- documentation updates
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
when we detect certmonger versions prior to 0.58 being installed, to
avoid cases where some older versions choke on CAs with nicknames that
contain characters that can't legally be part of a D-Bus name (#948993)
- fix creation and packaging of the "local" CA's data directory
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
commands, and add a non-waiting "status" command
- add the "local" signer, a local toy CA that signs anything you'll
ask it to sign
- fix self-test errors that we trigger with new OpenSSL
- fix a build error that would sometimes happen when we're told to
build PIE binaries
- quiet a compile warning
- retrieve CA information from CAs, if the helpers can do so, and
add a command to explicitly refresh that data: "getcert refresh-ca"
- offer to save CA certificates to files and databases, when specified with
new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
trac #31)
- add IP address subject alternate names when getcert request/resubmit
is passed the -A option (trac #35)
- read and cache the freshestCRL extension in certificates
- properly interpret KDC-unreachable errors encountered in the IPA
submission error as a server-unreachable error that we will retry,
rather than a misconfiguration error which we won't
- don't let tests get tripped up by new formatting used in dos2unix status
messages (#1099080)
- updated translations
- be explicit that we are going to use bashisms in test scripts by calling
the shell interpreter as 'bash' rather than 'sh' (trac #27)
- also save state when we exit due to SIGHUP
- don't get tripped up when enrollment helpers hand us certificates
which include CRLF line terminators (ticket #25)
- be tolerant of certificate issuer names, subject names, DNS, email,
and Kerberos principal namem subjectAltNames, and crl distribution
point URLs that contain newlines
- read and cache the certificate template extension in certificates
- enforce different minimum key sizes depending on the type of key we're
trying to generate
- store DER versions of subject, issuer and template subject, if we have
them (Jan Cholasta, ticket #26)
- when generating signing requests with subject names that don't quite
parse as subject names, encode what we're given as PrintableString
rather than as a UTF8String
- always chdir() to a known location at startup, even if we're not
becoming a daemon
- fix a couple of memory leaks (static analysis)
- add missing buildrequires: on which
- encode the friendlyName attribute in signing requests as a BMPString,
not as a PrintableString
- catch more filesystem permissions problems earlier (more of #996581)
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
where it belongs
- support generating requests and self-signing using DSA and EC keys
- check for cases where we fail to allocate memory while reading a request
or CA entry from disk (John Haxby)
- only handle one watch at a time, which should avoid abort() during
attempts to reconnect to the message bus after losing our connection
to it (#1055521)
- add a --with-homedir option to configure, and use it, since
subprocesses which we run and which use NSS may attempt to write to
$HOME/.pki, and 0.69's strategy of setting that to "/" was rightly
hitting SELinux policy denials (#1047798)
- tweak how we decide whether we're on the master or a minion when we're
told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
certificate to the designated location fails (part of #1032760/#1033333,
ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
noise before or after the certificate itself (more of #1032760/1033333,
ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
subsequently succeed in talking to the CA
- various other static-analysis fixes
0.67:
- when saving certificates to NSS databases, try to preserve the trust
value assigned to a previously-present certificate with the same nickname
and subject, if one is found
- when saving certificates to NSS databases, also prune certificates from
the database which have both the same nickname and subject as the one
we're adding, to avoid tripping up tools that only fetch one certificate
by nickname
0.66:
- build as position-independent executables with early binding (#883966)
- also don't tag the unit file as a configuration file (internal tooling)
- don't tag the D-Bus session .service file as a configuration file (internal
tooling)
update to 0.63:
- serialize access to NSS databases and the running of pre- and post-save
commands which might also access them (possibly fixing part of #883484)
- add a -u flag to getcert to enable requesting a keyUsage extension value
- request subjectKeyIdentifier extensions from CAs, and include them in
self-signed certificates
- request basicConstraints from CAs, defaulting to requests for end-entity
certificates
- when requesting CA certificates, also request authorityKeyIdentifier
- add support for requesting CRL distribution point and authorityInfoAccess
extensions that specify OCSP responder locations
- don't crash when OpenSSL can't build a template certificate from a request
when we're in FIPS mode
- put NSS in FIPS mode, when the system booted that way, except when we're
trying to write certificates to a database
- fix CSR generation and self-signing in FIPS mode with NSS
- fix self-signing in FIPS mode with OpenSSL
- new languages from the translation team: mai, ml, nn, ga
- adjust internals of logic for talking to dogtag to at least have a
concept of non-agent cases
- when talking to an IPA server's internal Dogtag instance, infer which
ports the CA is listening on from the "dogtag_version" setting in the
