1495bf
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
1495bf
%global systemd 1
1495bf
%global	sysvinit 0
1495bf
%else
1495bf
%global systemd 0
1495bf
%global	sysvinit 1
1495bf
%endif
1495bf
1495bf
%if 0%{?fedora} > 15 && 0%{?fedora} < 20
1495bf
%global systemdsysv 1
1495bf
%else
1495bf
%global systemdsysv 0
1495bf
%endif
1495bf
1495bf
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
1495bf
%global tmpfiles 1
1495bf
%else
1495bf
%global tmpfiles 0
1495bf
%endif
1495bf
1495bf
%if 0%{?fedora} > 9 || 0%{?rhel} > 5
1495bf
%global sysvinitdir %{_initddir}
1495bf
%else
1495bf
%global sysvinitdir %{_initrddir}
1495bf
%endif
1495bf
1495bf
Name:		certmonger
1495bf
Version:	0.78.4
1495bf
Release:	12%{?dist}
1495bf
Summary:	Certificate status monitor and PKI enrollment client
1495bf
1495bf
Group:		System Environment/Daemons
1495bf
License:	GPLv3+
1495bf
URL:		https://pagure.io/certmonger/
1495bf
Source0:	https://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
1495bf
Source1:	https://releases.pagure.org/released/certmonger/certmonger-%{version}.tar.gz.sig
1495bf
BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
1495bf
1495bf
Patch0001:	0001-Stop-assuming-RSA-512-works.patch
1495bf
Patch0002:	0002-Stop-assuming-RSA-512-works-part-two.patch
1495bf
Patch0003:	0003-Add-issuer-request-option-for-specifying-issuer.patch
1495bf
Patch0004:	0004-Documentation-mark-CERTMONGER_CA_ISSUER-as-0.79.patch
1495bf
Patch0005:	0005-Comment-whitespace-fixup.patch
1495bf
Patch0006:	0006-ipa-submit-Retry-without-ca-on-OptionError.patch
1495bf
Patch0007:	0007-getcert-fix-a-potential-out-of-bounds.patch
1495bf
Patch0008:	0008-Document-the-X-option-in-the-ipa-submit-man-page.patch
1495bf
Patch0009:	0009-Fix-a-flakiness-in-the-028-dbus-test.patch
1495bf
Patch0010:	0010-Set-all-bits-to-1-in-local-CA-Basic-Constraint-to-se.patch
1495bf
Patch0011:	0011-Fix-conversions-of-bit-lengths-to-byte-lengths.patch
1495bf
Patch0012:	0012-Remove-trailing-CR-LF-when-reading-passwords-from-a-.patch
1495bf
Patch0013:	0013-Disable-the-10-iterate-tests-which-randomly-fail.patch
1495bf
Patch0014:	0014-MS-cert-template-add-D-Bus-property-and-storage.patch
1495bf
Patch0015:	0015-MS-cert-template-add-template-extension-to-CSR.patch
1495bf
Patch0016:	0016-MS-cert-template-add-option-to-command-line-programs.patch
1495bf
Patch0017:	0017-MS-cert-template-validate-argument.patch
1495bf
Patch0018:	0018-MS-cert-template-add-tests.patch
1495bf
Patch0019:	0019-Fix-C99-build-error-on-EL7-systems.patch
1495bf
Patch0020:	0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
1495bf
Patch0021:	0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch
1495bf
Patch0022:	0022-Allow-configuration-of-client-SCEP-algorithms.patch
1495bf
Patch0023:	0023-Updates-per-Feedback.patch
1495bf
Patch0024:	0024-Updated-tests.patch
1495bf
Patch0025:	0025-Add-cipher-and-digest-difference-messages.patch
1495bf
Patch0026:	0026-Document-key-cert-file-owner-and-mode-options.patch
1495bf
Patch0027:	0027-scep-correct-GetCAChain-to-GetCACertChain.patch
1495bf
Patch0028:	0028-No-message-ca-ident-from-GetCACaps-GetCACert-drop-Ge.patch
1495bf
Patch0029:	0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch
1495bf
1495bf
1495bf
Patch1001:	1001-Remove-rekey-feature.patch
1495bf
Patch1002:	1002-Fix-CA-option-name-for-ipa-cert-request.patch
1495bf
1495bf
BuildRequires:	openldap-devel
1495bf
BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
1495bf
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
1495bf
BuildRequires:  libuuid-devel
1495bf
%else
1495bf
BuildRequires:  e2fsprogs-devel
1495bf
%endif
1495bf
BuildRequires:	libtalloc-devel, libtevent-devel
1495bf
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
1495bf
BuildRequires:	libcurl-devel
1495bf
%else
1495bf
BuildRequires:	curl-devel
1495bf
%endif
1495bf
BuildRequires:	libxml2-devel, xmlrpc-c-devel
1495bf
%if 0%{?rhel} < 6
1495bf
BuildRequires:	bind-libbind-devel
1495bf
%endif
1495bf
# Required for 'make check':
1495bf
#  for diff and cmp
1495bf
BuildRequires:	diffutils
1495bf
#  for expect
1495bf
BuildRequires:	expect
1495bf
#  for mktemp, which was absorbed into coreutils at some point
1495bf
BuildRequires:	mktemp
1495bf
#  for certutil and pk12util
1495bf
BuildRequires:	nss-tools
1495bf
#  for openssl
1495bf
BuildRequires:	openssl
1495bf
#  for dbus-launch
1495bf
BuildRequires:	/usr/bin/dbus-launch
1495bf
#  for dos2unix
1495bf
BuildRequires:	/usr/bin/dos2unix
1495bf
BuildRequires:	/usr/bin/unix2dos
1495bf
#  for which
1495bf
BuildRequires:	/usr/bin/which
1495bf
#  for dbus tests
1495bf
BuildRequires:	dbus-python
1495bf
#  for popt or popt-devel, depending on the build environment
1495bf
BuildRequires: /usr/include/popt.h
1495bf
BuildRequires:  autoconf
1495bf
BuildRequires:  automake
1495bf
BuildRequires:  pkgconfig
1495bf
BuildRequires:  libtool
1495bf
BuildRequires:	gettext-devel
1495bf
1495bf
# we need a running system bus
1495bf
Requires:	dbus
1495bf
1495bf
# for killall in post script
1495bf
Requires:      psmisc
1495bf
1495bf
%if %{systemd}
1495bf
BuildRequires:	systemd-units
1495bf
Requires(post):	systemd-units
1495bf
Requires(preun):	systemd-units, dbus, sed
1495bf
Requires(postun):	systemd-units
1495bf
%endif
1495bf
1495bf
%if %{systemdsysv}
1495bf
Requires(post):	systemd-sysv
1495bf
%global systemdsysvsave \
1495bf
# Save the current service runlevel info, in case the user wants \
1495bf
# to apply the enabled status manually later, by running \
1495bf
#   "systemd-sysv-convert --apply certmonger". \
1495bf
%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
1495bf
%else
1495bf
%global systemdsysvsave %{nil}
1495bf
%endif
1495bf
1495bf
%if %{sysvinit}
1495bf
Requires(post):	/sbin/chkconfig, /sbin/service
1495bf
Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
1495bf
%endif
1495bf
1495bf
%if 0%{?fedora} >= 15
1495bf
# Certain versions of libtevent have incorrect internal ABI versions.
1495bf
Conflicts: libtevent < 0.9.13
1495bf
%endif
1495bf
1495bf
%description
1495bf
Certmonger is a service which is primarily concerned with getting your
1495bf
system enrolled with a certificate authority (CA) and keeping it enrolled.
