import pki-core-10.12.0-4.module+el8.7.0+16126+c5918a27
This commit is contained in:
parent
83a9d02de2
commit
18cf00342c
@ -0,0 +1,145 @@
|
||||
From 039b3453d17bb5666d4b7a4eacc6a014703416c7 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Kelley <ckelley@redhat.com>
|
||||
Date: Fri, 10 Jun 2022 17:25:07 +0100
|
||||
Subject: [PATCH] Disable access to external entities when parsing XML
|
||||
|
||||
This reduces the vulnerability of XML parsers to XXE (XML external
|
||||
entity) injection.
|
||||
|
||||
The best way to prevent XXE is to stop using XML altogether, which we do
|
||||
plan to do. Until that happens I consider it worthwhile to tighten the
|
||||
security here though.
|
||||
---
|
||||
.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
|
||||
.../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
|
||||
.../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
|
||||
.../src/test/java/com/netscape/test/TestListener.java | 5 ++++-
|
||||
4 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
index bdd485e89a..07fae1ad50 100644
|
||||
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
@@ -24,6 +24,7 @@ import java.util.Enumeration;
|
||||
import java.util.Locale;
|
||||
import java.util.Vector;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
import javax.xml.transform.Transformer;
|
||||
@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
|
||||
XMLObject xmlObject = convertDomainInfoToXMLObject(before);
|
||||
Document document = xmlObject.getDocument();
|
||||
|
||||
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
|
||||
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
+ Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
|
||||
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
index 2a02d722a1..d9ac572747 100644
|
||||
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
@@ -41,6 +41,7 @@ public class ServerXml {
|
||||
ServerXml serverXml = new ServerXml();
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(filename);
|
||||
|
||||
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
index 81fdbf4b2e..1043bcb477 100644
|
||||
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
@@ -25,6 +25,7 @@ import java.io.OutputStream;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Vector;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
@@ -56,6 +57,7 @@ public class XMLObject {
|
||||
public XMLObject(InputStream s)
|
||||
throws SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
mDoc = docBuilder.parse(s);
|
||||
}
|
||||
@@ -63,6 +65,7 @@ public class XMLObject {
|
||||
public XMLObject(File f)
|
||||
throws SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
mDoc = docBuilder.parse(f);
|
||||
}
|
||||
@@ -159,6 +162,8 @@ public class XMLObject {
|
||||
public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
|
||||
ByteArrayOutputStream bos = new ByteArrayOutputStream();
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer aTransformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
Result dest = new StreamResult(bos);
|
||||
@@ -169,6 +174,8 @@ public class XMLObject {
|
||||
public void output(OutputStream os)
|
||||
throws TransformerConfigurationException, TransformerException {
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer aTransformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
Result dest = new StreamResult(os);
|
||||
@@ -177,6 +184,8 @@ public class XMLObject {
|
||||
|
||||
public String toXMLString() throws TransformerConfigurationException, TransformerException {
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
StreamResult dest = new StreamResult(new StringWriter());
|
||||
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
index 3181d53dc8..ac5d6e0f42 100644
|
||||
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat;
|
||||
import java.util.Date;
|
||||
import java.util.TimeZone;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -22,7 +23,6 @@ import org.junit.runner.Description;
|
||||
import org.junit.runner.Result;
|
||||
import org.junit.runner.notification.Failure;
|
||||
import org.junit.runner.notification.RunListener;
|
||||
-
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.Text;
|
||||
@@ -64,9 +64,12 @@ public class TestListener extends RunListener {
|
||||
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
|
||||
|
||||
docBuilderFactory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
docBuilder = docBuilderFactory.newDocumentBuilder();
|
||||
|
||||
transFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
trans = transFactory.newTransformer();
|
||||
trans.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
@ -0,0 +1,32 @@
|
||||
From af9d5ee1e57b128603974595e26feb3effe05c87 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Kelley <ckelley@redhat.com>
|
||||
Date: Thu, 14 Jul 2022 16:49:25 +0100
|
||||
Subject: [PATCH] Fix accidental renaming of factories in conflict resolution.
