################################################################################

Name:             pki-core

################################################################################

%global           vendor_id redhat

%global           brand Red Hat

Summary:          %{brand} PKI Core Package

URL:              https://www.dogtagpki.org

# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2

License:          GPLv2 and LGPLv2

# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.

# For official (i.e. supported) releases, use x.y.z-r where r >=1.

Version:          10.10.5

Release:          3%{?_timestamp}%{?_commit_id}%{?dist}

#global           _phase -beta1

# To create a tarball from a version tag:

# $ git archive \

#     --format=tar.gz \

#     --prefix pki-<version>/ \

#     -o pki-<version>.tar.gz \

#     <version tag>

Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{version}%{?_phase}.tar.gz

# To create a patch for all changes since a version tag:

# $ git format-patch \

#     --stdout \

#     <version tag> \

#     > pki-VERSION-RELEASE.patch

# Patch: pki-VERSION-RELEASE.patch

# Do not remove this!! pytest-runner isn't available on RHEL. Removing this

# patch will break RHEL builds. The error message is:

# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:

#   [Errno 111] Connection refused -- Some packages may not be found!

Patch1: 0001-Removed-dependency-on-pytest-runner.patch

Patch2: 0001-Fix-renewal-profile-approval-process.patch

Patch3: 0001-Use-password-file-when-creating-admin-user.patch

Patch4: 0001-Fix-permission-for-new-installation-logs.patch

Patch5: 0001-Fix-permission-for-existing-installation-logs.patch

# md2man isn't available on i686. Additionally, we aren't generally multi-lib

# compatible (https://fedoraproject.org/wiki/Packaging:Java)

# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems

# safest.

%if ! 0%{?rhel} || 0%{?rhel} > 8

ExcludeArch: i686

%endif

################################################################################

# NSS

################################################################################

%global nss_default_db_type sql

################################################################################

# Python

################################################################################

%if 0%{?rhel} && 0%{?rhel} <= 8

%global python_executable /usr/libexec/platform-python

%else

%global python_executable /usr/bin/python3

%endif

################################################################################

# Java

################################################################################

%define java_devel java-devel

%define java_headless java-headless

%if 0%{?fedora} >= 33 || 0%{?rhel} > 8

%define min_java_version 1:11

%define java_home /usr/lib/jvm/java-11-openjdk

%else

%define min_java_version 1:1.8.0

%define java_home /usr/lib/jvm/java-1.8.0-openjdk

%endif

################################################################################

# RESTEasy

################################################################################

%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar

%define resteasy_lib /usr/share/java/resteasy

################################################################################

# PKI

################################################################################

# By default the build will execute unit tests unless --without test

# option is specified.

# bcond_without test

%global with_test 1

# By default all packages will be built except the ones specified with

# --without <package> option (exclusion method).

# If --with pkgs option is specified, only packages specified with

# --with <package> will be built (inclusion method).

# bcond_with pkgs

%global with_pkgs 1

# Define package_option macro to wrap bcond_with or bcond_without macro

# depending on package selection method.

%if %{with pkgs}

%define package_option() %bcond_with %1

%else

%define package_option() %bcond_without %1

%endif

# Define --with <package> or --without <package> options depending on

# package selection method.

# package_option base

%global with_base 1

# package_option server

%global with_server 1

# package_option acme

%global with_acme 1

# package_option ca

%global with_ca 1

# package_option kra

%global with_kra 1

# package_option ocsp

# package_option tks

# package_option tps

# package_option javadoc

# package_option console

# package_option theme

# package_option meta

# package_option tests

# package_option debug

%global with_debug 1

%if ! %{with debug}

%define debug_package %{nil}

%endif

%bcond_without sdnotify

# ignore unpackaged files from native 'tpsclient'

# REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app

%define _unpackaged_files_terminate_build 0

# The PKI UID and GID are preallocated, see:

# https://bugzilla.redhat.com/show_bug.cgi?id=476316

# https://bugzilla.redhat.com/show_bug.cgi?id=476782

# https://pagure.io/setup/blob/master/f/uidgid

# /usr/share/doc/setup/uidgid

%define pki_username pkiuser

%define pki_uid 17

%define pki_groupname pkiuser

%define pki_gid 17

%define pki_homedir /usr/share/pki

%global saveFileContext() \

if [ -s /etc/selinux/config ]; then \

     . %{_sysconfdir}/selinux/config; \

     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

     if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \

          cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \

     fi \

fi;

