Blame SOURCES/pki-core-rhel-7-9-rhcs-9-7-post-beta-2.patch

b1e4e4
From d98aed0cbb25deaa954289e7f870c10edde688dd Mon Sep 17 00:00:00 2001
b1e4e4
From: Christina Fu <cfu@redhat.com>
b1e4e4
Date: Mon, 18 May 2020 19:14:41 -0400
b1e4e4
Subject: [PATCH 1/2] Bug 1794213 Add Directory-based-auth profile for
b1e4e4
 SeverSide Keygen
b1e4e4
b1e4e4
This patch adds caServerKeygen_DirUserCert.cfg, which is a profile using
b1e4e4
directory-based authentication for severSide Keygen enrollment.
b1e4e4
One is required to set up UserDirEnrollment in CS.cfg.
b1e4e4
b1e4e4
It also contains some misc cleanup such as removal of unneeded imports
b1e4e4
and debugs, as well as perfecting a couple error handling stemmed from
b1e4e4
upstream review.
b1e4e4
b1e4e4
https://bugzilla.redhat.com/show_bug.cgi?id=1794213
b1e4e4
(cherry picked from commit 9e2bb93bb435e658a15ab8572a61d6481bb4fed8)
b1e4e4
---
b1e4e4
 base/ca/shared/conf/CS.cfg                         |   4 +-
b1e4e4
 .../profiles/ca/caServerKeygen_DirUserCert.cfg     | 104 +++++++++++++++++++++
b1e4e4
 base/kra/src/com/netscape/kra/RecoveryService.java |   2 +-
b1e4e4
 .../cms/profile/common/CAEnrollProfile.java        |   2 +
b1e4e4
 .../profile/def/ServerKeygenUserKeyDefault.java    |  12 ++-
b1e4e4
 .../cms/servlet/connector/ConnectorServlet.java    |   1 -
b1e4e4
 .../netscape/cmscore/request/ARequestQueue.java    |   5 +-
b1e4e4
 7 files changed, 119 insertions(+), 11 deletions(-)
b1e4e4
 create mode 100644 base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
b1e4e4
b1e4e4
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
b1e4e4
index 004efdc..2c50831 100644
b1e4e4
--- a/base/ca/shared/conf/CS.cfg
b1e4e4
+++ b/base/ca/shared/conf/CS.cfg
b1e4e4
@@ -976,7 +976,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
b1e4e4
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
b1e4e4
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
b1e4e4
 os.userid=nobody
b1e4e4
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
b1e4e4
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
b1e4e4
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
b1e4e4
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
b1e4e4
 profile.caManualRenewal.class_id=caEnrollImpl
b1e4e4
@@ -1133,6 +1133,8 @@ profile.caTransportCert.class_id=caEnrollImpl
b1e4e4
 profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTransportCert.cfg
b1e4e4
 profile.caServerKeygen_UserCert.class_id=caEnrollImpl
b1e4e4
 profile.caServerKeygen_UserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerKeygen_UserCert.cfg
b1e4e4
+profile.caServerKeygen_DirUserCert.class_id=caEnrollImpl
b1e4e4
+profile.caServerKeygen_DirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerKeygen_DirUserCert.cfg
b1e4e4
 profile.caUserCert.class_id=caEnrollImpl
b1e4e4
 profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUserCert.cfg
b1e4e4
 profile.caECUserCert.class_id=caEnrollImpl
b1e4e4
diff --git a/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
b1e4e4
new file mode 100644
b1e4e4
index 0000000..ea1acfb
b1e4e4
--- /dev/null
b1e4e4
+++ b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
b1e4e4
@@ -0,0 +1,104 @@
b1e4e4
+desc=This certificate profile is for enrolling user certificates using server-side Key generation with Directory-based authentication.
b1e4e4
+visible=true
b1e4e4
+enable=true
b1e4e4
+enableBy=admin
b1e4e4
+name=Directory-authenticated User Dual-Use Certificate Enrollment using server-side Key generation
b1e4e4
+auth.instance_id=UserDirEnrollment
b1e4e4
+input.list=i1,i2,i3
b1e4e4
+input.i1.class_id=serverKeygenInputImpl
b1e4e4
+input.i2.class_id=subjectNameInputImpl
b1e4e4
+input.i3.class_id=submitterInfoInputImpl
b1e4e4
+output.list=o1
b1e4e4
+output.o1.class_id=pkcs12OutputImpl
b1e4e4
+policyset.list=userCertSet
b1e4e4
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
b1e4e4
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
b1e4e4
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
b1e4e4
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
b1e4e4
+policyset.userCertSet.1.constraint.params.accept=true
b1e4e4
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
b1e4e4
+policyset.userCertSet.1.default.name=Subject Name Default
b1e4e4
+policyset.userCertSet.1.default.params.name=
b1e4e4
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
b1e4e4
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
b1e4e4
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
b1e4e4
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
b1e4e4
+policyset.userCertSet.10.default.class_id=noDefaultImpl
b1e4e4
+policyset.userCertSet.10.default.name=No Default
b1e4e4
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
b1e4e4
+policyset.userCertSet.2.constraint.name=Validity Constraint
b1e4e4
+policyset.userCertSet.2.constraint.params.range=365
b1e4e4
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
b1e4e4
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
b1e4e4
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
b1e4e4
+policyset.userCertSet.2.default.name=Validity Default
b1e4e4
+policyset.userCertSet.2.default.params.range=180
b1e4e4
