Add a new sequential number generator: legacy2

The current generator has a problem with converting from hex to decimal
the range boundaries creating gaps between ranges. This a problem when
third parties tools are used to with certificates because contiguous
range are expected.

This commit introduce the generator legacy2. This uses same
configuration parameter but hex value are specified by the prefix '0x'.

When value are written to the configuration value it is possible to set
the radix with the options:
- dbs.cert.id.radix (default to 16)
- dbs.key.id.radix (default to 16)
- dbs.request.id.radix (default to 10)

Additionally, the new command `pki-server <subsystem>-id-generator-*`
has been added to migrate from the legacy generator to the legacy2 or to
random.

base/ca/src/main/java/com/netscape/cmscore/dbs/CRLRepository.java

@@ -49,7 +49,7 @@ public class CRLRepository extends Repository {
      * Constructs a CRL repository.
      */
     public CRLRepository(DBSubsystem dbSubsystem) {
-        super(dbSubsystem, 10);
+        super(dbSubsystem, DEC);
     }
 
     @Override
@@ -67,26 +67,18 @@ public void init() throws Exception {
         rangeDN = dbConfig.getRequestRangeDN() + "," + dbSubsystem.getBaseDN();
         logger.info("CRLRepository: - range DN: " + rangeDN);
 
-        minSerialName = DatabaseConfig.MIN_REQUEST_NUMBER;
-        String minSerial = dbConfig.getBeginRequestNumber();
-        if (minSerial != null) {
-            mMinSerialNo = new BigInteger(minSerial, mRadix);
-        }
+        mMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.MIN_REQUEST_NUMBER, null);
         logger.info("CRLRepository: - min serial: " + mMinSerialNo);
 
-        maxSerialName = DatabaseConfig.MAX_REQUEST_NUMBER;
-        String maxSerial = dbConfig.getEndRequestNumber();
-        if (maxSerial != null) {
-            mMaxSerialNo = new BigInteger(maxSerial, mRadix);
-        }
+        mMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.MAX_REQUEST_NUMBER, null);
         logger.info("CRLRepository: - max serial: " + mMaxSerialNo);
 
         nextMinSerialName = DatabaseConfig.NEXT_MIN_REQUEST_NUMBER;
         String nextMinSerial = dbConfig.getNextBeginRequestNumber();
         if (nextMinSerial == null || nextMinSerial.equals("-1")) {
             mNextMinSerialNo = null;
         } else {
-            mNextMinSerialNo = new BigInteger(nextMinSerial, mRadix);
+            mNextMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MIN_REQUEST_NUMBER, null);
         }
         logger.info("CRLRepository: - next min serial: " + mNextMinSerialNo);
 
@@ -95,19 +87,15 @@ public void init() throws Exception {
         if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
             mNextMaxSerialNo = null;
         } else {
-            mNextMaxSerialNo = new BigInteger(nextMaxSerial, mRadix);
+            mNextMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MAX_REQUEST_NUMBER, null);
         }
         logger.info("CRLRepository: - next max serial: " + mNextMaxSerialNo);
 
-        String lowWaterMark = dbConfig.getRequestLowWaterMark();
-        if (lowWaterMark != null) {
-            mLowWaterMarkNo = new BigInteger(lowWaterMark, mRadix);
-        }
-
-        String incrementNo = dbConfig.getRequestIncrement();
-        if (incrementNo != null) {
-            mIncrementNo = new BigInteger(incrementNo, mRadix);
-        }
+        mLowWaterMarkNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_LOW_WATER_MARK, null);
+        logger.debug("CRLRepository: - low water mark serial: " + mNextMaxSerialNo);
+
+        mIncrementNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_INCREMENT, null);
+        logger.debug("CRLRepository: - increment serial: " + mIncrementNo);
 