1495bf
1495bf
%prep
1495bf
%autosetup -p1
1495bf
1495bf
%if 0%{?rhel} > 0
1495bf
# Enabled by default for RHEL for bug #765600, still disabled by default for
1495bf
# Fedora pending a similar bug report there.
1495bf
sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
1495bf
%endif
1495bf
1495bf
%build
1495bf
autoreconf -i -f
1495bf
%configure \
1495bf
%if %{systemd}
1495bf
	--enable-systemd \
1495bf
%endif
1495bf
%if %{sysvinit}
1495bf
	--enable-sysvinit=%{sysvinitdir} \
1495bf
%endif
1495bf
%if %{tmpfiles}
1495bf
	--enable-tmpfiles \
1495bf
%endif
1495bf
	--with-homedir=/var/run/certmonger \
1495bf
	--with-tmpdir=/var/run/certmonger --enable-pie --enable-now
1495bf
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
1495bf
# tell us about libxmlrpc_client, but we need more.  Work around.
1495bf
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
1495bf
1495bf
%install
1495bf
rm -rf $RPM_BUILD_ROOT
1495bf
make install DESTDIR=$RPM_BUILD_ROOT
1495bf
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests}
1495bf
install -m755 -d $RPM_BUILD_ROOT/var/run/certmonger
1495bf
%{find_lang} %{name}
1495bf
1495bf
%check
1495bf
make check
1495bf
1495bf
%clean
1495bf
rm -rf $RPM_BUILD_ROOT
1495bf
1495bf
%post
1495bf
if test $1 -eq 1 ; then
1495bf
	killall -HUP dbus-daemon 2>&1 > /dev/null
1495bf
fi
1495bf
%if %{systemd}
1495bf
if test $1 -eq 1 ; then
1495bf
	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
1495bf
fi
1495bf
%endif
1495bf
%if %{sysvinit}
1495bf
/sbin/chkconfig --add certmonger
1495bf
%endif
1495bf
1495bf
%triggerin -- certmonger < 0.58
1495bf
if test $1 -gt 1 ; then
1495bf
	# If the daemon is running, remove knowledge of the dogtag renewer.
1495bf
	objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`
1495bf
	if test -n "$objpath" ; then
1495bf
		dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
1495bf
	fi
1495bf
	# Remove the data file, in case it isn't running.
1495bf
	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
1495bf
		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
1495bf
			rm -f "$cafile"
1495bf
		fi
1495bf
	done
1495bf
fi
1495bf
exit 0
1495bf
1495bf
%postun
1495bf
%if %{systemd}
1495bf
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
1495bf
if [ $1 -ge 1 ] ; then
1495bf
	/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
1495bf
fi
1495bf
%endif
1495bf
%if %{sysvinit}
1495bf
if test $1 -gt 0 ; then
1495bf
	/sbin/service certmonger condrestart 2>&1 > /dev/null
1495bf
fi
1495bf
%endif
1495bf
exit 0
1495bf
1495bf
%preun
1495bf
%if %{systemd}
1495bf
if test $1 -eq 0 ; then
1495bf
	/bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :
1495bf
	/bin/systemctl stop certmonger.service > /dev/null 2>&1 || :
1495bf
fi
1495bf
%endif
1495bf
%if %{sysvinit}
1495bf
if test $1 -eq 0 ; then
1495bf
	/sbin/service certmonger stop 2>&1 > /dev/null
1495bf
	/sbin/chkconfig --del certmonger
1495bf
fi
1495bf
%endif
1495bf
exit 0
1495bf
1495bf
%if %{systemd}
1495bf
%triggerun -- certmonger < 0.43
1495bf
%{systemdsysvsave}
1495bf
# Do this because the old package's %%postun doesn't know we need to do it.
1495bf
/sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
1495bf
# Do this because the old package's %%postun wouldn't have tried.
1495bf
/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
1495bf
exit 0
1495bf
%endif
1495bf
1495bf
%files -f %{name}.lang
1495bf
%defattr(-,root,root,-)
1495bf
%doc README LICENSE STATUS doc/*.txt
1495bf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
1495bf
%{_datadir}/dbus-1/services/*
1495bf
%dir %{_sysconfdir}/certmonger
1495bf
%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
1495bf
%dir /var/run/certmonger
1495bf
%{_bindir}/*
1495bf
%{_sbindir}/certmonger
1495bf
%{_mandir}/man*/*
1495bf
%{_libexecdir}/%{name}
1495bf
%{_localstatedir}/lib/certmonger
1495bf
%if %{sysvinit}
1495bf
%{sysvinitdir}/certmonger
1495bf
%endif
1495bf
%if %{tmpfiles}
1495bf
%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
1495bf
%endif
1495bf
%if %{systemd}
1495bf
%{_unitdir}/*
1495bf
%{_datadir}/dbus-1/system-services/*
1495bf
%endif
1495bf
1495bf
%changelog
1495bf
* Wed Jul 31 2019 Rob Crittenden <rcritten@redhat.com> - 0.78.4-12
1495bf
- Add documentation for the '-N' option to the dogtag-ipa-renew-agent-submit
1495bf
  man page (#1651368)
1495bf
- SCEP: Don't set message=<ca ident> with GetCaps and GetCACert (#1608781)
1495bf
- SCEP operation GetCAChain is not valid. Should be GetCACertChain (#1590727)
1495bf
- Document owner and permission parameters to getcert (#1549585)
1495bf
1495bf
* Tue Feb 12 2019 Rob Crittenden <rcritten@redhat.com> - 0.78.4-11
1495bf
- Increase SCEP spec compliance, set more secure default cipher and hash.
