diff --git a/.certmonger.metadata b/.certmonger.metadata
index f48d9d2..c02a279 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-ad584e16e8d457e97ddff8049411cdc45dc5122f SOURCES/certmonger-0.70.tar.gz
+b5c636304b1d31d110d6f4fba03f9b100ad6aafa SOURCES/certmonger-0.75.14.tar.gz
diff --git a/.gitignore b/.gitignore
index d27ab9f..d2881f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.70.tar.gz
+SOURCES/certmonger-0.75.14.tar.gz
diff --git a/SOURCES/certmonger-0.70.tar.gz.sig b/SOURCES/certmonger-0.70.tar.gz.sig
deleted file mode 100644
index 3b12651..0000000
Binary files a/SOURCES/certmonger-0.70.tar.gz.sig and /dev/null differ
diff --git a/SOURCES/certmonger-0.75.14.tar.gz.sig b/SOURCES/certmonger-0.75.14.tar.gz.sig
new file mode 100644
index 0000000..18eae39
Binary files /dev/null and b/SOURCES/certmonger-0.75.14.tar.gz.sig differ
diff --git a/SOURCES/certmonger-dbus-string-properties.patch b/SOURCES/certmonger-dbus-string-properties.patch
new file mode 100644
index 0000000..c7d96eb
--- /dev/null
+++ b/SOURCES/certmonger-dbus-string-properties.patch
@@ -0,0 +1,91 @@ +From fa734ee402ee1f41281ac89c3a376b24ae7e9112 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Wed, 7 Jan 2015 21:34:15 -0500 +Subject: [PATCH] Retrieve string value from DBus property interface reply + correctly. + +org.freedesktop.DBus.Properties.Get method always returns variant data type. +The basic type inside it can't be accessed directly. +--- + src/getcert.c | 2 +- + src/tdbusm.c | 38 ++++++++++++++++++++++++++++++++++++++ + src/tdbusm.h | 1 + + 3 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/src/getcert.c b/src/getcert.c +index 5ea5e538e5f3beb840f88e6dbe21957b155b873b..8b2cb8a937947ca3d932cc9405a82c90acefabb3 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -474,7 +474,7 @@ query_prop_s(enum cm_tdbus_type which, + DBusMessage *rep; + char *s; + rep = query_prop(which, path, interface, prop, verbose); +- if (cm_tdbusm_get_s(rep, parent, &s) != 0) { ++ if (cm_tdbusm_get_vs(rep, parent, &s) != 0) { + s = ""; + } + dbus_message_unref(rep); +diff --git a/src/tdbusm.c b/src/tdbusm.c +index dd3e800d1a5f2fe9c2d7feff3e3938a6adb4c1ab..f7aaea82e20994a7382518153980e14fb0405453 100644 +--- a/src/tdbusm.c ++++ b/src/tdbusm.c +@@ -175,6 +175,44 @@ cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p) + } + + int ++cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s) ++{ ++ DBusError err; ++ DBusMessageIter iter, sub_iter; ++ ++ *s = NULL; ++ dbus_error_init(&err); ++ ++ if (dbus_message_iter_init(msg, &iter) == FALSE) { ++ if (dbus_error_is_set(&err)) { ++ cm_log(3, "DBus error: %s", err.message); ++ dbus_error_free(&err); ++ } else { ++ cm_log(3, "Unknown DBus error."); ++ } ++ return -1; ++ } ++ ++ if (dbus_message_iter_get_arg_type(&iter) == DBUS_TYPE_VARIANT) { ++ dbus_message_iter_recurse(&iter, &sub_iter); ++ if (dbus_message_iter_get_arg_type(&sub_iter) == DBUS_TYPE_STRING) { ++ dbus_message_iter_get_basic(&sub_iter, s); ++ *s = *s ? 
talloc_strdup(parent, *s) : NULL; ++ return 0; ++ } ++ } ++ ++ if (dbus_error_is_set(&err)) { ++ cm_log(3, "Failed to extract data from DBus message: %s", err.message); ++ dbus_error_free(&err); ++ } else { ++ cm_log(3, "Failed to extract data from DBus message."); ++ } ++ *s = NULL; ++ return -1; ++} ++ ++int + cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s) + { + DBusError err; +diff --git a/src/tdbusm.h b/src/tdbusm.h +index b926b4941985509696b965fc955b2f204ce856df..813fae2f4a4a72da512e7559b5ed437cab4766e1 100644 +--- a/src/tdbusm.h ++++ b/src/tdbusm.h +@@ -22,6 +22,7 @@ int cm_tdbusm_get_b(DBusMessage *msg, void *parent, dbus_bool_t *b); + int cm_tdbusm_get_n(DBusMessage *msg, void *parent, long *n); + int cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p); + int cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s); ++int cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s); + int cm_tdbusm_get_bp(DBusMessage *msg, void *parent, dbus_bool_t *b, char **p); + int cm_tdbusm_get_bs(DBusMessage *msg, void *parent, dbus_bool_t *b, char **s); + int cm_tdbusm_get_sb(DBusMessage *msg, void *parent, char **s, dbus_bool_t *b); +-- +2.1.0 + diff --git a/SOURCES/certmonger-dogtag-approval-options.patch b/SOURCES/certmonger-dogtag-approval-options.patch new file mode 100644 index 0000000..0ddee2f --- /dev/null +++ b/SOURCES/certmonger-dogtag-approval-options.patch 
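Review bot: In `cm_tdbusm_get_vs` the `DBusError err` is initialised but nothing in the hunk ever passes `&err` to a libdbus call — `dbus_message_iter_init`, `dbus_message_iter_recurse` and `dbus_message_iter_get_basic` take no error argument — so both `dbus_error_is_set(&err)` branches are dead and the only text that can ever be logged is the generic message. If the intent is to surface an error reply from the daemon, check the message type first, e.g. `if (dbus_message_get_type(msg) == DBUS_MESSAGE_TYPE_ERROR && dbus_set_error_from_message(&err, msg))`, and log `err.message` from there; otherwise drop `err` and the `dbus_error_init` call entirely. A second gap: a failed `talloc_strdup` leaves `*s == NULL` but the function still returns 0, and the caller in getcert.c only substitutes `""` on a non-zero return, so `return *s != NULL ? 0 : -1;` after the strdup keeps that caller's contract. The sibling `cm_tdbusm_get_s` and the `query_prop_s` caller both extend outside the hunk.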
@@ -0,0 +1,154 @@ +Backported from master. + +From de03df73802956143fd1fa743706b803938a610f Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 18 Nov 2014 13:25:08 +0000 +Subject: [PATCH] Allow overriding parameter values in Dogtag request approval + +--- + src/certmonger-dogtag-ipa-renew-agent-submit.8.in | 8 +++ + src/dogtag.c | 61 ++++++++++++++++++++++- + 2 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +index 45129d4818aad0d91960a1bfe35a79e4e2406f02..d6d0c4c122014ac77e04ab8c3fc4a2742dfb8bdb 100644 +--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in ++++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +@@ -17,6 +17,7 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL + [-D serial (decimal)] + [-S state] + [-T profile] ++[-O param=value] + [-v] + [csrfile] + +@@ -125,6 +126,13 @@ The name of the type of certificate which the client should request from the CA + if it is not renewing a certificate (per the \fB-s\fR option above). The + default value is \fBcaServerCert\fP. + .TP ++\fB-O\fR param=value ++An additional parameter to pass to the server when approving the signing ++request using the agent's credentials. By default, any server-supplied default ++settings are applied. This option can be used either to override a ++server-supplied default setting, or to supply one which would otherwise have ++not been used. ++.TP + \fB-v\fR + Increases the logging level. Use twice for more logging. This option is mainly + useful for troubleshooting. 
+diff --git a/src/dogtag.c b/src/dogtag.c +index 700fe7f516a54f0581d94068e9066de9e4621f5d..6bd284327ffc1ab29d32deb8529fc5ef69314295 100644 +--- a/src/dogtag.c ++++ b/src/dogtag.c +@@ -76,6 +76,7 @@ help(const char *cmd) + "\t[-D serial (decimal)]\n" + "\t[-S state]\n" + "\t[-T profile]\n" ++ "\t[-O param=value]\n" + "\t[-v]\n" + "\t[-N]\n" + "\t[-V dogtag_version]\n" +@@ -140,6 +141,11 @@ main(int argc, char **argv) + const char *sslcert = NULL, *sslkey = NULL; + const char *sslpin = NULL, *sslpinfile = NULL; + const char *host = NULL, *csr = NULL, *serial = NULL, *template = NULL; ++ struct { ++ char *name; ++ char *value; ++ } *options = NULL; ++ size_t num_options = 0, j; + const char *dogtag_version = NULL; + char *ipaconfig = NULL, *savedstate = NULL; + char *p, *q, *params = NULL, *params2 = NULL; +@@ -178,7 +184,7 @@ main(int argc, char **argv) + + savedstate = getenv(CM_SUBMIT_COOKIE_ENV); + +- while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:vV:NR")) != -1) { ++ while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:vV:NR")) != -1) { + switch (c) { + case 'E': + eeurl = optarg; +@@ -220,6 +226,26 @@ main(int argc, char **argv) + case 'T': + template = optarg; + break; ++ case 'O': ++ if (strchr(optarg, '=') == NULL) { ++ printf(_("Profile params (-O) must be in the form of param=value.\n")); ++ help(argv[0]); ++ return CM_SUBMIT_STATUS_UNCONFIGURED; ++ } ++ options = realloc(options, ++ ++num_options * sizeof(*options)); ++ if (options == NULL) { ++ printf(_("Out of memory.\n")); ++ return CM_SUBMIT_STATUS_UNCONFIGURED; ++ } ++ options[num_options - 1].name = strdup(optarg); ++ if (options[num_options - 1].name == NULL) { ++ printf(_("Out of memory.\n")); ++ return CM_SUBMIT_STATUS_UNCONFIGURED; ++ } ++ *strchr(options[num_options - 1].name, '=') = '\0'; ++ options[num_options - 1].value = strchr(optarg, '=') + 1; ++ break; + case 'v': + verbose++; + break; +@@ -374,6 +400,18 @@ main(int argc, char **argv) + printf(_("No profile/template 
(-T) given, and no default known.\n")); + missing_args = TRUE; + } ++ if (options != NULL) { ++ if (agenturl == NULL) { ++ printf(_("No agent URL (-A) given, and no default " ++ "known.\n")); ++ missing_args = TRUE; ++ } ++ if (!can_agent) { ++ printf(_("No agent credentials specified, and no " ++ "default known.\n")); ++ missing_args = TRUE; ++ } ++ } + if (missing_args) { + help(argv[0]); + return CM_SUBMIT_STATUS_UNCONFIGURED; +@@ -544,12 +582,33 @@ main(int argc, char **argv) + for (i = 0; + (defaults != NULL) && (defaults[i] != NULL); + i++) { ++ /* Check if this default is one of the ++ * paramters we've been explicitly provided. */ ++ for (j = 0; j < num_options; j++) { ++ if (strcmp(defaults[i]->name, ++ options[j].name) == 0) { ++ break; ++ } ++ } ++ /* If we have a non-default value for it, skip ++ * this default. */ ++ if (j < num_options) { ++ continue; ++ } + p = cm_submit_u_url_encode(defaults[i]->name); + q = cm_submit_u_url_encode(defaults[i]->value); + params2 = talloc_asprintf(ctx, + "%s&%s=%s", + params2, p, q); + }; ++ /* Add parameters specified on command line */ ++ for (j = 0; j < num_options; j++) { ++ p = cm_submit_u_url_encode(options[j].name); ++ q = cm_submit_u_url_encode(options[j].value); ++ params2 = talloc_asprintf(ctx, ++ "%s&%s=%s", ++ params2, p, q); ++ } + break; + case op_none: + case op_submit: +-- +2.1.0 + diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 77d8c7a..0678f85 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -6,6 +6,12 @@ %global sysvinit 1 %endif +%if 0%{?fedora} > 15 && 0%{?fedora} < 20 +%global systemdsysv 1 +%else +%global systemdsysv 0 +%endif + %if 0%{?fedora} > 14 || 0%{?rhel} > 6 %global tmpfiles 1 %else @@ -19,8 +25,8 @@ %endif Name: certmonger -Version: 0.70 -Release: 2%{?dist} +Version: 0.75.14 +Release: 3%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons 
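Review bot: The `-O` validation in the new `case 'O':` only checks that an `=` is present, so `-O =value` is accepted and yields an empty parameter name that is then URL-encoded and sent to the agent approval endpoint under the agent's credentials; `if (optarg[0] == '=' || strchr(optarg, '=') == NULL) {` rejects that along with the existing case. In the same block `options = realloc(options, ++num_options * sizeof(*options));` overwrites the only pointer to the array, which is harmless here only because the OOM branch returns immediately — worth a one-line comment so a later refactor does not turn it into a leak. The value side aliases `optarg` after the `=` while the name is a strdup'd copy cut at the `=`; a comment such as `/* name: own copy cut at '='; value: points into argv */` would make that asymmetry explicit. Repeated `-O name=...` options are all appended in the approval loop, so the server receives the parameter more than once; whether Dogtag honours the first or the last is not visible here. The enclosing `main()` starts and ends outside the hunk.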
@@ -29,8 +35,11 @@ URL: http://certmonger.fedorahosted.org
 Source0: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
 Source1: http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0: certmonger-dogtag-approval-options.patch
+Patch1: certmonger-dbus-string-properties.patch
-BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel
+BuildRequires: openldap-devel
+BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires: libuuid-devel
 %else
@@ -59,6 +68,10 @@ BuildRequires: /usr/bin/dbus-launch
 # for dos2unix
 BuildRequires: /usr/bin/dos2unix
 BuildRequires: /usr/bin/unix2dos
+# for which
+BuildRequires: /usr/bin/which
+# for dbus tests
+BuildRequires: dbus-python
 # we need a running system bus
 Requires: dbus
@@ -66,14 +79,24 @@ Requires: dbus
 %if %{systemd}
 BuildRequires: systemd-units
 Requires(post): systemd-units
-Requires(preun): systemd-units
+Requires(preun): systemd-units, dbus, sed
 Requires(postun): systemd-units
+%endif
+
+%if %{systemdsysv}
 Requires(post): systemd-sysv
+%global systemdsysvsave \
+# Save the current service runlevel info, in case the user wants \
+# to apply the enabled status manually later, by running \
+# "systemd-sysv-convert --apply certmonger". \
+%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
+%else
+%global systemdsysvsave %{nil}
 %endif
 %if %{sysvinit}
 Requires(post): /sbin/chkconfig, /sbin/service
-Requires(preun): /sbin/chkconfig, /sbin/service
+Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
 %endif
 %if 0%{?fedora} >= 15
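Review bot: The new `Requires(preun): systemd-units, dbus, sed` (and its sysvinit twin) scopes `sed` to the %preun scriptlet, but the visible consumer of `sed` and `dbus-send` is the `%triggerin -- certmonger < 0.58` scriptlet in the next hunk, and rpm offers no trigger-scoped dependency qualifier. A plain `Requires: sed` next to the existing `Requires: dbus` (already present in this hunk) would state the real requirement; if `sed` is considered always present on the target releases, a one-line comment saying so would keep this from being re-raised. Whether the preun qualifier also serves a %preun use outside this hunk is not visible here.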
@@ -87,6 +110,8 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %prep
 %setup -q
+%patch0 -p1 -b .dogtag-approval-options
+%patch1 -p1 -b .dbus-string-properties
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
@@ -136,6 +161,22 @@ fi
 /sbin/chkconfig --add certmonger
 %endif
+%triggerin -- certmonger < 0.58
+if test $1 -gt 1 ; then
+ # If the daemon is running, remove knowledge of the dogtag renewer.
+ objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`
+ if test -n "$objpath" ; then
+ dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
+ fi
+ # Remove the data file, in case it isn't running.
+ for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
+ if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
+ rm -f "$cafile"
+ fi
+ done
+fi
+exit 0
+
 %postun
 %if %{systemd}
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
@@ -167,10 +208,7 @@ exit 0
 %if %{systemd}
 %triggerun -- certmonger < 0.43
-# Save the current service runlevel info, in case the user wants to apply
-# the enabled status manually later, by running
-# "systemd-sysv-convert --apply certmonger".
-%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
+%{systemdsysvsave}
 # Do this because the old package's %%postun doesn't know we need to do it.
 /sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
 # Do this because the old package's %%postun wouldn't have tried.
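Review bot: `%prep` now applies the two new patches after `%setup -q`, but nothing visible checks Source1 (`certmonger-%{version}.tar.gz.sig`, which this commit swaps together with the tarball) against Source0, so the detached signature travels in the SRPM without ever being verified at build time. If the upstream signing key can be carried as an additional Source, a `gpgv`/`gpg --verify` of `%{SOURCE1}` over `%{SOURCE0}` before `%setup` turns the signature into an actual supply-chain control; if source verification happens in the build service instead, a comment next to `Source1:` saying so would document why the spec does not do it. The rest of `%prep` continues outside the hunk.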
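Review bot: In the new `%triggerin` scriptlet the loop `for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do` hands the unexpanded glob to `grep -q` when that directory is empty or absent, so the upgrade transcript gets a spurious grep error; `[ -f "$cafile" ] || continue` as the first statement of the loop body avoids that and also keeps `rm -f` away from anything that is not a regular file. The D-Bus half is best-effort as written (stderr discarded, `|| true`), but a `dbus-send --system` to a name that is bus-activatable can start the daemon during package installation just to ask it about one CA — if that is accepted, say so in the comment above `objpath=`; if not, gate the call on the service already being active. The `%postun` body that follows the trigger starts inside the hunk but ends outside it.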
@@ -195,13 +233,231 @@ exit 0 %{sysvinitdir}/certmonger %endif %if %{tmpfiles} -%attr(0644,root,root) %config(noreplace) /etc/tmpfiles.d/certmonger.conf +%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf %endif %if %{systemd} %{_unitdir}/* %endif %changelog +* Tue Jan 13 2015 Jan Cholasta - 0.75.14-3 +- backport change from git to correctly retrieve string values from DBus + property interface replies (#1181022) + +* Wed Nov 19 2014 Jan Cholasta - 0.75.14-2 +- backport dogtag-submit: accept additional options to pass to the server when + approving requests using agent creds (#1165155) + +* Thu Aug 28 2014 Nalin Dahyabhai 0.75.14-1 +- make pathname canonicalization slightly smarter, to handle ".." in + locations +- updates to self-tests + +* Thu Aug 21 2014 Kevin Fenzi - 0.75.13-2 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.13-1 +- add a missing test case file (whoops) + +* Mon Aug 18 2014 Nalin Dahyabhai 0.75.12-1 +- correct encoding/decoding of variant-typed data which we receive and send + as part of the org.freedesktop.DBus.Properties interface over the bus, and + add some tests for them (based on patch from David Kupka, ticket #36) + +* Fri Aug 15 2014 Fedora Release Engineering - 0.75.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Nalin Dahyabhai 0.75.11-1 +- when getcert is passed a -a flag, to indicate that CA root certificates + should be stored in the specified database, don't ignore locations which + don't include a storage scheme (#1129537) +- when called to 'start-tracking' with the -a or -F flags, if we have + applicable certificates on-hand for a CA that we're either told to use + or which we decide is the correct one, save the certificates (#1129696) + +* Tue Aug 5 2014 Nalin Dahyabhai 0.75.10-1 +- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in + default.conf, and no "host" is set either, try to construct the server URI + 
using the "server" setting (#1126985) + +* Thu Jul 31 2014 Nalin Dahyabhai 0.75.9-1 +- avoid potential use-after-free after a CA is removed dynamically (thanks to + Keenan Brock) (#1125342) +- add a "external-helper" property to CA objects + +* Mon Jul 21 2014 Nalin Dahyabhai 0.75.8-1 +- add a 'refresh' option to the getcert command +- add a '-a' flag to the getcert command's 'refresh-ca' option + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-2 +- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older, + conditionalized it so that it's ignored on newer releases, and make + whether or not we call systemd-sysv-convert in triggers depend on that, + too (#1104138) + +* Thu Jul 17 2014 Nalin Dahyabhai 0.75.7-1 +- fix an inconsistency in how we parse cookie values returned by CA helpers, + in that single-line values would lose the end-of-line after a daemon + restart, but not before +- handle timeout values and exit status values when calling CA helpers + in non-SUBMIT, non-POLL modes (#1118468) +- rework how we save CA certificates so that we save CA certificates associated + with end-entity certificates when we save that end-entity certificate, which + requires running all of the involved pre- and post-save commands +- drop package Requires: on systemd-sysv (#1104138) + +* Thu Jun 26 2014 Nalin Dahyabhai 0.75.6-1 +- avoid potential use-after-free and read overrun after a CA is added + dynamically (thanks to Jan Cholasta) + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.5-1 +- documentation updates + +* Fri Jun 20 2014 Nalin Dahyabhai 0.75.4-2 +- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA + when we detect certmonger versions prior to 0.58 being installed, to + avoid cases where some older versions choke on CAs with nicknames that + contain characters that can't legally be part of a D-Bus name (#948993) + +* Thu Jun 19 2014 Nalin Dahyabhai 0.75.4-1 +- fix creation and packaging of the "local" CA's data directory + +* Wed Jun 18 2014 Nalin 
Dahyabhai 0.75.3-1 +- read and cache whether or not we saw a noOCSPcheck extension in certificates +- documentation updates + +* Mon Jun 16 2014 Nalin Dahyabhai 0.75.2-1 +- when generating keys using OpenSSL, if key generation fails, try + again with the default key size, in case we're in FIPS mode +- documentation updates + +* Sat Jun 14 2014 Nalin Dahyabhai 0.75.1-1 +- log the state in 'getcert status' verbose mode + +* Fri Jun 13 2014 Nalin Dahyabhai 0.75-1 +- add a -w (wait) flag to the getcert's request/resubmit/start-tracking + commands, and add a non-waiting status command + +* Wed Jun 11 2014 Nalin Dahyabhai 0.74.96-1 +- make the trust settings we apply to CA-supplied certificates while + saving them to NSS databases run-time configurable +- fix compiling against EL5-era OpenSSL +- when saving CA certificates we pull from an IPA server, nickname + it using the realm name with " IPA CA" appended rather than just + naming it "IPA CA" +- fix the local signer so that when it issues itself a new certificate, + it uses the same subject name +- add a -w flag to getcert's request, resubmit, and start-tracking + commands, telling it to wait until either the certificate is issued, + we get to a state where we know that we won't be able to get one, or + we are waiting for a CA + +* Mon Jun 9 2014 Nalin Dahyabhai 0.74.95-1 +- add the "local" signer, a local toy CA that signs anything you'll + ask it to sign + +* Sat Jun 07 2014 Fedora Release Engineering - 0.74-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Jun 6 2014 Nalin Dahyabhai 0.74.94-1 +- fix self-test errors that we trigger with new OpenSSL +- fix a build error that would sometimes happen when we're told to + build PIE binaries +- quiet a compile warning + +* Thu Jun 5 2014 Nalin Dahyabhai 0.74.93-1 +- add some self-tests +- simplify the internal submit-to-CA logic +- fixes for more problems found through static analysis + +* Tue Jun 3 2014 Nalin Dahyabhai 0.74.92-1 +- retrieve 
CA information from CAs, if the helpers can do so, and + add a command to explicitly refresh that data: "getcert refresh-ca" +- offer to save CA certificates to files and databases, when specified with + new -a and -F flags to getcert request/resubmit/start-tracking (#1098208, + trac #31) +- add IP address subject alternate names when getcert request/resubmit + is passed the -A option (trac #35) +- read and cache the freshestCRL extension in certificates +- properly interpret KDC-unreachable errors encountered in the IPA + submission error as a server-unreachable error that we will retry, + rather than a misconfiguration error which we won't +- don't let tests get tripped up by new formatting used in dos2unix status + messages (#1099080) +- updated translations +- be explicit that we are going to use bashisms in test scripts by calling + the shell interpreter as 'bash' rather than 'sh' (trac #27) + +* Thu Apr 3 2014 Nalin Dahyabhai 0.74-1 +- also save state when we exit due to SIGHUP +- don't get tripped up when enrollment helpers hand us certificates which + include CRLF line terminators (ticket #25) +- be tolerant of certificate issuer names, subject names, DNS, email, and + Kerberos principal namem subjectAltNames, and crl distribution point URLs + that contain newlines +- read and cache the certificate template extension in certificates +- enforce different minimum key sizes depending on the type of key we're + trying to generate +- store DER versions of subject, issuer and template subject, if we have + them (Jan Cholasta, ticket #26) +- when generating signing requests with subject names that don't quite parse + as subject names, encode what we're given as PrintableString rather than + as a UTF8String +- always chdir() to a known location at startup, even if we're not becoming + a daemon +- fix a couple of memory leaks (static analysis) +- add missing buildrequires: on which + +* Thu Feb 20 2014 Nalin Dahyabhai 0.73-1 +- updates to 0.73 + - getcert no longer 
claims to be stuck when a CA is unreachable, + because the daemon isn't actually stuck + +* Mon Feb 17 2014 Nalin Dahyabhai +- updates to 0.73 + - also pass the key type to enrollment helpers in the environment as + a the value of "CERTMONGER_KEY_TYPE" + +* Mon Feb 10 2014 Nalin Dahyabhai +- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir}, + where it belongs + +* Mon Feb 10 2014 Nalin Dahyabhai +- updates for 0.73 + - set the flag to encode EC public key parameters using named curves + instead of the default of all-the-details when using OpenSSL + - don't break when NSS supports secp521r1 but OpenSSL doesn't + - also pass the CA nickname to enrollment helpers in the environment as + a text value in "CERTMONGER_CA_NICKNAME", so they can use that value + when reading configuration settings + - also pass the SPKAC value to enrollment helpers in the environment as + a base64 value in "CERTMONGER_SPKAC" + - also pass the request's SubjectPublicKeyInfo value to enrollment helpers + in the environment as a base64 value in "CERTMONGER_SPKI" + - when generating signing requests using NSS, be more accommodating of + requested subject names that don't parse properly + +* Mon Feb 3 2014 Nalin Dahyabhai 0.72-1 +- update to 0.72 + - support generating DSA parameters and keys on sufficiently-new OpenSSL + and NSS + - support generating EC keys when OpenSSL and NSS support it, using key + size to select the curve to use from among secp256r1, secp384r1, + secp521r1 (which are the ones that are usually available, though + secp521r1 isn't always, even if the other two are) + - stop trying to cache public key parameters at all and instead cache public + key info properly + - encode the friendlyName attribute in signing requests as a BMPString, + not as a PrintableString + - catch more filesystem permissions problems earlier (more of #996581) + +* Mon Jan 27 2014 Nalin Dahyabhai 0.71-1 +- check for cases where we fail to allocate memory while reading a request + or CA 
entry from disk (John Haxby) +- only handle one watch at a time, which should avoid abort() during + attempts to reconnect to the message bus after losing our connection + to it (#1055521) + * Fri Jan 24 2014 Daniel Mach - 0.70-2 - Mass rebuild 2014-01-24