Commit Graph

61 Commits

Author SHA1 Message Date
Nalin Dahyabhai
8562aa3ebe update to 0.70
- add a --with-homedir option to configure, and use it, since
  subprocesses which we run and which use NSS may attempt to write to
  $HOME/.pki, and 0.69's strategy of setting that to "/" was rightly
  hitting SELinux policy denials (#1047798)
2014-01-02 13:12:26 -05:00
Nalin Dahyabhai
05449cb7fb Update to 0.69
- tweak how we decide whether we're on the master or a minion when we're
  told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
  logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
  note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
  certificate to the designated location fails (part of #1032760/#1033333,
  ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
  noise before or after the certificate itself (more of #1032760/1033333,
  ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
  ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
  subsequently succeed in talking to the CA
- various other static-analysis fixes
2013-12-09 19:43:57 -05:00
Nalin Dahyabhai
b3093eeb92 update to 0.68
- notice when the OpenSSL RNG isn't seeded
- notice when saving certificates or keys fails due to filesystem-related
  permission denial (#996581)
2013-08-29 16:12:05 -04:00
Nalin Dahyabhai
b10c43033d Fix self-tests when run with newer certutil
- pull up a patch from master to adapt self-tests to certutil's
  diagnostic output having changed (#992050)
2013-08-06 02:18:52 -04:00
Dennis Gilmore
42d62b9d4a - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-02 23:39:35 -05:00
Nalin Dahyabhai
8e1117aa6e update to 0.67
0.67:
- when saving certificates to NSS databases, try to preserve the trust
  value assigned to a previously-present certificate with the same nickname
  and subject, if one is found
- when saving certificates to NSS databases, also prune certificates from
  the database which have both the same nickname and subject as the one
  we're adding, to avoid tripping up tools that only fetch one certificate
  by nickname

0.66:
- build as position-independent executables with early binding (#883966)
- also don't tag the unit file as a configuration file (internal tooling)
- don't tag the D-Bus session .service file as a configuration file (internal
  tooling)
2013-03-11 18:08:35 -04:00
Dennis Gilmore
1b1f591c69 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild 2013-02-13 12:22:47 -06:00
Nalin Dahyabhai
8f23785283 update to 0.65
Update to 0.65, which flushes out bugs in the locking work that landed in 0.63.
2013-01-09 11:15:48 -05:00
Nalin Dahyabhai
d5b1da7951 update to 0.63
update to 0.63:
- serialize access to NSS databases and the running of pre- and post-save
  commands which might also access them (possibly fixing part of #883484)
2012-12-19 12:03:42 -05:00
Nalin Dahyabhai
bd4c7a9730 whoops, no longer necessary 2012-11-29 00:59:12 -05:00
Nalin Dahyabhai
9e017b41b6 update to 0.62
- add a -u flag to getcert to enable requesting a keyUsage extension value
- request subjectKeyIdentifier extensions from CAs, and include them in
  self-signed certificates
- request basicConstraints from CAs, defaulting to requests for end-entity
  certificates
- when requesting CA certificates, also request authorityKeyIdentifier
- add support for requesting CRL distribution point and authorityInfoAccess
  extensions that specify OCSP responder locations
- don't crash when OpenSSL can't build a template certificate from a request
  when we're in FIPS mode
- put NSS in FIPS mode, when the system booted that way, except when we're
  trying to write certificates to a database
- fix CSR generation and self-signing in FIPS mode with NSS
- fix self-signing in FIPS mode with OpenSSL
- new languages from the translation team: mai, ml, nn, ga
2012-11-29 00:45:48 -05:00
Nalin Dahyabhai
d7b55107b2 check for errors from X509_REQ_to_X509()
backport a change from git to report X509_REQ_to_X509() failures as
CA-rejected-our-request failures
2012-11-27 18:54:37 -05:00
Nalin Dahyabhai
04733941c2 check for errors from X509_REQ_to_X509()
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
  self-signing using OpenSSL
2012-11-27 18:21:56 -05:00
Nalin Dahyabhai
7deadd699a update to 0.61
fixes a regression reading request state files where the request's
state is either NEED_TO_NOTIFY or NOTIFY
2012-09-24 17:10:27 -04:00
Nalin Dahyabhai
0310940a78 update to 0.60
- adjust internals of logic for talking to dogtag to at least have a
  concept of non-agent cases
- when talking to an IPA server's internal Dogtag instance, infer which
  ports the CA is listening on from the "dogtag_version" setting in the
  IPA configuration (Ade Lee)
- send a notification (or log a message, whatever) when we save a new
  certificate (#766167)
2012-09-05 19:37:06 -04:00
Dennis Gilmore
a2fa86e022 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-18 13:48:27 -05:00
Nalin Dahyabhai
00ccf81cb8 update to 0.59
0.59:
- mostly documentation updates