%global relabel() \

. %{_sysconfdir}/selinux/config; \

FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

selinuxenabled; \

if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \

     fixfiles -C ${FILE_CONTEXT}.%{name} restore; \

     rm -f ${FILE_CONTEXT}.%name; \

fi;

################################################################################

# Build Dependencies

################################################################################

# autosetup

BuildRequires:    git

BuildRequires:    make

BuildRequires:    cmake >= 3.0.2

BuildRequires:    gcc-c++

BuildRequires:    zip

BuildRequires:    %java_devel >= %{min_java_version}

BuildRequires:    javapackages-tools

BuildRequires:    redhat-rpm-config

BuildRequires:    ldapjdk >= 4.22.0

BuildRequires:    apache-commons-cli

BuildRequires:    apache-commons-codec

BuildRequires:    apache-commons-io

BuildRequires:    apache-commons-lang3 >= 3.2

BuildRequires:    apache-commons-net

BuildRequires:    jakarta-commons-httpclient

BuildRequires:    glassfish-jaxb-api

BuildRequires:    slf4j

BuildRequires:    slf4j-jdk14

BuildRequires:    nspr-devel

BuildRequires:    nss-devel >= 3.36.1

BuildRequires:    openldap-devel

BuildRequires:    pkgconfig

BuildRequires:    policycoreutils

BuildRequires:    python3-lxml

BuildRequires:    python3-sphinx

BuildRequires:    velocity

BuildRequires:    xalan-j2

BuildRequires:    xerces-j2

%if 0%{?rhel} && ! 0%{?eln}

BuildRequires:    resteasy >= 3.0.26

%else

BuildRequires:    jboss-annotations-1.2-api

BuildRequires:    jboss-jaxrs-2.0-api

BuildRequires:    jboss-logging

BuildRequires:    resteasy-atom-provider >= 3.0.17-1

BuildRequires:    resteasy-client >= 3.0.17-1

BuildRequires:    resteasy-jaxb-provider >= 3.0.17-1

BuildRequires:    resteasy-core >= 3.0.17-1

BuildRequires:    resteasy-jackson2-provider >= 3.0.17-1

%endif

BuildRequires:    python3 >= 3.5

BuildRequires:    python3-devel

BuildRequires:    python3-setuptools

BuildRequires:    python3-cryptography

BuildRequires:    python3-lxml

BuildRequires:    python3-ldap

BuildRequires:    python3-libselinux

BuildRequires:    python3-nss

BuildRequires:    python3-requests >= 2.6.0

BuildRequires:    python3-six

%if 0%{?fedora} || 0%{?rhel} > 8

BuildRequires:    python3-pytest-runner

%endif

BuildRequires:    junit

BuildRequires:    jpackage-utils >= 0:1.7.5-10

BuildRequires:    jss >= 4.8.1

BuildRequires:    tomcatjss >= 7.6.1

# JNA is used to bind to libsystemd

%if %{with sdnotify}

BuildRequires:    jna

%endif

BuildRequires:    systemd-units

%if 0%{?rhel} && ! 0%{?eln}

BuildRequires:    pki-servlet-engine

%else

BuildRequires:    tomcat >= 1:9.0.7

%endif

# additional build requirements needed to build native 'tpsclient'

# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app

BuildRequires:    apr-devel

BuildRequires:    apr-util-devel

BuildRequires:    cyrus-sasl-devel

BuildRequires:    httpd-devel >= 2.4.2

BuildRequires:    pcre-devel

BuildRequires:    systemd

BuildRequires:    zlib

BuildRequires:    zlib-devel

# build dependency to build man pages

%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8

BuildRequires:    go-md2man

%else

BuildRequires:    golang-github-cpuguy83-md2man

%endif

# pki-healthcheck depends on the following library

%if 0%{?rhel}

BuildRequires:    ipa-healthcheck-core

%else

BuildRequires:    freeipa-healthcheck-core

%endif

# PKICertImport depends on certutil and openssl

BuildRequires:    nss-tools

BuildRequires:    openssl

# description for top-level package (if there is a separate meta package)

%if "%{name}" != "%{vendor_id}-pki"

%description

%{brand} PKI is an enterprise software system designed

to manage enterprise Public Key Infrastructure deployments.

