Commit Graph

148 Commits

Author SHA1 Message Date
Rob Crittenden
556a0b448b Update to 0.79.4
- update to 0.79.4:
  - fix CA option name for ipa cert-request
  - fix minor memory leak
  - fix build warnings
  - fix an incorrect date in the .spec changelog
  - bump gettext version to avoid warning

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2017-08-07 17:56:14 -04:00
Fedora Release Engineering
b373412701 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 2017-08-02 18:42:53 +00:00
Fedora Release Engineering
a5d6ea922f - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 04:41:03 +00:00
Nalin Dahyabhai
6ff35d776f Update to 0.79.3
- update to 0.79.3:
  - fix self-signing self-test cases that used DSA or EC keys

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-02-28 01:33:53 -05:00
Nalin Dahyabhai
c68c5e7f21 Update to 0.79.2-2
- update to 0.79.2:
  - update %%docs list because README is now README.md

- update to 0.79.1:
  - update translations
  - fix 'make archive' target

- update to 0.79:
  - getcert now offers an option (-X) for requesting processing by a particular
    CA if the server we're contacting is running more than one
  - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
    requesting BasicConstraints values
  - getcert now displays times in local time instead of UTC, which was
    previously the only way they were displayed; the --utc option can often be
    used to switch back to its previous behavior
  - the SCEP enrollment helper now correctly issues GetCACertChain requests to
    SCEP servers, instead of issuing a GetCAChain request, which isn't part of
    the protocol; from report by Jason Garland
  - when issuing SCEP requests, the ID of the CA included in the HTTP request
    is now URL-encoded, as it should be
  - renewal or notification-of-impending-expiration logic is now triggered
    closer to TTL thresholds rather than waiting for a periodic check to pass a
    threshold
  - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
    for a lot of the legwork
- resync .spec file with Fedora
- upstream project migrated from fedorahosted.org to pagure.io

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-02-27 22:03:49 -05:00
Fedora Release Engineering
a4236fbbbc - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-10 07:24:26 +00:00
Igor Gnatenko
d852149729 Rebuild for xmlrpc-c
Signed-off-by: Igor Gnatenko <ignatenko@redhat.com>
2017-01-21 14:49:59 +01:00
Nalin Dahyabhai
3f8a64cc9e Add backported fixes for test failures
Add backported fix to the tests to wait a reasonable amount of time
after calling the 'resubmit' method for a new certificate to be issued
when we're exercising the D-Bus API (backport done by Jan Cholasta,
2016-07-06 14:31:36 -04:00
Nalin Dahyabhai
93e4828d8d Use dbus-send instead of SIGHUP to reload the bus
Instead of using killall to send a SIGHUP to the system bus daemon in
%post to get it to reload its configuration, use dbus-send to send a
ReloadConfig request over the bus (should fix #1277573).
2016-07-06 13:45:36 -04:00
Dennis Gilmore
07d25c2dcf - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-03 17:33:39 +00:00
Nalin Dahyabhai
5f3c01e3a4 Update to 0.78.6
- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit
- stop checking that we can generate 512 bit keys during self-tests
2016-01-13 13:54:21 -05:00
Nalin Dahyabhai
1e4e4bd4df Update to 0.78.5
- fix a possible uninitialized memory read (possibly #1260871)
- log a diagnostic error when we fail to initialize libkrb5
2015-11-16 17:44:15 -05:00
Nalin Dahyabhai
c0ca98f8c4 Update to 0.78.4
Update to 0.78.4:
- fix the "getcert start-tracking" -L and -l options (#1249753)
- output diagnostics about the second request when scep-submit encounters an
  error during a second request to the SCEP server
2015-08-04 14:54:37 -04:00
Nalin Dahyabhai
cb61adfa6c Update to 0.78.3
- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit
  and the -O and -o flags to dogtag-submit (#1244914)
2015-07-20 15:29:52 -04:00
Nalin Dahyabhai
144e7dd1b0 Update to 0.78.2
- tweak initialization so that we set up for providing our D-Bus API before we
  register our name with the bus, so that we can handle any requests that
  arrive before the acknowledgement of that registration
- on systems that run systemd, add the right data file so that the service gets
  started when someone tries to talk to the daemon (ticket #38)
- correctly check for error responses when sending GetCAChain requests to SCEP
  servers
2015-07-09 20:21:53 -04:00
Nalin Dahyabhai
a85bb52ef3 Update to 0.78.1
- fixup the key-information-read test for DSA to account for certutil
  generating 1024 bit keys when we ask for more
- fix a typo in the package changelog
- add relevant references to bug reports and tickets in the 0.78 log
2015-06-21 02:21:52 -04:00
Nalin Dahyabhai
0760509e84 Update to 0.78