1495bf
  (#1533216)
1495bf
1495bf
* Fri Aug 24 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-10
1495bf
- Backport patches to add support for the MS Certificate Template V2
1495bf
  extension (#1622184)
1495bf
1495bf
* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-9
1495bf
- Remove patch to pass _PROXY, _proxy, LANG and LC_* environment
1495bf
  variables to helpers. The root cause was a bug in IPA (#1596161)
1495bf
1495bf
* Tue Jul 17 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-8
1495bf
- Disable iterate-10 test which fails intermitently (#1596161)
1495bf
- Add BuildRequires for running autoreconf
1495bf
1495bf
* Tue Jul 17 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-7
1495bf
- Pass _PROXY, _proxy, LANG and LC_* environment variables to
1495bf
  helpers (#1596161)
1495bf
1495bf
* Tue May 29 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-6
1495bf
- Remove reference to unused patch
1495bf
1495bf
* Mon May 21 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-5
1495bf
- Add Requires on psmsic for killall in post script (#1458890)
1495bf
- upstream project migrated from fedorahosted.org to pagure.io (#1501723)
1495bf
- Strip CR/LF from passwords read from a file (#1545935)
1495bf
1495bf
* Mon Mar  5 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-4
1495bf
- Use required DER encoding when setting CA basic constraint (#1551635)
1495bf
- NSS 3.34 more strictly enforces length checking when verifying signatures
1495bf
  (#1551702)
1495bf
1495bf
* Tue Sep  6 2016 Jan Cholasta <jcholast@redhat.com> - 0.78.4-3
1495bf
- Resolves: #1367683 getcert request command fails to use Sub CA using -X
1495bf
  argument
1495bf
  - Fix CA option name for ipa cert-request
1495bf
1495bf
* Fri Jul  1 2016 Jan Cholasta <jcholast@redhat.com> - 0.78.4-2
1495bf
- Resolves: #1345755 Support for specifying IPA lightweight CA
1495bf
  - Add 'issuer' request option for specifying issuer
1495bf
  - Documentation: mark $CERTMONGER_CA_ISSUER as 0.79
1495bf
  - Comment/whitespace fixup
1495bf
  - ipa-submit: Retry without "ca" on OptionError
1495bf
  - getcert: fix a potential out-of-bounds
1495bf
  - Document the -X option in the ipa-submit man page
1495bf
- Resolves: #1351052 certmonger build for RHEL 7.3 failure
1495bf
  - Stop assuming RSA 512 works
1495bf
  - Stop assuming RSA 512 works, part two
1495bf
  - Fix a flakiness in the 028-dbus test
1495bf
1495bf
* Mon Aug 10 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.4-1
1495bf
- Resolves: #1249753 challenge password not added in csr using start-tracking
1495bf
- Resolves: #1250397 Remove certmonger rekey feature in 7.2
1495bf
  - Remove rekey feature
1495bf
- Related:  #1205756 Rebase certmonger to 0.77 or later
1495bf
  - Update to upstream 0.78.4
1495bf
1495bf
* Fri Jul 24 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.3-1
1495bf
- Resolves: #1244914 scep ca helper does not parse command line options
1495bf
  correctly
1495bf
- Related:  #1205756 Rebase certmonger to 0.77 or later
1495bf
  - Update to upstream 0.78.3
1495bf
1495bf
* Mon Jun 22 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.1-1
1495bf
- Resolves: #1140241 RFE: Add SCEP support to certmonger
1495bf
- Resolves: #1148001 ipa-getcert killed by SIGABRT
1495bf
- Resolves: #1205756 Rebase certmonger to 0.77 or later
1495bf
  - Update to upstream 0.78.1
1495bf
1495bf
* Tue Jan 13 2015 Jan Cholasta <jcholast@redhat.com> - 0.75.14-3
1495bf
- backport change from git to correctly retrieve string values from DBus
1495bf
  property interface replies (#1181022)
1495bf
1495bf
* Wed Nov 19 2014 Jan Cholasta <jcholast@redhat.com> - 0.75.14-2
1495bf
- backport dogtag-submit: accept additional options to pass to the server when
1495bf
  approving requests using agent creds (#1165155)
1495bf
1495bf
* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1
1495bf
- make pathname canonicalization slightly smarter, to handle ".." in
1495bf
  locations (#1131758)
1495bf
- updates to self-tests (#1144082)
1495bf
1495bf
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2
1495bf
- Rebuild for rpm bug 1131960
1495bf
1495bf
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1
1495bf
- add a missing test case file (whoops)
1495bf
1495bf
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1
1495bf
- correct encoding/decoding of variant-typed data which we receive and send
1495bf
  as part of the org.freedesktop.DBus.Properties interface over the bus, and
1495bf
  add some tests for them (based on patch from David Kupka, ticket #36)
1495bf
1495bf
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
1495bf
1495bf
* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1
1495bf
- when getcert is passed a -a flag, to indicate that CA root certificates
1495bf
  should be stored in the specified database, don't ignore locations which
1495bf
  don't include a storage scheme (#1129537)
1495bf
- when called to 'start-tracking' with the -a or -F flags, if we have
1495bf
  applicable certificates on-hand for a CA that we're either told to use
1495bf
  or which we decide is the correct one, save the certificates (#1129696)
1495bf
1495bf
* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1
1495bf
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
1495bf
  default.conf, and no "host" is set either, try to construct the server URI
1495bf
  using the "server" setting (#1126985)
1495bf
1495bf
* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1
1495bf
- avoid potential use-after-free after a CA is removed dynamically (thanks to
1495bf
  Keenan Brock) (#1125342)
1495bf
- add a "external-helper" property to CA objects
1495bf
1495bf
* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1
1495bf
- add a 'refresh' option to the getcert command
1495bf
- add a '-a' flag to the getcert command's 'refresh-ca' option
1495bf
1495bf
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2
1495bf
- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
1495bf
  conditionalized it so that it's ignored on newer releases, and make
1495bf
  whether or not we call systemd-sysv-convert in triggers depend on that,
1495bf
  too (#1104138)
1495bf
1495bf
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1
1495bf
- fix an inconsistency in how we parse cookie values returned by CA helpers,
1495bf
  in that single-line values would lose the end-of-line after a daemon
1495bf
  restart, but not before
1495bf
- handle timeout values and exit status values when calling CA helpers
1495bf
  in non-SUBMIT, non-POLL modes (#1118468)
1495bf
- rework how we save CA certificates so that we save CA certificates associated
1495bf
  with end-entity certificates when we save that end-entity certificate, which
1495bf
  requires running all of the involved pre- and post-save commands
1495bf
- drop package Requires: on systemd-sysv (#1104138)
1495bf
1495bf
* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1
1495bf
- avoid potential use-after-free and read overrun after a CA is added
1495bf
  dynamically (thanks to Jan Cholasta)
1495bf
1495bf
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1
1495bf
- documentation updates
1495bf
1495bf
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2
1495bf
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
1495bf
  when we detect certmonger versions prior to 0.58 being installed, to
1495bf
  avoid cases where some older versions choke on CAs with nicknames that
1495bf
  contain characters that can't legally be part of a D-Bus name (#948993)
1495bf
1495bf
* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1
1495bf
- fix creation and packaging of the "local" CA's data directory
1495bf
