-ca-bz816232-C1.policy' Security Policy
Starting pki-ca-bz816232-C1: [ OK ]
pki-ca-bz816232-C1 (pid 1608) is running ...
Unsecure Port = http://dhcp207-162.lab.eng.pnq.redhat.com:39180/ca/ee/ca
Secure Agent Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39443/ca/agent/ca
Secure EE Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39444/ca/ee/ca
Secure Admin Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca/services
EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39446/ca/eeca/ca
PKI Console Port = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca
Tomcat Port = 39701 (for shutdown)
PKI Instance Name: pki-ca-bz816232-C1
PKI Subsystem Type: CA Clone (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: Example Domain
URL: https://dhcp207-162.lab.eng.pnq.redhat.com:39445
==========================================================================
After configuring clone, Master's CS.cfg (pki-ca-bz816232-M1)
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=true
dbs.endReplicaNumber=95
dbs.endRequestNumber=9990000
dbs.endSerialNumber=10000000fff0000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginSerialNumber=100000010000001
dbs.nextEndSerialNumber=100000020000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
Clone's CS.cfg (pki-ca-bz816232-C1)
dbs.beginReplicaNumber=98
dbs.beginRequestNumber=9990001
dbs.beginSerialNumber=10000000fff0001
dbs.enableSerialManagement=true
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginRequestNumber=10000001
dbs.nextBeginSerialNumber=100000020000001
dbs.nextEndRequestNumber=20000000
dbs.nextEndSerialNumber=100000030000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
Configuring an ECC CA clone fails, for which BZ 948983 has been created: https://bugzilla.redhat.com/show_bug.cgi?id=948983. Marking this BZ as verified.
Description of problem:

In the NamePanel, in ConfigCert(), we call CertUtil.createLocalCert(), which gets the next serial number and then calls:

info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm);

Notice the serialNo.intValue(). This conversion from BigInt to Int breaks the install when serial numbers are high, as can happen when a bunch of clones are installed. In fact, it looks like it breaks down somewhere between 70 000 000 and 80 000 000 hex.
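The following is an added example and not Dogtag code; it models the narrowing the description quotes (serialNo.intValue()) and the collision the defect description predicts, using the serial values and dbs.* range settings from the QA log above. The class and method names are invented for the demonstration, and the "repository" is a constructed in-memory set standing in for the certificate repository in the directory server.

```java
import java.math.BigInteger;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not Dogtag code. Shows why BigInteger.intValue() is the
 * wrong way to hand a certificate serial number to the cert builder, and
 * what a checked narrowing and a BigInteger-preserving path look like.
 */
public class SerialNarrowingDemo {

    /** The conversion the bug report quotes: intValue() keeps only bits 0..31. */
    static int narrowLikeTheBug(BigInteger serial) {
        return serial.intValue();
    }

    /**
     * Checked narrowing: reject any serial that is negative or needs more than
     * 31 magnitude bits, i.e. anything above 0x7FFFFFFF. (Java 8 and later
     * offer BigInteger.intValueExact() with the same contract.)
     */
    static int narrowChecked(BigInteger serial) {
        if (serial.signum() < 0 || serial.bitLength() > 31) {
            throw new ArithmeticException(
                "serial 0x" + serial.toString(16) + " does not fit in a Java int");
        }
        return serial.intValue();
    }

    /**
     * Range split as the QA log's CS.cfg shows it: the master keeps
     * [begin, end - transfer] and the clone starts at end - transfer + 1.
     * Values are parsed as hex, which is how the page's dbs.* serial values read.
     */
    static BigInteger cloneBeginSerial(String endSerialHex, String transferHex) {
        BigInteger end = new BigInteger(endSerialHex, 16);
        BigInteger transfer = new BigInteger(transferHex, 16);
        return end.subtract(transfer).add(BigInteger.ONE);
    }

    /**
     * Issues a serial while keeping the BigInteger end to end, the shape of the
     * actual fix, and refuses a value already present in the repository.
     */
    static BigInteger issueSerial(BigInteger next, Set<BigInteger> repository) {
        if (!repository.add(next)) {
            throw new IllegalStateException("serial collision: 0x" + next.toString(16));
        }
        return next;
    }

    public static void main(String[] args) {
        // dbs.endSerialNumber and dbs.serialCloneTransferNumber from the master's CS.cfg.
        BigInteger clone = cloneBeginSerial("100000010000000", "10000");
        System.out.println("clone's first serial: 0x" + clone.toString(16));

        int truncated = narrowLikeTheBug(clone);
        System.out.printf("intValue() of that serial: 0x%08x%n", truncated);

        // The reporter's "breaks down between 70 000 000 and 80 000 000 hex":
        // at 0x80000000 the sign bit is set and intValue() turns negative.
        BigInteger signFlip = new BigInteger("80000000", 16);
        System.out.println("intValue() of 0x80000000: " + narrowLikeTheBug(signFlip));

        // Constructed repository: the master already issued serial 0x0FFF0001.
        Set<BigInteger> issued = new HashSet<>();
        issued.add(new BigInteger("0FFF0001", 16));

        // The truncated value collides with the existing entry ...
        System.out.println("truncated serial already in repository: "
            + issued.contains(BigInteger.valueOf(truncated)));

        // ... while the BigInteger path stores the real serial without collision.
        issueSerial(clone, issued);
        System.out.println("repository now holds 0x" + clone.toString(16));

        try {
            narrowChecked(clone);
        } catch (ArithmeticException e) {
            System.out.println("checked narrowing rejected it: " + e.getMessage());
        }
    }
}
```

Running it reproduces the numbers in the QA log: the clone's first serial comes out as 0x10000000fff0001, intValue() reduces it to 0x0fff0001 (which the constructed repository already contains), and 0x80000000 narrows to -2147483648. The defensive lesson is that a serial number should stay a BigInteger from the repository to the CertificateSerialNumber; where an int boundary cannot be avoided, narrow with a bitLength()/signum() check (or intValueExact()) so an out-of-range serial fails loudly instead of silently colliding with an earlier certificate.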