+policyset.userCertSet.2.default.params.startTime=0
b1e4e4
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
b1e4e4
+policyset.userCertSet.3.constraint.name=Key Constraint
b1e4e4
+policyset.userCertSet.3.constraint.params.keyType=-
b1e4e4
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
b1e4e4
+policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
b1e4e4
+policyset.userCertSet.3.default.name=Server-Side Keygen Default
b1e4e4
+policyset.userCertSet.3.default.params.keyType=RSA
b1e4e4
+policyset.userCertSet.3.default.params.keySize=2048
b1e4e4
+policyset.userCertSet.3.default.params.enableArchival=true
b1e4e4
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
b1e4e4
+policyset.userCertSet.4.constraint.name=No Constraint
b1e4e4
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
b1e4e4
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
b1e4e4
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
b1e4e4
+policyset.userCertSet.5.constraint.name=No Constraint
b1e4e4
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
b1e4e4
+policyset.userCertSet.5.default.name=AIA Extension Default
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
b1e4e4
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
b1e4e4
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
b1e4e4
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
b1e4e4
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
b1e4e4
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
b1e4e4
+policyset.userCertSet.6.default.name=Key Usage Default
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageCritical=true
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
b1e4e4
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
b1e4e4
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
b1e4e4
+policyset.userCertSet.7.constraint.name=No Constraint
b1e4e4
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
b1e4e4
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
b1e4e4
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
b1e4e4
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
b1e4e4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
b1e4e4
+policyset.userCertSet.8.constraint.name=No Constraint
b1e4e4
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
b1e4e4
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
b1e4e4
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
b1e4e4
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
b1e4e4
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
b1e4e4
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
b1e4e4
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
b1e4e4
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
b1e4e4
+policyset.userCertSet.9.constraint.name=No Constraint
b1e4e4
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
b1e4e4
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
b1e4e4
+policyset.userCertSet.9.default.name=Signing Alg
b1e4e4
+policyset.userCertSet.9.default.params.signingAlg=-
b1e4e4
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4
index c5229ea..529cb57 100644
b1e4e4
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4
@@ -637,7 +637,7 @@ public class RecoveryService implements IService {
b1e4e4
                     pass,
b1e4e4
                     /* NSS has a bug that causes any AES CBC encryption
b1e4e4
                      * to use AES-256, but AlgorithmID contains chosen
b1e4e4
-                     * alg.  To avoid mismatch, use AES_128_CBC. */
b1e4e4
+                     * alg.  To avoid mismatch, use AES_256_CBC. */
b1e4e4
                     EncryptionAlgorithm.AES_256_CBC,
b1e4e4
                     0 /* iterations (use default) */,
b1e4e4
                     priKey);
b1e4e4
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4
index f8b547d..b0dd773 100644
b1e4e4
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4
@@ -156,6 +156,8 @@ public class CAEnrollProfile extends EnrollProfile {
b1e4e4
                 if (kraConnector == null) {
b1e4e4
                     String message = "KRA connector not configured";
b1e4e4
                     CMS.debug(method + message);
b1e4e4
+
b1e4e4
+                    throw new EProfileException(message);
b1e4e4
                 } else {
b1e4e4
                     CMS.debug(method + "request");
b1e4e4
                     kraConnector.send(request);
b1e4e4
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4
index b1eb58e..3c4e3d0 100644
b1e4e4
--- a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4
@@ -20,7 +20,6 @@ package com.netscape.cms.profile.def;
b1e4e4
 import java.io.ByteArrayInputStream;
b1e4e4
 import java.math.BigInteger;
b1e4e4
 import java.security.interfaces.DSAParams;
b1e4e4
-import java.util.Enumeration;
b1e4e4
 import java.util.Locale;
b1e4e4
 import java.util.Vector;
b1e4e4
 import java.security.KeyPair;
b1e4e4
@@ -271,6 +270,7 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4
         CertificateX509Key certKey = null;
b1e4e4
         String method = "ServerKeygenUserKeyDefault: populate: ";
b1e4e4
         CMS.debug(method + "begins");
b1e4e4
+        String errmsg = "";
b1e4e4
 
