- Change python2-dbus build dependency to python3
- Convert tests to pass under python 3
- Skip DSA tests because DSA is disabled by the default crypto policy
None of the currently supported distributions need that.
The last one was EL5, which has been EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
None of the currently supported distributions need that.
It was last needed for EL5, which is EOL now.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
- Patch to fix NSS handling of keys in sqlite databases
- Patches to fix tests now that sqlite is the NSS default.
Also fix building in rawhide due to packaging changes
- Remove BR on mktemp. It is now provided by coreutils.
The BuildRequires was set up to use a file because, for some older
distributions, popt.h was included in popt itself.
It's time to remove this workaround.
- update to 0.79.5:
- getcert start-tracking: use issuer option when specified
- add support for specifying the MS certificate template
- Reformat certificates returned by Dogtag to strip extra newline
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
- update to 0.79.4:
- fix CA option name for ipa cert-request
- fix minor memory leak
- fix build warnings
- fix an incorrect date in the .spec changelog
- bump gettext version to avoid warning
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
- update to 0.79.2:
- update %%docs list because README is now README.md
- update to 0.79.1:
- update translations
- fix 'make archive' target
- update to 0.79:
- getcert now offers an option (-X) for requesting processing by a particular
CA if the server we're contacting is running more than one
- getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
requesting BasicConstraints values
- getcert now displays times in local time instead of UTC, which was
previously the only way they were displayed; the --utc option can often be
used to switch back to its previous behavior
- the SCEP enrollment helper now correctly issues GetCACertChain requests to
SCEP servers, instead of issuing a GetCAChain request, which isn't part of
the protocol; from report by Jason Garland
- when issuing SCEP requests, the ID of the CA included in the HTTP request
is now URL-encoded, as it should be
- renewal or notification-of-impending-expiration logic is now triggered
closer to TTL thresholds rather than waiting for a periodic check to pass a
threshold
- properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
for a lot of the legwork
- resync .spec file with Fedora
- upstream project migrated from fedorahosted.org to pagure.io
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Add backported fix to the tests to wait a reasonable amount of time
after calling the 'resubmit' method for a new certificate to be issued
when we're exercising the D-Bus API (backport done by Jan Cholasta,
Instead of using killall to send a SIGHUP to the system bus daemon in
%post to get it to reload its configuration, use dbus-send to send a
ReloadConfig request over the bus (should fix #1277573).
Update to 0.78.4:
- fix the "getcert start-tracking" -L and -l options (#1249753)
- output diagnostics about the second request when scep-submit encounters an
error during a second request to the SCEP server
- tweak initialization so that we set up for providing our D-Bus API before we
register our name with the bus, so that we can handle any requests that
arrive before the acknowledgement of that registration
- on systems that run systemd, add the right data file so that the service gets
started when someone tries to talk to the daemon (ticket #38)
- correctly check for error responses when sending GetCAChain requests to SCEP
servers
- fixup the key-information-read test for DSA to account for certutil
generating 1024 bit keys when we ask for more
- fix a typo in the package changelog
- add relevant references to bug reports and tickets in the 0.78 log
- switch to using popt for parsing command line arguments, continuing to
use old help text for now so that we can catch up with translations (print
old text for --help, new text (with longopts!) for -H)
- add some plumbing for eventually receiving per-certificate roots in
addition to issued certificates and chain certificates
- add a "rekey" command to getcert, for triggering enrollment using a new
key pair
- scep-submit: check for the Renewal capability, and default to taking
advantage of it during rekeying, unless the new -n flag is specified to it
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
to the helper
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
while submitting enrollment requests
- dogtag-submit: handle cases where we submit a request and the server
returns a success code rather than just queuing the request
- ipa-submit: pass requested profile names to the server as an argument
named "profile_id"; if the server gives us an "unrecognized argument"
error, retry without it for compatibility's sake
- keygen: fix a possible crash if keygen fails to return a key from NSS
- correct the certmonger(8) man page's description of the -c flag, which it
used to call the -C flag
- add logic for setting ownership and permissions on certificates and keys
when saving them to disk
- add configuration options "max_key_lifetime" and "max_key_use_count" for
making automatic renewal prefer rekeying
- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
includes IP address subjectAltName values
- correctly verify signatures on SCEP server replies when the signer is neither
the top-level CA nor the RA (feedback in #1161768)
- correctly verify signatures on SCEP server replies when there is more than
one certificate in the chain between the RA and the top-level CA (feedback in
#1161768)
- don't display PINs in "getcert list" output (#42)
- clean up launching of a private instance in "getcert"
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
times we've gotten certificates using a given key pair
- fix a data loss bug when saving renewed certificates to NSS databases - the
private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2
- expose the certificate's not-valid-before and not-valid-after dates as a
property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
of its signing certificate, falling back to the lifetime configured for
the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
that we want to use (ticket #17, possibly part of IPA ticket #57)
- update to 0.77.1
- add initial, still rough, SCEP support (#1140241,#1161768)
- add an scep-submit helper to handle part of it
- getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
- getcert: add -l, -L flags to request/resubmit/start-tracking commands
to provide a way to set a ChallengePassword in signing requests
- lay some groundwork for rekeying support
- bundled dogtag enrollment helpers now output debugging info to stderr
- ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
- getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
#1181022, patch by David Kupka)
- use Zanata for translations
- getcert list: list the certificate's profile name, if it contains one