Add a new sequential number generator: legacy2

The current generator has a problem with converting from hex to decimal the range boundaries creating gaps between ranges. This a problem when third parties tools are used to with certificates because contiguous range are expected. This commit introduce the generator legacy2. This uses same configuration parameter but hex value are specified by the prefix '0x'. When value are written to the configuration value it is possible to set the radix with the options: - dbs.cert.id.radix (default to 16) - dbs.key.id.radix (default to 16) - dbs.request.id.radix (default to 10) Additionally, the new command `pki-server <subsystem>-id-generator-*` has been added to migrate from the legacy generator to the legacy2 or to random.
dogtagpki · Oct 24, 2024 · b85f88e · b85f88e
1 parent ff78d2a
commit b85f88e
Show file tree

Hide file tree

Showing 27 changed files with 1,053 additions and 97 deletions.
diff --git a/base/ca/src/main/java/com/netscape/cmscore/dbs/CRLRepository.java b/base/ca/src/main/java/com/netscape/cmscore/dbs/CRLRepository.java
@@ -49,7 +49,7 @@ public class CRLRepository extends Repository {
      * Constructs a CRL repository.
      */
     public CRLRepository(DBSubsystem dbSubsystem) {
-        super(dbSubsystem, 10);
+        super(dbSubsystem, DEC);
     }
 
     @Override
@@ -67,43 +67,33 @@ public void init() throws Exception {
         rangeDN = dbConfig.getRequestRangeDN() + "," + dbSubsystem.getBaseDN();
         logger.info("CRLRepository: - range DN: " + rangeDN);
 
-        String minSerial = dbConfig.getBeginRequestNumber();
-        if (minSerial != null) {
-            mMinSerialNo = new BigInteger(minSerial, mRadix);
-        }
+        mMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.MIN_REQUEST_NUMBER, null);
         logger.info("CRLRepository: - min serial: " + mMinSerialNo);
 
-        String maxSerial = dbConfig.getEndRequestNumber();
-        if (maxSerial != null) {
-            mMaxSerialNo = new BigInteger(maxSerial, mRadix);
-        }
+        mMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.MAX_REQUEST_NUMBER, null);
         logger.info("CRLRepository: - max serial: " + mMaxSerialNo);
 
         String nextMinSerial = dbConfig.getNextBeginRequestNumber();
         if (nextMinSerial == null || nextMinSerial.equals("-1")) {
             mNextMinSerialNo = null;
         } else {
-            mNextMinSerialNo = new BigInteger(nextMinSerial, mRadix);
+            mNextMinSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MIN_REQUEST_NUMBER, null);
         }
         logger.info("CRLRepository: - next min serial: " + mNextMinSerialNo);
 
         String nextMaxSerial = dbConfig.getNextEndRequestNumber();
         if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
             mNextMaxSerialNo = null;
         } else {
-            mNextMaxSerialNo = new BigInteger(nextMaxSerial, mRadix);
+            mNextMaxSerialNo = dbConfig.getBigInteger(DatabaseConfig.NEXT_MAX_REQUEST_NUMBER, null);
         }
         logger.info("CRLRepository: - next max serial: " + mNextMaxSerialNo);
 
-        String lowWaterMark = dbConfig.getRequestLowWaterMark();
-        if (lowWaterMark != null) {
-            mLowWaterMarkNo = new BigInteger(lowWaterMark, mRadix);
-        }
-
-        String incrementNo = dbConfig.getRequestIncrement();
-        if (incrementNo != null) {
-            mIncrementNo = new BigInteger(incrementNo, mRadix);
-        }
+        mLowWaterMarkNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_LOW_WATER_MARK, null);
+        logger.debug("CRLRepository: - low water mark serial: " + mNextMaxSerialNo);
+
+        mIncrementNo = dbConfig.getBigInteger(DatabaseConfig.REQUEST_INCREMENT, null);
+        logger.debug("CRLRepository: - increment serial: " + mIncrementNo);
 
         /*
         DBRegistry reg = dbService.getRegistry();
@@ -129,6 +119,9 @@ public void setMinSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
         String serial = mMinSerialNo.toString(mRadix);
+        if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+           serial = "0x" + serial;
+        }
         logger.debug("CRLRepository: Setting min serial number: " + serial);
         dbConfig.setBeginRequestNumber(serial);
     }
@@ -137,6 +130,9 @@ public void setMaxSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
         String serial = mMaxSerialNo.toString(mRadix);
+        if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+           serial = "0x" + serial;
+        }
         logger.debug("CRLRepository: Setting max serial number: " + serial);
         dbConfig.setEndRequestNumber(serial);
     }
@@ -151,6 +147,9 @@ public void setNextMinSerialConfig() throws EBaseException {
 
