Bug 1144188 - TPS tests: RPM rebuild failure due to wildcard imports
Summary: TPS tests: RPM rebuild failure due to wildcard imports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.6
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1146818
TreeView+ depends on / blocked
 
Reported: 2014-09-18 23:44 UTC by Matthew Harmsen
Modified: 2015-07-22 06:55 UTC (History)
5 users (show)

Fixed In Version: pki-core-9.0.3-38.el6_6
Doc Type: Bug Fix
Doc Text:
Several Java import statements specify wildcard arguments. However, due to the use of wildcard arguments in the import statements of the source code contained in the Red Hat Enterprise Linux 6 maintenance branch, a name space collision created the potential for a wrong class to be utilized. As a consequence, the Token Processing System (TPS) rebuild test failed with an error message. This update addresses the bug by supplying the fully named class in all of the contentious areas, and the TPS rebuild test no longer fails. (BZ#1144188)
Clone Of:
: 1146818 (view as bug list)
Environment:
Last Closed: 2015-07-22 06:55:26 UTC


Attachments (Terms of Use)
pki-core-9.0.3-bz1144188.patch (1.09 KB, patch)
2014-09-26 15:10 UTC, Matthew Harmsen
no flags Details | Diff
pki-core.spec (48.93 KB, text/plain)
2014-09-26 15:11 UTC, Matthew Harmsen
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1347 normal SHIPPED_LIVE Moderate: pki-core security and bug fix update 2015-07-20 18:07:50 UTC

Description Matthew Harmsen 2014-09-18 23:44:41 UTC
During the TPS testing of the 'pki-core' component for the RHEL 6.6 errata, a failure occurred when the TPS rebuild test failed with the following error:

     com/netscape/ca/CAService.java:642: error: reference to Extension is ambiguous, both interface java.security.cert.Extension in java.security.cert and class netscape.security.x509.Extension in netscape.security.x509 match
                        Extension ext = (Extension) e.nextElement();
                        ^
    com/netscape/ca/CAService.java:642: error: reference to Extension is ambiguous, both interface java.security.cert.Extension in java.security.cert and class netscape.security.x509.Extension in netscape.security.x509 match
                        Extension ext = (Extension) e.nextElement();

This was due to the use of "wildcards" in the import statements of the source code contained in the RHEL 6 maintenance branch (a problem that has been alleviated in newer versions of the product):

    . . .
    import netscape.security.x509.*;
    import netscape.security.util.BigInt;
    import netscape.security.util.*;
    import java.security.cert.*;
    . . .

For the purposes of RHEL 6.7, we should apply the following minimal fix so that the TPS tests will succeed:

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index a63391d..43bb3dd 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -639,7 +639,7 @@ public class CAService implements ICAService, IService {
                     Enumeration e = exts.getElements();
 
                     while (e.hasMoreElements()) {
-                        Extension ext = (Extension) e.nextElement();
+                        netscape.security.x509.Extension ext = (netscape.security.x509.Extension) e.nextElement();
 
                         if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) {
                             bc_ext = (BasicConstraintsExtension) ext;

Comment 2 Ade Lee 2014-09-19 03:18:42 UTC
The issue is stated as follows:
com/netscape/ca/CAService.java:642: error: reference to Extension is
ambiguous, both interface java.security.cert.Extension in
java.security.cert and class netscape.security.x509.Extension in
netscape.security.x509 match
Extension ext = (Extension) e.nextElement();

This never used to be a problem before because java.security.cert.Extension was only introduced in Java 7.  This also won't be a problem unless java.security.cert.Extension is found in the classpath before netscape.security.x509.Extension.

If it is though, and ext is instantiated as a netscape.security.x509.Extension, then some subsequent calls - like ext.getExtensionId() will fail.

Now, this code is in a function called issueX509Cert() - which sounds like its
pretty important.  In fact, I suspect its executed whenever we issue a cert.  

Thats a double edged sword -- we know that we have not had any 
issues - so its likely that the classpath is set up correctly.  On the other hand, do we want to rely on this for such an important bit of code?  Remember that classpath issues are notoriously difficult to debug.

Incidentally, on looking at this code, I think that Matt's initial solution needs to be tweaked a bit, so that the Enumeration is also typed -- ie.

Enumeration e = exts.getElements();  should become
Enumeration<netscape.security.x509.Extension> e = exts.getElements();

Comment 3 Nathan Kinder 2014-09-19 14:51:08 UTC
Proposing this as a 0day for RHEL 6.6.z based off of the description in comment#2.  The fix for this can be prepared quickly, as it's trivial.

Comment 8 Matthew Harmsen 2014-09-26 15:10:26 UTC
Created attachment 941624 [details]
pki-core-9.0.3-bz1144188.patch

Although we attempted to follow the Z-Stream procedures for a 0-day errata located at https://home.corp.redhat.com/wiki/working-z-streams, we were informed by release-engineering that if we checked this patch into the rhel-6.6 dist-git branch, that rhel-6.7 would be cloned from the rhel-6.6 branch (thus picking up this patch).

Comment 9 Matthew Harmsen 2014-09-26 15:11:22 UTC
Created attachment 941632 [details]
pki-core.spec

Although we attempted to follow the Z-Stream procedures for a 0-day errata located at https://home.corp.redhat.com/wiki/working-z-streams, we were informed by release-engineering that if we checked this spec file into the rhel-6.6 dist-git branch, that rhel-6.7 would be cloned from the rhel-6.6 branch (thus picking up this spec file).

Comment 11 Roshni 2015-04-08 20:59:01 UTC
TPS tests of RHEL 6.7 pki-core errata for build pki-core-9.0.3-40.el6 passed.

Comment 13 errata-xmlrpc 2015-07-22 06:55:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1347.html


Note You need to log in before you can comment on or make changes to this bug.