Commit Graph

148 Commits

Author SHA1 Message Date
Nalin Dahyabhai
8f23785283 update to 0.65
Update to 0.65, which flushes out bugs in the locking work that landed in 0.63.
2013-01-09 11:15:48 -05:00
Nalin Dahyabhai
d5b1da7951 update to 0.63
update to 0.63:
- serialize access to NSS databases and the running of pre- and post-save
  commands which might also access them (possibly fixing part of #883484)
2012-12-19 12:03:42 -05:00
Nalin Dahyabhai
9e017b41b6 update to 0.62
- add a -u flag to getcert to enable requesting a keyUsage extension value
- request subjectKeyIdentifier extensions from CAs, and include them in
  self-signed certificates
- request basicConstraints from CAs, defaulting to requests for end-entity
  certificates
- when requesting CA certificates, also request authorityKeyIdentifier
- add support for requesting CRL distribution point and authorityInfoAccess
  extensions that specify OCSP responder locations
- don't crash when OpenSSL can't build a template certificate from a request
  when we're in FIPS mode
- put NSS in FIPS mode, when the system booted that way, except when we're
  trying to write certificates to a database
- fix CSR generation and self-signing in FIPS mode with NSS
- fix self-signing in FIPS mode with OpenSSL
- new languages from the translation team: mai, ml, nn, ga
2012-11-29 00:45:48 -05:00
Nalin Dahyabhai
d7b55107b2 check for errors from X509_REQ_to_X509()
backport a change from git to report X509_REQ_to_X509() failures as
CA-rejected-our-request failures
2012-11-27 18:54:37 -05:00
Nalin Dahyabhai
04733941c2 check for errors from X509_REQ_to_X509()
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
  self-signing using OpenSSL
2012-11-27 18:21:56 -05:00
Nalin Dahyabhai
7deadd699a update to 0.61
fixes a regression reading request state files where the request's
state is either NEED_TO_NOTIFY or NOTIFY
2012-09-24 17:10:27 -04:00
Nalin Dahyabhai
0310940a78 update to 0.60
- adjust internals of logic for talking to dogtag to at least have a
  concept of non-agent cases
- when talking to an IPA server's internal Dogtag instance, infer which
  ports the CA is listening on from the "dogtag_version" setting in the
  IPA configuration (Ade Lee)
- send a notification (or log a message, whatever) when we save a new
  certificate (#766167)
2012-09-05 19:37:06 -04:00
Dennis Gilmore
a2fa86e022 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-18 13:48:27 -05:00
Nalin Dahyabhai
00ccf81cb8 update to 0.59
0.59:
- mostly documentation updates

0.58:
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
  an IPA server's internal Dogtag instance
- export the requested profile and old certificate to enrollment helpers
- make libxml and libcurl into hard build-time requirements
- serialize all pre/save/post sequences to make sure that stop/save/start
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
  a service while we muck with more than one of its certificates
- add a command option (-T) to getcert for specifying which enrollment
  profile to tell a CA that we're using, in case it cares (#10)

0.57
- clarify that the command passed to getcert -C is a "post"-save command
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
2012-07-13 22:31:55 -04:00
Nalin Dahyabhai
f3bac67d59 - when a caller sets the is-default flag on a CA, and another CA is no
longer the default, emit the PropertiesChanged signal on the CA which is
  not the default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis, #796813)
- cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
  argument when we're missing a required argument, not that the option is
  invalid (broken since 0.51, #796542)
2012-03-03 01:20:58 -05:00
Nalin Dahyabhai
514d96bd6a -update to 0.55
- allow root to use our implementation of org.freedesktop.DBus.Properties
 - take more care to not emit useless PropertiesChanged signals
2012-02-15 17:44:35 -05:00
Nalin Dahyabhai
4c76e12d1d - update to 0.54 2012-02-15 02:27:13 -05:00
Dennis Gilmore
9a783a4fa5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild 2012-01-12 17:13:18 -06:00
Nalin Dahyabhai
b44f18eb7a - note that SELinux usually confines us to writing only to cert_t in
doc/getting-started.txt (#765599)
- fix crashes when we add a request during our first run when we're
  populating the hard-coded CA list
- properly deal with cases where a path is passed to us is "./XXX"
- in session mode, create our data directories as we go
2011-12-16 11:18:45 -05:00
Nalin Dahyabhai
49a9e127b0 - update to 0.51, mainly to add compatibility with super-new IPA 2011-12-06 11:08:31 -05:00
Nalin Dahyabhai
