import pki-core-10.12.0-4.module+el8.7.0+16126+c5918a27

This commit is contained in:
CentOS Sources 2022-11-08 01:36:51 -05:00 committed by Stepan Oksanichenko
parent 6dca348454
commit 0da6891e35
3 changed files with 356 additions and 149 deletions


@ -0,0 +1,145 @@
From 039b3453d17bb5666d4b7a4eacc6a014703416c7 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Fri, 10 Jun 2022 17:25:07 +0100
Subject: [PATCH] Disable access to external entities when parsing XML
This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.
The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.
---
.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
.../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
.../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
.../src/test/java/com/netscape/test/TestListener.java | 5 ++++-
4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index bdd485e89a..07fae1ad50 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -24,6 +24,7 @@ import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
XMLObject xmlObject = convertDomainInfoToXMLObject(before);
Document document = xmlObject.getDocument();
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
index 2a02d722a1..d9ac572747 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
@@ -41,6 +41,7 @@ public class ServerXml {
ServerXml serverXml = new ServerXml();
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(filename);
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
index 81fdbf4b2e..1043bcb477 100644
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
@@ -25,6 +25,7 @@ import java.io.OutputStream;
import java.io.StringWriter;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +57,7 @@ public class XMLObject {
public XMLObject(InputStream s)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(s);
}
@@ -63,6 +65,7 @@ public class XMLObject {
public XMLObject(File f)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(f);
}
@@ -159,6 +162,8 @@ public class XMLObject {
public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(bos);
@@ -169,6 +174,8 @@ public class XMLObject {
public void output(OutputStream os)
throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(os);
@@ -177,6 +184,8 @@ public class XMLObject {
public String toXMLString() throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
StreamResult dest = new StreamResult(new StringWriter());
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
index 3181d53dc8..ac5d6e0f42 100644
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -22,7 +23,6 @@ import org.junit.runner.Description;
import org.junit.runner.Result;
import org.junit.runner.notification.Failure;
import org.junit.runner.notification.RunListener;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
@@ -64,9 +64,12 @@ public class TestListener extends RunListener {
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
docBuilderFactory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilder = docBuilderFactory.newDocumentBuilder();
transFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
trans = transFactory.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");
--
2.35.1
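Review bot: The `TransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` / `ACCESS_EXTERNAL_STYLESHEET` calls added in SecurityDomainProcessor, in XMLObject.toByteArray, output and toXMLString, and in TestListener throw an unchecked `IllegalArgumentException` when the implementation that `TransformerFactory.newInstance()` resolves to does not recognise these JAXP 1.5 attributes, which the declared `TransformerConfigurationException` does not cover; the spec file in this same commit lists `xerces-j2` among the runtime requirements, so it is worth confirming which TransformerFactory implementation wins on the classpath before relying on these attributes being accepted. On the parsing side, `http://apache.org/xml/features/disallow-doctype-decl` is an Apache/Xerces feature name rather than a JAXP constant, and a parser that does not know it will reject it with `ParserConfigurationException` at the `setFeature` call; pairing it with the portable `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` in the ServerXml hunk and in both XMLObject constructors keeps entity-expansion limits in place if a different parser is picked up (ServerXml would need the `javax.xml.XMLConstants` import the other files add). The XMLObject hunks harden only the InputStream and File constructors; if the class has another parsing entry point outside these hunks it needs the same feature. The TestListener hunk refers to `factory` and `tranFactory`, names the surrounding code does not declare, which the second patch in this commit corrects.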


@ -0,0 +1,32 @@
From af9d5ee1e57b128603974595e26feb3effe05c87 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Thu, 14 Jul 2022 16:49:25 +0100
Subject: [PATCH] Fix accidental renaming of factories in conflict resolution.
---
base/util/src/test/java/com/netscape/test/TestListener.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
index ac5d6e0f42..56b7793f61 100644
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
@@ -64,12 +64,12 @@ public class TestListener extends RunListener {
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
docBuilderFactory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilder = docBuilderFactory.newDocumentBuilder();
transFactory = TransformerFactory.newInstance();
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
trans = transFactory.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");
--
2.35.1


@ -2,10 +2,10 @@
Name: pki-core Name: pki-core
################################################################################ ################################################################################
%global vendor_id redhat %global product_name IDM PKI
%global brand Red Hat %global product_id idm-pki
Summary: %{brand} PKI Core Package Summary: %{product_name} Package
URL: https://www.dogtagpki.org URL: https://www.dogtagpki.org
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2 License: GPLv2 and LGPLv2
@ -13,10 +13,9 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>. # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1. # For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.12.0 Version: 10.12.0
Release: 2%{?_timestamp}%{?_commit_id}%{?dist} Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1 #global _phase -alpha1
# To create a tarball from a version tag: # To create a tarball from a version tag:
# $ git archive \ # $ git archive \
# --format=tar.gz \ # --format=tar.gz \
@ -32,13 +31,14 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# > pki-VERSION-RELEASE.patch # > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch
Patch: 0001-Fix-pki-healthcheck-for-clones.patch Patch0: 0001-Fix-pki-healthcheck-for-clones.patch
Patch1: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
Patch2: 0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib # md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java) # compatible (https://fedoraproject.org/wiki/Packaging:Java)
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems # md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
# safest. %if ! 0%{?rhel} || 0%{?rhel} >= 8
%if ! 0%{?rhel} || 0%{?rhel} > 8
ExcludeArch: i686 ExcludeArch: i686
%endif %endif
@ -256,13 +256,13 @@ BuildRequires: nss-tools
BuildRequires: openssl BuildRequires: openssl
# description for top-level package (if there is a separate meta package) # description for top-level package (if there is a separate meta package)
%if "%{name}" != "%{vendor_id}-pki" %if "%{name}" != "%{product_id}"
%description %description
%{brand} PKI is an enterprise software system designed %{product_name} is an enterprise software system designed
to manage enterprise Public Key Infrastructure deployments. to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components: %{product_name} consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder * Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA) * Certificate Authority (CA)
@ -274,32 +274,32 @@ PKI consists of the following components:
%endif %endif
%if %{with meta} %if %{with meta}
%if "%{name}" != "%{vendor_id}-pki" %if "%{name}" != "%{product_id}"
################################################################################ ################################################################################
%package -n %{vendor_id}-pki %package -n %{product_id}
################################################################################ ################################################################################
Summary: %{brand} PKI Package Summary: %{product_name} Package
%endif %endif
# Make certain that this 'meta' package requires the latest version(s) # Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI theme packages # of ALL PKI theme packages
Requires: %{vendor_id}-pki-server-theme = %{version}-%{release} Requires: %{product_id}-server-theme = %{version}-%{release}
Requires: %{vendor_id}-pki-console-theme = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s) # Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages # of ALL PKI core packages
Requires: pki-acme = %{version}-%{release} Requires: %{product_id}-acme = %{version}-%{release}
Requires: pki-ca = %{version}-%{release} Requires: %{product_id}-ca = %{version}-%{release}
Requires: pki-kra = %{version}-%{release} Requires: %{product_id}-kra = %{version}-%{release}
Requires: pki-ocsp = %{version}-%{release} Requires: %{product_id}-ocsp = %{version}-%{release}
Requires: pki-tks = %{version}-%{release} Requires: %{product_id}-tks = %{version}-%{release}
Requires: pki-tps = %{version}-%{release} Requires: %{product_id}-tps = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s) # Make certain that this 'meta' package requires the latest version(s)
# of PKI console # of PKI console
Requires: pki-console = %{version}-%{release} Requires: %{product_id}-console = %{version}-%{release}
Requires: pki-javadoc = %{version}-%{release} Requires: %{product_id}-javadoc = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s) # Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built # of ALL PKI clients -- except for s390/s390x where 'esc' is not built
@ -308,16 +308,16 @@ Requires: esc >= 1.1.1
%endif %endif
# description for top-level package (unless there is a separate meta package) # description for top-level package (unless there is a separate meta package)
%if "%{name}" == "%{vendor_id}-pki" %if "%{name}" == "%{product_id}"
%description %description
%else %else
%description -n %{vendor_id}-pki %description -n %{product_id}
%endif %endif
%{brand} PKI is an enterprise software system designed %{product_name} is an enterprise software system designed
to manage enterprise Public Key Infrastructure deployments. to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components: %{product_name} consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder * Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA) * Certificate Authority (CA)
@ -331,10 +331,13 @@ PKI consists of the following components:
%if %{with base} %if %{with base}
################################################################################ ################################################################################
%package -n pki-symkey %package -n %{product_id}-symkey
################################################################################ ################################################################################
Summary: PKI Symmetric Key Package Summary: %{product_name} Symmetric Key Package
Obsoletes: pki-symkey < %{version}-%{release}
Provides: pki-symkey = %{version}-%{release}
Requires: %{java_headless} Requires: %{java_headless}
Requires: jpackage-utils >= 0:1.7.5-10 Requires: jpackage-utils >= 0:1.7.5-10
@ -347,15 +350,14 @@ Conflicts: pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} Conflicts: pki-server-theme < %{version}
Conflicts: pki-console-theme < %{version} Conflicts: pki-console-theme < %{version}
%description -n pki-symkey %description -n %{product_id}-symkey
The PKI Symmetric Key Java Package supplies various native This package provides library for symmetric key operations.
symmetric key operations to Java programs.
################################################################################ ################################################################################
%package -n pki-base %package -n %{product_id}-base
################################################################################ ################################################################################
Summary: PKI Base Package Summary: %{product_name} Base Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-base < %{version}-%{release} Obsoletes: pki-base < %{version}-%{release}
@ -372,25 +374,27 @@ Conflicts: pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} Conflicts: pki-server-theme < %{version}
Conflicts: pki-console-theme < %{version} Conflicts: pki-console-theme < %{version}
%description -n pki-base %description -n %{product_id}-base
The PKI Base Package contains the common and client libraries and utilities This package provides default configuration files for %{product_name} client.
written in Python.
################################################################################ ################################################################################
%package -n python3-pki %package -n python3-%{product_id}
################################################################################ ################################################################################
Summary: PKI Python 3 Package Summary: %{product_name} Python 3 Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-base-python3 < %{version} Obsoletes: python3-pki < %{version}-%{release}
Provides: python3-pki = %{version}-%{release}
Obsoletes: pki-base-python3 < %{version}-%{release}
Provides: pki-base-python3 = %{version}-%{release} Provides: pki-base-python3 = %{version}-%{release}
%if 0%{?fedora} || 0%{?rhel} > 8 %if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki} %{?python_provide:%python_provide python3-pki}
%endif %endif
Requires: pki-base = %{version}-%{release} Requires: %{product_id}-base = %{version}-%{release}
Requires: python3 >= 3.5 Requires: python3 >= 3.5
Requires: python3-cryptography Requires: python3-cryptography
Requires: python3-ldap Requires: python3-ldap
@ -401,14 +405,14 @@ Requires: python3-six
Recommends: python3-nss Recommends: python3-nss
%endif %endif
%description -n python3-pki %description -n python3-%{product_id}
This package contains PKI client library for Python 3. This package provides common and client library for Python 3.
################################################################################ ################################################################################
%package -n pki-base-java %package -n %{product_id}-base-java
################################################################################ ################################################################################
Summary: PKI Base Java Package Summary: %{product_name} Base Java Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-base-java < %{version}-%{release} Obsoletes: pki-base-java < %{version}-%{release}
@ -427,7 +431,7 @@ Requires: slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10 Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.9.0, jss < 5.0.0 Requires: jss >= 4.9.0, jss < 5.0.0
Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0 Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
Requires: pki-base = %{version}-%{release} Requires: %{product_id}-base = %{version}-%{release}
%if 0%{?rhel} && 0%{?rhel} <= 8 %if 0%{?rhel} && 0%{?rhel} <= 8
Requires: resteasy >= 3.0.26 Requires: resteasy >= 3.0.26
@ -448,38 +452,40 @@ Requires: xerces-j2
Requires: xml-commons-apis Requires: xml-commons-apis
Requires: xml-commons-resolver Requires: xml-commons-resolver
%description -n pki-base-java %description -n %{product_id}-base-java
The PKI Base Java Package contains the common and client libraries and utilities This package provides common and client libraries for Java.
written in Java.
################################################################################ ################################################################################
%package -n pki-tools %package -n %{product_id}-tools
################################################################################ ################################################################################
Summary: PKI Tools Package Summary: %{product_name} Tools Package
Obsoletes: pki-tools < %{version}-%{release}
Provides: pki-tools = %{version}-%{release}
Requires: openldap-clients Requires: openldap-clients
Requires: nss-tools >= 3.36.1 Requires: nss-tools >= 3.36.1
Requires: pki-base-java = %{version}-%{release} Requires: %{product_id}-base-java = %{version}-%{release}
Requires: p11-kit-trust Requires: p11-kit-trust
# PKICertImport depends on certutil and openssl # PKICertImport depends on certutil and openssl
Requires: nss-tools Requires: nss-tools
Requires: openssl Requires: openssl
%description -n pki-tools %description -n %{product_id}-tools
This package contains PKI executables that can be used to help make This package provides tools that can be used to help make
Certificate System into a more complete and robust PKI solution. %{product_name} into a more complete and robust PKI solution.
# with base # with base
%endif %endif
%if %{with server} %if %{with server}
################################################################################ ################################################################################
%package -n pki-server %package -n %{product_id}-server
################################################################################ ################################################################################
Summary: PKI Server Package Summary: %{product_name} Server Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-server < %{version}-%{release} Obsoletes: pki-server < %{version}-%{release}
@ -491,8 +497,8 @@ Requires: policycoreutils
Requires: procps-ng Requires: procps-ng
Requires: openldap-clients Requires: openldap-clients
Requires: openssl Requires: openssl
Requires: pki-symkey = %{version}-%{release} Requires: %{product_id}-symkey = %{version}-%{release}
Requires: pki-tools = %{version}-%{release} Requires: %{product_id}-tools = %{version}-%{release}
Requires: keyutils Requires: keyutils
@ -539,25 +545,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7
Provides: bundled(js-patternfly) = 3.59.2 Provides: bundled(js-patternfly) = 3.59.2
Provides: bundled(js-underscore) = 1.9.2 Provides: bundled(js-underscore) = 1.9.2
%description -n pki-server %description -n %{product_id}-server
The PKI Server Package contains libraries and utilities needed by other This package provides libraries and utilities needed by %{product_name} services.
PKI subsystems.
# with server # with server
%endif %endif
%if %{with acme} %if %{with acme}
################################################################################ ################################################################################
%package -n pki-acme %package -n %{product_id}-acme
################################################################################ ################################################################################
Summary: PKI ACME Package Summary: %{product_name} ACME Package
BuildArch: noarch BuildArch: noarch
Requires: pki-server = %{version}-%{release} Obsoletes: pki-acme < %{version}-%{release}
Provides: pki-acme = %{version}-%{release}
%description -n pki-acme Requires: %{product_id}-server = %{version}-%{release}
The PKI ACME responder is a service that provides an automatic certificate
%description -n %{product_id}-acme
%{product_name} ACME responder is a service that provides an automatic certificate
management via ACME v2 protocol defined in RFC 8555. management via ACME v2 protocol defined in RFC 8555.
# with acme # with acme
@ -565,19 +573,22 @@ management via ACME v2 protocol defined in RFC 8555.
%if %{with ca} %if %{with ca}
################################################################################ ################################################################################
%package -n pki-ca %package -n %{product_id}-ca
################################################################################ ################################################################################
Summary: PKI CA Package Summary: %{product_name} CA Package
BuildArch: noarch BuildArch: noarch
Requires: pki-server = %{version}-%{release} Obsoletes: pki-ca < %{version}-%{release}
Provides: pki-ca = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%description -n pki-ca %description -n %{product_id}-ca
The Certificate Authority (CA) is a required PKI subsystem which issues, %{product_name} Certificate Authority (CA) is a required subsystem which issues,
renews, revokes, and publishes certificates as well as compiling and renews, revokes, and publishes certificates as well as compiling and
publishing Certificate Revocation Lists (CRLs). publishing Certificate Revocation Lists (CRLs).
@ -590,19 +601,22 @@ where it obtains its own signing certificate from a public CA.
%if %{with kra} %if %{with kra}
################################################################################ ################################################################################
%package -n pki-kra %package -n %{product_id}-kra
################################################################################ ################################################################################
Summary: PKI KRA Package Summary: %{product_name} KRA Package
BuildArch: noarch BuildArch: noarch
Requires: pki-server = %{version}-%{release} Obsoletes: pki-kra < %{version}-%{release}
Provides: pki-kra = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%description -n pki-kra %description -n %{product_id}-kra
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act %{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act
as a key archival facility. When configured in conjunction with the as a key archival facility. When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process. The key archival mechanism is triggered the certificate enrollment process. The key archival mechanism is triggered
@ -621,19 +635,22 @@ since such archival would undermine non-repudiation properties of signing keys.
%if %{with ocsp} %if %{with ocsp}
################################################################################ ################################################################################
%package -n pki-ocsp %package -n %{product_id}-ocsp
################################################################################ ################################################################################
Summary: PKI OCSP Package Summary: %{product_name} OCSP Package
BuildArch: noarch BuildArch: noarch
Requires: pki-server = %{version}-%{release} Obsoletes: pki-ocsp < %{version}-%{release}
Provides: pki-ocsp = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%description -n pki-ocsp %description -n %{product_id}-ocsp
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI %{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional
subsystem that can act as a stand-alone OCSP service. The OCSP Manager subsystem that can act as a stand-alone OCSP service. The OCSP Manager
performs the task of an online certificate validation authority by enabling performs the task of an online certificate validation authority by enabling
OCSP-compliant clients to do real-time verification of certificates. Note OCSP-compliant clients to do real-time verification of certificates. Note
@ -659,19 +676,22 @@ whenever they are issued or updated.
%if %{with tks} %if %{with tks}
################################################################################ ################################################################################
%package -n pki-tks %package -n %{product_id}-tks
################################################################################ ################################################################################
Summary: PKI TKS Package Summary: %{product_name} TKS Package
BuildArch: noarch BuildArch: noarch
Requires: pki-server = %{version}-%{release} Obsoletes: pki-tks < %{version}-%{release}
Provides: pki-tks = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%description -n pki-tks %description -n %{product_id}-tks
The Token Key Service (TKS) is an optional PKI subsystem that manages the %{product_name} Token Key Service (TKS) is an optional subsystem that manages the
master key(s) and the transport key(s) required to generate and distribute master key(s) and the transport key(s) required to generate and distribute
keys for hardware tokens. TKS provides the security between tokens and an keys for hardware tokens. TKS provides the security between tokens and an
instance of Token Processing System (TPS), where the security relies upon the instance of Token Processing System (TPS), where the security relies upon the
@ -691,12 +711,15 @@ behind the firewall with restricted access.
%if %{with tps} %if %{with tps}
################################################################################ ################################################################################
%package -n pki-tps %package -n %{product_id}-tps
################################################################################ ################################################################################
Summary: PKI TPS Package Summary: %{product_name} TPS Package
Requires: pki-server = %{version}-%{release} Obsoletes: pki-tps < %{version}-%{release}
Provides: pki-tps = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
@ -707,8 +730,8 @@ Requires(postun): systemd-units
Requires: nss-tools >= 3.36.1 Requires: nss-tools >= 3.36.1
Requires: openldap-clients Requires: openldap-clients
%description -n pki-tps %description -n %{product_id}-tps
The Token Processing System (TPS) is an optional PKI subsystem that acts %{product_name} Token Processing System (TPS) is an optional subsystem that acts
as a Registration Authority (RA) for authenticating and processing as a Registration Authority (RA) for authenticating and processing
enrollment requests, PIN reset requests, and formatting requests from enrollment requests, PIN reset requests, and formatting requests from
the Enterprise Security Client (ESC). the Enterprise Security Client (ESC).
@ -732,10 +755,10 @@ smart card.
%if %{with javadoc} %if %{with javadoc}
################################################################################ ################################################################################
%package -n pki-javadoc %package -n %{product_id}-javadoc
################################################################################ ################################################################################
Summary: PKI Javadoc Package Summary: %{product_name} Javadoc Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-javadoc < %{version}-%{release} Obsoletes: pki-javadoc < %{version}-%{release}
@ -747,18 +770,18 @@ Conflicts: pki-symkey < %{version}
Conflicts: pki-server-theme < %{version} Conflicts: pki-server-theme < %{version}
Conflicts: pki-console-theme < %{version} Conflicts: pki-console-theme < %{version}
%description -n pki-javadoc %description -n %{product_id}-javadoc
This package contains PKI API documentation. This package provides %{product_name} API documentation.
# with javadoc # with javadoc
%endif %endif
%if %{with console} %if %{with console}
################################################################################ ################################################################################
%package -n pki-console %package -n %{product_id}-console
################################################################################ ################################################################################
Summary: PKI Console Package Summary: %{product_name} Console Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-console < %{version}-%{release} Obsoletes: pki-console < %{version}-%{release}
@ -767,21 +790,21 @@ Provides: pki-console = %{version}-%{release}
BuildRequires: idm-console-framework >= 1.2.0 BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0 Requires: idm-console-framework >= 1.2.0
Requires: pki-base-java = %{version}-%{release} Requires: %{product_id}-base-java = %{version}-%{release}
Requires: pki-console-theme = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release}
%description -n pki-console %description -n %{product_id}-console
The PKI Console is a Java application used to administer PKI server. %{product_name} Console is a Java application used to administer %{product_name} Server.
# with console # with console
%endif %endif
%if %{with theme} %if %{with theme}
################################################################################ ################################################################################
%package -n %{vendor_id}-pki-server-theme %package -n %{product_id}-server-theme
################################################################################ ################################################################################
Summary: %{brand} PKI Server Theme Package Summary: %{product_name} Server Theme Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-server-theme < %{version}-%{release} Obsoletes: pki-server-theme < %{version}-%{release}
@ -793,15 +816,14 @@ Conflicts: pki-symkey < %{version}
Conflicts: pki-console-theme < %{version} Conflicts: pki-console-theme < %{version}
Conflicts: pki-javadoc < %{version} Conflicts: pki-javadoc < %{version}
%description -n %{vendor_id}-pki-server-theme %description -n %{product_id}-server-theme
This PKI Server Theme Package contains This package provides theme files for %{product_name} Server.
%{brand} textual and graphical user interface for PKI Server.
################################################################################ ################################################################################
%package -n %{vendor_id}-pki-console-theme %package -n %{product_id}-console-theme
################################################################################ ################################################################################
Summary: %{brand} PKI Console Theme Package Summary: %{product_name} Console Theme Package
BuildArch: noarch BuildArch: noarch
Obsoletes: pki-console-theme < %{version}-%{release} Obsoletes: pki-console-theme < %{version}-%{release}
@ -813,23 +835,28 @@ Conflicts: pki-symkey < %{version}
Conflicts: pki-server-theme < %{version} Conflicts: pki-server-theme < %{version}
Conflicts: pki-javadoc < %{version} Conflicts: pki-javadoc < %{version}
%description -n %{vendor_id}-pki-console-theme %description -n %{product_id}-console-theme
This PKI Console Theme Package contains This package provides theme files for %{product_name} Console.
%{brand} textual and graphical user interface for PKI Console.
# with theme # with theme
%endif %endif
%if %{with tests} %if %{with tests}
################################################################################ ################################################################################
%package -n pki-tests %package -n %{product_id}-tests
################################################################################ ################################################################################
Summary: PKI Tests Summary: %{product_name} Tests
BuildArch: noarch BuildArch: noarch
%description -n pki-tests Obsoletes: pki-tests < %{version}-%{release}
This package contains PKI test suite. Provides: pki-tests = %{version}-%{release}
Requires: python3-pylint
Requires: python3-flake8
%description -n %{product_id}-tests
This package provides test suite for %{product_name}.
# with tests # with tests
%endif %endif
@ -887,7 +914,7 @@ cd build
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \ -DTHEME=%{?with_theme:%{theme}} \
%if 0%{?rhel} && 0%{?rhel} <= 8 %if 0%{?rhel} && 0%{?rhel} <= 8
.. ..
%else %else
@ -934,7 +961,7 @@ ctest --output-on-failure
cat > %{buildroot}%{_datadir}/doc/pki/README << EOF cat > %{buildroot}%{_datadir}/doc/pki/README << EOF
This package is a "meta-package" whose dependencies pull in all of the This package is a "meta-package" whose dependencies pull in all of the
packages comprising the %{brand} Public Key Infrastructure (PKI) Suite. packages comprising the %{product_name} Suite.
EOF EOF
# with meta # with meta
@ -964,7 +991,7 @@ ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroo
%if %{with server} %if %{with server}
%pre -n pki-server %pre -n %{product_id}-server
getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
if ! getent passwd %{pki_username} >/dev/null ; then if ! getent passwd %{pki_username} >/dev/null ; then
useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
@ -976,7 +1003,7 @@ exit 0
%if %{with base} %if %{with base}
%post -n pki-base %post -n %{product_id}-base
if [ $1 -eq 1 ] if [ $1 -eq 1 ]
then then
@ -990,7 +1017,7 @@ else
echo >> /var/log/pki/pki-upgrade-%{version}.log echo >> /var/log/pki/pki-upgrade-%{version}.log
fi fi
%postun -n pki-base %postun -n %{product_id}-base
if [ $1 -eq 0 ] if [ $1 -eq 0 ]
then then
@ -1003,11 +1030,7 @@ fi
%if %{with server} %if %{with server}
%post -n pki-server %post -n %{product_id}-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
# CVE-2021-3551 # CVE-2021-3551
# Remove world access from existing installation logs # Remove world access from existing installation logs
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
@ -1033,9 +1056,9 @@ fi
%endif %endif
%if %{with meta} %if %{with meta}
%if "%{name}" != "%{vendor_id}-pki" %if "%{name}" != "%{product_id}"
################################################################################ ################################################################################
%files -n %{vendor_id}-pki %files -n %{product_id}
################################################################################ ################################################################################
%else %else
%files %files
@ -1048,7 +1071,7 @@ fi
%if %{with base} %if %{with base}
################################################################################ ################################################################################
%files -n pki-symkey %files -n %{product_id}-symkey
################################################################################ ################################################################################
%license base/symkey/LICENSE %license base/symkey/LICENSE
@ -1056,7 +1079,7 @@ fi
%{_libdir}/symkey/ %{_libdir}/symkey/
################################################################################ ################################################################################
%files -n pki-base %files -n %{product_id}-base
################################################################################ ################################################################################
%license base/common/LICENSE %license base/common/LICENSE
@ -1082,7 +1105,7 @@ fi
%{_mandir}/man8/pki-upgrade.8.gz %{_mandir}/man8/pki-upgrade.8.gz
################################################################################ ################################################################################
%files -n pki-base-java %files -n %{product_id}-base-java
################################################################################ ################################################################################
%license base/common/LICENSE %license base/common/LICENSE
@ -1094,7 +1117,7 @@ fi
%{_javadir}/pki/pki-certsrv.jar %{_javadir}/pki/pki-certsrv.jar
################################################################################ ################################################################################
%files -n python3-pki %files -n python3-%{product_id}
################################################################################ ################################################################################
%license base/common/LICENSE %license base/common/LICENSE
@ -1105,7 +1128,7 @@ fi
%{python3_sitelib}/pki %{python3_sitelib}/pki
################################################################################ ################################################################################
%files -n pki-tools %files -n %{product_id}-tools
################################################################################ ################################################################################
%license base/tools/LICENSE %license base/tools/LICENSE
@ -1180,7 +1203,7 @@ fi
%if %{with server} %if %{with server}
################################################################################ ################################################################################
%files -n pki-server %files -n %{product_id}-server
################################################################################ ################################################################################
%license base/common/THIRD_PARTY_LICENSES %license base/common/THIRD_PARTY_LICENSES
@ -1241,7 +1264,7 @@ fi
%if %{with acme} %if %{with acme}
################################################################################ ################################################################################
%files -n pki-acme %files -n %{product_id}-acme
################################################################################ ################################################################################
%{_javadir}/pki/pki-acme.jar %{_javadir}/pki/pki-acme.jar
@ -1252,7 +1275,7 @@ fi
%if %{with ca} %if %{with ca}
################################################################################ ################################################################################
%files -n pki-ca %files -n %{product_id}-ca
################################################################################ ################################################################################
%license base/ca/LICENSE %license base/ca/LICENSE
@ -1264,7 +1287,7 @@ fi
%if %{with kra} %if %{with kra}
################################################################################ ################################################################################
%files -n pki-kra %files -n %{product_id}-kra
################################################################################ ################################################################################
%license base/kra/LICENSE %license base/kra/LICENSE
@ -1276,7 +1299,7 @@ fi
%if %{with ocsp} %if %{with ocsp}
################################################################################ ################################################################################
%files -n pki-ocsp %files -n %{product_id}-ocsp
################################################################################ ################################################################################
%license base/ocsp/LICENSE %license base/ocsp/LICENSE
@ -1288,7 +1311,7 @@ fi
%if %{with tks} %if %{with tks}
################################################################################ ################################################################################
%files -n pki-tks %files -n %{product_id}-tks
################################################################################ ################################################################################
%license base/tks/LICENSE %license base/tks/LICENSE
@ -1300,7 +1323,7 @@ fi
%if %{with tps} %if %{with tps}
################################################################################ ################################################################################
%files -n pki-tps %files -n %{product_id}-tps
################################################################################ ################################################################################
%license base/tps/LICENSE %license base/tps/LICENSE
@ -1322,7 +1345,7 @@ fi
%if %{with javadoc} %if %{with javadoc}
################################################################################ ################################################################################
%files -n pki-javadoc %files -n %{product_id}-javadoc
################################################################################ ################################################################################
%{_javadocdir}/pki-%{version}/ %{_javadocdir}/pki-%{version}/
@ -1332,7 +1355,7 @@ fi
%if %{with console} %if %{with console}
################################################################################ ################################################################################
%files -n pki-console %files -n %{product_id}-console
################################################################################ ################################################################################
%license base/console/LICENSE %license base/console/LICENSE
@ -1344,10 +1367,10 @@ fi
%if %{with theme} %if %{with theme}
################################################################################ ################################################################################
%files -n %{vendor_id}-pki-server-theme %files -n %{product_id}-server-theme
################################################################################ ################################################################################
%license themes/%{vendor_id}/common-ui/LICENSE %license themes/%{theme}/common-ui/LICENSE
%dir %{_datadir}/pki %dir %{_datadir}/pki
%{_datadir}/pki/CS_SERVER_VERSION %{_datadir}/pki/CS_SERVER_VERSION
%{_datadir}/pki/common-ui/ %{_datadir}/pki/common-ui/
@ -1362,10 +1385,10 @@ fi
%{_datadir}/pki/server/webapps/pki/tks %{_datadir}/pki/server/webapps/pki/tks
################################################################################ ################################################################################
%files -n %{vendor_id}-pki-console-theme %files -n %{product_id}-console-theme
################################################################################ ################################################################################
%license themes/%{vendor_id}/console-ui/LICENSE %license themes/%{theme}/console-ui/LICENSE
%{_javadir}/pki/pki-console-theme.jar %{_javadir}/pki/pki-console-theme.jar
# with theme # with theme
@ -1373,7 +1396,7 @@ fi
%if %{with tests} %if %{with tests}
################################################################################ ################################################################################
%files -n pki-tests %files -n %{product_id}-tests
################################################################################ ################################################################################
%{_datadir}/pki/tests/ %{_datadir}/pki/tests/
@ -1383,6 +1406,13 @@ fi
################################################################################ ################################################################################
%changelog %changelog
* Mon Jul 25 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-4
- Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE
- Rename packages to idm-pki
* Wed Jun 01 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-3
- ExcludeArch i686 as md2man not available in RHEL 8.7
* Thu Feb 03 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-2 * Thu Feb 03 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-2
- Bug 2027470 - pki-healthcheck ClonesConnectivyAndDataCheck fails - Bug 2027470 - pki-healthcheck ClonesConnectivyAndDataCheck fails