1495bf
* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1
1495bf
- read and cache whether or not we saw a noOCSPcheck extension in certificates
1495bf
- documentation updates
1495bf
1495bf
* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1
1495bf
- when generating keys using OpenSSL, if key generation fails, try
1495bf
  again with the default key size, in case we're in FIPS mode
1495bf
- documentation updates
1495bf
1495bf
* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1
1495bf
- log the state in 'getcert status' verbose mode
1495bf
1495bf
* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1
1495bf
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
1495bf
  commands, and add a non-waiting status command
1495bf
1495bf
* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1
1495bf
- make the trust settings we apply to CA-supplied certificates while
1495bf
  saving them to NSS databases run-time configurable
1495bf
- fix compiling against EL5-era OpenSSL
1495bf
- when saving CA certificates we pull from an IPA server, nickname
1495bf
  it using the realm name with " IPA CA" appended rather than just
1495bf
  naming it "IPA CA"
1495bf
- fix the local signer so that when it issues itself a new certificate,
1495bf
  it uses the same subject name
1495bf
- add a -w flag to getcert's request, resubmit, and start-tracking
1495bf
  commands, telling it to wait until either the certificate is issued,
1495bf
  we get to a state where we know that we won't be able to get one, or
1495bf
  we are waiting for a CA
1495bf
1495bf
* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1
1495bf
- add the "local" signer, a local toy CA that signs anything you'll
1495bf
  ask it to sign
1495bf
1495bf
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
1495bf
1495bf
* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1
1495bf
- fix self-test errors that we trigger with new OpenSSL
1495bf
- fix a build error that would sometimes happen when we're told to
1495bf
  build PIE binaries
1495bf
- quiet a compile warning
1495bf
1495bf
* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1
1495bf
- add some self-tests
1495bf
- simplify the internal submit-to-CA logic
1495bf
- fixes for more problems found through static analysis
1495bf
1495bf
* Tue Jun  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.92-1
1495bf
- retrieve CA information from CAs, if the helpers can do so, and
1495bf
  add a command to explicitly refresh that data: "getcert refresh-ca"
1495bf
- offer to save CA certificates to files and databases, when specified with
1495bf
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
1495bf
  trac #31)
1495bf
- add IP address subject alternate names when getcert request/resubmit
1495bf
  is passed the -A option (trac #35)
1495bf
- read and cache the freshestCRL extension in certificates
1495bf
- properly interpret KDC-unreachable errors encountered in the IPA
1495bf
  submission error as a server-unreachable error that we will retry,
1495bf
  rather than a misconfiguration error which we won't
1495bf
- don't let tests get tripped up by new formatting used in dos2unix status
1495bf
  messages (#1099080)
1495bf
- updated translations
1495bf
- be explicit that we are going to use bashisms in test scripts by calling
1495bf
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
1495bf
1495bf
* Thu Apr  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74-1
1495bf
- also save state when we exit due to SIGHUP
1495bf
- don't get tripped up when enrollment helpers hand us certificates which
1495bf
  include CRLF line terminators (ticket #25)
1495bf
- be tolerant of certificate issuer names, subject names, DNS, email, and
1495bf
  Kerberos principal namem subjectAltNames, and crl distribution point URLs
1495bf
  that contain newlines
1495bf
- read and cache the certificate template extension in certificates
1495bf
- enforce different minimum key sizes depending on the type of key we're
1495bf
  trying to generate
1495bf
- store DER versions of subject, issuer and template subject, if we have
1495bf
  them (Jan Cholasta, ticket #26)
1495bf
- when generating signing requests with subject names that don't quite parse
1495bf
  as subject names, encode what we're given as PrintableString rather than
1495bf
  as a UTF8String
1495bf
- always chdir() to a known location at startup, even if we're not becoming
1495bf
  a daemon
1495bf
- fix a couple of memory leaks (static analysis)
1495bf
- add missing buildrequires: on which
1495bf
1495bf
* Thu Feb 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.73-1
1495bf
- updates to 0.73
1495bf
  - getcert no longer claims to be stuck when a CA is unreachable,
1495bf
    because the daemon isn't actually stuck
1495bf
1495bf
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- updates to 0.73
1495bf
  - also pass the key type to enrollment helpers in the environment as
1495bf
    a the value of "CERTMONGER_KEY_TYPE"
1495bf
1495bf
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
1495bf
  where it belongs (#1180978)
1495bf
1495bf
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- updates for 0.73
1495bf
  - set the flag to encode EC public key parameters using named curves
1495bf
    instead of the default of all-the-details when using OpenSSL
1495bf
  - don't break when NSS supports secp521r1 but OpenSSL doesn't
1495bf
  - also pass the CA nickname to enrollment helpers in the environment as
1495bf
    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
1495bf
    when reading configuration settings
1495bf
  - also pass the SPKAC value to enrollment helpers in the environment as
1495bf
    a base64 value in "CERTMONGER_SPKAC"
1495bf
  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
1495bf
    in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16)
1495bf
  - when generating signing requests using NSS, be more accommodating of
1495bf
    requested subject names that don't parse properly
1495bf
1495bf
* Mon Feb  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.72-1
1495bf
- update to 0.72
1495bf
  - support generating DSA parameters and keys on sufficiently-new OpenSSL
1495bf
    and NSS
1495bf
  - support generating EC keys when OpenSSL and NSS support it, using key
1495bf
    size to select the curve to use from among secp256r1, secp384r1,
1495bf
    secp521r1 (which are the ones that are usually available, though
1495bf
    secp521r1 isn't always, even if the other two are)
1495bf
  - stop trying to cache public key parameters at all and instead cache public
1495bf
    key info properly
1495bf
  - encode the friendlyName attribute in signing requests as a BMPString,
1495bf
    not as a PrintableString
1495bf
  - catch more filesystem permissions problems earlier (more of #996581)
1495bf
1495bf
* Mon Jan 27 2014 Nalin Dahyabhai <nalin@redhat.com> 0.71-1
1495bf
- check for cases where we fail to allocate memory while reading a request
1495bf
  or CA entry from disk (John Haxby)
1495bf
- only handle one watch at a time, which should avoid abort() during
1495bf
  attempts to reconnect to the message bus after losing our connection
1495bf
  to it (#1055521)
1495bf
1495bf
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.70-2
1495bf
- Mass rebuild 2014-01-24
1495bf
1495bf
* Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> 0.70-1
1495bf
- add a --with-homedir option to configure, and use it, since subprocesses
1495bf
  which we run and which use NSS may attempt to write to $HOME/.pki, and
1495bf
  0.69's strategy of setting that to "/" was rightly hitting SELinux policy
1495bf
  denials (#1047798)
1495bf
1495bf
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.69-2