         } else {
             String serial = mNextMinSerialNo.toString(mRadix);
+            if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+               serial = "0x" + serial;
+            }
             logger.debug("CRLRepository: Setting next min number: " + serial);
             dbConfig.setNextBeginRequestNumber(serial);
         }
@@ -166,6 +165,9 @@ public void setNextMaxSerialConfig() throws EBaseException {
 
         } else {
             String serial = mNextMaxSerialNo.toString(mRadix);
+            if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+               serial = "0x" + serial;
+            }
             logger.debug("CRLRepository: Setting next max number: " + serial);
             dbConfig.setNextEndRequestNumber(serial);
         }

diff --git a/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java b/base/ca/src/main/java/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -80,6 +80,7 @@ public class CertificateRepository extends Repository {
     private static final BigInteger BI_MINUS_ONE = BigInteger.ONE.negate();
 
     public static final String PROP_CERT_ID_GENERATOR = "cert.id.generator";
+    public static final String PROP_CERT_ID_RADIX = "cert.id.radix";
     public static final String DEFAULT_CERT_ID_GENERATOR = "legacy";
 
     public static final String PROP_CERT_ID_LENGTH = "cert.id.length";
@@ -103,8 +104,15 @@ public CertificateRepository(
             SecureRandom secureRandom,
             DBSubsystem dbSubsystem) {
 
-        super(dbSubsystem, 16);
-
+        super(dbSubsystem, HEX);
+        DatabaseConfig dbc = dbSubsystem.getDBConfigStore();
+        try {
+            this.mRadix = dbc.getInteger(PROP_CERT_ID_RADIX, HEX);
+            logger.debug("CertificateRepository: number radix {}", this.mRadix);
+
+        } catch (EBaseException ex) {
+            logger.debug("CertificateRepository: error reading number radix config, using default {} for ", HEX);
+        }
         this.secureRandom = secureRandom;
     }
 
@@ -126,12 +134,47 @@ public void init() throws Exception {
 
             idLength = mDBConfig.getInteger(PROP_CERT_ID_LENGTH, DEFAULT_CERT_ID_LENGTH);
             logger.debug("CertificateRepository: - cert ID length: " + idLength);
-
+        } else if (idGenerator == IDGenerator.LEGACY_2) {
+            initLegacy2Generator();
         } else {
             initLegacyGenerator();
         }
     }
 
+    protected void initLegacy2Generator() throws EBaseException {
+
+        rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
+        logger.debug("CertificateRepository: - range DN: " + rangeDN);
+
+        mMinSerialNo = mDBConfig.getBigInteger(DatabaseConfig.MIN_SERIAL_NUMBER, null);
+        logger.debug("CertificateRepository: - min serial: " + mMinSerialNo);
+
+        mMaxSerialNo = mDBConfig.getBigInteger(DatabaseConfig.MAX_SERIAL_NUMBER, null);
+        logger.debug("CertificateRepository: - max serial: " + mMaxSerialNo);
+
+        String nextMinSerial = mDBConfig.getNextBeginSerialNumber();
+        if (nextMinSerial == null || nextMinSerial.equals("-1")) {
+            mNextMinSerialNo = null;
+        } else {
+            mNextMinSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MIN_SERIAL_NUMBER, null);
+        }
+        logger.debug("CertificateRepository: - next min serial: " + mNextMinSerialNo);
+
+        String nextMaxSerial = mDBConfig.getNextEndSerialNumber();
+        if (nextMaxSerial == null || nextMaxSerial.equals("-1")) {
+            mNextMaxSerialNo = null;
+        } else {
+            mNextMaxSerialNo = mDBConfig.getBigInteger(DatabaseConfig.NEXT_MAX_SERIAL_NUMBER, null);
+        }
+        logger.debug("CertificateRepository: - next max serial: " + mNextMaxSerialNo);
+
+        mLowWaterMarkNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_LOW_WATER_MARK, null);
+        logger.debug("CertificateRepository: - low water mark serial: " + mNextMaxSerialNo);
+
+        mIncrementNo = mDBConfig.getBigInteger(DatabaseConfig.SERIAL_INCREMENT, null);
+        logger.debug("CertificateRepository: - increment serial: " + mIncrementNo);
+    }
+
     public void initLegacyGenerator() throws Exception {
 
         rangeDN = mDBConfig.getSerialRangeDN() + "," + dbSubsystem.getBaseDN();
@@ -180,6 +223,9 @@ public void setMinSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
         String serial = mMinSerialNo.toString(mRadix);
+        if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+            serial = "0x" + serial;
+        }
         logger.debug("CertificateRepository: Setting min serial number: " + serial);
         dbConfig.setBeginSerialNumber(serial);
     }
@@ -188,6 +234,9 @@ public void setMaxSerialConfig() throws EBaseException {
 
