Upstream release 4.10.2
Synchronize patches with CentOS 9 Stream Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
parent
4d4375dd2d
commit
e2e40e4ca3
2
.gitignore
vendored
2
.gitignore
vendored
@ -124,3 +124,5 @@
|
|||||||
/freeipa-4.10.0.tar.gz.asc
|
/freeipa-4.10.0.tar.gz.asc
|
||||||
/freeipa-4.10.1.tar.gz
|
/freeipa-4.10.1.tar.gz
|
||||||
/freeipa-4.10.1.tar.gz.asc
|
/freeipa-4.10.1.tar.gz.asc
|
||||||
|
/freeipa-4.10.2.tar.gz
|
||||||
|
/freeipa-4.10.2.tar.gz.asc
|
||||||
|
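--- /dev/null
+++ b/0001-Revert-cert_find-fix-call-with-all.patch
@@ -0,0 +1,107 @@
+From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 6 Jun 2023 17:15:11 +0200
+Subject: [PATCH] Revert "cert_find: fix call with --all"
+
+This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.
+
+Revert "Use the OpenSSL certificate parser in cert-find"
+
+This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.
+---
+freeipa.spec.in | 2 --
+ipaserver/plugins/cert.py | 27 +++------------------------
+2 files changed, 3 insertions(+), 26 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -412,7 +412,6 @@ BuildRequires: python3-pylint
+BuildRequires: python3-pytest-multihost
+BuildRequires: python3-pytest-sourceorder
+BuildRequires: python3-qrcode-core >= 5.0.0
+-BuildRequires: python3-pyOpenSSL
+BuildRequires: python3-samba
+BuildRequires: python3-six
+BuildRequires: python3-sss
+@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
+Requires: python3-pyusb
+-Requires: python3-pyOpenSSL
+Requires: python3-qrcode-core >= 5.0.0
+Requires: python3-requests
+Requires: python3-six
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -30,7 +30,6 @@ import cryptography.x509
+from cryptography.hazmat.primitives import hashes, serialization
+from dns import resolver, reversename
+import six
+-import sys
+
+from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
+from ipalib import api
+@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
+)
+
+def _get_cert_key(self, cert):
+- # for cert-find with a certificate value
+- if isinstance(cert, x509.IPACertificate):
+- return (DN(cert.issuer), cert.serial_number)
+-
+- issuer = []
+- for oid, value in cert.get_issuer().get_components():
+- issuer.append(
+- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
+- )
+- issuer = ','.join(issuer)
+- # Use this to flip from OpenSSL reverse to X500 ordering
+- issuer = DN(issuer).x500_text()
+- return (DN(issuer), cert.get_serial_number())
++ return (DN(cert.issuer), cert.serial_number)
+
+def _cert_search(self, pkey_only, **options):
+result = collections.OrderedDict()
+@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
+return result, False, complete
+
+def _ldap_search(self, all, pkey_only, no_members, **options):
+- # defer import of the OpenSSL module to not affect the requests
+- # module which will use pyopenssl if this is available.
+- if sys.modules.get('OpenSSL.SSL', False) is None:
+- del sys.modules["OpenSSL.SSL"]
+- import OpenSSL.crypto
+ldap = self.api.Backend.ldap2
+
+filters = []
+@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):
+ca_enabled = getattr(context, 'ca_enabled')
+for entry in entries:
+for attr in ('usercertificate', 'usercertificate;binary'):
+- for der in entry.raw.get(attr, []):
+- cert = OpenSSL.crypto.load_certificate(
+- OpenSSL.crypto.FILETYPE_ASN1, der)
++ for cert in entry.get(attr, []):
+cert_key = self._get_cert_key(cert)
+try:
+obj = result[cert_key]
+except KeyError:
+- obj = {'serial_number': cert.get_serial_number()}
++ obj = {'serial_number': cert.serial_number}
+if not pkey_only and (all or not ca_enabled):
+# Retrieving certificate details is now deferred
+# until after all certificates are collected.
+# For the case of CA-less we need to keep
+# the certificate because getting it again later
+# would require unnecessary LDAP searches.
+- cert = cert.to_cryptography()
+obj['certificate'] = (
+base64.b64encode(
+cert.public_bytes(x509.Encoding.DER))
+--
+2.40.1
+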
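Review bot: The new patch file gives only the two reverted commit ids (918b6e01… and 50dd79d1…) and no reason for carrying the revert downstream, so a later maintainer cannot tell when it can be dropped; the description should state the motivation, presumably to avoid the python3-pyOpenSSL dependency that the freeipa.spec.in hunks remove, plus a link to the upstream issue or the CentOS Stream change it was synchronized from. Because the first reverted commit is titled "cert_find: fix call with --all", the revert may restore whatever `--all` failure that commit fixed, and the description should say how 4.10.2 handles that case. On the cert.py side the `_get_cert_key` and `_ldap_search` hunks are only excerpts, and both methods continue outside the hunks.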
@ -1,36 +0,0 @@
|
|||||||
From e07ead943abf070107a9669fc4564c9dc7518832 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 24 Mar 2023 09:39:03 +0200
|
|
||||||
Subject: [PATCH] ipalib/x509: Implement abstract method
|
|
||||||
Certificate.verify_directly_issued_by
|
|
||||||
|
|
||||||
Added in Python Cryptography 40.0
|
|
||||||
Thanks to @tiran for the code
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9355
|
|
||||||
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
|
||||||
---
|
|
||||||
ipalib/x509.py | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
|
||||||
index 3fcd3f424..ed2e8f1d8 100644
|
|
||||||
--- a/ipalib/x509.py
|
|
||||||
+++ b/ipalib/x509.py
|
|
||||||
@@ -405,6 +405,11 @@ class IPACertificate(crypto_x509.Certificate):
|
|
||||||
def tbs_precertificate_bytes(self):
|
|
||||||
return self._cert.tbs_precertificate_bytes
|
|
||||||
|
|
||||||
+ if hasattr(crypto_x509.Certificate, "verify_directly_issued_by"):
|
|
||||||
+ # added in python-cryptography 40.0
|
|
||||||
+ def verify_directly_issued_by(self, issuer):
|
|
||||||
+ return self._cert.verify_directly_issued_by(issuer)
|
|
||||||
+
|
|
||||||
|
|
||||||
def load_pem_x509_certificate(data):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.40.0
|
|
||||||
|
|
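--- a/freeipa.spec
+++ b/freeipa.spec
@@ -168,7 +168,7 @@
 # RHEL 8.7+, F35+
 %global sssd_version 2.7.1
 
-%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 2>/dev/null | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
 %global kdcproxy_version 0.4-3
 
 %if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
@@ -200,7 +200,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.10.1
+%define IPA_VERSION 4.10.2
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -213,7 +213,7 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 5%{?rc_version:.%rc_version}%{?dist}
+Release: 1%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPL-3.0-or-later
@@ -224,8 +224,7 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
 %endif
 
-# python-cryptography 40.0+ support
-Patch0: freeipa-issue-9355.patch
+Patch0: 0001-Revert-cert_find-fix-call-with-all.patch
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
@@ -684,6 +683,7 @@ Requires: jansson
 %endif
 Requires: sssd-ipa >= %{sssd_version}
 Requires: sssd-idp >= %{sssd_version}
+Requires: sssd-krb5 >= %{sssd_version}
 Requires: certmonger >= %{certmonger_version}
 Requires: nss-tools >= %{nss_version}
 Requires: bind-utils
@@ -1247,10 +1247,8 @@ if [ $1 -gt 1 ] ; then
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
 
 if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
-if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
-echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
-cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
-mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
+sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
 fi
 fi
 
@@ -1744,6 +1742,10 @@ fi
 %endif
 
 %changelog
+* Tue Jun 13 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.2-1
+- Upstream release FreeIPA 4.10.2
+- Synchronize patches with CentOS 9 Stream
+
 * Mon May 15 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.1-5
 - Support python-cryptography 40.0
 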
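Review bot: The client upgrade scriptlet in the `@@ -1247` hunk now deletes the `includedir /var/lib/sss/pubconf/krb5.include.d/` line from /etc/krb5.conf, where the previous code prepended it, yet neither a comment nor the new 4.10.2-1 changelog entry ("Upstream release", "Synchronize patches") records this edit to a live Kerberos configuration. A comment above the new condition, e.g. `# Remove the includedir line that earlier client builds prepended to /etc/krb5.conf`, and a changelog bullet such as `- Drop the sssd krb5.include.d includedir from /etc/krb5.conf on client upgrade` would make the intent reviewable; the enclosing `if [ $1 -gt 1 ]` block starts outside the hunk. The sed address `\;includedir /var/lib/sss/pubconf/krb5.include.d;d` is an unanchored substring match, so every line containing that path is removed, which is presumably intended but worth stating next to it. The `@@ -224` hunk likewise drops the `# python-cryptography 40.0+ support` comment without a replacement, leaving the new Patch0 line unexplained in the spec itself.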
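--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.10.1.tar.gz) = b06ff7d18aaf6345132eebba1cfe1b9653f71ba07e12f708a52253327961ff03eddd19b79bfdbee9d44f20f04d410fe860f2fd916e66c79fc6366ceb3f8ec5f2
-SHA512 (freeipa-4.10.1.tar.gz.asc) = cc1e795a5e953b9bdd5e68ccbd7a46da0ab9bf236b96e1a6eae41e3100ebc46cdd93414cbad89bc35c3bf87b518b9bad74b8e4858f42f12b37c5734e1edb5efc
+SHA512 (freeipa-4.10.2.tar.gz) = be5c1552ead25f9fd6f885687110e2017abdb16ca3047a4458129fe5f8437d3bbd97723b49650dafd770333b30a6cdbc7b0c26fdf0c522ec2b62d0df642ce768
+SHA512 (freeipa-4.10.2.tar.gz.asc) = 732a73326548103aa9133a8ca6c3e56101fb858a2746d4aa2799571bab20111b9be36f5991f1f433fed2e435698a583b9be3cfc14d0abb9808355c3c5ab19fc7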