1495bf
- Mass rebuild 2013-12-27
1495bf
1495bf
* Mon Dec  9 2013 Nalin Dahyabhai <nalin@redhat.com> 0.69-1
1495bf
- tweak how we decide whether we're on the master or a minion when we're
1495bf
  told to use certmaster as a CA
1495bf
- clean up one of the tests so that it doesn't have to work around internal
1495bf
  logging producing duplicate messages
1495bf
- when logging errors while setting up to contact xmlrpc servers, explicitly
1495bf
  note that the error is client-side
1495bf
- don't abort() due to incorrect locking when an attempt to save an issued
1495bf
  certificate to the designated location fails (part of #1032760/#1033333,
1495bf
  ticket #22)
1495bf
- when reading an issued certificate from an enrollment helper, ignore
1495bf
  noise before or after the certificate itself (more of #1032760/1033333,
1495bf
  ticket #22)
1495bf
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
1495bf
  ticket #22)
1495bf
- clear the ca-error that we saved when we had an error talking to the CA if we
1495bf
  subsequently succeed in talking to the CA
1495bf
- various other static-analysis fixes
1495bf
1495bf
* Thu Aug 29 2013 Nalin Dahyabhai <nalin@redhat.com> 0.68-1
1495bf
- notice when the OpenSSL RNG isn't seeded
1495bf
- notice when saving certificates or keys fails due to filesystem-related
1495bf
  permission denial (#996581)
1495bf
1495bf
* Tue Aug  6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-3
1495bf
- pull up a patch from master to adapt self-tests to certutil's diagnostic
1495bf
  output having changed (#992050)
1495bf
1495bf
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.67-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
1495bf
1495bf
* Mon Mar 11 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-1
1495bf
- when saving certificates to NSS databases, try to preserve the trust
1495bf
  value assigned to a previously-present certificate with the same nickname
1495bf
  and subject, if one is found
1495bf
- when saving certificates to NSS databases, also prune certificates from
1495bf
  the database which have both the same nickname and subject as the one
1495bf
  we're adding, to avoid tripping up tools that only fetch one certificate
1495bf
  by nickname
1495bf
1495bf
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.65-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
1495bf
1495bf
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.66-1
1495bf
- build as position-independent executables with early binding (#883966)
1495bf
- also don't tag the unit file as a configuration file (internal tooling)
1495bf
1495bf
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-2
1495bf
- don't tag the D-Bus session .service file as a configuration file (internal
1495bf
  tooling)
1495bf
1495bf
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-1
1495bf
- fix a crash in the self-tests
1495bf
1495bf
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.64-1
1495bf
- at startup, if we resume the state machine for a given certificate to a state
1495bf
  which expects to have the newly-added lock already acquired, acquire it
1495bf
  before moving on with the certificate's work (still aimed at fixing #883484)
1495bf
1495bf
* Tue Dec 18 2012 Nalin Dahyabhai <nalin@redhat.com> 0.63-1
1495bf
- serialize access to NSS databases and the running of pre- and post-save
1495bf
  commands which might also access them (possibly fixing part of #883484)
1495bf
1495bf
* Thu Nov 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.62-1
1495bf
- add a -u flag to getcert to enable requesting a keyUsage extension value
1495bf
- request subjectKeyIdentifier extensions from CAs, and include them in
1495bf
  self-signed certificates
1495bf
- request basicConstraints from CAs, defaulting to requests for end-entity
1495bf
  certificates
1495bf
- when requesting CA certificates, also request authorityKeyIdentifier
1495bf
- add support for requesting CRL distribution point and authorityInfoAccess
1495bf
  extensions that specify OCSP responder locations
1495bf
- don't crash when OpenSSL can't build a template certificate from a request
1495bf
  when we're in FIPS mode
1495bf
- put NSS in FIPS mode, when the system booted that way, except when we're
1495bf
  trying to write certificates to a database
1495bf
- fix CSR generation and self-signing in FIPS mode with NSS
1495bf
- fix self-signing in FIPS mode with OpenSSL
1495bf
- new languages from the translation team: mai, ml, nn, ga
1495bf
1495bf
* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
1495bf
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
1495bf
  self-signing using OpenSSL
1495bf
- backport another change from git to represent this as a CA-rejected error
1495bf
1495bf
* Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
1495bf
- fix a regression in reading old request tracking files where the
1495bf
  request was in state NEED_TO_NOTIFY or NOTIFYING
1495bf
1495bf
* Wed Sep  5 2012 Nalin Dahyabhai <nalin@redhat.com> 0.60-1
1495bf
- adjust internals of logic for talking to dogtag to at least have a
1495bf
  concept of non-agent cases
1495bf
- when talking to an IPA server's internal Dogtag instance, infer which
1495bf
  ports the CA is listening on from the "dogtag_version" setting in the
1495bf
  IPA configuration (Ade Lee)
1495bf
- send a notification (or log a message, whatever) when we save a new
1495bf
  certificate (#766167)
1495bf
1495bf
* Mon Jul 30 2012 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- fix a bad %%preun scriptlet
1495bf
1495bf
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.59-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
1495bf
1495bf
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.59-1
1495bf
- mostly documentation updates
1495bf
1495bf
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.58-1
1495bf
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
1495bf
  an IPA server's internal Dogtag instance
1495bf
- export the requested profile and old certificate to enrollment helpers
1495bf
- make libxml and libcurl into hard build-time requirements
1495bf
- serialize all pre/save/post sequences to make sure that stop/save/start
1495bf
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
1495bf
  a service while we muck with more than one of its certificates
1495bf
1495bf
* Fri Jun 15 2012 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- add a command option (-T) to getcert for specifying which enrollment
1495bf
  profile to tell a CA that we're using, in case it cares (#10)
1495bf
1495bf
* Thu Jun 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.57-1
1495bf
- clarify that the command passed to getcert -C is a "post"-save command
1495bf
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
1495bf
- after we notify of an impending not-valid-after approaching, don't do it
1495bf
  again immediately
1495bf
1495bf
* Sat Mar  3 2012 Nalin Dahyabhai <nalin@redhat.com> 0.56-1
1495bf
- when a caller sets the is-default flag on a CA, and another CA is no longer
1495bf
  the default, emit the PropertiesChanged signal on the CA which is not the
1495bf
  default, instead on the new default a second time
1495bf
- drop some dead code from the D-Bus message handlers (static analysis,
1495bf
  #796813)
1495bf
- cache public keys when we read private keys
1495bf
- go back to printing an error indicating that we're missing a required
1495bf
  argument when we're missing a required argument, not that the option is
1495bf
  invalid (broken since 0.51, #796542)
1495bf
1495bf
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.55-1
1495bf