- switch to using popt for parsing command line arguments, continuing to
  use old help text for now so that we can catch up with translations (print
  old text for --help, new text (with longopts!) for -H)
- add some plumbing for eventually receiving per-certificate roots in
  addition to issued certificates and chain certificates
- add a "rekey" command to getcert, for triggering enrollment using a new
  key pair
- scep-submit: check for the Renewal capability, and default to taking
  advantage of it during rekeying, unless the new -n flag is specified to it
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
  to the helper
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
  while submitting enrollment requests
- dogtag-submit: handle cases where we submit a request and the server
  returns a success code rather than just queuing the request
- ipa-submit: pass requested profile names to the server as an argument
  named "profile_id"; if the server gives us an "unrecognized argument"
  error, retry without it for compatibility's sake
- keygen: fix a possible crash if keygen fails to return a key from NSS
- correct the certmonger(8) man page's description of the -c flag, whic it
  used to call the -C flag
- add logic for setting ownership and permissions on certificates and keys
  when saving them to disk
- add configuration options "max_key_lifetime" and "max_key_use_count" for
  making automatic renewal prefer rekeying
2015-06-20 11:25:43 -04:00
Dennis Gilmore
b13cf66225 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-17 02:30:53 +00:00
Nalin Dahyabhai
d00093b7bf Whoops, actually update to 0.77.5 2015-05-28 10:25:45 -04:00
Nalin Dahyabhai
631c1c94d1 update to 0.77.4
- don't display PINs in "getcert list" output (#42)
- clean up launching of a private instance in "getcert"
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
  own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
  times we've gotten certificates using a given key pair
2015-05-17 16:53:39 -04:00
Nalin Dahyabhai
a1cad26520 Update to 0.77.3
- fix a data loss bug when saving renewed certificates to NSS databases - the
  private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2
2015-05-07 17:19:09 -04:00
Nalin Dahyabhai
c44b07d085 Update to 0.77.2
- expose the certificate's not-valid-before and not-valid-after dates as a
  property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
  of its signing certificate, falling back to the lifetime configured for
  the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
  introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
  that we want to use (ticket #17, possibly part of IPA ticket #57)
2015-04-14 13:37:57 -04:00
Nalin Dahyabhai
54551d64ad Update to 0.77.1
- update to 0.77.1
  - add initial, still rough, SCEP support (#1140241,#1161768)
    - add an scep-submit helper to handle part of it
  - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
  - getcert: add -l, -L flags to request/resubmit/start-tracking commands
    to provide a way to set a ChallengePassword in signing requests
  - lay some groundwork for rekeying support
  - bundled dogtag enrollment helpers now output debugging info to stderr
  - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
  - getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
    #1181022, patch by David Kupka)
  - use Zanata for translations
  - getcert list: list the certificate's profile name, if it contains one
2015-02-27 16:44:06 -05:00
Nalin Dahyabhai
cedf1c324f Update to 0.76.8
- dogtag-submit: accept additional options to pass to the server when
  approving requests using agent creds (#1165155, patch by Jan Cholasta)
- getcert: print help output when 'status' isn't given any args (#1163541)
2014-11-18 10:09:47 -05:00
Nalin Dahyabhai
8991081682 Update to 0.76.7
- correctly read CA not-valid-after dates on 32-bit machines (also
  reported by Natxo Asenjo), so that we don't spin on polling them
2014-11-11 13:06:53 -05:00
Nalin Dahyabhai
40a88215a9 Update to 0.76.6
Update to 0.76.6:
- avoid premature exit on CA data analysis failures (should fix issue
  reported by Natxo Asenjo)
- fixes for bugs found by static analysis
- rework the state machine so that we save an issued certificate's associated
  CA certificates, then re-read the certificate, then run the post hook and
  issue notifications, in that order, instead of saving CA certificates after
  running the post hook, which was always a surprising order (#1131700)
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
  to make it easier to know the difference between paramenters it requires
  and parameters which are optional
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
  use discovery to find them (#1136900)
- require a single certificate to be specified to 'getcert status' (#1148001)
- shorten the default help message which getcert prints when it's not given
  a specific command (#1131704)
