Re-support JDK11

Turns out all that was missing was a few shim JARs already packaged in
Fedora to plaster over JDK8->JDK11 differences.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Alexander Scheel 2020-08-20 16:58:23 -04:00
parent c918703d7a
commit 10b0c0fa07
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
8 changed files with 423 additions and 415 deletions

1
.gitignore vendored

@ -11,3 +11,4 @@
/pki-10.9.0-a2.tar.gz
/pki-10.9.0-b2.tar.gz
/pki-10.9.1.tar.gz
/pki-10.9.2.tar.gz


@ -0,0 +1,61 @@
From 2ba8973d4d874bb135d52bb9288e31687903ccd3 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 20 Aug 2020 11:31:10 -0400
Subject: [PATCH 1/4] Make JDK dependency dynamic
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
pki.spec | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pki.spec b/pki.spec
index 186a6dfbf..fbaefbc9c 100644
--- a/pki.spec
+++ b/pki.spec
@@ -52,6 +52,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
################################################################################
%define java_home /usr/lib/jvm/jre-openjdk
+%define java_devel java-devel
+%define java_headless java-headless
%if 0%{?fedora} && 0%{?fedora} >= 33
%define min_java_version 1:11
@@ -157,7 +159,7 @@ BuildRequires: make
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
-BuildRequires: java-devel >= %{min_java_version}
+BuildRequires: %java_devel >= %{min_java_version}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk >= 4.22.0
@@ -331,7 +333,7 @@ PKI consists of the following components:
Summary: PKI Symmetric Key Package
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.7.0
Requires: nss >= 3.38.0
@@ -399,7 +401,7 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
@@ -492,6 +494,7 @@ Requires: tomcat >= 1:9.0.7
%endif
Requires: velocity
+Requires: sudo
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
--
2.26.2
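Review bot: The last hunk of this patch adds `Requires: sudo` next to `Requires: systemd`, and neither the subject "Make JDK dependency dynamic" nor the commit message explains it. The hunk context (`Requires: tomcat`, `Requires: velocity`) suggests this is the server subpackage, so every installation would now pull in a privilege-escalation tool. I would either move it to its own patch or document it in place with a comment such as `# sudo: needed by <component> to run <command> as <user>` (placeholders to be filled in by the author). As a style point, `%java_devel` and `%java_headless` are used without braces while the same lines write `%{min_java_version}`; `%{java_devel}` and `%{java_headless}` would match.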


@ -1,404 +0,0 @@
From a5d1c9dab35030c839e3a2b506bd3dfcf631ccdb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 11 Aug 2020 11:56:27 -0500
Subject: [PATCH 1/5] Disabled AIA and cert policy extensions in ACME examples
The ACME NSS issuer has been modified to disable the AIA and
certificate policy extensions by default since they contain
non-functional URLs that might cause certbot to generate
error messages.
https://bugzilla.redhat.com/show_bug.cgi?id=1868233
---
base/acme/issuer/nss/ca_signing.conf | 9 +++++----
base/acme/issuer/nss/sslserver.conf | 9 +++++----
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/base/acme/issuer/nss/ca_signing.conf b/base/acme/issuer/nss/ca_signing.conf
index aedcd4b0e..b9a82a2d1 100644
--- a/base/acme/issuer/nss/ca_signing.conf
+++ b/base/acme/issuer/nss/ca_signing.conf
@@ -1,8 +1,9 @@
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
-authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
-certificatePolicies = 2.23.140.1.2.1, @cps_policy
-cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
-cps_policy.CPS.1 = http://cps.example.com
+# authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
+
+# certificatePolicies = 2.23.140.1.2.1, @cps_policy
+# cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
+# cps_policy.CPS.1 = http://cps.example.com
diff --git a/base/acme/issuer/nss/sslserver.conf b/base/acme/issuer/nss/sslserver.conf
index f9e04902b..e153c223e 100644
--- a/base/acme/issuer/nss/sslserver.conf
+++ b/base/acme/issuer/nss/sslserver.conf
@@ -1,10 +1,11 @@
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
-authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
-certificatePolicies = 2.23.140.1.2.1, @cps_policy
-cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
-cps_policy.CPS.1 = http://cps.example.com
+# authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
+
+# certificatePolicies = 2.23.140.1.2.1, @cps_policy
+# cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
+# cps_policy.CPS.1 = http://cps.example.com
--
2.26.2
From a48e731d0faab11929fd9bf3d54a0638bbf40a16 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 11 Aug 2020 14:41:16 -0400
Subject: [PATCH 2/5] Start NSSCertExportCLI
Can be tested with pki nss-cert-export
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.../com/netscape/cmstools/nss/NSSCertCLI.java | 3 +-
.../cmstools/nss/NSSCertExportCLI.java | 128 ++++++++++++++++++
2 files changed, 130 insertions(+), 1 deletion(-)
create mode 100644 base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java
index 0313ffae5..2f1f8cac5 100644
--- a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java
@@ -12,8 +12,9 @@ public class NSSCertCLI extends CLI {
public NSSCertCLI(NSSCLI nssCLI) {
super("cert", "NSS certificate management commands", nssCLI);
+ addModule(new NSSCertExportCLI(this));
addModule(new NSSCertImportCLI(this));
- addModule(new NSSCertRequestCLI(this));
addModule(new NSSCertIssueCLI(this));
+ addModule(new NSSCertRequestCLI(this));
}
}
diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
new file mode 100644
index 000000000..06150fe41
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
@@ -0,0 +1,128 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package com.netscape.cmstools.nss;
+
+import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import javax.net.ssl.KeyManagerFactory;
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.io.IOUtils;
+import org.dogtagpki.cli.CommandCLI;
+import org.dogtagpki.nss.NSSDatabase;
+import org.mozilla.jss.pkcs11.PK11Cert;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.mozilla.jss.netscape.security.util.Utils;
+import org.mozilla.jss.netscape.security.x509.X509CertImpl;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.cmstools.cli.MainCLI;
+
+public class NSSCertExportCLI extends CommandCLI {
+
+ public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(NSSCertExportCLI.class);
+
+ public NSSCertExportCLI(NSSCertCLI nssCertCLI) {
+ super("export", "Export certificate", nssCertCLI);
+ }
+
+ public void printHelp() {
+ formatter.printHelp(getFullName() + " [OPTIONS...] nickname [path]", options);
+ }
+
+ public void createOptions() {
+ Option option = new Option(null, "format", true, "Certificate format: PEM (default), DER, RAW");
+ option.setArgName("format");
+ options.addOption(option);
+
+ option = new Option(null, "with-chain", false, "Export with certificate chain from NSS DB");
+ option.setArgName("with-chain");
+ options.addOption(option);
+ }
+
+ public void execute(CommandLine cmd) throws Exception {
+
+ String[] cmdArgs = cmd.getArgs();
+ String nickname = null;
+ String path = null;
+
+ if (cmdArgs.length < 1) {
+ throw new Exception("Missing required positional argument: nickname");
+ }
+ nickname = cmdArgs[0];
+
+ if (cmdArgs.length >= 2) {
+ path = cmdArgs[1];
+ }
+
+ String format = cmd.getOptionValue("format", "PEM").toUpperCase();
+ boolean chain = cmd.hasOption("with-chain");
+
+ if (!format.equals("PEM") && !format.equals("DER") && !format.equals("RAW")) {
+ throw new Exception("Unknown type of output format: " + format);
+ }
+
+ if (chain && format.equals("DER")) {
+ throw new Exception("Unable to write chain of DER-encoded certificates; use PEM instead.");
+ }
+
+ MainCLI mainCLI = (MainCLI) getRoot();
+ mainCLI.init();
+
+ X509Certificate[] certs;
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+ JSSKeyManager km = (JSSKeyManager) kmf.getKeyManagers()[0];
+
+ if (chain) {
+ certs = km.getCertificateChain(nickname);
+ } else {
+ certs = new X509Certificate[] {
+ (PK11Cert) km.getCertificate(nickname)
+ };
+ }
+
+ byte[] output = null;
+
+ if (format.equals("RAW")) {
+ StringBuffer buffer = new StringBuffer();
+ for (X509Certificate cert : certs) {
+ buffer.append(cert.toString());
+ }
+
+ output = buffer.toString().getBytes();
+ } else if (format.equals("PEM")) {
+ StringBuffer buffer = new StringBuffer();
+
+ for (X509Certificate cert : certs) {
+ byte[] encoded = cert.getEncoded();
+ buffer.append(Cert.HEADER);
+ buffer.append("\r\n");
+ buffer.append(Utils.base64encodeMultiLine(encoded));
+ buffer.append(Cert.FOOTER);
+ buffer.append("\r\n\r\n");
+ }
+
+ output = buffer.toString().getBytes();
+ } else if (format.equals("DER")) {
+ for (X509Certificate cert : certs) {
+ output = cert.getEncoded();
+ }
+ }
+
+ if (path == null) {
+ System.out.println(new String(output));
+ } else {
+ try (FileOutputStream fos = new FileOutputStream(path)) {
+ fos.write(output);
+ }
+ }
+ }
+}
--
2.26.2
From 0c6b6e916420faa583a25a12621100a35bba1b57 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 11 Aug 2020 15:16:01 -0400
Subject: [PATCH 3/5] Fix export on FIPS-enabled HSMs
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
base/common/python/pki/nssdb.py | 70 +++++++++++++++++----------------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 599cd9895..ff2af4a40 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -1351,6 +1351,38 @@ class NSSDatabase(object):
epoch = datetime.datetime.utcfromtimestamp(0)
return (date - epoch).total_seconds() * 1000
+ def export_cert_from_db(self,
+ nickname,
+ output_file,
+ include_chain=False,
+ output_format=None):
+ cmd = [
+ 'pki',
+ '-d', self.directory
+ ]
+
+ if self.password_file:
+ cmd.extend(['-C', self.password_file])
+
+ if self.token:
+ cmd.extend(['--token', self.token])
+ full_name = self.token + ':' + nickname
+ else:
+ full_name = nickname
+
+ cmd.extend(['nss-cert-export'])
+
+ if include_chain:
+ cmd.extend(['--with-chain'])
+
+ if output_format:
+ cmd.extend(['--format', output_format])
+
+ cmd.extend([full_name, output_file])
+
+ logger.debug('Command: %s', ' '.join(map(str, cmd)))
+ subprocess.check_call(cmd)
+
def export_cert(self,
nickname,
pkcs12_file,
@@ -1752,39 +1784,11 @@ class NSSDatabase(object):
shutil.rmtree(tmpdir)
def extract_ca_cert(self, ca_path, nickname):
- tmpdir = tempfile.mkdtemp()
-
- try:
- p12_file = os.path.join(tmpdir, "sslserver.p12")
- password = pki.generate_password()
-
- # Build a chain containing the certificate we're trying to
- # export. OpenSSL gets confused if we don't have a key for
- # the end certificate: rh-bz#1246371
- self.export_pkcs12(p12_file, pkcs12_password=password,
- nicknames=[nickname], include_key=False,
- include_chain=True)
-
- # This command is similar to the one from server/__init__.py.
- # However, to work during the initial startup, we do not
- # specify the cacerts option! This ensures we always get
- cmd_export_ca = [
- 'openssl', 'pkcs12',
- '-in', p12_file,
- '-out', ca_path,
- '-nodes', '-nokeys',
- '-passin', 'pass:' + password
- ]
-
- # Remove CA.crt prior to starting; openssl gets annoyed otherwise.
- if os.path.exists(ca_path):
- os.remove(ca_path)
-
- res_ca = subprocess.check_output(cmd_export_ca,
- stderr=subprocess.STDOUT).decode('utf-8')
- logger.debug('Result of CA cert export: %s', res_ca)
- finally:
- shutil.rmtree(tmpdir)
+ # Build a chain containing the certificate we're trying to
+ # export. OpenSSL gets confused if we don't have a key for
+ # the end certificate: rh-bz#1246371
+ self.export_cert_from_db(nickname, ca_path, include_chain=True,
+ output_format="PEM")
@staticmethod
def __generate_key_args(key_type=None, key_size=None, curve=None):
--
2.26.2
From 2df13c4195e8e6b184294888b2c6376043047e33 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 11 Aug 2020 19:39:39 -0500
Subject: [PATCH 4/5] Fixed cert nickname in NSSDatabase.export_cert_from_db()
The NSSDatabase.export_cert_from_db() has been modified to
no longer prepend the token name to the cert nickname since
the cert nickname obtained from serverCertNick.conf already
contains the token name.
---
base/common/python/pki/nssdb.py | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index ff2af4a40..c7ce89336 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -1366,9 +1366,6 @@ class NSSDatabase(object):
if self.token:
cmd.extend(['--token', self.token])
- full_name = self.token + ':' + nickname
- else:
- full_name = nickname
cmd.extend(['nss-cert-export'])
@@ -1378,7 +1375,7 @@ class NSSDatabase(object):
if output_format:
cmd.extend(['--format', output_format])
- cmd.extend([full_name, output_file])
+ cmd.extend([nickname, output_file])
logger.debug('Command: %s', ' '.join(map(str, cmd)))
subprocess.check_call(cmd)
--
2.26.2
From eb28b09fb030fe5df2b6b4cfa16338ddd0325b30 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 11 Aug 2020 20:07:56 -0500
Subject: [PATCH 5/5] Removed blank lines in pki nss-cert-export output
The pki nss-cert-export has been modified to remove the extra
blank lines between certs and at the end of the output.
---
.../src/com/netscape/cmstools/nss/NSSCertExportCLI.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
index 06150fe41..9aaf83a30 100644
--- a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java
@@ -107,7 +107,7 @@ public class NSSCertExportCLI extends CommandCLI {
buffer.append("\r\n");
buffer.append(Utils.base64encodeMultiLine(encoded));
buffer.append(Cert.FOOTER);
- buffer.append("\r\n\r\n");
+ buffer.append("\r\n");
}
output = buffer.toString().getBytes();
@@ -118,7 +118,8 @@ public class NSSCertExportCLI extends CommandCLI {
}
if (path == null) {
- System.out.println(new String(output));
+ System.out.print(new String(output));
+ System.out.flush();
} else {
try (FileOutputStream fos = new FileOutputStream(path)) {
fos.write(output);
--
2.26.2


@ -0,0 +1,25 @@
From 55e82e4a31b93e0cf3e3e98533145f5f52c716fd Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 6 Aug 2020 18:31:13 -0400
Subject: [PATCH 2/4] Add server dependency on jaxb-api
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
base/server/CMakeLists.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 8f83aed91..64e66c9fc 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -97,6 +97,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_BASE_JAR} common/lib/jackson-jaxrs-base.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} common/lib/jackson-jaxrs-json-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar
--
2.26.2


@ -0,0 +1,153 @@
From 5971bd813096e4fa994547a691a3b5bf7b3427dd Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 19 Aug 2020 15:24:59 -0400
Subject: [PATCH 3/4] Add JAXB Implementation dependency for JDK11+
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.classpath | 1 +
base/CMakeLists.txt | 8 ++++++++
base/common/CMakeLists.txt | 3 ++-
base/server/CMakeLists.txt | 1 +
base/server/share/conf/pki.policy | 4 ++++
pki.spec | 1 +
pom.xml | 6 ++++++
scripts/compose_pki_test_package | 1 +
tests/dogtag/dev_java_tests/run_junit_tests.sh | 1 +
9 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/.classpath b/.classpath
index 04168f05a..ae7f001a0 100644
--- a/.classpath
+++ b/.classpath
@@ -34,6 +34,7 @@
<classpathentry kind="lib" path="/usr/share/java/junit.jar"/>
<classpathentry kind="lib" path="/usr/share/java/ldapjdk.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jaxb-api.jar"/>
+ <classpathentry kind="lib" path="/usr/share/java/jaxb/jaxb-impl.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpclient.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpcore.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jboss-jaxrs-2.0-api.jar"/>
diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
index 5f94170ac..2fef383ec 100644
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -174,6 +174,14 @@ find_file(JAXB_API_JAR
/usr/share/java
)
+find_file(JAXB_IMPL_JAR
+ NAMES
+ jaxb-impl.jar
+ PATHS
+ /usr/share/java/jaxb
+ /usr/share/java
+)
+
find_file(JSS_JAR
NAMES
jss4.jar
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 4c21bb4aa..4fb3e30b5 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -29,6 +29,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} lib/jackson-jaxrs-json-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} lib/jackson-module-jaxb-annotations.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} lib/jaxb-impl.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
@@ -147,7 +148,7 @@ install(
install(
DIRECTORY
- DESTINATION
+ DESTINATION
${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
)
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 64e66c9fc..7053ac208 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -98,6 +98,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} common/lib/jackson-jaxrs-json-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} common/lib/jaxb-impl.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar
diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index 9d66f9d51..2fbcaef90 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -48,6 +48,10 @@ grant codeBase "file:/usr/share/java/jaxb-api.jar" {
permission java.security.AllPermission;
};
+grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar" {
+ permission java.security.AllPermission;
+};
+
grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" {
permission java.security.AllPermission;
};
diff --git a/pki.spec b/pki.spec
index fbaefbc9c..8d931a8a7 100644
--- a/pki.spec
+++ b/pki.spec
@@ -423,6 +423,7 @@ Requires: resteasy >= 3.0.26
Requires: resteasy-atom-provider >= 3.0.17-1
Requires: resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1
+Requires: jaxb-impl
Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
diff --git a/pom.xml b/pom.xml
index 731d41cbe..35644e20e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -80,6 +80,12 @@
<scope>runtime</scope>
</dependency>
+ <dependency>
+ <groupId>com.sun.xml.bind</groupId>
+ <artifactId>jaxb-impl</artifactId>
+ <version>2.3.3</version>
+ </dependency>
+
<dependency>
<groupId>org.jboss.spec.javax.annotation</groupId>
<artifactId>jboss-annotations-api_1.2_spec</artifactId>
diff --git a/scripts/compose_pki_test_package b/scripts/compose_pki_test_package
index 1642cd8d9..f6de770e1 100755
--- a/scripts/compose_pki_test_package
+++ b/scripts/compose_pki_test_package
@@ -118,6 +118,7 @@ CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-mcc.jar
CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
+CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
diff --git a/tests/dogtag/dev_java_tests/run_junit_tests.sh b/tests/dogtag/dev_java_tests/run_junit_tests.sh
index 4544c1496..317958ccc 100644
--- a/tests/dogtag/dev_java_tests/run_junit_tests.sh
+++ b/tests/dogtag/dev_java_tests/run_junit_tests.sh
@@ -54,6 +54,7 @@ run_dev_junit_tests() {
CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
+ CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
--
2.26.2
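Review bot: The new `grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar"` block in pki.policy gives the JAR `java.security.AllPermission` under one hard-coded path, while the `find_file(JAXB_IMPL_JAR ...)` added in base/CMakeLists.txt also accepts `/usr/share/java`. If the JAR is found in the second directory, the policy entry would presumably not match the code that is actually loaded, so the two lists should be kept in sync or the policy file should carry a comment like `// path must match JAXB_IMPL_JAR in base/CMakeLists.txt`. AllPermission mirrors the existing jaxb-api entry, but a grant limited to what the JAXB runtime needs would be a smaller surface for a library that handles XML input. The same point applies to the jakarta.activation grant in the next patch, where `find_file` accepts four file names in five directories but the policy names only one path.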


@ -0,0 +1,160 @@
From 17af4157bb51efe829314d3bdd9efedd14667d26 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 20 Aug 2020 08:47:58 -0400
Subject: [PATCH 4/4] Add Jakarta Activation dependency for JDK11+
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.classpath | 1 +
base/CMakeLists.txt | 14 ++++++++++++++
base/common/CMakeLists.txt | 1 +
base/server/CMakeLists.txt | 1 +
base/server/share/conf/pki.policy | 4 ++++
pki.spec | 6 +++++-
pom.xml | 6 ++++++
scripts/compose_pki_test_package | 1 +
tests/dogtag/dev_java_tests/run_junit_tests.sh | 2 +-
9 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/.classpath b/.classpath
index ae7f001a0..078d3a403 100644
--- a/.classpath
+++ b/.classpath
@@ -35,6 +35,7 @@
<classpathentry kind="lib" path="/usr/share/java/ldapjdk.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jaxb-api.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jaxb/jaxb-impl.jar"/>
+ <classpathentry kind="lib" path="/usr/share/java/jakarta-activation/jakarta.activation.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpclient.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpcore.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jboss-jaxrs-2.0-api.jar"/>
diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
index 2fef383ec..8a19f9c71 100644
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -182,6 +182,20 @@ find_file(JAXB_IMPL_JAR
/usr/share/java
)
+find_file(JAKARTA_ACTIVATION_JAR
+ NAMES
+ jakarta.activation.jar
+ jakarta-activation.jar
+ jaxb.activation.jar
+ jaxb-activation.jar
+ PATHS
+ /usr/share/java/jakarta-activation
+ /usr/share/java/jakarta
+ /usr/share/java/jaxb-activation
+ /usr/share/java/jaxb
+ /usr/share/java
+)
+
find_file(JSS_JAR
NAMES
jss4.jar
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 4fb3e30b5..4e9d44255 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -30,6 +30,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} lib/jackson-module-jaxb-annotations.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} lib/jaxb-impl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} lib/jakarta.activation.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 7053ac208..04f537436 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -99,6 +99,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} common/lib/jaxb-impl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} common/lib/jakarta.activation.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar
diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index 2fbcaef90..460fff0bb 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -52,6 +52,10 @@ grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar" {
permission java.security.AllPermission;
};
+grant codeBase "file:/usr/share/java/jakarta-activation/jakarta.activation.jar" {
+ permission java.security.AllPermission;
+};
+
grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" {
permission java.security.AllPermission;
};
diff --git a/pki.spec b/pki.spec
index 8d931a8a7..e29b6d12f 100644
--- a/pki.spec
+++ b/pki.spec
@@ -423,11 +423,15 @@ Requires: resteasy >= 3.0.26
Requires: resteasy-atom-provider >= 3.0.17-1
Requires: resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1
-Requires: jaxb-impl
Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
+%if 0%{?fedora} && 0%{?fedora} >= 33
+Requires: jaxb-impl >= 2.3.3
+Requires: jakarta-activation >= 1.2.2
+%endif
+
Requires: xalan-j2
Requires: xerces-j2
Requires: xml-commons-apis
diff --git a/pom.xml b/pom.xml
index 35644e20e..34af3c121 100644
--- a/pom.xml
+++ b/pom.xml
@@ -86,6 +86,12 @@
<version>2.3.3</version>
</dependency>
+ <dependency>
+ <groupId>jakarta.activation</groupId>
+ <artifactId>jakarta.activation-api</artifactId>
+ <version>1.2.2</version>
+ </dependency>
+
<dependency>
<groupId>org.jboss.spec.javax.annotation</groupId>
<artifactId>jboss-annotations-api_1.2_spec</artifactId>
diff --git a/scripts/compose_pki_test_package b/scripts/compose_pki_test_package
index f6de770e1..b8c39c682 100755
--- a/scripts/compose_pki_test_package
+++ b/scripts/compose_pki_test_package
@@ -119,6 +119,7 @@ CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar
+CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
diff --git a/tests/dogtag/dev_java_tests/run_junit_tests.sh b/tests/dogtag/dev_java_tests/run_junit_tests.sh
index 317958ccc..76efd757b 100644
--- a/tests/dogtag/dev_java_tests/run_junit_tests.sh
+++ b/tests/dogtag/dev_java_tests/run_junit_tests.sh
@@ -54,7 +54,7 @@ run_dev_junit_tests() {
CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
- CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar
+ CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
--
2.26.2
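Review bot: The run_junit_tests.sh hunk replaces the `jaxb-impl.jar` CLASSPATH line with the `jakarta.activation.jar` line instead of adding a new one, so the entry introduced by the previous patch disappears from the JUnit classpath. compose_pki_test_package in the same patch keeps both entries, and the diffstat shows `2 +-` for this script against `1 +` for the other, which suggests the removal was not intended. I would keep `CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar` and add `CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar` on the line after it. Separately, pom.xml adds the `jakarta.activation-api` artifact while every other file in the patch references `jakarta.activation.jar`; it is worth confirming that the API-only artifact is what the Maven build should resolve.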


@ -10,8 +10,10 @@ URL: http://www.dogtagpki.org/
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
Version: 10.9.1
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
Version: 10.9.2
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
# To create a tarball from a version tag:
@ -29,7 +31,11 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
Patch1: 0001-Support-FIPS-HSMs.patch
Patch1: 0001-Make-JDK-dependency-dynamic.patch
Patch2: 0002-Add-server-dependency-on-jaxb-api.patch
Patch3: 0003-Add-JAXB-Implementation-dependency-for-JDK11.patch
Patch4: 0004-Add-Jakarta-Activation-dependency-for-JDK11.patch
################################################################################
# NSS
@ -52,15 +58,13 @@ Patch1: 0001-Support-FIPS-HSMs.patch
################################################################################
%define java_home /usr/lib/jvm/jre-openjdk
%if 0%{?fedora} && 0%{?fedora} >= 33
%define min_java_version 1:1.8.0
%define java_devel java-1.8.0-openjdk-devel
%define java_headless java-1.8.0-openjdk-headless
%else
%define min_java_version 1:1.8.0
%define java_devel java-devel
%define java_headless java-headless
%if 0%{?fedora} && 0%{?fedora} >= 33
%define min_java_version 1:11
%else
%define min_java_version 1:1.8.0
%endif
################################################################################
@ -431,6 +435,11 @@ Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
%if 0%{?fedora} && 0%{?fedora} >= 33
Requires: jaxb-impl >= 2.3.3
Requires: jakarta-activation >= 1.2.2
%endif
Requires: xalan-j2
Requires: xerces-j2
Requires: xml-commons-apis
@ -1326,6 +1335,9 @@ fi
################################################################################
%changelog
* Tue Aug 18 2020 Dogtag PKI Team <pki-devel@redhat.com> - 10.9.2-1
- Second attempt at JDK11 Support
* Tue Aug 18 2020 Dogtag PKI Team <pki-devel@redhat.com> - 10.9.1-2
- Rebuilt to fix packaging issues introduced upstream
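Review bot: The `jaxb-impl` and `jakarta-activation` Requires are guarded by `%if 0%{?fedora} && 0%{?fedora} >= 33`, but the `create_symlink` commands and pki.policy grants that patches 3 and 4 add are unconditional. On a build that takes the `%else` branch, or on any build root without these JARs, `find_file` would leave `JAXB_IMPL_JAR` and `JAKARTA_ACTIVATION_JAR` as `-NOTFOUND` values and the symlink step would likely create dangling links rather than fail. No matching BuildRequires is visible in these hunks; if none exists elsewhere in the spec, adding `BuildRequires: jaxb-impl >= 2.3.3` and `BuildRequires: jakarta-activation >= 1.2.2` inside the same guard would make the build fail early instead. The new 10.9.2-1 changelog entry is also dated Tue Aug 18 2020, the same day as 10.9.1-2, although the commit itself is dated 2020-08-20.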


@ -1 +1 @@
SHA512 (pki-10.9.1.tar.gz) = afe814aee95e778afd84243903d9fcd05e31cb038d4289607115f9cc90ec666aaf4aab3b7f93dc54366762c96f54c8bbd9b60b486daef84280072041667d9b6a
SHA512 (pki-10.9.2.tar.gz) = 5c58af62d3a5113daee66cb538e41b0e1ec1c8303cf9a53e5f088e1a0228bd8f839d7708abae25051a449bd00ebd8246f2015e63c04a32bb9674b40c6c36c902