CA in the certificate profiles the startTime parameter is not working as 
expected.
    
    This simple fix addresses an overflow in the "startTime" parameter in 4 
places in the code. I felt that honing in only on the startTime value was the 
best way to go. In some of the files other than ValidityDefault.java, there 
were possibly some values that could be changed from int to long. Due to the 
complexity of some of the calculations involved in some of those cases, it is 
best to fix the exact issue at hand instead of introducing some other possible 
side effects.

Tested with a simple enrollment in the caUserCert profile by setting the 
startTime constraint to the offending value listed in the ticket/bug. The 
correct start time 30 days in the future was calculated and made part of the 
cert.


Issue:

https://pagure.io/dogtagpki/issue/2520
From 91d7f82be94532a691768021a0661efd6a93e093 Mon Sep 17 00:00:00 2001
From: Jack Magne <jma...@dhcp-16-206.sjc.redhat.com>
Date: Wed, 26 Apr 2017 15:21:39 -0700
Subject: [PATCH] CA in the certificate profiles the startTime parameter is not
 working as expected.

This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
---
 .../src/com/netscape/cms/profile/def/CAValidityDefault.java  | 12 ++++++------
 .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java     |  4 ++--
 .../netscape/cms/profile/def/RandomizedValidityDefault.java  |  2 +-
 .../src/com/netscape/cms/profile/def/ValidityDefault.java    | 10 +++++-----
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
index 2df256e..2ecd484 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
@@ -24,6 +24,11 @@ import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.X509CertInfo;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.X509CertInfo;
-
 /**
  * This class implements a CA signing cert enrollment default policy
  * that populates a server-side configurable validity
@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
         if (startTimeStr == null || startTimeStr.equals("")) {
             startTimeStr = "60";
         }
-        int startTime = Integer.parseInt(startTimeStr);
+        long startTime = Long.parseLong(startTimeStr);
 
         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
         CMS.debug("CAValidityDefault: not before: " + notBefore);
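Review bot: Widening `startTime` to `long` removes the int overflow in `1000 * startTime` on the line below, but `Long.parseLong(startTimeStr)` on the new line still throws an unchecked `NumberFormatException` for a non-numeric or out-of-range profile value, and a negative value is accepted and yields a notBefore in the past; the matching hunks in RandomizedValidityDefault.java and ValidityDefault.java have the same gap. Since the value comes from operator-edited profile configuration and is not validated here, I would catch `NumberFormatException` and reject the value through whatever checked exception the enclosing method declares (its signature is outside the hunk) rather than let the raw parse error escape the enrollment. The unit is only implied by the multiplier, so a comment such as `// startTime is an offset in seconds; keep the product in long arithmetic (issue 2520)` would stop a later edit from narrowing it back to int. The enclosing method begins and ends outside the hunk.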
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
index 6532a13..2f05f32 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
             if (startTimeStr == null || startTimeStr.equals("")) {
                 startTimeStr = "60";
             }
-            int startTime = Integer.parseInt(startTimeStr);
+            long startTime = Long.parseLong(startTimeStr);
             Date notBefore = new Date(CMS.getCurrentDate().getTime() +
                     (1000 * startTime));
             long notAfterVal = 0;
 
             notAfterVal = notBefore.getTime() +
-                    (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
+                    (mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
             Date notAfter = new Date(notAfterVal);
 
             ext = new PrivateKeyUsageExtension(notBefore, notAfter);
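Review bot: `Long.parseLong(getConfig(CONFIG_DURATION))` on the changed line has no null/empty guard, whereas `startTimeStr` three lines above is defaulted to "60" before it is parsed; `Long.parseLong(null)` and `Long.parseLong("")` both throw `NumberFormatException`, so an unset duration key would fail the enrollment with a raw parse error. Unless the profile framework guarantees the key is always present, I would read it into a local and apply the same pattern, e.g. `String durationStr = getConfig(CONFIG_DURATION);` followed by the same null/empty check, rejecting or defaulting as the extension's configuration contract requires. The declared type of `mDefault` is not visible in this hunk; with the parsed operand now `long` the product is long either way, so the widening does hold for that line. The enclosing method begins and ends outside the hunk.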
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
index 6308715..ce69c15 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault {
         if (startTimeStr == null || startTimeStr.equals("")) {
             startTimeStr = "60";
         }
-        int startTime = Integer.parseInt(startTimeStr);
+        long startTime = Long.parseLong(startTimeStr);
 
         String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS);
         if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) {
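Review bot: The expression that consumes `startTime` lies outside this hunk, so the one-line change here does not by itself show that the int overflow is gone for this file. If that expression has the same `(1000 * startTime)` form as in CAValidityDefault and ValidityDefault, the product is now computed in long arithmetic; if `startTime` is instead combined with the random-bits offset through an `int` intermediate before the multiply, the widening is lost and the change should extend to that expression. The enclosing method begins and ends outside the hunk.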
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index 21ec8ea..a74ccdf 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -24,6 +24,10 @@ import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ca.ICertificateAuthority;
@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.property.IDescriptor;
 import com.netscape.certsrv.request.IRequest;
 
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 /**
  * This class implements an enrollment default policy
  * that populates a server-side configurable validity
@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault {
         if (startTimeStr == null || startTimeStr.equals("")) {
             startTimeStr = "60";
         }
-        int startTime = Integer.parseInt(startTimeStr);
+        long startTime = Long.parseLong(startTimeStr);
 
         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
         CMS.debug("ValidityDefault: not before: " + notBefore);
-- 
2.5.0
