131 Commits

Author SHA1 Message Date
Rob Crittenden
a170c390c3 Update to upstream 0.79.9 2020-01-31 14:27:20 -05:00
Fedora Release Engineering
64447f1ec7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-28 13:52:45 +00:00
Rob Crittenden
0d5116507b Use python 3 in tests, drop DSA tests disabled by policy
- Change python2-dbus build dependency to python3
- Convert tests to pass under python 3
- Skip DSA tests because it is disabled by default crypto policy
2019-10-30 13:27:58 -04:00
Fedora Release Engineering
fd501fe0b9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 20:07:08 +00:00
Rob Crittenden
21430b4d60 Update to upstream 0.79.8 2019-07-17 13:57:55 -04:00
Rob Crittenden
6f1c170b8b Add BuildRequires for krb5-devel, the buildroot changed 2019-05-22 15:23:43 -04:00
Rob Crittenden
2b5894b598 Move systemd tmpfiles from /var/run to /run
systemd 239 complains about the legacy of certmonger's tmpfiles
which are located in /var/run.

Change /var/run -> /run in systemd service file
2019-05-22 15:00:12 -04:00
Rob Crittenden
7eca3b6000 Update to upstream 0.79.7
Also fix rpm warning about embedded % in a comment
2019-02-18 11:34:00 -05:00
Fedora Release Engineering
b7968d8ead - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 15:27:18 +00:00
Igor Gnatenko
21eb591c1f Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:23:57 +01:00
Rob Crittenden
3103197f85 Pull in upstream fixes discovered in coverity and clang 2018-10-04 09:32:35 -04:00
Rob Crittenden
37cd032951 Improve NSS token handling
The updated NSS crypto-policy enables all tokens which broke
requesting certificates due to the way that tokens were managed.
2018-10-01 14:34:36 -04:00
Fedora Release Engineering
2ae7127155 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-12 21:41:43 +00:00
Jason Tibbitts
5deb371093 Remove needless use of %defattr 2018-07-10 00:29:44 -05:00
Adam Williamson
25f3d17e70 No longer buildrequire libidn-devel (as we use libidn2 now) 2018-05-18 15:18:39 -07:00
Rob Crittenden
f021a3d3fd Update to upstream 0.79.6 2018-05-08 13:08:07 -04:00
Iryna Shcherbina
3548e64705 Update Python 2 dependency declarations to new packaging standards 2018-03-15 00:30:33 +01:00
Rob Crittenden
c5174122f5 Fix unit tests. NSS crypto policy disallows keys < 1024 2018-02-23 13:41:55 -05:00
Rob Crittenden
21cdfd73c3 Add BuildRequires on gcc 2018-02-21 11:12:48 -05:00
Igor Gnatenko
e27a720d62 Remove %clean section
None of the currently supported distributions need that.
The last one was EL5, which has been EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 07:54:23 +01:00
Igor Gnatenko
24f7ad695b Remove BuildRoot definition
None of the currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-13 23:07:26 +01:00
Fedora Release Engineering
a1123016c0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-07 04:46:10 +00:00
Rob Crittenden
6155daa274 Fixes for F28 switch to sqlite as the default NSS database type
- Patch to fix NSS handling of keys in sqlite databases
- Patches to fix tests now that sqlite is the NSS default.

Also fix building in rawhide due to packaging changes

- Remove BR on mktemp. It is now provided by coreutils.
2018-01-16 16:14:56 -05:00
Rob Crittenden
3987281325 Switch BR from /usr/include/popt.h to popt-devel
The BuildRequires was set up to use a file because for some older
distributions popt.h was included in popt itself.