2fa6a22c81 - really fix these this time:
- getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
2011-10-14 11:55:56 -04:00
Nalin Dahyabhai
18495c2dde - update to 0.49:
- when using an NSS database, skip loading the module database (#743042)
 - when using an NSS database, skip loading root certs
 - generate SPKAC values when generating CSRs, though we don't do anything with SPKAC values yet
 - internally maintain and use challenge passwords, if we have them
 - behave better when certificates have shorter lifetimes
 - add/recognize/handle notification type "none"
 - getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
 - don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated array (#742348)
 - getcert: distinguish between {stat() succeeds but isn't a directory} and {stat() failed} when printing an error message (#739903)
 - getcert resubmit/start-tracking: when we're looking for an existing request by ID, and we don't find one, note that specifically (#741262)
2011-10-13 17:25:09 -04:00
Nalin Dahyabhai
ef57f434b8 - update to 0.46 2011-08-15 15:42:36 -04:00
Nalin Dahyabhai
b81a31a3da - modify the systemd .service file to be a proper 'dbus' service (more of #718172) 2011-08-11 13:56:57 -04:00
Nalin Dahyabhai
c5c48c7ba2 - update to 0.44:
- check specifically for cases where a specified token that we need to
    use just isn't present for whatever reason (#697058)
2011-08-11 11:50:26 -04:00
Nalin Dahyabhai
c0eb1bf7eb - update to 0.43 2011-08-10 18:23:52 -04:00
Nalin Dahyabhai
a15951ae49 - getcert: fix a buffer overrun preparing a request for the daemon when
there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk
2011-04-13 10:29:00 -04:00
Nalin Dahyabhai
cc3917e153 - update to 0.41 2011-04-11 17:35:07 -04:00
Nalin Dahyabhai
933d5c2933 - update to 0.40
- fix validation check on EKU OIDs in getcert (#691351)
  - get session bus mode sorted
  - add a list of recognized EKU values to the getcert-request man page
2011-03-28 17:14:09 -04:00
Nalin Dahyabhai
3749ef64b7 - update to 0.39
- fix use of an uninitialized variable in the xmlrpc-based submission helpers (#690886)
2011-03-25 14:12:02 -04:00
Nalin Dahyabhai
838b40e07a - update to 0.38
- catch cases where we can't read a PIN file, but we never have to log
    in to the token to access the private key (more of #688229)
2011-03-24 15:30:29 -04:00
Nalin Dahyabhai
2329f71493 - update to 0.37
- be more careful about checking if we can read a PIN file successfully
    before we even call an API that might need us to try (#688229)
  - fix strict aliasing warnings
2011-03-22 19:33:39 -04:00
Nalin Dahyabhai
2a98aebb9c - update to 0.36
- fix some use-after-free bugs in the daemon (#689776)
  - fix a copy/paste error in certmonger-ipa-submit(8)
  - getcert now suppresses error details when not given its new -v option
    (#683926, more of #681641/#652047)
  - updated translations
    - de, es, pl, ru, uk
    - indonesian translation is now for "id" rather than "in"
2011-03-22 11:44:09 -04:00
Nalin Dahyabhai
a1bb00ae72 - update to 0.35.1, because there's a leap day between now and a year from now 2011-03-02 15:51:28 -05:00
Nalin Dahyabhai
664b62c20a - self-test fixes to rebuild properly in mock (#670322) 2011-02-14 17:46:45 -05:00
Dennis Gilmore
538932ab29 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 01:20:49 -06:00
Nalin Dahyabhai
469401701f - update to 0.34 2011-01-14 10:02:47 -05:00
Nalin Dahyabhai
a20057c7d4 update to 0.32 2010-11-30 13:58:31 -05:00
Nalin Dahyabhai
c276b718ef Merge branch 'master' of ssh://pkgs.fedoraproject.org/certmonger
Conflicts:
	certmonger.spec
2010-09-30 17:36:57 -04:00
Nalin Dahyabhai
2f5670644b explicitly require "dbus" to try to ensure we have a running system bus when we get started (#639126) 2010-09-30 17:36:08 -04:00
Jesse Keating
d7a3dcea2a - Rebuilt for gcc bug 634757 2010-09-29 14:02:02 -07:00
Nalin Dahyabhai
ed4ae41b22 - try to SIGHUP the messagebus daemon at first install so that it'll let us claim our service name if it isn't restarted before we are first started (#636876) 2010-09-23 13:07:41 -04:00
Nalin Dahyabhai
c00dcb498c - update to 0.30
- fix bugs caught by self-tests
2010-08-25 15:51:50 -04:00
Nalin Dahyabhai
0250202b6c - fix self-signing certificate notBefore and notAfter values on 32-bit machines
- portability and test fixes
2010-08-23 12:04:13 -04:00
Nalin Dahyabhai
6f0969ce62 - update to 0.26
- when canceling a submission request that's being handled by a helper,
    reap the child process's status after killing it (#624120)
  - update to 0.25
    - new translations
      - in by Okta Purnama Rahadian!