0.58:
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
  an IPA server's internal Dogtag instance
- export the requested profile and old certificate to enrollment helpers
- make libxml and libcurl into hard build-time requirements
- serialize all pre/save/post sequences to make sure that stop/save/start
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
  a service while we muck with more than one of its certificates
- add a command option (-T) to getcert for specifying which enrollment
  profile to tell a CA that we're using, in case it cares (#10)

0.57
- clarify that the command passed to getcert -C is a "post"-save command
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
2012-07-13 22:31:55 -04:00
Nalin Dahyabhai
f3bac67d59 - when a caller sets the is-default flag on a CA, and another CA is no
longer the default, emit the PropertiesChanged signal on the CA which is
  not the default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis, #796813)
- cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
  argument when we're missing a required argument, not that the option is
  invalid (broken since 0.51, #796542)
2012-03-03 01:20:58 -05:00
Nalin Dahyabhai
514d96bd6a -update to 0.55
- allow root to use our implementation of org.freedesktop.DBus.Properties
 - take more care to not emit useless PropertiesChanged signals
2012-02-15 17:44:35 -05:00
Nalin Dahyabhai
4c76e12d1d - update to 0.54 2012-02-15 02:27:13 -05:00
Dennis Gilmore
9a783a4fa5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild 2012-01-12 17:13:18 -06:00
Nalin Dahyabhai
b44f18eb7a - note that SELinux usually confines us to writing only to cert_t in
doc/getting-started.txt (#765599)
- fix crashes when we add a request during our first run when we're
  populating the hard-coded CA list
- properly deal with cases where a path is passed to us is "./XXX"
- in session mode, create our data directories as we go
2011-12-16 11:18:45 -05:00
Nalin Dahyabhai
49a9e127b0 - update to 0.51, mainly to add compatibility with super-new IPA 2011-12-06 11:08:31 -05:00
Nalin Dahyabhai
2fa6a22c81 - really fix these this time:
- getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
2011-10-14 11:55:56 -04:00
Nalin Dahyabhai
18495c2dde - update to 0.49:
- when using an NSS database, skip loading the module database (#743042)
 - when using an NSS database, skip loading root certs
 - generate SPKAC values when generating CSRs, though we don't do anything with SPKAC values yet
 - internally maintain and use challenge passwords, if we have them
 - behave better when certificates have shorter lifetimes
 - add/recognize/handle notification type "none"
 - getcert: error out when "list -c" finds no matching CA (#743488)
 - getcert: error out when "list -i" finds no matching request (#743485)
 - don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated array (#742348)
 - getcert: distinguish between {stat() succeeds but isn't a directory} and {stat() failed} when printing an error message (#739903)
 - getcert resubmit/start-tracking: when we're looking for an existing request by ID, and we don't find one, note that specifically (#741262)
2011-10-13 17:25:09 -04:00
Nalin Dahyabhai
ef57f434b8 - update to 0.46 2011-08-15 15:42:36 -04:00
Nalin Dahyabhai
653879e39b - treat the ability to access keys in an NSS database without using a PIN,
when we've been told we need one, as an error (#692766, really this time)
