None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
- Patch to fix NSS handling of keys in sqlite databases
- Patches to fix tests now that sqlite is the NSS default.
Also fix building in rawhide due to packaging changes
- Remove BR on mktemp. It is now provided by coreutils.
The BuildRequires was setup to use a file because for some older
distributions popt.h was included in popt itself.
It's time to remove this workaround.
- update to 0.79.5:
- getcert start-tracking: use issuer option when specified
- add support for specifying the MS certificate template
- Reformat certificates returned by Dogtag to strip extra newline
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
- update to 0.79.4:
- fix CA option name for ipa cert-request
- fix minor memory leak
- fix build warnings
- fix an incorrect date in the .spec changelog
- bump gettext version to avoid warning
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
- update to 0.79.2:
- update %%docs list because README is now README.md
- update to 0.79.1:
- update translations
- fix 'make archive' target
- update to 0.79:
- getcert now offers an option (-X) for requesting processing by a particular
CA if the server we're contacting is running more than one
- getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
requesting BasicConstraints values
- getcert now displays times in local time instead of UTC, which was
previously the only way they were displayed; the --utc option can often be
used to switch back to its previous behavior
- the SCEP enrollment helper now correctly issues GetCACertChain requests to
SCEP servers, instead of issuing a GetCAChain request, which isn't part of
the protocol; from report by Jason Garland
- when issuing SCEP requests, the ID of the CA included in the HTTP request
is now URL-encoded, as it should be
- renewal or notification-of-impending-expiration logic is now triggered
closer to TTL thresholds rather than waiting for a periodic check to pass a
threshold
- properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
for a lot of the legwork
- resync .spec file with Fedora
- upstream project migrated from fedorahosted.org to pagure.io
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add backported fix to the tests to wait a reasonable amount of time
after calling the 'resubmit' method for a new certificate to be issued
when we're exercising the D-Bus API (backport done by Jan Cholasta,
Instead of using killall to send a SIGHUP to the system bus daemon in
%post to get it to reload its configuration, use dbus-send to send a
ReloadConfig request over the bus (should fix#1277573).
Update to 0.78.4:
- fix the "getcert start-tracking" -L and -l options (#1249753)
- output diagnostics about the second request when scep-submit encounters an
error during a second request to the SCEP server
- tweak initialization so that we set up for providing our D-Bus API before we
register our name with the bus, so that we can handle any requests that
arrive before the acknowledgement of that registration
- on systems that run systemd, add the right data file so that the service gets
started when someone tries to talk to the daemon (ticket #38)
- correctly check for error responses when sending GetCAChain requests to SCEP
servers
- fixup the key-information-read test for DSA to account for certutil
generating 1024 bit keys when we ask for more
- fix a typo in the package changelog
- add relevant references to bug reports and tickets in the 0.78 log
- switch to using popt for parsing command line arguments, continuing to
use old help text for now so that we can catch up with translations (print
old text for --help, new text (with longopts!) for -H)
- add some plumbing for eventually receiving per-certificate roots in
addition to issued certificates and chain certificates
- add a "rekey" command to getcert, for triggering enrollment using a new
key pair
- scep-submit: check for the Renewal capability, and default to taking
advantage of it during rekeying, unless the new -n flag is specified to it
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
to the helper
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
while submitting enrollment requests
- dogtag-submit: handle cases where we submit a request and the server
returns a success code rather than just queuing the request
- ipa-submit: pass requested profile names to the server as an argument
named "profile_id"; if the server gives us an "unrecognized argument"
error, retry without it for compatibility's sake
- keygen: fix a possible crash if keygen fails to return a key from NSS
- correct the certmonger(8) man page's description of the -c flag, whic it
used to call the -C flag
- add logic for setting ownership and permissions on certificates and keys
when saving them to disk
- add configuration options "max_key_lifetime" and "max_key_use_count" for
making automatic renewal prefer rekeying
- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
includes IP address subjectAltName values
