[RHCS-5445] Implement new SSN legacy2 generator for CA

The legacy id generator can introduce gaps when new ranges are allocated
because of some conversion errors between hex and decimal. A new serial id
generator has been introduced to avoid gap problems.

The old and new serial generator are described in the following pages:

- SSNv1: https://github.com/dogtagpki/pki/wiki/Sequential-Serial-Numbers-v1
- SSNv2://github.com/dogtagpki/pki/wiki/Sequential-Serial-Numbers-v2

Instances using SSNv1  can migrate to the SSNv2 using the commands
described here:

- https://github.com/dogtagpki/pki/wiki/Migrating-to-Sequential-Serial-Numbers-v2

If there is no need to avoid gaps it is better to avoid the migration.

NOTE: the links above provide documentation to the newer version of
dogtag. The porting to this release has some limitations to consider:

- the new generator is available only to the CA ids;
- some of the parameter are not customisable with `pkispawn` (e.g. increment, transfer, etc..) only the initial range limits.

Additionally, during the migration of a clone it is required to provide
new range limits even they will be overwritten with values coming from
master.

base/ca/shared/conf/db.ldif

@@ -150,16 +150,6 @@ objectClass: top
 objectClass: organizationalUnit
 ou: replica
 
-dn: ou=requests, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: requests
-
-dn: ou=certificateRepository, ou=ranges,{rootSuffix}
-objectClass: top
-objectClass: organizationalUnit
-ou: certificateRepository
-
 dn: ou=certificateProfiles,ou=ca,{rootSuffix}
 objectClass: top
 objectClass: organizationalUnit

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java

@@ -37,6 +37,7 @@ public CACLI(CLI parent) {
         addModule(new SubsystemGroupCLI(this));
         addModule(new CAProfileCLI(this));
         addModule(new SubsystemRangeCLI(this));
+        addModule(new CAIdCLI(this));
         addModule(new SubsystemUserCLI(this));
         addModule(new SDCLI(this));
     }

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBCLI.java

@@ -21,7 +21,6 @@
 import org.dogtagpki.cli.CLI;
 import org.dogtagpki.server.cli.SubsystemDBEmptyCLI;
 import org.dogtagpki.server.cli.SubsystemDBInfoCLI;
-import org.dogtagpki.server.cli.SubsystemDBInitCLI;
 import org.dogtagpki.server.cli.SubsystemDBRemoveCLI;
 import org.dogtagpki.server.cli.SubsystemDBVLVCLI;
 
@@ -34,7 +33,7 @@ public CADBCLI(CLI parent) {
         super("db", "CA database management commands", parent);
 
         addModule(new SubsystemDBInfoCLI(this));
-        addModule(new SubsystemDBInitCLI(this));
+        addModule(new CADBInitCLI(this));
         addModule(new SubsystemDBEmptyCLI(this));
         addModule(new SubsystemDBRemoveCLI(this));
         addModule(new CADBUpgradeCLI(this));

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CADBInitCLI.java

@@ -0,0 +1,31 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemDBInitCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.dbs.repository.IRepository.IDGenerator;
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.CertificateRepository;
+/**
+ * @author Endi S. Dewata
+ */
+public class CADBInitCLI extends SubsystemDBInitCLI {
+    public static Logger logger = LoggerFactory.getLogger(CADBInitCLI.class);
+    public CADBInitCLI(CLI parent) {
+        super("init", "Initialize CA database", parent);
+    }
+    @Override
+    public void init(DatabaseConfig dbConfig) throws Exception {
+        super.init(dbConfig);
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
+        serialIDGenerator = IDGenerator.fromString(value);
+    }
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java

@@ -0,0 +1,19 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdCLI extends CLI {
+    public CAIdCLI(CLI parent) {
+        super("id", "CA id generator management commands", parent);
+
+        addModule(new CAIdGeneratorCLI(this));
+    }
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java