|
||||
|
||||
---
|
||||
base/util/src/test/java/com/netscape/test/TestListener.java | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
index ac5d6e0f42..56b7793f61 100644
|
||||
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
|
||||
@@ -64,12 +64,12 @@ public class TestListener extends RunListener {
|
||||
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
|
||||
|
||||
docBuilderFactory = DocumentBuilderFactory.newInstance();
|
||||
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
docBuilder = docBuilderFactory.newDocumentBuilder();
|
||||
|
||||
transFactory = TransformerFactory.newInstance();
|
||||
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
trans = transFactory.newTransformer();
|
||||
trans.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
@ -2,10 +2,10 @@
|
||||
Name: pki-core
|
||||
################################################################################
|
||||
|
||||
%global vendor_id redhat
|
||||
%global brand Red Hat
|
||||
%global product_name IDM PKI
|
||||
%global product_id idm-pki
|
||||
|
||||
Summary: %{brand} PKI Core Package
|
||||
Summary: %{product_name} Package
|
||||
URL: https://www.dogtagpki.org
|
||||
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
|
||||
License: GPLv2 and LGPLv2
|
||||
@ -13,10 +13,9 @@ License: GPLv2 and LGPLv2
|
||||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
Version: 10.12.0
|
||||
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
#global _phase -alpha1
|
||||
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
# $ git archive \
|
||||
# --format=tar.gz \
|
||||
@ -32,13 +31,14 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
||||
# > pki-VERSION-RELEASE.patch
|
||||
# Patch: pki-VERSION-RELEASE.patch
|
||||
|
||||
Patch: 0001-Fix-pki-healthcheck-for-clones.patch
|
||||
Patch0: 0001-Fix-pki-healthcheck-for-clones.patch
|
||||
Patch1: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
|
||||
Patch2: 0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
|
||||
# safest.
|
||||
%if ! 0%{?rhel} || 0%{?rhel} > 8
|
||||
# md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
|
||||
%if ! 0%{?rhel} || 0%{?rhel} >= 8
|
||||
ExcludeArch: i686
|
||||
%endif
|
||||
|
||||
@ -256,13 +256,13 @@ BuildRequires: nss-tools
|
||||
BuildRequires: openssl
|
||||
|
||||
# description for top-level package (if there is a separate meta package)
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
%description
|
||||
|
||||
%{brand} PKI is an enterprise software system designed
|
||||
%{product_name} is an enterprise software system designed
|
||||
to manage enterprise Public Key Infrastructure deployments.
|
||||
|
||||
PKI consists of the following components:
|
||||
%{product_name} consists of the following components:
|
||||
|
||||
* Automatic Certificate Management Environment (ACME) Responder
|
||||
* Certificate Authority (CA)
|
||||
@ -274,32 +274,32 @@ PKI consists of the following components:
|
||||
%endif
|
||||
|
||||
%if %{with meta}
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki
|
||||
%package -n %{product_id}
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Package
|
||||
Summary: %{product_name} Package
|
||||
%endif
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI theme packages
|
||||
Requires: %{vendor_id}-pki-server-theme = %{version}-%{release}
|
||||
Requires: %{vendor_id}-pki-console-theme = %{version}-%{release}
|
||||
Requires: %{product_id}-server-theme = %{version}-%{release}
|
||||
Requires: %{product_id}-console-theme = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI core packages
|
||||
Requires: pki-acme = %{version}-%{release}
|
||||
Requires: pki-ca = %{version}-%{release}
|
||||
Requires: pki-kra = %{version}-%{release}
|
||||
Requires: pki-ocsp = %{version}-%{release}
|
||||
Requires: pki-tks = %{version}-%{release}
|
||||
Requires: pki-tps = %{version}-%{release}
|
||||
Requires: %{product_id}-acme = %{version}-%{release}
|
||||
Requires: %{product_id}-ca = %{version}-%{release}
|
||||
Requires: %{product_id}-kra = %{version}-%{release}
|
||||
Requires: %{product_id}-ocsp = %{version}-%{release}
|
||||
Requires: %{product_id}-tks = %{version}-%{release}
|
||||
Requires: %{product_id}-tps = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of PKI console
|
||||
Requires: pki-console = %{version}-%{release}
|
||||
Requires: pki-javadoc = %{version}-%{release}
|
||||
Requires: %{product_id}-console = %{version}-%{release}
|
||||
Requires: %{product_id}-javadoc = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
|
||||
@ -308,16 +308,16 @@ Requires: esc >= 1.1.1
|
||||
%endif
|
||||
|
||||
# description for top-level package (unless there is a separate meta package)
|
||||
%if "%{name}" == "%{vendor_id}-pki"
|
||||
%if "%{name}" == "%{product_id}"
|
||||
%description
|
||||
%else
|
||||
%description -n %{vendor_id}-pki
|
||||
%description -n %{product_id}
|
||||
%endif
|
||||
|
||||
%{brand} PKI is an enterprise software system designed
|
||||
%{product_name} is an enterprise software system designed
|
||||
to manage enterprise Public Key Infrastructure deployments.