         /*
         DBRegistry reg = dbService.getRegistry();

base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java

@@ -80,6 +80,7 @@ public class CertificateRepository extends Repository {
     private static final BigInteger BI_MINUS_ONE = BigInteger.ONE.negate();
 
     public static final String PROP_CERT_ID_GENERATOR = "cert.id.generator";
+    public static final String PROP_CERT_ID_RADIX = "cert.id.radix";
     public static final String DEFAULT_CERT_ID_GENERATOR = "legacy";
 
     public static final String PROP_CERT_ID_LENGTH = "cert.id.length";
@@ -103,8 +104,15 @@ public CertificateRepository(
             SecureRandom secureRandom,
             DBSubsystem dbSubsystem) {
 
-        super(dbSubsystem, 16);
-
+        super(dbSubsystem, HEX);
+        DatabaseConfig dbc = dbSubsystem.getDBConfigStore();
+        try {
+            this.mRadix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX);
+            logger.debug("CertificateRepository: number radix {}", this.mRadix);
+
+        } catch (EBaseException ex) {
+            logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX);
+        }
         this.secureRandom = secureRandom;
     }
 
@@ -126,12 +134,51 @@ public void init() throws Exception {
 
             idLength = mDBConfig.getInteger(PROP_CERT_ID_LENGTH, DEFAULT_CERT_ID_LENGTH);
             logger.debug("CertificateRepository: - cert ID length: " + idLength);
-
+        } else if (idGenerator == IDGenerator.LEGACY_2) {
+            initLegacy2Generator();
         } else {
             initLegacyGenerator();
         }
     }
 
+    protected void initLegacy2Generator() throws EBaseException {
+
+        rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
+        logger.debug("CertificateRepository: - range DN: " + rangeDN);
+
+        minSerialName = DatabaseConfig.MIN_SERIAL_NUMBER;
+        mMinSerialNo = mDBConfig.getBigInteger(minSerialName, null);
+        logger.debug("CertificateRepository: - min serial: " + mMinSerialNo);
+
+        maxSerialName = DatabaseConfig.MAX_SERIAL_NUMBER;
+        mMaxSerialNo = mDBConfig.getBigInteger(maxSerialName, null);
+        logger.debug("CertificateRepository: - max serial: " + mMaxSerialNo);
+
+        nextMinSerialName = DatabaseConfig.NEXT_MIN_SERIAL_NUMBER;
+        String nextMinSerial = mDBConfig.getNextBeginSerialNumber();
+        if (nextMinSerial == null || nextMinSerial.equals("-1")) {
+            mNextMinSerialNo = null;
+        } else {
+            mNextMinSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MIN_SERIAL_NUMBER, null);
+        }
+        logger.debug("CertificateRepository: - next min serial: " + mNextMinSerialNo);
+
+        nextMaxSerialName = DatabaseConfig.NEXT_MAX_SERIAL_NUMBER;
+        String nextMaxSerial = mDBConfig.getNextEndSerialNumber();
+        if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
+            mNextMaxSerialNo = null;
+        } else {
+            mNextMaxSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MAX_SERIAL_NUMBER, null);
+        }
+        logger.debug("CertificateRepository: - next max serial: " + mNextMaxSerialNo);
+
+        mLowWaterMarkNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_LOW_WATER_MARK, null);
+        logger.debug("CertificateRepository: - low water mark serial: " + mNextMaxSerialNo);
+
+        mIncrementNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_INCREMENT, null);
+        logger.debug("CertificateRepository: - increment serial: " + mIncrementNo);
+    }
+
     public void initLegacyGenerator() throws Exception {
 
         rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java

@@ -36,6 +36,7 @@ public CACLI(CLI parent) {
         addModule(new SubsystemGroupCLI(this));
         addModule(new CAProfileCLI(this));
         addModule(new CARangeCLI(this));
+        addModule(new CAIdCLI(this));
         addModule(new SubsystemUserCLI(this));
         addModule(new SDCLI(this));
     }

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java

@@ -0,0 +1,19 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <mfargett@redhat.com>}
+ */
+public class CAIdCLI extends CLI {
+    public CAIdCLI(CLI parent) {
+        super("id", "CA id generator management commands", parent);
+
+        addModule(new CAIdGeneratorCLI(this));
+    }
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java