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
  for connections directly from clients running under the same UID
- add a command mode (-c) to certmonger, in which once it's started, it
  launches a specified command, and after that command exits, the daemon exits
- when getcert is invoked with no bus running, if it's running as root, run
  certmonger in private listener mode with the same invocation of getcert as
  the command to start and wait for (#1134497)
2014-11-10 17:58:42 -05:00
Nalin Dahyabhai
b6fcbbc5a0 Update to 0.75.14
- make pathname canonicalization slightly smarter, to handle ".." in
  locations
- updates to self-tests
2014-08-28 14:12:24 -04:00
Kevin Fenzi
dae5f838b3 Rebuild for rpm bug 1131960 2014-08-21 11:37:56 -06:00
Nalin Dahyabhai
9250e88626 Update to 0.75.13
- correct encoding/decoding of variant-typed data which we receive and
  send as part of the org.freedesktop.DBus.Properties interface over the
  bus, and add some tests for them (based on patch from David Kupka,
  ticket #36)
- when getcert is passed a -a flag, to indicate that CA root
  certificates should be stored in the specified database, don't ignore
  locations which don't include a storage scheme (#1129537)
- when called to 'start-tracking' with the -a or -F flags, if we have
  applicable certificates on-hand for a CA that we're either told to use
  or which we decide is the correct one, save the certificates
  (#1129696)
2014-08-18 13:20:11 -04:00
Peter Robinson
c1bf21c857 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-15 23:55:20 +00:00
Nalin Dahyabhai
3ad00ba314 Update to 0.75.10
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
  default.conf, and no "host" is set either, try to construct the server URI
  using the "server" setting (#1126985)
2014-08-05 15:44:15 -04:00
Nalin Dahyabhai
3f724f69b3 Update to 0.75.9
- avoid potential use-after-free after a CA is removed dynamically (thanks to
  Keenan Brock) (#1125342)
- add a "external-helper" property to CA objects
2014-07-31 14:24:23 -04:00
Nalin Dahyabhai
1bab3989b3 Update to 0.75.8
- add a 'refresh' option to the getcert command
- add a '-a' flag to the getcert command's 'refresh-ca' option
- adjust package Requires: on systemd-sysv on F19 and EL6 and older,
  conditionalized it so that it's ignored on newer releases, and make
  whether or not we call systemd-sysv-convert in triggers depend on that,
  too (#1104138)
- fix an inconsistency in how we parse cookie values returned by CA helpers,
  in that single-line values would lose the end-of-line after a daemon
  restart, but not before
- handle timeout values and exit status values when calling CA helpers
  in non-SUBMIT, non-POLL modes (#1118468)
- rework how we save CA certificates so that we save CA certificates associated
  with end-entity certificates when we save that end-entity certificate, which
  requires running all of the involved pre- and post-save commands
2014-07-21 16:25:17 -04:00
Nalin Dahyabhai
acbe23a0ad Update to 0.75.6
- avoid potential use-after-free and read overrun after a CA is added
  dynamically (thanks to Jan Cholasta)
2014-06-26 10:18:38 -04:00
Nalin Dahyabhai
ff961cf333 Update to 0.75.5
- documentation updates
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
  when we detect certmonger versions prior to 0.58 being installed, to
  avoid cases where some older versions choke on CAs with nicknames that
  contain characters that can't legally be part of a D-Bus name (#948993)
- fix creation and packaging of the "local" CA's data directory
2014-06-20 17:06:03 -04:00
Nalin Dahyabhai
341c446f8c Update to 0.75.3
- read and cache whether or not we saw a noOCSPcheck extension in
  certificates
- documentation updates
2014-06-18 14:39:06 -04:00
Nalin Dahyabhai
dd986d5036 Update to 0.75.2
- when generating keys using OpenSSL, if key generation fails, try
  again with the default key size, in case we're in FIPS mode
- documentation updates
2014-06-16 18:42:06 -04:00
Nalin Dahyabhai
66cd6b4b41 Update to 0.75.1
- log the state in 'getcert status' verbose mode
2014-06-15 00:14:39 -04:00
Nalin Dahyabhai
468fcf0c32 Update to 0.75
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
  commands, and add a non-waiting "status" command
- add the "local" signer, a local toy CA that signs anything you'll
  ask it to sign
- fix self-test errors that we trigger with new OpenSSL
- fix a build error that would sometimes happen when we're told to
  build PIE binaries
- quiet a compile warning
- retrieve CA information from CAs, if the helpers can do so, and
  add a command to explicitly refresh that data: "getcert refresh-ca"
- offer to save CA certificates to files and databases, when specified with
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
  trac #31)
- add IP address subject alternate names when getcert request/resubmit
  is passed the -A option (trac #35)