- correctly verify signatures on SCEP server replies when the signer is neither
the top-level CA nor the RA (feedback in #1161768)
- correctly verify signatures on SCEP server replies when there is more than
one certificate in the chain between the RA and the top-level CA (feedback in
#1161768)
- don't display PINs in "getcert list" output (#42)
- clean up launching of a private instance in "getcert"
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
times we've gotten certificates using a given key pair
- fix a data loss bug when saving renewed certificates to NSS databases - the
private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2
- expose the certificate's not-valid-before and not-valid-after dates as a
property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
of its signing certificate, falling back to the lifetime configured for
the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
that we want to use (ticket #17, possibly part of IPA ticket #57)
- update to 0.77.1
- add initial, still rough, SCEP support (#1140241,#1161768)
- add an scep-submit helper to handle part of it
- getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
- getcert: add -l, -L flags to request/resubmit/start-tracking commands
to provide a way to set a ChallengePassword in signing requests
- lay some groundwork for rekeying support
- bundled dogtag enrollment helpers now output debugging info to stderr
- ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
- getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
#1181022, patch by David Kupka)
- use Zanata for translations
- getcert list: list the certificate's profile name, if it contains one
- dogtag-submit: accept additional options to pass to the server when
approving requests using agent creds (#1165155, patch by Jan Cholasta)
- getcert: print help output when 'status' isn't given any args (#1163541)
Update to 0.76.6:
- avoid premature exit on CA data analysis failures (should fix issue
reported by Natxo Asenjo)
- fixes for bugs found by static analysis
- rework the state machine so that we save an issued certificate's associated
CA certificates, then re-read the certificate, then run the post hook and
issue notifications, in that order, instead of saving CA certificates after
running the post hook, which was always a surprising order (#1131700)
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
to make it easier to know the difference between paramenters it requires
and parameters which are optional
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
use discovery to find them (#1136900)
- require a single certificate to be specified to 'getcert status' (#1148001)
- shorten the default help message which getcert prints when it's not given
a specific command (#1131704)
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
for connections directly from clients running under the same UID
- add a command mode (-c) to certmonger, in which once it's started, it
launches a specified command, and after that command exits, the daemon exits
- when getcert is invoked with no bus running, if it's running as root, run
certmonger in private listener mode with the same invocation of getcert as
the command to start and wait for (#1134497)
- correct encoding/decoding of variant-typed data which we receive and
send as part of the org.freedesktop.DBus.Properties interface over the
bus, and add some tests for them (based on patch from David Kupka,
ticket #36)
- when getcert is passed a -a flag, to indicate that CA root
certificates should be stored in the specified database, don't ignore
locations which don't include a storage scheme (#1129537)
- when called to 'start-tracking' with the -a or -F flags, if we have
applicable certificates on-hand for a CA that we're either told to use
or which we decide is the correct one, save the certificates
(#1129696)
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
default.conf, and no "host" is set either, try to construct the server URI
using the "server" setting (#1126985)
- avoid potential use-after-free after a CA is removed dynamically (thanks to
Keenan Brock) (#1125342)
- add a "external-helper" property to CA objects
- add a 'refresh' option to the getcert command
- add a '-a' flag to the getcert command's 'refresh-ca' option
- adjust package Requires: on systemd-sysv on F19 and EL6 and older,
conditionalized it so that it's ignored on newer releases, and make
whether or not we call systemd-sysv-convert in triggers depend on that,
too (#1104138)
- fix an inconsistency in how we parse cookie values returned by CA helpers,
in that single-line values would lose the end-of-line after a daemon
restart, but not before
- handle timeout values and exit status values when calling CA helpers
in non-SUBMIT, non-POLL modes (#1118468)
- rework how we save CA certificates so that we save CA certificates associated
with end-entity certificates when we save that end-entity certificate, which
requires running all of the involved pre- and post-save commands
