Add a new sequential number generator: legacy2
The current generator has a problem converting the range boundaries from hex to
decimal, creating gaps between ranges. This is a problem when third-party tools
are used with certificates, because contiguous ranges are expected.

This commit introduce the generator legacy2. This uses same
configuration parameter but hex value are specified by the prefix '0x'.

When value are written to the configuration value it is possible to set
the radix with the options:
- dbs.cert.id.radix (default to 16)
- dbs.key.id.radix (default to 16)
- dbs.request.id.radix (default to 10)

Additionally, the new command `pki-server <subsystem>-id-generator-*`
has been added to migrate from the legacy generator to the legacy2 or to
random.
fmarco76 committed Oct 23, 2024
1 parent ff78d2a commit eadcb97
Showing 27 changed files with 1,053 additions and 97 deletions.
42 changes: 22 additions & 20 deletions base/ca/src/main/java/com/netscape/cmscore/dbs/CRLRepository.java
Expand Up @@ -49,7 +49,7 @@ public class CRLRepository extends Repository {
* Constructs a CRL repository.
*/
public CRLRepository(DBSubsystem dbSubsystem) {
super(dbSubsystem, 10);
super(dbSubsystem, DEC);
}

@Override
Expand All @@ -67,43 +67,33 @@ public void init() throws Exception {
rangeDN = dbConfig.getRequestRangeDN() + "," + dbSubsystem.getBaseDN();
logger.info("CRLRepository: - range DN: " + rangeDN);

String minSerial = dbConfig.getBeginRequestNumber();
if (minSerial != null) {
mMinSerialNo = new BigInteger(minSerial, mRadix);
}
mMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.MIN_REQUEST_NUMBER, null);
logger.info("CRLRepository: - min serial: " + mMinSerialNo);

String maxSerial = dbConfig.getEndRequestNumber();
if (maxSerial != null) {
mMaxSerialNo = new BigInteger(maxSerial, mRadix);
}
mMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.MAX_REQUEST_NUMBER, null);
logger.info("CRLRepository: - max serial: " + mMaxSerialNo);

String nextMinSerial = dbConfig.getNextBeginRequestNumber();
if (nextMinSerial == null || nextMinSerial.equals("-1")) {
mNextMinSerialNo = null;
} else {
mNextMinSerialNo = new BigInteger(nextMinSerial, mRadix);
mNextMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MIN_REQUEST_NUMBER, null);
}
logger.info("CRLRepository: - next min serial: " + mNextMinSerialNo);

String nextMaxSerial = dbConfig.getNextEndRequestNumber();
if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
mNextMaxSerialNo = null;
} else {
mNextMaxSerialNo = new BigInteger(nextMaxSerial, mRadix);
mNextMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MAX_REQUEST_NUMBER, null);
}
logger.info("CRLRepository: - next max serial: " + mNextMaxSerialNo);

String lowWaterMark = dbConfig.getRequestLowWaterMark();
if (lowWaterMark != null) {
mLowWaterMarkNo = new BigInteger(lowWaterMark, mRadix);
}

String incrementNo = dbConfig.getRequestIncrement();
if (incrementNo != null) {
mIncrementNo = new BigInteger(incrementNo, mRadix);
}
mLowWaterMarkNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_LOW_WATER_MARK, null);
logger.debug("CRLRepository: - low water mark serial: " + mNextMaxSerialNo);

mIncrementNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_INCREMENT, null);
logger.debug("CRLRepository: - increment serial: " + mIncrementNo);

/*
DBRegistry reg = dbService.getRegistry();
Expand All @@ -129,6 +119,9 @@ public void setMinSerialConfig() throws EBaseException {

DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
String serial = mMinSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CRLRepository: Setting min serial number: " + serial);
dbConfig.setBeginRequestNumber(serial);
}
Expand All @@ -137,6 +130,9 @@ public void setMaxSerialConfig() throws EBaseException {

DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
String serial = mMaxSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CRLRepository: Setting max serial number: " + serial);
dbConfig.setEndRequestNumber(serial);
}
Expand All @@ -151,6 +147,9 @@ public void setNextMinSerialConfig() throws EBaseException {

} else {
String serial = mNextMinSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CRLRepository: Setting next min number: " + serial);
dbConfig.setNextBeginRequestNumber(serial);
}
Expand All @@ -166,6 +165,9 @@ public void setNextMaxSerialConfig() throws EBaseException {

} else {
String serial = mNextMaxSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CRLRepository: Setting next max number: " + serial);
dbConfig.setNextEndRequestNumber(serial);
}
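Review bot: The new debug line `logger.debug("CRLRepository: - low water mark serial: " + mNextMaxSerialNo);` in the init() hunk logs the wrong field; it should print `mLowWaterMarkNo`, the value assigned on the line just above. The same copy-paste appears in CertificateRepository.initLegacy2Generator() (`"CertificateRepository: - low water mark serial: " + mNextMaxSerialNo`), so both should be fixed together. On style, the `if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) { serial = "0x" + serial; }` block is now repeated in all four setter hunks here and again in CertificateRepository; a single protected helper on Repository that turns a BigInteger into its config-file form would keep the prefix rule in one place. I cannot see DatabaseConfig.getBigInteger from here, so a round-trip test that a value written by setMinSerialConfig() with the `0x` prefix is read back unchanged by init() would be worth adding. init() starts outside the hunk.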
Expand Up @@ -80,6 +80,7 @@ public class CertificateRepository extends Repository {
private static final BigInteger BI_MINUS_ONE = BigInteger.ONE.negate();

public static final String PROP_CERT_ID_GENERATOR = "cert.id.generator";
public static final String PROP_CERT_ID_RADIX = "cert.id.radix";
public static final String DEFAULT_CERT_ID_GENERATOR = "legacy";

public static final String PROP_CERT_ID_LENGTH = "cert.id.length";
Expand All @@ -103,8 +104,15 @@ public CertificateRepository(
SecureRandom secureRandom,
DBSubsystem dbSubsystem) {

super(dbSubsystem, 16);

super(dbSubsystem, HEX);
DatabaseConfig dbc = dbSubsystem.getDBConfigStore();
try {
this.mRadix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX);
logger.debug("CertificateRepository: number radix {}", this.mRadix);

} catch (EBaseException ex) {
logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX);
}
this.secureRandom = secureRandom;
}

Expand All @@ -126,12 +134,47 @@ public void init() throws Exception {

idLength = mDBConfig.getInteger(PROP_CERT_ID_LENGTH, DEFAULT_CERT_ID_LENGTH);
logger.debug("CertificateRepository: - cert ID length: " + idLength);

} else if (idGenerator == IDGenerator.LEGACY_2) {
initLegacy2Generator();
} else {
initLegacyGenerator();
}
}

protected void initLegacy2Generator() throws EBaseException {

rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
logger.debug("CertificateRepository: - range DN: " + rangeDN);

mMinSerialNo = mDBConfig.getBigInteger(DatabaseConfig.MIN_SERIAL_NUMBER, null);
logger.debug("CertificateRepository: - min serial: " + mMinSerialNo);

mMaxSerialNo = mDBConfig.getBigInteger(DatabaseConfig.MAX_SERIAL_NUMBER, null);
logger.debug("CertificateRepository: - max serial: " + mMaxSerialNo);

String nextMinSerial = mDBConfig.getNextBeginSerialNumber();
if (nextMinSerial == null || nextMinSerial.equals("-1")) {
mNextMinSerialNo = null;
} else {
mNextMinSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MIN_SERIAL_NUMBER, null);
}
logger.debug("CertificateRepository: - next min serial: " + mNextMinSerialNo);

String nextMaxSerial = mDBConfig.getNextEndSerialNumber();
if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
mNextMaxSerialNo = null;
} else {
mNextMaxSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MAX_SERIAL_NUMBER, null);
}
logger.debug("CertificateRepository: - next max serial: " + mNextMaxSerialNo);

mLowWaterMarkNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_LOW_WATER_MARK, null);
logger.debug("CertificateRepository: - low water mark serial: " + mNextMaxSerialNo);

mIncrementNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_INCREMENT, null);
logger.debug("CertificateRepository: - increment serial: " + mIncrementNo);
}

public void initLegacyGenerator() throws Exception {

rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
Expand Down Expand Up @@ -180,6 +223,9 @@ public void setMinSerialConfig() throws EBaseException {

DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
String serial = mMinSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CertificateRepository: Setting min serial number: " + serial);
dbConfig.setBeginSerialNumber(serial);
}
Expand All @@ -188,6 +234,9 @@ public void setMaxSerialConfig() throws EBaseException {

DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
String serial = mMaxSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CertificateRepository: Setting max serial number: " + serial);
dbConfig.setEndSerialNumber(serial);
}
Expand All @@ -202,6 +251,9 @@ public void setNextMinSerialConfig() throws EBaseException {

} else {
String serial = mNextMinSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CertificateRepository: Setting next min number: " + serial);
dbConfig.setNextBeginSerialNumber(serial);
}
Expand All @@ -217,6 +269,9 @@ public void setNextMaxSerialConfig() throws EBaseException {

} else {
String serial = mNextMaxSerialNo.toString(mRadix);
if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
serial = "0x" + serial;
}
logger.debug("CertificateRepository: Setting next max number: " + serial);
dbConfig.setNextEndSerialNumber(serial);
}
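Review bot: In the constructor hunk the catch block logs `"... using default {} for "` with a dangling `for` and drops `ex`, so a malformed `cert.id.radix` leaves no record of why the default was used; pass the exception as the last SLF4J argument so the cause is logged. The value read from config is also stored without validation: BigInteger.toString(int) silently falls back to base 10 for a radix outside Character.MIN_RADIX..Character.MAX_RADIX, and the `0x` prefix added in the setter hunks only covers HEX, so any radix other than DEC or HEX would write values that the legacy2 reader may not parse back (I cannot see DatabaseConfig.getBigInteger here). Restricting the setting to DEC or HEX at load time, as below, turns that into a visible warning instead of a silent format drift. Whether the unconditional `super(dbSubsystem, HEX)` should instead receive the configured radix depends on what Repository does with it in its constructor, which is outside this hunk.
```java
super(dbSubsystem, HEX);
DatabaseConfig dbc = dbSubsystem.getDBConfigStore();
try {
    int radix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX);
    if (radix != DEC && radix != HEX) {
        // only the two radices the 0x-prefix logic understands are accepted
        logger.warn("CertificateRepository: unsupported {} value {}, using default {}",
                PROP_CERT_ID_RADIX, radix, HEX);
    } else {
        this.mRadix = radix;
    }
    logger.debug("CertificateRepository: number radix {}", this.mRadix);

} catch (EBaseException ex) {
    logger.warn("CertificateRepository: error reading {}, using default {}",
            PROP_CERT_ID_RADIX, HEX, ex);
}
// … unchanged: secureRandom assignment …
```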
Expand Up @@ -36,6 +36,7 @@ public CACLI(CLI parent) {
addModule(new SubsystemGroupCLI(this));
addModule(new CAProfileCLI(this));
addModule(new CARangeCLI(this));
addModule(new CAIdCLI(this));
addModule(new SubsystemUserCLI(this));
addModule(new SDCLI(this));
}
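--- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java
+++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java
@@ -0,0 +1,19 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+* @author Marco Fargetta {@literal <[email protected]>}
+*/
+public class CAIdCLI extends CLI {
+public CAIdCLI(CLI parent) {
+super("id", "CA id generator management commands", parent);
+
+addModule(new CAIdGeneratorCLI(this));
+}
+}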
@@ -0,0 +1,21 @@
//
// Copyright Red Hat, Inc.
//
// SPDX-License-Identifier: GPL-2.0-or-later
//
package org.dogtagpki.server.ca.cli;

import org.dogtagpki.cli.CLI;

/**
* @author Marco Fargetta {@literal <[email protected]>}
*/
public class CAIdGeneratorCLI extends CLI {

public CAIdGeneratorCLI(CLI parent) {
super("generator", "CA id generator commands", parent);

addModule(new CAIdGeneratorUpdateCLI(this));
}

}
@@ -0,0 +1,53 @@
//
// Copyright Red Hat, Inc.
//
// SPDX-License-Identifier: GPL-2.0-or-later
//
package org.dogtagpki.server.ca.cli;

import com.netscape.cmscore.apps.DatabaseConfig;
import com.netscape.cmscore.dbs.CertificateRepository;
import com.netscape.cmscore.dbs.Repository;
import com.netscape.cmscore.dbs.Repository.IDGenerator;
import com.netscape.cmscore.ldapconn.LdapAuthInfo;
import com.netscape.cmscore.ldapconn.LdapConnInfo;
import com.netscape.cmscore.ldapconn.PKISocketFactory;
import org.dogtagpki.cli.CLI;
import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
* @author Marco Fargetta {@literal <[email protected]>}
*/
public class CAIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI {
private static final Logger logger = LoggerFactory.getLogger(CAIdGeneratorUpdateCLI.class);

public CAIdGeneratorUpdateCLI(CLI parent) {
super(parent);
}

@Override
protected void updateSerialNumberRangeGenerator(PKISocketFactory socketFactory, LdapConnInfo connInfo,
LdapAuthInfo authInfo, DatabaseConfig dbConfig, String baseDN, IDGenerator newGenerator, String hostName, String securePort) throws Exception {
String value = dbConfig.getString(
CertificateRepository.PROP_CERT_ID_GENERATOR,
CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
idGenerator = IDGenerator.fromString(value);

if (newGenerator == IDGenerator.RANDOM && idGenerator != IDGenerator.RANDOM) {
dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
dbConfig.put(CertificateRepository.PROP_CERT_ID_LENGTH, "128");
dbConfig.remove("enableRandomSerialNumbers");
dbConfig.remove("randomSerialNumberCounter");
}
if (newGenerator == IDGenerator.LEGACY_2 && idGenerator == IDGenerator.LEGACY) {
dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
dbConfig.put(CertificateRepository.PROP_CERT_ID_RADIX, Integer.toString(Repository.HEX));
}

super.updateSerialNumberRangeGenerator(socketFactory, connInfo, authInfo, dbConfig, baseDN, newGenerator, hostName, securePort);
}


}
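Review bot: The `logger` field declared at the top of CAIdGeneratorUpdateCLI is never used anywhere in the class; either drop it or use it to record the migration, e.g. `logger.info("Switching cert ID generator from {} to {}", idGenerator, newGenerator);` before the config is rewritten, since a generator change is exactly the kind of event an operator wants in the logs. The random branch writes the literal `"128"` for `PROP_CERT_ID_LENGTH` while CertificateRepository.init() reads that key with `DEFAULT_CERT_ID_LENGTH` as its default; if that constant is 128, `Integer.toString(CertificateRepository.DEFAULT_CERT_ID_LENGTH)` keeps the two from drifting. Combinations other than anything→RANDOM and LEGACY→LEGACY_2 (for example RANDOM→LEGACY_2) fall through to the super call with the config untouched; if that is intentional a short comment saying so would help, otherwise a warning should be logged. The class Javadoc carries only `@author`; a one-line summary such as `/** Rewrites the CA's cert.id.generator settings and then delegates the range migration to SubsystemIdGeneratorUpdateCLI. */` would tell a reader what the command does.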
Expand Up @@ -39,9 +39,9 @@ public void updateSerialNumberRange(
String value = dbConfig.getString(
CertificateRepository.PROP_CERT_ID_GENERATOR,
CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
IDGenerator idGenerator = IDGenerator.fromString(value);
idGenerator = IDGenerator.fromString(value);

if (idGenerator != IDGenerator.LEGACY) {
if (idGenerator == IDGenerator.RANDOM) {
logger.info("No need to update certificate ID range");
return;
}
