parent
c494b62b47
commit
60fb329feb
|
@ -83,3 +83,4 @@
|
|||
/pki-10.11.0-alpha1.tar.gz
|
||||
/pki-11.0.0-alpha1.tar.gz
|
||||
/pki-11.0.0-beta1.tar.gz
|
||||
/pki-11.0.0.tar.gz
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
|
||||
From: jmagne <jmagne@redhat.com>
|
||||
Date: Thu, 16 Sep 2021 15:48:37 -0700
|
||||
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
|
||||
in FIPS mode (RHEL-8.5) (#3742)
|
||||
|
||||
It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
|
||||
that runs before the server runs. In order for this command to succeed, we must alter the python script that
|
||||
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
|
||||
|
||||
This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
|
||||
fips mode.
|
||||
---
|
||||
base/common/python/pki/cli/main.py | 11 ++++++++++-
|
||||
base/common/share/etc/pki.conf | 10 ++++++++++
|
||||
2 files changed, 20 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
|
||||
index b0ae6c6fc..bc215aaa4 100644
|
||||
--- a/base/common/python/pki/cli/main.py
|
||||
+++ b/base/common/python/pki/cli/main.py
|
||||
@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
|
||||
|
||||
java_path = os.getenv('PKI_JAVA_PATH')
|
||||
java_home = os.getenv('JAVA_HOME')
|
||||
+ java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
|
||||
pki_lib = os.getenv('PKI_LIB')
|
||||
logging_config = os.getenv('PKI_LOGGING_CONFIG')
|
||||
|
||||
@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
|
||||
cmd.extend(['/usr/bin/env', 'java'])
|
||||
|
||||
cmd.extend([
|
||||
- '-cp', pki_lib + '/*',
|
||||
+ '-cp', pki_lib + '/*'
|
||||
+ ])
|
||||
+
|
||||
+ if java_fips_cmd is not None:
|
||||
+ cmd.extend([
|
||||
+ java_fips_cmd
|
||||
+ ])
|
||||
+
|
||||
+ cmd.extend([
|
||||
'-Djava.util.logging.config.file=' + logging_config,
|
||||
'com.netscape.cmstools.cli.MainCLI'
|
||||
])
|
||||
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
|
||||
index 17615b042..fd40ece3b 100644
|
||||
--- a/base/common/share/etc/pki.conf
|
||||
+++ b/base/common/share/etc/pki.conf
|
||||
@@ -14,6 +14,16 @@ export JAVA_HOME
|
||||
PKI_JAVA_PATH=${PKI_JAVA_PATH}
|
||||
export PKI_JAVA_PATH
|
||||
|
||||
+# JVM options
|
||||
+#
|
||||
+# Command switch we want to tell java to observer fips mode
|
||||
+# For the moment we want this to be false even if we really are
|
||||
+# in fips mode, because we want the jss prover instead of the sun
|
||||
+# fips provider to be selected.
|
||||
+JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
|
||||
+
|
||||
+export JAVA_FIPS_ENABLED
|
||||
+
|
||||
# JNI jar file location
|
||||
JNI_JAR_DIR=/usr/lib/java
|
||||
export JNI_JAR_DIR
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001
|
||||
From: Jack Magne <jmagne@redhat.com>
|
||||
Date: Thu, 23 Sep 2021 13:50:41 -0400
|
||||
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
|
||||
in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
|
||||
standalone java tools.
|
||||
|
||||
---
|
||||
base/tools/templates/pki_java_command_wrapper.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
|
||||
index 05650630d4..d68ed93a30 100644
|
||||
--- a/base/tools/templates/pki_java_command_wrapper.in
|
||||
+++ b/base/tools/templates/pki_java_command_wrapper.in
|
||||
@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
|
||||
|
||||
${JAVA} ${JAVA_OPTIONS} \
|
||||
-cp "${PKI_LIB}/*" \
|
||||
+ -Dcom.redhat.fips=false \
|
||||
-Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
|
||||
com.netscape.cmstools.${COMMAND} "$@"
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 0371cd21488648b779d6b7e2af2d893f86a182bc Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Thu, 24 Jun 2021 11:19:46 +0200
|
||||
Subject: [PATCH] PKCS#12 export: encrypt private key with AES
|
||||
|
||||
pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
|
||||
CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
|
||||
PBES2 with AES-128-CBC to encrypt private key and leave public certs
|
||||
unencrypted.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
base/server/python/pki/server/deployment/pkihelper.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
||||
index eb407e01e1..7c197b07f1 100644
|
||||
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
||||
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
||||
@@ -1997,6 +1997,11 @@ def create_file(self, out_file, nickname, out_pwfile,
|
||||
logger.error(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
|
||||
raise Exception(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
|
||||
|
||||
+ # encrypt private keys with PKCS#5 PBES2
|
||||
+ command.extend(["-c", "AES-128-CBC"])
|
||||
+ # don't encrypt public certs
|
||||
+ command.extend(["-C", "NONE"])
|
||||
+
|
||||
logger.debug('Command: %s', ' '.join(command))
|
||||
with open(os.devnull, "w") as fnull:
|
||||
subprocess.check_call(command, stdout=fnull, stderr=fnull)
|
|
@ -16,8 +16,8 @@ License: GPLv2 and LGPLv2
|
|||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
Version: 11.0.0
|
||||
Release: 0.6.beta1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
%global _phase -beta1
|
||||
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
#global _phase -alpha1
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
# $ git archive \
|
||||
|
@ -34,9 +34,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
|||
# > pki-VERSION-RELEASE.patch
|
||||
# Patch: pki-VERSION-RELEASE.patch
|
||||
|
||||
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
|
||||
Patch2: 0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
|
||||
|
@ -962,16 +959,6 @@ ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroo
|
|||
# with server
|
||||
%endif
|
||||
|
||||
# TEMP provide links to the temporarily bundled JAXB JAR (#2002594)
|
||||
if test -f "/usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar";
|
||||
then
|
||||
echo "jakarta.xml.bind-api.jar already installed"
|
||||
else
|
||||
echo "Providing links to jakarta.xml.bind-api.jar"
|
||||
sudo cp %{_topdir}/BUILD/pki-11.0.0-beta1/jakarta.xml.bind-api.jar /usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar
|
||||
sudo ln -sf /usr/share/java/glassfish-jaxb-api/jakarta.xml.bind-api.jar /usr/share/java/jaxb-api.jar
|
||||
fi
|
||||
|
||||
%if %{with server}
|
||||
|
||||
%pre -n %{product_id}-server
|
||||
|
@ -1382,6 +1369,9 @@ fi
|
|||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Tue Oct 05 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-1
|
||||
- Rebase to PKI 11.0.0
|
||||
|
||||
* Thu Sep 30 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.6.beta1
|
||||
- Rebase to PKI 11.0.0-beta1
|
||||
- Bug #1999052 - pki instance creation fails for IPA server
|
||||
|
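Review bot: The new %changelog entry for 11.0.0-1 records only the rebase, but this section also drops Patch1 and Patch2 (the Bug 2001576 FIPS workaround that passed `-Dcom.redhat.fips=false` to the pki CLI and the standalone java wrapper), and the commit deletes the separate PKCS#12 AES-encryption patch for bz 1975406 as well. If 11.0.0 carries those fixes upstream, the entry should say so, e.g. `- Drop patches for Bug 2001576 and bz 1975406 (included upstream)`, so a downstream reader can verify the FIPS-mode instance creation and PKCS#12 export fixes did not regress with the rebase; if it does not, the patches are needed again. In the Release hunk, the disabled `#global _phase -alpha1` line no longer matches the `-beta1` value it replaces and reads as a leftover; `#global _phase -beta1` would be the consistent template for the next pre-release. The %install hunk that removes the `sudo cp` into /usr/share/java is also untracked by the changelog, and a one-line mention of that removal would help packagers reviewing the diff.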
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (pki-11.0.0-beta1.tar.gz) = 66762825f9120d65712e33708199be4f9951fe1328e924d134b89e47b440bb862b8bbfe1dfa025d1e532439324c4a46ca2fd0e2451fc433ff6d5c9a61613ed61
|
||||
SHA512 (pki-11.0.0.tar.gz) = 91d687b563d39c969f47aea96fde38d21a8068881fa39897aa961ff86053b2fba0cd69001500382f7cbfc737b7859e0204793e09d51befde6c2e6811d8e2b9fb
|
||||
|
|