|
||||
|
||||
PKI consists of the following components:
|
||||
%{product_name} consists of the following components:
|
||||
|
||||
* Automatic Certificate Management Environment (ACME) Responder
|
||||
* Certificate Authority (CA)
|
||||
@ -331,10 +331,13 @@ PKI consists of the following components:
|
||||
|
||||
%if %{with base}
|
||||
################################################################################
|
||||
%package -n pki-symkey
|
||||
%package -n %{product_id}-symkey
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Symmetric Key Package
|
||||
Summary: %{product_name} Symmetric Key Package
|
||||
|
||||
Obsoletes: pki-symkey < %{version}-%{release}
|
||||
Provides: pki-symkey = %{version}-%{release}
|
||||
|
||||
Requires: %{java_headless}
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
@ -347,15 +350,14 @@ Conflicts: pki-javadoc < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
|
||||
%description -n pki-symkey
|
||||
The PKI Symmetric Key Java Package supplies various native
|
||||
symmetric key operations to Java programs.
|
||||
%description -n %{product_id}-symkey
|
||||
This package provides library for symmetric key operations.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-base
|
||||
%package -n %{product_id}-base
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Base Package
|
||||
Summary: %{product_name} Base Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base < %{version}-%{release}
|
||||
@ -372,25 +374,27 @@ Conflicts: pki-javadoc < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
|
||||
%description -n pki-base
|
||||
The PKI Base Package contains the common and client libraries and utilities
|
||||
written in Python.
|
||||
%description -n %{product_id}-base
|
||||
This package provides default configuration files for %{product_name} client.
|
||||
|
||||
################################################################################
|
||||
%package -n python3-pki
|
||||
%package -n python3-%{product_id}
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Python 3 Package
|
||||
Summary: %{product_name} Python 3 Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base-python3 < %{version}
|
||||
Obsoletes: python3-pki < %{version}-%{release}
|
||||
Provides: python3-pki = %{version}-%{release}
|
||||
|
||||
Obsoletes: pki-base-python3 < %{version}-%{release}
|
||||
Provides: pki-base-python3 = %{version}-%{release}
|
||||
|
||||
%if 0%{?fedora} || 0%{?rhel} > 8
|
||||
%{?python_provide:%python_provide python3-pki}
|
||||
%endif
|
||||
|
||||
Requires: pki-base = %{version}-%{release}
|
||||
Requires: %{product_id}-base = %{version}-%{release}
|
||||
Requires: python3 >= 3.5
|
||||
Requires: python3-cryptography
|
||||
Requires: python3-ldap
|
||||
@ -401,14 +405,14 @@ Requires: python3-six
|
||||
Recommends: python3-nss
|
||||
%endif
|
||||
|
||||
%description -n python3-pki
|
||||
This package contains PKI client library for Python 3.