@@ -0,0 +1,21 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <mfargett@redhat.com>}
+ */
+public class CAIdGeneratorCLI extends CLI {
+
+    public CAIdGeneratorCLI(CLI parent) {
+        super("generator", "CA id generator commands", parent);
+
+        addModule(new CAIdGeneratorUpdateCLI(this));
+    }
+
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java

@@ -0,0 +1,53 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.CertificateRepository;
+import com.netscape.cmscore.dbs.Repository;
+import com.netscape.cmscore.dbs.Repository.IDGenerator;
+import com.netscape.cmscore.ldapconn.LdapAuthInfo;
+import com.netscape.cmscore.ldapconn.LdapConnInfo;
+import com.netscape.cmscore.ldapconn.PKISocketFactory;
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Marco Fargetta {@literal <mfargett@redhat.com>}
+ */
+public class CAIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI {
+    private static final Logger logger = LoggerFactory.getLogger(CAIdGeneratorUpdateCLI.class);
+
+    public CAIdGeneratorUpdateCLI(CLI parent) {
+        super(parent);
+    }
+
+    @Override
+    protected void updateSerialNumberRangeGenerator(PKISocketFactory socketFactory, LdapConnInfo connInfo,
+            LdapAuthInfo authInfo, DatabaseConfig dbConfig, String baseDN, IDGenerator newGenerator, String hostName, String securePort) throws Exception {
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
+        idGenerator = IDGenerator.fromString(value);
+
+        if (newGenerator == IDGenerator.RANDOM && idGenerator != IDGenerator.RANDOM) {
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_LENGTH, "128");
+            dbConfig.remove("enableRandomSerialNumbers");
+            dbConfig.remove("randomSerialNumberCounter");
+        }
+        if (newGenerator == IDGenerator.LEGACY_2 && idGenerator == IDGenerator.LEGACY) {
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_RADIX, Integer.toString(Repository.HEX));
+        }
+
+        super.updateSerialNumberRangeGenerator(socketFactory, connInfo, authInfo, dbConfig, baseDN, newGenerator, hostName, securePort);
+    }
+
+
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java

@@ -39,9 +39,9 @@ public void updateSerialNumberRange(
         String value = dbConfig.getString(
                 CertificateRepository.PROP_CERT_ID_GENERATOR,
                 CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
-        IDGenerator idGenerator = IDGenerator.fromString(value);
+        idGenerator = IDGenerator.fromString(value);
 
-        if (idGenerator != IDGenerator.LEGACY) {
+        if (idGenerator == IDGenerator.RANDOM) {
             logger.info("No need to update certificate ID range");
             return;
         }

base/kra/src/main/java/com/netscape/cmscore/dbs/KeyRepository.java

@@ -45,6 +45,7 @@ public class KeyRepository extends Repository {
     public static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(KeyRepository.class);
 
     public static final String PROP_KEY_ID_GENERATOR = "key.id.generator";
+    public static final String PROP_KEY_ID_RADIX = "key.id.radix";
     public static final String DEFAULT_KEY_ID_GENERATOR = "legacy";
 
     public static final String PROP_KEY_ID_LENGTH = "key.id.length";
@@ -62,7 +63,15 @@ public KeyRepository(
             SecureRandom secureRandom,
             DBSubsystem dbSubsystem) {
 
-        super(dbSubsystem, 16);
+        super(dbSubsystem, HEX);
+        DatabaseConfig dbc = dbSubsystem.getDBConfigStore();
+        try {
+            this.mRadix = dbc.getInteger(PROP_KEY_ID_RADIX, HEX);
+            logger.debug("KeyRepository: number radix {}", this.mRadix);
+
+        } catch (EBaseException ex) {
+            logger.debug("KeyRepository: error reading number radix config, using default {} for ", HEX);
+        }
 
         this.secureRandom = secureRandom;
     }
@@ -85,7 +94,8 @@ public void init() throws Exception {
 
             idLength = dbConfig.getInteger(PROP_KEY_ID_LENGTH, DEFAULT_KEY_ID_LENGTH);
             logger.info("KeyRepository: - key ID length: {}", idLength);
-
+        } else if (idGenerator == IDGenerator.LEGACY_2) {
+            initLegacy2Generator();
         } else {
             initLegacyGenerator();
         }
@@ -168,6 +178,45 @@ public void init() throws Exception {
 