- read and cache the freshestCRL extension in certificates
- properly interpret KDC-unreachable errors encountered in the IPA
  submission error as a server-unreachable error that we will retry,
  rather than a misconfiguration error which we won't
- don't let tests get tripped up by new formatting used in dos2unix status
  messages (#1099080)
- updated translations
- be explicit that we are going to use bashisms in test scripts by calling
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
2014-06-13 17:32:02 -04:00
Dennis Gilmore
2c35256181 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-06 23:26:55 -05:00
Nalin Dahyabhai
2a8cd1da74 Update to 0.74
- also save state when we exit due to SIGHUP
- don't get tripped up when enrollment helpers hand us certificates
  which include CRLF line terminators (ticket #25)
- be tolerant of certificate issuer names, subject names, DNS, email,
  and Kerberos principal namem subjectAltNames, and crl distribution
  point URLs that contain newlines
- read and cache the certificate template extension in certificates
- enforce different minimum key sizes depending on the type of key we're
  trying to generate
- store DER versions of subject, issuer and template subject, if we have
  them (Jan Cholasta, ticket #26)
- when generating signing requests with subject names that don't quite
  parse as subject names, encode what we're given as PrintableString
  rather than as a UTF8String
- always chdir() to a known location at startup, even if we're not
  becoming a daemon
- fix a couple of memory leaks (static analysis)
- add missing buildrequires: on which
2014-04-03 13:27:21 -04:00
Nalin Dahyabhai
42ca560e41 Update to 0.73
- encode the friendlyName attribute in signing requests as a BMPString,
  not as a PrintableString
- catch more filesystem permissions problems earlier (more of #996581)
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
  where it belongs
- support generating requests and self-signing using DSA and EC keys
2014-02-24 10:18:07 -05:00
Nalin Dahyabhai
19b37db4dc Update to 0.71(.2)
- check for cases where we fail to allocate memory while reading a request
  or CA entry from disk (John Haxby)
- only handle one watch at a time, which should avoid abort() during
  attempts to reconnect to the message bus after losing our connection
  to it (#1055521)
2014-01-27 17:22:09 -05:00
Nalin Dahyabhai
8562aa3ebe update to 0.70
- add a --with-homedir option to configure, and use it, since
  subprocesses which we run and which use NSS may attempt to write to
  $HOME/.pki, and 0.69's strategy of setting that to "/" was rightly
  hitting SELinux policy denials (#1047798)
2014-01-02 13:12:26 -05:00
Nalin Dahyabhai
05449cb7fb Update to 0.69
- tweak how we decide whether we're on the master or a minion when we're
  told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
  logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
  note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
  certificate to the designated location fails (part of #1032760/#1033333,
  ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
  noise before or after the certificate itself (more of #1032760/1033333,
  ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
  ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
  subsequently succeed in talking to the CA
- various other static-analysis fixes
2013-12-09 19:43:57 -05:00
Nalin Dahyabhai
b3093eeb92 update to 0.68
- notice when the OpenSSL RNG isn't seeded
- notice when saving certificates or keys fails due to filesystem-related
  permission denial (#996581)
2013-08-29 16:12:05 -04:00
Nalin Dahyabhai
b10c43033d Fix self-tests when run with newer certutil
- pull up a patch from master to adapt self-tests to certutil's
  diagnostic output having changed (#992050)
2013-08-06 02:18:52 -04:00
Dennis Gilmore
42d62b9d4a - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-02 23:39:35 -05:00
Nalin Dahyabhai
8e1117aa6e update to 0.67
0.67:
- when saving certificates to NSS databases, try to preserve the trust
  value assigned to a previously-present certificate with the same nickname
  and subject, if one is found
- when saving certificates to NSS databases, also prune certificates from
  the database which have both the same nickname and subject as the one
  we're adding, to avoid tripping up tools that only fetch one certificate
  by nickname

0.66:
- build as position-independent executables with early binding (#883966)
- also don't tag the unit file as a configuration file (internal tooling)
- don't tag the D-Bus session .service file as a configuration file (internal
  tooling)
2013-03-11 18:08:35 -04:00
Dennis Gilmore
1b1f591c69 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild 2013-02-13 12:22:47 -06:00
Nalin Dahyabhai
8f23785283 update to 0.65
Update to 0.65, which flushes out bugs in the locking work that landed in 0.63.