|
||||
%description -n python3-%{product_id}
|
||||
This package provides common and client library for Python 3.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-base-java
|
||||
%package -n %{product_id}-base-java
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Base Java Package
|
||||
Summary: %{product_name} Base Java Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base-java < %{version}-%{release}
|
||||
@ -427,7 +431,7 @@ Requires: slf4j-jdk14
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 4.9.0, jss < 5.0.0
|
||||
Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
|
||||
Requires: pki-base = %{version}-%{release}
|
||||
Requires: %{product_id}-base = %{version}-%{release}
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
Requires: resteasy >= 3.0.26
|
||||
@ -448,38 +452,40 @@ Requires: xerces-j2
|
||||
Requires: xml-commons-apis
|
||||
Requires: xml-commons-resolver
|
||||
|
||||
%description -n pki-base-java
|
||||
The PKI Base Java Package contains the common and client libraries and utilities
|
||||
written in Java.
|
||||
%description -n %{product_id}-base-java
|
||||
This package provides common and client libraries for Java.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-tools
|
||||
%package -n %{product_id}-tools
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Tools Package
|
||||
Summary: %{product_name} Tools Package
|
||||
|
||||
Obsoletes: pki-tools < %{version}-%{release}
|
||||
Provides: pki-tools = %{version}-%{release}
|
||||
|
||||
Requires: openldap-clients
|
||||
Requires: nss-tools >= 3.36.1
|
||||
Requires: pki-base-java = %{version}-%{release}
|
||||
Requires: %{product_id}-base-java = %{version}-%{release}
|
||||
Requires: p11-kit-trust
|
||||
|
||||
# PKICertImport depends on certutil and openssl
|
||||
Requires: nss-tools
|
||||
Requires: openssl
|
||||
|
||||
%description -n pki-tools
|
||||
This package contains PKI executables that can be used to help make
|
||||
Certificate System into a more complete and robust PKI solution.
|
||||
%description -n %{product_id}-tools
|
||||
This package provides tools that can be used to help make
|
||||
%{product_name} into a more complete and robust PKI solution.
|
||||
|
||||
# with base
|
||||
%endif
|
||||
|
||||
%if %{with server}
|
||||
################################################################################
|
||||
%package -n pki-server
|
||||
%package -n %{product_id}-server
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Server Package
|
||||
Summary: %{product_name} Server Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-server < %{version}-%{release}
|
||||
@ -491,8 +497,8 @@ Requires: policycoreutils
|
||||
Requires: procps-ng
|
||||
Requires: openldap-clients
|
||||
Requires: openssl
|
||||
Requires: pki-symkey = %{version}-%{release}
|
||||
Requires: pki-tools = %{version}-%{release}
|
||||
Requires: %{product_id}-symkey = %{version}-%{release}
|
||||
Requires: %{product_id}-tools = %{version}-%{release}
|
||||
|
||||
Requires: keyutils
|
||||
|
||||
@ -539,25 +545,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7
|
||||
Provides: bundled(js-patternfly) = 3.59.2
|
||||
Provides: bundled(js-underscore) = 1.9.2
|
||||
|
||||
%description -n pki-server
|
||||
The PKI Server Package contains libraries and utilities needed by other
|
||||
PKI subsystems.
|
||||
%description -n %{product_id}-server
|
||||
This package provides libraries and utilities needed by %{product_name} services.
|
||||
|
||||
# with server
|
||||
%endif
|
||||
|
||||
%if %{with acme}
|
||||
################################################################################
|
||||
%package -n pki-acme
|
||||
%package -n %{product_id}-acme
|
||||
################################################################################
|
||||
|
||||
Summary: PKI ACME Package
|
||||
Summary: %{product_name} ACME Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-acme < %{version}-%{release}
|
||||
Provides: pki-acme = %{version}-%{release}
|
||||
|
||||
%description -n pki-acme
|
||||
The PKI ACME responder is a service that provides an automatic certificate
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
|
||||
%description -n %{product_id}-acme
|
||||
%{product_name} ACME responder is a service that provides an automatic certificate
|
||||
management via ACME v2 protocol defined in RFC 8555.
|
||||
|
||||
# with acme
|
||||
@ -565,19 +573,22 @@ management via ACME v2 protocol defined in RFC 8555.