     }
 
+    protected void initLegacy2Generator() throws EBaseException {
+        DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
+
+        rangeDN = dbConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
+        logger.debug("KeyRepository: - range DN: " + rangeDN);
+
+        minSerialName = DatabaseConfig.MIN_SERIAL_NUMBER;
+        mMinSerialNo = dbConfig.getBigInteger(minSerialName, null);
+        logger.debug("KeyRepository: - min serial: " + mMinSerialNo);
+
+        maxSerialName = DatabaseConfig.MAX_SERIAL_NUMBER;
+        mMaxSerialNo = dbConfig.getBigInteger(maxSerialName, null);
+        logger.debug("KeyRepository: - max serial: " + mMaxSerialNo);
+
+        nextMinSerialName = DatabaseConfig.NEXT_MIN_SERIAL_NUMBER;
+        String nextMinSerial = dbConfig.getNextBeginSerialNumber();
+        if (nextMinSerial == null || nextMinSerial.equals("-1")) {
+            mNextMinSerialNo = null;
+        } else {
+            mNextMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MIN_SERIAL_NUMBER, null);
+        }
+        logger.debug("KeyRepository: - next min serial: " + mNextMinSerialNo);
+
+        nextMaxSerialName = DatabaseConfig.NEXT_MAX_SERIAL_NUMBER;
+        String nextMaxSerial = dbConfig.getNextEndSerialNumber();
+        if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
+            mNextMaxSerialNo = null;
+        } else {
+            mNextMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MAX_SERIAL_NUMBER, null);
+        }
+        logger.debug("KeyRepository: - next max serial: " + mNextMaxSerialNo);
+
+        mLowWaterMarkNo = dbConfig.getBigInteger(DatabaseConfig.SERIAL_LOW_WATER_MARK, null);
+        logger.debug("KeyRepository: - low water mark serial: " + mNextMaxSerialNo);
+
+        mIncrementNo = dbConfig.getBigInteger(DatabaseConfig.SERIAL_INCREMENT, null);
+        logger.debug("KeyRepository: - increment serial: " + mIncrementNo);
+    }
+
     public void initLegacyGenerator() throws Exception {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();

base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java

@@ -35,6 +35,7 @@ public KRACLI(CLI parent) {
         addModule(new SubsystemDBCLI(this));
         addModule(new SubsystemGroupCLI(this));
         addModule(new KRARangeCLI(this));
+        addModule(new KRAIdCLI(this));
         addModule(new SubsystemUserCLI(this));
         addModule(new SDCLI(this));
     }

base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdCLI.java

@@ -0,0 +1,19 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.kra.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <mfargett@redhat.com>}
+ */
+public class KRAIdCLI extends CLI {
+    public KRAIdCLI(CLI parent) {
+        super("id", "CA id generator management commands", parent);
+
+        addModule(new KRAIdGeneratorCLI(this));
+    }
+}

base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdGeneratorCLI.java

@@ -0,0 +1,18 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.kra.cli;
+
+import org.dogtagpki.cli.CLI;
+/**
+ * @author Marco Fargetta {@literal <mfargett@redhat.com>}
+ */
+public class KRAIdGeneratorCLI extends CLI {
+    public KRAIdGeneratorCLI(CLI parent) {
+        super("generator", "kra range generator commands", parent);
+
+        addModule(new kraIdGeneratorUpdateCLI(this));
+    }
+}

base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeUpdateCLI.java

@@ -41,7 +41,7 @@ public void updateSerialNumberRange(
                 KeyRepository.DEFAULT_KEY_ID_GENERATOR);
         IDGenerator idGenerator = IDGenerator.fromString(value);
 
-        if (idGenerator != IDGenerator.LEGACY) {
+        if (idGenerator == IDGenerator.RANDOM) {
             logger.info("No need to update key ID range");
             return;
         }