IPA configuration (Ade Lee)
- send a notification (or log a message, whatever) when we save a new
certificate (#766167)
0.59:
- mostly documentation updates
0.58:
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
an IPA server's internal Dogtag instance
- export the requested profile and old certificate to enrollment helpers
- make libxml and libcurl into hard build-time requirements
- serialize all pre/save/post sequences to make sure that stop/save/start
doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
a service while we muck with more than one of its certificates
- add a command option (-T) to getcert for specifying which enrollment
profile to tell a CA that we're using, in case it cares (#10)
0.57
- clarify that the command passed to getcert -C is a "post"-save command
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
longer the default, emit the PropertiesChanged signal on the CA which is
not the default, instead on the new default a second time
- drop some dead code from the D-Bus message handlers (static analysis, #796813)
- cache public keys when we read private keys
- go back to printing an error indicating that we're missing a required
argument when we're missing a required argument, not that the option is
invalid (broken since 0.51, #796542)
doc/getting-started.txt (#765599)
- fix crashes when we add a request during our first run when we're
populating the hard-coded CA list
- properly deal with cases where a path is passed to us is "./XXX"
- in session mode, create our data directories as we go
- when using an NSS database, skip loading the module database (#743042)
- when using an NSS database, skip loading root certs
- generate SPKAC values when generating CSRs, though we don't do anything with SPKAC values yet
- internally maintain and use challenge passwords, if we have them
- behave better when certificates have shorter lifetimes
- add/recognize/handle notification type "none"
- getcert: error out when "list -c" finds no matching CA (#743488)
- getcert: error out when "list -i" finds no matching request (#743485)
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated array (#742348)
- getcert: distinguish between {stat() succeeds but isn't a directory} and {stat() failed} when printing an error message (#739903)
- getcert resubmit/start-tracking: when we're looking for an existing request by ID, and we don't find one, note that specifically (#741262)
- fix validation check on EKU OIDs in getcert (#691351)
- get session bus mode sorted
- add a list of recognized EKU values to the getcert-request man page
- be more careful about checking if we can read a PIN file successfully
before we even call an API that might need us to try (#688229)
- fix strict aliasing warnings
- fix some use-after-free bugs in the daemon (#689776)
- fix a copy/paste error in certmonger-ipa-submit(8)
- getcert now suppresses error details when not given its new -v option
(#683926, more of #681641/#652047)
- updated translations
- de, es, pl, ru, uk
- indonesian translation is now for "id" rather than "in"
- when canceling a submission request that's being handled by a helper,
reap the child process's status after killing it (#624120)
- update to 0.25
- new translations
- in by Okta Purnama Rahadian!
- fix detection of cases where we can't access a private key in an NSS
database because we don't have the PIN
- teach '*getcert start-tracking' about the -p and -P options which the
'*getcert request' commands already understand (#621670), and also
the -U, -K, -E, and -D flags
- double-check that the nicknames of keys we get back from
PK11_ListPrivKeysInSlot() match the desired nickname before accepting
them as matches, so that our tests won't all blow up on EL5
- fix dynamic addition and removal of CAs implemented through helpers
- init script: ensure that the subsys lock is created whenever we're called to
"start" when we're already running (even more of #596719)
- more gracefully handle manual daemon startups and cleaning up of unexpected
crashes (still more of #596719)
- don't create the daemon pidfile until after we've connected to the D-Bus
(still more of #596719)
- keep the lock on the pid file, if we have one, when we fork, and cancel
daemon startup if we can't gain ownership of the lock (the rest of
#596719)
- make the man pages note which external configuration files we consult
when submitting requests to certmaster and ipa CAs
- new translations
- de by Fabian Affolter!
- certmaster-submit: don't fall over when we can't find a certmaster.conf
or a minion.conf (i.e., certmaster isn't installed) (#588932)
- when reading extension values from certificates, prune out duplicate
principal names, email addresses, and hostnames
- getcert/*-getcert: relay the desired CA to the local service, whether
specified on the command line (in getcert) or as a built-in hard-wired
default (in *-getcert) (#584983)
- flesh out the default certmonger.conf so that people can get a feel for
the expected formatting (Jenny Galipeau)
- correctly parse certificate validity periods given in years (spotted by
Stephen Gallagher)
- setup for translation
- es by Héctor Daniel Cabrera!
- ru by Yulia Poyarkova!
- uk by Yuri Chornoivan!
- fix unpreprocessed defaults in certmonger.conf's man page
- tweak the IPA-specific message that indicates a principal name also needs
to be specified if we're not using the default subject name (#579542)
- make the validity period of self-signed certificates into a configuration
setting and not a piece of the state information we track about the
signer
- init script: exit with status 2 instead of 1 when invoked with an
unrecognized argument (#584517)