diff --git a/.gitignore b/.gitignore
index f3e57d3..6a4f3a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,3 +124,5 @@
 /freeipa-4.10.0.tar.gz.asc
 /freeipa-4.10.1.tar.gz
 /freeipa-4.10.1.tar.gz.asc
+/freeipa-4.10.2.tar.gz
+/freeipa-4.10.2.tar.gz.asc
diff --git a/0001-Revert-cert_find-fix-call-with-all.patch b/0001-Revert-cert_find-fix-call-with-all.patch
new file mode 100644
index 0000000..f81b3b7
--- /dev/null
+++ b/0001-Revert-cert_find-fix-call-with-all.patch
@@ -0,0 +1,107 @@
+From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Tue, 6 Jun 2023 17:15:11 +0200
+Subject: [PATCH] Revert "cert_find: fix call with --all"
+
+This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.
+
+Revert "Use the OpenSSL certificate parser in cert-find"
+
+This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.
+---
+ freeipa.spec.in | 2 --
+ ipaserver/plugins/cert.py | 27 +++------------------------
+ 2 files changed, 3 insertions(+), 26 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -412,7 +412,6 @@ BuildRequires: python3-pylint
+ BuildRequires: python3-pytest-multihost
+ BuildRequires: python3-pytest-sourceorder
+ BuildRequires: python3-qrcode-core >= 5.0.0
+-BuildRequires: python3-pyOpenSSL
+ BuildRequires: python3-samba
+ BuildRequires: python3-six
+ BuildRequires: python3-sss
+@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
+ Requires: python3-pyasn1 >= 0.3.2-2
+ Requires: python3-pyasn1-modules >= 0.3.2-2
+ Requires: python3-pyusb
+-Requires: python3-pyOpenSSL
+ Requires: python3-qrcode-core >= 5.0.0
+ Requires: python3-requests
+ Requires: python3-six
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -30,7 +30,6 @@ import cryptography.x509
+ from cryptography.hazmat.primitives import hashes, serialization
+ from dns import resolver, reversename
+ import six
+-import sys
+ 
+ from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
+ from ipalib import api
+@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
+ )
+ 
+ def _get_cert_key(self, cert):
+- # for cert-find with a certificate value
+- if isinstance(cert, x509.IPACertificate):
+- return (DN(cert.issuer), cert.serial_number)
+-
+- issuer = []
+- for oid, value in cert.get_issuer().get_components():
+- issuer.append(
+- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
+- )
+- issuer = ','.join(issuer)
+- # Use this to flip from OpenSSL reverse to X500 ordering
+- issuer = DN(issuer).x500_text()
+- return (DN(issuer), cert.get_serial_number())
++ return (DN(cert.issuer), cert.serial_number)
+ 
+ def _cert_search(self, pkey_only, **options):
+ result = collections.OrderedDict()
+@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
+ return result, False, complete
+ 
+ def _ldap_search(self, all, pkey_only, no_members, **options):
+- # defer import of the OpenSSL module to not affect the requests
+- # module which will use pyopenssl if this is available.
+- if sys.modules.get('OpenSSL.SSL', False) is None:
+- del sys.modules["OpenSSL.SSL"]
+- import OpenSSL.crypto
+ ldap = self.api.Backend.ldap2
+ 
+ filters = []
+@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):
+ ca_enabled = getattr(context, 'ca_enabled')
+ for entry in entries:
+ for attr in ('usercertificate', 'usercertificate;binary'):
+- for der in entry.raw.get(attr, []):
+- cert = OpenSSL.crypto.load_certificate(
+- OpenSSL.crypto.FILETYPE_ASN1, der)
++ for cert in entry.get(attr, []):
+ cert_key = self._get_cert_key(cert)
+ try:
+ obj = result[cert_key]
+ except KeyError:
+- obj = {'serial_number': cert.get_serial_number()}
++ obj = {'serial_number': cert.serial_number}
+ if not pkey_only and (all or not ca_enabled):
+ # Retrieving certificate details is now deferred
+ # until after all certificates are collected.
+ # For the case of CA-less we need to keep
+ # the certificate because getting it again later
+ # would require unnecessary LDAP searches.
+- cert = cert.to_cryptography()
+ obj['certificate'] = (
+ base64.b64encode(
+ cert.public_bytes(x509.Encoding.DER))
+--
+2.40.1
+
diff --git a/freeipa-issue-9355.patch b/freeipa-issue-9355.patch
deleted file mode 100644
index a2c7983..0000000
--- a/freeipa-issue-9355.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e07ead943abf070107a9669fc4564c9dc7518832 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Fri, 24 Mar 2023 09:39:03 +0200
-Subject: [PATCH] ipalib/x509: Implement abstract method
- Certificate.verify_directly_issued_by
-
-Added in Python Cryptography 40.0
-Thanks to @tiran for the code
-
-Fixes: https://pagure.io/freeipa/issue/9355
-
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Stanislav Levin
---
- ipalib/x509.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ipalib/x509.py b/ipalib/x509.py
-index 3fcd3f424..ed2e8f1d8 100644
---- a/ipalib/x509.py
-+++ b/ipalib/x509.py
-@@ -405,6 +405,11 @@ class IPACertificate(crypto_x509.Certificate):
- def tbs_precertificate_bytes(self):
- return self._cert.tbs_precertificate_bytes
- 
-+ if hasattr(crypto_x509.Certificate, "verify_directly_issued_by"):
-+ # added in python-cryptography 40.0
-+ def verify_directly_issued_by(self, issuer):
-+ return self._cert.verify_directly_issued_by(issuer)
-+
- 
- def load_pem_x509_certificate(data):
- """
---
-2.40.0
-
diff --git a/freeipa.spec b/freeipa.spec
index ca0d05e..ca24813 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -168,7 +168,7 @@
 # RHEL 8.7+, F35+
 %global sssd_version 2.7.1
-%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 2>/dev/null | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
 %global kdcproxy_version 0.4-3
 %if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
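Review bot: On the new `%define krb5_base_version` line, `2>/dev/null` hides every pkgconf failure, so a missing pkgconf binary or an unknown `krb5` module now falls through to `echo %krb5_version` with no trace in the build log; `%krb5_version` itself is defined outside this hunk. The `||` only reacts to grep's exit status, which is non-zero on empty input, so the fallback path is reachable and this change makes it silent. If that is intended, a comment on the line above would record it: `# pkgconf may be unavailable when the spec is parsed; quietly fall back to %krb5_version`.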
@@ -200,7 +200,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.10.1
+%define IPA_VERSION 4.10.2
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -213,7 +213,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 5%{?rc_version:.%rc_version}%{?dist}
+Release: 1%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -224,8 +224,7 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
 %endif
-# python-cryptography 40.0+ support
-Patch0: freeipa-issue-9355.patch
+Patch0: 0001-Revert-cert_find-fix-call-with-all.patch
 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
@@ -684,6 +683,7 @@ Requires: jansson
 %endif
 Requires: sssd-ipa >= %{sssd_version}
 Requires: sssd-idp >= %{sssd_version}
+Requires: sssd-krb5 >= %{sssd_version}
 Requires: certmonger >= %{certmonger_version}
 Requires: nss-tools >= %{nss_version}
 Requires: bind-utils
@@ -1247,10 +1247,8 @@ if [ $1 -gt 1 ] ; then
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
 if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
- if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
- echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
- cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
- mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+ if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
+ sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
 fi
 fi
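Review bot: The new `Patch0:` line in the hunk at -224 carries no comment, while the line it replaces was preceded by `# python-cryptography 40.0+ support`; neither the spec nor the changelog entry (`Synchronize patches with CentOS 9 Stream`) says why an upstream fix whose subject is `cert_find: fix call with --all` is being reverted. The patch file added in this commit drops the `python3-pyOpenSSL` BuildRequires and Requires, which looks like the motivation, so a one-line comment above the new line would preserve it: `# Revert upstream cert-find rework that pulls in python3-pyOpenSSL (kept in sync with CentOS 9 Stream)`. It would also be worth stating in that comment whether the behaviour the reverted commit fixed is knowingly given up.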
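Review bot: In the hunk at -1247 the new `sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf` uses an unanchored address, so it deletes every line containing that path, including a commented-out `#includedir ...` line an administrator may have left, while the `grep -E -q` guard above it only decides whether the edit runs at all; anchoring to the directive the old scriptlet wrote at column 0 keeps the two in step: `sed -i '\;^includedir /var/lib/sss/pubconf/krb5.include.d/;d' /etc/krb5.conf`. `sed -i` also rewrites /etc/krb5.conf through a temporary file and rename, so a krb5.conf that is a symlink becomes a regular file unless `--follow-symlinks` is given, and the removed code set the SELinux label explicitly with `mv -Z`, so label preservation should be confirmed on a target system. The hunk inverts the scriptlet from adding the includedir to removing it without saying why; a why-comment above the `if grep` line, presumably tied to the new `sssd-krb5` Requires in the hunk at -684 (please confirm), such as `# sssd-krb5 now supplies the SSSD include itself; drop the line older ipa-client versions added`, would help the next reader. The enclosing `if [ $1 -gt 1 ]` upgrade branch starts before this hunk.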
@@ -1744,6 +1742,10 @@ fi
 %endif
 %changelog
+* Tue Jun 13 2023 Alexander Bokovoy - 4.10.2-1
+- Upstream release FreeIPA 4.10.2
+- Synchronize patches with CentOS 9 Stream
+
 * Mon May 15 2023 Alexander Bokovoy - 4.10.1-5
 - Support python-cryptography 40.0
diff --git a/sources b/sources
index f0bf56b..ec1fc5a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.10.1.tar.gz) = b06ff7d18aaf6345132eebba1cfe1b9653f71ba07e12f708a52253327961ff03eddd19b79bfdbee9d44f20f04d410fe860f2fd916e66c79fc6366ceb3f8ec5f2
-SHA512 (freeipa-4.10.1.tar.gz.asc) = cc1e795a5e953b9bdd5e68ccbd7a46da0ab9bf236b96e1a6eae41e3100ebc46cdd93414cbad89bc35c3bf87b518b9bad74b8e4858f42f12b37c5734e1edb5efc
+SHA512 (freeipa-4.10.2.tar.gz) = be5c1552ead25f9fd6f885687110e2017abdb16ca3047a4458129fe5f8437d3bbd97723b49650dafd770333b30a6cdbc7b0c26fdf0c522ec2b62d0df642ce768
+SHA512 (freeipa-4.10.2.tar.gz.asc) = 732a73326548103aa9133a8ca6c3e56101fb858a2746d4aa2799571bab20111b9be36f5991f1f433fed2e435698a583b9be3cfc14d0abb9808355c3c5ab19fc7