Update test for CA with sequential serial numbers #4872

Merged
merged 2 commits into from
Oct 8, 2024
Merged
1,209 changes: 1,156 additions & 53 deletions .github/workflows/ca-sequential-test.yml

Large diffs are not rendered by default.

3 changes: 3 additions & 0 deletions base/ca/shared/conf/CS.cfg
Expand Up @@ -705,6 +705,7 @@ jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.cms.jobs.RenewalNot
jobsScheduler.impl.RequestInQueueJob.class=com.netscape.cms.jobs.RequestInQueueJob
jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
jobsScheduler.impl.PruningJob.class=org.dogtagpki.server.ca.job.PruningJob
jobsScheduler.impl.SerialNumberUpdateJob.class=org.dogtagpki.server.ca.job.SerialNumberUpdateJob
jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
jobsScheduler.job.certRenewalNotifier.emailTemplate=[pki_instance_path]/ca/emails/rnJob1.txt
Expand Down Expand Up @@ -748,6 +749,8 @@ jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=
jobsScheduler.job.pruning.enabled=false
jobsScheduler.job.pruning.pluginName=PruningJob
jobsScheduler.job.serialNumberUpdate.enabled=false
jobsScheduler.job.serialNumberUpdate.pluginName=SerialNumberUpdateJob
jss._000=##
jss._001=## JSS
jss._002=##
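Review bot: The new `jobsScheduler.job.serialNumberUpdate.*` block registers the job with `enabled` and `pluginName` only, while the context line `jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5` shows that per-job schedules live in a `.cron` key. If the scheduler needs a cron expression before it fires an enabled job (the pruning job's context here shows no cron either, so this may be deliberate), an operator who flips `enabled=true` gets neither runs nor an error. Consider shipping a commented default beside the two new lines, e.g. `#jobsScheduler.job.serialNumberUpdate.cron=0 0 * * *` (constructed sample), or a comment stating that the cron must be set when the job is enabled; the upgrade scriptlet 02-AddSerialNumberUpdateJob.py further down omits the key in the same way.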
@@ -0,0 +1,46 @@
//
// Copyright Red Hat, Inc.
//
// SPDX-License-Identifier: GPL-2.0-or-later
//
package org.dogtagpki.server.ca.job;

import java.util.Calendar;
import java.util.Date;

import org.dogtagpki.server.ca.CAEngine;

import com.netscape.certsrv.base.IExtendedPluginInfo;
import com.netscape.cms.jobs.Job;

public class SerialNumberUpdateJob extends Job implements IExtendedPluginInfo {

public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SerialNumberUpdateJob.class);

public SerialNumberUpdateJob() {
}

@Override
public String[] getConfigParams() {
return null;
}

@Override
public String[] getExtendedPluginInfo() {
return null;
}

@Override
public void run() {
Calendar calendar = Calendar.getInstance();
Date time = calendar.getTime();
logger.info("SerialNumberUpdateJob: Running " + mId + " job at " + time);

try {
CAEngine engine = (CAEngine) super.engine;
engine.updateSerialNumbers();
} catch (Exception e) {
logger.warn("SerialNumberUpdateJob: " + e.getMessage(), e);
}
}
}
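Review bot: `logger` is declared `public static` and non-final, so any class can reassign the CA job's logger; since it is only read inside this class, `private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(SerialNumberUpdateJob.class);` is the matching declaration. The class carries no Javadoc; a short header saying that the job calls `CAEngine.updateSerialNumbers()` on the scheduler's cadence and ships disabled (`jobsScheduler.job.serialNumberUpdate.enabled=false` in CS.cfg in this PR) would tell the next reader what enabling it triggers. `getConfigParams()` and `getExtendedPluginInfo()` return `null`; if the job framework iterates these arrays (not visible here), `return new String[0];` avoids a null check on the caller's side. Finally, the `catch (Exception e)` in `run()` also absorbs the `ClassCastException` from `(CAEngine) super.engine`, which would indicate a misconfigured deployment rather than a transient failure, so logging that case at error level rather than warn would make it distinguishable in the CA log.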
8 changes: 8 additions & 0 deletions base/server/etc/default.cfg
Expand Up @@ -351,8 +351,16 @@ pki_default_ocsp_uri=

pki_serial_number_range_start=
pki_serial_number_range_end=
pki_serial_number_range_increment=
pki_serial_number_range_minimum=
pki_serial_number_range_transfer=

pki_request_number_range_start=
pki_request_number_range_end=
pki_request_number_range_increment=
pki_request_number_range_minimum=
pki_request_number_range_transfer=

pki_replica_number_range_start=
pki_replica_number_range_end=

Expand Up @@ -1180,11 +1180,11 @@ def configure_ca(self, subsystem):
subsystem.set_config('dbs.request.id.length', self.mdict['pki_request_id_length'])

else: # legacy
subsystem.set_config('dbs.beginRequestNumber', '1')
subsystem.set_config('dbs.endRequestNumber', '10000000')
subsystem.set_config('dbs.requestIncrement', '10000000')
subsystem.set_config('dbs.requestLowWaterMark', '2000000')
subsystem.set_config('dbs.requestCloneTransferNumber', '10000')
subsystem.set_config('dbs.beginRequestNumber', '1') # decimal
subsystem.set_config('dbs.endRequestNumber', '10000000') # decimal
subsystem.set_config('dbs.requestIncrement', '10000000') # decimal
subsystem.set_config('dbs.requestLowWaterMark', '2000000') # decimal
subsystem.set_config('dbs.requestCloneTransferNumber', '10000') # decimal
subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges')

request_number_range_start = self.mdict.get('pki_request_number_range_start')
Expand All @@ -1195,19 +1195,32 @@ def configure_ca(self, subsystem):
if request_number_range_end:
subsystem.set_config('dbs.endRequestNumber', request_number_range_end)

request_increment = self.mdict.get('pki_request_number_range_increment')
if request_increment:
subsystem.set_config('dbs.requestIncrement', request_increment)

request_minimum = self.mdict.get('pki_request_number_range_minimum')
if request_minimum:
subsystem.set_config('dbs.requestLowWaterMark', request_minimum)

request_transfer = self.mdict.get('pki_request_number_range_transfer')
if request_transfer:
subsystem.set_config('dbs.requestCloneTransferNumber', request_transfer)

cert_id_generator = self.mdict['pki_cert_id_generator']

if cert_id_generator == 'random':
subsystem.set_config('dbs.cert.id.generator', cert_id_generator)
subsystem.set_config('dbs.cert.id.length', self.mdict['pki_cert_id_length'])

else: # legacy
subsystem.set_config('dbs.beginSerialNumber', '1')
subsystem.set_config('dbs.endSerialNumber', '10000000')
subsystem.set_config('dbs.serialIncrement', '10000000')
subsystem.set_config('dbs.serialLowWaterMark', '2000000')
subsystem.set_config('dbs.serialCloneTransferNumber', '10000')
subsystem.set_config('dbs.beginSerialNumber', '1') # hex
subsystem.set_config('dbs.endSerialNumber', '10000000') # hex
subsystem.set_config('dbs.serialIncrement', '10000000') # hex
subsystem.set_config('dbs.serialLowWaterMark', '2000000') # hex
subsystem.set_config('dbs.serialCloneTransferNumber', '10000') # hex
subsystem.set_config('dbs.serialRangeDN', 'ou=certificateRepository,ou=ranges')

if config.str2bool(self.mdict['pki_random_serial_numbers_enable']):
subsystem.set_config('dbs.enableRandomSerialNumbers', 'true')
subsystem.set_config('dbs.randomSerialNumberCounter', '0')
Expand All @@ -1220,6 +1233,18 @@ def configure_ca(self, subsystem):
if serial_number_range_end:
subsystem.set_config('dbs.endSerialNumber', serial_number_range_end)

serial_increment = self.mdict.get('pki_serial_number_range_increment')
if serial_increment:
subsystem.set_config('dbs.serialIncrement', serial_increment)

serial_minimum = self.mdict.get('pki_serial_number_range_minimum')
if serial_minimum:
subsystem.set_config('dbs.serialLowWaterMark', serial_minimum)

serial_transfer = self.mdict.get('pki_serial_number_range_transfer')
if serial_transfer:
subsystem.set_config('dbs.serialCloneTransferNumber', serial_transfer)

replica_number_range_start = self.mdict.get('pki_replica_number_range_start')
if replica_number_range_start:
subsystem.set_config('dbs.beginReplicaNumber', replica_number_range_start)
Expand All @@ -1244,11 +1269,11 @@ def configure_kra(self, subsystem):
subsystem.set_config('dbs.request.id.length', self.mdict['pki_request_id_length'])

else: # legacy
subsystem.set_config('dbs.beginRequestNumber', '1')
subsystem.set_config('dbs.endRequestNumber', '10000000')
subsystem.set_config('dbs.requestIncrement', '10000000')
subsystem.set_config('dbs.requestLowWaterMark', '2000000')
subsystem.set_config('dbs.requestCloneTransferNumber', '10000')
subsystem.set_config('dbs.beginRequestNumber', '1') # decimal
subsystem.set_config('dbs.endRequestNumber', '10000000') # decimal
subsystem.set_config('dbs.requestIncrement', '10000000') # decimal
subsystem.set_config('dbs.requestLowWaterMark', '2000000') # decimal
subsystem.set_config('dbs.requestCloneTransferNumber', '10000') # decimal
subsystem.set_config('dbs.requestRangeDN', 'ou=requests,ou=ranges')

key_id_generator = self.mdict['pki_key_id_generator']
Expand All @@ -1258,11 +1283,11 @@ def configure_kra(self, subsystem):
subsystem.set_config('dbs.key.id.length', self.mdict['pki_key_id_length'])

else: # legacy
subsystem.set_config('dbs.beginSerialNumber', '1')
subsystem.set_config('dbs.endSerialNumber', '10000000')
subsystem.set_config('dbs.serialIncrement', '10000000')
subsystem.set_config('dbs.serialLowWaterMark', '2000000')
subsystem.set_config('dbs.serialCloneTransferNumber', '10000')
subsystem.set_config('dbs.beginSerialNumber', '1') # hex
subsystem.set_config('dbs.endSerialNumber', '10000000') # hex
subsystem.set_config('dbs.serialIncrement', '10000000') # hex
subsystem.set_config('dbs.serialLowWaterMark', '2000000') # hex
subsystem.set_config('dbs.serialCloneTransferNumber', '10000') # hex
subsystem.set_config('dbs.serialRangeDN', 'ou=keyRepository,ou=ranges')

if config.str2bool(self.mdict['pki_kra_ephemeral_requests']):
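Review bot: The three new overrides in `configure_ca` (`serial_increment`, `serial_minimum`, `serial_transfer`, in the hunk starting at `@@ -1220,6 +1233,18 @@`) are written to `dbs.serialIncrement`, `dbs.serialLowWaterMark` and `dbs.serialCloneTransferNumber` verbatim, while the only statement of the expected radix is the trailing `# hex` on the legacy defaults above (`# decimal` for the request counterparts). If the Java side reads these keys as hex, as those comments say, an operator who supplies a decimal `pki_serial_number_range_increment` gets a far larger range than intended with no warning, and nothing in the new default.cfg entries in this PR says which radix applies to which key. A cheap guard is to validate before storing, e.g. `int(serial_increment, 16)` inside a `try`/`except ValueError` that names the offending `pki_*` parameter, and to add `# hex` / `# decimal` comments beside the new `pki_serial_number_range_*` and `pki_request_number_range_*` keys in default.cfg. `configure_ca` begins before the first hunk of this file.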
Expand Up @@ -539,9 +539,16 @@ public String getNextRange() throws EBaseException {
}

String nextRange = attr.getStringValues().nextElement();

// parse nextRange as decimal
BigInteger nextRangeNo = new BigInteger(nextRange);

BigInteger newNextRangeNo = nextRangeNo.add(mIncrementNo);

// generate new nextRange in decimal
String newNextRange = newNextRangeNo.toString();

// generate endRange in decimal
String endRange = newNextRangeNo.subtract(BigInteger.ONE).toString();

logger.info("Repository: Updating " + DBSubsystem.PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange);
Expand All @@ -563,8 +570,13 @@ public String getNextRange() throws EBaseException {
LDAPAttributeSet attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectClass", "top"));
attrs.add(new LDAPAttribute("objectClass", "pkiRange"));

// store beginRange as decimal
attrs.add(new LDAPAttribute("beginRange", nextRange));

// store endRange as decimal
attrs.add(new LDAPAttribute("endRange", endRange));

attrs.add(new LDAPAttribute("cn", nextRange));
attrs.add(new LDAPAttribute("host", cs.getHostname()));
attrs.add(new LDAPAttribute("securePort", engine.getEESSLPort()));
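Review bot: `new BigInteger(nextRange)` in the first hunk throws an unchecked `NumberFormatException` when the `nextRange` attribute read from the directory is not a plain decimal string, and the preceding `attr.getStringValues().nextElement()` throws `NoSuchElementException` when the attribute exists but is empty; `getNextRange()` declares only `EBaseException`, so a corrupted or hand-edited range entry reaches callers as a bare runtime exception that names neither the attribute nor the value. Wrapping the parse and rethrowing with `DBSubsystem.PROP_NEXT_RANGE` and the raw value in the message keeps the declared contract and makes the log line actionable (this assumes `EBaseException` offers a cause-taking constructor; otherwise pass the message alone). The new comments also state that `nextRange`, `beginRange` and `endRange` are decimal, while the deployment code elsewhere in this PR marks the CS.cfg serial values as hex; if `mIncrementNo` is derived from a hex `serialIncrement`, the radix of that conversion should be stated where `mIncrementNo` is assigned, which is outside this hunk. `getNextRange()` starts before the hunk.
```java
String nextRange = attr.getStringValues().nextElement();

// parse nextRange as decimal; the directory value is operator-editable,
// so a malformed entry must surface as EBaseException, not a bare NumberFormatException
BigInteger nextRangeNo;
try {
    nextRangeNo = new BigInteger(nextRange);
} catch (NumberFormatException e) {
    throw new EBaseException("Invalid " + DBSubsystem.PROP_NEXT_RANGE + " value: " + nextRange, e);
}
// … unchanged: compute newNextRange/endRange and update the directory …
```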
Expand Up @@ -109,11 +109,18 @@ public void updateSerialNumberRange(
LdapBoundConnection conn = new LdapBoundConnection(socketFactory, connInfo, authInfo);

try {
// parse the end of current cert range as decimal
// NOTE: this is a bug, cert range is stored as hex in CS.cfg
BigInteger endSerialNumber = new BigInteger(dbConfig.getEndSerialNumber());
BigInteger nextSerialNumber = endSerialNumber.add(BigInteger.ONE);

// generate nextRange in decimal
String nextSerialNumber = endSerialNumber.add(BigInteger.ONE).toString();

String serialDN = dbConfig.getSerialDN() + "," + baseDN;
LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber.toString());

// store nextRange as decimal
LDAPAttribute attrSerialNextRange = new LDAPAttribute("nextRange", nextSerialNumber);

LDAPModification serialmod = new LDAPModification(LDAPModification.REPLACE, attrSerialNextRange);

conn.modify(serialDN, serialmod);
Expand Down Expand Up @@ -145,11 +152,17 @@ public void updateRequestNumberRange(
try {
logger.info("Updating request ID range");

// parse the end of current range as decimal
BigInteger endRequestNumber = new BigInteger(dbConfig.getEndRequestNumber());
BigInteger nextRequestNumber = endRequestNumber.add(BigInteger.ONE);

// generate nextRange in decimal
String nextRequestNumber = endRequestNumber.add(BigInteger.ONE).toString();

String requestDN = dbConfig.getRequestDN() + "," + baseDN;
LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber.toString());

// store nextRange as decimal
LDAPAttribute attrRequestNextRange = new LDAPAttribute("nextRange", nextRequestNumber);

LDAPModification requestmod = new LDAPModification(LDAPModification.REPLACE, attrRequestNextRange);

conn.modify(requestDN, requestmod);
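Review bot: The added comment `// NOTE: this is a bug, cert range is stored as hex in CS.cfg` documents a defect in the line directly below it without fixing it: `new BigInteger(dbConfig.getEndSerialNumber())` parses a hex-formatted value as decimal. For an all-digit hex value such as the legacy default `10000000` the parse succeeds and the directory's `nextRange` is set well below the true end of the current range, so a CA instance that presumably later claims that range could be handed serial numbers the current range has already issued; a value containing `a`–`f` throws `NumberFormatException` inside the `try`, whose handler lies outside the hunk. Duplicate serial numbers under one issuer break the uniqueness RFC 5280 requires and make CRL/OCSP revocation ambiguous, so this deserves more than a note. If CS.cfg is confirmed to hold hex here (the `# hex` annotations in the deployment code in this PR say so), `BigInteger endSerialNumber = new BigInteger(dbConfig.getEndSerialNumber(), 16);` is the one-line fix and the decimal `nextRange` write below stays as is; otherwise replace the NOTE with a pointer to the tracking issue (`[ISSUE-ID placeholder]`). `updateSerialNumberRange()` begins and ends outside the hunk.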
36 changes: 36 additions & 0 deletions base/server/upgrade/11.6.0/02-AddSerialNumberUpdateJob.py
@@ -0,0 +1,36 @@
#
# Copyright Red Hat, Inc.
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
import pki.server.upgrade


class AddSerialNumberUpdateJob(pki.server.upgrade.PKIServerUpgradeScriptlet):

def __init__(self):
super().__init__()
self.message = 'Add SerialNumberUpdateJob'

def upgrade_subsystem(self, instance, subsystem):

if subsystem.name != 'ca':
return

self.backup(subsystem.cs_conf)

class_name = subsystem.config.get('jobsScheduler.impl.SerialNumberUpdateJob.class')
if class_name is None:
subsystem.config['jobsScheduler.impl.SerialNumberUpdateJob.class'] = \
'org.dogtagpki.server.ca.job.SerialNumberUpdateJob'

enabled = subsystem.config.get('jobsScheduler.job.serialNumberUpdate.enabled')
if enabled is None:
subsystem.config['jobsScheduler.job.serialNumberUpdate.enabled'] = 'false'

plugin_name = subsystem.config.get('jobsScheduler.job.serialNumberUpdate.pluginName')
if plugin_name is None:
subsystem.config['jobsScheduler.job.serialNumberUpdate.pluginName'] = \
'SerialNumberUpdateJob'

subsystem.save()