diff --git a/.gitignore b/.gitignore index bcc0b54..a71dbf1 100644 --- a/.gitignore +++ b/.gitignore @@ -44,3 +44,4 @@ /pki-11.5.0-alpha7.tar.gz /pki-11.5.0-alpha8.tar.gz /pki-11.5.0.tar.gz +/pki-11.5.2.tar.gz diff --git a/dogtag-pki.spec b/dogtag-pki.spec index 4fce3a6..25be27c 100644 --- a/dogtag-pki.spec +++ b/dogtag-pki.spec @@ -9,12 +9,12 @@ Name: dogtag-pki # Upstream version number: %global major_version 11 %global minor_version 5 -%global update_version 0 +%global update_version 2 # Downstream release number: # - development/stabilization (unsupported): 0. where n >= 1 # - GA/update (supported): where n >= 1 -%global release_number 2 +%global release_number 1 # Development phase: # - development (unsupported): alpha where n >= 1 @@ -28,9 +28,9 @@ Name: dogtag-pki Summary: %{product_name} Package URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 -License: GPL-2.0-only and LGPL-2.0-only +License: GPL-2.0-only AND LGPL-2.0-only Version: %{major_version}.%{minor_version}.%{update_version} -Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist}.1 +Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist} # To create a tarball from a version tag: # $ git archive \ @@ -53,6 +53,9 @@ ExclusiveArch: %{java_arches} ExcludeArch: i686 %endif +# Bundle dependencies unless --without deps is specified. +%bcond_without deps + ################################################################################ # PKCS #11 Kit Trust ################################################################################ 
@@ -63,9 +66,27 @@ ExcludeArch: i686 # Java ################################################################################ -%global java_devel java-17-openjdk-devel -%global java_headless java-17-openjdk-headless -%global java_home %{_jvmdir}/jre-17-openjdk +%if 0%{?rhel} + +%define java_devel java-17-openjdk-devel +%define java_headless java-17-openjdk-headless +%define java_home %{_jvmdir}/jre-17-openjdk + +%else + +# Use Java 21 on Fedora 40+, otherwise use Java 17. +%global java_devel java-devel >= 1:17 +%global java_headless java-headless >= 1:17 + +# Don't use find since it might not work well with local builds. +# find {_jvmdir} -maxdepth 1 | grep "jre-[0-9]\+$" +%global java_home %( + source /usr/share/java-utils/java-functions; + _prefer_jre=true; + set_jvm; + echo $JAVA_HOME) + +%endif ################################################################################ # Application Server @@ -82,13 +103,13 @@ ExcludeArch: i686 # Build the package unless --without is specified. # For idm-pki do not build the following packages: -# ocsp, tks, tps, javadoc, theme, tests, debug +# est, ocsp, tks, tps, javadoc, theme, tests, debug %bcond_without base %bcond_without server %bcond_without acme %bcond_without ca -%bcond_without est +%bcond_with est %bcond_without kra %bcond_with ocsp %bcond_with tks @@ -162,6 +183,11 @@ BuildRequires: maven-local BuildRequires: xmvn-tools %endif BuildRequires: javapackages-tools + +%if %{with deps} +BuildRequires: xmlstarlet +%endif + BuildRequires: mvn(commons-cli:commons-cli) BuildRequires: mvn(commons-codec:commons-codec) BuildRequires: mvn(commons-io:commons-io) 
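Review bot: The two branches of the new `%if 0%{?rhel}` define the same macros with different scoping keywords, `%define` on the RHEL side and `%global` on the Fedora side; since `java_home` and friends are consumed in later sections of the spec, `%global` is the safe choice for both branches. The comment `# Use Java 21 on Fedora 40+, otherwise use Java 17.` also describes a policy the code does not express: the `%else` branch takes whatever `set_jvm` from java-functions selects with `_prefer_jre=true`, and `%global java_home %( … )` is expanded at every parse of the spec, so on a host without `/usr/share/java-utils/java-functions` the value presumably ends up empty rather than failing. A comment such as `# java_home is whatever set_jvm picks at parse time; needs javapackages-tools on the parsing host` would make that dependency explicit.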
@@ -169,17 +195,32 @@ BuildRequires: mvn(org.apache.commons:commons-lang3) BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(commons-net:commons-net) BuildRequires: mvn(org.slf4j:slf4j-api) +BuildRequires: mvn(org.apache.httpcomponents:httpclient) BuildRequires: mvn(xml-apis:xml-apis) BuildRequires: mvn(xml-resolver:xml-resolver) BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api) + +BuildRequires: mvn(jakarta.activation:jakarta.activation-api) +BuildRequires: mvn(jakarta.xml.bind:jakarta.xml.bind-api) + +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) +BuildRequires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider) + +BuildRequires: mvn(org.jboss.logging:jboss-logging) +BuildRequires: mvn(org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec) + BuildRequires: mvn(org.jboss.resteasy:resteasy-client) BuildRequires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) BuildRequires: mvn(org.jboss.resteasy:resteasy-jaxrs) BuildRequires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) + BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62 + BuildRequires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 BuildRequires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 BuildRequires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 
@@ -416,9 +457,19 @@ Requires: mvn(commons-logging:commons-logging) Requires: mvn(commons-net:commons-net) Requires: mvn(org.slf4j:slf4j-api) Requires: mvn(org.slf4j:slf4j-jdk14) +Requires: mvn(jakarta.annotation:jakarta.annotation-api) + +%if %{without deps} +Requires: mvn(com.fasterxml.jackson.core:jackson-annotations) +Requires: mvn(com.fasterxml.jackson.core:jackson-core) +Requires: mvn(com.fasterxml.jackson.core:jackson-databind) +Requires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider) + Requires: mvn(org.jboss.resteasy:resteasy-client) Requires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) Requires: mvn(org.jboss.resteasy:resteasy-jaxrs) +%endif + Requires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 Requires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 Requires: %{product_id}-base = %{version}-%{release} @@ -485,7 +536,10 @@ Requires: python3-policycoreutils Requires: selinux-policy-targeted >= 3.13.1-159 +%if %{without deps} Requires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) +%endif + Requires: tomcat >= 1:9.0.62 Requires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 
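Review bot: With the default `deps` build the Jackson and RESTEasy `Requires:` are dropped under `%if %{without deps}`, but nothing declares the copies that are now shipped in their place, so the same guard inverted should carry `Provides: bundled(jackson-databind) = <bundled version>` and matching lines for jackson-core, jackson-annotations, jackson-jaxrs-json-provider, resteasy-jaxrs, resteasy-client, resteasy-jackson2-provider, and in the server hunk below (`@@ -485`), resteasy-servlet-initializer. Without them a security update to the system Jackson or RESTEasy RPM does not reach the copies installed under `%{_datadir}/pki/lib`, and tooling that tracks vendored libraries through `bundled()` provides cannot see that this package carries them. The versions are currently computed in `%prep` from `rpm -q`, which is too late for the preamble, so they would need to be evaluated in a macro at parse time or kept as explicit values updated together with the bundled copies.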
@@ -861,6 +915,55 @@ This package provides test suite for %{product_name}. %autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1 +%if %{with deps} +if [ ! -d lib ] +then + mkdir lib + + JACKSON_VERSION=$(rpm -q jackson-annotations | sed -n 's/^jackson-annotations-\([^-]*\)-.*$/\1/p') + echo "Importing Jackson $JACKSON_VERSION from RPM" + + cp /usr/share/java/jackson-annotations.jar \ + lib/jackson-annotations-$JACKSON_VERSION.jar + cp /usr/share/java/jackson-core.jar \ + lib/jackson-core-$JACKSON_VERSION.jar + cp /usr/share/java/jackson-databind.jar \ + lib/jackson-databind-$JACKSON_VERSION.jar + cp /usr/share/java/jackson-jaxrs-providers/jackson-jaxrs-base.jar \ + lib/jackson-jaxrs-base-$JACKSON_VERSION.jar + cp /usr/share/java/jackson-jaxrs-providers/jackson-jaxrs-json-provider.jar \ + lib/jackson-jaxrs-json-provider-$JACKSON_VERSION.jar + cp /usr/share/java/jackson-modules/jackson-module-jaxb-annotations.jar \ + lib/jackson-module-jaxb-annotations-$JACKSON_VERSION.jar + + JAXRS_VERSION=$(rpm -q jboss-jaxrs-2.0-api | sed -n 's/^jboss-jaxrs-2.0-api-\([^-]*\)-.*$/\1.Final/p') + echo "Importing JAX-RS 2.0 API $JAXRS_VERSION from RPM" + + cp /usr/share/java/jboss-jaxrs-2.0-api.jar \ + lib/jboss-jaxrs-2.0-api-$JAXRS_VERSION.jar + + JBOSS_LOGGING_VERSION=$(rpm -q jboss-logging | sed -n 's/^jboss-logging-\([^-]*\)-.*$/\1.Final/p') + echo "Importing JBoss Logging $JBOSS_LOGGING_VERSION from RPM" + + cp /usr/share/java/jboss-logging/jboss-logging.jar \ + lib/jboss-logging-$JBOSS_LOGGING_VERSION.jar + + RESTEASY_VERSION=$(rpm -q pki-resteasy-core | sed -n 's/^pki-resteasy-core-\([^-]*\)-.*$/\1.Final/p') + echo "Importing RESTEasy $RESTEASY_VERSION from RPM" + + cp /usr/share/java/resteasy/resteasy-jaxrs.jar \ + lib/resteasy-jaxrs-$RESTEASY_VERSION.jar + cp /usr/share/java/resteasy/resteasy-client.jar \ + lib/resteasy-client-$RESTEASY_VERSION.jar + cp /usr/share/java/resteasy/resteasy-jackson2-provider.jar \ + lib/resteasy-jackson2-provider-$RESTEASY_VERSION.jar + cp 
/usr/share/java/resteasy/resteasy-servlet-initializer.jar \ + lib/resteasy-servlet-initializer-$RESTEASY_VERSION.jar + + ls -la lib +fi +%endif + %if ! %{with base} %pom_disable_module common base %pom_disable_module tools base @@ -1011,6 +1114,7 @@ popd # Remove all symbol table and relocation information from the executable. C_FLAGS="-s" +CXX_FLAGS="$CXX_FLAGS -g -fPIE -pie" %if 0%{?fedora} # https://sourceware.org/annobin/annobin.html/Test-gaps.html @@ -1021,12 +1125,23 @@ C_FLAGS="$C_FLAGS -fcf-protection=full" # https://sourceware.org/annobin/annobin.html/Test-optimization.html C_FLAGS="$C_FLAGS -O2" +CXX_FLAGS="$CXX_FLAGS -O2" # https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS" +CXX_FLAGS="$CXX_FLAGS -D_GLIBCXX_ASSERTIONS" # https://sourceware.org/annobin/annobin.html/Test-lto.html C_FLAGS="$C_FLAGS -fno-lto" + +# https://sourceware.org/annobin/annobin.html/Test-fortify.html +C_FLAGS="$C_FLAGS -D_FORTIFY_SOURCE=3" +CXX_FLAGS="$CXX_FLAGS -D_FORTIFY_SOURCE=3" + +# https://sourceware.org/annobin/annobin.html/Test-stack-clash.html +C_FLAGS="$C_FLAGS -fstack-clash-protection" +CXX_FLAGS="$CXX_FLAGS -fstack-clash-protection" + %endif pkgs=base\ @@ -1060,6 +1175,7 @@ pkgs=base\ --share-dir=%{_datadir} \ --cmake=%{__cmake} \ --c-flags="$C_FLAGS" \ + --cxx-flags="$CXX_FLAGS" \ --java-home=%{java_home} \ --jni-dir=%{_jnidir} \ --unit-dir=%{_unitdir} \ 
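Review bot: Each `*_VERSION` is read via `rpm -q … | sed`, and because the pipeline's status is sed's, a missing or differently named package yields an empty version instead of a failure under the `-e` rpmbuild runs with, so the block continues and produces files such as `lib/jackson-annotations-.jar`; the `.Final` suffix appended to the JAX-RS, JBoss Logging and RESTEasy versions is likewise assumed rather than read from the package. A guard after each assignment, `[ -n "$JACKSON_VERSION" ] || exit 1`, would stop the build at the point where the assumption breaks. The `[ ! -d lib ]` guard also means a pre-existing `lib/` in the source tree is used as-is without any of these checks, which looks intended for local builds and deserves a one-line comment saying so.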
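Review bot: `CXX_FLAGS="$CXX_FLAGS -g -fPIE -pie"` starts from whatever `CXX_FLAGS` the build environment already holds, whereas `C_FLAGS="-s"` on the line above resets the variable and strips symbols, so the two languages get opposite debug-info treatment with no stated reason, and `-pie` is a link option being carried as a compile flag. Initialise it explicitly, `CXX_FLAGS="-fPIE -pie"`, and if `-g` is intentional add a comment saying why C++ objects keep debug info while C objects are stripped, so the next reader does not "fix" it.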
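Review bot: The hardening flags added here (`-D_FORTIFY_SOURCE=3`, `-fstack-clash-protection`, `-D_GLIBCXX_ASSERTIONS`) sit inside the `%if 0%{?fedora}` opened in the previous hunk and closed by the `%endif` at the end of this one, so a RHEL build of the native code is compiled with only `-s` and `-g -fPIE -pie` unless the same flags are applied somewhere this hunk does not show. The hunk-header context also shows `-fcf-protection=full` applied to `C_FLAGS` only, so C++ objects miss CET unless it is set above the hunk; adding `CXX_FLAGS="$CXX_FLAGS -fcf-protection=full"` next to the other paired lines would close that gap. Basing both variables on the distribution macros, `C_FLAGS="%{build_cflags}"` and `CXX_FLAGS="%{build_cxxflags}"`, before the annobin-specific adjustments would give both distros the flags the annobin tests expect without maintaining the list by hand.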
@@ -1085,6 +1201,159 @@ pkgs=base\ --install-dir=%{buildroot} \ install +%if %{with deps} + +%if %{with meta} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}.xml +%endif + +%if %{with base} +echo "Installing JAR deps into %{buildroot}%{_datadir}/pki/lib" +cp lib/jackson-annotations-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jackson-core-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jackson-databind-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jackson-jaxrs-base-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jackson-jaxrs-json-provider-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jackson-module-jaxb-annotations-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jboss-jaxrs-2.0-api-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/jboss-logging-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/resteasy-jaxrs-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/resteasy-client-*.jar %{buildroot}%{_datadir}/pki/lib +cp lib/resteasy-jackson2-provider-*.jar %{buildroot}%{_datadir}/pki/lib +ls -l %{buildroot}%{_datadir}/pki/lib + +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-java.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + 
%{buildroot}%{_datadir}/maven-metadata/%{name}-pki-java.xml + +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-tools.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-tools.xml +%endif + +%if %{with server} +echo "Installing JAR deps into %{buildroot}%{_datadir}/pki/server/common/lib" +cp lib/resteasy-servlet-initializer-*.jar %{buildroot}%{_datadir}/pki/server/common/lib +ls -l %{buildroot}%{_datadir}/pki/server/common/lib + +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-server.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-server.xml +%endif + +%if %{with ca} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-ca.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-ca.xml +%endif + 
+%if %{with kra} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-kra.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-kra.xml +%endif + +%if %{with ocsp} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-ocsp.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-ocsp.xml +%endif + +%if %{with tks} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-tks.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-tks.xml +%endif + +%if %{with tps} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-tps.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d 
"//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-tps.xml +%endif + +%if %{with acme} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-acme.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-acme.xml +%endif + +%if %{with est} +echo "Removing RPM deps from %{buildroot}%{_datadir}/maven-metadata/pki-pki-est.xml" +xmlstarlet edit --inplace \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \ + -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \ + -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \ + -d "//_:dependency[_:groupId='org.jboss.logging']" \ + -d "//_:dependency[_:groupId='org.jboss.resteasy']" \ + %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-est.xml +%endif + +# with deps +%endif + %if %{with server} %pre -n %{product_id}-server @@ -1501,6 +1770,10 @@ fi ################################################################################ %changelog +* Wed Jul 03 2024 Red Hat PKI Team - 11.5.2-1 +- Rebase to PKI 11.5.2 +- CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability + * Mon Jun 24 2024 Troy Dawson - 11.5.0-2.1 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index e4e8cf5..306e664 100644 --- a/sources +++ b/sources 
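Review bot: The `xmlstarlet edit --inplace` command with its six `-d` expressions is repeated eleven times in this hunk, and each `echo` names a hard-coded `pki-pki-*.xml` file while the path actually edited is `%{name}-pki-*.xml`, so with `Name: dogtag-pki` (visible in the hunk headers) the log message names a file that does not exist. Factoring the command into a shell function defined once inside the `%if %{with deps}` block and passing the file path keeps the message and the edited path from drifting and leaves one place to update when the list of removed groupIds changes. Whether the `%files` section lists the JARs copied into `%{_datadir}/pki/lib` and `%{_datadir}/pki/server/common/lib` is outside this hunk and worth confirming.
```rpm-spec
%if %{with deps}

# Drop the Maven coordinates now satisfied by the bundled JARs from one
# generated maven-metadata file; $1 is the file to edit in place.
remove_rpm_deps() {
    echo "Removing RPM deps from $1"
    xmlstarlet edit --inplace \
        -d "//_:dependency[_:groupId='com.fasterxml.jackson.core']" \
        -d "//_:dependency[_:groupId='com.fasterxml.jackson.module']" \
        -d "//_:dependency[_:groupId='com.fasterxml.jackson.jaxrs']" \
        -d "//_:dependency[_:groupId='org.jboss.spec.javax.ws.rs']" \
        -d "//_:dependency[_:groupId='org.jboss.logging']" \
        -d "//_:dependency[_:groupId='org.jboss.resteasy']" \
        "$1"
}

%if %{with meta}
remove_rpm_deps %{buildroot}%{_datadir}/maven-metadata/%{name}.xml
%endif

# … unchanged: JAR copies into pki/lib and pki/server/common/lib …

%if %{with ca}
remove_rpm_deps %{buildroot}%{_datadir}/maven-metadata/%{name}-pki-ca.xml
%endif

# … unchanged: the same one-line call for base, tools, server, kra, ocsp, tks, tps, acme, est …
```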
@@ -1 +1 @@
-SHA512 (pki-11.5.0.tar.gz) = 28b4099abd59b6fb5c510fff39fe7b2258f663f3fc21c973243a9615f5f601a18b763722ee6ea033afe76a094464d4fdce5cd0af45f9126566badf89e3a69923
+SHA512 (pki-11.5.2.tar.gz) = 206d957c5a8508130e83464af0bece5d79113844b65af5bf82c342508f858987cd7d5eccb69014dfbfefb5b802a51ade6aed761af80a0ea920e6deba1a9e2ad1