From df372adab25c9e4081eb89c77c61f0ab80605c0d Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 1 Dec 2020 09:57:43 -0800
Subject: [PATCH 1/2] Bug1883639 -additional support on upgrade for audit cert
profile
It was discovered that when upgrading from 10.5.18-7 to 10.5.18-8 the script was
never executed.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1883639
(cherry picked from commit 2b922a1d53fc222444c0ee7be6da41609e29cc7c)
---
.../10.5.17/02-AddProfileCaAuditSigningCert | 52 ----------------------
.../10.5.18/01-AddProfileCaAuditSigningCert | 52 ++++++++++++++++++++++
2 files changed, 52 insertions(+), 52 deletions(-)
delete mode 100644 base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
create mode 100644 base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
diff --git a/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
deleted file mode 100644
|
|
|
e0d192 |
index 02b8477..0000000
|
|
|
e0d192 |
--- a/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
+++ /dev/null
|
|
|
e0d192 |
@@ -1,52 +0,0 @@
|
|
|
e0d192 |
-# Authors:
|
|
|
e0d192 |
-# Christina Fu <cfu@redhat.com>
|
|
|
e0d192 |
-#
|
|
|
e0d192 |
-# Copyright Red Hat, Inc.
|
|
|
e0d192 |
-#
|
|
|
e0d192 |
-# SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
e0d192 |
-
|
|
|
e0d192 |
-from __future__ import absolute_import
|
|
|
e0d192 |
-import logging
|
|
|
e0d192 |
-import os
|
|
|
e0d192 |
-import shutil
|
|
|
e0d192 |
-
|
|
|
e0d192 |
-import pki
|
|
|
e0d192 |
-
|
|
|
e0d192 |
-logger = logging.getLogger(__name__)
|
|
|
e0d192 |
-
|
|
|
e0d192 |
-
|
|
|
e0d192 |
-class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- def __init__(self):
|
|
|
e0d192 |
- super(AddProfileCaAuditSigningCert, self).__init__()
|
|
|
e0d192 |
- self.message = 'Add caAuditSigningCert profile'
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- def upgrade_subsystem(self, instance, subsystem):
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- if subsystem.name != 'ca':
|
|
|
e0d192 |
- return
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caAuditSigningCert.cfg')
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- if not os.path.exists(path):
|
|
|
e0d192 |
- logger.info('Creating caAuditSigningCert.cfg')
|
|
|
e0d192 |
- self.backup(path)
|
|
|
e0d192 |
- shutil.copyfile('/usr/share/pki/ca/profiles/ca/caAuditSigningCert.cfg', path)
|
|
|
e0d192 |
- os.chown(path, instance.uid, instance.gid)
|
|
|
e0d192 |
- os.chmod(path, 0o0660)
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- logger.info('Adding caAuditSigningCert into profile.list')
|
|
|
e0d192 |
- profile_list = subsystem.config.get('profile.list').split(',')
|
|
|
e0d192 |
- if 'caAuditSigningCert' not in profile_list:
|
|
|
e0d192 |
- profile_list.append('caAuditSigningCert')
|
|
|
e0d192 |
- profile_list.sort()
|
|
|
e0d192 |
- subsystem.config['profile.list'] = ','.join(profile_list)
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- logger.info('Adding profile.caAuditSigningCert.class_id')
|
|
|
e0d192 |
- subsystem.config['profile.caAuditSigningCert.class_id'] = 'caEnrollImpl'
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- logger.info('Adding profile.caAuditSigningCert.config')
|
|
|
e0d192 |
- subsystem.config['profile.caAuditSigningCert.config'] = path
|
|
|
e0d192 |
-
|
|
|
e0d192 |
- self.backup(subsystem.cs_conf)
|
|
|
e0d192 |
- subsystem.save()
|
|
|
e0d192 |
diff --git a/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
new file mode 100644
|
|
|
e0d192 |
index 0000000..02b8477
|
|
|
e0d192 |
--- /dev/null
|
|
|
e0d192 |
+++ b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
@@ -0,0 +1,52 @@
|
|
|
e0d192 |
+# Authors:
|
|
|
e0d192 |
+# Christina Fu <cfu@redhat.com>
|
|
|
e0d192 |
+#
|
|
|
e0d192 |
+# Copyright Red Hat, Inc.
|
|
|
e0d192 |
+#
|
|
|
e0d192 |
+# SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+from __future__ import absolute_import
|
|
|
e0d192 |
+import logging
|
|
|
e0d192 |
+import os
|
|
|
e0d192 |
+import shutil
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+import pki
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+logger = logging.getLogger(__name__)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ def __init__(self):
|
|
|
e0d192 |
+ super(AddProfileCaAuditSigningCert, self).__init__()
|
|
|
e0d192 |
+ self.message = 'Add caAuditSigningCert profile'
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ def upgrade_subsystem(self, instance, subsystem):
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ if subsystem.name != 'ca':
|
|
|
e0d192 |
+ return
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caAuditSigningCert.cfg')
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ if not os.path.exists(path):
|
|
|
e0d192 |
+ logger.info('Creating caAuditSigningCert.cfg')
|
|
|
e0d192 |
+ self.backup(path)
|
|
|
e0d192 |
+ shutil.copyfile('/usr/share/pki/ca/profiles/ca/caAuditSigningCert.cfg', path)
|
|
|
e0d192 |
+ os.chown(path, instance.uid, instance.gid)
|
|
|
e0d192 |
+ os.chmod(path, 0o0660)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding caAuditSigningCert into profile.list')
|
|
|
e0d192 |
+ profile_list = subsystem.config.get('profile.list').split(',')
|
|
|
e0d192 |
+ if 'caAuditSigningCert' not in profile_list:
|
|
|
e0d192 |
+ profile_list.append('caAuditSigningCert')
|
|
|
e0d192 |
+ profile_list.sort()
|
|
|
e0d192 |
+ subsystem.config['profile.list'] = ','.join(profile_list)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding profile.caAuditSigningCert.class_id')
|
|
|
e0d192 |
+ subsystem.config['profile.caAuditSigningCert.class_id'] = 'caEnrollImpl'
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding profile.caAuditSigningCert.config')
|
|
|
e0d192 |
+ subsystem.config['profile.caAuditSigningCert.config'] = path
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ self.backup(subsystem.cs_conf)
|
|
|
e0d192 |
+ subsystem.save()
--
1.8.3.1
From 3057354b81d16212d54693eef743c4cb3dbe38b5 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 1 Dec 2020 13:26:20 -0800
Subject: [PATCH 2/2] Bug1883639-part2-auditProfileUpgrade
This patch addresses two problems left over from the renaming of caSignedLogCert.cfg
to caAuditSigningCert:
* The profileIDMapping and profileSetIDMapping params in the following
profile still contains the old names:
base/ca/shared/conf/caAuditSigningCert.profile
* at renewal time, the profile will no longer be available
The solution provided is to
* correct the two mapping param names in caAuditSigningCert.profile
* re-enable caSignedLogCert.cfg (but kept invisible)
fixes issue relating to https://bugzilla.redhat.com/show_bug.cgi?id=1883639
(cherry picked from commit de51aaf50bc44bb72a749736fa84268f8caf9ffb)
---
base/ca/shared/conf/caAuditSigningCert.profile | 4 ++--
base/ca/shared/profiles/ca/caSignedLogCert.cfg | 6 +++---
.../upgrade/10.5.18/01-AddProfileCaAuditSigningCert | 15 +++++++++++++++
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/base/ca/shared/conf/caAuditSigningCert.profile b/base/ca/shared/conf/caAuditSigningCert.profile
|
|
|
e0d192 |
index 5983a18..cb9b5e1 100644
|
|
|
e0d192 |
--- a/base/ca/shared/conf/caAuditSigningCert.profile
|
|
|
e0d192 |
+++ b/base/ca/shared/conf/caAuditSigningCert.profile
|
|
|
e0d192 |
@@ -4,8 +4,8 @@
|
|
|
e0d192 |
id=caAuditSigningCert.profile
|
|
|
e0d192 |
name=CA Audit Signing Certificate Profile
|
|
|
e0d192 |
description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
|
|
|
e0d192 |
-profileIDMapping=caSignedLogCert
|
|
|
e0d192 |
-profileSetIDMapping=caLogSigningSet
|
|
|
e0d192 |
+profileIDMapping=caAuditSigningCert
|
|
|
e0d192 |
+profileSetIDMapping=auditSigningCertSet
|
|
|
e0d192 |
list=2,4,6,8
|
|
|
e0d192 |
2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
e0d192 |
2.default.name=Validity Default
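Review bot: `profileSetIDMapping=auditSigningCertSet` has to name a policyset that caAuditSigningCert.cfg actually declares in its `policyset.list`, and that cfg is not part of this patch, so the id should be confirmed against the file rather than assumed from the rename; a mismatch would reproduce the same renewal failure this commit is fixing. Separately, this is the shared template under base/ca/shared/conf — if already-installed instances keep their own copy of caAuditSigningCert.profile under the instance conf directory, the 10.5.18 upgrade scriptlet in this series never rewrites it, so those CAs would still carry `profileIDMapping=caSignedLogCert` and `profileSetIDMapping=caLogSigningSet` after the upgrade. Worth checking which copy renewal reads and, if it is the instance copy, extending the scriptlet to rewrite those two keys as well.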
|
|
|
e0d192 |
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
index 01e21f1..cc058b0 100644
|
|
|
e0d192 |
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
@@ -1,9 +1,9 @@
|
|
|
e0d192 |
-desc=This profile is for enrolling audit log signing certificates
|
|
|
e0d192 |
+desc=(deprecated; use caAuditSigningCert) This profile is for enrolling audit log signing certificates
|
|
|
e0d192 |
visible=false
|
|
|
e0d192 |
-enable=false
|
|
|
e0d192 |
+enable=true
|
|
|
e0d192 |
enableBy=admin
|
|
|
e0d192 |
auth.class_id=
|
|
|
e0d192 |
-name=Manual Audit Log Signing Certificate Enrollment
|
|
|
e0d192 |
+name=(deprecated; use caAuditSigningCert) Manual Audit Log Signing Certificate Enrollment
|
|
|
e0d192 |
input.list=i1,i2
|
|
|
e0d192 |
input.i1.class_id=certReqInputImpl
|
|
|
e0d192 |
input.i2.class_id=submitterInfoInputImpl
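Review bot: Flipping `enable=true` on a profile that is explicitly deprecated widens what the CA will issue: `visible=false` only hides it from the profile listing, and a request can still be submitted against the profile by id. The exposure looks bounded because `auth.class_id=` is empty, which should mean the request still needs agent approval, but nothing in the file says why the old profile has to stay enabled or when it can be turned off again. I'd record that next to the flag, e.g. `# enabled only so certs issued under caSignedLogCert can still be renewed; new enrollments use caAuditSigningCert` (assuming the loader accepts `#` comment lines), so the next person does not "clean it up" and break renewals of existing audit signing certs.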
|
|
|
e0d192 |
diff --git a/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
index 02b8477..5cec8d9 100644
|
|
|
e0d192 |
--- a/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
+++ b/base/server/upgrade/10.5.18/01-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
@@ -26,6 +26,21 @@ class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet)
|
|
|
e0d192 |
if subsystem.name != 'ca':
|
|
|
e0d192 |
return
|
|
|
e0d192 |
|
|
|
e0d192 |
+ # enable old profile caSignedLogCert to properly deprecate
|
|
|
e0d192 |
+ opath = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caSignedLogCert.cfg')
|
|
|
e0d192 |
+ self.backup(opath)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ oconfig = {}
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ pki.util.load_properties(opath, oconfig)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ oconfig['enable'] = 'true'
|
|
|
e0d192 |
+ oconfig['desc'] = '(deprecated; use caAuditSigningCert) This profile is for enrolling audit log signing certificates'
|
|
|
e0d192 |
+ oconfig['name'] = '(deprecated; use caAuditSigningCert) Manual Audit Log Signing Certificate Enrollment'
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ pki.util.store_properties(opath, oconfig)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ # now handle new profile
|
|
|
e0d192 |
path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caAuditSigningCert.cfg')
|
|
|
e0d192 |
|
|
|
e0d192 |
if not os.path.exists(path):
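Review bot: `pki.util.load_properties(opath, oconfig)` is called on the instance's caSignedLogCert.cfg without checking that the file exists; on an instance where it was removed or never installed the exception aborts the scriptlet before the caAuditSigningCert.cfg handling below it runs, which is the very step this bug is about. The new block also logs nothing, unlike every other step in this method, and it unconditionally sets `enable=true`, so an operator who deliberately disabled the old profile gets it silently re-enabled by a package upgrade. I'd guard on existence, log the change, and keep the rewrite behind the guard; please also confirm that `pki.util.store_properties` rewrites the file in place (so the instance uid/gid and 0660 mode survive, since the scriptlet runs as root) and whether it drops comments from the admin's copy. upgrade_subsystem continues beyond the end of the hunk.
```python
        # enable old profile caSignedLogCert to properly deprecate
        opath = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caSignedLogCert.cfg')

        if not os.path.exists(opath):
            logger.info('caSignedLogCert.cfg not found, skipping')
        else:
            logger.info('Re-enabling deprecated caSignedLogCert profile')
            self.backup(opath)

            oconfig = {}
            pki.util.load_properties(opath, oconfig)

            oconfig['enable'] = 'true'
            oconfig['desc'] = '(deprecated; use caAuditSigningCert) This profile is for enrolling audit log signing certificates'
            oconfig['name'] = '(deprecated; use caAuditSigningCert) Manual Audit Log Signing Certificate Enrollment'

            pki.util.store_properties(opath, oconfig)

        # … unchanged: caAuditSigningCert.cfg handling …
```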
--
1.8.3.1