Fix installation issue in FIPS mode

Resolves: #2002989
Endi S. Dewata 2021-09-30 09:40:23 -05:00
parent db5622a428
commit c494b62b47
5 changed files with 310 additions and 202 deletions

1
.gitignore vendored

@ -82,3 +82,4 @@
/pki-10.10.5.tar.gz
/pki-10.11.0-alpha1.tar.gz
/pki-11.0.0-alpha1.tar.gz
/pki-11.0.0-beta1.tar.gz


@ -0,0 +1,70 @@
From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Thu, 16 Sep 2021 15:48:37 -0700
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
in FIPS mode (RHEL-8.5) (#3742)
It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
that runs before the server runs. In order for this command to succeed, we must alter the python script that
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
fips mode.
---
base/common/python/pki/cli/main.py | 11 ++++++++++-
base/common/share/etc/pki.conf | 10 ++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
index b0ae6c6fc..bc215aaa4 100644
--- a/base/common/python/pki/cli/main.py
+++ b/base/common/python/pki/cli/main.py
@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
java_path = os.getenv('PKI_JAVA_PATH')
java_home = os.getenv('JAVA_HOME')
+ java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
pki_lib = os.getenv('PKI_LIB')
logging_config = os.getenv('PKI_LOGGING_CONFIG')
@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
cmd.extend(['/usr/bin/env', 'java'])
cmd.extend([
- '-cp', pki_lib + '/*',
+ '-cp', pki_lib + '/*'
+ ])
+
+ if java_fips_cmd is not None:
+ cmd.extend([
+ java_fips_cmd
+ ])
+
+ cmd.extend([
'-Djava.util.logging.config.file=' + logging_config,
'com.netscape.cmstools.cli.MainCLI'
])
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index 17615b042..fd40ece3b 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -14,6 +14,16 @@ export JAVA_HOME
PKI_JAVA_PATH=${PKI_JAVA_PATH}
export PKI_JAVA_PATH
+# JVM options
+#
+# Command switch we want to tell java to observer fips mode
+# For the moment we want this to be false even if we really are
+# in fips mode, because we want the jss prover instead of the sun
+# fips provider to be selected.
+JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
+
+export JAVA_FIPS_ENABLED
+
# JNI jar file location
JNI_JAR_DIR=/usr/lib/java
export JNI_JAR_DIR
--
2.31.1
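Review bot: In the main.py hunk the guard `if java_fips_cmd is not None:` lets an empty `JAVA_FIPS_ENABLED` through, and an empty argument placed before `com.netscape.cmstools.cli.MainCLI` would likely be read by `java` as the main class; `if java_fips_cmd:` avoids that. The value is appended as one argv element without any check, so it can carry exactly one JVM option, and whatever else is put in a variable whose name suggests a boolean ends up on the JVM command line. Because pki.conf now exports `-Dcom.redhat.fips=false` for every host, the comment there should say what still enforces FIPS for these commands (presumably JSS/NSS, worth confirming) and name the bug that tracks removing the override. The enclosing method in main.py starts and ends outside the hunk.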


@ -0,0 +1,26 @@
From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Thu, 23 Sep 2021 13:50:41 -0400
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
standalone java tools.
---
base/tools/templates/pki_java_command_wrapper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
index 05650630d4..d68ed93a30 100644
--- a/base/tools/templates/pki_java_command_wrapper.in
+++ b/base/tools/templates/pki_java_command_wrapper.in
@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
${JAVA} ${JAVA_OPTIONS} \
-cp "${PKI_LIB}/*" \
+ -Dcom.redhat.fips=false \
-Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
com.netscape.cmstools.${COMMAND} "$@"
--
2.31.1
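Review bot: The wrapper hard-codes `-Dcom.redhat.fips=false` instead of using the `JAVA_FIPS_ENABLED` setting that the first patch adds to pki.conf, so the standalone tools cannot be switched back from the same place as the `pki` CLI. If the wrapper has pki.conf's variables in scope (not visible in this hunk), `${JAVA_FIPS_ENABLED} \` on that line would keep the two launch paths consistent. Otherwise a comment above the `${JAVA}` command, such as `# JSS must be selected instead of the JDK FIPS provider; see bug 2001576`, should record why the option is there. Since the option follows `${JAVA_OPTIONS}`, it probably also overrides any `-Dcom.redhat.fips` value an administrator sets in that variable.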


@ -2,10 +2,13 @@
Name: pki-core
################################################################################
%global vendor_id redhat
%global brand Red Hat
%global product_name PKI
%global product_id pki
Summary: %{brand} PKI Core Package
# NOTE: Do not specify the theme for pki-core
# global theme dogtag
Summary: %{product_name} Core Package
URL: https://www.dogtagpki.org
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
@ -13,8 +16,8 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 11.0.0
Release: 0.5.alpha1%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -alpha1
Release: 0.6.beta1%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -beta1
# To create a tarball from a version tag:
# $ git archive \
@ -31,7 +34,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
Patch1: admin-cert-p12.patch
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
Patch2: 0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@ -88,8 +92,7 @@ ExcludeArch: i686
# If --with pkgs option is specified, only packages specified with
# --with <package> will be built (inclusion method).
# bcond_with pkgs
%global with_pkgs 1
%bcond_with pkgs
# Define package_option macro to wrap bcond_with or bcond_without macro
# depending on package selection method.
@ -103,16 +106,13 @@ ExcludeArch: i686
# Define --with <package> or --without <package> options depending on
# package selection method.
# package_option base
%global with_base 1
# package_option server
%global with_server 1
# package_option acme
%global with_acme 1
# package_option ca
%global with_ca 1
# package_option kra
%global with_kra 1
%package_option base
%package_option server
%package_option acme
%package_option ca
%package_option kra
# NOTE: Do not build the following packages for pki-core
# package_option ocsp
# package_option tks
# package_option tps
@ -120,7 +120,6 @@ ExcludeArch: i686
# package_option theme
# package_option meta
# package_option tests
%global with_tests 1
# package_option debug
%if ! %{with debug}
@ -248,13 +247,13 @@ BuildRequires: nss-tools
BuildRequires: openssl
# description for top-level package (if there is a separate meta package)
%if "%{name}" != "%{vendor_id}-pki"
%if "%{name}" != "%{product_id}"
%description
%{brand} PKI is an enterprise software system designed
%{product_name} is an enterprise software system designed
to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components:
%{product_name} consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA)
@ -266,36 +265,32 @@ PKI consists of the following components:
%endif
%if %{with meta}
%if "%{name}" != "%{vendor_id}-pki"
%if "%{name}" != "%{product_id}"
################################################################################
%package -n %{vendor_id}-pki
%package -n %{product_id}
################################################################################
Summary: %{brand} PKI Package
Summary: %{product_name} Package
%endif
Obsoletes: pki-console < %{version}
Obsoletes: pki-console-theme < %{version}
Obsoletes: idm-console-framework < 2.0
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI theme packages
Requires: %{vendor_id}-pki-server-theme = %{version}
%if %{with console}
Requires: %{vendor_id}-pki-console-theme = %{version}
%endif
Requires: %{product_id}-server-theme = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages
Requires: pki-acme = %{version}
Requires: pki-ca = %{version}
Requires: pki-kra = %{version}
Requires: pki-ocsp = %{version}
Requires: pki-tks = %{version}
Requires: pki-tps = %{version}
Requires: %{product_id}-acme = %{version}-%{release}
Requires: %{product_id}-ca = %{version}-%{release}
Requires: %{product_id}-kra = %{version}-%{release}
Requires: %{product_id}-ocsp = %{version}-%{release}
Requires: %{product_id}-tks = %{version}-%{release}
Requires: %{product_id}-tps = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of PKI console
%if %{with console}
Requires: pki-console = %{version}
%endif
Requires: pki-javadoc = %{version}
Requires: %{product_id}-javadoc = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
@ -304,16 +299,16 @@ Requires: esc >= 1.1.1
%endif
# description for top-level package (unless there is a separate meta package)
%if "%{name}" == "%{vendor_id}-pki"
%if "%{name}" == "%{product_id}"
%description
%else
%description -n %{vendor_id}-pki
%description -n %{product_id}
%endif
%{brand} PKI is an enterprise software system designed
%{product_name} is an enterprise software system designed
to manage enterprise Public Key Infrastructure deployments.
PKI consists of the following components:
%{product_name} consists of the following components:
* Automatic Certificate Management Environment (ACME) Responder
* Certificate Authority (CA)
@ -327,10 +322,13 @@ PKI consists of the following components:
%if %{with base}
################################################################################
%package -n pki-symkey
%package -n %{product_id}-symkey
################################################################################
Summary: PKI Symmetric Key Package
Summary: %{product_name} Symmetric Key Package
Obsoletes: pki-symkey < %{version}-%{release}
Provides: pki-symkey = %{version}-%{release}
Requires: %{java_headless}
Requires: jpackage-utils >= 0:1.7.5-10
@ -341,21 +339,20 @@ Requires: nss >= 3.38.0
Conflicts: pki-symkey < %{version}
Conflicts: pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version}
%if %{with console}
Conflicts: pki-console-theme < %{version}
%endif
%description -n pki-symkey
The PKI Symmetric Key Java Package supplies various native
symmetric key operations to Java programs.
%description -n %{product_id}-symkey
This package provides library for symmetric key operations.
################################################################################
%package -n pki-base
%package -n %{product_id}-base
################################################################################
Summary: PKI Base Package
Summary: %{product_name} Base Package
BuildArch: noarch
Obsoletes: pki-base < %{version}-%{release}
Provides: pki-base = %{version}-%{release}
Requires: nss >= 3.36.1
Requires: python3-pki = %{version}-%{release}
@ -365,28 +362,28 @@ Requires(post): python3-pki = %{version}-%{release}
Conflicts: pki-symkey < %{version}
Conflicts: pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version}
%if %{with console}
Conflicts: pki-console-theme < %{version}
%endif
%description -n pki-base
The PKI Base Package contains the common and client libraries and utilities
written in Python.
%description -n %{product_id}-base
This package provides default configuration files for %{product_name} client.
################################################################################
%package -n python3-pki
%package -n python3-%{product_id}
################################################################################
Summary: PKI Python 3 Package
Summary: %{product_name} Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
Obsoletes: python3-pki < %{version}-%{release}
Provides: python3-pki = %{version}-%{release}
Obsoletes: pki-base-python3 < %{version}-%{release}
Provides: pki-base-python3 = %{version}-%{release}
%if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki}
%endif
Requires: pki-base = %{version}-%{release}
Requires: %{product_id}-base = %{version}-%{release}
Requires: python3 >= 3.5
Requires: python3-cryptography
Requires: python3-ldap
@ -394,16 +391,19 @@ Requires: python3-lxml
Requires: python3-requests >= 2.6.0
Requires: python3-six
%description -n python3-pki
This package contains PKI client library for Python 3.
%description -n python3-%{product_id}
This package provides common and client library for Python 3.
################################################################################
%package -n pki-base-java
%package -n %{product_id}-base-java
################################################################################
Summary: PKI Base Java Package
Summary: %{product_name} Base Java Package
BuildArch: noarch
Obsoletes: pki-base-java < %{version}-%{release}
Provides: pki-base-java = %{version}-%{release}
Requires: %{java_headless}
Requires: apache-commons-cli
Requires: apache-commons-codec
@ -416,13 +416,12 @@ Requires: slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 5.0.0
Requires: ldapjdk >= 5.0.0
Requires: pki-base = %{version}-%{release}
Requires: %{product_id}-base = %{version}-%{release}
%if 0%{?rhel} && 0%{?rhel} <= 8
Requires: resteasy >= 3.0.26
%else
Requires: resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1
Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
@ -431,48 +430,53 @@ Requires: xalan-j2
Requires: xerces-j2
Requires: xml-commons-resolver
%description -n pki-base-java
The PKI Base Java Package contains the common and client libraries and utilities
written in Java.
%description -n %{product_id}-base-java
This package provides common and client libraries for Java.
################################################################################
%package -n pki-tools
%package -n %{product_id}-tools
################################################################################
Summary: PKI Tools Package
Summary: %{product_name} Tools Package
Obsoletes: pki-tools < %{version}-%{release}
Provides: pki-tools = %{version}-%{release}
Requires: openldap-clients
Requires: nss-tools >= 3.36.1
Requires: pki-base-java = %{version}-%{release}
Requires: %{product_id}-base-java = %{version}-%{release}
Requires: p11-kit-trust
# PKICertImport depends on certutil and openssl
Requires: nss-tools
Requires: openssl
%description -n pki-tools
This package contains PKI executables that can be used to help make
Certificate System into a more complete and robust PKI solution.
%description -n %{product_id}-tools
This package provides tools that can be used to help make
%{product_name} into a more complete and robust PKI solution.
# with base
%endif
%if %{with server}
################################################################################
%package -n pki-server
%package -n %{product_id}-server
################################################################################
Summary: PKI Server Package
Summary: %{product_name} Server Package
BuildArch: noarch
Obsoletes: pki-server < %{version}-%{release}
Provides: pki-server = %{version}-%{release}
Requires: hostname
Requires: policycoreutils
Requires: procps-ng
Requires: openldap-clients
Requires: openssl
Requires: pki-symkey = %{version}-%{release}
Requires: pki-tools = %{version}-%{release}
Requires: %{product_id}-symkey = %{version}-%{release}
Requires: %{product_id}-tools = %{version}-%{release}
Requires: keyutils
@ -492,7 +496,6 @@ Requires: tomcat >= 1:9.0.7
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 8.0.0
@ -518,25 +521,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7
Provides: bundled(js-patternfly) = 3.59.2
Provides: bundled(js-underscore) = 1.9.2
%description -n pki-server
The PKI Server Package contains libraries and utilities needed by other
PKI subsystems.
%description -n %{product_id}-server
This package provides libraries and utilities needed by %{product_name} services.
# with server
%endif
%if %{with acme}
################################################################################
%package -n pki-acme
%package -n %{product_id}-acme
################################################################################
Summary: PKI ACME Package
Summary: %{product_name} ACME Package
BuildArch: noarch
Requires: pki-server = %{version}-%{release}
Obsoletes: pki-acme < %{version}-%{release}
Provides: pki-acme = %{version}-%{release}
%description -n pki-acme
The PKI ACME responder is a service that provides an automatic certificate
Requires: %{product_id}-server = %{version}-%{release}
%description -n %{product_id}-acme
%{product_name} ACME responder is a service that provides an automatic certificate
management via ACME v2 protocol defined in RFC 8555.
# with acme
@ -544,19 +549,21 @@ management via ACME v2 protocol defined in RFC 8555.
%if %{with ca}
################################################################################
%package -n pki-ca
%package -n %{product_id}-ca
################################################################################
Summary: PKI CA Package
Summary: %{product_name} CA Package
BuildArch: noarch
Requires: pki-server = %{version}-%{release}
Obsoletes: pki-ca < %{version}-%{release}
Provides: pki-ca = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ca
The Certificate Authority (CA) is a required PKI subsystem which issues,
%description -n %{product_id}-ca
%{product_name} Certificate Authority (CA) is a required subsystem which issues,
renews, revokes, and publishes certificates as well as compiling and
publishing Certificate Revocation Lists (CRLs).
@ -569,19 +576,21 @@ where it obtains its own signing certificate from a public CA.
%if %{with kra}
################################################################################
%package -n pki-kra
%package -n %{product_id}-kra
################################################################################
Summary: PKI KRA Package
Summary: %{product_name} KRA Package
BuildArch: noarch
Requires: pki-server = %{version}-%{release}
Obsoletes: pki-kra < %{version}-%{release}
Provides: pki-kra = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-kra
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
%description -n %{product_id}-kra
%{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act
as a key archival facility. When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process. The key archival mechanism is triggered
@ -600,19 +609,21 @@ since such archival would undermine non-repudiation properties of signing keys.
%if %{with ocsp}
################################################################################
%package -n pki-ocsp
%package -n %{product_id}-ocsp
################################################################################
Summary: PKI OCSP Package
Summary: %{product_name} OCSP Package
BuildArch: noarch
Requires: pki-server = %{version}
Obsoletes: pki-ocsp < %{version}-%{release}
Provides: pki-ocsp = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ocsp
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
%description -n %{product_id}-ocsp
%{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional
subsystem that can act as a stand-alone OCSP service. The OCSP Manager
performs the task of an online certificate validation authority by enabling
OCSP-compliant clients to do real-time verification of certificates. Note
@ -638,19 +649,21 @@ whenever they are issued or updated.
%if %{with tks}
################################################################################
%package -n pki-tks
%package -n %{product_id}-tks
################################################################################
Summary: PKI TKS Package
Summary: %{product_name} TKS Package
BuildArch: noarch
Requires: pki-server = %{version}
Obsoletes: pki-tks < %{version}-%{release}
Provides: pki-tks = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-tks
The Token Key Service (TKS) is an optional PKI subsystem that manages the
%description -n %{product_id}-tks
%{product_name} Token Key Service (TKS) is an optional subsystem that manages the
master key(s) and the transport key(s) required to generate and distribute
keys for hardware tokens. TKS provides the security between tokens and an
instance of Token Processing System (TPS), where the security relies upon the
@ -670,14 +683,16 @@ behind the firewall with restricted access.
%if %{with tps}
################################################################################
%package -n pki-tps
%package -n %{product_id}-tps
################################################################################
Summary: PKI TPS Package
Summary: %{product_name} TPS Package
Requires: pki-server = %{version}
Obsoletes: pki-tps < %{version}-%{release}
Provides: pki-tps = %{version}-%{release}
Requires: %{product_id}-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# additional runtime requirements needed to run native 'tpsclient'
@ -686,8 +701,8 @@ Requires(postun): systemd-units
Requires: nss-tools >= 3.36.1
Requires: openldap-clients
%description -n pki-tps
The Token Processing System (TPS) is an optional PKI subsystem that acts
%description -n %{product_id}-tps
%{product_name} Token Processing System (TPS) is an optional subsystem that acts
as a Registration Authority (RA) for authenticating and processing
enrollment requests, PIN reset requests, and formatting requests from
the Enterprise Security Client (ESC).
@ -711,77 +726,78 @@ smart card.
%if %{with javadoc}
################################################################################
%package -n pki-javadoc
%package -n %{product_id}-javadoc
################################################################################
Summary: PKI Javadoc Package
Summary: %{product_name} Javadoc Package
BuildArch: noarch
Obsoletes: pki-javadoc < %{version}-%{release}
Provides: pki-javadoc = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
Conflicts: pki-symkey < %{version}
Conflicts: pki-server-theme < %{version}
%if %{with console}
Conflicts: pki-console-theme < %{version}
%endif
%description -n pki-javadoc
This package contains PKI API documentation.
%description -n %{product_id}-javadoc
This package provides %{product_name} API documentation.
# with javadoc
%endif
%if %{with console}
################################################################################
%package -n pki-console
%package -n %{product_id}-console
################################################################################
Summary: PKI Console Package
Summary: %{product_name} Console Package
BuildArch: noarch
BuildRequires: idm-console-framework >= 1.2.0
BuildRequires: idm-console-framework >= 2.0
Requires: idm-console-framework >= 1.2.0
Requires: pki-base-java = %{version}
Requires: pki-console-theme = %{version}
Obsoletes: pki-console < %{version}-%{release}
Provides: pki-console = %{version}-%{release}
%description -n pki-console
The PKI Console is a Java application used to administer PKI server.
Requires: idm-console-framework >= 2.0
Requires: %{product_id}-base-java = %{version}-%{release}
Requires: %{product_id}-console-theme = %{version}-%{release}
%description -n %{product_id}-console
%{product_name} Console is a Java application used to administer %{product_name} Server.
# with console
%endif
%if %{with theme}
################################################################################
%package -n %{vendor_id}-pki-server-theme
%package -n %{product_id}-server-theme
################################################################################
Summary: %{brand} PKI Server Theme Package
Summary: %{product_name} Server Theme Package
BuildArch: noarch
Provides: pki-server-theme = %{version}
Obsoletes: pki-server-theme < %{version}-%{release}
Provides: pki-server-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
Conflicts: pki-symkey < %{version}
%if %{with console}
Conflicts: pki-console-theme < %{version}
%endif
Conflicts: pki-javadoc < %{version}
%description -n %{vendor_id}-pki-server-theme
This PKI Server Theme Package contains
%{brand} textual and graphical user interface for PKI Server.
%description -n %{product_id}-server-theme
This package provides theme files for %{product_name} Server.
%if %{with console}
################################################################################
%package -n %{vendor_id}-pki-console-theme
%package -n %{product_id}-console-theme
################################################################################
Summary: %{brand} PKI Console Theme Package
Summary: %{product_name} Console Theme Package
BuildArch: noarch
Provides: pki-console-theme = %{version}
Obsoletes: pki-console-theme < %{version}-%{release}
Provides: pki-console-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
@ -789,9 +805,8 @@ Conflicts: pki-symkey < %{version}
Conflicts: pki-server-theme < %{version}
Conflicts: pki-javadoc < %{version}
%description -n %{vendor_id}-pki-console-theme
This PKI Console Theme Package contains
%{brand} textual and graphical user interface for PKI Console.
%description -n %{product_id}-console-theme
This package provides theme files for %{product_name} Console.
# with console
%endif
@ -801,14 +816,20 @@ This PKI Console Theme Package contains
%if %{with tests}
################################################################################
%package -n pki-tests
%package -n %{product_id}-tests
################################################################################
Summary: PKI Tests
Summary: %{product_name} Tests
BuildArch: noarch
%description -n pki-tests
This package contains PKI test suite.
Obsoletes: pki-tests < %{version}-%{release}
Provides: pki-tests = %{version}-%{release}
Requires: python3-pylint
Requires: python3-flake8
%description -n %{product_id}-tests
This package provides test suite for %{product_name}.
# with tests
%endif
@ -866,7 +887,7 @@ cd build
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \
-DTHEME=%{?with_theme:%{theme}} \
%if 0%{?rhel} && 0%{?rhel} <= 8
..
%else
@ -913,7 +934,7 @@ ctest --output-on-failure
cat > %{buildroot}%{_datadir}/doc/pki/README << EOF
This package is a "meta-package" whose dependencies pull in all of the
packages comprising the %{brand} Public Key Infrastructure (PKI) Suite.
packages comprising the %{product_name} Suite.
EOF
# with meta
@ -953,7 +974,7 @@ fi
%if %{with server}
%pre -n pki-server
%pre -n %{product_id}-server
getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
if ! getent passwd %{pki_username} >/dev/null ; then
useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
@ -965,7 +986,7 @@ exit 0
%if %{with base}
%post -n pki-base
%post -n %{product_id}-base
if [ $1 -eq 1 ]
then
@ -979,7 +1000,7 @@ else
echo >> /var/log/pki/pki-upgrade-%{version}.log
fi
%postun -n pki-base
%postun -n %{product_id}-base
if [ $1 -eq 0 ]
then
@ -992,11 +1013,7 @@ fi
%if %{with server}
%post -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
%post -n %{product_id}-server
# CVE-2021-3551
# Remove world access from existing installation logs
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
@ -1007,24 +1024,13 @@ then
systemctl daemon-reload
fi
## preun -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
## postun -n pki-server
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
# with server
%endif
%if %{with meta}
%if "%{name}" != "%{vendor_id}-pki"
%if "%{name}" != "%{product_id}"
################################################################################
%files -n %{vendor_id}-pki
%files -n %{product_id}
################################################################################
%else
%files
@ -1037,7 +1043,7 @@ fi
%if %{with base}
################################################################################
%files -n pki-symkey
%files -n %{product_id}-symkey
################################################################################
%license base/symkey/LICENSE
@ -1045,7 +1051,7 @@ fi
%{_libdir}/symkey/
################################################################################
%files -n pki-base
%files -n %{product_id}-base
################################################################################
%license base/common/LICENSE
@ -1071,7 +1077,7 @@ fi
%{_mandir}/man8/pki-upgrade.8.gz
################################################################################
%files -n pki-base-java
%files -n %{product_id}-base-java
################################################################################
%license base/common/LICENSE
@ -1083,7 +1089,7 @@ fi
%{_javadir}/pki/pki-certsrv.jar
################################################################################
%files -n python3-pki
%files -n python3-%{product_id}
################################################################################
%license base/common/LICENSE
@ -1094,12 +1100,13 @@ fi
%{python3_sitelib}/pki
################################################################################
%files -n pki-tools
%files -n %{product_id}-tools
################################################################################
%license base/tools/LICENSE
%doc base/tools/doc/README
%{_bindir}/p7tool
%{_bindir}/p12tool
%{_bindir}/pistool
%{_bindir}/pki
%{_bindir}/revoker
@ -1168,7 +1175,7 @@ fi
%if %{with server}
################################################################################
%files -n pki-server
%files -n %{product_id}-server
################################################################################
%license base/common/THIRD_PARTY_LICENSES
@ -1229,7 +1236,7 @@ fi
%if %{with acme}
################################################################################
%files -n pki-acme
%files -n %{product_id}-acme
################################################################################
%{_javadir}/pki/pki-acme.jar
@ -1240,7 +1247,7 @@ fi
%if %{with ca}
################################################################################
%files -n pki-ca
%files -n %{product_id}-ca
################################################################################
%license base/ca/LICENSE
@ -1252,7 +1259,7 @@ fi
%if %{with kra}
################################################################################
%files -n pki-kra
%files -n %{product_id}-kra
################################################################################
%license base/kra/LICENSE
@ -1264,7 +1271,7 @@ fi
%if %{with ocsp}
################################################################################
%files -n pki-ocsp
%files -n %{product_id}-ocsp
################################################################################
%license base/ocsp/LICENSE
@ -1276,7 +1283,7 @@ fi
%if %{with tks}
################################################################################
%files -n pki-tks
%files -n %{product_id}-tks
################################################################################
%license base/tks/LICENSE
@ -1288,7 +1295,7 @@ fi
%if %{with tps}
################################################################################
%files -n pki-tps
%files -n %{product_id}-tps
################################################################################
%license base/tps/LICENSE
@ -1310,17 +1317,17 @@ fi
%if %{with javadoc}
################################################################################
%files -n pki-javadoc
%files -n %{product_id}-javadoc
################################################################################
%{_javadocdir}/pki-%{version}/
%{_javadocdir}/pki/
# with javadoc
%endif
%if %{with console}
################################################################################
%files -n pki-console
%files -n %{product_id}-console
################################################################################
%license base/console/LICENSE
@ -1332,10 +1339,10 @@ fi
%if %{with theme}
################################################################################
%files -n %{vendor_id}-pki-server-theme
%files -n %{product_id}-server-theme
################################################################################
%license themes/%{vendor_id}/common-ui/LICENSE
%license themes/%{theme}/common-ui/LICENSE
%dir %{_datadir}/pki
%{_datadir}/pki/CS_SERVER_VERSION
%{_datadir}/pki/common-ui/
@ -1351,10 +1358,10 @@ fi
%if %{with console}
################################################################################
%files -n %{vendor_id}-pki-console-theme
%files -n %{product_id}-console-theme
################################################################################
%license themes/%{vendor_id}/console-ui/LICENSE
%license themes/%{theme}/console-ui/LICENSE
%{_javadir}/pki/pki-console-theme.jar
# with console
@ -1365,7 +1372,7 @@ fi
%if %{with tests}
################################################################################
%files -n pki-tests
%files -n %{product_id}-tests
################################################################################
%{_datadir}/pki/tests/
@ -1375,6 +1382,10 @@ fi
################################################################################
%changelog
* Thu Sep 30 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.6.beta1
- Rebase to PKI 11.0.0-beta1
- Bug #1999052 - pki instance creation fails for IPA server
* Thu Sep 09 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.5.alpha1
- Drop BuildRequires and Requires on glassfish-jaxb-api and jaxb-impl
Resolves #2002594
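Review bot: The new `%changelog` entry cites `Bug #1999052`, while the commit message resolves #2002989 and both added patches are titled for Bug 2001576; the entry should name the bug this build actually resolves so the package history can be traced to the fix. It also does not mention that the fix passes `-Dcom.redhat.fips=false` to the JVM, which is the line someone auditing FIPS hosts will look for; an entry such as `- Bug #2002989 - Pass -Dcom.redhat.fips=false to pki CLI and Java tools` would cover it. Separately, `admin-cert-p12.patch` appears to be replaced under `Patch1` with no changelog line; presumably it is already in the beta1 tarball, which is worth confirming.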


@ -1 +1 @@
SHA512 (pki-11.0.0-alpha1.tar.gz) = 7dd458897d63a2aaba7e8cf62f74537cc7ba7798b5a5f6df5b6b3bee15ff00e1f6397540a23556eb25e86da3562d9723f66a14c619c25014e542a664023769d5
SHA512 (pki-11.0.0-beta1.tar.gz) = 66762825f9120d65712e33708199be4f9951fe1328e924d134b89e47b440bb862b8bbfe1dfa025d1e532439324c4a46ca2fd0e2451fc433ff6d5c9a61613ed61