- allow root to use our implementation of org.freedesktop.DBus.Properties
1495bf
- take more care to not emit useless PropertiesChanged signals
1495bf
1495bf
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.54-1
1495bf
- fix setting the group ID when spawning the post-save command
1495bf
1495bf
* Tue Feb 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.53-1
1495bf
- large changes to the D-Bus glue, exposing a lot of data which we were
1495bf
  providing via D-Bus getter methods as properties, and providing more
1495bf
  accurate introspection data
1495bf
- emit a signal when the daemon saves a certificate to the destination
1495bf
  location, and provide an option to have the daemon spawn an arbitrary
1495bf
  command at that point, too (#766167)
1495bf
- enable starting the service by default on RHEL (#765600)
1495bf
1495bf
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.52-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
1495bf
1495bf
* Fri Dec 16 2011 Nalin Dahyabhai <nalin@redhat.com> 0.52-1
1495bf
- note that SELinux usually confines us to writing only to cert_t in
1495bf
  doc/getting-started.txt (#765599)
1495bf
- fix crashes when we add a request during our first run when we're
1495bf
  populating the hard-coded CA list
1495bf
- properly deal with cases where a path is passed to us is "./XXX"
1495bf
- in session mode, create our data directories as we go
1495bf
1495bf
* Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 0.51-1
1495bf
- api: lift restrictions on characters used in request and CA nicknames by
1495bf
  making their object names not incorporate their nicknames
1495bf
- api: add find_request_by_nickname and find_ca_by_nickname
1495bf
- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K
1495bf
- getcert: print "invalid option" error messages ourselves (#756291)
1495bf
- ipa-submit: supply a Referer: header when submitting requests to IPA
1495bf
  (#750617, needed for #747710)
1495bf
1495bf
* Fri Oct 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.50-1
1495bf
- really fix these this time:
1495bf
 - getcert: error out when "list -c" finds no matching CA (#743488)
1495bf
 - getcert: error out when "list -i" finds no matching request (#743485)
1495bf
1495bf
* Wed Oct 12 2011 Nalin Dahyabhai <nalin@redhat.com> 0.49-1
1495bf
- when using an NSS database, skip loading the module database (#743042)
1495bf
- when using an NSS database, skip loading root certs
1495bf
- generate SPKAC values when generating CSRs, though we don't do anything
1495bf
  with SPKAC values yet
1495bf
- internally maintain and use challenge passwords, if we have them
1495bf
- behave better when certificates have shorter lifetimes
1495bf
- add/recognize/handle notification type "none"
1495bf
- getcert: error out when "list -c" finds no matching CA (#743488)
1495bf
- getcert: error out when "list -i" finds no matching request (#743485)
1495bf
1495bf
* Thu Sep 29 2011 Nalin Dahyabhai <nalin@redhat.com> 0.48-1
1495bf
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated
1495bf
  array (#742348)
1495bf
1495bf
* Tue Sep 27 2011 Nalin Dahyabhai <nalin@redhat.com> 0.47-1
1495bf
- getcert: distinguish between {stat() succeeds but isn't a directory} and
1495bf
  {stat() failed} when printing an error message (#739903)
1495bf
- getcert resubmit/start-tracking: when we're looking for an existing request
1495bf
  by ID, and we don't find one, note that specifically (#741262)
1495bf
1495bf
* Mon Aug 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 0.46-1.1
1495bf
- Rebuild against fixed libtevent version
1495bf
1495bf
* Mon Aug 15 2011 Nalin Dahyabhai <nalin@redhat.com> 0.46-1
1495bf
- treat the ability to access keys in an NSS database without using a PIN,
1495bf
  when we've been told we need one, as an error (#692766, really this time)
1495bf
1495bf
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.45-1
1495bf
- modify the systemd .service file to be a proper 'dbus' service (more
1495bf
  of #718172)
1495bf
1495bf
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.44-1
1495bf
- check specifically for cases where a specified token that we need to
1495bf
  use just isn't present for whatever reason (#697058)
1495bf
1495bf
* Wed Aug 10 2011 Nalin Dahyabhai <nalin@redhat.com> 0.43-1
1495bf
- add a -K option to ipa-submit, to use the current ccache, which makes
1495bf
  it easier to test
1495bf
1495bf
* Fri Aug  5 2011 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
1495bf
  it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
1495bf
1495bf
* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com>
1495bf
- treat the ability to access keys in an NSS database without using a PIN,
1495bf
  when we've been told we need one, as an error (#692766)
1495bf
- when handling "getcert resubmit" requests, if we don't have a key yet,
1495bf
  make sure we go all the way back to generating one (#694184)
1495bf
- getcert: try to clean up tests for NSS and PEM file locations (#699059)
1495bf
- don't try to set reconnect-on-exit policy unless we managed to connect
1495bf
  to the bus (#712500)
1495bf
- handle cases where we specify a token but the storage token isn't
1495bf
  known (#699552)
1495bf
- getcert: recognize -i and storage options to narrow down which requests
1495bf
  the user wants to know about (#698772)
1495bf
- output hints when the daemon has startup problems, too (#712075)
1495bf
- add flags to specify whether we're bus-activated or not, so that we can
1495bf
  exit if we have nothing to do after handling a request received over
1495bf
  the bus if some specified amount of time has passed
1495bf
- explicitly disallow non-root access in the D-Bus configuration (#712072)
1495bf
- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
1495bf
- fix a couple of incorrect calls to talloc_asprintf() (#721392)
1495bf
1495bf
* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.42-1
1495bf
- getcert: fix a buffer overrun preparing a request for the daemon when
1495bf
  there are more parameters to encode than space in the array (#696185)
1495bf
- updated translations: de, es, id, pl, ru, uk
1495bf
1495bf
* Mon Apr 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.41-1
1495bf
- read information about the keys we've just generated before proceeding
1495bf
  to generating a CSR (part of #694184, part of #695675)
1495bf
- when processing a "resubmit" request from getcert, go back to key
1495bf
  generation if we don't have keys yet, else go back to CSR generation as
1495bf
  before (#694184, #695675)
1495bf
- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
1495bf
  (#687899), and add a systemd tmpfiles.d control file for creating
1495bf
  /var/run/certmonger on Fedora 15 and later
1495bf
- let session instances exit when they get disconnected from the bus
1495bf
- use a lock file to make sure there's only one session instance messing
1495bf
  around with the user's files at a time
1495bf
- fix errors saving certificates to NSS databases when there's already a
1495bf
  certificate there with the same nickname (#695672)
1495bf
- make key and certificate location output from 'getcert list' more properly
1495bf
  translatable (#7)
1495bf
1495bf
* Mon Mar 28 2011 Nalin Dahyabhai <nalin@redhat.com> 0.40-1
1495bf
- update to 0.40
1495bf
  - fix validation check on EKU OIDs in getcert (#691351)
1495bf
  - get session bus mode sorted
1495bf
  - add a list of recognized EKU values to the getcert-request man page
1495bf
1495bf
* Fri Mar 25 2011 Nalin Dahyabhai <nalin@redhat.com> 0.39-1
1495bf
- update to 0.39
1495bf
  - fix use of an uninitialized variable in the xmlrpc-based submission
1495bf
    helpers (#690886)
1495bf
