Description of problem:

In the NamePanel, in ConfigCert(), we call CertUtil.createLocalCert() which gets the next serial number and then calls:

    info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), issuerdn, dn, date, date, keyAlgorithm);

Notice the serialNo.intValue(). This conversion from BigInt to Int breaks the install when serial numbers are high - as can happen when a bunch of clones are installed. In fact, it looks like it breaks down somewhere between 70 000 000 and 80 000 000 hex.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Please add steps to reproduce/verify this bug
Created attachment 608658: patch to fix
PKI_8_1_ERRATA_BRANCH:

[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending        base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2482.

PKI_8_BRANCH:

[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending        base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2481.
Defect description:

The serial number generated for certificates is wrong when the number is large. The problem is due to the conversion of BigInteger to integer while generating a new serial number, which truncates the most significant bits in the serial number, and therefore a large number (e.g. 10fff0001) becomes a smaller number (e.g. fff0001). This conversion in turn leads to a collision if a certificate with the smaller number exists in the database.

Steps to reproduce the defect:
- Create a CA. - (1)
- Edit the fields minSerialNumber and maxSerialNumber in the <CA-Installation Path>/conf.CS.cfg to large values like 100000000 and 110000000.
- Restart the CA.
- Configure the CA.
- Create a new CA.
- Configure this as a clone to (1)CA
- After the certificates are generated, view the serial number by clicking on "View Certificate in PrettyPrint". You are looking for the subsystem cert.

Results:
Before the patch is applied: The serial number is truncated. (Wrong)
After the patch is applied: The serial number is found as expected.
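A constructed Python model of the narrowing described in the two comments above (added here; it is not code from the pki project, and every function name in it is hypothetical): it emulates BigInteger.intValue() on the serials quoted in this bug, shows the collision with an already-issued smaller serial, and shows why the breakage is first observed between 0x70000000 and 0x80000000 (the sign bit of a Java int).

```python
"""Model of BZ#816232: narrowing a BigInteger certificate serial to a Java int
before the X.509 certificate is built.  Constructed example, not pki code."""
from typing import Optional, Set

JAVA_INT_MAX = 0x7FFFFFFF  # largest serial that survives intValue() unchanged


def java_int_value(serial: int) -> int:
    """Emulate java.math.BigInteger.intValue(): keep only the low 32 bits and
    reinterpret them as a signed two's-complement int.  This is what the
    pre-patch wizard did via serialNo.intValue()."""
    low = serial & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low


def narrowing_is_lossless(serial: int) -> bool:
    """A serial survives the int conversion only while it fits in 31 bits.
    At or above 0x80000000 it either flips negative (not a valid serial under
    RFC 5280, which requires a positive integer) or loses its high bits."""
    return 0 <= serial <= JAVA_INT_MAX


def truncated_collision(issued: Set[int], next_serial: int) -> Optional[int]:
    """Pre-patch behaviour: return the already-issued serial that the narrowed
    value collides with, or None if the narrowed value happens to be unused."""
    narrowed = java_int_value(next_serial)
    return narrowed if narrowed in issued else None


def allocate_serial(issued: Set[int], next_serial: int) -> int:
    """Post-patch behaviour, plus the defensive checks a CA should apply anyway:
    keep the full-width integer, and refuse a serial that is not positive or
    that already exists in the certificate repository."""
    if next_serial <= 0:
        raise ValueError("serial must be positive: %#x" % next_serial)
    if next_serial in issued:
        raise ValueError("serial %#x already issued" % next_serial)
    issued.add(next_serial)
    return next_serial


if __name__ == "__main__":
    # Constructed repository: the smaller serial from the defect description
    # already exists, and the next serial from the clone's range is 0x10fff0001.
    repository = {0xFFF0001}
    print("0x10fff0001 narrows to %#x" % java_int_value(0x10FFF0001))
    print("collides with: %#x" % truncated_collision(repository, 0x10FFF0001))
    print("full-width allocation: %#x" % allocate_serial(repository, 0x10FFF0001))
```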
Non-ECC Environment
==================

1. Create Master CA instance

pkicreate -pki_instance_root=/var/lib \
          -pki_instance_name=pki-ca-bz816232-M1 \
          -subsystem_type=ca \
          -agent_secure_port=29443 \
          -ee_secure_port=29444 \
          -ee_secure_client_auth_port=29446 \
          -admin_secure_port=29445 \
          -unsecure_port=29180 \
          -tomcat_server_port=29701 \
          -user=pkiuser \
          -group=pkiuser \
          -redirect conf=/etc/pki-ca-bz816232-M1 \
          -redirect logs=/var/log/pki-ca-bz816232-M1 \
          -verbose

2. Stop the CA instance.

3. Modify the CS.cfg as below

$ cat /etc/pki-ca-bz816232-M1/CS.cfg | grep dbs.
dbs.enableSerialManagement=false
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.beginSerialNumber=100000000000000
dbs.endSerialNumber=100000010000000
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
dbs.beginReplicaNumber=1
dbs.endReplicaNumber=100
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true

4. Start the instance. Configure the instance.

[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-M1 restart
Stopping pki-ca-bz816232-M1: ....                          [  OK  ]
Starting pki-ca-bz816232-M1: Using Java Security Manager
Constructing 'pki-ca-bz816232-M1.policy' Security Policy
Starting pki-ca-bz816232-M1:                               [  OK  ]
pki-ca-bz816232-M1 (pid 31986) is running ...
    Unsecure Port       = http://dhcp207-162.lab.eng.pnq.redhat.com:29180/ca/ee/ca
    Secure Agent Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:29443/ca/agent/ca
    Secure EE Port      = https://dhcp207-162.lab.eng.pnq.redhat.com:29444/ca/ee/ca
    Secure Admin Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca/services
    EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca
    Tomcat Port         = 29701 (for shutdown)

    PKI Instance Name:   pki-ca-bz816232-M1
    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  Example Domain
    URL:   https://dhcp207-162.lab.eng.pnq.redhat.com:29445
    ==========================================================================

5. After configuration, serial numbers as displayed.

dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=false
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

6. Create Clone instance:

pkicreate -pki_instance_root=/var/lib \
          -pki_instance_name=pki-ca-bz816232-C1 \
          -subsystem_type=ca \
          -agent_secure_port=39443 \
          -ee_secure_port=39444 \
          -ee_secure_client_auth_port=39446 \
          -admin_secure_port=39445 \
          -unsecure_port=39180 \
          -tomcat_server_port=39701 \
          -user=pkiuser \
          -group=pkiuser \
          -redirect conf=/etc/pki-ca-bz816232-C1 \
          -redirect logs=/var/log/pki-ca-bz816232-C1 \
          -verbose

7. Configure the clone to Master CA pki-ca-bz816232-M1. Below are the details in the Configuration Panels:

Key Store Panel: Use the default "Internal Key Storage token"
Security Domain: Join to Existing Security Domain
    Example Domain https://dhcp207-162.lab.eng.pnq.redhat.com:29445
    Login to security Domain "Example Domain"
Subsystem Type: Select "Clone an existing CA subsystem"
    Subsystem Name: Certificate Authority Clone1
Accept the certificate chain
Import keys and Certificate: Specify the master subsystem keys
    filename: savepkcs12
    password: redhat
Internal database:
    host: localhost
    port: 2389
    Base DN: dc=dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
    Database: dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
    Bind DN: CN=Directory Manager
    Bind Password: redhat@123
Key Pairs:
    Key type: RSA
    Signed with: SHA256withRSA
    Signing Algorithm: SHA256withRSA
    Key size: 2048
Subject Names: Accept the default subject names
    SSL Server Certificate:
        DN: CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
        Nickname: Server-Cer cert-pki-ca-bz816232-C1
Requests and Certificates: View all the Certificates in Pretty Print:

<Snip of Certificates as seen from Pretty Print>

CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x100000000000000
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity:
                Not Before: Thursday, March 28, 2013 12:55:07 PM EDT America/New_York
                Not  After: Sunday, March 28, 2021 12:55:07 PM EDT America/New_York
            Subject: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1

CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x100000000000001
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity:
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1

CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
Certificate in pretty print
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x10000000FFF0001
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity:
                Not Before: Thursday, March 28, 2013 1:07:19 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 1:07:19 PM EDT America/New_York
            Subject: CN=dhcp207-162.lab.eng.pnq.redhat.com,O=clone
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537

CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x100000000000003
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity:
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:
                    Exponent: 65537

CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x100000000000004
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity:
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info:
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key:

</Snip of Certificates as seen from Pretty Print>

8. Restart the clone instance.

[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-C1 restart
Stopping pki-ca-bz816232-C1: ..                            [  OK  ]
Starting pki-ca-bz816232-C1: Using Java Security Manager
Constructing 'pki-ca-bz816232-C1.policy' Security Policy
Starting pki-ca-bz816232-C1:                               [  OK  ]
pki-ca-bz816232-C1 (pid 1608) is running ...

    Unsecure Port       = http://dhcp207-162.lab.eng.pnq.redhat.com:39180/ca/ee/ca
    Secure Agent Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:39443/ca/agent/ca
    Secure EE Port      = https://dhcp207-162.lab.eng.pnq.redhat.com:39444/ca/ee/ca
    Secure Admin Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca/services
    EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca
    Tomcat Port         = 39701 (for shutdown)

    PKI Instance Name:   pki-ca-bz816232-C1
    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  Example Domain
    URL:   https://dhcp207-162.lab.eng.pnq.redhat.com:39445
    ==========================================================================

After configuring clone, Master's CS.cfg (pki-ca-bz816232-M1):

dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=true
dbs.endReplicaNumber=95
dbs.endRequestNumber=9990000
dbs.endSerialNumber=10000000fff0000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginSerialNumber=100000010000001
dbs.nextEndSerialNumber=100000020000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

Clone's CS.cfg (pki-ca-bz816232-C1):

dbs.beginReplicaNumber=98
dbs.beginRequestNumber=9990001
dbs.beginSerialNumber=10000000fff0001
dbs.enableSerialManagement=true
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginRequestNumber=10000001
dbs.nextBeginSerialNumber=100000020000001
dbs.nextEndRequestNumber=20000000
dbs.nextEndSerialNumber=100000030000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
Configuring ECC CA clone fails, for which BZ 948983 has been created:
https://bugzilla.redhat.com/show_bug.cgi?id=948983

Marking this BZ to verified state.