@@ -0,0 +1,21 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdGeneratorCLI extends CLI {
+
+    public CAIdGeneratorCLI(CLI parent) {
+        super("generator", "CA id generator commands", parent);
+
+        addModule(new CAIdGeneratorUpdateCLI(this));
+    }
+
+}

base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java

@@ -0,0 +1,45 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.dbs.repository.IRepository.IDGenerator;
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.CertificateRepository;
+import com.netscape.cmscore.ldapconn.LdapBoundConnection;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI {
+    private static final Logger logger = LoggerFactory.getLogger(CAIdGeneratorUpdateCLI.class);
+
+    public CAIdGeneratorUpdateCLI(CLI parent) {
+        super(parent);
+    }
+
+    @Override
+    protected void updateSerialNumberRangeGenerator(LdapBoundConnection conn,
+            DatabaseConfig dbConfig, String baseDN, String newRangesName,
+            IDGenerator newGenerator, String hostName, String securePort) throws Exception {
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                null);
+        if (value == null) {
+            idGenerator = IDGenerator.LEGACY;
+        } else {
+            idGenerator = IDGenerator.fromString(value);
+        }
+        if (newGenerator == IDGenerator.LEGACY_2 && idGenerator == IDGenerator.LEGACY) {
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
+        }
+        super.updateSerialNumberRangeGenerator(conn, dbConfig, baseDN, newRangesName, newGenerator, hostName, securePort);
+    }
+}

base/common/src/main/java/com/netscape/certsrv/dbs/repository/IRepository.java

@@ -29,7 +29,27 @@
  * @version $Revision$, $Date$
  */
 public interface IRepository {
-
+    /**
+     * Base type for the serial generator
+     */
+    public enum IDGenerator {
+        LEGACY("legacy"),
+        LEGACY_2("legacy2");
+        private String name;
+        private IDGenerator(String name) {
+            this.name = name;
+        }
+        @Override
+        public String toString() {
+            return name;
+        }
+        public static IDGenerator fromString(String name) {
+            for (IDGenerator idGenerator : values()) {
+                if (idGenerator.name.equals(name)) return idGenerator;
+            }
+            throw new IllegalArgumentException("Invalid ID generator: " + name);
+        }
+    }
     /**
      * Retrieves the next serial number, and also increase the
      * serial number by one.
@@ -80,4 +100,30 @@ public interface IRepository {
      */
     public void setEnableSerialMgmt(boolean value) throws EBaseException;
 
-}
+
+    /**
+     * Gets the id generator associated with the repository instance
+     */
+    public IDGenerator getIDGenerator();
+
+    /**
+     * Sets the id generator associated with the repository instance
+     *
+     * @param the generator
+     */
+    public void setIDGenerator(IDGenerator idGenerator);
+
+    /**
+     * Sets the id generator associated with the repository instance
+     *
+     * @param the generator name
+     */
+    public void setIDGenerator(String idGenerator);
+
+    /**
+     * Gets the entry containing the nextRange attribute
+     *
+     * @return entry DN
+     */
+    public String getNextRangeDN();
+}

base/server/etc/default.cfg

@@ -450,6 +450,10 @@ pki_request_number_range_end=
 pki_replica_number_range_start=
 pki_replica_number_range_end=
 
+# Cert cert ID generator: legacy, legacy2
+pki_cert_id_generator=legacy
+# Cert request ID generator: legacy, legacy2
+pki_request_id_generator=legacy
 
 ###############################################################################
 ##  KRA Configuration:                                                       ##

base/server/python/pki/server/cli/ca.py

@@ -34,6 +34,7 @@
 import pki.server.cli.config
 import pki.server.cli.db
 import pki.server.cli.group
+import pki.server.cli.id
 import pki.server.cli.range
 import pki.server.cli.subsystem
 import pki.server.cli.user
@@ -58,6 +59,7 @@ def __init__(self):
         self.add_module(pki.server.cli.group.GroupCLI(self))
         self.add_module(CAProfileCLI())
         self.add_module(pki.server.cli.range.RangeCLI(self))
+        self.add_module(pki.server.cli.id.IdCLI(self))
         self.add_module(pki.server.cli.user.UserCLI(self))