It's time to remove this workaround.
2017-10-04 13:35:02 -04:00
Rob Crittenden
41e3137ddf Update to 0.79.5
- update to 0.79.5:
   - getcert start-tracking: use issuer option when specified
   - add support for specifying the MS certificate template
   - Reformat certificates returned by Dogtag to strip extra newline

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2017-09-01 16:15:10 -04:00
Rob Crittenden
7433273f05 Reformat certificates returned by Dogtag.
Dogtag was including a spurious newline before
-----END CERTIFICATE-----
2017-08-21 18:27:01 -04:00
Rob Crittenden
556a0b448b Update to 0.79.4
- update to 0.79.4:
  - fix CA option name for ipa cert-request
  - fix minor memory leak
  - fix build warnings
  - fix an incorrect date in the .spec changelog
  - bump gettext version to avoid warning

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2017-08-07 17:56:14 -04:00
Fedora Release Engineering
b373412701 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 2017-08-02 18:42:53 +00:00
Fedora Release Engineering
a5d6ea922f - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 04:41:03 +00:00
Nalin Dahyabhai
6ff35d776f Update to 0.79.3
- update to 0.79.3:
  - fix self-signing self-test cases that used DSA or EC keys

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-02-28 01:33:53 -05:00
Nalin Dahyabhai
c68c5e7f21 Update to 0.79.2-2
- update to 0.79.2:
  - update %%docs list because README is now README.md

- update to 0.79.1:
  - update translations
  - fix 'make archive' target

- update to 0.79:
  - getcert now offers an option (-X) for requesting processing by a particular
    CA if the server we're contacting is running more than one
  - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
    requesting BasicConstraints values
  - getcert now displays times in local time instead of UTC, which was
    previously the only way they were displayed; the --utc option can often be
    used to switch back to its previous behavior
  - the SCEP enrollment helper now correctly issues GetCACertChain requests to
    SCEP servers, instead of issuing a GetCAChain request, which isn't part of
    the protocol; from report by Jason Garland
  - when issuing SCEP requests, the ID of the CA included in the HTTP request
    is now URL-encoded, as it should be
  - renewal or notification-of-impending-expiration logic is now triggered
    closer to TTL thresholds rather than waiting for a periodic check to pass a
    threshold
  - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
    for a lot of the legwork
- resync .spec file with Fedora
- upstream project migrated from fedorahosted.org to pagure.io