|
||||
|
||||
%if %{with ca}
|
||||
################################################################################
|
||||
%package -n pki-ca
|
||||
%package -n %{product_id}-ca
|
||||
################################################################################
|
||||
|
||||
Summary: PKI CA Package
|
||||
Summary: %{product_name} CA Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-ca < %{version}-%{release}
|
||||
Provides: pki-ca = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-ca
|
||||
The Certificate Authority (CA) is a required PKI subsystem which issues,
|
||||
%description -n %{product_id}-ca
|
||||
%{product_name} Certificate Authority (CA) is a required subsystem which issues,
|
||||
renews, revokes, and publishes certificates as well as compiling and
|
||||
publishing Certificate Revocation Lists (CRLs).
|
||||
|
||||
@ -590,19 +601,22 @@ where it obtains its own signing certificate from a public CA.
|
||||
|
||||
%if %{with kra}
|
||||
################################################################################
|
||||
%package -n pki-kra
|
||||
%package -n %{product_id}-kra
|
||||
################################################################################
|
||||
|
||||
Summary: PKI KRA Package
|
||||
Summary: %{product_name} KRA Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-kra < %{version}-%{release}
|
||||
Provides: pki-kra = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-kra
|
||||
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
|
||||
%description -n %{product_id}-kra
|
||||
%{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act
|
||||
as a key archival facility. When configured in conjunction with the
|
||||
Certificate Authority (CA), the KRA stores private encryption keys as part of
|
||||
the certificate enrollment process. The key archival mechanism is triggered
|
||||
@ -621,19 +635,22 @@ since such archival would undermine non-repudiation properties of signing keys.
|
||||
|
||||
%if %{with ocsp}
|
||||
################################################################################
|
||||
%package -n pki-ocsp
|
||||
%package -n %{product_id}-ocsp
|
||||
################################################################################
|
||||
|
||||
Summary: PKI OCSP Package
|
||||
Summary: %{product_name} OCSP Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-ocsp < %{version}-%{release}
|
||||
Provides: pki-ocsp = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-ocsp
|
||||
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
|
||||
%description -n %{product_id}-ocsp
|
||||
%{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional
|
||||
subsystem that can act as a stand-alone OCSP service. The OCSP Manager
|
||||
performs the task of an online certificate validation authority by enabling
|
||||
OCSP-compliant clients to do real-time verification of certificates. Note
|
||||
@ -659,19 +676,22 @@ whenever they are issued or updated.
|
||||
|
||||
%if %{with tks}
|
||||
################################################################################
|
||||
%package -n pki-tks
|
||||
%package -n %{product_id}-tks
|
||||
################################################################################
|
||||
|
||||
Summary: PKI TKS Package
|
||||
Summary: %{product_name} TKS Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-tks < %{version}-%{release}
|
||||
Provides: pki-tks = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-tks
|
||||
The Token Key Service (TKS) is an optional PKI subsystem that manages the
|
||||
%description -n %{product_id}-tks
|
||||
%{product_name} Token Key Service (TKS) is an optional subsystem that manages the
|
||||
master key(s) and the transport key(s) required to generate and distribute
|
||||
keys for hardware tokens. TKS provides the security between tokens and an
|
||||
instance of Token Processing System (TPS), where the security relies upon the
|
||||
@ -691,12 +711,15 @@ behind the firewall with restricted access.
|
||||
|
||||
%if %{with tps}
|
||||
################################################################################
|
||||
%package -n pki-tps
|
||||
%package -n %{product_id}-tps
|
||||
################################################################################
|
||||
|
||||
Summary: PKI TPS Package
|
||||
Summary: %{product_name} TPS Package
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-tps < %{version}-%{release}
|
||||
Provides: pki-tps = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
@ -707,8 +730,8 @@ Requires(postun): systemd-units
|
||||
Requires: nss-tools >= 3.36.1
|
||||
Requires: openldap-clients
|
||||
|
||||
%description -n pki-tps
|
||||
The Token Processing System (TPS) is an optional PKI subsystem that acts
|
||||
%description -n %{product_id}-tps
|
||||
%{product_name} Token Processing System (TPS) is an optional subsystem that acts
|
||||
as a Registration Authority (RA) for authenticating and processing
|
||||
enrollment requests, PIN reset requests, and formatting requests from
|
||||
the Enterprise Security Client (ESC).
