Bug 816232 - serial number incorrectly cast from BigInt to integer in installation wizard
serial number incorrectly cast from BigInt to integer in installation wizard
Status: CLOSED NEXTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Installation Wizard (Show other bugs)
9.0
Unspecified Unspecified
medium Severity unspecified
: ---
: ---
Assigned To: Ade Lee
Chandrasekar Kannan
:
Depends On:
Blocks: 760283 841663
  Show dependency treegraph
 
Reported: 2012-04-25 11:04 EDT by Ade Lee
Modified: 2015-01-04 18:51 EST (History)
6 users (show)

See Also:
Fixed In Version: pki-common-8.1.4-1.el5pki pki-util-8.1.2-1.el5pki
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 841663 (view as bug list)
Environment:
Last Closed: 2014-08-28 21:42:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to fix (4.96 KB, patch)
2012-08-31 15:48 EDT, Ade Lee
no flags Details | Diff

  None (edit)
Description Ade Lee 2012-04-25 11:04:04 EDT
Description of problem:

In the NamePanel, in ConfigCert(), we call CertUtil.createLocalCert() which gets the next serial number and then calls:

info = CryptoUtil.createX509CertInfo(x509key, serialNo.intValue(), 
                                     issuerdn, dn, date, date, keyAlgorithm);

Notice the serialNo.intValue().  This conversion from BigInt to Int breaks the install when serial numbers are high - as can happen when a bunch of clones are installed.  In fact, it looks like it breaks down somewhere between 70 000 000 and 80 000 000 hex.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Jenny Galipeau 2012-08-06 14:56:08 EDT
Please add steps to reproduce/verify this bug
Comment 2 Ade Lee 2012-08-31 15:48:00 EDT
Created attachment 608658 [details]
patch to fix
Comment 3 Ade Lee 2012-08-31 15:49:09 EDT
PKI_8_1_ERRATA_BRANCH:

[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard"
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending        base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2482.

PKI_8_BRANCH:
[vakwetu@alee-workpc pki]$ svn ci -m "Bugzilla BZ#816232 - incorrect casting from BigInt to Int in installation wizard" 
Sending        base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
Sending        base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
Transmitting file data ..
Committed revision 2481.
Comment 4 Ade Lee 2012-08-31 15:51:50 EDT
Defect description:
  The serial number generated for certificates is wrong when the number
is large. Problem is due to the conversion of BigInteger to integer
while generating a new serial number, which truncates the most
significant bits in the serial number and therefore a large number (eg.
10fff0001) becomes a smaller number (eg. fff0001). This conversion in
turn leads to a collision if a certificate with the smaller number
exists in the database.

Steps to reproduce the defect:
 
 - Create a CA. - (1)
 - Edit the fields minSerialNumber and maxSerialNumber in the
<CA-Installation Path>/conf.CS.cfg to large values like 100000000 and
110000000.
 - Restart the CA.
 - Configure the CA.
 - Create a new CA.
 - Configure this as a clone to (1)CA
 - After the Certificates are generated, view the serial number by
clicking on "View Certificate in PrettyPrint".  You are looking for the subsystem cert.

Results:
Before the patch is applied: The serial number is truncated.(Wrong)
After the patch is applied: The serial number is found as expected.
Comment 6 Niranjan Mallapadi Raghavender 2013-03-28 04:22:50 EDT
Non-ECC Environment
==================
1. Create Master CA instance 

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca-bz816232-M1 \
          -subsystem_type=ca                 \
          -agent_secure_port=29443            \
          -ee_secure_port=29444               \
          -ee_secure_client_auth_port=29446   \
          -admin_secure_port=29445            \
          -unsecure_port=29180                \
          -tomcat_server_port=29701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca-bz816232-M1         \
          -redirect logs=/var/log/pki-ca-bz816232-M1     \
          -verbose

2. Stop the CA instance.

3. modify the CS.cfg as below 

$ cat /etc/pki-ca-bz816232-M1/CS.cfg  | grep dbs.

dbs.enableSerialManagement=false
dbs.beginRequestNumber=1
dbs.endRequestNumber=10000000
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.beginSerialNumber=100000000000000
dbs.endSerialNumber=100000010000000
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
dbs.beginReplicaNumber=1
dbs.endReplicaNumber=100
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true

4. Start the instance. configure the instance.

[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-M1 restart
Stopping pki-ca-bz816232-M1: ....                          [  OK  ]
Starting pki-ca-bz816232-M1: 
    Using Java Security Manager
    Constructing 'pki-ca-bz816232-M1.policy' Security Policy
Starting pki-ca-bz816232-M1:                               [  OK  ]

pki-ca-bz816232-M1 (pid 31986) is running ...