b1e4e4
         // trigger serverSide keygen enrollment
b1e4e4
         try {
b1e4e4
@@ -439,8 +439,9 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4
                     pubKeyStr = TEMP_PUBKEY_RSA_4096;
b1e4e4
                     break;
b1e4e4
                 default:
b1e4e4
-                    CMS.debug("ServerKeygenUserKeyDefault: populate: unsupported keySize: " + keySize);
b1e4e4
-                    break;
b1e4e4
+                    errmsg = "unsupported keySize: " + keySize;
b1e4e4
+                    CMS.debug("ServerKeygenUserKeyDefault: populate: " + errmsg);
b1e4e4
+                    throw new EProfileException(errmsg);
b1e4e4
               }
b1e4e4
             } else {
b1e4e4
               switch (curveName) {
b1e4e4
@@ -454,8 +455,9 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4
                     pubKeyStr = TEMP_PUBKEY_EC_NISTP521;
b1e4e4
                     break;
b1e4e4
                 default:
b1e4e4
-                    CMS.debug("ServerKeygenUserKeyDefault: populate: unsupported cureveName: " + curveName);
b1e4e4
-                    break;
b1e4e4
+                    errmsg = "unsupported curveName: " + curveName;
b1e4e4
+                    CMS.debug("ServerKeygenUserKeyDefault: populate: " + errmsg);
b1e4e4
+                    throw new EProfileException(errmsg);
b1e4e4
               }
b1e4e4
             }
b1e4e4
             byte[] certKeyData = CryptoUtil.base64Decode(pubKeyStr);
b1e4e4
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4
index fb9ed65..0e72559 100644
b1e4e4
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
b1e4e4
 import java.security.cert.CertificateException;
b1e4e4
 import java.security.cert.X509Certificate;
b1e4e4
 import java.util.Enumeration;
b1e4e4
-import java.util.Hashtable;
b1e4e4
 
b1e4e4
 import javax.servlet.ServletConfig;
b1e4e4
 import javax.servlet.ServletException;
b1e4e4
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
b1e4e4
index 24c2f77..3941fa0 100644
b1e4e4
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
b1e4e4
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
b1e4e4
@@ -568,12 +568,11 @@ public abstract class ARequestQueue
b1e4e4
 
b1e4e4
         // by default, write request to LDAP
b1e4e4
         if (delayLDAPCommit == null || !delayLDAPCommit.equals("true")) {
b1e4e4
-            CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is false");
b1e4e4
+            // CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is false");
b1e4e4
             // TODO: use a state flag to determine whether to call
b1e4e4
             // addRequest or modifyRequest (see newRequest as well)
b1e4e4
             modifyRequest(r);
b1e4e4
-        }  else //: delay the write to ldap
b1e4e4
-            CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is true");
b1e4e4
+        }
b1e4e4
     }
b1e4e4
 