2013-01-09 11:15:48 -05:00
Nalin Dahyabhai
d5b1da7951 update to 0.63
update to 0.63:
- serialize access to NSS databases and the running of pre- and post-save
  commands which might also access them (possibly fixing part of #883484)
2012-12-19 12:03:42 -05:00
Nalin Dahyabhai
9e017b41b6 update to 0.62
- add a -u flag to getcert to enable requesting a keyUsage extension value
- request subjectKeyIdentifier extensions from CAs, and include them in
  self-signed certificates
- request basicConstraints from CAs, defaulting to requests for end-entity
  certificates
- when requesting CA certificates, also request authorityKeyIdentifier
- add support for requesting CRL distribution point and authorityInfoAccess
  extensions that specify OCSP responder locations
- don't crash when OpenSSL can't build a template certificate from a request
  when we're in FIPS mode
- put NSS in FIPS mode, when the system booted that way, except when we're
  trying to write certificates to a database
- fix CSR generation and self-signing in FIPS mode with NSS
- fix self-signing in FIPS mode with OpenSSL
- new languages from the translation team: mai, ml, nn, ga
2012-11-29 00:45:48 -05:00
Nalin Dahyabhai
d7b55107b2 check for errors from X509_REQ_to_X509()
backport a change from git to report X509_REQ_to_X509() failures as
CA-rejected-our-request failures
2012-11-27 18:54:37 -05:00
Nalin Dahyabhai
04733941c2 check for errors from X509_REQ_to_X509()
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
  self-signing using OpenSSL
2012-11-27 18:21:56 -05:00
Nalin Dahyabhai
7deadd699a update to 0.61
fixes a regression reading request state files where the request's
state is either NEED_TO_NOTIFY or NOTIFY
2012-09-24 17:10:27 -04:00
Nalin Dahyabhai
0310940a78 update to 0.60
- adjust internals of logic for talking to dogtag to at least have a
  concept of non-agent cases
- when talking to an IPA server's internal Dogtag instance, infer which
  ports the CA is listening on from the "dogtag_version" setting in the
  IPA configuration (Ade Lee)
- send a notification (or log a message, whatever) when we save a new
  certificate (#766167)
2012-09-05 19:37:06 -04:00
Dennis Gilmore
a2fa86e022 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-18 13:48:27 -05:00
Nalin Dahyabhai
00ccf81cb8 update to 0.59
0.59:
- mostly documentation updates

0.58:
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
  an IPA server's internal Dogtag instance
- export the requested profile and old certificate to enrollment helpers
- make libxml and libcurl into hard build-time requirements
- serialize all pre/save/post sequences to make sure that stop/save/start
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
  a service while we muck with more than one of its certificates
- add a command option (-T) to getcert for specifying which enrollment
  profile to tell a CA that we're using, in case it cares (#10)

0.57
- clarify that the command passed to getcert -C is a "post"-save command
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
2012-07-13 22:31:55 -04:00
Nalin Dahyabhai
f3bac67d59 - when a caller sets the is-default flag on a CA, and another CA is no
longer the default, emit the PropertiesChanged signal on the CA which is
  not the default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis, #796813)
- cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
  argument when we're missing a required argument, not that the option is
  invalid (broken since 0.51, #796542)
2012-03-03 01:20:58 -05:00
Nalin Dahyabhai
514d96bd6a -update to 0.55
- allow root to use our implementation of org.freedesktop.DBus.Properties
 - take more care to not emit useless PropertiesChanged signals
2012-02-15 17:44:35 -05:00
Nalin Dahyabhai
4c76e12d1d - update to 0.54 2012-02-15 02:27:13 -05:00
Dennis Gilmore
9a783a4fa5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild 2012-01-12 17:13:18 -06:00
Nalin Dahyabhai
b44f18eb7a - note that SELinux usually confines us to writing only to cert_t in
doc/getting-started.txt (#765599)
- fix crashes when we add a request during our first run when we're
  populating the hard-coded CA list
- properly deal with cases where a path is passed to us is "./XXX"
- in session mode, create our data directories as we go
2011-12-16 11:18:45 -05:00
Nalin Dahyabhai
49a9e127b0 - update to 0.51, mainly to add compatibility with super-new IPA 2011-12-06 11:08:31 -05:00
Nalin Dahyabhai
2fa6a22c81 - really fix these this time:
- getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
