Update to 0.78.4:
- fix the "getcert start-tracking" -L and -l options (#1249753)
- output diagnostics about the second request when scep-submit encounters an
error during a second request to the SCEP server
- tweak initialization so that we set up for providing our D-Bus API before we
register our name with the bus, so that we can handle any requests that
arrive before the acknowledgement of that registration
- on systems that run systemd, add the right data file so that the service gets
started when someone tries to talk to the daemon (ticket #38)
- correctly check for error responses when sending GetCAChain requests to SCEP
servers
- fixup the key-information-read test for DSA to account for certutil
generating 1024 bit keys when we ask for more
- fix a typo in the package changelog
- add relevant references to bug reports and tickets in the 0.78 log
- switch to using popt for parsing command line arguments, continuing to
use old help text for now so that we can catch up with translations (print
old text for --help, new text (with longopts!) for -H)
- add some plumbing for eventually receiving per-certificate roots in
addition to issued certificates and chain certificates
- add a "rekey" command to getcert, for triggering enrollment using a new
key pair
- scep-submit: check for the Renewal capability, and default to taking
advantage of it during rekeying, unless the new -n flag is specified to it
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
to the helper
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
while submitting enrollment requests
- dogtag-submit: handle cases where we submit a request and the server
returns a success code rather than just queuing the request
- ipa-submit: pass requested profile names to the server as an argument
named "profile_id"; if the server gives us an "unrecognized argument"
error, retry without it for compatibility's sake
- keygen: fix a possible crash if keygen fails to return a key from NSS
- correct the certmonger(8) man page's description of the -c flag, whic it
used to call the -C flag
- add logic for setting ownership and permissions on certificates and keys
when saving them to disk
- add configuration options "max_key_lifetime" and "max_key_use_count" for
making automatic renewal prefer rekeying
- don't display PINs in "getcert list" output (#42)
- clean up launching of a private instance in "getcert"
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
times we've gotten certificates using a given key pair
- fix a data loss bug when saving renewed certificates to NSS databases - the
private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2
- expose the certificate's not-valid-before and not-valid-after dates as a
property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
of its signing certificate, falling back to the lifetime configured for
the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
that we want to use (ticket #17, possibly part of IPA ticket #57)
- update to 0.77.1
- add initial, still rough, SCEP support (#1140241,#1161768)
- add an scep-submit helper to handle part of it
- getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
- getcert: add -l, -L flags to request/resubmit/start-tracking commands
to provide a way to set a ChallengePassword in signing requests
- lay some groundwork for rekeying support
- bundled dogtag enrollment helpers now output debugging info to stderr
- ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
- getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
#1181022, patch by David Kupka)
- use Zanata for translations
- getcert list: list the certificate's profile name, if it contains one
- dogtag-submit: accept additional options to pass to the server when
approving requests using agent creds (#1165155, patch by Jan Cholasta)
- getcert: print help output when 'status' isn't given any args (#1163541)
Update to 0.76.6:
- avoid premature exit on CA data analysis failures (should fix issue
reported by Natxo Asenjo)
- fixes for bugs found by static analysis
- rework the state machine so that we save an issued certificate's associated
CA certificates, then re-read the certificate, then run the post hook and
issue notifications, in that order, instead of saving CA certificates after
running the post hook, which was always a surprising order (#1131700)
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
to make it easier to know the difference between paramenters it requires
and parameters which are optional
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
use discovery to find them (#1136900)
- require a single certificate to be specified to 'getcert status' (#1148001)
- shorten the default help message which getcert prints when it's not given
a specific command (#1131704)
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
for connections directly from clients running under the same UID
- add a command mode (-c) to certmonger, in which once it's started, it
launches a specified command, and after that command exits, the daemon exits
- when getcert is invoked with no bus running, if it's running as root, run
certmonger in private listener mode with the same invocation of getcert as
the command to start and wait for (#1134497)
- correct encoding/decoding of variant-typed data which we receive and
send as part of the org.freedesktop.DBus.Properties interface over the
bus, and add some tests for them (based on patch from David Kupka,
ticket #36)
- when getcert is passed a -a flag, to indicate that CA root
certificates should be stored in the specified database, don't ignore
locations which don't include a storage scheme (#1129537)
- when called to 'start-tracking' with the -a or -F flags, if we have
applicable certificates on-hand for a CA that we're either told to use
or which we decide is the correct one, save the certificates
(#1129696)
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
default.conf, and no "host" is set either, try to construct the server URI
using the "server" setting (#1126985)
- avoid potential use-after-free after a CA is removed dynamically (thanks to
Keenan Brock) (#1125342)
- add a "external-helper" property to CA objects
- add a 'refresh' option to the getcert command
- add a '-a' flag to the getcert command's 'refresh-ca' option
- adjust package Requires: on systemd-sysv on F19 and EL6 and older,
conditionalized it so that it's ignored on newer releases, and make
whether or not we call systemd-sysv-convert in triggers depend on that,
too (#1104138)
- fix an inconsistency in how we parse cookie values returned by CA helpers,
in that single-line values would lose the end-of-line after a daemon
restart, but not before
- handle timeout values and exit status values when calling CA helpers
in non-SUBMIT, non-POLL modes (#1118468)
- rework how we save CA certificates so that we save CA certificates associated
with end-entity certificates when we save that end-entity certificate, which
