import pki-core-10.11.2-2.module+el8.5.0+12735+8eb38ccc

CentOS Sources 2021-11-09 05:01:50 -05:00 committed by Stepan Oksanichenko
parent 7b23e1ce93
commit 2e7f456c68
9 changed files with 104 additions and 615 deletions

.gitignore vendored
@ -1 +1 @@
SOURCES/pki-10.10.5.tar.gz
SOURCES/pki-10.11.2.tar.gz

@ -1 +1 @@
61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
864e86742b5462527a677c060d5b3b1d0f11b299 SOURCES/pki-10.11.2.tar.gz

@ -0,0 +1,26 @@
From 607300e57ea05a1475656f1493745f7c7a28b747 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Thu, 23 Sep 2021 13:50:41 -0400
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
standalone java tools.
---
base/tools/templates/pki_java_command_wrapper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
index 05650630d..d68ed93a3 100644
--- a/base/tools/templates/pki_java_command_wrapper.in
+++ b/base/tools/templates/pki_java_command_wrapper.in
@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
${JAVA} ${JAVA_OPTIONS} \
-cp "${PKI_LIB}/*" \
+ -Dcom.redhat.fips=false \
-Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
com.netscape.cmstools.${COMMAND} "$@"
--
2.31.1
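Review bot: the commit message should explain why `-Dcom.redhat.fips=false` is the right fix and not just a way to make the failure go away: on Red Hat's OpenJDK builds this property disables the JDK's own FIPS-mode detection, and because the wrapper launches every `com.netscape.cmstools.${COMMAND}` tool, all of them now run with the JDK FIPS integration switched off. Recording the reason (presumably that the tools obtain their FIPS-approved crypto through JSS/NSS rather than the JDK provider) and that it matches the server-side setting this "additional fix" follows would let a future reader tell that FIPS compliance is preserved rather than removed.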

@ -1,31 +0,0 @@
From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 17:39:50 -0500
Subject: [PATCH] Fix permission for existing installation logs
The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.
Resolves: CVE-2021-3551
---
pki.spec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pki.spec b/pki.spec
index a9ea345d8f..64bfd4fe7d 100644
--- a/pki.spec
+++ b/pki.spec
@@ -991,6 +991,10 @@ fi
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
+# CVE-2021-3551
+# Remove world access from existing installation logs
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
+
# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
--
2.30.2

@ -1,49 +0,0 @@
From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 15:39:44 -0500
Subject: [PATCH] Fix permission for new installation logs
The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.
Resolves: CVE-2021-3551
---
.../python/pki/server/deployment/pkilogging.py | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
index 089a292559..0926173700 100644
--- a/base/server/python/pki/server/deployment/pkilogging.py
+++ b/base/server/python/pki/server/deployment/pkilogging.py
@@ -21,8 +21,12 @@
# System Imports
from __future__ import absolute_import
import logging
+import os
+import pathlib
import pprint
+import pki
+
sensitive_parameters = []
# Initialize 'pretty print' for objects
@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
console_format = logging.Formatter('%(levelname)s: %(message)s')
console.setFormatter(console_format)
- # Configure file handler
- log_file = logging.FileHandler(filename, 'w')
+ # Create an empty file with the proper permission
+ pathlib.Path(filename).touch()
+ os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
+
+ # Configure file handler with append mode to preserve the permission
+ log_file = logging.FileHandler(filename)
file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
'%Y-%m-%d %H:%M:%S')
log_file.setFormatter(file_format)
--
2.30.2

@ -1,170 +0,0 @@
From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 13 Jan 2021 18:27:46 +1100
Subject: [PATCH] Fix renewal profile approval process
Due to a recent change in PKI CLI, the CLI now passes along user
authentication with submissions to the renewal endpoint. Unlike the EE
pages, the REST API has passed along this authentication for a while.
Due to a bug in the RenewalProcessor, requests with credentials against
profiles with no authentication method and no ACLs result in the
certificiate automatically being approved. This occurs because, when
an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
the code to allow Light-Weight SubCAs to issue certificates, validation
wasn't done on the passed principal, to see if it was a trusted agent.
Because profiles requring Agent approval have an empty ACL list (as, no
user should be able to submit a certificate request and have it
automatically signed without agent approval), authorize allows any user
to approve this request and thus accepts the AuthToken.
Critical analysis: the RenewalProcessor code interprets (authToken
!= null) as evidence that the authenticated user is /authorized/ to
immediately issue the certificate. This mismatch of concerns (authn
vs authz) resulted in a misunderstanding of system behaviour. The
"latent" AuthToken (from the HTTP request) was assigned to authToken
without realising that authorization needed to be performed.
We fix this by splitting the logic on whether the profile defines an
authenticator. If so, we (re)authenticate and authorize the user
according to the profile configuration.
If the profile does not define an authenticator but there is a
principal in the HTTP request, if (and only if) the user has
permission to approve certificate requests *and* the requested
renewal profile is caManualRenewal (which is hardcoded to be used
for LWCA renewal), then we issue the certificate immediately. This
special case ensures that LWCA renewal keeps working.
Otherwise, if there is no principal in the HTTP request or the
principal does not have permission to approve certificate requests,
we leave the authToken unset. The resulting renewal request will be
created with status PENDING, i.e. enqueued for agent review.
Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.../com/netscape/ca/CertificateAuthority.java | 10 +++
.../cms/servlet/cert/RenewalProcessor.java | 75 +++++++++++++++++--
2 files changed, 79 insertions(+), 6 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 560507168a..431ce9ff78 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -1929,6 +1929,16 @@ public class CertificateAuthority
}
ProfileSubsystem ps = engine.getProfileSubsystem();
+ /* NOTE: hard-coding the profile to use for Lightweight CA renewal
+ * might be OK, but caManualRenewal was not the right one to use.
+ * As a consequence, we have an undesirable special case in
+ * RenewalProcessor.processRenewal().
+ *
+ * We should introduce a new profile specifically for LWCA renewal,
+ * with an authenticator and ACLs to match the authz requirements
+ * for the renewAuthority REST resource itself. Then we can use
+ * it here, and remove the workaround from RenewalProcessor.
+ */
Profile profile = ps.getProfile("caManualRenewal");
CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
new ArgBlock(), profile, httpReq.getLocale());
diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 4293cdd064..fd20f48267 100644
--- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.dogtagpki.server.ca.CAEngine;
+import org.dogtagpki.server.authorization.AuthzToken;
import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
import org.mozilla.jss.netscape.security.x509.X509CertImpl;
@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor {
// before creating the request, authenticate the request
IAuthToken authToken = null;
- Principal principal = request.getUserPrincipal();
- if (principal instanceof PKIPrincipal)
- authToken = ((PKIPrincipal) principal).getAuthToken();
- if (authToken == null && authenticator != null) {
- authToken = authenticate(request, origReq, authenticator, context, true, credentials);
+
+ if (authenticator != null) {
+ /* The profile specifies an authenticator. Use it to
+ * authenticate the user. Ignore the "latent" session
+ * principal (if any).
+ */
+ authToken = authenticate(
+ request,
+ origReq,
+ authenticator,
+ context,
+ true /* isRenewal */,
+ credentials);
+ } else {
+ /* When authenticator is null, we expect manual agent
+ * review (leave authToken as null).
+ *
+ * But as a special case to ensure Lightweight CA (LWCA)
+ * renewal works, if there is a latent user in the HTTP
+ * request, we use that user (i.e. set authToken to the
+ * principal's IAuthToken) if and only if:
+ *
+ * - The renewal profile is caManualRenewal (LWCA renewal
+ * is hardcoded to use this profile); AND
+ *
+ * - The latent user is authorized to "execute"
+ * certificate requests (i.e. agent approval)
+ *
+ * See also CertificateAuthority.renewAuthority().
+ */
+
+ Principal principal = request.getUserPrincipal();
+ if (
+ renewProfileId.equals("caManualRenewal")
+ && principal instanceof PKIPrincipal
+ ) {
+ IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken();
+ AuthzToken authzToken = authorize(
+ "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute");
+ if (authzToken != null) {
+ // Success (no exception); user is authorized to approve
+ // cert requests. Set the authToken.
+ //
+ // NOTE: This authz does not replace or subsume the
+ // profile-specific authz check below.
+ authToken = latentToken;
+ } else {
+ // leave authToken as null to enqueue a pending request.
+ }
+ } else {
+ // not caManualRenewal or no latent principal;
+ // leave authToken as null to enqueue a pending request.
+ }
}
- // authentication success, now authorize
+ /* Authorize the request.
+ *
+ * If authToken != null, it will be checked against ACLs specified
+ * in the profile (if any). If ACLs are defined and authToken does
+ * not match, throws an authorization exception.
+ *
+ * If authToken == null, no check is performed (even if the profile
+ * defines ACLs). This is fine, because null authToken will cause
+ * the request status to be 'pending' [agent approval].
+ */
authorize(profileId, renewProfile, authToken);
+ /* At this point, the request will be created. If authToken
+ * is non-null, then the certificate will be issued
+ * immediately. Otherwise the request will be pending. */
+
+
///////////////////////////////////////////////
// create and populate requests
///////////////////////////////////////////////
--
2.26.2
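Review bot: this deleted patch is the fix for the authn/authz mix-up in RenewalProcessor (upstream commit 608e9bbe537aba314b124ceef70f9b606ab7e121, listed in the 10.10.5-2 changelog as CVE-2021-20179), under which a renewal request carrying any authenticated principal against a profile with no authenticator and no ACLs was issued immediately instead of being queued for agent review. Nothing on this page shows that the 10.11.2 tarball already contains that change, so the commit message should say so explicitly, or the patch should stay until that is confirmed.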

@ -1,23 +0,0 @@
From ab8b87af09b26c3c7ec257e0fb8e5ae931153120 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 8 Feb 2020 21:56:41 -0600
Subject: [PATCH] Removed dependency on pytest-runner
---
base/server/healthcheck/setup.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/base/server/healthcheck/setup.py b/base/server/healthcheck/setup.py
index 22db8bd0f..c629e34c0 100644
--- a/base/server/healthcheck/setup.py
+++ b/base/server/healthcheck/setup.py
@@ -32,6 +32,5 @@ setup(
'Programming Language :: Python :: 3.6',
],
python_requires='!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*',
- setup_requires=['pytest-runner'],
tests_require=['pytest'],
)
--
2.21.0

@ -1,236 +0,0 @@
From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 18:17:26 -0500
Subject: [PATCH] Use password file when creating admin user
The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to avoid the password from getting logged in
the debug mode.
Resolves: CVE-2021-3551
---
base/server/python/pki/server/cli/user.py | 9 ++-
.../python/pki/server/deployment/__init__.py | 5 +-
base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
.../server/cli/SubsystemUserAddCLI.java | 11 +++
4 files changed, 66 insertions(+), 33 deletions(-)
diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
index c00a1acb50..c5c8d52956 100644
--- a/base/server/python/pki/server/cli/user.py
+++ b/base/server/python/pki/server/cli/user.py
@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
print(' --full-name <full name> Full name')
print(' --email <email> Email')
print(' --password <password> Password')
+ print(' --password-file <path> Password file')
print(' --phone <phone> Phone')
print(' --type <type> Type')
print(' --state <state> State')
@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
- 'instance=', 'full-name=', 'email=', 'password=',
+ 'instance=', 'full-name=', 'email=',
+ 'password=', 'password-file=',
'phone=', 'type=', 'state=', 'tps-profiles=',
'verbose', 'debug', 'help'])
@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
full_name = None
email = None
password = None
+ password_file = None
phone = None
user_type = None
state = None
@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
elif o == '--password':
password = a
+ elif o == '--password-file':
+ password_file = a
+
elif o == '--phone':
phone = a
@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
full_name=full_name,
email=email,
password=password,
+ password_file=password_file,
phone=phone,
user_type=user_type,
tps_profiles=tps_profiles,
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 347ab1acdd..6d5f083b47 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -373,6 +373,8 @@ class PKIDeployer:
response = client.setupAdmin(request)
+ # Run the command as current user such that
+ # it can read the temporary password file.
subsystem.add_user(
uid,
full_name=full_name,
@@ -380,7 +382,8 @@ class PKIDeployer:
password=password,
user_type='adminType',
state='1',
- tps_profiles=tps_profiles)
+ tps_profiles=tps_profiles,
+ as_current_user=True)
admin_groups = subsystem.config['preop.admin.group']
groups = [x.strip() for x in admin_groups.split(',')]
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index a3ed0c7f3a..41d8d67c2e 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
full_name=None,
email=None,
password=None,
+ password_file=None,
phone=None,
user_type=None,
state=None,
tps_profiles=None,
as_current_user=False):
- cmd = [self.name + '-user-add']
+ tmpdir = tempfile.mkdtemp()
- if full_name:
- cmd.append('--full-name')
- cmd.append(full_name)
+ try:
+ if password and not password_file:
+ password_file = os.path.join(tmpdir, 'password.txt')
+ with open(password_file, 'w') as f:
+ f.write(password)
- if email:
- cmd.append('--email')
- cmd.append(email)
+ cmd = [self.name + '-user-add']
- if password:
- cmd.append('--password')
- cmd.append(password)
+ if full_name:
+ cmd.append('--full-name')
+ cmd.append(full_name)
- if phone:
- cmd.append('--phone')
- cmd.append(phone)
+ if email:
+ cmd.append('--email')
+ cmd.append(email)
- if user_type:
- cmd.append('--type')
- cmd.append(user_type)
+ if password_file:
+ cmd.append('--password-file')
+ cmd.append(password_file)
- if state:
- cmd.append('--state')
- cmd.append(state)
+ if phone:
+ cmd.append('--phone')
+ cmd.append(phone)
- if tps_profiles:
- cmd.append('--tps-profiles')
- cmd.append(','.join(tps_profiles))
+ if user_type:
+ cmd.append('--type')
+ cmd.append(user_type)
- if logger.isEnabledFor(logging.DEBUG):
- cmd.append('--debug')
+ if state:
+ cmd.append('--state')
+ cmd.append(state)
- elif logger.isEnabledFor(logging.INFO):
- cmd.append('--verbose')
+ if tps_profiles:
+ cmd.append('--tps-profiles')
+ cmd.append(','.join(tps_profiles))
- cmd.append(user_id)
+ if logger.isEnabledFor(logging.DEBUG):
+ cmd.append('--debug')
- self.run(
- cmd,
- as_current_user=as_current_user,
- capture_output=True)
+ elif logger.isEnabledFor(logging.INFO):
+ cmd.append('--verbose')
+
+ cmd.append(user_id)
+
+ self.run(
+ cmd,
+ as_current_user=as_current_user,
+ capture_output=True)
+
+ finally:
+ shutil.rmtree(tmpdir)
def modify_user(self, user_id, add_see_also=None, del_see_also=None,
as_current_user=False):
diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
index 5a385c359f..04d68de758 100644
--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
@@ -6,6 +6,8 @@
package org.dogtagpki.server.cli;
import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
option.setArgName("password");
options.addOption(option);
+ option = new Option(null, "password-file", true, "Password file");
+ option.setArgName("path");
+ options.addOption(option);
+
option = new Option(null, "phone", true, "Phone");
option.setArgName("phone");
options.addOption(option);
@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
String email = cmd.getOptionValue("email");
String password = cmd.getOptionValue("password");
+ String passwordFile = cmd.getOptionValue("password-file");
String phone = cmd.getOptionValue("phone");
String type = cmd.getOptionValue("type");
String state = cmd.getOptionValue("state");
String tpsProfiles = cmd.getOptionValue("tps-profiles");
+ if (passwordFile != null) {
+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
+ }
+
String catalinaBase = System.getProperty("catalina.base");
TomcatJSS tomcatjss = TomcatJSS.getInstance();
--
2.30.2

@ -12,9 +12,9 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.10.5
Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -beta1
Version: 10.11.2
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1
# To create a tarball from a version tag:
# $ git archive \
@ -30,16 +30,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# <version tag> \
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
# Do not remove this!! pytest-runner isn't available on RHEL. Removing this
# patch will break RHEL builds. The error message is:
# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
# [Errno 111] Connection refused -- Some packages may not be found!
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
Patch2: 0001-Fix-renewal-profile-approval-process.patch
Patch3: 0001-Use-password-file-when-creating-admin-user.patch
Patch4: 0001-Fix-permission-for-new-installation-logs.patch
Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
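Review bot: Patch2 through Patch5 (the renewal approval fix and the three CVE-2021-3551 fixes) and the pytest-runner Patch1 are dropped together with the "Do not remove this!!" comment that said removing the pytest-runner patch breaks RHEL builds. This hunk is only correct if the 10.11.2 tarball already carries all five changes; the commit message should state that, and the pytest-runner case deserves an actual build check on RHEL, since the old comment documents the exact failure (`Download error on https://pypi.org/simple/pytest-runner/`).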
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@ -69,15 +60,14 @@ ExcludeArch: i686
# Java
################################################################################
%define java_devel java-devel
%define java_headless java-headless
%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
%define min_java_version 1:11
%define java_home /usr/lib/jvm/java-11-openjdk
%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
%define java_devel java-1.8.0-openjdk-devel
%define java_headless java-1.8.0-openjdk-headless
%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
%else
%define min_java_version 1:1.8.0
%define java_home /usr/lib/jvm/java-1.8.0-openjdk
%define java_devel java-11-openjdk-devel
%define java_headless java-11-openjdk-headless
%define java_home /usr/lib/jvm/jre-11-openjdk
%endif
################################################################################
@ -94,8 +84,7 @@ ExcludeArch: i686
# By default the build will execute unit tests unless --without test
# option is specified.
# bcond_without test
%global with_test 1
%bcond_without test
# By default all packages will be built except the ones specified with
# --without <package> option (exclusion method).
@ -143,8 +132,6 @@ ExcludeArch: i686
%define debug_package %{nil}
%endif
%bcond_without sdnotify
# ignore unpackaged files from native 'tpsclient'
# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
%define _unpackaged_files_terminate_build 0
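Review bot: `%bcond_without sdnotify` is removed without explanation in the commit message, and the rest of the diff removes everything that hung off it (the `jna` BuildRequires and Requires, `-DWITH_SYSTEMD_NOTIFICATION`, and `%{_javadir}/pki/pki-systemd.jar`). Please record why systemd notification support is gone in 10.11.2, and confirm that the unit files shipped in the tarball do not use `Type=notify`, since without sd_notify a notify-type service never reaches the active state.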
@ -182,23 +169,20 @@ fi;
# Build Dependencies
################################################################################
# autosetup
BuildRequires: git
BuildRequires: make
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
BuildRequires: %java_devel >= %{min_java_version}
BuildRequires: %{java_devel}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk >= 4.22.0
BuildRequires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
BuildRequires: apache-commons-lang3 >= 3.2
BuildRequires: apache-commons-logging
BuildRequires: apache-commons-net
BuildRequires: jakarta-commons-httpclient
BuildRequires: glassfish-jaxb-api
BuildRequires: slf4j
BuildRequires: slf4j-jdk14
@ -212,22 +196,10 @@ BuildRequires: policycoreutils
BuildRequires: python3-lxml
BuildRequires: python3-sphinx
BuildRequires: velocity
BuildRequires: xalan-j2
BuildRequires: xerces-j2
%if 0%{?rhel} && ! 0%{?eln}
BuildRequires: resteasy >= 3.0.26
%else
BuildRequires: jboss-annotations-1.2-api
BuildRequires: jboss-jaxrs-2.0-api
BuildRequires: jboss-logging
BuildRequires: resteasy-atom-provider >= 3.0.17-1
BuildRequires: resteasy-client >= 3.0.17-1
BuildRequires: resteasy-jaxb-provider >= 3.0.17-1
BuildRequires: resteasy-core >= 3.0.17-1
BuildRequires: resteasy-jackson2-provider >= 3.0.17-1
%endif
BuildRequires: python3 >= 3.5
BuildRequires: python3-devel
@ -236,23 +208,14 @@ BuildRequires: python3-cryptography
BuildRequires: python3-lxml
BuildRequires: python3-ldap
BuildRequires: python3-libselinux
BuildRequires: python3-nss
BuildRequires: python3-requests >= 2.6.0
BuildRequires: python3-six
%if 0%{?fedora} || 0%{?rhel} > 8
BuildRequires: python3-pytest-runner
%endif
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
BuildRequires: jss >= 4.8.1
BuildRequires: tomcatjss >= 7.6.1
BuildRequires: jss >= 4.9.0, jss < 5.0.0
BuildRequires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
# JNA is used to bind to libsystemd
%if %{with sdnotify}
BuildRequires: jna
%endif
BuildRequires: systemd-units
%if 0%{?rhel} && ! 0%{?eln}
@ -319,22 +282,22 @@ Summary: %{brand} PKI Package
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI theme packages
Requires: %{vendor_id}-pki-server-theme = %{version}
Requires: %{vendor_id}-pki-console-theme = %{version}
Requires: %{vendor_id}-pki-server-theme = %{version}-%{release}
Requires: %{vendor_id}-pki-console-theme = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages
Requires: pki-acme = %{version}
Requires: pki-ca = %{version}
Requires: pki-kra = %{version}
Requires: pki-ocsp = %{version}
Requires: pki-tks = %{version}
Requires: pki-tps = %{version}
Requires: pki-acme = %{version}-%{release}
Requires: pki-ca = %{version}-%{release}
Requires: pki-kra = %{version}-%{release}
Requires: pki-ocsp = %{version}-%{release}
Requires: pki-tks = %{version}-%{release}
Requires: pki-tps = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of PKI console
Requires: pki-console = %{version}
Requires: pki-javadoc = %{version}
Requires: pki-console = %{version}-%{release}
Requires: pki-javadoc = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
@ -371,9 +334,9 @@ PKI consists of the following components:
Summary: PKI Symmetric Key Package
Requires: %java_headless >= %{min_java_version}
Requires: %{java_headless}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.8.0
Requires: jss >= 4.9.0, jss < 5.0.0
Requires: nss >= 3.38.0
# Ensure we end up with a useful installation
@ -416,7 +379,7 @@ Summary: PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
Provides: pki-base-python3 = %{version}-%{release}
%if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki}
%endif
@ -426,9 +389,11 @@ Requires: python3 >= 3.5
Requires: python3-cryptography
Requires: python3-ldap
Requires: python3-lxml
Requires: python3-nss
Requires: python3-requests >= 2.6.0
Requires: python3-six
%if 0%{?rhel} < 9 || 0%{?fedora} < 34
Recommends: python3-nss
%endif
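Review bot: the condition `%if 0%{?rhel} < 9 || 0%{?fedora} < 34` is always true, because an undefined macro expands to 0 and both `0 < 9` and `0 < 34` hold: on Fedora the `%{?rhel}` side is true, on RHEL 9 the `%{?fedora}` side is true. If the intent is to recommend python3-nss only where it is still shipped, guard each side with a defined-check, e.g. `%if (0%{?rhel} && 0%{?rhel} < 9) || (0%{?fedora} && 0%{?fedora} < 34)`.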
%description -n python3-pki
This package contains PKI client library for Python 3.
@ -440,26 +405,24 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
Requires: %java_headless >= %{min_java_version}
Requires: %{java_headless}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
Requires: apache-commons-lang3 >= 3.2
Requires: apache-commons-logging
Requires: apache-commons-net
Requires: jakarta-commons-httpclient
Requires: glassfish-jaxb-api
Requires: slf4j
Requires: slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.7.0
Requires: ldapjdk >= 4.22.0
Requires: jss >= 4.9.0, jss < 5.0.0
Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
Requires: pki-base = %{version}-%{release}
%if 0%{?rhel} && 0%{?rhel} <= 8
Requires: resteasy >= 3.0.26
%else
Requires: resteasy-atom-provider >= 3.0.17-1
Requires: resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1
Requires: resteasy-core >= 3.0.17-1
@ -535,19 +498,13 @@ Requires: pki-servlet-engine
Requires: tomcat >= 1:9.0.7
%endif
Requires: velocity
Requires: sudo
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 7.6.1
# JNA is used to bind to libsystemd
%if %{with sdnotify}
Requires: jna
%endif
Requires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
# pki-healthcheck depends on the following library
%if 0%{?rhel}
@ -658,7 +615,7 @@ since such archival would undermine non-repudiation properties of signing keys.
Summary: PKI OCSP Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@ -696,7 +653,7 @@ whenever they are issued or updated.
Summary: PKI TKS Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@ -727,7 +684,7 @@ behind the firewall with restricted access.
Summary: PKI TPS Package
Requires: pki-server = %{version}
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@ -792,8 +749,8 @@ BuildArch: noarch
BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0
Requires: pki-base-java = %{version}
Requires: pki-console-theme = %{version}
Requires: pki-base-java = %{version}-%{release}
Requires: pki-console-theme = %{version}-%{release}
%description -n pki-console
The PKI Console is a Java application used to administer PKI server.
@ -809,7 +766,7 @@ The PKI Console is a Java application used to administer PKI server.
Summary: %{brand} PKI Server Theme Package
BuildArch: noarch
Provides: pki-server-theme = %{version}
Provides: pki-server-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
@ -828,7 +785,7 @@ This PKI Server Theme Package contains
Summary: %{brand} PKI Console Theme Package
BuildArch: noarch
Provides: pki-console-theme = %{version}
Provides: pki-console-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
@ -861,7 +818,7 @@ This package contains PKI test suite.
%prep
################################################################################
%autosetup -n pki-%{version}%{?_phase} -p 1 -S git
%autosetup -n pki-%{version}%{?_phase} -p 1
################################################################################
%build
@ -875,7 +832,7 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
# assume tomcat app_server
app_server=tomcat-8.5
app_server=tomcat-9.0
%if 0%{?rhel} && 0%{?rhel} <= 8
%{__mkdir_p} build
@ -888,8 +845,8 @@ cd build
-DVAR_INSTALL_DIR:PATH=/var \
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
-DJAVA_VERSION=${java_version} \
-DJAVA_HOME=%java_home \
-DPKI_JAVA_PATH=%java_home/bin/java \
-DJAVA_HOME=%{java_home} \
-DPKI_JAVA_PATH=%{java_home}/bin/java \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
@ -907,7 +864,6 @@ cd build
-DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
-DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
-DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
-DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
@ -949,7 +905,7 @@ cd %{_vpath_builddir}
--no-print-directory \
install
%if %{with_test}
%if %{with test}
ctest --output-on-failure
%endif
@ -966,14 +922,22 @@ EOF
# Customize client library links in /usr/share/pki/lib
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
%else
ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/lib/jakarta.annotation-api.jar
%endif
%if %{with server}
# Customize server common library links in /usr/share/pki/server/common/lib
ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
%else
ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jakarta.annotation-api.jar
%endif
# with server
%endif
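Review bot: the `%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8` block and its two `ln -sf` branches are written out twice, once for `%{_datadir}/pki/lib` and once for `%{_datadir}/pki/server/common/lib`. Hoisting the chosen annotation jar path into a single `%define` and reusing it in both `ln -sf` lines would keep the two copies from drifting the next time the distro condition changes.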
@ -1127,6 +1091,7 @@ fi
%license base/tools/LICENSE
%doc base/tools/doc/README
%{_bindir}/p7tool
%{_bindir}/p12tool
%{_bindir}/pistool
%{_bindir}/pki
%{_bindir}/revoker
@ -1251,10 +1216,6 @@ fi
%{_datadir}/pki/setup/
%{_datadir}/pki/server/
%if %{with sdnotify}
%{_javadir}/pki/pki-systemd.jar
%endif
# with server
%endif
@ -1402,15 +1363,26 @@ fi
################################################################################
%changelog
* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
* Fri Sep 24 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-2
- Bug 2001576 - pki instance creation fails for IPA in FIPS mode
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
* Fri Sep 17 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-1
- Rebase to PKI 10.11.2
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
- Rebase to PKI 10.10.5
- Bug 1929067 - PKI instance creation failed with new 389-ds-base build
* Thu Aug 12 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-2
- Bug 1992337 - Double issuance of non-CA subsystem certs at installation
* Mon Jul 26 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-1
- Rebase to PKI 10.11.0
* Mon Jun 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.3
- Rebase to PKI 10.11.0-alpha3
* Thu Jun 03 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.2
- Fix JAVA_HOME
* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.1
- Rebase to PKI 10.11.0-alpha2
* Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
- Rebase to PKI 10.10.4
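Review bot: the 10.10.5-1, 10.10.5-2 and 10.10.5-3 entries are deleted instead of being kept below the new 10.11.x entries, so the changelog no longer records the CVE-2021-3551 and CVE-2021-20179 fixes anywhere, and none of the new entries mentions them. Because the patches for both are removed in this same commit, add a line under 10.11.2-1 (or keep the old entries) saying the rebase includes those fixes, so the security history stays auditable from the spec alone.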