Rebase to PKI 11.0.0

Resolves: #2003143

.gitignore

@@ -83,3 +83,4 @@
 /pki-10.11.0-alpha1.tar.gz
 /pki-11.0.0-alpha1.tar.gz
 /pki-11.0.0-beta1.tar.gz
+/pki-11.0.0.tar.gz

0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch

@@ -1,70 +0,0 @@
-From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
-From: jmagne <jmagne@redhat.com>
-Date: Thu, 16 Sep 2021 15:48:37 -0700
-Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
- in FIPS mode (RHEL-8.5) (#3742)
-
-It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
-that runs before the server runs. In order for this command to succeed, we must alter the python script that
-runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
-
-This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
-fips mode.
----
- base/common/python/pki/cli/main.py | 11 ++++++++++-
- base/common/share/etc/pki.conf     | 10 ++++++++++
- 2 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
-index b0ae6c6fc..bc215aaa4 100644
---- a/base/common/python/pki/cli/main.py
-+++ b/base/common/python/pki/cli/main.py
-@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
- 
-         java_path = os.getenv('PKI_JAVA_PATH')
-         java_home = os.getenv('JAVA_HOME')
-+        java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
-         pki_lib = os.getenv('PKI_LIB')
-         logging_config = os.getenv('PKI_LOGGING_CONFIG')
- 
-@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
-             cmd.extend(['/usr/bin/env', 'java'])
- 
-         cmd.extend([
--            '-cp', pki_lib + '/*',
-+            '-cp', pki_lib + '/*'
-+        ])
-+
-+        if java_fips_cmd is not None:
-+            cmd.extend([
-+                java_fips_cmd
-+            ])
-+
-+        cmd.extend([
-             '-Djava.util.logging.config.file=' + logging_config,
-             'com.netscape.cmstools.cli.MainCLI'
-         ])
-diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
-index 17615b042..fd40ece3b 100644
---- a/base/common/share/etc/pki.conf
-+++ b/base/common/share/etc/pki.conf
-@@ -14,6 +14,16 @@ export JAVA_HOME
- PKI_JAVA_PATH=${PKI_JAVA_PATH}
- export PKI_JAVA_PATH
- 
-+# JVM options
-+#
-+# Command switch we want to tell java to observer fips mode
-+# For the moment we want this to be false even if we really are
-+# in fips mode, because we want the jss prover instead of the sun
-+# fips provider to be selected.
-+JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
-+
-+export JAVA_FIPS_ENABLED
-+
- # JNI jar file location
- JNI_JAR_DIR=/usr/lib/java
- export JNI_JAR_DIR
--- 
-2.31.1
-

0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch

@@ -1,26 +0,0 @@
-From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@redhat.com>
-Date: Thu, 23 Sep 2021 13:50:41 -0400
-Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
- in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
- standalone java tools.
-
----
- base/tools/templates/pki_java_command_wrapper.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
-index 05650630d4..d68ed93a30 100644
---- a/base/tools/templates/pki_java_command_wrapper.in
-+++ b/base/tools/templates/pki_java_command_wrapper.in
-@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
- 
- ${JAVA} ${JAVA_OPTIONS} \
-   -cp "${PKI_LIB}/*" \
-+  -Dcom.redhat.fips=false \
-   -Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
-   com.netscape.cmstools.${COMMAND} "$@"
- 
--- 
-2.31.1
-

admin-cert-p12.patch

@@ -1,32 +0,0 @@
-From 0371cd21488648b779d6b7e2af2d893f86a182bc Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Thu, 24 Jun 2021 11:19:46 +0200
-Subject: [PATCH] PKCS#12 export: encrypt private key with AES
-
-pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
-CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
-PBES2 with AES-128-CBC to encrypt private key and leave public certs
-unencrypted.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
----
- base/server/python/pki/server/deployment/pkihelper.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index eb407e01e1..7c197b07f1 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -1997,6 +1997,11 @@ def create_file(self, out_file, nickname, out_pwfile,
-                 logger.error(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
-                 raise Exception(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
- 
-+            # encrypt private keys with PKCS#5 PBES2
-+            command.extend(["-c", "AES-128-CBC"])
-+            # don't encrypt public certs
-+            command.extend(["-C", "NONE"])
-+
-             logger.debug('Command: %s', ' '.join(command))
-             with open(os.devnull, "w") as fnull:
-                 subprocess.check_call(command, stdout=fnull, stderr=fnull)

pki-core.spec

@@ -16,8 +16,8 @@ License:          GPLv2 and LGPLv2
 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
 Version:          11.0.0
-Release:          0.6.beta1%{?_timestamp}%{?_commit_id}%{?dist}
-%global           _phase -beta1
+Release:          1%{?_timestamp}%{?_commit_id}%{?dist}
+#global           _phase -alpha1
 
 # To create a tarball from a version tag:
 # $ git archive \
@@ -34,9 +34,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 
-Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
-Patch2: 0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
-
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
 # so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
@@ -962,16 +959,6 @@ ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroo
 # with server
 %endif
 
-# TEMP provide links to the temporarily bundled JAXB JAR (#2002594)
-if test -f "/usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar";
-then
-    echo "jakarta.xml.bind-api.jar already installed"
-else
-    echo "Providing links to jakarta.xml.bind-api.jar"
-    sudo cp %{_topdir}/BUILD/pki-11.0.0-beta1/jakarta.xml.bind-api.jar /usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar
-    sudo ln -sf /usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar /usr/share/java/jaxb-api.jar
-fi
-
 %if %{with server}
 
 %pre -n %{product_id}-server
@@ -1382,6 +1369,9 @@ fi
 
 ################################################################################
 %changelog
+* Tue Oct 05 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-1
+- Rebase to PKI 11.0.0
+
 * Thu Sep 30 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.6.beta1
 - Rebase to PKI 11.0.0-beta1
 - Bug #1999052 - pki instance creation fails for IPA server

sources

@@ -1 +1 @@
-SHA512 (pki-11.0.0-beta1.tar.gz) = 66762825f9120d65712e33708199be4f9951fe1328e924d134b89e47b440bb862b8bbfe1dfa025d1e532439324c4a46ca2fd0e2451fc433ff6d5c9a61613ed61
+SHA512 (pki-11.0.0.tar.gz) = 91d687b563d39c969f47aea96fde38d21a8068881fa39897aa961ff86053b2fba0cd69001500382f7cbfc737b7859e0204793e09d51befde6c2e6811d8e2b9fb