diff --git a/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch b/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch
new file mode 100644
index 0000000..4bacf4a
--- /dev/null
+++ b/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch
@@ -0,0 +1,125 @@
+From 3ef576f59d5f554ea222754885e88538c2c9c596 Mon Sep 17 00:00:00 2001
+From: Jack Magne
+Date: Wed, 26 Apr 2017 15:21:39 -0700
+Subject: [PATCH] CA in the certificate profiles the startTime parameter is not
+ working as expected.
+
+This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
+
+(cherry picked from commit d98f20d33378a37898d4d6ffec80b09261504823)
+(cherry picked from commit 47990407d31501ae6c867d2f1a168b4d7cb22a5e)
+---
+ .../src/com/netscape/cms/profile/def/CAValidityDefault.java | 12 ++++++------
+ .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java | 4 ++--
+ .../netscape/cms/profile/def/RandomizedValidityDefault.java | 2 +-
+ .../src/com/netscape/cms/profile/def/ValidityDefault.java | 10 +++++-----
+ 4 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+index 2df256e..2ecd484 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+@@ -24,6 +24,11 @@ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.Locale;
+
++import netscape.security.x509.BasicConstraintsExtension;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.X509CertInfo;
++
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
+ import 
com.netscape.certsrv.ca.ICertificateAuthority;
+@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
+ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
+
+-import netscape.security.x509.BasicConstraintsExtension;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.PKIXExtensions;
+-import netscape.security.x509.X509CertInfo;
+-
+ /**
+ * This class implements a CA signing cert enrollment default policy
+ * that populates a server-side configurable validity
+@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
+ if (startTimeStr == null || startTimeStr.equals("")) {
+ startTimeStr = "60";
+ }
+- int startTime = Integer.parseInt(startTimeStr);
++ long startTime = Long.parseLong(startTimeStr);
+
+ Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
+ CMS.debug("CAValidityDefault: not before: " + notBefore);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+index 6532a13..2f05f32 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
+ if (startTimeStr == null || startTimeStr.equals("")) {
+ startTimeStr = "60";
+ }
+- int startTime = Integer.parseInt(startTimeStr);
++ long startTime = Long.parseLong(startTimeStr);
+ Date notBefore = new Date(CMS.getCurrentDate().getTime() +
+ (1000 * startTime));
+ long notAfterVal = 0;
+
+ notAfterVal = notBefore.getTime() +
+- (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
++ (mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
+ Date notAfter = new Date(notAfterVal);
+
+ ext = new 
PrivateKeyUsageExtension(notBefore, notAfter);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
+index 6308715..ce69c15 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
+@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault {
+ if (startTimeStr == null || startTimeStr.equals("")) {
+ startTimeStr = "60";
+ }
+- int startTime = Integer.parseInt(startTimeStr);
++ long startTime = Long.parseLong(startTimeStr);
+
+ String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS);
+ if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) {
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+index 21ec8ea..a74ccdf 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+@@ -24,6 +24,10 @@ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.Locale;
+
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException;
+ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
+
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-
+ /**
+ * This class implements an enrollment default policy
+ * that populates a 
server-side configurable validity
+@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault {
+ if (startTimeStr == null || startTimeStr.equals("")) {
+ startTimeStr = "60";
+ }
+- int startTime = Integer.parseInt(startTimeStr);
++ long startTime = Long.parseLong(startTimeStr);
+
+ Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
+ CMS.debug("ValidityDefault: not before: " + notBefore);
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index fd30e7f..bcaa4c3 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,8 +65,8 @@ Name: pki-core
 Version: 10.3.3
-#Release: 18%{?dist}
-Release: 18.el7_3
+#Release: 19%{?dist}
+Release: 19.el7_3
 Summary: Certificate System - PKI Core Components
 URL: http://pki.fedoraproject.org/
 License: GPLv2
@@ -304,6 +304,11 @@ Patch40: pki-core-javadoc-special-characters.patch
 #######################
 ## RHEL 7.3.z Batch Update 4
 Patch42: pki-core-add-profile-component-that-copies-CN-to-SAN.patch
+#######################
+## pki-core-10.3.3-19
+#######################
+## RHEL 7.3.z Batch Update 6
+Patch43: pki-core-CA-certificate-profiles-startTime-param.patch
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -960,6 +965,7 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch40 -p1
 #%patch41 -p1
 %patch42 -p1
+%patch43 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1465,6 +1471,11 @@ systemctl daemon-reload
 %endif # %{with server}
 
 %changelog
+* Fri May 19 2017 Dogtag Team 10.3.3-19
+- ## RHEL 7.3.z Batch Update 6
+- Bugzilla Bug #1447095 - RHCS 9.1 RC5 CA in the certificate profiles the
+ startTime parameter is not working as expected. (jmagne)
+
 * Mon Mar 6 2017 Dogtag Team 10.3.3-18
 - ## RHEL 7.3.z Batch Update 4
 - Bugzilla Bug #1429492 - Add profile component that copies CN to SAN
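Review bot: The widened `startTime` in the four `long startTime = Long.parseLong(startTimeStr);` lines is still used unchecked, so `1000 * startTime` wraps again for values above `Long.MAX_VALUE / 1000` and a negative value silently moves `notBefore` into the past, which for certificates a CA signs is a backdating knob that should be an explicit profile decision rather than a side effect of an unvalidated number. If backdating is not intended, reject negative values before the arithmetic and compute the offset as `Math.multiplyExact(1000L, startTime)` so an out-of-range value fails loudly instead of yielding a bogus validity (assuming the build targets Java 8 or later — confirm). `Long.parseLong` still throws `NumberFormatException` on a malformed profile value and nothing in these hunks catches it, and in `PrivateKeyUsagePeriodExtDefault` the `CONFIG_DURATION` value gets no null/empty default the way `startTimeStr` does, so `Long.parseLong(getConfig(CONFIG_DURATION))` throws on an unset duration; both predate this patch, but the same validation could cover them. The enclosing methods start and end outside the hunks, and in `RandomizedValidityDefault` the consumer of the widened `startTime` is not visible, so whether the widening actually reaches the later `notBefore` computation there cannot be confirmed from this view.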