PKI consists of the following components:

  * Automatic Certificate Management Environment (ACME) Responder

  * Certificate Authority (CA)

  * Key Recovery Authority (KRA)

  * Online Certificate Status Protocol (OCSP) Manager

  * Token Key Service (TKS)

  * Token Processing Service (TPS)

%endif

%if %{with meta}

%if "%{name}" != "%{vendor_id}-pki"

################################################################################

%package -n       %{vendor_id}-pki

################################################################################

Summary:          %{brand} PKI Package

%endif

# Make certain that this 'meta' package requires the latest version(s)

# of ALL PKI theme packages

Requires:         %{vendor_id}-pki-server-theme = %{version}

Requires:         %{vendor_id}-pki-console-theme = %{version}

# Make certain that this 'meta' package requires the latest version(s)

# of ALL PKI core packages

Requires:         pki-acme = %{version}

Requires:         pki-ca = %{version}

Requires:         pki-kra = %{version}

Requires:         pki-ocsp = %{version}

Requires:         pki-tks = %{version}

Requires:         pki-tps = %{version}

# Make certain that this 'meta' package requires the latest version(s)

# of PKI console

Requires:         pki-console = %{version}

Requires:         pki-javadoc = %{version}

# Make certain that this 'meta' package requires the latest version(s)

# of ALL PKI clients -- except for s390/s390x where 'esc' is not built

%ifnarch s390 s390x

Requires:         esc >= 1.1.1

%endif

# description for top-level package (unless there is a separate meta package)

%if "%{name}" == "%{vendor_id}-pki"

%description

%else

%description -n   %{vendor_id}-pki

%endif

%{brand} PKI is an enterprise software system designed

to manage enterprise Public Key Infrastructure deployments.

PKI consists of the following components:

  * Automatic Certificate Management Environment (ACME) Responder

  * Certificate Authority (CA)

  * Key Recovery Authority (KRA)

  * Online Certificate Status Protocol (OCSP) Manager

  * Token Key Service (TKS)

  * Token Processing Service (TPS)

# with meta

%endif

%if %{with base}

################################################################################

%package -n       pki-symkey

################################################################################

Summary:          PKI Symmetric Key Package

Requires:         %java_headless >= %{min_java_version}

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.8.0

Requires:         nss >= 3.38.0

# Ensure we end up with a useful installation

Conflicts:        pki-symkey < %{version}

Conflicts:        pki-javadoc < %{version}

Conflicts:        pki-server-theme < %{version}

Conflicts:        pki-console-theme < %{version}

%description -n   pki-symkey

The PKI Symmetric Key Java Package supplies various native

symmetric key operations to Java programs.

################################################################################

%package -n       pki-base

################################################################################

Summary:          PKI Base Package

BuildArch:        noarch

Requires:         nss >= 3.36.1

Requires:         python3-pki = %{version}-%{release}

Requires(post):   python3-pki = %{version}-%{release}

# Ensure we end up with a useful installation

Conflicts:        pki-symkey < %{version}

Conflicts:        pki-javadoc < %{version}

Conflicts:        pki-server-theme < %{version}

Conflicts:        pki-console-theme < %{version}

%description -n   pki-base

The PKI Base Package contains the common and client libraries and utilities

written in Python.

################################################################################

%package -n       python3-pki

################################################################################

Summary:          PKI Python 3 Package

BuildArch:        noarch

Obsoletes:        pki-base-python3 < %{version}

Provides:         pki-base-python3 = %{version}

%if 0%{?fedora} || 0%{?rhel} > 8

%{?python_provide:%python_provide python3-pki}

%endif

Requires:         pki-base = %{version}-%{release}

Requires:         python3 >= 3.5

Requires:         python3-cryptography

Requires:         python3-ldap

Requires:         python3-lxml

Requires:         python3-nss

Requires:         python3-requests >= 2.6.0

Requires:         python3-six

%description -n   python3-pki

This package contains PKI client library for Python 3.