|
||||
@ -732,10 +755,10 @@ smart card.
|
||||
|
||||
%if %{with javadoc}
|
||||
################################################################################
|
||||
%package -n pki-javadoc
|
||||
%package -n %{product_id}-javadoc
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Javadoc Package
|
||||
Summary: %{product_name} Javadoc Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-javadoc < %{version}-%{release}
|
||||
@ -747,18 +770,18 @@ Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
|
||||
%description -n pki-javadoc
|
||||
This package contains PKI API documentation.
|
||||
%description -n %{product_id}-javadoc
|
||||
This package provides %{product_name} API documentation.
|
||||
|
||||
# with javadoc
|
||||
%endif
|
||||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%package -n pki-console
|
||||
%package -n %{product_id}-console
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Console Package
|
||||
Summary: %{product_name} Console Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-console < %{version}-%{release}
|
||||
@ -767,21 +790,21 @@ Provides: pki-console = %{version}-%{release}
|
||||
BuildRequires: idm-console-framework >= 1.2.0
|
||||
|
||||
Requires: idm-console-framework >= 1.2.0
|
||||
Requires: pki-base-java = %{version}-%{release}
|
||||
Requires: pki-console-theme = %{version}-%{release}
|
||||
Requires: %{product_id}-base-java = %{version}-%{release}
|
||||
Requires: %{product_id}-console-theme = %{version}-%{release}
|
||||
|
||||
%description -n pki-console
|
||||
The PKI Console is a Java application used to administer PKI server.
|
||||
%description -n %{product_id}-console
|
||||
%{product_name} Console is a Java application used to administer %{product_name} Server.
|
||||
|
||||
# with console
|
||||
%endif
|
||||
|
||||
%if %{with theme}
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki-server-theme
|
||||
%package -n %{product_id}-server-theme
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Server Theme Package
|
||||
Summary: %{product_name} Server Theme Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-server-theme < %{version}-%{release}
|
||||
@ -793,15 +816,14 @@ Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
|
||||
%description -n %{vendor_id}-pki-server-theme
|
||||
This PKI Server Theme Package contains
|
||||
%{brand} textual and graphical user interface for PKI Server.
|
||||
%description -n %{product_id}-server-theme
|
||||
This package provides theme files for %{product_name} Server.
|
||||
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki-console-theme
|
||||
%package -n %{product_id}-console-theme
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Console Theme Package
|
||||
Summary: %{product_name} Console Theme Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-console-theme < %{version}-%{release}
|
||||
@ -813,23 +835,28 @@ Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
|
||||
%description -n %{vendor_id}-pki-console-theme
|
||||
This PKI Console Theme Package contains
|
||||
%{brand} textual and graphical user interface for PKI Console.
|
||||
%description -n %{product_id}-console-theme
|
||||
This package provides theme files for %{product_name} Console.
|
||||
|
||||
# with theme
|
||||
%endif
|
||||
|
||||
%if %{with tests}
|
||||
################################################################################
|
||||
%package -n pki-tests
|
||||
%package -n %{product_id}-tests
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Tests
|
||||
Summary: %{product_name} Tests
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n pki-tests
|
||||
This package contains PKI test suite.
|
||||
Obsoletes: pki-tests < %{version}-%{release}
|
||||
Provides: pki-tests = %{version}-%{release}
|
||||
|
||||
Requires: python3-pylint
|
||||
Requires: python3-flake8
|
||||
|
||||
%description -n %{product_id}-tests
|
||||
This package provides test suite for %{product_name}.
|
||||
|
||||
# with tests
|
||||
%endif
|
||||
@ -887,7 +914,7 @@ cd build
|
||||
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
|
||||
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
|
||||
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
|
||||
-DTHEME=%{?with_theme:%{vendor_id}} \
|
||||
-DTHEME=%{?with_theme:%{theme}} \
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
..
