Bug 1144188 – TPS tests: RPM rebuild failure due to wildcard imports

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1144188 - TPS tests: RPM rebuild failure due to wildcard imports

Summary:	TPS tests: RPM rebuild failure due to wildcard imports

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pki-core (Show other bugs)
Sub Component:
Version:	6.6
Hardware:	Unspecified Unspecified

Priority	urgent Severity urgent
Target Milestone:	rc
Target Release:	---
Assigned To:	Matthew Harmsen
QA Contact:	Asha Akkiangady
Docs Contact:

URL:
Whiteboard:
Keywords:	ZStream

Depends On:
Blocks:	1146818
	Show dependency tree / graph

Reported:	2014-09-18 19:44 EDT by Matthew Harmsen
Modified:	2015-07-22 02:55 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	pki-core-9.0.3-38.el6_6
Doc Type:	Bug Fix
Doc Text:	Several Java import statements specify wildcard arguments. However, due to the use of wildcard arguments in the import statements of the source code contained in the Red Hat Enterprise Linux 6 maintenance branch, a name space collision created the potential for a wrong class to be utilized. As a consequence, the Token Processing System (TPS) rebuild test failed with an error message. This update addresses the bug by supplying the fully named class in all of the contentious areas, and the TPS rebuild test no longer fails. (BZ#1144188)
Story Points:	---
Clone Of:
Clones:	1146818 (view as bug list)
Environment:
Last Closed:	2015-07-22 02:55:26 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
pki-core-9.0.3-bz1144188.patch (1.09 KB, patch) 2014-09-26 11:10 EDT, Matthew Harmsen	no flags	Details \| Diff
pki-core.spec (48.93 KB, text/plain) 2014-09-26 11:11 EDT, Matthew Harmsen	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1347	normal	SHIPPED_LIVE	Moderate: pki-core security and bug fix update	2015-07-20 14:07:50 EDT

Groups: None (edit)

Description Matthew Harmsen 2014-09-18 19:44:41 EDT

During the TPS testing of the 'pki-core' component for the RHEL 6.6 errata, a failure occurred when the TPS rebuild test failed with the following error:

     com/netscape/ca/CAService.java:642: error: reference to Extension is ambiguous, both interface java.security.cert.Extension in java.security.cert and class netscape.security.x509.Extension in netscape.security.x509 match
                        Extension ext = (Extension) e.nextElement();
                        ^
    com/netscape/ca/CAService.java:642: error: reference to Extension is ambiguous, both interface java.security.cert.Extension in java.security.cert and class netscape.security.x509.Extension in netscape.security.x509 match
                        Extension ext = (Extension) e.nextElement();

This was due to the use of "wildcards" in the import statements of the source code contained in the RHEL 6 maintenance branch (a problem that has been alleviated in newer versions of the product):

    . . .
    import netscape.security.x509.*;
    import netscape.security.util.BigInt;
    import netscape.security.util.*;
    import java.security.cert.*;
    . . .

For the purposes of RHEL 6.7, we should apply the following minimal fix so that the TPS tests will succeed:

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index a63391d..43bb3dd 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -639,7 +639,7 @@ public class CAService implements ICAService, IService {
                     Enumeration e = exts.getElements();
 
                     while (e.hasMoreElements()) {
-                        Extension ext = (Extension) e.nextElement();
+                        netscape.security.x509.Extension ext = (netscape.security.x509.Extension) e.nextElement();
 
                         if (ext.getExtensionId().toString().equals(PKIXExtensions.BasicConstraints_Id.toString())) {
                             bc_ext = (BasicConstraintsExtension) ext;

Comment 2 Ade Lee 2014-09-18 23:18:42 EDT

The issue is stated as follows:
com/netscape/ca/CAService.java:642: error: reference to Extension is
ambiguous, both interface java.security.cert.Extension in
java.security.cert and class netscape.security.x509.Extension in
netscape.security.x509 match
Extension ext = (Extension) e.nextElement();

This never used to be a problem before because java.security.cert.Extension was only introduced in Java 7.  This also won't be a problem unless java.security.cert.Extension is found in the classpath before netscape.security.x509.Extension.

If it is though, and ext is instantiated as a netscape.security.x509.Extension, then some subsequent calls - like ext.getExtensionId() will fail.

Now, this code is in a function called issueX509Cert() - which sounds like its
pretty important.  In fact, I suspect its executed whenever we issue a cert.  

Thats a double edged sword -- we know that we have not had any 
issues - so its likely that the classpath is set up correctly.  On the other hand, do we want to rely on this for such an important bit of code?  Remember that classpath issues are notoriously difficult to debug.

Incidentally, on looking at this code, I think that Matt's initial solution needs to be tweaked a bit, so that the Enumeration is also typed -- ie.

Enumeration e = exts.getElements();  should become
Enumeration<netscape.security.x509.Extension> e = exts.getElements();

Comment 3 Nathan Kinder 2014-09-19 10:51:08 EDT

Proposing this as a 0day for RHEL 6.6.z based off of the description in comment#2.  The fix for this can be prepared quickly, as it's trivial.

Comment 8 Matthew Harmsen 2014-09-26 11:10:26 EDT

Created attachment 941624 [details]
pki-core-9.0.3-bz1144188.patch

Although we attempted to follow the Z-Stream procedures for a 0-day errata located at https://home.corp.redhat.com/wiki/working-z-streams, we were informed by release-engineering that if we checked this patch into the rhel-6.6 dist-git branch, that rhel-6.7 would be cloned from the rhel-6.6 branch (thus picking up this patch).

Comment 9 Matthew Harmsen 2014-09-26 11:11:22 EDT

Created attachment 941632 [details]
pki-core.spec

Although we attempted to follow the Z-Stream procedures for a 0-day errata located at https://home.corp.redhat.com/wiki/working-z-streams, we were informed by release-engineering that if we checked this spec file into the rhel-6.6 dist-git branch, that rhel-6.7 would be cloned from the rhel-6.6 branch (thus picking up this spec file).

Comment 11 Roshni 2015-04-08 16:59:01 EDT

TPS tests of RHEL 6.7 pki-core errata for build pki-core-9.0.3-40.el6 passed.

Comment 13 errata-xmlrpc 2015-07-22 02:55:26 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1347.html

Note You need to log in before you can comment on or make changes to this bug.