################################################################################

%package -n       pki-base-java

################################################################################

Summary:          PKI Base Java Package

BuildArch:        noarch

Requires:         %java_headless >= %{min_java_version}

Requires:         apache-commons-cli

Requires:         apache-commons-codec

Requires:         apache-commons-io

Requires:         apache-commons-lang3 >= 3.2

Requires:         apache-commons-logging

Requires:         apache-commons-net

Requires:         jakarta-commons-httpclient

Requires:         glassfish-jaxb-api

Requires:         slf4j

Requires:         slf4j-jdk14

Requires:         jpackage-utils >= 0:1.7.5-10

Requires:         jss >= 4.7.0

Requires:         ldapjdk >= 4.22.0

Requires:         pki-base = %{version}-%{release}

%if 0%{?rhel} && 0%{?rhel} <= 8

Requires:         resteasy >= 3.0.26

%else

Requires:         resteasy-atom-provider >= 3.0.17-1

Requires:         resteasy-client >= 3.0.17-1

Requires:         resteasy-jaxb-provider >= 3.0.17-1

Requires:         resteasy-core >= 3.0.17-1

Requires:         resteasy-jackson2-provider >= 3.0.17-1

%endif

%if 0%{?fedora} >= 33 || 0%{?rhel} > 8

Requires:         jaxb-impl >= 2.3.3

Requires:         jakarta-activation >= 1.2.2

%endif

Requires:         xalan-j2

Requires:         xerces-j2

Requires:         xml-commons-apis

Requires:         xml-commons-resolver

%description -n   pki-base-java

The PKI Base Java Package contains the common and client libraries and utilities

written in Java.

################################################################################

%package -n       pki-tools

################################################################################

Summary:          PKI Tools Package

Requires:         openldap-clients

Requires:         nss-tools >= 3.36.1

Requires:         pki-base-java = %{version}-%{release}

Requires:         p11-kit-trust

# PKICertImport depends on certutil and openssl

Requires:         nss-tools

Requires:         openssl

%description -n   pki-tools

This package contains PKI executables that can be used to help make

Certificate System into a more complete and robust PKI solution.

# with base

%endif

%if %{with server}

################################################################################

%package -n       pki-server

################################################################################

Summary:          PKI Server Package

BuildArch:        noarch

Requires:         hostname

Requires:         policycoreutils

Requires:         procps-ng

Requires:         openldap-clients

Requires:         openssl

Requires:         pki-symkey = %{version}-%{release}

Requires:         pki-tools = %{version}-%{release}

Requires:         keyutils

Requires:         policycoreutils-python-utils

Requires:         python3-lxml

Requires:         python3-libselinux

Requires:         python3-policycoreutils

Requires:         selinux-policy-targeted >= 3.13.1-159

%if 0%{?rhel} && ! 0%{?eln}

Requires:         pki-servlet-engine

%else

Requires:         tomcat >= 1:9.0.7

%endif

Requires:         velocity

Requires:         sudo

Requires:         systemd

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

Requires(pre):    shadow-utils

Requires:         tomcatjss >= 7.6.1

# JNA is used to bind to libsystemd

%if %{with sdnotify}

Requires:         jna

%endif

# pki-healthcheck depends on the following library

%if 0%{?rhel}

Requires:         ipa-healthcheck-core

%else

Requires:         freeipa-healthcheck-core

%endif

# https://pagure.io/freeipa/issue/7742

%if 0%{?rhel}

Conflicts:        ipa-server < 4.7.1

%else

Conflicts:        freeipa-server < 4.7.1

%endif

Provides:         bundled(js-backbone) = 1.4.0

Provides:         bundled(js-bootstrap) = 3.4.1

Provides:         bundled(js-jquery) = 3.5.1

Provides:         bundled(js-jquery-i18n-properties) = 1.2.7

Provides:         bundled(js-patternfly) = 3.59.2

Provides:         bundled(js-underscore) = 1.9.2

%description -n   pki-server

The PKI Server Package contains libraries and utilities needed by other

PKI subsystems.