|
||||
%else
|
||||
@ -934,7 +961,7 @@ ctest --output-on-failure
|
||||
|
||||
cat > %{buildroot}%{_datadir}/doc/pki/README << EOF
|
||||
This package is a "meta-package" whose dependencies pull in all of the
|
||||
packages comprising the %{brand} Public Key Infrastructure (PKI) Suite.
|
||||
packages comprising the %{product_name} Suite.
|
||||
EOF
|
||||
|
||||
# with meta
|
||||
@ -964,7 +991,7 @@ ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroo
|
||||
|
||||
%if %{with server}
|
||||
|
||||
%pre -n pki-server
|
||||
%pre -n %{product_id}-server
|
||||
getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
|
||||
if ! getent passwd %{pki_username} >/dev/null ; then
|
||||
useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
|
||||
@ -976,7 +1003,7 @@ exit 0
|
||||
|
||||
%if %{with base}
|
||||
|
||||
%post -n pki-base
|
||||
%post -n %{product_id}-base
|
||||
|
||||
if [ $1 -eq 1 ]
|
||||
then
|
||||
@ -990,7 +1017,7 @@ else
|
||||
echo >> /var/log/pki/pki-upgrade-%{version}.log
|
||||
fi
|
||||
|
||||
%postun -n pki-base
|
||||
%postun -n %{product_id}-base
|
||||
|
||||
if [ $1 -eq 0 ]
|
||||
then
|
||||
@ -1003,11 +1030,7 @@ fi
|
||||
|
||||
%if %{with server}
|
||||
|
||||
%post -n pki-server
|
||||
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
|
||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||
## PKI deployment process
|
||||
|
||||
%post -n %{product_id}-server
|
||||
# CVE-2021-3551
|
||||
# Remove world access from existing installation logs
|
||||
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
|
||||
@ -1033,9 +1056,9 @@ fi
|
||||
%endif
|
||||
|
||||
%if %{with meta}
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki
|
||||
%files -n %{product_id}
|
||||
################################################################################
|
||||
%else
|
||||
%files
|
||||
@ -1048,7 +1071,7 @@ fi
|
||||
|
||||
%if %{with base}
|
||||
################################################################################
|
||||
%files -n pki-symkey
|
||||
%files -n %{product_id}-symkey
|
||||
################################################################################
|
||||
|
||||
%license base/symkey/LICENSE
|
||||
@ -1056,7 +1079,7 @@ fi
|
||||
%{_libdir}/symkey/
|
||||
|
||||
################################################################################
|
||||
%files -n pki-base
|
||||
%files -n %{product_id}-base
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
@ -1082,7 +1105,7 @@ fi
|
||||
%{_mandir}/man8/pki-upgrade.8.gz
|
||||
|
||||
################################################################################
|
||||
%files -n pki-base-java
|
||||
%files -n %{product_id}-base-java
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
@ -1094,7 +1117,7 @@ fi
|
||||
%{_javadir}/pki/pki-certsrv.jar
|
||||
|
||||
################################################################################
|
||||
%files -n python3-pki
|
||||
%files -n python3-%{product_id}
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
@ -1105,7 +1128,7 @@ fi
|
||||
%{python3_sitelib}/pki
|
||||
|
||||
################################################################################
|
||||
%files -n pki-tools
|
||||
%files -n %{product_id}-tools
|
||||
################################################################################
|
||||
|
||||
%license base/tools/LICENSE
|
||||
@ -1180,7 +1203,7 @@ fi
|
||||
|
||||
%if %{with server}
|
||||
################################################################################
|
||||
%files -n pki-server
|
||||
%files -n %{product_id}-server
|
||||
################################################################################
|
||||
|
||||
%license base/common/THIRD_PARTY_LICENSES
|
||||
@ -1241,7 +1264,7 @@ fi
|
||||
|
||||
%if %{with acme}
|
||||
################################################################################
|
||||
%files -n pki-acme
|
||||
%files -n %{product_id}-acme
|
||||
################################################################################
|
||||
|
||||
%{_javadir}/pki/pki-acme.jar
|
||||
@ -1252,7 +1275,7 @@ fi
|
||||
|
||||
%if %{with ca}
|
||||