2011-08-15 15:37:00 -04:00
Nalin Dahyabhai
b81a31a3da - modify the systemd .service file to be a proper 'dbus' service (more of #718172) 2011-08-11 13:56:57 -04:00
Nalin Dahyabhai
c5c48c7ba2 - update to 0.44:
- check specifically for cases where a specified token that we need to
    use just isn't present for whatever reason (#697058)
2011-08-11 11:50:26 -04:00
Nalin Dahyabhai
8cea822712 - update to 0.43 2011-08-10 18:24:45 -04:00
Nalin Dahyabhai
c0eb1bf7eb - update to 0.43 2011-08-10 18:23:52 -04:00
Nalin Dahyabhai
a15951ae49 - getcert: fix a buffer overrun preparing a request for the daemon when
there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk
2011-04-13 10:29:00 -04:00
Nalin Dahyabhai
cc3917e153 - update to 0.41 2011-04-11 17:35:07 -04:00
Nalin Dahyabhai
933d5c2933 - update to 0.40
- fix validation check on EKU OIDs in getcert (#691351)
  - get session bus mode sorted
  - add a list of recognized EKU values to the getcert-request man page
2011-03-28 17:14:09 -04:00
Nalin Dahyabhai
3749ef64b7 - update to 0.39
- fix use of an uninitialized variable in the xmlrpc-based submission helpers (#690886)
2011-03-25 14:12:02 -04:00
Nalin Dahyabhai
838b40e07a - update to 0.38
- catch cases where we can't read a PIN file, but we never have to log
    in to the token to access the private key (more of #688229)
2011-03-24 15:30:29 -04:00
Nalin Dahyabhai
2329f71493 - update to 0.37
- be more careful about checking if we can read a PIN file successfully
    before we even call an API that might need us to try (#688229)
  - fix strict aliasing warnings
2011-03-22 19:33:39 -04:00
Nalin Dahyabhai
2a98aebb9c - update to 0.36
- fix some use-after-free bugs in the daemon (#689776)
  - fix a copy/paste error in certmonger-ipa-submit(8)
  - getcert now suppresses error details when not given its new -v option
    (#683926, more of #681641/#652047)
  - updated translations
    - de, es, pl, ru, uk
    - indonesian translation is now for "id" rather than "in"
2011-03-22 11:44:09 -04:00
Nalin Dahyabhai
a1bb00ae72 - update to 0.35.1, because there's a leap day between now and a year from now 2011-03-02 15:51:28 -05:00
Nalin Dahyabhai
664b62c20a - self-test fixes to rebuild properly in mock (#670322) 2011-02-14 17:46:45 -05:00
Dennis Gilmore
538932ab29 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 01:20:49 -06:00
Nalin Dahyabhai
469401701f - update to 0.34 2011-01-14 10:02:47 -05:00
Nalin Dahyabhai
a20057c7d4 update to 0.32 2010-11-30 13:58:31 -05:00
Nalin Dahyabhai
c276b718ef Merge branch 'master' of ssh://pkgs.fedoraproject.org/certmonger
Conflicts:
	certmonger.spec
2010-09-30 17:36:57 -04:00
Nalin Dahyabhai
2f5670644b explicitly require "dbus" to try to ensure we have a running system bus when we get started (#639126) 2010-09-30 17:36:08 -04:00
Jesse Keating
d7a3dcea2a - Rebuilt for gcc bug 634757 2010-09-29 14:02:02 -07:00
Nalin Dahyabhai
ed4ae41b22 - try to SIGHUP the messagebus daemon at first install so that it'll let us claim our service name if it isn't restarted before we are first started (#636876) 2010-09-23 13:07:41 -04:00
Nalin Dahyabhai
d5f4fb6175 - whoops, drop old source 2010-08-25 15:53:10 -04:00
Nalin Dahyabhai
c00dcb498c - update to 0.30
- fix bugs caught by self-tests
2010-08-25 15:51:50 -04:00
Nalin Dahyabhai
0250202b6c - fix self-signing certificate notBefore and notAfter values on 32-bit machines
- portability and test fixes
2010-08-23 12:04:13 -04:00