# with server

%endif

%if %{with acme}

################################################################################

%package -n       pki-acme

################################################################################

Summary:          PKI ACME Package

BuildArch:        noarch

Requires:         pki-server = %{version}-%{release}

%description -n   pki-acme

The PKI ACME responder is a service that provides an automatic certificate

management via ACME v2 protocol defined in RFC 8555.

# with acme

%endif

%if %{with ca}

################################################################################

%package -n       pki-ca

################################################################################

Summary:          PKI CA Package

BuildArch:        noarch

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ca

The Certificate Authority (CA) is a required PKI subsystem which issues,

renews, revokes, and publishes certificates as well as compiling and

publishing Certificate Revocation Lists (CRLs).

The Certificate Authority can be configured as a self-signing Certificate

Authority, where it is the root CA, or it can act as a subordinate CA,

where it obtains its own signing certificate from a public CA.

# with ca

%endif

%if %{with kra}

################################################################################

%package -n       pki-kra

################################################################################

Summary:          PKI KRA Package

BuildArch:        noarch

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-kra

The Key Recovery Authority (KRA) is an optional PKI subsystem that can act

as a key archival facility.  When configured in conjunction with the

Certificate Authority (CA), the KRA stores private encryption keys as part of

the certificate enrollment process.  The key archival mechanism is triggered

when a user enrolls in the PKI and creates the certificate request.  Using the

Certificate Request Message Format (CRMF) request format, a request is

generated for the user's private encryption key.  This key is then stored in

the KRA which is configured to store keys in an encrypted format that can only

be decrypted by several agents requesting the key at one time, providing for

protection of the public encryption keys for the users in the PKI deployment.

Note that the KRA archives encryption keys; it does NOT archive signing keys,

since such archival would undermine non-repudiation properties of signing keys.

# with kra

%endif

%if %{with ocsp}

################################################################################

%package -n       pki-ocsp

################################################################################

Summary:          PKI OCSP Package

BuildArch:        noarch

Requires:         pki-server = %{version}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ocsp

The Online Certificate Status Protocol (OCSP) Manager is an optional PKI

subsystem that can act as a stand-alone OCSP service.  The OCSP Manager

performs the task of an online certificate validation authority by enabling

OCSP-compliant clients to do real-time verification of certificates.  Note

that an online certificate-validation authority is often referred to as an

OCSP Responder.

Although the Certificate Authority (CA) is already configured with an

internal OCSP service.  An external OCSP Responder is offered as a separate

subsystem in case the user wants the OCSP service provided outside of a

firewall while the CA resides inside of a firewall, or to take the load of

requests off of the CA.

The OCSP Manager can receive Certificate Revocation Lists (CRLs) from

multiple CA servers, and clients can query the OCSP Manager for the

revocation status of certificates issued by all of these CA servers.

When an instance of OCSP Manager is set up with an instance of CA, and

publishing is set up to this OCSP Manager, CRLs are published to it

whenever they are issued or updated.

# with ocsp

%endif

%if %{with tks}

################################################################################

%package -n       pki-tks

################################################################################

Summary:          PKI TKS Package

BuildArch:        noarch

Requires:         pki-server = %{version}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-tks

The Token Key Service (TKS) is an optional PKI subsystem that manages the

master key(s) and the transport key(s) required to generate and distribute

keys for hardware tokens.  TKS provides the security between tokens and an

instance of Token Processing System (TPS), where the security relies upon the

relationship between the master key and the token keys.  A TPS communicates

with a TKS over SSL using client authentication.

TKS helps establish a secure channel (signed and encrypted) between the token

and the TPS, provides proof of presence of the security token during

enrollment, and supports key changeover when the master key changes on the

TKS.  Tokens with older keys will get new token keys.

Because of the sensitivity of the data that TKS manages, TKS should be set up

behind the firewall with restricted access.