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-02-27 22:03:49 -05:00
Fedora Release Engineering
a4236fbbbc - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-10 07:24:26 +00:00
Igor Gnatenko
d852149729 Rebuild for xmlrpc-c
Signed-off-by: Igor Gnatenko <ignatenko@redhat.com>
2017-01-21 14:49:59 +01:00
Nalin Dahyabhai
3f8a64cc9e Add backported fixes for test failures
Add backported fix to the tests to wait a reasonable amount of time
after calling the 'resubmit' method for a new certificate to be issued
when we're exercising the D-Bus API (backport done by Jan Cholasta,
2016-07-06 14:31:36 -04:00
Nalin Dahyabhai
93e4828d8d Use dbus-send instead of SIGHUP to reload the bus
Instead of using killall to send a SIGHUP to the system bus daemon in
%post to get it to reload its configuration, use dbus-send to send a
ReloadConfig request over the bus (should fix #1277573).
2016-07-06 13:45:36 -04:00
Dennis Gilmore
07d25c2dcf - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-03 17:33:39 +00:00
Nalin Dahyabhai
5f3c01e3a4 Update to 0.78.6
- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit
- stop checking that we can generate 512 bit keys during self-tests
2016-01-13 13:54:21 -05:00
Nalin Dahyabhai
1e4e4bd4df Update to 0.78.5
- fix a possible uninitialized memory read (possibly #1260871)
- log a diagnostic error when we fail to initialize libkrb5
2015-11-16 17:44:15 -05:00
Nalin Dahyabhai
c0ca98f8c4 Update to 0.78.4
Update to 0.78.4:
- fix the "getcert start-tracking" -L and -l options (#1249753)
- output diagnostics about the second request when scep-submit encounters an
  error during a second request to the SCEP server
2015-08-04 14:54:37 -04:00
Nalin Dahyabhai
cb61adfa6c Update to 0.78.3
- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit
  and the -O and -o flags to dogtag-submit (#1244914)
2015-07-20 15:29:52 -04:00
Nalin Dahyabhai
144e7dd1b0 Update to 0.78.2
- tweak initialization so that we set up for providing our D-Bus API before we
  register our name with the bus, so that we can handle any requests that
  arrive before the acknowledgement of that registration
- on systems that run systemd, add the right data file so that the service gets
  started when someone tries to talk to the daemon (ticket #38)
- correctly check for error responses when sending GetCAChain requests to SCEP
  servers
2015-07-09 20:21:53 -04:00
Nalin Dahyabhai
a85bb52ef3 Update to 0.78.1
- fixup the key-information-read test for DSA to account for certutil
  generating 1024 bit keys when we ask for more
- fix a typo in the package changelog
- add relevant references to bug reports and tickets in the 0.78 log
2015-06-21 02:21:52 -04:00
Nalin Dahyabhai
0760509e84 Update to 0.78
- switch to using popt for parsing command line arguments, continuing to
  use old help text for now so that we can catch up with translations (print
  old text for --help, new text (with longopts!) for -H)
- add some plumbing for eventually receiving per-certificate roots in
  addition to issued certificates and chain certificates
- add a "rekey" command to getcert, for triggering enrollment using a new
  key pair
- scep-submit: check for the Renewal capability, and default to taking
  advantage of it during rekeying, unless the new -n flag is specified to it
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
  to the helper
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
  while submitting enrollment requests
- dogtag-submit: handle cases where we submit a request and the server
  returns a success code rather than just queuing the request
- ipa-submit: pass requested profile names to the server as an argument
  named "profile_id"; if the server gives us an "unrecognized argument"
  error, retry without it for compatibility's sake
- keygen: fix a possible crash if keygen fails to return a key from NSS
- correct the certmonger(8) man page's description of the -c flag, which it
  used to call the -C flag
- add logic for setting ownership and permissions on certificates and keys
  when saving them to disk
- add configuration options "max_key_lifetime" and "max_key_use_count" for
  making automatic renewal prefer rekeying
2015-06-20 11:25:43 -04:00
Dennis Gilmore
b13cf66225 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-17 02:30:53 +00:00
Nalin Dahyabhai
d00093b7bf Whoops, actually update to 0.77.5 2015-05-28 10:25:45 -04:00
Nalin Dahyabhai
d8c488e791 Update to 0.77.5
- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
  includes IP address subjectAltName values
- correctly verify signatures on SCEP server replies when the signer is neither
  the top-level CA nor the RA (feedback in #1161768)
- correctly verify signatures on SCEP server replies when there is more than
  one certificate in the chain between the RA and the top-level CA (feedback in
  #1161768)
2015-05-28 10:24:43 -04:00
Nalin Dahyabhai
631c1c94d1 update to 0.77.4
- don't display PINs in "getcert list" output (#42)
- clean up launching of a private instance in "getcert"
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
  own safety checks have an effect
- backport record-keeping of key generation dates and counts of how many
  times we've gotten certificates using a given key pair
2015-05-17 16:53:39 -04:00
Nalin Dahyabhai
a1cad26520 Update to 0.77.3
- fix a data loss bug when saving renewed certificates to NSS databases - the
  private key could be removed in error since 0.77
- fixes for bugs found by static analysis
- fix self-tests when built with OpenSSL 1.0.2
2015-05-07 17:19:09 -04:00
Nalin Dahyabhai
c44b07d085 Update to 0.77.2
- expose the certificate's not-valid-before and not-valid-after dates as a
  property over D-Bus (ticket #41)
- give the local signer its own configuration option to set the lifetime
  of its signing certificate, falling back to the lifetime configured for
  the self-signer as a default to match the previous behavior
- fix a potential read segfault parsing the output of an enrollment helper,
  introduced in 0.77 (thanks to Steve Neuharth)
- read the ns-certtype extension value in certificates
- request an enrollment certtype extension to CSRs if we have a profile name
  that we want to use (ticket #17, possibly part of IPA ticket #57)
2015-04-14 13:37:57 -04:00
Nalin Dahyabhai
54551d64ad Update to 0.77.1
- update to 0.77.1
  - add initial, still rough, SCEP support (#1140241,#1161768)
    - add an scep-submit helper to handle part of it
  - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
  - getcert: add -l, -L flags to request/resubmit/start-tracking commands
    to provide a way to set a ChallengePassword in signing requests
  - lay some groundwork for rekeying support
  - bundled dogtag enrollment helpers now output debugging info to stderr
  - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
  - getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
    #1181022, patch by David Kupka)
  - use Zanata for translations
  - getcert list: list the certificate's profile name, if it contains one
2015-02-27 16:44:06 -05:00