import pki-core-10.10.5-2.module+el8.4.0+10466+9830f79e

CentOS Sources 2021-05-18 02:39:47 -04:00 committed by Andrew Lukoshko
parent 4a7a035137
commit 000d4583c5
5 changed files with 251 additions and 261 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/pki-10.9.4.tar.gz
SOURCES/pki-10.10.5.tar.gz


@ -1 +1 @@
dd0b6a1732c36077180769ba58ed11e659c0b621 SOURCES/pki-10.9.4.tar.gz
61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz


@ -1,4 +1,4 @@
From 8b3cb80954a932867c2d4d96eb1cced83fa78996 Mon Sep 17 00:00:00 2001
From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 13 Jan 2021 18:27:46 +1100
Subject: [PATCH] Fix renewal profile approval process
@ -48,10 +48,10 @@ Signed-off-by: Alexander Scheel <ascheel@redhat.com>
2 files changed, 79 insertions(+), 6 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 07f29fead..50292201b 100644
index 560507168a..431ce9ff78 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2962,6 +2962,16 @@ public class CertificateAuthority
@@ -1929,6 +1929,16 @@ public class CertificateAuthority
}
ProfileSubsystem ps = engine.getProfileSubsystem();
@ -69,13 +69,13 @@ index 07f29fead..50292201b 100644
CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
new ArgBlock(), profile, httpReq.getLocale());
diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 917c64856..75677b5e4 100644
index 4293cdd064..fd20f48267 100644
--- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -31,6 +31,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringUtils;
import org.dogtagpki.server.ca.CAEngine;
+import org.dogtagpki.server.authorization.AuthzToken;
import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
import org.mozilla.jss.netscape.security.x509.X509CertImpl;
@ -166,5 +166,5 @@ index 917c64856..75677b5e4 100644
// create and populate requests
///////////////////////////////////////////////
--
2.29.2
2.26.2


@ -1,80 +0,0 @@
From d17df6f22376753b5cd156f1b7f51837cae1f522 Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Mon, 22 Feb 2021 13:44:20 -0800
Subject: [PATCH] pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465)
Add suggested patch from stanislavlevin to solve this issue.
Also add f34 to the ipa tests,this time really add the tests.
Upon further review, back out of f34 tests until the infractructure
supports it.
Also hardcode tomcat app setting in spec file for the moment to
avoid possible glitches on certain platform.
Co-authored-by: Jack Magne <jmagne@localhost.localdomain>
---
.../com/netscape/cmscore/apps/CMSEngine.java | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
index 295c4d4cc..f40f99136 100644
--- a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -156,9 +156,8 @@ public class CMSEngine {
private static final int PW_OK =0;
//private static final int PW_BAD_SETUP = 1;
- private static final int PW_INVALID_PASSWORD = 2;
+ private static final int PW_INVALID_CREDENTIALS = 2;
private static final int PW_CANNOT_CONNECT = 3;
- private static final int PW_NO_USER = 4;
private static final int PW_MAX_ATTEMPTS = 3;
@@ -332,16 +331,16 @@ public class CMSEngine {
}
int iteration = 0;
- int result = PW_INVALID_PASSWORD;
+ int result = PW_INVALID_CREDENTIALS;
do {
String passwd = mPasswordStore.getPassword(tag, iteration);
result = testLDAPConnection(tag, connInfo, binddn, passwd);
iteration++;
- } while ((result == PW_INVALID_PASSWORD) && (iteration < PW_MAX_ATTEMPTS));
+ } while ((result == PW_INVALID_CREDENTIALS) && (iteration < PW_MAX_ATTEMPTS));
if (result != PW_OK) {
- if ((result == PW_NO_USER) && (tag.equals("replicationdb"))) {
+ if ((result == PW_INVALID_CREDENTIALS) && (tag.equals("replicationdb"))) {
logger.warn(
"CMSEngine: password test execution failed for replicationdb " +
"with NO_SUCH_USER. This may not be a latest instance. Ignoring ..");
@@ -364,7 +363,7 @@ public class CMSEngine {
int ret = PW_OK;
if (StringUtils.isEmpty(pwd)) {
- return PW_INVALID_PASSWORD;
+ return PW_INVALID_CREDENTIALS;
}
String host = info.getHost();
@@ -383,12 +382,9 @@ public class CMSEngine {
switch (e.getLDAPResultCode()) {
case LDAPException.NO_SUCH_OBJECT:
- logger.debug("CMSEngine: user does not exist: " + binddn);
- ret = PW_NO_USER;
- break;
case LDAPException.INVALID_CREDENTIALS:
- logger.debug("CMSEngine: invalid password");
- ret = PW_INVALID_PASSWORD;
+ logger.debug("CMSEngine: invalid credentials");
+ ret = PW_INVALID_CREDENTIALS;
break;
default:
logger.debug("CMSEngine: unable to connect to " + name + ": " + e.getMessage());
--
2.29.2


@ -6,15 +6,15 @@ Name: pki-core
%global brand Red Hat
Summary: %{brand} PKI Core Package
URL: http://www.dogtagpki.org/
URL: https://www.dogtagpki.org
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
Version: 10.9.4
Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.10.5
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -beta1
# To create a tarball from a version tag:
# $ git archive \
@ -36,8 +36,15 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
# [Errno 111] Connection refused -- Some packages may not be found!
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
Patch2: 0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
Patch2: 0001-Fix-renewal-profile-approval-process.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
# safest.
%if ! 0%{?rhel} || 0%{?rhel} > 8
ExcludeArch: i686
%endif
################################################################################
# NSS
@ -49,7 +56,7 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
# Python
################################################################################
%if 0%{?rhel}
%if 0%{?rhel} && 0%{?rhel} <= 8
%global python_executable /usr/libexec/platform-python
%else
%global python_executable /usr/bin/python3
@ -59,14 +66,15 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
# Java
################################################################################
%define java_home /usr/lib/jvm/jre-openjdk
%define java_devel java-devel
%define java_headless java-headless
%if 0%{?fedora} && 0%{?fedora} >= 33
%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
%define min_java_version 1:11
%define java_home /usr/lib/jvm/java-11-openjdk
%else
%define min_java_version 1:1.8.0
%define java_home /usr/lib/jvm/java-1.8.0-openjdk
%endif
################################################################################
@ -111,6 +119,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
%global with_base 1
# package_option server
%global with_server 1
# package_option acme
%global with_acme 1
# package_option ca
%global with_ca 1
# package_option kra
@ -130,6 +140,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
%define debug_package %{nil}
%endif
%bcond_without sdnotify
# ignore unpackaged files from native 'tpsclient'
# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
%define _unpackaged_files_terminate_build 0
@ -181,7 +193,7 @@ BuildRequires: ldapjdk >= 4.22.0
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
BuildRequires: apache-commons-lang
BuildRequires: apache-commons-lang3 >= 3.2
BuildRequires: apache-commons-net
BuildRequires: jakarta-commons-httpclient
BuildRequires: glassfish-jaxb-api
@ -201,7 +213,7 @@ BuildRequires: velocity
BuildRequires: xalan-j2
BuildRequires: xerces-j2
%if 0%{?rhel}
%if 0%{?rhel} && ! 0%{?eln}
BuildRequires: resteasy >= 3.0.26
%else
BuildRequires: jboss-annotations-1.2-api
@ -225,19 +237,22 @@ BuildRequires: python3-nss
BuildRequires: python3-requests >= 2.6.0
BuildRequires: python3-six
%if 0%{?rhel}
# no python3-pytest-runner
%else
%if 0%{?fedora} || 0%{?rhel} > 8
BuildRequires: python3-pytest-runner
%endif
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
BuildRequires: jss >= 4.7.0
BuildRequires: tomcatjss >= 7.5.0
BuildRequires: jss >= 4.8.1
BuildRequires: tomcatjss >= 7.6.1
# JNA is used to bind to libsystemd
%if %{with sdnotify}
BuildRequires: jna
%endif
BuildRequires: systemd-units
%if 0%{?rhel}
%if 0%{?rhel} && ! 0%{?eln}
BuildRequires: pki-servlet-engine
%else
BuildRequires: tomcat >= 1:9.0.7
@ -255,7 +270,7 @@ BuildRequires: zlib
BuildRequires: zlib-devel
# build dependency to build man pages
%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel}
%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8
BuildRequires: go-md2man
%else
BuildRequires: golang-github-cpuguy83-md2man
@ -281,6 +296,7 @@ to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
@ -305,6 +321,7 @@ Requires: %{vendor_id}-pki-console-theme = %{version}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages
Requires: pki-acme = %{version}
Requires: pki-ca = %{version}
Requires: pki-kra = %{version}
Requires: pki-ocsp = %{version}
@ -317,8 +334,10 @@ Requires: pki-console = %{version}
Requires: pki-javadoc = %{version}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI clients
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
%ifnarch s390 s390x
Requires: esc >= 1.1.1
%endif
# description for top-level package (unless there is a separate meta package)
%if "%{name}" == "%{vendor_id}-pki"
@ -332,6 +351,7 @@ to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
@ -350,7 +370,7 @@ Summary: PKI Symmetric Key Package
Requires: %java_headless >= %{min_java_version}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.7.0
Requires: jss >= 4.8.0
Requires: nss >= 3.38.0
# Ensure we end up with a useful installation
@ -394,13 +414,14 @@ BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
%if 0%{?fedora}
%if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki}
%endif
Requires: pki-base = %{version}-%{release}
Requires: python3 >= 3.5
Requires: python3-cryptography
Requires: python3-ldap
Requires: python3-lxml
Requires: python3-nss
Requires: python3-requests >= 2.6.0
@ -420,7 +441,7 @@ Requires: %java_headless >= %{min_java_version}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
Requires: apache-commons-lang
Requires: apache-commons-lang3 >= 3.2
Requires: apache-commons-logging
Requires: apache-commons-net
Requires: jakarta-commons-httpclient
@ -432,7 +453,7 @@ Requires: jss >= 4.7.0
Requires: ldapjdk >= 4.22.0
Requires: pki-base = %{version}-%{release}
%if 0%{?rhel}
%if 0%{?rhel} && 0%{?rhel} <= 8
Requires: resteasy >= 3.0.26
%else
Requires: resteasy-atom-provider >= 3.0.17-1
@ -442,7 +463,7 @@ Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
%if 0%{?fedora} && 0%{?fedora} >= 33
%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
Requires: jaxb-impl >= 2.3.3
Requires: jakarta-activation >= 1.2.2
%endif
@ -487,7 +508,6 @@ Summary: PKI Server Package
BuildArch: noarch
Requires: hostname
Requires: net-tools
Requires: policycoreutils
Requires: procps-ng
@ -500,15 +520,14 @@ Requires: keyutils
Requires: policycoreutils-python-utils
Requires: python3-ldap
Requires: python3-lxml
Requires: python3-libselinux
Requires: python3-policycoreutils
Requires: selinux-policy-targeted >= 3.13.1-159
%if 0%{?rhel}
Requires: pki-servlet-engine >= 1:9.0.7
%if 0%{?rhel} && ! 0%{?eln}
Requires: pki-servlet-engine
%else
Requires: tomcat >= 1:9.0.7
%endif
@ -520,7 +539,12 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 7.5.0
Requires: tomcatjss >= 7.6.1
# JNA is used to bind to libsystemd
%if %{with sdnotify}
Requires: jna
%endif
# pki-healthcheck depends on the following library
%if 0%{?rhel}
@ -544,18 +568,29 @@ Provides: bundled(js-patternfly) = 3.59.2
Provides: bundled(js-underscore) = 1.9.2
%description -n pki-server
The PKI Server Package contains libraries and utilities needed by the
following PKI subsystems:
the Certificate Authority (CA),
the Key Recovery Authority (KRA),
the Online Certificate Status Protocol (OCSP) Manager,
the Token Key Service (TKS), and
the Token Processing Service (TPS).
The PKI Server Package contains libraries and utilities needed by other
PKI subsystems.
# with server
%endif
%if %{with acme}
################################################################################
%package -n pki-acme
################################################################################
Summary: PKI ACME Package
BuildArch: noarch
Requires: pki-server = %{version}-%{release}
%description -n pki-acme
The PKI ACME responder is a service that provides an automatic certificate
management via ACME v2 protocol defined in RFC 8555.
# with acme
%endif
%if %{with ca}
################################################################################
%package -n pki-ca
@ -836,16 +871,10 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
# otherwise get <major> version number
java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
# get Tomcat <major>.<minor> version number
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
# assume tomcat app_server
app_server=tomcat-8.5
if [ $tomcat_version == "9.0" ]; then
app_server=tomcat-8.5
else
app_server=tomcat-$tomcat_version
fi
%if 0%{?rhel}
%if 0%{?rhel} && 0%{?rhel} <= 8
%{__mkdir_p} build
cd build
%endif
@ -855,9 +884,9 @@ cd build
-DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var \
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
-DJAVA_VERSION=%{java_version} \
-DJAVA_VERSION=${java_version} \
-DJAVA_HOME=%java_home \
-DPKI_JAVA_PATH=%java \
-DPKI_JAVA_PATH=%java_home/bin/java \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
@ -866,20 +895,27 @@ cd build
-DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \
-DBUILD_PKI_CORE:BOOL=ON \
-DPYTHON_EXECUTABLE=%{python_executable} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
%if ! %{with server} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps}
%if ! %{with server} && ! %{with acme} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps}
-DWITH_SERVER:BOOL=OFF \
%endif
-DWITH_CA:BOOL=%{?with_ca:ON}%{!?with_ca:OFF} \
-DWITH_KRA:BOOL=%{?with_kra:ON}%{!?with_kra:OFF} \
-DWITH_OCSP:BOOL=%{?with_ocsp:ON}%{!?with_ocsp:OFF} \
-DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
-DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
-DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
-DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \
%if 0%{?rhel}
%if 0%{?rhel} && 0%{?rhel} <= 8
..
%else
-B %{_vpath_builddir}
%endif
%if 0%{?fedora}
%if 0%{?fedora} || 0%{?rhel} > 8
cd %{_vpath_builddir}
%endif
@ -896,7 +932,7 @@ cd %{_vpath_builddir}
%install
################################################################################
%if 0%{?rhel}
%if 0%{?rhel} && 0%{?rhel} <= 8
cd build
%else
cd %{_vpath_builddir}
@ -1081,8 +1117,8 @@ fi
%files -n pki-tools
################################################################################
%license base/native-tools/LICENSE
%doc base/native-tools/doc/README
%license base/tools/LICENSE
%doc base/tools/doc/README
%{_bindir}/p7tool
%{_bindir}/pistool
%{_bindir}/pki
@ -1090,7 +1126,6 @@ fi
%{_bindir}/setpin
%{_bindir}/sslget
%{_bindir}/tkstool
%{_datadir}/pki/native-tools/
%{_bindir}/AtoB
%{_bindir}/AuditVerify
%{_bindir}/BtoA
@ -1115,7 +1150,7 @@ fi
%{_bindir}/PrettyPrintCrl
%{_bindir}/TokenInfo
%{_javadir}/pki/pki-tools.jar
%{_datadir}/pki/java-tools/
%{_datadir}/pki/tools/
%{_datadir}/pki/lib/p11-kit-trust.so
%{_mandir}/man1/AtoB.1.gz
%{_mandir}/man1/AuditVerify.1.gz
@ -1165,9 +1200,8 @@ fi
%{_sbindir}/pkidestroy
%{_sbindir}/pki-server
%{_sbindir}/pki-server-upgrade
%{python3_sitelib}/pki/server/
%{_sbindir}/pki-healthcheck
%{python3_sitelib}/pki/server/healthcheck/
%{python3_sitelib}/pki/server/
%{python3_sitelib}/pkihealthcheck-*.egg-info/
%config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
@ -1189,6 +1223,7 @@ fi
%dir %{_sharedstatedir}/pki
%{_mandir}/man1/pkidaemon.1.gz
%{_mandir}/man5/pki_default.cfg.5.gz
%{_mandir}/man5/pki_healthcheck.conf.5.gz
%{_mandir}/man5/pki-server-logging.5.gz
%{_mandir}/man8/pki-server-upgrade.8.gz
%{_mandir}/man8/pkidestroy.8.gz
@ -1208,12 +1243,25 @@ fi
%{_mandir}/man8/pki-healthcheck.8.gz
%{_datadir}/pki/setup/
%{_datadir}/pki/server/
%{_datadir}/pki/acme/
%{_javadir}/pki/pki-acme.jar
%if %{with sdnotify}
%{_javadir}/pki/pki-systemd.jar
%endif
# with server
%endif
%if %{with acme}
################################################################################
%files -n pki-acme
################################################################################
%{_javadir}/pki/pki-acme.jar
%{_datadir}/pki/acme/
# with acme
%endif
%if %{with ca}
################################################################################
%files -n pki-ca
@ -1221,12 +1269,7 @@ fi
%license base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/conf/
%{_datadir}/pki/ca/emails/
%{_datadir}/pki/ca/profiles/
%{_datadir}/pki/ca/setup/
%{_datadir}/pki/ca/webapps/
%{_datadir}/pki/ca/
# with ca
%endif
@ -1238,10 +1281,7 @@ fi
%license base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/conf/
%{_datadir}/pki/kra/setup/
%{_datadir}/pki/kra/webapps/
%{_datadir}/pki/kra/
# with kra
%endif
@ -1253,10 +1293,7 @@ fi
%license base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/conf/
%{_datadir}/pki/ocsp/setup/
%{_datadir}/pki/ocsp/webapps/
%{_datadir}/pki/ocsp/
# with ocsp
%endif
@ -1268,10 +1305,7 @@ fi
%license base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/conf/
%{_datadir}/pki/tks/setup/
%{_datadir}/pki/tks/webapps/
%{_datadir}/pki/tks/
# with tks
%endif
@ -1283,11 +1317,7 @@ fi
%license base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/applets/
%{_datadir}/pki/tps/conf/
%{_datadir}/pki/tps/setup/
%{_datadir}/pki/tps/webapps/
%{_datadir}/pki/tps/
%{_mandir}/man5/pki-tps-connector.5.gz
%{_mandir}/man5/pki-tps-profile.5.gz
%{_mandir}/man1/tpsclient.1.gz
@ -1365,199 +1395,239 @@ fi
################################################################################
%changelog
* Thu Mar 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-3
- Bug # 1933146 - PKI instance creation failed with new 389-ds-base build
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate
* Thu Feb 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-2
- CVE-2021-20179: Fix unprivileged users can renew any certificate
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
- Rebase to PKI 10.10.5
- Bug 1929067 - PKI instance creation failed with new 389-ds-base build
* Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
- Rebase to PKI 10.10.4
- Bug 1664435 - Error instantiating class for challenge_password with SCEP request
- Bug 1912418 - OCSP and TKS cloning failed due to duplicate replica ID
- Bug 1916686 - Memory leak during ACME performance test
- Bug 1919282 - ACME cert enrollment failed with HTTP 500
* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.3-1
- Rebase to PKI 10.10.3
- Bug 1584550 - CRMFPopClient: unexpected behavior with -y option when values are specified
- Bug 1590942 - CMCResponse treats -d as optional
- Bug 1890639 - Two-step installation with external certificates fails on HSM configured system
- Bug 1912493 - pkispawn reports incorrect FIPS mode
* Tue Dec 08 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.2-1
- Rebase to PKI 10.10.2
- Bug 1392616 - KRA key recovery cli kra-key-retrieve generates an invalid p12 file
- Bug 1897120 - pki-server cert-fix command failing
- Bug 1694664 - ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503)
* Tue Nov 17 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.1-1
- Rebase to PKI 10.10.1
- Bug 1843416 - kra-audit-mod fail with Invalid event configuration
- Bug 1889691 - ACME failed when run with more than 1 thread/connection
- Bug 1891577 - Sub-ordinate installation is failing with NullPointerException
* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.0-1
- Rebase to PKI 10.10.0
- Add workaround for missing capture_output in Python 3.6
- Fix JSS initialization in pki-server <subsystem>-user-cert-add
- Fix NPE in UGSubsystem.findUsersByKeyword()
- Bug 1787115 - Need Method to copy SKI from CSR to Certificate signed
- Bug 1875563 - Add KRA Transport and Storage Certificates profiles, audit for IPA
- Bug 1883996 - Inconsistent folders in pki-tools
* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.0-0.2.beta1
- Rebase to PKI 10.10.0-beta1
- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples
* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-1
- Rebased to PKI 10.9.4
- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
- Rebase to PKI 10.9.4
- Bug 1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
* Thu Sep 03 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.3-1
- Rebased to PKI 10.9.3
- Bug #1869893 - Common certificates are missing in CS.cfg on shared PKI instance
- Rebase to PKI 10.9.3
- Bug 1869893 - Common certificates are missing in CS.cfg on shared PKI instance
* Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-2
- Bug #1871064 - Replica install failing during pki-ca component configuration
- Bug 1871064 - Replica install failing during pki-ca component configuration
* Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-1
- Rebased to PKI 10.9.2
- Rebase to PKI 10.9.2
* Wed Aug 12 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-2
- Bug #1857933 - CA Installation is failing with ncipher v12.30 HSM
- Bug #1868233 - Disabling AIA and cert policy extensions in ACME examples
- Bug 1857933 - CA Installation is failing with ncipher v12.30 HSM
- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples
* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-1
- Rebased to PKI 10.9.1
- Bug #1426572 - Fix Secure connection issue when server is down
- Rebase to PKI 10.9.1
- Bug 1426572 - Fix Secure connection issue when server is down
* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-1
- Rebased to PKI 10.9.0
- Rebase to PKI 10.9.0
* Fri Jul 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.7
- Fixed pki kra-key-generate failure
- Fixed error handling in PKIRealm
* Tue Jul 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.7
- Fix pki kra-key-generate failure
- Fix error handling in PKIRealm
* Fri Jul 10 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.6
- Rebased to PKI 10.9.0-b4
- Rebase to PKI 10.9.0-b4
* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.4
- Rebased to PKI 10.9.0-b2
- Rebase to PKI 10.9.0-b2
* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.3
- Rebased to PKI 10.9.0-b1
- Rebase to PKI 10.9.0-b1
* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.1
- Rebased to PKI 10.9.0-a1
- Rebase to PKI 10.9.0-a1
* Tue Mar 03 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.3-1
- Rebased to PKI 10.8.3
- Bug #1809210 - TPS installation failure on HSM machine
- Bug #1807421 - Subordinate CA installation failed
- Bug #1806840 - KRA cloning with HSM failed
- Rebase to PKI 10.8.3
- Bug 1809210 - TPS installation failure on HSM machine
- Bug 1807421 - Subordinate CA installation failed
- Bug 1806840 - KRA cloning with HSM failed
* Wed Feb 19 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.2-2
- Bug #1795215 - pkispawn interactive installation failed
- Bug 1795215 - pkispawn interactive installation failed
* Mon Feb 17 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.2-1
- Rebased to PKI 10.8.2
- Bug #1802006 - KRA installation failed to create ECC admin cert
- Rebase to PKI 10.8.2
- Bug 1802006 - KRA installation failed to create ECC admin cert
* Mon Feb 10 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.1-1
- Rebased to PKI 10.8.1
- Rebase to PKI 10.8.1
* Fri Feb 07 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-1
- Rebased to PKI 10.8.0
- Rebase to PKI 10.8.0
* Thu Jan 16 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.5
- Rebased to PKI 10.8.0-b3
- Rebase to PKI 10.8.0-b3
* Fri Dec 13 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.4
- Rebased to PKI 10.8.0-b2
- Rebase to PKI 10.8.0-b2
* Wed Dec 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.3
- Rebased to PKI 10.8.0-b1
- Rebase to PKI 10.8.0-b1
* Fri Nov 22 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.2
- Rebased to PKI 10.8.0-a2
- Rebase to PKI 10.8.0-a2
* Thu Oct 31 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.1
- Rebased to PKI 10.8.0-a1
- Rebase to PKI 10.8.0-a1
* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.3-1
- Rebased to PKI 10.7.3
- Bug #1698084 - pkidestroy not working as expected
- Bug #1468050 and Bug #1448235 - Support AES for LWCA key replication
- Rebase to PKI 10.7.3
- Bug 1698084 - pkidestroy not working as expected
- Bug 1468050 and Bug #1448235 - Support AES for LWCA key replication
* Tue Jul 23 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.2-1
- Rebased to PKI 10.7.2
- Bug #1721340 - TPS installation failure
- Bug #1248216 - Incorrect pkidaemon status
- Bug #1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid
- Bug #1698059 - pki-core implements crypto
- Rebase to PKI 10.7.2
- Bug 1721340 - TPS installation failure
- Bug 1248216 - Incorrect pkidaemon status
- Bug 1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid
- Bug 1698059 - pki-core implements crypto
* Thu Jun 13 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.1-2
- Fixed cloning issue
- Fixed TPS installation issue
- Fix cloning issue
- Fix TPS installation issue
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.1-1
- Rebased to PKI 10.7.1
- Rebase to PKI 10.7.1
* Wed Apr 24 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.0-1
- Rebased to PKI 10.7.0
- Rebase to PKI 10.7.0
* Mon Jan 28 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.9-2
- Bug #1652269 - Replace Nuxwdog
- Bug 1652269 - Replace Nuxwdog
* Mon Jan 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.9-1
- Rebased to PKI 10.6.9
- Bug #1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding
- Bug #1652269 - Replace Nuxwdog
- Bug #1656856 - Need Method to Include SKI in CA Signing Certificate Request
- Rebase to PKI 10.6.9
- Bug 1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding
- Bug 1652269 - Replace Nuxwdog
- Bug 1656856 - Need Method to Include SKI in CA Signing Certificate Request
* Thu Nov 29 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.8-1
- Rebased to PKI 10.6.8
- Bug #1602659 - Fix issues found by covscan
- Bug #1566360 - Fix missing serial number from pki-server subsystem-cert-find
- Rebase to PKI 10.6.8
- Bug 1602659 - Fix issues found by covscan
- Bug 1566360 - Fix missing serial number from pki-server subsystem-cert-find
* Fri Oct 26 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-3
- Bug #1643101 - Fix problems due to token normalization
- Bug 1643101 - Fix problems due to token normalization
* Tue Oct 23 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-2
- Bug #1623444 - Fix Python KeyClient KeyRequestResponse parsing
- Bug 1623444 - Fix Python KeyClient KeyRequestResponse parsing
* Fri Oct 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-1
- Rebased to PKI 10.6.7
- Rebase to PKI 10.6.7
* Fri Aug 24 2018 Alexander Bokovoy <abokovoy@redhat.com> 10.6.6-3
- Build on s390x
* Wed Aug 22 2018 Alexander Bokovoy <abokovoy@redhat.com> 10.6.6-2
- Use platform-python interpreter
- Bug #1620066 - pkispawn crashes as /usr/bin/python3 does not exist
- Bug 1620066 - pkispawn crashes as /usr/bin/python3 does not exist
* Mon Aug 13 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.6-1
- Rebased to PKI 10.6.6
- Rebase to PKI 10.6.6
* Wed Aug 08 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.5-1
- Rebased to PKI 10.6.5
- Rebase to PKI 10.6.5
* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-4
- Bug #1612063 - Do not override system crypto policy (support TLS 1.3)
- Bug 1612063 - Do not override system crypto policy (support TLS 1.3)
* Wed Aug 01 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-3
- Patch PKI to use Jackson 2 and avoid Jackson 1 dependency.
Add direct dependency on slf4j-jdk14.
* Tue Jul 31 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-2
- Updated Jackson and RESTEasy dependencies
- Update Jackson and RESTEasy dependencies
* Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-1
- Rebased to PKI 10.6.4
- Rebase to PKI 10.6.4
* Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.3-1
- Rebased to PKI 10.6.3
- Rebase to PKI 10.6.3
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> 10.6.2-4
- Rebuilt for Python 3.7
- Rebuild for Python 3.7
* Thu Jun 28 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.2-3
- Fixed macro expressions
- Bug #1566606 - pki-core: Switch to Python 3
- Bug #1590467 - pki-core: Drop pylint dependency from RHEL 8
- Fix macro expressions
- Bug 1566606 - pki-core: Switch to Python 3
- Bug 1590467 - pki-core: Drop pylint dependency from RHEL 8
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> 10.6.2-2
- Rebuilt for Python 3.7
- Rebuild for Python 3.7
* Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.2-1
- Rebased to PKI 10.6.2
- Rebase to PKI 10.6.2
* Wed May 30 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-3
- Updated JSS dependency
- Updated Tomcat dependency
- Fixed rpmlint warnings
- Update JSS dependency
- Update Tomcat dependency
- Fix rpmlint warnings
* Fri May 04 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-2
- Bug #1574711 - pki-tools cannot be installed on current Rawhide
- Fixed rpmlint warnings
- Bug 1574711 - pki-tools cannot be installed on current Rawhide
- Fix rpmlint warnings
* Thu May 03 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-1
- Rebased to PKI 10.6.1
- Bug #1559047 - pki-core misses a dependency to pki-symkey
- Bug #1573094 - FreeIPA external CA installation fails
- Rebase to PKI 10.6.1
- Bug 1559047 - pki-core misses a dependency to pki-symkey
- Bug 1573094 - FreeIPA external CA installation fails
* Wed Apr 11 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-1
- Updated project URL and package descriptions
- Cleaned up spec file
- Rebased to PKI 10.6.0 final
- Update project URL and package descriptions
- Clean up spec file
- Rebase to PKI 10.6.0 final
* Thu Mar 29 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-0.3
- Iryna Shcherbina <ishcherb@redhat.com>: Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
- Rebased to PKI 10.6.0 beta2
- Rebase to PKI 10.6.0 beta2
* Thu Mar 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-0.2
- Rebased to PKI 10.6.0 beta
- Rebase to PKI 10.6.0 beta
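Review bot: The version floor on the servlet engine appears to be gone from the RHEL branch of the pki-server runtime dependencies: the line under `%if 0%{?rhel} && ! 0%{?eln}` reads `Requires: pki-servlet-engine`, while the `%else` branch keeps `Requires: tomcat >= 1:9.0.7`, so on RHEL the package manager would accept whatever servlet-engine build is already installed. The rendered page has lost the `+`/`-` column, so this reading rests on the hunk's line counts. If it is right, keep the floor as `Requires: pki-servlet-engine >= 1:9.0.7`, or add a comment above the line saying why the constraint was dropped. The JSS constraints show a similar gap: the build needs `jss >= 4.8.1`, pki-symkey requires `jss >= 4.8.0`, and the context line of a later hunk still shows `Requires: jss >= 4.7.0`, so jars built against 4.8.1 could presumably be installed next to an older library.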