2011-10-14 11:55:56 -04:00
Nalin Dahyabhai
18495c2dde - update to 0.49:
- when using an NSS database, skip loading the module database (#743042)
 - when using an NSS database, skip loading root certs
 - generate SPKAC values when generating CSRs, though we don't do anything with SPKAC values yet
 - internally maintain and use challenge passwords, if we have them
 - behave better when certificates have shorter lifetimes
 - add/recognize/handle notification type "none"
 - getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
 - don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated array (#742348)
 - getcert: distinguish between {stat() succeeds but isn't a directory} and {stat() failed} when printing an error message (#739903)
 - getcert resubmit/start-tracking: when we're looking for an existing request by ID, and we don't find one, note that specifically (#741262)
2011-10-13 17:25:09 -04:00
Nalin Dahyabhai
ef57f434b8 - update to 0.46 2011-08-15 15:42:36 -04:00
Nalin Dahyabhai
b81a31a3da - modify the systemd .service file to be a proper 'dbus' service (more of #718172) 2011-08-11 13:56:57 -04:00
Nalin Dahyabhai
c5c48c7ba2 - update to 0.44:
- check specifically for cases where a specified token that we need to
    use just isn't present for whatever reason (#697058)
2011-08-11 11:50:26 -04:00
Nalin Dahyabhai
c0eb1bf7eb - update to 0.43 2011-08-10 18:23:52 -04:00
Nalin Dahyabhai
a15951ae49 - getcert: fix a buffer overrun preparing a request for the daemon when
there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk
2011-04-13 10:29:00 -04:00
Nalin Dahyabhai
cc3917e153 - update to 0.41 2011-04-11 17:35:07 -04:00
Nalin Dahyabhai
933d5c2933 - update to 0.40
- fix validation check on EKU OIDs in getcert (#691351)
  - get session bus mode sorted
  - add a list of recognized EKU values to the getcert-request man page
2011-03-28 17:14:09 -04:00
Nalin Dahyabhai
3749ef64b7 - update to 0.39
- fix use of an uninitialized variable in the xmlrpc-based submission helpers (#690886)
2011-03-25 14:12:02 -04:00
Nalin Dahyabhai
838b40e07a - update to 0.38
- catch cases where we can't read a PIN file, but we never have to log
    in to the token to access the private key (more of #688229)
2011-03-24 15:30:29 -04:00
Nalin Dahyabhai
2329f71493 - update to 0.37
- be more careful about checking if we can read a PIN file successfully
    before we even call an API that might need us to try (#688229)
  - fix strict aliasing warnings
2011-03-22 19:33:39 -04:00
Nalin Dahyabhai
2a98aebb9c - update to 0.36
- fix some use-after-free bugs in the daemon (#689776)
  - fix a copy/paste error in certmonger-ipa-submit(8)
  - getcert now suppresses error details when not given its new -v option
    (#683926, more of #681641/#652047)
  - updated translations
    - de, es, pl, ru, uk
    - indonesian translation is now for "id" rather than "in"
2011-03-22 11:44:09 -04:00
Nalin Dahyabhai
a1bb00ae72 - update to 0.35.1, because there's a leap day between now and a year from now 2011-03-02 15:51:28 -05:00
Nalin Dahyabhai
664b62c20a - self-test fixes to rebuild properly in mock (#670322) 2011-02-14 17:46:45 -05:00
Dennis Gilmore
538932ab29 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 01:20:49 -06:00
Nalin Dahyabhai
469401701f - update to 0.34 2011-01-14 10:02:47 -05:00
Nalin Dahyabhai
a20057c7d4 update to 0.32 2010-11-30 13:58:31 -05:00
Nalin Dahyabhai
c276b718ef Merge branch 'master' of ssh://pkgs.fedoraproject.org/certmonger
Conflicts:
	certmonger.spec
2010-09-30 17:36:57 -04:00
Nalin Dahyabhai
2f5670644b explicitly require "dbus" to try to ensure we have a running system bus when we get started (#639126) 2010-09-30 17:36:08 -04:00
Jesse Keating
d7a3dcea2a - Rebuilt for gcc bug 634757 2010-09-29 14:02:02 -07:00
Nalin Dahyabhai
ed4ae41b22 - try to SIGHUP the messagebus daemon at first install so that it'll let us claim our service name if it isn't restarted before we are first started (#636876) 2010-09-23 13:07:41 -04:00
Nalin Dahyabhai
c00dcb498c - update to 0.30
- fix bugs caught by self-tests
2010-08-25 15:51:50 -04:00
Nalin Dahyabhai
0250202b6c - fix self-signing certificate notBefore and notAfter values on 32-bit machines
- portability and test fixes
2010-08-23 12:04:13 -04:00
Nalin Dahyabhai
6f0969ce62 - update to 0.26
- when canceling a submission request that's being handled by a helper,
    reap the child process's status after killing it (#624120)
  - update to 0.25
    - new translations
      - in by Okta Purnama Rahadian!