b1e4e4
     // PRIVATE functions
b1e4e4
-- 
b1e4e4
1.8.3.1
b1e4e4
b1e4e4
b1e4e4
From b12e75b4314c9d017763130683b99008d7fc22ca Mon Sep 17 00:00:00 2001
b1e4e4
From: jmagne <jmagne@redhat.com>
b1e4e4
Date: Mon, 18 May 2020 20:35:31 -0400
b1e4e4
Subject: [PATCH 2/2] Additional fix Bug# 1710109 - add RSA PSS support. (#414)
b1e4e4
b1e4e4
Remove minor log message which was causing problems.
b1e4e4
Fix a typo in the pkispawn code that detects PSS signing algorithms.
b1e4e4
b1e4e4
Co-authored-by: Jack Magne <jmagne@test.host.com>
b1e4e4
(cherry picked from commit f30d2a26d6484cd85415b338fd721efc6499a937)
b1e4e4
---
b1e4e4
 base/server/python/pki/server/deployment/pkihelper.py  | 2 +-
b1e4e4
 base/util/src/netscape/security/x509/X509CertInfo.java | 6 ------
b1e4e4
 2 files changed, 1 insertion(+), 7 deletions(-)
b1e4e4
b1e4e4
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
b1e4e4
index 8c7ef51..214c9ae 100644
b1e4e4
--- a/base/server/python/pki/server/deployment/pkihelper.py
b1e4e4
+++ b/base/server/python/pki/server/deployment/pkihelper.py
b1e4e4
@@ -4596,7 +4596,7 @@ class ConfigClient:
b1e4e4
         if ('pki_subsystem_signing_algorithm' in self.mdict):
b1e4e4
             if ('RSA' in self.mdict['pki_subsystem_signing_algorithm'] and
b1e4e4
                 'PSS' not in self.mdict['pki_subsystem_signing_algorithm']):
b1e4e4
-                self.mdict[''] = \
b1e4e4
+                self.mdict['pki_subsystem_signing_algorithm'] = \
b1e4e4
                     self.mdict['pki_subsystem_signing_algorithm'] + '/PSS'
b1e4e4
                     
b1e4e4
 
b1e4e4
diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java
b1e4e4
index 93377f4..083ec41 100644
b1e4e4
--- a/base/util/src/netscape/security/x509/X509CertInfo.java
b1e4e4
+++ b/base/util/src/netscape/security/x509/X509CertInfo.java
b1e4e4
@@ -34,9 +34,6 @@ import netscape.security.util.DerInputStream;
b1e4e4
 import netscape.security.util.DerOutputStream;
b1e4e4
 import netscape.security.util.DerValue;
b1e4e4
 
b1e4e4
-import org.slf4j.Logger;
b1e4e4
-import org.slf4j.LoggerFactory;
b1e4e4
-
b1e4e4
 /**
b1e4e4
  * The X509CertInfo class represents X.509 certificate information.
b1e4e4
  *
b1e4e4
@@ -75,8 +72,6 @@ public class X509CertInfo implements CertAttrSet, Serializable {
b1e4e4
      * get, set, delete methods of Certificate, x509 type.
b1e4e4
      */
b1e4e4
 
b1e4e4
-     private static Logger logger = LoggerFactory.getLogger(X509CertInfo.class);
b1e4e4
-
b1e4e4
     public static final String IDENT = "x509.info";
b1e4e4
     // Certificate attribute names
b1e4e4
     public static final String NAME = "info";
b1e4e4
@@ -621,7 +616,6 @@ public class X509CertInfo implements CertAttrSet, Serializable {
b1e4e4
                 return (serialNum.get(attrName.getSuffix()));
b1e4e4
             }
b1e4e4
         case (ATTR_ALGORITHM):
b1e4e4
-            logger.warn("X509CertInfo.get(alg): " + this.toString());
b1e4e4
             if (attrName.getSuffix() == null) {
b1e4e4
                 return (algId);
b1e4e4
             } else {
b1e4e4
-- 
b1e4e4
1.8.3.1
b1e4e4