1495bf
* Thu Mar 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.38-1
1495bf
- update to 0.38
1495bf
  - catch cases where we can't read a PIN file, but we never have to log
1495bf
    in to the token to access the private key (more of #688229)
1495bf
1495bf
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.37-1
1495bf
- update to 0.37
1495bf
  - be more careful about checking if we can read a PIN file successfully
1495bf
    before we even call an API that might need us to try (#688229)
1495bf
  - fix strict aliasing warnings
1495bf
1495bf
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.36-1
1495bf
- update to 0.36
1495bf
  - fix some use-after-free bugs in the daemon (#689776)
1495bf
  - fix a copy/paste error in certmonger-ipa-submit(8)
1495bf
  - getcert now suppresses error details when not given its new -v option
1495bf
    (#683926, more of #681641/#652047)
1495bf
  - updated translations
1495bf
    - de, es, pl, ru, uk
1495bf
    - indonesian translation is now for "id" rather than "in"
1495bf
1495bf
* Wed Mar  2 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35.1-1
1495bf
- fix a self-test that broke because one-year-from-now is now a day's worth
1495bf
  of seconds further out than it was a few days ago
1495bf
1495bf
* Mon Feb 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35-1
1495bf
- update to 0.35
1495bf
  - self-test fixes to rebuild properly in mock (#670322)
1495bf
1495bf
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.34-2
1495bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
1495bf
1495bf
* Fri Jan 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.34-1
1495bf
- update to 0.34
1495bf
  - explicitly note the number of requests we're tracking in the output of
1495bf
    "getcert list" (#652049)
1495bf
  - try to offer some suggestions when we get certain specific errors back
1495bf
    in "getcert" (#652047)
1495bf
  - updated translations
1495bf
    - es
1495bf
1495bf
* Thu Dec 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.33-1
1495bf
- update to 0.33
1495bf
  - new translations
1495bf
    - id by Okta Purnama Rahadian!
1495bf
  - updated translations
1495bf
    - pl, uk
1495bf
  - roll up assorted fixes for defects
1495bf
1495bf
* Fri Nov 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-2
1495bf
- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
1495bf
  not part of util-linux-ng
1495bf
1495bf
* Wed Oct 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-1
1495bf
- oops, rfc5280 says we shouldn't be populating unique identifiers, so
1495bf
  make it a configuration option and default the behavior to off
1495bf
1495bf
* Tue Oct 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.31-1
1495bf
- start populating the optional unique identifier fields in self-signed
1495bf
  certificates
1495bf
1495bf
* Thu Sep 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-4
1495bf
- explicitly require "dbus" to try to ensure we have a running system bus
1495bf
  when we get started (#639126)
1495bf
1495bf
* Wed Sep 29 2010 jkeating - 0.30-3
1495bf
- Rebuilt for gcc bug 634757
1495bf
1495bf
* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-2
1495bf
- try to SIGHUP the messagebus daemon at first install so that it'll
1495bf
  let us claim our service name if it isn't restarted before we are
1495bf
  first started (#636876)
1495bf
1495bf
* Wed Aug 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-1
1495bf
- update to 0.30
1495bf
  - fix errors computing the time at the end of an interval that were
1495bf
    caught by self-tests
1495bf
1495bf
* Mon Aug 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.29-1
1495bf
- update to 0.29
1495bf
  - fix 64-bit cleanliness issue using libdbus
1495bf
  - actually include the full set of tests in tarballs
1495bf
1495bf
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.28-1
1495bf
- update to 0.28
1495bf
  - fix self-signing certificate notBefore and notAfter values on 32-bit
1495bf
    machines
1495bf
1495bf
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.27-1
1495bf
- update to 0.27
1495bf
  - portability and test fixes
1495bf
1495bf
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.26-1
1495bf
- update to 0.26
1495bf
  - when canceling a submission request that's being handled by a helper,
1495bf
    reap the child process's status after killing it (#624120)
1495bf
1495bf
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.25-1
1495bf
- update to 0.25
1495bf
  - new translations
1495bf
    - in by Okta Purnama Rahadian!
1495bf
  - fix detection of cases where we can't access a private key in an NSS
1495bf
    database because we don't have the PIN
1495bf
  - teach '*getcert start-tracking' about the -p and -P options which the
1495bf
    '*getcert request' commands already understand (#621670), and also
1495bf
    the -U, -K, -E, and -D flags
1495bf
  - double-check that the nicknames of keys we get back from
1495bf
    PK11_ListPrivKeysInSlot() match the desired nickname before accepting
1495bf
    them as matches, so that our tests won't all blow up on EL5
1495bf
  - fix dynamic addition and removal of CAs implemented through helpers
1495bf
1495bf
* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-4
1495bf
- init script: ensure that the subsys lock is created whenever we're called to
1495bf
  "start" when we're already running (even more of #596719)
1495bf
1495bf
* Tue Jun 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-3
1495bf
- more gracefully handle manual daemon startups and cleaning up of unexpected
1495bf
  crashes (still more of #596719)
1495bf
1495bf
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-2
1495bf
- don't create the daemon pidfile until after we've connected to the D-Bus
1495bf
  (still more of #596719)
1495bf
1495bf
* Tue Jun  8 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-1
1495bf
- update to 0.24
1495bf
  - keep the lock on the pid file, if we have one, when we fork, and cancel
1495bf
    daemon startup if we can't gain ownership of the lock (the rest of #596719)
1495bf
  - make the man pages note which external configuration files we consult when
1495bf
    submitting requests to certmaster and ipa CAs
1495bf
1495bf
* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.23-1
1495bf
- update to 0.23
1495bf
  - new translations
1495bf
    - pl by Piotr Drąg!
1495bf
  - cancel daemon startup if we can't gain ownership of our well-known
1495bf
    service name on the DBus (#596719)
1495bf
1495bf
* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.22-1
1495bf
- update to 0.22
1495bf
  - new translations
1495bf
    - de by Fabian Affolter!
1495bf
  - certmaster-submit: don't fall over when we can't find a certmaster.conf
1495bf
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
1495bf
  - when reading extension values from certificates, prune out duplicate
1495bf
    principal names, email addresses, and hostnames
1495bf
1495bf
* Tue May  4 2010 Nalin Dahyabhai <nalin@redhat.com> 0.21-1
1495bf
- update to 0.21
1495bf
  - getcert/*-getcert: relay the desired CA to the local service, whether
1495bf
    specified on the command line (in getcert) or as a built-in hard-wired
1495bf
    default (in *-getcert) (#584983)
1495bf
  - flesh out the default certmonger.conf so that people can get a feel for
1495bf
    the expected formatting (Jenny Galipeau)
1495bf
1495bf
* Wed Apr 21 2010 Nalin Dahyabhai <nalin@redhat.com> 0.20-1
1495bf
- update to 0.20
1495bf
  - correctly parse certificate validity periods given in years (spotted by
1495bf
    Stephen Gallagher)
1495bf
  - setup for translation
1495bf
    - es by Héctor Daniel Cabrera!