         DatabaseConfig dbConfig = dbSubsystem.getDBConfigStore();
         String serial = mMaxSerialNo.toString(mRadix);
+        if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+            serial = "0x" + serial;
+        }
         logger.debug("CertificateRepository: Setting max serial number: " + serial);
         dbConfig.setEndSerialNumber(serial);
     }
@@ -202,6 +251,9 @@ public void setNextMinSerialConfig() throws EBaseException {
 
         } else {
             String serial = mNextMinSerialNo.toString(mRadix);
+            if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+               serial = "0x" + serial;
+            }
             logger.debug("CertificateRepository: Setting next min number: " + serial);
             dbConfig.setNextBeginSerialNumber(serial);
         }
@@ -217,6 +269,9 @@ public void setNextMaxSerialConfig() throws EBaseException {
 
         } else {
             String serial = mNextMaxSerialNo.toString(mRadix);
+            if (mRadix == HEX && idGenerator == IDGenerator.LEGACY_2) {
+               serial = "0x" + serial;
+            }
             logger.debug("CertificateRepository: Setting next max number: " + serial);
             dbConfig.setNextEndSerialNumber(serial);
         }

diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java
@@ -36,6 +36,7 @@ public CACLI(CLI parent) {
         addModule(new SubsystemGroupCLI(this));
         addModule(new CAProfileCLI(this));
         addModule(new CARangeCLI(this));
+        addModule(new CAIdCLI(this));
         addModule(new SubsystemUserCLI(this));
         addModule(new SDCLI(this));
     }

diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java
@@ -0,0 +1,19 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdCLI extends CLI {
+    public CAIdCLI(CLI parent) {
+        super("id", "CA id generator management commands", parent);
+
+        addModule(new CAIdGeneratorCLI(this));
+    }
+}
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java
@@ -0,0 +1,21 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import org.dogtagpki.cli.CLI;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdGeneratorCLI extends CLI {
+
+    public CAIdGeneratorCLI(CLI parent) {
+        super("generator", "CA id generator commands", parent);
+
+        addModule(new CAIdGeneratorUpdateCLI(this));
+    }
+
+}
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java
@@ -0,0 +1,53 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package org.dogtagpki.server.ca.cli;
+
+import com.netscape.cmscore.apps.DatabaseConfig;
+import com.netscape.cmscore.dbs.CertificateRepository;
+import com.netscape.cmscore.dbs.Repository;
+import com.netscape.cmscore.dbs.Repository.IDGenerator;
+import com.netscape.cmscore.ldapconn.LdapAuthInfo;
+import com.netscape.cmscore.ldapconn.LdapConnInfo;
+import com.netscape.cmscore.ldapconn.PKISocketFactory;
+import org.dogtagpki.cli.CLI;
+import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Marco Fargetta {@literal <[email protected]>}
+ */
+public class CAIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI {
+    private static final Logger logger = LoggerFactory.getLogger(CAIdGeneratorUpdateCLI.class);
+
+    public CAIdGeneratorUpdateCLI(CLI parent) {
+        super(parent);
+    }
+
+    @Override
+    protected void updateSerialNumberRangeGenerator(PKISocketFactory socketFactory, LdapConnInfo connInfo,
+            LdapAuthInfo authInfo, DatabaseConfig dbConfig, String baseDN, IDGenerator newGenerator, String hostName, String securePort) throws Exception {
+        String value = dbConfig.getString(
+                CertificateRepository.PROP_CERT_ID_GENERATOR,
+                CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
+        idGenerator = IDGenerator.fromString(value);
+
+        if (newGenerator == IDGenerator.RANDOM && idGenerator != IDGenerator.RANDOM) {
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_LENGTH, "128");
+            dbConfig.remove("enableRandomSerialNumbers");
+            dbConfig.remove("randomSerialNumberCounter");
+        }
+        if (newGenerator == IDGenerator.LEGACY_2 && idGenerator == IDGenerator.LEGACY) {
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_GENERATOR, newGenerator.toString());
+            dbConfig.put(CertificateRepository.PROP_CERT_ID_RADIX, Integer.toString(Repository.HEX));
+        }
+
+        super.updateSerialNumberRangeGenerator(socketFactory, connInfo, authInfo, dbConfig, baseDN, newGenerator, hostName, securePort);
+    }
+
+
+}
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeUpdateCLI.java
@@ -39,9 +39,9 @@ public void updateSerialNumberRange(
         String value = dbConfig.getString(
                 CertificateRepository.PROP_CERT_ID_GENERATOR,
                 CertificateRepository.DEFAULT_CERT_ID_GENERATOR);
-        IDGenerator idGenerator = IDGenerator.fromString(value);
+        idGenerator = IDGenerator.fromString(value);
 
-        if (idGenerator != IDGenerator.LEGACY) {
+        if (idGenerator == IDGenerator.RANDOM) {
             logger.info("No need to update certificate ID range");
             return;
         }