    - fix detection of cases where we can't access a private key in an NSS
      database because we don't have the PIN
    - teach '*getcert start-tracking' about the -p and -P options which the
      '*getcert request' commands already understand (#621670), and also
      the -U, -K, -E, and -D flags
    - double-check that the nicknames of keys we get back from
      PK11_ListPrivKeysInSlot() match the desired nickname before accepting
      them as matches, so that our tests won't all blow up on EL5
    - fix dynamic addition and removal of CAs implemented through helpers
    - init script: ensure that the subsys lock is created whenever we're called to
      "start" when we're already running (even more of #596719)
    - more gracefully handle manual daemon startups and cleaning up of unexpected
      crashes (still more of #596719)
    - don't create the daemon pidfile until after we've connected to the D-Bus
      (still more of #596719)
2010-08-13 14:35:38 -04:00
Nalin Dahyabhai
f8d7e57c9a - update to 0.24
- keep the lock on the pid file, if we have one, when we fork, and cancel
    daemon startup if we can't gain ownership of the lock (the rest of
    #596719)
- make the man pages note which external configuration files we consult
    when submitting requests to certmaster and ipa CAs
2010-06-08 15:26:12 +00:00
Nalin Dahyabhai
599e094b4d - update to 0.23
- new translations
- pl by Piotr Drąg!
- cancel daemon startup if we can't gain ownership of our well-known
    service name on the DBus (#596719)
2010-05-27 22:32:54 +00:00
Nalin Dahyabhai
ab20852900 - update to 0.22
- new translations
- de by Fabian Affolter!
- certmaster-submit: don't fall over when we can't find a certmaster.conf
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
- when reading extension values from certificates, prune out duplicate
    principal names, email addresses, and hostnames
2010-05-14 16:54:43 +00:00
Nalin Dahyabhai
a436504f7c - update to 0.21
- getcert/*-getcert: relay the desired CA to the local service, whether
    specified on the command line (in getcert) or as a built-in hard-wired
    default (in *-getcert) (#584983)
- flesh out the default certmonger.conf so that people can get a feel for
    the expected formatting (Jenny Galipeau)
2010-05-04 18:37:19 +00:00
Nalin Dahyabhai
4d4e3a63c4 - update to 0.20
- correctly parse certificate validity periods given in years (spotted by
    Stephen Gallagher)
- setup for translation
- es by Héctor Daniel Cabrera!
- ru by Yulia Poyarkova!
- uk by Yuri Chornoivan!
- fix unpreprocessed defaults in certmonger.conf's man page
- tweak the IPA-specific message that indicates a principal name also needs
    to be specified if we're not using the default subject name (#579542)
- make the validity period of self-signed certificates into a configuration
    setting and not a piece of the state information we track about the
    signer
- init script: exit with status 2 instead of 1 when invoked with an
    unrecognized argument (#584517)
2010-04-21 21:57:28 +00:00
Nalin Dahyabhai
36aa62b942 update to 0.19 2010-03-24 00:07:21 +00:00
Nalin Dahyabhai
473822dd8b - update to 0.18
- add support for using encrypted storage for keys, using PIN values
    supplied directly or read from files whose names are supplied
- don't choke on NSS database locations that use the "sql:" or "dbm:"
    prefix
2010-02-12 20:43:18 +00:00
Nalin Dahyabhai
54c0197e97 - initial import (#541072) 2010-01-27 16:04:22 +00:00