requires running all of the involved pre- and post-save commands
- documentation updates
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
when we detect certmonger versions prior to 0.58 being installed, to
avoid cases where some older versions choke on CAs with nicknames that
contain characters that can't legally be part of a D-Bus name (#948993)
- fix creation and packaging of the "local" CA's data directory
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
commands, and add a non-waiting "status" command
- add the "local" signer, a local toy CA that signs anything you'll
ask it to sign
- fix self-test errors that we trigger with new OpenSSL
- fix a build error that would sometimes happen when we're told to
build PIE binaries
- quiet a compile warning
- retrieve CA information from CAs, if the helpers can do so, and
add a command to explicitly refresh that data: "getcert refresh-ca"
- offer to save CA certificates to files and databases, when specified with
new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
trac #31)
- add IP address subject alternate names when getcert request/resubmit
is passed the -A option (trac #35)
- read and cache the freshestCRL extension in certificates
- properly interpret KDC-unreachable errors encountered in the IPA
submission error as a server-unreachable error that we will retry,
rather than a misconfiguration error which we won't
- don't let tests get tripped up by new formatting used in dos2unix status
messages (#1099080)
- updated translations
- be explicit that we are going to use bashisms in test scripts by calling
the shell interpreter as 'bash' rather than 'sh' (trac #27)
- also save state when we exit due to SIGHUP
- don't get tripped up when enrollment helpers hand us certificates
which include CRLF line terminators (ticket #25)
- be tolerant of certificate issuer names, subject names, DNS, email,
and Kerberos principal namem subjectAltNames, and crl distribution
point URLs that contain newlines
- read and cache the certificate template extension in certificates
- enforce different minimum key sizes depending on the type of key we're
trying to generate
- store DER versions of subject, issuer and template subject, if we have
them (Jan Cholasta, ticket #26)
- when generating signing requests with subject names that don't quite
parse as subject names, encode what we're given as PrintableString
rather than as a UTF8String
- always chdir() to a known location at startup, even if we're not
becoming a daemon
- fix a couple of memory leaks (static analysis)
- add missing buildrequires: on which
- encode the friendlyName attribute in signing requests as a BMPString,
not as a PrintableString
- catch more filesystem permissions problems earlier (more of #996581)
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
where it belongs
- support generating requests and self-signing using DSA and EC keys
- check for cases where we fail to allocate memory while reading a request
or CA entry from disk (John Haxby)
- only handle one watch at a time, which should avoid abort() during
attempts to reconnect to the message bus after losing our connection
to it (#1055521)
- add a --with-homedir option to configure, and use it, since
subprocesses which we run and which use NSS may attempt to write to
$HOME/.pki, and 0.69's strategy of setting that to "/" was rightly
hitting SELinux policy denials (#1047798)
- tweak how we decide whether we're on the master or a minion when we're
told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
certificate to the designated location fails (part of #1032760/#1033333,
ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
noise before or after the certificate itself (more of #1032760/1033333,
ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
subsequently succeed in talking to the CA
- various other static-analysis fixes
0.67:
- when saving certificates to NSS databases, try to preserve the trust
value assigned to a previously-present certificate with the same nickname
and subject, if one is found
- when saving certificates to NSS databases, also prune certificates from
the database which have both the same nickname and subject as the one
we're adding, to avoid tripping up tools that only fetch one certificate
by nickname
0.66:
- build as position-independent executables with early binding (#883966)
- also don't tag the unit file as a configuration file (internal tooling)
- don't tag the D-Bus session .service file as a configuration file (internal
tooling)
update to 0.63:
- serialize access to NSS databases and the running of pre- and post-save
commands which might also access them (possibly fixing part of #883484)
- add a -u flag to getcert to enable requesting a keyUsage extension value
- request subjectKeyIdentifier extensions from CAs, and include them in
self-signed certificates
- request basicConstraints from CAs, defaulting to requests for end-entity
certificates
- when requesting CA certificates, also request authorityKeyIdentifier
- add support for requesting CRL distribution point and authorityInfoAccess
extensions that specify OCSP responder locations
- don't crash when OpenSSL can't build a template certificate from a request
when we're in FIPS mode
- put NSS in FIPS mode, when the system booted that way, except when we're
trying to write certificates to a database
- fix CSR generation and self-signing in FIPS mode with NSS
- fix self-signing in FIPS mode with OpenSSL
- new languages from the translation team: mai, ml, nn, ga
- adjust internals of logic for talking to dogtag to at least have a
concept of non-agent cases
- when talking to an IPA server's internal Dogtag instance, infer which
ports the CA is listening on from the "dogtag_version" setting in the
IPA configuration (Ade Lee)
- send a notification (or log a message, whatever) when we save a new
certificate (#766167)
0.59:
- mostly documentation updates
0.58:
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
an IPA server's internal Dogtag instance
- export the requested profile and old certificate to enrollment helpers
- make libxml and libcurl into hard build-time requirements
- serialize all pre/save/post sequences to make sure that stop/save/start
doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
a service while we muck with more than one of its certificates
- add a command option (-T) to getcert for specifying which enrollment
profile to tell a CA that we're using, in case it cares (#10)
0.57
- clarify that the command passed to getcert -C is a "post"-save command
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
longer the default, emit the PropertiesChanged signal on the CA which is
not the default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis, #796813)
- cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
argument when we're missing a required argument, not that the option is
invalid (broken since 0.51, #796542)