    Unsecure Port       = http://dhcp207-162.lab.eng.pnq.redhat.com:29180/ca/ee/ca
    Secure Agent Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:29443/ca/agent/ca
    Secure EE Port      = https://dhcp207-162.lab.eng.pnq.redhat.com:29444/ca/ee/ca
    Secure Admin Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca/services
    EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:29446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:29445/ca
    Tomcat Port         = 29701 (for shutdown)

    PKI Instance Name:   pki-ca-bz816232-M1

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  Example Domain
    URL:   https://dhcp207-162.lab.eng.pnq.redhat.com:29445
    ==========================================================================

5. After Configurtion, serial Numbers as displayed.

dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=false
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges


6.Create Clone instance:

pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-ca-bz816232-C1 \
          -subsystem_type=ca                 \
          -agent_secure_port=39443            \
          -ee_secure_port=39444               \
          -ee_secure_client_auth_port=39446   \
          -admin_secure_port=39445            \
          -unsecure_port=39180                \
          -tomcat_server_port=39701           \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-ca-bz816232-C1         \
          -redirect logs=/var/log/pki-ca-bz816232-C1     \
          -verbose

7. Configure the clone to Master CA-pki-ca-bz816232-M1, Below are the details in the Configuration Panels:

Key Store Panel:
	Use the default "Internal Key Storage token" 
Security Domain:
	Join to Existing Security Domain Example Domain 
	https://dhcp207-162.lab.eng.pnq.redhat.com:29445
Login to security Domain "Example Domain"

Subsystem Type
	Select "Clone an existing CA subsystem"
	Subsystem Name: Certificate Authority Clone1
	Accept the certificate chain

Import keys and Certificate
	Specify the master subsystem keys filename: savepkcs12
	password: redhat
Internal database
	host:localhost
	port:2389	
	Base DN: dc=dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
	Database: dhcp207-162.lab.eng.pnq.redhat.com-pki-ca-bz816232-M1
	Bind DN: CN=Directory Manager
	Bind Password: redhat@123
Key Pairs:
	Key type: RSA
	Signed with: SHA256withRSA
	Signing Algorithm: SHA256withRSA
	Key size: 2048
Subject Names:
	Accept the default subject Names:
	SSL Server Certificate: 
		DN: CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
		Nickname: Server-Cer cert-pki-ca-bz816232-C1

Requests and Certificates:
	View all the Certificates in Pretty Print:

<Snip of Certificates as seen from Pretty Print>

CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x100000000000000
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity: 
                Not Before: Thursday, March 28, 2013 12:55:07 PM EDT America/New_York
                Not  After: Sunday, March 28, 2021 12:55:07 PM EDT America/New_York
            Subject: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1


CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x100000000000001
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity: 
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=OCSP Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1

CN=dhcp207-162.lab.eng.pnq.redhat.com,o=clone
Certificate in pretty print

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x10000000FFF0001
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity: 
                Not Before: Thursday, March 28, 2013 1:07:19 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 1:07:19 PM EDT America/New_York
            Subject: CN=dhcp207-162.lab.eng.pnq.redhat.com,O=clone
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537
CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x100000000000003
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity: 
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=CA Subsystem Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 
                    Exponent: 65537

CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
Certificate in pretty print

    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x100000000000004
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=Certificate Authority,OU=pki-ca-bz816232-M1,O=Example Domain
            Validity: 
                Not Before: Thursday, March 28, 2013 12:55:08 PM EDT America/New_York
                Not  After: Wednesday, March 18, 2015 12:55:08 PM EDT America/New_York
            Subject: CN=CA Audit Signing Certificate,OU=pki-ca-bz816232-M1,O=Example Domain
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
                Public Key: 

</Snip of Certificates as seen from Pretty Print>

8. Restart the clone instance.		
	
[root@dhcp207-162 816232]# /sbin/service pki-ca-bz816232-C1 restart
Stopping pki-ca-bz816232-C1: ..                            [  OK  ]
Starting pki-ca-bz816232-C1: 
    Using Java Security Manager
    Constructing 'pki-ca-bz816232-C1.policy' Security Policy
Starting pki-ca-bz816232-C1:                               [  OK  ]

pki-ca-bz816232-C1 (pid 1608) is running ...

    Unsecure Port       = http://dhcp207-162.lab.eng.pnq.redhat.com:39180/ca/ee/ca
    Secure Agent Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:39443/ca/agent/ca
    Secure EE Port      = https://dhcp207-162.lab.eng.pnq.redhat.com:39444/ca/ee/ca
    Secure Admin Port   = https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca/services
    EE Client Auth Port = https://dhcp207-162.lab.eng.pnq.redhat.com:39446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://dhcp207-162.lab.eng.pnq.redhat.com:39445/ca
    Tomcat Port         = 39701 (for shutdown)

    PKI Instance Name:   pki-ca-bz816232-C1

    PKI Subsystem Type:  CA Clone (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  Example Domain
    URL:   https://dhcp207-162.lab.eng.pnq.redhat.com:39445
    ==========================================================================

After configuring clone, Master's CS.cfg (pki-ca-bz816232-M1)
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=100000000000000
dbs.enableSerialManagement=true
dbs.endReplicaNumber=95
dbs.endRequestNumber=9990000
dbs.endSerialNumber=10000000fff0000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginSerialNumber=100000010000001
dbs.nextEndSerialNumber=100000020000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=100000002000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges


Clone's CS.cfg (pki-ca-bz816232-C1)

dbs.beginReplicaNumber=98
dbs.beginRequestNumber=9990001
dbs.beginSerialNumber=10000000fff0001
dbs.enableSerialManagement=true
dbs.endReplicaNumber=100
dbs.endRequestNumber=10000000
dbs.endSerialNumber=100000010000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginRequestNumber=10000001
dbs.nextBeginSerialNumber=100000020000001
dbs.nextEndRequestNumber=20000000
dbs.nextEndSerialNumber=100000030000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
Comment 7 Niranjan Mallapadi Raghavender 2013-04-05 11:25:32 EDT
Configuring ECC CA clone fails for which BZ 948983 has been created. 
https://bugzilla.redhat.com/show_bug.cgi?id=948983

Marking this BZ to verified state.

Note You need to log in before you can comment on or make changes to this bug.