1495bf
    - ru by Yulia Poyarkova!
1495bf
    - uk by Yuri Chornoivan!
1495bf
  - fix unpreprocessed defaults in certmonger.conf's man page
1495bf
  - tweak the IPA-specific message that indicates a principal name also needs
1495bf
    to be specified if we're not using the default subject name (#579542)
1495bf
  - make the validity period of self-signed certificates into a configuration
1495bf
    setting and not a piece of the state information we track about the signer
1495bf
  - init script: exit with status 2 instead of 1 when invoked with an
1495bf
    unrecognized argument (#584517)
1495bf
1495bf
* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.19-1
1495bf
- update to 0.19
1495bf
  - correctly initialize NSS databases that need to be using a PIN
1495bf
  - add certmonger.conf, for customizing notification timings and settings,
1495bf
    and use of digests other than the previously-hard-coded SHA256, and
1495bf
    drop those settings from individual requests
1495bf
  - up the default self-sign validity interval from 30 days to 365 days
1495bf
  - drop the first default notification interval from 30 days to 28 days
1495bf
    (these two combined to create a fun always-reissuing loop earlier)
1495bf
  - record the token which contains the key or certificate when we're
1495bf
    storing them in an NSS database, and report it
1495bf
  - improve handling of cases where we're supposed to use a PIN but we
1495bf
    either don't have one or we have the wrong one
1495bf
  - teach getcert to accept a PIN file's name or a PIN value when adding
1495bf
    a new entry
1495bf
  - update the IPA submission helper to use the new 'request_cert' signature
1495bf
    that's landing soon
1495bf
  - more tests
1495bf
1495bf
* Fri Feb 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.18-1
1495bf
- update to 0.18
1495bf
  - add support for using encrypted storage for keys, using PIN values
1495bf
    supplied directly or read from files whose names are supplied
1495bf
  - don't choke on NSS database locations that use the "sql:" or "dbm:"
1495bf
    prefix
1495bf
1495bf
* Mon Jan 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-2
1495bf
- make the D-Bus configuration file (noreplace) (#541072)
1495bf
- make the %%check section and the deps we have just for it conditional on
1495bf
  the same macro (#541072)
1495bf
1495bf
* Wed Jan  6 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-1
1495bf
- update to 0.17
1495bf
  - fix a hang in the daemon (Rob Crittenden)
1495bf
  - documentation updates
1495bf
  - fix parsing of submission results from IPA (Rob Crittenden)
1495bf
1495bf
* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.16-1
1495bf
- update to 0.16
1495bf
  - set a umask at startup (Dan Walsh)
1495bf
1495bf
* Tue Dec  8 2009 Nalin Dahyabhai <nalin@redhat.com> 0.15-1
1495bf
- update to 0.15
1495bf
  - notice that a directory with a trailing '/' is the same location as the
1495bf
    directory without it
1495bf
  - fix handling of the pid file when we write one (by actually giving it
1495bf
    contents)
1495bf
1495bf
* Wed Nov 25 2009 Nalin Dahyabhai <nalin@redhat.com> 0.14-1
1495bf
- update to 0.14
1495bf
  - check key and certificate location at add-time to make sure they're
1495bf
    absolute paths to files or directories, as appropriate
1495bf
  - IPA: dig into the 'result' item if the named result value we're looking
1495bf
    for isn't in the result struct
1495bf
1495bf
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.13-1
1495bf
- update to 0.13
1495bf
  - change the default so that we default to trying to auto-refresh
1495bf
    certificates unless told otherwise
1495bf
  - preemptively enforce limitations on request nicknames so that they
1495bf
    make valid D-Bus object path components
1495bf
1495bf
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.12-1
1495bf
- update to 0.12
1495bf
  - add a crucial bit of error reporting when CAs reject our requests
1495bf
  - count the number of configured CAs correctly
1495bf
1495bf
* Mon Nov 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.11-1
1495bf
- update to 0.11
1495bf
  - add XML-RPC submission for certmaster and IPA
1495bf
  - prune entries with duplicate names from the data store
1495bf
1495bf
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.10-1
1495bf
- update to 0.10
1495bf
  - add some compiler warnings and then fix them
1495bf
1495bf
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.9-1
1495bf
- update to 0.9
1495bf
  - run external submission helpers correctly
1495bf
  - fix signing of signing requests generated for keys stored in files
1495bf
  - only care about new interface and route notifications from netlink,
1495bf
    and ignore notifications that don't come from pid 0
1495bf
  - fix logic for determining expiration status
1495bf
  - correct the version number in self-signed certificates
1495bf
1495bf
* Tue Nov 10 2009 Nalin Dahyabhai <nalin@redhat.com> 0.8-1
1495bf
- update to 0.8
1495bf
  - encode windows UPN values in requests correctly
1495bf
  - watch for netlink routing changes and restart stalled submission requests
1495bf
  - 'getcert resubmit' can force a regeneration of the CSR and submission
1495bf
1495bf
* Fri Nov  6 2009 Nalin Dahyabhai <nalin@redhat.com> 0.7-1
1495bf
- update to 0.7
1495bf
  - first cut at a getting-started document
1495bf
  - refactor some internal key handling with NSS
1495bf
  - check for duplicate request nicknames at add-time
1495bf
1495bf
* Tue Nov  3 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6-1
1495bf
- update to 0.6
1495bf
  - man pages
1495bf
  - 'getcert stop-tracking' actually makes the server forget now
1495bf
  - 'getcert request -e' was redundant, dropped the -e option
1495bf
  - 'getcert request -i' now sets the request nickname
1495bf
  - 'getcert start-tracking -i' now sets the request nickname
1495bf
1495bf
* Mon Nov  2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.5-1
1495bf
- update to 0.5
1495bf
  - packaging fixes
1495bf
  - add a selfsign-getcert client
1495bf
  - self-signed certs now get basic constraints and their own serial numbers
1495bf
  - accept id-ms-kp-sc-logon as a named EKU value in a request
1495bf
1495bf
* Thu Oct 29 2009 Nalin Dahyabhai <nalin@redhat.com> 0.4-1
1495bf
- update to 0.4
1495bf
1495bf
* Thu Oct 22 2009 Nalin Dahyabhai <nalin@redhat.com> 0.1-1
1495bf
- update to 0.1
1495bf
1495bf
* Sun Oct 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.0-1
1495bf
- initial package