    - fix detection of cases where we can't access a private key in an NSS
      database because we don't have the PIN
    - teach '*getcert start-tracking' about the -p and -P options which the
      '*getcert request' commands already understand (#621670), and also
      the -U, -K, -E, and -D flags
    - double-check that the nicknames of keys we get back from
      PK11_ListPrivKeysInSlot() match the desired nickname before accepting
      them as matches, so that our tests won't all blow up on EL5
    - fix dynamic addition and removal of CAs implemented through helpers
    - init script: ensure that the subsys lock is created whenever we're called to
      "start" when we're already running (even more of #596719)
    - more gracefully handle manual daemon startups and cleaning up of unexpected
      crashes (still more of #596719)
    - don't create the daemon pidfile until after we've connected to the D-Bus
      (still more of #596719)
2010-08-13 14:35:38 -04:00
Nalin Dahyabhai
f8d7e57c9a - update to 0.24
- keep the lock on the pid file, if we have one, when we fork, and cancel
    daemon startup if we can't gain ownership of the lock (the rest of
    #596719)
- make the man pages note which external configuration files we consult
    when submitting requests to certmaster and ipa CAs
2010-06-08 15:26:12 +00:00
Nalin Dahyabhai
599e094b4d - update to 0.23
- new translations
- pl by Piotr Drąg!
- cancel daemon startup if we can't gain ownership of our well-known
    service name on the DBus (#596719)
2010-05-27 22:32:54 +00:00
Nalin Dahyabhai
ab20852900 - update to 0.22
- new translations
- de by Fabian Affolter!
- certmaster-submit: don't fall over when we can't find a certmaster.conf
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
- when reading extension values from certificates, prune out duplicate
    principal names, email addresses, and hostnames
2010-05-14 16:54:43 +00:00
Nalin Dahyabhai
a436504f7c - update to 0.21
- getcert/*-getcert: relay the desired CA to the local service, whether
    specified on the command line (in getcert) or as a built-in hard-wired
    default (in *-getcert) (#584983)
- flesh out the default certmonger.conf so that people can get a feel for
    the expected formatting (Jenny Galipeau)
2010-05-04 18:37:19 +00:00
Nalin Dahyabhai
4d4e3a63c4 - update to 0.20
- correctly parse certificate validity periods given in years (spotted by
    Stephen Gallagher)
- setup for translation
- es by Héctor Daniel Cabrera!
- ru by Yulia Poyarkova!
- uk by Yuri Chornoivan!
- fix unpreprocessed defaults in certmonger.conf's man page
- tweak the IPA-specific message that indicates a principal name also needs
    to be specified if we're not using the default subject name (#579542)
- make the validity period of self-signed certificates into a configuration
    setting and not a piece of the state information we track about the
    signer
- init script: exit with status 2 instead of 1 when invoked with an
    unrecognized argument (#584517)
2010-04-21 21:57:28 +00:00
Nalin Dahyabhai
36aa62b942 update to 0.19 2010-03-24 00:07:21 +00:00
Nalin Dahyabhai
473822dd8b - update to 0.18
- add support for using encrypted storage for keys, using PIN values
    supplied directly or read from files whose names are supplied
- don't choke on NSS database locations that use the "sql:" or "dbm:"
    prefix
2010-02-12 20:43:18 +00:00
Nalin Dahyabhai
54c0197e97 - initial import (#541072) 2010-01-27 16:04:22 +00:00