################################################################################
|
||||
%files -n pki-ca
|
||||
%files -n %{product_id}-ca
|
||||
################################################################################
|
||||
|
||||
%license base/ca/LICENSE
|
||||
@ -1264,7 +1287,7 @@ fi
|
||||
|
||||
%if %{with kra}
|
||||
################################################################################
|
||||
%files -n pki-kra
|
||||
%files -n %{product_id}-kra
|
||||
################################################################################
|
||||
|
||||
%license base/kra/LICENSE
|
||||
@ -1276,7 +1299,7 @@ fi
|
||||
|
||||
%if %{with ocsp}
|
||||
################################################################################
|
||||
%files -n pki-ocsp
|
||||
%files -n %{product_id}-ocsp
|
||||
################################################################################
|
||||
|
||||
%license base/ocsp/LICENSE
|
||||
@ -1288,7 +1311,7 @@ fi
|
||||
|
||||
%if %{with tks}
|
||||
################################################################################
|
||||
%files -n pki-tks
|
||||
%files -n %{product_id}-tks
|
||||
################################################################################
|
||||
|
||||
%license base/tks/LICENSE
|
||||
@ -1300,7 +1323,7 @@ fi
|
||||
|
||||
%if %{with tps}
|
||||
################################################################################
|
||||
%files -n pki-tps
|
||||
%files -n %{product_id}-tps
|
||||
################################################################################
|
||||
|
||||
%license base/tps/LICENSE
|
||||
@ -1322,7 +1345,7 @@ fi
|
||||
|
||||
%if %{with javadoc}
|
||||
################################################################################
|
||||
%files -n pki-javadoc
|
||||
%files -n %{product_id}-javadoc
|
||||
################################################################################
|
||||
|
||||
%{_javadocdir}/pki-%{version}/
|
||||
@ -1332,7 +1355,7 @@ fi
|
||||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%files -n pki-console
|
||||
%files -n %{product_id}-console
|
||||
################################################################################
|
||||
|
||||
%license base/console/LICENSE
|
||||
@ -1344,10 +1367,10 @@ fi
|
||||
|
||||
%if %{with theme}
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki-server-theme
|
||||
%files -n %{product_id}-server-theme
|
||||
################################################################################
|
||||
|
||||
%license themes/%{vendor_id}/common-ui/LICENSE
|
||||
%license themes/%{theme}/common-ui/LICENSE
|
||||
%dir %{_datadir}/pki
|
||||
%{_datadir}/pki/CS_SERVER_VERSION
|
||||
%{_datadir}/pki/common-ui/
|
||||
@ -1362,10 +1385,10 @@ fi
|
||||
%{_datadir}/pki/server/webapps/pki/tks
|
||||
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki-console-theme
|
||||
%files -n %{product_id}-console-theme
|
||||
################################################################################
|
||||
|
||||
%license themes/%{vendor_id}/console-ui/LICENSE
|
||||
%license themes/%{theme}/console-ui/LICENSE
|
||||
%{_javadir}/pki/pki-console-theme.jar
|
||||
|
||||
# with theme
|
||||
@ -1373,7 +1396,7 @@ fi
|
||||
|
||||
%if %{with tests}
|
||||
################################################################################
|
||||
%files -n pki-tests
|
||||
%files -n %{product_id}-tests
|
||||
################################################################################
|
||||
|
||||
%{_datadir}/pki/tests/
|
||||
@ -1383,6 +1406,13 @@ fi
|
||||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Mon Jul 25 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-4
|
||||
- Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE
|
||||
- Rename packages to idm-pki
|
||||
|
||||
* Wed Jun 01 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-3
|
||||
- ExcludeArch i686 as md2man not available in RHEL 8.7
|
||||
|
||||
* Thu Feb 03 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-2
|
||||
- Bug 2027470 - pki-healthcheck ClonesConnectivyAndDataCheck fails
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user