981330
# Python, keep every statement on a single line
981330
%{!?__python2: %global __python2 /usr/bin/python2}
981330
%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
981330
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
3fd438
%global with_python3 1
2413b1
%else
2413b1
%global with_python3 0
981330
%endif
981330
981330
%if 0%{?rhel}
981330
# Package RHEL-specific RPMS Only
981330
%global package_rhel_packages 1
981330
# Package RHCS-specific RPMS Only
981330
%global package_rhcs_packages 0
b1e4e4
%define pki_core_rhel_version 10.5.18
981330
%else
981330
# Fedora always packages all RPMS
981330
%global package_fedora_packages 1
981330
%endif
981330
981330
# Java
981330
%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
f332ec
efcdb2
# Tomcat
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
efcdb2
%define with_tomcat7 0
efcdb2
%define with_tomcat8 1
efcdb2
%else
efcdb2
%define with_tomcat7 1
efcdb2
%define with_tomcat8 0
efcdb2
%endif
efcdb2
efcdb2
# RESTEasy
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
981330
%define jaxrs_api_jar /usr/share/java/resteasy-base/jaxrs-api.jar
efcdb2
%define resteasy_lib /usr/share/java/resteasy-base
efcdb2
%else
981330
%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar
981330
%define resteasy_lib /usr/share/java/resteasy
981330
%endif
efcdb2
efcdb2
# Dogtag
efcdb2
%bcond_without    server
efcdb2
%bcond_without    javadoc
efcdb2
efcdb2
# ignore unpackaged files from native 'tpsclient'
efcdb2
# REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app
efcdb2
# NOTE(review): this setting applies to the whole build, so unpackaged files
#               left by any component, not only 'tpsclient', no longer fail it.
%define _unpackaged_files_terminate_build 0
efcdb2
efcdb2
# pkiuser and group. The uid and gid are preallocated
efcdb2
# see /usr/share/doc/setup/uidgid
efcdb2
%define pki_username pkiuser
efcdb2
%define pki_uid 17
efcdb2
%define pki_groupname pkiuser
efcdb2
%define pki_gid 17
efcdb2
%define pki_homedir /usr/share/pki
efcdb2
2413b1
# Optionally fetch the release from the environment variable 'PKI_RELEASE'
2413b1
%define use_pki_release %{getenv:USE_PKI_RELEASE}
2413b1
%if 0%{?use_pki_release}
2413b1
%define pki_release %{getenv:PKI_RELEASE}
2413b1
%endif
2413b1
f332ec
Name:             pki-core
b80204
%if 0%{?rhel}
b1e4e4
Version:                10.5.18
18a1d4
%define redhat_release  32
2413b1
%define redhat_stage    0
2413b1
#%%define default_release %%{redhat_release}.%%{redhat_stage}
2413b1
%define default_release %{redhat_release}
2413b1
%else
b1e4e4
Version:                10.5.18
18a1d4
%define fedora_release  32
2413b1
%define fedora_stage    0
2413b1
#%%define default_release %%{fedora_release}.%%{fedora_stage}
2413b1
%define default_release %{fedora_release}
2413b1
%endif
2413b1
2413b1
%if 0%{?use_pki_release}
67803c
Release:          %{pki_release}%{?dist}
b80204
%else
67803c
Release:          %{default_release}%{?dist}
b80204
%endif
2413b1
f332ec
Summary:          Certificate System - PKI Core Components
f332ec
URL:              http://pki.fedoraproject.org/
f332ec
License:          GPLv2
f332ec
Group:            System Environment/Daemons
f332ec
f332ec
BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
f332ec
f332ec
BuildRequires:    cmake >= 2.8.9-1
981330
BuildRequires:    gcc-c++
18a1d4
BuildRequires:    git
f332ec
BuildRequires:    zip
981330
BuildRequires:    java-1.8.0-openjdk-devel
f332ec
BuildRequires:    redhat-rpm-config
2413b1
BuildRequires:    ldapjdk >= 4.19-5
f332ec
BuildRequires:    apache-commons-cli
f332ec
BuildRequires:    apache-commons-codec
f332ec
BuildRequires:    apache-commons-io
efcdb2
BuildRequires:    apache-commons-lang
eb29d7
BuildRequires:    jakarta-commons-httpclient
b80204
BuildRequires:    slf4j
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
b80204
BuildRequires:    slf4j-jdk14
b80204
%endif
18a1d4
BuildRequires:    nspr-devel >= 4.35.0-1
18a1d4
BuildRequires:    nss-devel >= 3.90.0-2
efcdb2
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
67803c
BuildRequires:    nuxwdog-client-java >= 1.0.5-1
efcdb2
%else
62cf1a
BuildRequires:    nuxwdog-client-java >= 1.0.3-14
efcdb2
%endif
efcdb2
f332ec
BuildRequires:    openldap-devel
f332ec
BuildRequires:    pkgconfig
f332ec
BuildRequires:    policycoreutils
efcdb2
BuildRequires:    python-lxml
efcdb2
BuildRequires:    python-sphinx
f332ec
BuildRequires:    velocity
f332ec
BuildRequires:    xalan-j2
f332ec
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
efcdb2
# 'resteasy-base' is a subset of the complete set of
efcdb2
# 'resteasy' packages and consists of what is needed to
2413b1
# support the PKI Restful interface on certain RHEL platforms
eb29d7
BuildRequires:    resteasy-base-atom-provider >= 3.0.6-1
eb29d7
BuildRequires:    resteasy-base-client >= 3.0.6-1
eb29d7
BuildRequires:    resteasy-base-jaxb-provider >= 3.0.6-1
eb29d7
BuildRequires:    resteasy-base-jaxrs >= 3.0.6-1
eb29d7
BuildRequires:    resteasy-base-jaxrs-api >= 3.0.6-1
efcdb2
BuildRequires:    resteasy-base-jackson-provider >= 3.0.6-1
efcdb2
%else
981330
BuildRequires:    jboss-annotations-1.2-api
981330
BuildRequires:    jboss-jaxrs-2.0-api
981330
BuildRequires:    jboss-logging
981330
BuildRequires:    resteasy-atom-provider >= 3.0.17-1
981330
BuildRequires:    resteasy-client >= 3.0.17-1
981330
BuildRequires:    resteasy-jaxb-provider >= 3.0.17-1
981330
BuildRequires:    resteasy-core >= 3.0.17-1
981330
BuildRequires:    resteasy-jackson-provider >= 3.0.17-1
981330
%endif
f332ec
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
eb29d7
BuildRequires:    pylint
981330
BuildRequires:    python-flake8 >= 2.5.4
981330
BuildRequires:    python3-flake8 >= 2.5.4
981330
# python-flake8 2.5.4 package should require pyflakes >= 1.2.3
981330
BuildRequires:    pyflakes >= 1.2.3
981330
# python3-flake8 2.5.4 package should require python3-pyflakes >= 1.2.3
981330
BuildRequires:    python3-pyflakes >= 1.2.3
eb29d7
%endif
efcdb2
b80204
BuildRequires:    python2-cryptography
efcdb2
BuildRequires:    python-nss
981330
BuildRequires:    python-requests >= 2.6.0
981330
BuildRequires:    python-six
eb29d7
BuildRequires:    libselinux-python
eb29d7
BuildRequires:    policycoreutils-python
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
981330
BuildRequires:    policycoreutils-python-utils
981330
%endif
eb29d7
BuildRequires:    python-ldap
f332ec
BuildRequires:    junit
f332ec
BuildRequires:    jpackage-utils >= 0:1.7.5-10
18a1d4
BuildRequires:    jss >= 4.4.9-4
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
67803c
BuildRequires:    tomcatjss >= 7.2.5-1
981330
%else
306a87
BuildRequires:    tomcatjss >= 7.2.4-4
efcdb2
%endif
2413b1
BuildRequires:    systemd-units
efcdb2
981330
%if 0%{?with_python3}
b80204
BuildRequires:  python3-cryptography
981330
BuildRequires:  python3-devel
120910
BuildRequires:  python3-lxml
981330
BuildRequires:  python3-nss
b80204
BuildRequires:  python3-pyldap
981330
BuildRequires:  python3-requests >= 2.6.0
981330
BuildRequires:  python3-six
981330
%endif  # with_python3
981330
BuildRequires:  python-devel
f332ec
efcdb2
# additional build requirements needed to build native 'tpsclient'
efcdb2
# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app
efcdb2
BuildRequires:    apr-devel
efcdb2
BuildRequires:    apr-util-devel
efcdb2
BuildRequires:    cyrus-sasl-devel
efcdb2
BuildRequires:    httpd-devel >= 2.4.2
efcdb2
BuildRequires:    pcre-devel
efcdb2
BuildRequires:    python
efcdb2
BuildRequires:    systemd
efcdb2
BuildRequires:    zlib
efcdb2
BuildRequires:    zlib-devel
f332ec
f332ec
%if 0%{?rhel}
efcdb2
# NOTE:  In the future, as a part of its path, this URL will contain a release
efcdb2
#        directory which consists of the fixed number of the upstream release
efcdb2
#        upon which this tarball was originally based.
efcdb2
# NOTE(review): both Source0 URLs in this conditional use plain http, and the
#               visible part of this spec records no digest or signature for
#               the tarball; verify it against a trusted checksum before building.
Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/rhel/%{name}-%{version}%{?prerel}.tar.gz
efcdb2
%else
efcdb2
Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz
f332ec
%endif
f332ec
b1e4e4
Patch0:  pki-core-Fix-RSA-PSS-for-IPA-installer.patch
b1e4e4
Patch1:  pki-core-rhel-7-9-rhcs-9-7-beta.patch
b1e4e4
Patch2:  pki-core-rhel-7-9-rhcs-9-7-post-beta.patch
b1e4e4
Patch3:  pki-core-Fix-RSA-PSS-for-SHA512.patch
b1e4e4
Patch4:  pki-core-rhel-7-9-rhcs-9-7-post-beta-2.patch
b1e4e4
Patch5:  pki-core-Fix-CMCResponse-tool.patch
e0d192
Patch6:  pki-core-rhel-7-9-rhcs-9-7-bu-2.patch
e0d192
Patch7:  pki-core-Fix-auditProfileUpgrade.patch
e0d192
Patch8:  pki-core-Fix-AddProfileCaAuditSigningCert.patch
e0d192
Patch9:  pki-core-rhel-7-9-rhcs-9-7-bu-4.patch
e0d192
Patch10: pki-core-Change-var-TPS-to-tps.patch
bdfa3c
Patch11: pki-core-rhel-7-9-rhcs-9-7-bu-6.0.patch
bdfa3c
Patch12: pki-core-rhel-7-9-rhcs-9-7-bu-6.1.patch
b9388a
Patch13: pki-core-rhel-7-9-rhcs-9-7-bu-7.patch
08c5c1
Patch14: pki-core-rhel-7-9-rhcs-9-7-bu-8.patch
963458
Patch15: pki-core-rhel-7-9-rhcs-9-7-bu-9.patch
92abab
Patch16: pki-core-rhel-7-9-rhcs-9-7-bu-10.patch
2a8f41
Patch17: pki-core-rhel-7-9-rhcs-9-7-bu-11.patch
7e2434
#Patch18: pki-core-rhel-7-9-rhcs-9-7-bu-14.patch
7e2434
Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch
3863c8
#Patch20: pki-core-rhel-7-9-rhcs-9-7-bu-17.patch
3863c8
Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
947023
Patch22: pki-core-rhel-7-9-rhcs-9-7-bu-19.patch
708f38
Patch23: pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
78720a
#Patch24: pki-core-rhel-7-9-rhcs-9-7-bu-22.patch
78720a
Patch25: pki-core-rhel-7-9-rhcs-9-7-bu-23.patch
18a1d4
Patch26: pki-core-rhel-7-9-rhcs-9-7-CY24Q2.patch
18a1d4
Patch27: pki-core-rhel-7-9-rhcs-9-7-CVE-2023-4727.patch
18a1d4
Patch28: pki-core-rhel-7-9-rhcs-9-7-CY24Q2.1.patch
18a1d4
Patch29: pki-core-rhel-7-9-rhcs-9-7-CY24Q2.2.patch
18a1d4
Patch30: pki-core-rhel-7-9-rhcs-9-7-CY24Q2.3.patch
18a1d4
Patch31: pki-core-rhel-7-9-rhcs-9-7-CY24Q2.4.patch
981330
981330
# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
981330
#
981330
#     NOTE:  For "alpha" releases, will be ".a1", ".a2", etc.
981330
#            For "beta" releases, will be ".b1", ".b2", etc.
981330
#
981330
%define version_phase "%(echo `echo %{version} | awk -F. '{ print $4 }'`)"
efcdb2
f332ec
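# saveFileContext(<policy type>): snapshot the SELinux file_contexts file.
#
# When the SELinux config file exists and is non-empty, source it and, if the
# configured SELINUXTYPE equals the first macro argument and that policy's
# file_contexts file exists, copy it to "file_contexts.<package name>".
# The relabel macro in this spec reads that copy.
#
# The config path is spelled with the same sysconfdir macro in both the
# existence test and the source command. Expansions are quoted and the test
# uses POSIX "=" and "&&" rather than "==" and "-a", so an empty argument or a
# value containing whitespace cannot change how the test is parsed.
%global saveFileContext() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT="%{_sysconfdir}/selinux/%1/contexts/files/file_contexts"; \
     if [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}" ]; then \
          cp -f "${FILE_CONTEXT}" "${FILE_CONTEXT}.%{name}"; \
     fi \
fi;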
f332ec
f332ec
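# relabel(<policy type>): restore file labels from the saved file_contexts copy.
#
# Sources the SELinux config file when it exists and is non-empty. Then, if
# SELinux is enabled, the configured SELINUXTYPE equals the first macro
# argument, and the "file_contexts.<package name>" copy written by
# saveFileContext exists, it runs "fixfiles -C <copy> restore" and removes
# the copy.
#
# The config file is only sourced when present, so a missing file cannot abort
# the scriptlet shell. Expansions are quoted, and the exit status of
# selinuxenabled is tested directly instead of through "$?".
%global relabel() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
fi; \
FILE_CONTEXT="%{_sysconfdir}/selinux/%1/contexts/files/file_contexts"; \
if selinuxenabled && [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}.%{name}" ]; then \
     fixfiles -C "${FILE_CONTEXT}.%{name}" restore; \
     rm -f "${FILE_CONTEXT}.%{name}"; \
fi;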
f332ec
f332ec
%global overview                                                       \
f332ec
==================================                                     \
f332ec
||  ABOUT "CERTIFICATE SYSTEM"  ||                                     \
f332ec
==================================                                     \
f332ec
                                                                       \
f332ec
Certificate System (CS) is an enterprise software system designed      \
f332ec
to manage enterprise Public Key Infrastructure (PKI) deployments.      \
f332ec
                                                                       \
f332ec
PKI Core contains ALL top-level java-based Tomcat PKI components:      \
f332ec
                                                                       \
f332ec
  * pki-symkey                                                         \
f332ec
  * pki-base                                                           \
981330
  * pki-base-python2 (alias for pki-base)                              \
981330
  * pki-base-python3                                                   \
981330
  * pki-base-java                                                      \
f332ec
  * pki-tools                                                          \
f332ec
  * pki-server                                                         \
f332ec
  * pki-ca                                                             \
eb29d7
  * pki-kra                                                            \
eb29d7
  * pki-ocsp                                                           \
eb29d7
  * pki-tks                                                            \
efcdb2
  * pki-tps                                                            \
f332ec
  * pki-javadoc                                                        \
f332ec
                                                                       \
f332ec
which comprise the following corresponding PKI subsystems:             \
f332ec
                                                                       \
f332ec
  * Certificate Authority (CA)                                         \
981330
  * Key Recovery Authority (KRA)                                        \
eb29d7
  * Online Certificate Status Protocol (OCSP) Manager                  \
eb29d7
  * Token Key Service (TKS)                                            \
eb29d7
  * Token Processing Service (TPS)                                     \
f332ec
                                                                       \
981330
Python clients need only install the pki-base package.  This           \
981330
package contains the python REST client packages and the client        \
981330
upgrade framework.                                                     \
f332ec
                                                                       \
981330
Java clients should install the pki-base-java package.  This package   \
981330
contains the legacy and REST Java client packages.  These clients      \
981330
should also consider installing the pki-tools package, which contains  \
981330
native and Java-based PKI tools and utilities.                         \
f332ec
                                                                       \
981330
Certificate Server instances require the fundamental classes and       \
981330
modules in pki-base and pki-base-java, as well as the utilities in     \
981330
pki-tools.  The main server classes are in pki-server, with subsystem  \
981330
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.  \
f332ec
                                                                       \
f332ec
Finally, if Certificate System is being deployed as an individual or   \
f332ec
set of standalone rather than embedded server(s)/service(s), it is     \
f332ec
strongly recommended (though not explicitly required) to include at    \
f332ec
least one PKI Theme package:                                           \
f332ec
                                                                       \
f332ec
  * dogtag-pki-theme (Dogtag Certificate System deployments)           \
f332ec
    * dogtag-pki-server-theme                                          \
f332ec
  * redhat-pki-server-theme (Red Hat Certificate System deployments)   \
f332ec
    * redhat-pki-server-theme                                          \
f332ec
  * customized pki theme (Customized Certificate System deployments)   \
f332ec
    * <customized>-pki-server-theme                                    \
f332ec
                                                                       \
f332ec
  NOTE:  As a convenience for standalone deployments, top-level meta   \
f332ec
         packages may be provided which bind a particular theme to     \
f332ec
         these certificate server packages.                            \
f332ec
                                                                       \
f332ec
%{nil}
f332ec
f332ec
%description %{overview}
f332ec
f332ec
f332ec
%package -n       pki-symkey
f332ec
Summary:          Symmetric Key JNI Package
f332ec
Group:            System Environment/Libraries
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
f332ec
Requires:         jpackage-utils >= 0:1.7.5-10
18a1d4
Requires:         jss >= 4.4.9-4
18a1d4
Requires:         nss >= 3.90.0-2
f332ec
f332ec
Provides:         symkey = %{version}-%{release}
f332ec
f332ec
Obsoletes:        symkey < %{version}-%{release}
f332ec
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
981330
## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all
981330
## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages:
981330
# pki-console
981330
Obsoletes:        pki-console < 10.3.0
981330
# pki-core
981330
Obsoletes:        pki-core-debug = 10.2.6
981330
Obsoletes:        pki-ocsp < 10.3.0
981330
Obsoletes:        pki-tks < 10.3.0
981330
Obsoletes:        pki-tps < 10.3.0
981330
# redhat-pki
981330
Obsoletes:        redhat-pki < 10.3.0
981330
# redhat-pki-theme
981330
Obsoletes:        redhat-pki-console-theme < 10.3.0
981330
Obsoletes:        redhat-pki-server-theme < 10.3.0
981330
%endif
981330
f332ec
%description -n   pki-symkey
f332ec
The Symmetric Key Java Native Interface (JNI) package supplies various native
f332ec
symmetric key operations to Java programs.
f332ec
f332ec
This package is a part of the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
f332ec
f332ec
%package -n       pki-base
f332ec
Summary:          Certificate System - PKI Framework
f332ec
Group:            System Environment/Base
f332ec
f332ec
BuildArch:        noarch
f332ec
f332ec
Provides:         pki-common = %{version}-%{release}
f332ec
Provides:         pki-util = %{version}-%{release}
981330
Provides:         pki-base-python2 = %{version}-%{release}
f332ec
f332ec
Obsoletes:        pki-common < %{version}-%{release}
f332ec
Obsoletes:        pki-util < %{version}-%{release}
f332ec
f332ec
Conflicts:        freeipa-server < 3.0.0
b80204
18a1d4
Requires:         nss >= 3.90.0-2
b80204
Requires:         python2-cryptography
981330
Requires:         python-nss
981330
Requires:         python-requests >= 2.6.0
981330
Requires:         python-six
981330
981330
%description -n   pki-base
981330
The PKI Framework contains the common and client libraries and utilities
981330
written in Python.  This package is a part of the PKI Core used by the
981330
Certificate System.
981330
981330
%{overview}
981330
981330
%package -n       pki-base-java
981330
Summary:          Certificate System - Java Framework
981330
Group:            System Environment/Base
981330
BuildArch:        noarch
981330
b80204
Requires:         java-1.8.0-openjdk-headless
f332ec
Requires:         apache-commons-cli
f332ec
Requires:         apache-commons-codec
f332ec
Requires:         apache-commons-io
f332ec
Requires:         apache-commons-lang
f332ec
Requires:         apache-commons-logging
eb29d7
Requires:         jakarta-commons-httpclient
b80204
Requires:         slf4j
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
b80204
Requires:         slf4j-jdk14
b80204
%endif
f332ec
Requires:         javassist
f332ec
Requires:         jpackage-utils >= 0:1.7.5-10
18a1d4
Requires:         jss >= 4.4.9-4
2413b1
Requires:         ldapjdk >= 4.19-5
981330
Requires:         pki-base = %{version}-%{release}
efcdb2
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
efcdb2
# 'resteasy-base' is a subset of the complete set of
efcdb2
# 'resteasy' packages and consists of what is needed to
2413b1
# support the PKI Restful interface on certain RHEL platforms
eb29d7
Requires:    resteasy-base-atom-provider >= 3.0.6-1
efcdb2
Requires:    resteasy-base-client >= 3.0.6-1
eb29d7
Requires:    resteasy-base-jaxb-provider >= 3.0.6-1
eb29d7
Requires:    resteasy-base-jaxrs >= 3.0.6-1
eb29d7
Requires:    resteasy-base-jaxrs-api >= 3.0.6-1
efcdb2
Requires:    resteasy-base-jackson-provider >= 3.0.6-1
efcdb2
%else
981330
Requires:    resteasy-atom-provider >= 3.0.17-1
981330
Requires:    resteasy-client >= 3.0.17-1
981330
Requires:    resteasy-jaxb-provider >= 3.0.17-1
981330
Requires:    resteasy-core >= 3.0.17-1
981330
Requires:    resteasy-jackson-provider >= 3.0.17-1
981330
%endif
efcdb2
f332ec
Requires:         xalan-j2
f332ec
Requires:         xml-commons-apis
f332ec
Requires:         xml-commons-resolver
f332ec
981330
%description -n   pki-base-java
981330
The PKI Framework contains the common and client libraries and utilities
981330
written in Java.  This package is a part of the PKI Core used by the
981330
Certificate System.
981330
f332ec
This package is a part of the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
981330
%if 0%{?with_python3}
981330
981330
%package -n       pki-base-python3
981330
Summary:          Certificate System - PKI Framework
981330
Group:            System Environment/Base
981330
981330
BuildArch:        noarch
981330
981330
Requires:         pki-base = %{version}-%{release}
981330
b80204
Requires:         python3-cryptography
120910
Requires:         python3-lxml
981330
Requires:         python3-nss
981330
Requires:         python3-requests >= 2.6.0
981330
Requires:         python3-six
981330
981330
%description -n   pki-base-python3
981330
This package contains the PKI client library for Python 3.
981330
981330
This package is a part of the PKI Core used by the Certificate System.
981330
981330
%{overview}
981330
981330
%endif  # with_python3 for python3-pki
f332ec
f332ec
%package -n       pki-tools
f332ec
Summary:          Certificate System - PKI Tools
f332ec
Group:            System Environment/Base
f332ec
f332ec
Provides:         pki-native-tools = %{version}-%{release}
f332ec
Provides:         pki-java-tools = %{version}-%{release}
f332ec
f332ec
Obsoletes:        pki-native-tools < %{version}-%{release}
f332ec
Obsoletes:        pki-java-tools < %{version}-%{release}
f332ec
f332ec
Requires:         openldap-clients
18a1d4
Requires:         nss-tools >= 3.90.0-2
981330
Requires:         java-1.8.0-openjdk-headless
f332ec
Requires:         pki-base = %{version}-%{release}
981330
Requires:         pki-base-java = %{version}-%{release}
f332ec
Requires:         jpackage-utils >= 0:1.7.5-10
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
981330
Requires:         tomcat-servlet-3.1-api
981330
%endif
f332ec
f332ec
%description -n   pki-tools
f332ec
This package contains PKI executables that can be used to help make
f332ec
Certificate System into a more complete and robust PKI solution.
f332ec
f332ec
This package is a part of the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
f332ec
efcdb2
%if %{with server}
efcdb2
f332ec
%package -n       pki-server
f332ec
Summary:          Certificate System - PKI Server Framework
f332ec
Group:            System Environment/Base
f332ec
f332ec
BuildArch:        noarch
f332ec
f332ec
Provides:         pki-deploy = %{version}-%{release}
f332ec
Provides:         pki-setup = %{version}-%{release}
f332ec
Provides:         pki-silent = %{version}-%{release}
f332ec
f332ec
Obsoletes:        pki-deploy < %{version}-%{release}
f332ec
Obsoletes:        pki-setup < %{version}-%{release}
f332ec
Obsoletes:        pki-silent < %{version}-%{release}
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
981330
Requires:         hostname
f332ec
Requires:         net-tools
efcdb2
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
67803c
Requires:    nuxwdog-client-java >= 1.0.5-1
efcdb2
%else
62cf1a
Requires:    nuxwdog-client-java >= 1.0.3-14
efcdb2
%endif
efcdb2
f332ec
Requires:         policycoreutils
b80204
Requires:         procps-ng
f332ec
Requires:         openldap-clients
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
2413b1
Requires:         openssl >= 1.0.2k-11
2413b1
%else
b9ff42
Requires:         openssl
2413b1
%endif
f332ec
Requires:         pki-base = %{version}-%{release}
981330
Requires:         pki-base-java = %{version}-%{release}
f332ec
Requires:         pki-tools = %{version}-%{release}
981330
Requires:         python-ldap
981330
Requires:         python-lxml
981330
Requires:         libselinux-python
eb29d7
Requires:         policycoreutils-python
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
981330
Requires:         policycoreutils-python-utils
981330
%endif
f332ec
b80204
Requires:         selinux-policy-targeted >= 3.13.1-159
f332ec
Obsoletes:        pki-selinux
eb29d7
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
981330
Requires:         tomcat >= 7.0.69
eb29d7
%else
981330
Requires:         tomcat >= 7.0.68
efcdb2
Requires:         tomcat-el-3.0-api
efcdb2
Requires:         tomcat-jsp-2.3-api
efcdb2
Requires:         tomcat-servlet-3.1-api
f332ec
%endif
f332ec
f332ec
Requires:         velocity
f332ec
Requires(post):   systemd-units
f332ec
Requires(preun):  systemd-units
f332ec
Requires(postun): systemd-units
efcdb2
Requires(pre):    shadow-utils
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
67803c
Requires:         tomcatjss >= 7.2.5-1
efcdb2
%else
306a87
Requires:         tomcatjss >= 7.2.4-4
981330
%endif
981330
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
981330
## Because RHCS 9.0 does not run on RHEL 7.3+, obsolete all
981330
## RHCS 9.0 packages that can be replaced by RHCS 9.1 packages:
981330
# pki-console
981330
Obsoletes:        pki-console < 10.3.0
981330
# pki-core
981330
Obsoletes:        pki-core-debug = 10.2.6
981330
Obsoletes:        pki-ocsp < 10.3.0
981330
Obsoletes:        pki-tks < 10.3.0
981330
Obsoletes:        pki-tps < 10.3.0
981330
# redhat-pki
981330
Obsoletes:        redhat-pki < 10.3.0
981330
# redhat-pki-theme
981330
Obsoletes:        redhat-pki-console-theme < 10.3.0
981330
Obsoletes:        redhat-pki-server-theme < 10.3.0
efcdb2
%endif
f332ec
e0d192
Provides:         bundled(js-backbone) = 1.4.0
e0d192
Provides:         bundled(js-bootstrap) = 3.4.1
e0d192
Provides:         bundled(js-jquery) = 3.5.1
e0d192
Provides:         bundled(js-jquery-i18n-properties) = 1.2.7
e0d192
Provides:         bundled(js-patternfly) = 3.59.2
e0d192
Provides:         bundled(js-underscore) = 1.9.2
e0d192
f332ec
%description -n   pki-server
f332ec
The PKI Server Framework is required by the following five PKI subsystems:
f332ec
f332ec
    the Certificate Authority (CA),
981330
    the Key Recovery Authority (KRA),
eb29d7
    the Online Certificate Status Protocol (OCSP) Manager,
eb29d7
    the Token Key Service (TKS), and
eb29d7
    the Token Processing Service (TPS).
f332ec
f332ec
This package is a part of the PKI Core used by the Certificate System.
f332ec
The package contains scripts to create and remove PKI subsystems.
f332ec
f332ec
%{overview}
f332ec
f332ec
%package -n       pki-ca
f332ec
Summary:          Certificate System - Certificate Authority
f332ec
Group:            System Environment/Daemons
f332ec
f332ec
BuildArch:        noarch
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
f332ec
Requires:         pki-server = %{version}-%{release}
f332ec
Requires(post):   systemd-units
f332ec
Requires(preun):  systemd-units
f332ec
Requires(postun): systemd-units
f332ec
f332ec
%description -n   pki-ca
f332ec
The Certificate Authority (CA) is a required PKI subsystem which issues,
f332ec
renews, revokes, and publishes certificates as well as compiling and
f332ec
publishing Certificate Revocation Lists (CRLs).
f332ec
f332ec
The Certificate Authority can be configured as a self-signing Certificate
f332ec
Authority, where it is the root CA, or it can act as a subordinate CA,
f332ec
where it obtains its own signing certificate from a public CA.
f332ec
f332ec
This package is one of the top-level java-based Tomcat PKI subsystems
f332ec
provided by the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
f332ec
f332ec
%package -n       pki-kra
981330
Summary:          Certificate System - Key Recovery Authority
f332ec
Group:            System Environment/Daemons
f332ec
f332ec
BuildArch:        noarch
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
f332ec
Requires:         pki-server = %{version}-%{release}
f332ec
Requires(post):   systemd-units
f332ec
Requires(preun):  systemd-units
f332ec
Requires(postun): systemd-units
f332ec
f332ec
%description -n   pki-kra
981330
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
981330
as a key archival facility.  When configured in conjunction with the
981330
Certificate Authority (CA), the KRA stores private encryption keys as part of
f332ec
the certificate enrollment process.  The key archival mechanism is triggered
f332ec
when a user enrolls in the PKI and creates the certificate request.  Using the
f332ec
Certificate Request Message Format (CRMF) request format, a request is
f332ec
generated for the user's private encryption key.  This key is then stored in
981330
the KRA which is configured to store keys in an encrypted format that can only
f332ec
be decrypted by several agents requesting the key at one time, providing for
f332ec
protection of the private encryption keys for the users in the PKI deployment.
f332ec
981330
Note that the KRA archives encryption keys; it does NOT archive signing keys,
f332ec
since such archival would undermine non-repudiation properties of signing keys.
f332ec
f332ec
This package is one of the top-level java-based Tomcat PKI subsystems
f332ec
provided by the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
f332ec
f332ec
%package -n       pki-ocsp
f332ec
Summary:          Certificate System - Online Certificate Status Protocol Manager
f332ec
Group:            System Environment/Daemons
f332ec
f332ec
BuildArch:        noarch
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
Requires:         pki-server = %{version}-%{release}
981330
%else
981330
Requires:         pki-server >= %{pki_core_rhel_version}
981330
%endif
f332ec
Requires(post):   systemd-units
f332ec
Requires(preun):  systemd-units
f332ec
Requires(postun): systemd-units
f332ec
f332ec
%description -n   pki-ocsp
f332ec
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
f332ec
subsystem that can act as a stand-alone OCSP service.  The OCSP Manager
f332ec
performs the task of an online certificate validation authority by enabling
f332ec
OCSP-compliant clients to do real-time verification of certificates.  Note
f332ec
that an online certificate-validation authority is often referred to as an
f332ec
OCSP Responder.
f332ec
f332ec
Although the Certificate Authority (CA) is already configured with an
f332ec
internal OCSP service, an external OCSP Responder is offered as a separate
f332ec
subsystem in case the user wants the OCSP service provided outside of a
f332ec
firewall while the CA resides inside of a firewall, or to take the load of
f332ec
requests off of the CA.
f332ec
f332ec
The OCSP Manager can receive Certificate Revocation Lists (CRLs) from
f332ec
multiple CA servers, and clients can query the OCSP Manager for the
f332ec
revocation status of certificates issued by all of these CA servers.
f332ec
f332ec
When an instance of OCSP Manager is set up with an instance of CA, and
f332ec
publishing is set up to this OCSP Manager, CRLs are published to it
f332ec
whenever they are issued or updated.
f332ec
f332ec
This package is one of the top-level java-based Tomcat PKI subsystems
f332ec
provided by the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
f332ec
f332ec
%package -n       pki-tks
f332ec
Summary:          Certificate System - Token Key Service
f332ec
Group:            System Environment/Daemons
f332ec
f332ec
BuildArch:        noarch
f332ec
981330
Requires:         java-1.8.0-openjdk-headless
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
Requires:         pki-server = %{version}-%{release}
eb29d7
Requires:         pki-symkey = %{version}-%{release}
981330
%else
981330
Requires:         pki-server >= %{pki_core_rhel_version}
981330
Requires:         pki-symkey >= %{pki_core_rhel_version}
981330
%endif
f332ec
Requires(post):   systemd-units
f332ec
Requires(preun):  systemd-units
f332ec
Requires(postun): systemd-units
f332ec
f332ec
%description -n   pki-tks
f332ec
The Token Key Service (TKS) is an optional PKI subsystem that manages the
f332ec
master key(s) and the transport key(s) required to generate and distribute
f332ec
keys for hardware tokens.  TKS provides the security between tokens and an
f332ec
instance of Token Processing System (TPS), where the security relies upon the
f332ec
relationship between the master key and the token keys.  A TPS communicates
f332ec
with a TKS over SSL using client authentication.
f332ec
f332ec
TKS helps establish a secure channel (signed and encrypted) between the token
f332ec
and the TPS, provides proof of presence of the security token during
f332ec
enrollment, and supports key changeover when the master key changes on the
f332ec
TKS.  Tokens with older keys will get new token keys.
f332ec
f332ec
Because of the sensitivity of the data that TKS manages, TKS should be set up
f332ec
behind the firewall with restricted access.
f332ec
f332ec
This package is one of the top-level java-based Tomcat PKI subsystems
f332ec
provided by the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
eb29d7
eb29d7
efcdb2
%package -n       pki-tps
eb29d7
Summary:          Certificate System - Token Processing Service
eb29d7
Group:            System Environment/Daemons
eb29d7
efcdb2
Provides:         pki-tps-tomcat
efcdb2
Provides:         pki-tps-client
efcdb2
efcdb2
Obsoletes:        pki-tps-tomcat
efcdb2
Obsoletes:        pki-tps-client
eb29d7
981330
Requires:         java-1.8.0-openjdk-headless
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
eb29d7
Requires:         pki-server = %{version}-%{release}
981330
%else
981330
Requires:         pki-server >= %{pki_core_rhel_version}
981330
%endif
eb29d7
Requires(post):   systemd-units
eb29d7
Requires(preun):  systemd-units
eb29d7
Requires(postun): systemd-units
eb29d7
efcdb2
# additional runtime requirements needed to run native 'tpsclient'
efcdb2
# REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app
b80204
18a1d4
Requires:         nss-tools >= 3.90.0-2
efcdb2
Requires:         openldap-clients
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
efcdb2
Requires:         pki-symkey = %{version}-%{release}
981330
%else
981330
Requires:         pki-symkey >= %{pki_core_rhel_version}
981330
%endif
efcdb2
efcdb2
%description -n   pki-tps
eb29d7
The Token Processing System (TPS) is an optional PKI subsystem that acts
eb29d7
as a Registration Authority (RA) for authenticating and processing
eb29d7
enrollment requests, PIN reset requests, and formatting requests from
eb29d7
the Enterprise Security Client (ESC).
eb29d7
eb29d7
TPS is designed to communicate with tokens that conform to
eb29d7
Global Platform's Open Platform Specification.
eb29d7
eb29d7
TPS communicates over SSL with various PKI backend subsystems (including
981330
the Certificate Authority (CA), the Key Recovery Authority (KRA), and the
eb29d7
Token Key Service (TKS)) to fulfill the user's requests.
eb29d7
eb29d7
TPS also interacts with the token database, an LDAP server that stores
eb29d7
information about individual tokens.
eb29d7
efcdb2
The utility "tpsclient" is a test tool that interacts with TPS.  This
efcdb2
tool is useful to test TPS server configs without risking an actual
efcdb2
smart card.
efcdb2
eb29d7
%{overview}
f332ec
f332ec
f332ec
%package -n       pki-javadoc
f332ec
Summary:          Certificate System - PKI Framework Javadocs
f332ec
Group:            Documentation
f332ec
f332ec
BuildArch:        noarch
f332ec
f332ec
Provides:         pki-util-javadoc = %{version}-%{release}
f332ec
Provides:         pki-java-tools-javadoc = %{version}-%{release}
f332ec
Provides:         pki-common-javadoc = %{version}-%{release}
f332ec
f332ec
Obsoletes:        pki-util-javadoc < %{version}-%{release}
f332ec
Obsoletes:        pki-java-tools-javadoc < %{version}-%{release}
f332ec
Obsoletes:        pki-common-javadoc < %{version}-%{release}
f332ec
f332ec
%description -n   pki-javadoc
f332ec
This documentation pertains exclusively to version %{version} of
f332ec
the PKI Framework and Tools.
f332ec
f332ec
This package is a part of the PKI Core used by the Certificate System.
f332ec
f332ec
%{overview}
f332ec
efcdb2
%endif # %{with server}
efcdb2
18a1d4
# Replace "%setup -q -n %{name}-%{version}%{?prerel}" with "%autosetup -S git"
18a1d4
# in order to use "git apply <binary patch>" since "%patch0 -p1" doesn't
18a1d4
# support binary patches!
f332ec
%prep
18a1d4
18a1d4
18a1d4
%autosetup -S git
18a1d4
f332ec
f332ec
%clean
f332ec
%{__rm} -rf %{buildroot}
f332ec
f332ec
%build
f332ec
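# Configure out-of-tree in ./build.  An explicit OFF is passed only for the
# components that the spec's build switches (tomcat7/tomcat8, server,
# javadoc) disable; each switch is listed exactly once.
%{__mkdir_p} build
cd build
%cmake \
    --no-warn-unused-cli \
    -DVERSION=%{version}-%{release} \
    -DVAR_INSTALL_DIR:PATH=/var \
    -DBUILD_PKI_CORE:BOOL=ON \
    -DJAVA_HOME=%{java_home} \
    -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
    -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
%if %{version_phase}
    -DAPPLICATION_VERSION_PHASE="%{version_phase}" \
%endif
%if ! %{with_tomcat7}
    -DWITH_TOMCAT7:BOOL=OFF \
%endif
%if ! %{with_tomcat8}
    -DWITH_TOMCAT8:BOOL=OFF \
%endif
    -DJAXRS_API_JAR=%{jaxrs_api_jar} \
    -DRESTEASY_LIB=%{resteasy_lib} \
%if ! %{with server}
    -DWITH_SERVER:BOOL=OFF \
%endif
%if ! %{with javadoc}
    -DWITH_JAVADOC:BOOL=OFF \
%endif
    ..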
f332ec
f332ec
%install
306a87
f332ec
cd build
306a87
306a87
# Do not use _smp_mflags to preserve build order
306a87
%{__make} \
306a87
    VERBOSE=%{?_verbose} \
306a87
    CMAKE_NO_VERBOSE=1 \
306a87
    DESTDIR=%{buildroot} \
306a87
    INSTALL="install -p" \
306a87
    --no-print-directory \
306a87
     all unit-test install
f332ec
efcdb2
# Expose the shared admin console inside each subsystem webapp that uses it
# (TPS does not use admin console).  The link target is the installed path,
# not a buildroot path, so it resolves only once the package is installed.
console=%{_datadir}/pki/server/webapps/pki/admin/console
for subsystem in ca kra ocsp tks; do
    admin_dir=%{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin
    %{__mkdir_p} $admin_dir
    ln -s $console $admin_dir
done
efcdb2
981330
# Create compatibility symlink for DRMTool -> KRATool
981330
ln -s %{_bindir}/KRATool %{buildroot}%{_bindir}/DRMTool
981330
# Create compatibility symlink for DRMTool.cfg -> KRATool.cfg
981330
ln -s %{_datadir}/pki/java-tools/KRATool.cfg %{buildroot}%{_datadir}/pki/java-tools/DRMTool.cfg
981330
# Create compatibility symlink for DRMTool.1.gz -> KRATool.1.gz
981330
ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz
981330
981330
# Customize client library links in /usr/share/pki/lib
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
981330
    rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar
981330
    rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-api.jar
981330
    rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-jandex.jar
981330
    ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/lib/jboss-jaxrs-2.0-api.jar
981330
    ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
981330
    ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
981330
%else
981330
981330
if [ -f /etc/debian_version ]; then
981330
    ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/lib/httpclient.jar
981330
    ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/lib/httpcore.jar
981330
    ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/lib/jackson-core-asl.jar
981330
    ln -sf /usr/share/java/jackson-jaxrs.jar %{buildroot}%{_datadir}/pki/lib/jackson-jaxrs.jar
981330
    ln -sf /usr/share/java/jackson-mapper-asl.jar %{buildroot}%{_datadir}/pki/lib/jackson-mapper-asl.jar
981330
    ln -sf /usr/share/java/jackson-mrbean.jar %{buildroot}%{_datadir}/pki/lib/jackson-mrbean.jar
981330
    ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/lib/jackson-smile.jar
981330
    ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/lib/jackson-xc.jar
981330
    ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/lib/jss4.jar
981330
fi
981330
981330
%endif
981330
efcdb2
%if %{with server}
efcdb2
981330
# Customize server upgrade scripts in /usr/share/pki/server/upgrade
2413b1
%if 0%{?rhel} && 0%{?rhel} <= 7
b80204
b80204
# merge newer upgrade scripts into 10.3.3 for RHEL
b80204
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary \
b80204
   %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary
b80204
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixDeploymentDescriptor \
b80204
   %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixDeploymentDescriptor
981330
/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5
b80204
b80204
# merge newer upgrade scripts into 10.4.1 for RHEL
306a87
%{__mkdir_p} %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1
b80204
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin \
b80204
   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/01-AddSessionAuthenticationPlugin
b80204
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/02-AddKRAWrappingParams \
b80204
   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/02-AddKRAWrappingParams
b80204
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout \
b80204
   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/03-UpdateKeepAliveTimeout
b80204
/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2
b80204
/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6
b80204
306a87
# merge newer upgrade scripts into 10.5.1 for RHEL 7.5
306a87
%{__mkdir_p} %{buildroot}%{_datadir}/pki/server/upgrade/10.5.1
2413b1
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams \
2413b1
   %{buildroot}%{_datadir}/pki/server/upgrade/10.5.1/01-AddTPSExternalRegISEtokenParams
2413b1
/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5
2413b1
306a87
# merge newer upgrade scripts into 10.5.9 for RHEL 7.6
306a87
%{__mkdir_p} %{buildroot}%{_datadir}/pki/server/upgrade/10.5.9
306a87
mv %{buildroot}%{_datadir}/pki/server/upgrade/10.5.14/01-UpdateAuditEvents \
306a87
   %{buildroot}%{_datadir}/pki/server/upgrade/10.5.9/01-UpdateAuditEvents
306a87
/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.5.14
306a87
981330
%endif
981330
981330
# Customize server library links in /usr/share/pki/server/common/lib
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
981330
    rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar
981330
    rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar
981330
    ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
981330
    ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
981330
    ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
981330
981330
%else
981330
981330
if [ -f /etc/debian_version ]; then
981330
    ln -sf /usr/share/java/commons-collections3.jar %{buildroot}%{_datadir}/pki/server/common/lib/commons-collections.jar
981330
    ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpclient.jar
981330
    ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpcore.jar
981330
    ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-core-asl.jar
981330
    ln -sf /usr/share/java/jackson-jaxrs.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-jaxrs.jar
981330
    ln -sf /usr/share/java/jackson-mapper-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mapper-asl.jar
981330
    ln -sf /usr/share/java/jackson-mrbean.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mrbean.jar
981330
    ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-smile.jar
981330
    ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-xc.jar
981330
    ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/server/common/lib/jss4.jar
981330
    ln -sf /usr/share/java/symkey.jar %{buildroot}%{_datadir}/pki/server/common/lib/symkey.jar
981330
    ln -sf /usr/share/java/xml-apis.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-apis.jar
981330
    ln -sf /usr/share/java/xml-resolver.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-resolver.jar
981330
fi
981330
981330
%endif
981330
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
efcdb2
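# Static-analysis gates on the staged buildroot: pylint (plain and with the
# --py3k porting checks) followed by flake8 for Python 2 and Python 3.
# Any failing tool stops the build.
#
# Each exit status is saved with "|| rc=$?" for two reasons:
#   * build scriptlets are normally run by rpm with "sh -e", so a bare
#     failing command would abort the script before a later "$?" test;
#   * inside the "if" body "$?" holds the status of the "[" test (0), so
#     the message has to print the saved value to report the real code.
rc=0
%{__python2} ../pylint-build-scan.py rpm --prefix %{buildroot} || rc=$?
if [ "$rc" -ne 0 ]; then
    echo "pylint failed. RC: $rc"
    exit 1
fi

rc=0
%{__python2} ../pylint-build-scan.py rpm --prefix %{buildroot} -- --py3k || rc=$?
if [ "$rc" -ne 0 ]; then
    echo "pylint --py3k failed. RC: $rc"
    exit 1
fi

rc=0
flake8 --config ../tox.ini %{buildroot} || rc=$?
if [ "$rc" -ne 0 ]; then
    echo "flake8 for Python 2 failed. RC: $rc"
    exit 1
fi

rc=0
python3-flake8 --config ../tox.ini %{buildroot} || rc=$?
if [ "$rc" -ne 0 ]; then
    echo "flake8 for Python 3 failed. RC: $rc"
    exit 1
fi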
981330
f332ec
%endif
f332ec
f332ec
%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib
f332ec
efcdb2
%endif # %{with server}
efcdb2
f332ec
%{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki
f332ec
%{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki
f332ec
2413b1
%if 0%{?fedora} || 0%{?rhel} > 7
f332ec
%pretrans -n pki-base -p <lua>
f332ec
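-- Pre-transaction guard: refuse the upgrade while configuration for legacy
-- Dogtag 9 instances is still present under /etc/sysconfig/pki.

-- Return true when path `a` exists and contains at least one entry other
-- than "." and ".."; return false when it is missing or empty.
-- Declared local so the helper is not left behind as a global in the Lua
-- state (presumably shared by rpm across scriptlets; confirm).
local function test(a)
    if posix.stat(a) then
        for f in posix.files(a) do
            if f ~= ".." and f ~= "." then
                return true
            end
        end
    end
    return false
end

if (test("/etc/sysconfig/pki/ca") or
    test("/etc/sysconfig/pki/kra") or
    test("/etc/sysconfig/pki/ocsp") or
    test("/etc/sysconfig/pki/tks")) then
    -- NOTE(review): the text names Fedora 20, although the enclosing
    -- conditional also matches rhel > 7; confirm the wording is intended.
    local msg = "Unable to upgrade to Fedora 20.  There are Dogtag 9 instances\n" ..
                "that will no longer work since they require Tomcat 6, and \n" ..
                "Tomcat 6 is no longer available in Fedora 20.\n\n" ..
                "Please follow these instructions to migrate the instances to \n" ..
                "Dogtag 10:\n\n" ..
                "http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10"
    -- error() fails the scriptlet and so the transaction.
    error(msg)
end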
f332ec
%endif
f332ec
981330
%if %{with server}
981330
efcdb2
%pre -n pki-server
efcdb2
# Make sure the dedicated service group and account exist.  The account is
# a system account with /sbin/nologin as its shell, so it cannot be used
# for interactive logins.
if ! getent group %{pki_groupname} >/dev/null; then
    groupadd -f -g %{pki_gid} -r %{pki_groupname}
fi

if ! getent passwd %{pki_username} >/dev/null; then
    if getent passwd %{pki_uid} >/dev/null; then
        # The preallocated UID already belongs to another account:
        # let useradd pick a free system UID instead.
        useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
    else
        useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
    fi
fi

# Always report success; a groupadd/useradd failure is not propagated.
exit 0
efcdb2
981330
%endif # %{with server}
981330
f332ec
%post -n pki-base
f332ec
f332ec
# $1 is the number of instances of this package that will be installed once
# the transaction finishes: 1 on a fresh install, more on an upgrade.
if [ $1 -eq 1 ]; then
    # Fresh install: record the configuration version the upgrade
    # framework starts from.
    echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version
else
    # Upgrade: run the system upgrade and keep its output in a per-version
    # log.  This runs as root and appends to a predictable file name, so
    # /var/log/pki (packaged root:root in this package's file list) should
    # stay non-writable for the service account.
    upgrade_log=/var/log/pki/pki-upgrade-%{version}.log
    echo "Upgrading PKI system configuration at `/bin/date`." >> $upgrade_log 2>&1
    /sbin/pki-upgrade --silent >> $upgrade_log 2>&1
    echo >> $upgrade_log 2>&1
fi
f332ec
f332ec
%postun -n pki-base
f332ec
f332ec
# $1 is the number of instances of this package left after the operation;
# 0 means a real erase rather than the old half of an upgrade.
if [ $1 -eq 0 ]; then
    # Package is gone: drop the system upgrade tracker as well.
    rm -f %{_sysconfdir}/pki/pki.version
fi
f332ec
efcdb2
%if %{with server}
f332ec
f332ec
%post -n pki-server
f332ec
## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
f332ec
##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
f332ec
##        PKI deployment process
f332ec
981330
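# Runs as root on every install and upgrade of pki-server (there is no $1
# guard around the upgrade steps).  Output of both tools is appended to a
# per-version log; their exit statuses are not checked, so a failed step
# is visible only in that log.
server_upgrade_log=/var/log/pki/pki-server-upgrade-%{version}.log

echo "Upgrading PKI server configuration at `/bin/date`." >> $server_upgrade_log 2>&1
/sbin/pki-server-upgrade --silent >> $server_upgrade_log 2>&1
echo >> $server_upgrade_log 2>&1

# Migrate Tomcat configuration
/sbin/pki-server migrate >> $server_upgrade_log 2>&1
echo >> $server_upgrade_log 2>&1

# Reload systemd daemons on upgrade only ($1 is 2 in that case).
# "=" is the POSIX string comparison for "["; "==" is a bash extension.
if [ "$1" = "2" ]
then
    systemctl daemon-reload
fi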
f332ec
f332ec
## %preun -n pki-server
f332ec
## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
f332ec
##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
f332ec
##        PKI deployment process
f332ec
f332ec
f332ec
## %postun -n pki-server
f332ec
## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
f332ec
##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
f332ec
##        PKI deployment process
f332ec
efcdb2
%endif # %{with server}
efcdb2
efcdb2
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-symkey
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/symkey/LICENSE
f332ec
%{_jnidir}/symkey.jar
f332ec
%{_libdir}/symkey/
981330
%endif
f332ec
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-base
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/common/LICENSE
981330
%doc base/common/LICENSE.LESSER
efcdb2
%doc %{_datadir}/doc/pki-base/html
f332ec
%dir %{_datadir}/pki
f332ec
%{_datadir}/pki/VERSION
f332ec
%{_datadir}/pki/etc/
f332ec
%{_datadir}/pki/upgrade/
efcdb2
%{_datadir}/pki/key/templates
f332ec
%dir %{_sysconfdir}/pki
f332ec
%config(noreplace) %{_sysconfdir}/pki/pki.conf
981330
%exclude %{python2_sitelib}/pki/server
981330
%{python2_sitelib}/pki
f332ec
%dir %{_localstatedir}/log/pki
f332ec
%{_sbindir}/pki-upgrade
efcdb2
%{_mandir}/man1/pki-python-client.1.gz
dd68f4
%{_mandir}/man5/pki-logging.5.gz
dd68f4
%{_mandir}/man8/pki-upgrade.8.gz
981330
%endif
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
981330
%files -n pki-base-java
b80204
%{_datadir}/pki/examples/java/
981330
%{_datadir}/pki/lib/
981330
%dir %{_javadir}/pki
981330
%{_javadir}/pki/pki-cmsutil.jar
981330
%{_javadir}/pki/pki-nsutil.jar
981330
%{_javadir}/pki/pki-certsrv.jar
981330
%endif
981330
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
981330
%if %{with_python3}
981330
%files -n pki-base-python3
981330
%defattr(-,root,root,-)
981330
%doc base/common/LICENSE
981330
%doc base/common/LICENSE.LESSER
981330
%exclude %{python3_sitelib}/pki/server
981330
%{python3_sitelib}/pki
981330
%endif # with_python3
981330
%endif
981330
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-tools
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/native-tools/LICENSE base/native-tools/doc/README
f332ec
%{_bindir}/pki
f332ec
%{_bindir}/p7tool
67803c
%{_bindir}/pistool
f332ec
%{_bindir}/revoker
f332ec
%{_bindir}/setpin
f332ec
%{_bindir}/sslget
f332ec
%{_bindir}/tkstool
f332ec
%{_datadir}/pki/native-tools/
f332ec
%{_bindir}/AtoB
f332ec
%{_bindir}/AuditVerify
f332ec
%{_bindir}/BtoA
f332ec
%{_bindir}/CMCEnroll
f332ec
%{_bindir}/CMCRequest
f332ec
%{_bindir}/CMCResponse
f332ec
%{_bindir}/CMCRevoke
2413b1
%{_bindir}/CMCSharedToken
f332ec
%{_bindir}/CRMFPopClient
f332ec
%{_bindir}/DRMTool
f332ec
%{_bindir}/ExtJoiner
f332ec
%{_bindir}/GenExtKeyUsage
f332ec
%{_bindir}/GenIssuerAltNameExt
f332ec
%{_bindir}/GenSubjectAltNameExt
f332ec
%{_bindir}/HttpClient
981330
%{_bindir}/KRATool
f332ec
%{_bindir}/OCSPClient
f332ec
%{_bindir}/PKCS10Client
f332ec
%{_bindir}/PKCS12Export
306a87
%{_bindir}/PKICertImport
f332ec
%{_bindir}/PrettyPrintCert
f332ec
%{_bindir}/PrettyPrintCrl
f332ec
%{_bindir}/TokenInfo
f332ec
%{_javadir}/pki/pki-tools.jar
f332ec
%{_datadir}/pki/java-tools/
981330
%{_mandir}/man1/AtoB.1.gz
981330
%{_mandir}/man1/AuditVerify.1.gz
981330
%{_mandir}/man1/BtoA.1.gz
981330
%{_mandir}/man1/CMCEnroll.1.gz
2413b1
%{_mandir}/man1/CMCRequest.1.gz
2413b1
%{_mandir}/man1/CMCResponse.1.gz
2413b1
%{_mandir}/man1/CMCSharedToken.1.gz
981330
%{_mandir}/man1/DRMTool.1.gz
981330
%{_mandir}/man1/KRATool.1.gz
981330
%{_mandir}/man1/PrettyPrintCert.1.gz
981330
%{_mandir}/man1/PrettyPrintCrl.1.gz
f332ec
%{_mandir}/man1/pki.1.gz
981330
%{_mandir}/man1/pki-audit.1.gz
981330
%{_mandir}/man1/pki-ca-kraconnector.1.gz
981330
%{_mandir}/man1/pki-ca-profile.1.gz
efcdb2
%{_mandir}/man1/pki-cert.1.gz
efcdb2
%{_mandir}/man1/pki-client.1.gz
efcdb2
%{_mandir}/man1/pki-group.1.gz
efcdb2
%{_mandir}/man1/pki-group-member.1.gz
efcdb2
%{_mandir}/man1/pki-key.1.gz
dd68f4
%{_mandir}/man1/pki-pkcs12-cert.1.gz
dd68f4
%{_mandir}/man1/pki-pkcs12-key.1.gz
dd68f4
%{_mandir}/man1/pki-pkcs12.1.gz
efcdb2
%{_mandir}/man1/pki-securitydomain.1.gz
981330
%{_mandir}/man1/pki-tps-profile.1.gz
efcdb2
%{_mandir}/man1/pki-user.1.gz
efcdb2
%{_mandir}/man1/pki-user-cert.1.gz
981330
%{_mandir}/man1/pki-user-membership.1.gz
2413b1
%{_mandir}/man1/PKCS10Client.1.gz
306a87
%{_mandir}/man1/PKICertImport.1.gz
981330
%endif
f332ec
efcdb2
%if %{with server}
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-server
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/common/THIRD_PARTY_LICENSES
f332ec
%doc base/server/LICENSE
efcdb2
%doc base/server/README
f332ec
%{_sysconfdir}/pki/default.cfg
fe6b0b
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki
fe6b0b
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat
f332ec
%{_sbindir}/pkispawn
f332ec
%{_sbindir}/pkidestroy
efcdb2
%{_sbindir}/pki-server
efcdb2
%{_sbindir}/pki-server-nuxwdog
f332ec
%{_sbindir}/pki-server-upgrade
981330
%{python2_sitelib}/pki/server/
f332ec
%dir %{_datadir}/pki/deployment
f332ec
%{_datadir}/pki/deployment/config/
f332ec
%dir %{_datadir}/pki/scripts
f332ec
%{_datadir}/pki/scripts/operations
f332ec
%{_bindir}/pkidaemon
f332ec
%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
981330
%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service
981330
%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
efcdb2
%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
981330
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
981330
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
f332ec
%{_javadir}/pki/pki-cms.jar
f332ec
%{_javadir}/pki/pki-cmsbundle.jar
f332ec
%{_javadir}/pki/pki-cmscore.jar
f332ec
%{_javadir}/pki/pki-tomcat.jar
f332ec
%dir %{_sharedstatedir}/pki
981330
%{_mandir}/man1/pkidaemon.1.gz
f332ec
%{_mandir}/man5/pki_default.cfg.5.gz
dd68f4
%{_mandir}/man5/pki-server-logging.5.gz
f332ec
%{_mandir}/man8/pki-server-upgrade.8.gz
f332ec
%{_mandir}/man8/pkidestroy.8.gz
f332ec
%{_mandir}/man8/pkispawn.8.gz
981330
%{_mandir}/man8/pki-server.8.gz
981330
%{_mandir}/man8/pki-server-instance.8.gz
981330
%{_mandir}/man8/pki-server-subsystem.8.gz
981330
%{_mandir}/man8/pki-server-nuxwdog.8.gz
981330
%{_mandir}/man8/pki-server-migrate.8.gz
2413b1
%{_mandir}/man8/pki-server-cert.8.gz
f332ec
f332ec
%{_datadir}/pki/setup/
f332ec
%{_datadir}/pki/server/
981330
%endif
f332ec
efcdb2
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-ca
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/ca/LICENSE
f332ec
%{_javadir}/pki/pki-ca.jar
f332ec
%dir %{_datadir}/pki/ca
f332ec
%{_datadir}/pki/ca/conf/
f332ec
%{_datadir}/pki/ca/emails/
f332ec
%dir %{_datadir}/pki/ca/profiles
f332ec
%{_datadir}/pki/ca/profiles/ca/
f332ec
%{_datadir}/pki/ca/setup/
f332ec
%{_datadir}/pki/ca/webapps/
981330
%endif
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
f332ec
%files -n pki-kra
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/kra/LICENSE
f332ec
%{_javadir}/pki/pki-kra.jar
f332ec
%dir %{_datadir}/pki/kra
f332ec
%{_datadir}/pki/kra/conf/
f332ec
%{_datadir}/pki/kra/setup/
f332ec
%{_datadir}/pki/kra/webapps/
981330
%endif
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages}
f332ec
%files -n pki-ocsp
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/ocsp/LICENSE
f332ec
%{_javadir}/pki/pki-ocsp.jar
f332ec
%dir %{_datadir}/pki/ocsp
f332ec
%{_datadir}/pki/ocsp/conf/
f332ec
%{_datadir}/pki/ocsp/setup/
f332ec
%{_datadir}/pki/ocsp/webapps/
981330
%endif
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages}
f332ec
%files -n pki-tks
f332ec
%defattr(-,root,root,-)
f332ec
%doc base/tks/LICENSE
f332ec
%{_javadir}/pki/pki-tks.jar
f332ec
%dir %{_datadir}/pki/tks
f332ec
%{_datadir}/pki/tks/conf/
f332ec
%{_datadir}/pki/tks/setup/
f332ec
%{_datadir}/pki/tks/webapps/
981330
%endif
f332ec
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhcs_packages}
efcdb2
%files -n pki-tps
eb29d7
%defattr(-,root,root,-)
eb29d7
%doc base/tps/LICENSE
eb29d7
%{_javadir}/pki/pki-tps.jar
eb29d7
%dir %{_datadir}/pki/tps
efcdb2
%{_datadir}/pki/tps/applets/
eb29d7
%{_datadir}/pki/tps/conf/
eb29d7
%{_datadir}/pki/tps/setup/
eb29d7
%{_datadir}/pki/tps/webapps/
efcdb2
%{_mandir}/man5/pki-tps-connector.5.gz
efcdb2
%{_mandir}/man5/pki-tps-profile.5.gz
981330
%{_mandir}/man1/tpsclient.1.gz
efcdb2
# files for native 'tpsclient'
efcdb2
# REMINDER:  Remove this comment once 'tpsclient' is rewritten as a Java app
efcdb2
%{_bindir}/tpsclient
efcdb2
%{_libdir}/tps/libtps.so
efcdb2
%{_libdir}/tps/libtokendb.so
981330
%endif
efcdb2
981330
%if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
efcdb2
%if %{with javadoc}
f332ec
%files -n pki-javadoc
f332ec
%defattr(-,root,root,-)
f332ec
%{_javadocdir}/pki-%{version}/
f332ec
%endif
981330
%endif
f332ec
efcdb2
%endif # %{with server}
f332ec
f332ec
%changelog
18a1d4
* Mon Jun 3 2024 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-32
18a1d4
- ##########################################################################
18a1d4
- # RHEL 7.9 (Async Security Update CY24Q2.4):
18a1d4
- ##########################################################################
18a1d4
- Updated nspr-devel and nss-devel build requirements as well as nss and
18a1d4
  nss-tools runtime requirements (mharmsen)
18a1d4
- Updated jss dependencies (mharmsen)
18a1d4
- Added git build dependency (mharmsen)
18a1d4
- Additional trivial fix (jmagne)
18a1d4
- RHEL-9917 - EMBARGOED CVE-2023-4727 pki-core: dogtag ca:
18a1d4
  token authentication bypass vulnerability [rhel-7.9.z] (jmagne)
18a1d4
- RHEL-24339 - pki-core - PrettyPrintCert does not properly
18a1d4
  translate AIA information into a readable format [RHEL 7.9.z] (mfargett)
18a1d4
- RHEL-26881 - Fix additional OID mappings [RHEL 7.9.z] (mfargett)
18a1d4
- ##########################################################################
18a1d4
- # RHCS 9.7 (Async Security Update CY24Q2.4):
18a1d4
- ##########################################################################
18a1d4
- Bug 2047831 - Coolkey Hardcoded RSA Max Key Size
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2121463 - Add Secure Channel Support for AES-256 Keys
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2177785 - TPS missing Host header field in HTTP/1.1 request
18a1d4
  message [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2180920 - add AES support for TMS server-side keygen on latest
18a1d4
  HSM / FIPS environment [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2233158 - Make key wrapping algorithm configurable
18a1d4
  between AES-KWP and AES-CBC [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2253682 - pkidestroy log keeps HSM token password
18a1d4
  [RHCS 9.7.z] (mfargett, jmagne)
18a1d4
- Bug 2265180 - Add Support for Symmetric Key Rollover
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2280722 - Shared token is not generated for TPS and TKS
18a1d4
  during install despite adding pki_import_shared_secret=True param
18a1d4
  at install [RHCS 9.7.z] (jmagne)
18a1d4
18a1d4
* Fri May 31 2024 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-31
18a1d4
- ##########################################################################
18a1d4
- # RHEL 7.9 (Async Security Update CY24Q2.3):
18a1d4
- ##########################################################################
18a1d4
- Updated nspr-devel and nss-devel build requirements as well as nss and
18a1d4
  nss-tools runtime requirements (mharmsen)
18a1d4
- Updated jss dependencies (mharmsen)
18a1d4
- Added git build dependency (mharmsen)
18a1d4
- Additional trivial fix (jmagne)
18a1d4
- RHEL-9917 - EMBARGOED CVE-2023-4727 pki-core: dogtag ca:
18a1d4
  token authentication bypass vulnerability [rhel-7.9.z] (jmagne)
18a1d4
- RHEL-24339 - pki-core - PrettyPrintCert does not properly
18a1d4
  translate AIA information into a readable format [RHEL 7.9.z] (mfargett)
18a1d4
- RHEL-26881 - Fix additional OID mappings [RHEL 7.9.z] (mfargett)
18a1d4
- ##########################################################################
18a1d4
- # RHCS 9.7 (Async Security Update CY24Q2.3):
18a1d4
- ##########################################################################
18a1d4
- Bug 2047831 - Coolkey Hardcoded RSA Max Key Size
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2121463 - Add Secure Channel Support for AES-256 Keys
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2177785 - TPS missing Host header field in HTTP/1.1 request
18a1d4
  message [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2180920 - add AES support for TMS server-side keygen on latest
18a1d4
  HSM / FIPS environment [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2233158 - Make key wrapping algorithm configurable
18a1d4
  between AES-KWP and AES-CBC [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2253682 - pkidestroy log keeps HSM token password
18a1d4
  [RHCS 9.7.z] (mfargett, jmagne)
18a1d4
- Bug 2265180 - Add Support for Symmetric Key Rollover
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2280722 - Shared token is not generated for TPS and TKS
18a1d4
  during install despite adding pki_import_shared_secret=True param
18a1d4
  at install [RHCS 9.7.z] (jmagne)
18a1d4
18a1d4
* Thu May 23 2024 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-30
18a1d4
- ##########################################################################
18a1d4
- # RHEL 7.9 (Async Security Update CY24Q2.2):
18a1d4
- ##########################################################################
18a1d4
- Updated nspr-devel and nss-devel build requirements as well as nss and
18a1d4
  nss-tools runtime requirements (mharmsen)
18a1d4
- Updated jss dependencies (mharmsen)
18a1d4
- Added git build dependency (mharmsen)
18a1d4
- Additional trivial fix (jmagne)
18a1d4
- RHEL-9917 - EMBARGOED CVE-2023-4727 pki-core: dogtag ca:
18a1d4
  token authentication bypass vulnerability [rhel-7.9.z] (jmagne)
18a1d4
- RHEL-24339 - pki-core - PrettyPrintCert does not properly
18a1d4
  translate AIA information into a readable format [RHEL 7.9.z] (mfargett)
18a1d4
- RHEL-26881 - Fix additional OID mappings [RHEL 7.9.z] (mfargett)
18a1d4
- ##########################################################################
18a1d4
- # RHCS 9.7 (Async Security Update CY24Q2.2):
18a1d4
- ##########################################################################
18a1d4
- Bug 2047831 - Coolkey Hardcoded RSA Max Key Size
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2121463 - Add Secure Channel Support for AES-256 Keys
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2177785 - TPS missing Host header field in HTTP/1.1 request
18a1d4
  message [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2180920 - add AES support for TMS server-side keygen on latest
18a1d4
  HSM / FIPS environment [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2233158 - Make key wrapping algorithm configurable
18a1d4
  between AES-KWP and AES-CBC [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2253682 - pkidestroy log keeps HSM token password
18a1d4
  [RHCS 9.7.z] (mfargett, jmagne)
18a1d4
- Bug 2265180 - Add Support for Symmetric Key Rollover
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2280722 - Shared token is not generated for TPS and TKS
18a1d4
  during install despite adding pki_import_shared_secret=True param
18a1d4
  at install [RHCS 9.7.z] (jmagne)
18a1d4
18a1d4
* Fri May 17 2024 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-29
18a1d4
- ##########################################################################
18a1d4
- # RHEL 7.9 (Async Security Update CY24Q2.1):
18a1d4
- ##########################################################################
18a1d4
- Updated nspr-devel and nss-devel build requirements as well as nss and
18a1d4
  nss-tools runtime requirements (mharmsen)
18a1d4
- Updated jss dependencies (mharmsen)
18a1d4
- Added git build dependency (mharmsen)
18a1d4
- Additional trivial fix (jmagne)
18a1d4
- RHEL-9917 - EMBARGOED CVE-2023-4727 pki-core: dogtag ca:
18a1d4
  token authentication bypass vulnerability [rhel-7.9.z] (jmagne)
18a1d4
- RHEL-24339 - pki-core - PrettyPrintCert does not properly
18a1d4
  translate AIA information into a readable format [RHEL 7.9.z] (mfargett)
18a1d4
- RHEL-26881 - Fix additional OID mappings [RHEL 7.9.z] (mfargett)
18a1d4
- ##########################################################################
18a1d4
- # RHCS 9.7 (Async Security Update CY24Q2.1):
18a1d4
- ##########################################################################
18a1d4
- Bug 2047831 - Coolkey Hardcoded RSA Max Key Size
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2121463 - Add Secure Channel Support for AES-256 Keys
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2177785 - TPS missing Host header field in HTTP/1.1 request
18a1d4
  message [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2180920 - add AES support for TMS server-side keygen on latest
18a1d4
  HSM / FIPS environment [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2233158 - Make key wrapping algorithm configurable
18a1d4
  between AES-KWP and AES-CBC [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2253682 - pkidestroy log keeps HSM token password
18a1d4
  [RHCS 9.7.z] (mfargett, jmagne)
18a1d4
- Bug 2265180 - Add Support for Symmetric Key Rollover
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2280722 - Shared token is not generated for TPS and TKS
18a1d4
  during install despite adding pki_import_shared_secret=True param
18a1d4
  at install [RHCS 9.7.z] (jmagne)
18a1d4
18a1d4
* Thu Apr 18 2024 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-28
18a1d4
- ##########################################################################
18a1d4
- # RHEL 7.9 (Async Security Update CY24Q2):
18a1d4
- ##########################################################################
18a1d4
- Updated nspr-devel and nss-devel build requirements as well as nss and
18a1d4
  nss-tools runtime requirements (mharmsen)
18a1d4
- Updated jss dependencies (mharmsen)
18a1d4
- Added git build dependency (mharmsen)
18a1d4
- RHEL-9917 - EMBARGOED CVE-2023-4727 pki-core: dogtag ca:
18a1d4
  token authentication bypass vulnerability [rhel-7.9.z] (jmagne)
18a1d4
- RHEL-24339 - pki-core - PrettyPrintCert does not properly
18a1d4
  translate AIA information into a readable format [RHEL 7.9.z] (mfargett)
18a1d4
- RHEL-26881 - Fix additional OID mappings [RHEL 7.9.z] (mfargett)
18a1d4
- ##########################################################################
18a1d4
- # RHCS 9.7 (Async Security Update CY24Q2):
18a1d4
- ##########################################################################
18a1d4
- Bug 2047831 - Coolkey Hardcoded RSA Max Key Size
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2121463 - Add Secure Channel Support for AES-256 Keys
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2177785 - TPS missing Host header field in HTTP/1.1 request
18a1d4
  message [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2180920 - add AES support for TMS server-side keygen on latest
18a1d4
  HSM / FIPS environment [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2233158 - Make key wrapping algorithm configurable
18a1d4
  between AES-KWP and AES-CBC [RHCS 9.7.z] (jmagne)
18a1d4
- Bug 2253682 - pkidestroy log keeps HSM token password
18a1d4
  [RHCS 9.7.z] (mfargett)
18a1d4
- Bug 2265180 - Add Support for Symmetric Key Rollover
18a1d4
  [RHCS 9.7.z] (jmagne)
18a1d4
78720a
* Mon May  1 2023 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-27
78720a
- ##########################################################################
78720a
- # RHEL 7.9 (Batch Update 23):
78720a
- ##########################################################################
78720a
- ##########################################################################
78720a
- # RHCS 9.7 (Batch Update 23):
78720a
- ##########################################################################
78720a
- Bugzilla Bug #2179305 - Unable to use the TPS UI "Token Filter" to filter
78720a
  a list of tokens [RHCS 9.7] (ckelley)
78720a
- Bugzilla Bug #2092522 - TPS Not allowing Token Status Change based on
78720a
  Revoke True/False and Hold till last True/False [RHCS 9.7.z] (cfu)
78720a
- Bugzilla Bug #2176233 - TPS Not allowing Token Status Change based on
78720a
  Revoke True/False and Hold till last True/False (part 2) [RHCS 9.7.z] (cfu)
78720a
78720a
* Fri Mar 24 2023 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-26
78720a
- ##########################################################################
78720a
- # RHEL 7.9 (Batch Update 22):
78720a
- ##########################################################################
78720a
- ##########################################################################
78720a
- # RHCS 9.7 (Batch Update 22):
78720a
- ##########################################################################
78720a
- Bugzilla Bug #2179305 - Unable to use the TPS UI "Token Filter" to filter
78720a
  a list of tokens [RHCS 9.7] (ckelley)
78720a
- Bugzilla Bug #2092522 - TPS Not allowing Token Status Change based on
78720a
  Revoke True/False and Hold till last True/False [RHCS 9.7.z] (cfu)
78720a
- Bugzilla Bug #2176233 - TPS Not allowing Token Status Change based on
78720a
  Revoke True/False and Hold till last True/False (part 2) [RHCS 9.7.z] (cfu)
78720a
708f38
* Fri Feb 10 2023 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-25
708f38
- ##########################################################################
708f38
- # RHEL 7.9 (Batch Update 21):
708f38
- ##########################################################################
708f38
- Bugzilla Bug #2160355 - RA Separation by KeyType - Set Token Status
708f38
  [RHCS 9.7 bu 21] (cfu, ckelley)
708f38
- ##########################################################################
708f38
- # RHCS 9.7 (Batch Update 21):
708f38
- ##########################################################################
708f38
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
708f38
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
708f38
947023
* Wed Oct 26 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-24
947023
- ##########################################################################
947023
- # RHEL 7.9 (Batch Update 19):
947023
- ##########################################################################
947023
- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
947023
  entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
947023
- ##########################################################################
947023
- # RHCS 9.7 (Batch Update 19):
947023
- ##########################################################################
947023
- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
947023
  entities when parsing XML can lead to XXE [certificate_system_9.7.z]
947023
  (ckelley, mharmsen)
947023
3863c8
* Mon Oct 10 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-23
3863c8
- ##########################################################################
3863c8
- # RHEL 7.9 (Batch Update 18):
3863c8
- ##########################################################################
3863c8
- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
3863c8
  entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
3863c8
- Bugzilla Bug #2111514 - CVE-2022-2393 pki-core: When using the
3863c8
  caServerKeygen_DirUserCert profile, user can get certificates for other
3863c8
  UIDs by entering name in Subject field [rhel-7.9] (cfu, ckelley)
3863c8
- ##########################################################################
3863c8
- # RHCS 9.7 (Batch Update 18):
3863c8
- ##########################################################################
3863c8
- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
3863c8
  entities when parsing XML can lead to XXE [certificate_system_9.7.z]
3863c8
  (ckelley, mharmsen)
3863c8
- Bugzilla Bug #2111493 - CVE-2022-2393 pki-core: When using the
3863c8
  caServerKeygen_DirUserCert profile, user can get certificates for other
3863c8
  UIDs by entering name in Subject field [rhcs_9.7] (cfu, ckelley)
3863c8
3863c8
* Mon Aug 22 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-22
3863c8
- ##########################################################################
3863c8
- # RHEL 7.9 (Batch Update 17):
3863c8
- ##########################################################################
3863c8
- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
3863c8
  entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
3863c8
- Bugzilla Bug #2111514 - CVE-2022-2393 pki-core: When using the
3863c8
  caServerKeygen_DirUserCert profile, user can get certificates for other
3863c8
  UIDs by entering name in Subject field [rhel-7.9] (cfu, ckelley)
3863c8
- ##########################################################################
3863c8
- # RHCS 9.7 (Batch Update 17):
3863c8
- ##########################################################################
3863c8
- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
3863c8
  entities when parsing XML can lead to XXE [certificate_system_9.7.z]
3863c8
  (ckelley, mharmsen)
3863c8
- Bugzilla Bug #2111493 - CVE-2022-2393 pki-core: When using the
3863c8
  caServerKeygen_DirUserCert profile, user can get certificates for other
3863c8
  UIDs by entering name in Subject field [rhcs_9.7] (cfu, ckelley)
3863c8
7e2434
* Tue May 31 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-21
7e2434
- ##########################################################################
7e2434
- # RHEL 7.9 (Batch Update 15):
7e2434
- ##########################################################################
7e2434
- Bugzilla Bug #2074722 - user password and pkcs12 password exposure when
7e2434
  debug level set to maximum [RHEL 7.9.z] (cfu)
7e2434
- Bugzilla Bug #2082717 - SCEP manual approval failure (cfu)
7e2434
- ##########################################################################
7e2434
- # RHCS 9.7:
7e2434
- ##########################################################################
7e2434
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
7e2434
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
7e2434
7e2434
* Mon Apr 25 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-20
7e2434
- ##########################################################################
7e2434
- # RHEL 7.9 (Batch Update 14):
7e2434
- ##########################################################################
7e2434
- Bugzilla Bug #2074722 - user password and pkcs12 password exposure when
7e2434
  debug level set to maximum [RHEL 7.9.z] (cfu)
7e2434
- ##########################################################################
7e2434
- # RHCS 9.7:
7e2434
- ##########################################################################
7e2434
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
7e2434
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
7e2434
2a8f41
* Thu Dec 16 2021 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-19
2a8f41
- ##########################################################################
2a8f41
- # RHEL 7.9 (Batch Update 11):
2a8f41
- ##########################################################################
2a8f41
- Bugzilla Bug 1998597 - TPS RA Separation Issues (cfu)
2a8f41
- Bugzilla Bug 2008319 - PKISpawn with ECC Signing Algorithms fail
2a8f41
  in FIPS Mode (cfu)
2a8f41
- Bugzilla Bug 2018608 - Invalid certificates with creation of subCA
2a8f41
  (pkispawn single step) [rhel-7.9.0.z] (cfu)
2a8f41
- ##########################################################################
2a8f41
- # RHCS 9.7:
2a8f41
- ##########################################################################
2a8f41
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
2a8f41
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
2a8f41
92abab
* Sat Oct 23 2021 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-18
92abab
- ##########################################################################
92abab
- # RHEL 7.9 (Batch Update 10):
92abab
- ##########################################################################
92abab
- Bugzilla Bug 1978345 - End Entity's List Certificates Page Back/Forward
92abab
  Buttons are Broken (ckelley, jonahon.d.parrish@mail.mil, mharmsen)
92abab
- Bugzilla Bug 2008707 - pkispawn bails out too easily for things that could
92abab
  have been worked around after installation [RHEL 7.9.z] (cfu)
92abab
- Bugzilla Bug 2016773 - Directory authentication plugin requires directory
92abab
  admin password just for user authentication (rhel-7.9.z)
92abab
  (awnuk@purestorage.com, jmagne)
92abab
- ##########################################################################
92abab
- # RHCS 9.7:
92abab
- ##########################################################################
92abab
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
92abab
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
92abab
963458
* Wed Sep 15 2021 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-17
963458
- ##########################################################################
92abab
- # RHEL 7.9 (Batch Update 9):
963458
- ##########################################################################
963458
- Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx
963458
  response from CA REST API: 500 [ftweedal, ckelley]
963458
- ##########################################################################
963458
- # RHCS 9.7:
963458
- ##########################################################################
963458
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
963458
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
963458
08c5c1
* Mon Aug  9 2021 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-16
08c5c1
- ##########################################################################
08c5c1
- # RHEL 7.9 (Batch Update 8):
08c5c1
- ##########################################################################
08c5c1
- Bugzilla Bug 1958277 - PKCS10Client EC Attribute Encoding [cfu]
08c5c1
- Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500:
08c5c1
  Non-2xx response from CA REST API: 500 [ftweedal, ckelley]
08c5c1
- ##########################################################################
08c5c1
- # RHCS 9.7 (Batch Update 8):
08c5c1
- ##########################################################################
08c5c1
- Bugzilla Bug 1959937 - TPS Allowing Token Transactions while
08c5c1
  the CA is Down [cfu]
08c5c1
- Bugzilla Bug 1979710 - TPS Not properly enforcing Token Profile
08c5c1
  Separation [cfu]
08c5c1
b9388a
* Fri Jun 25 2021 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-15
b9388a
- ##########################################################################
b9388a
- # RHEL 7.9:
b9388a
- ##########################################################################
b9388a
- Bugzilla Bug 1905374 - restrict EE profile list and enrollment submission
b9388a
  per LDAP group without immediate issuance [rhel-7.9.z] (cfu)
b9388a
- ##########################################################################
b9388a
- # RHCS 9.7:
b9388a
- ##########################################################################
b9388a
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
b9388a
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
b9388a
bdfa3c
* Thu May 13 2021 Dogtag Team <pki-devel@redhat.com> 10.5.18-14
bdfa3c
- ##########################################################################
bdfa3c
- # RHEL 7.9:
bdfa3c
- ##########################################################################
bdfa3c
- Bugzilla Bug 1911472 - Revoke via REST API not working when Agent
bdfa3c
  certificate not issued by CA [rhel-7.9.z] (cfu)
bdfa3c
- Bugzilla Bug 1914587 - RHEL IPA PKI - Failed to read product version
bdfa3c
  String.java.io.FileNotFoundException (ckelley)
bdfa3c
- Bugzilla Bug 1942687 - TPS not populating Token Policy, or switching
bdfa3c
  PIN_RESET=YES to NO [rhel-7.9.z] (jmagne)
bdfa3c
- Bugzilla Bug 1955633 - Recovery of Keys migrated to latest version of KRA
bdfa3c
  fail to recover and result in Null Point Exception [rhel-7.9.z] (jmagne)
bdfa3c
- ##########################################################################
bdfa3c
- # RHCS 9.7:
bdfa3c
- ##########################################################################
bdfa3c
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
bdfa3c
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)
bdfa3c
bdfa3c
* Thu Apr 22 2021 Dogtag Team <pki-devel@redhat.com> 10.5.18-13
bdfa3c
- ##########################################################################
bdfa3c
- # RHEL 7.9:
bdfa3c
- ##########################################################################
bdfa3c
- Bugzilla Bug 1949136 - PKI instance creation failed with new 389-ds-base
bdfa3c
  build (jmagne)
bdfa3c
- Bugzilla Bug 1949656 - CRMF requests with extensions other than SKID cannot
bdfa3c
  be processed (cfu)
bdfa3c
- ##########################################################################
bdfa3c
- # RHCS 9.7:
bdfa3c
- ##########################################################################
bdfa3c
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
bdfa3c
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)
bdfa3c
e0d192
* Wed Feb 24 2021 Dogtag Team <pki-devel@redhat.com> 10.5.18-12
e0d192
- Change variable 'TPS' to 'tps'
e0d192
- ##########################################################################
e0d192
- # RHEL 7.9:
e0d192
- ##########################################################################
e0d192
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
e0d192
  profiles, audit for IPA (edewata)
e0d192
- ##########################################################################
e0d192
- # Backported CVEs (ascheel):
e0d192
- ##########################################################################
e0d192
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
e0d192
  parameters in TPS resulting in stored XSS [certificate_system_9-default]
e0d192
  (edewata, ascheel)
e0d192
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
e0d192
  scripting (XSS) in the pki-tps web Activity tab
e0d192
  [certificate_system_9-default] (edewata, ascheel)
e0d192
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
e0d192
  creation [certificate_system_9-default] (edewata, ascheel)
e0d192
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
e0d192
  Scripting in 'path length' constraint field in CA's Agent page
e0d192
  [rhel-7.9.z] (dmoluguw, ascheel)
e0d192
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
e0d192
  scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
e0d192
  (dmoluguw, ascheel)
e0d192
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
e0d192
  Reflected XSS in recoveryID search field at KRA's DRM agent page in
e0d192
  authorize recovery tab [rhel-7.9.z] (ascheel)
e0d192
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
e0d192
  reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
e0d192
- ##########################################################################
e0d192
- Update to jquery v3.4.1 (ascheel)
e0d192
- Update to jquery-i18n-properties v1.2.7 (ascheel)
e0d192
- Update to backbone v1.4.0 (ascheel)
e0d192
- Upgrade to underscore v1.9.2 (ascheel)
e0d192
- Update to patternfly v3.59.3 (ascheel)
e0d192
- Update to jQuery v3.5.1 (ascheel)
e0d192
- Upgrade to bootstrap v3.4.1 (ascheel)
e0d192
- Link in new Bootstrap CSS file (ascheel)
e0d192
- ##########################################################################
e0d192
- # RHCS 9.7:
e0d192
- ##########################################################################
e0d192
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
e0d192
  # pki-console to 10.5.18 in RHCS 9.7
e0d192
e0d192
* Thu Feb 11 2021 Dogtag Team <pki-devel@redhat.com> 10.5.18-11
e0d192
- ##########################################################################
e0d192
- # RHEL 7.9:
e0d192
- ##########################################################################
e0d192
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
e0d192
  profiles, audit for IPA (edewata)
e0d192
- ##########################################################################
e0d192
- # Backported CVEs (ascheel):
e0d192
- ##########################################################################
e0d192
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
e0d192
  parameters in TPS resulting in stored XSS [certificate_system_9-default]
e0d192
  (edewata, ascheel)
e0d192
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
e0d192
  scripting (XSS) in the pki-tps web Activity tab
e0d192
  [certificate_system_9-default] (edewata, ascheel)
e0d192
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
e0d192
  creation [certificate_system_9-default] (edewata, ascheel)
e0d192
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
e0d192
  Scripting in 'path length' constraint field in CA's Agent page
e0d192
  [rhel-7.9.z] (dmoluguw, ascheel)
e0d192
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
e0d192
  scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
e0d192
  (dmoluguw, ascheel)
e0d192
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
e0d192
  Reflected XSS in recoveryID search field at KRA's DRM agent page in
e0d192
  authorize recovery tab [rhel-7.9.z] (ascheel)
e0d192
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
e0d192
  reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
e0d192
- ##########################################################################
e0d192
- Update to jquery v3.4.1 (ascheel)
e0d192
- Update to jquery-i18n-properties v1.2.7 (ascheel)
e0d192
- Update to backbone v1.4.0 (ascheel)
e0d192
- Upgrade to underscore v1.9.2 (ascheel)
e0d192
- Update to patternfly v3.59.3 (ascheel)
e0d192
- Update to jQuery v3.5.1 (ascheel)
e0d192
- Upgrade to bootstrap v3.4.1 (ascheel)
e0d192
- Link in new Bootstrap CSS file (ascheel)
e0d192
- ##########################################################################
e0d192
- # RHCS 9.7:
e0d192
- ##########################################################################
e0d192
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
e0d192
  # pki-console to 10.5.18 in RHCS 9.7
e0d192
e0d192
* Fri Dec  4 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-10
e0d192
- Bugzilla Bug #1883639 - additional fix to upgrade script (edewata)
e0d192
e0d192
* Thu Dec  3 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-9
e0d192
- Bugzilla Bug #1883639 - additional support on upgrade for audit
e0d192
  cert profile and auditProfileUpgrade + auditProfileUpgrade part 2 (cfu)
e0d192
e0d192
* Tue Nov 17 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-8
e0d192
- ##########################################################################
e0d192
- # RHEL 7.9:
e0d192
- ##########################################################################
e0d192
- Bugzilla Bug #1883639 - add profile caAuditSigningCert (cfu)
e0d192
- ##########################################################################
e0d192
- # RHCS 9.7:
e0d192
- ##########################################################################
e0d192
- # Bugzilla Bug #1710978 - TPS - Add logging to tdbAddCertificatesForCUID if
e0d192
  # adding or searching for cert record fails (jmagne)
e0d192
- # Bugzilla Bug #1858860 - TPS - Update Error Codes returned to client
e0d192
  # (CIW/ESC) to Match CS8. (jmagne)
e0d192
- # Bugzilla Bug #1858861 - TPS - Server side key generation is not working
e0d192
  # for Identity only tokens Missing some commits (cfu)
e0d192
- # Bugzilla Bug #1858867 - TPS does not check token cuid on the user
e0d192
  # externalReg record during PIN reset (cfu)
e0d192
b1e4e4
* Wed May 27 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-7
b1e4e4
- Patch for CMCResponse tool
b1e4e4
- Bugzilla Bug #1710109 - add RSA PSS support - fix CMCResponse tool (jmagne)
b1e4e4
b1e4e4
* Tue May 19 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-6
b1e4e4
- Patch for CMC Credential Error, RSA PSS typo, and new profile
b1e4e4
  for directory-authentication-based Server-Side keygen
b1e4e4
- ##########################################################################
b1e4e4
- # RHEL 7.9:
b1e4e4
- ##########################################################################
b1e4e4
- Bugzilla Bug #1710109 - add RSA PSS support (jmagne)
b1e4e4
- Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu)
b1e4e4
- ##########################################################################
b1e4e4
- # RHCS 9.7:
b1e4e4
- ##########################################################################
b1e4e4
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
b1e4e4
  # pki-console to 10.5.18 in RHCS 9.7
b1e4e4
b1e4e4
* Thu May  7 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-5
b1e4e4
- Updated jss dependencies
b1e4e4
- Bugzilla Bug #1710109 - add RSA PSS support - fix SHA512 (jmagne)
b1e4e4
b1e4e4
* Tue May  5 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-4
b1e4e4
- ##########################################################################
b1e4e4
- # RHEL 7.9:
b1e4e4
- ##########################################################################
b1e4e4
- Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE
b1e4e4
  additional support and touch-up (cfu)
b1e4e4
- ##########################################################################
b1e4e4
- # RHCS 9.7:
b1e4e4
- ##########################################################################
b1e4e4
- # Bugzilla Bug #1710975 - TPS - Searching the certificate DB for a brand new
b1e4e4
  # token takes too long. Bad search filter (rhcs-maint, ascheel, jmagne)
b1e4e4
b1e4e4
* Sun Apr 19 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-3
b1e4e4
- Updated jss dependencies
b1e4e4
- ##########################################################################
b1e4e4
- # RHEL 7.9:
b1e4e4
- ##########################################################################
b1e4e4
- Bugzilla Bug #1794213 - Server-Side keygen Enrollment for EE (cfu)
b1e4e4
- Bugzilla Bug #1809273 - CRL generation performs an unindexed search (jmagne)
b1e4e4
- ##########################################################################
b1e4e4
- # RHCS 9.7:
b1e4e4
- ##########################################################################
b1e4e4
- # Bugzilla Bug #1549307 - No default TPS Auditor group (ascheel)
b1e4e4
b1e4e4
* Mon Mar 30 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-2
b1e4e4
- Bugzilla Bug #1710109 - add RSA PSS support - fix IPA installer (jmagne)
b1e4e4
b1e4e4
* Sun Mar 29 2020 Dogtag Team <pki-devel@redhat.com> 10.5.18-1
b1e4e4
- Updated jss dependencies
b1e4e4
- ##########################################################################
b1e4e4
- # RHEL 7.9:
b1e4e4
- ##########################################################################
b1e4e4
- Bugzilla Bug #1774174 - Rebase pki-core from 10.5.17 to 10.5.18 (RHEL)
b1e4e4
- ##########################################################################
b1e4e4
- # RHCS 9.7:
b1e4e4
- ##########################################################################
b1e4e4
- # Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
b1e4e4
  # pki-console to 10.5.18 in RHCS 9.7
b1e4e4
- # Bugzilla Bug #1774181 - Update RHCS version of CA, KRA, OCSP, and TKS so
b1e4e4
  # that it can be identified using a browser [RHCS]
b1e4e4
67803c
* Mon Dec  2 2019 Dogtag Team <pki-devel@redhat.com> 10.5.17-6
feffdc
- ##########################################################################
67803c
- # RHEL 7.8:
feffdc
- ##########################################################################
67803c
- Bugzilla Bug #1723008 - ECC Key recovery failure with
67803c
  CKR_TEMPLATE_INCONSISTENT (cfu)
67803c
- Bugzilla Bug #1774282 - pki-server-nuxwdog template has pid file name with
67803c
  non-breakable space char encoded instead of 0x20 space char (ascheel)
feffdc
- ##########################################################################
67803c
- # RHCS 9.6:
feffdc
- ##########################################################################
67803c
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
67803c
  # pki-console to 10.5.17 in RHCS 9.6
feffdc
67803c
* Thu Oct 24 2019 Dogtag Team <pki-devel@redhat.com> 10.5.17-5
abcaba
- ##########################################################################
67803c
- # RHEL 7.8:
abcaba
- ##########################################################################
67803c
- Bugzilla Bug #1523330 - CC: missing audit event for CS acting as TLS client
67803c
  (cfu)
abcaba
- ##########################################################################
67803c
- # RHCS 9.6:
abcaba
- ##########################################################################
67803c
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
67803c
  # pki-console to 10.5.17 in RHCS 9.6
67803c
67803c
* Mon Sep 30 2019 Dogtag Team <pki-devel@redhat.com> 10.5.17-4
67803c
- Include 'pistool' in the 'pki-tools' package
abcaba
67803c
* Mon Sep 23 2019 Dogtag Team <pki-devel@redhat.com> 10.5.17-3
abcaba
- ##########################################################################
67803c
- # RHEL 7.8:
abcaba
- ##########################################################################
67803c
- Bugzilla Bug #1445479 - KRATool does not support netkeyKeyRecovery
67803c
  attribute (dmoluguw)
67803c
- Bugzilla Bug #1534013 - Attempting to add new keys using a PUT KEY APDU
67803c
  to a token that is loaded only with the default/factory keys (Key Version
67803c
  Number 0xFF) returns an APDU with error code 0x6A88. (jmagne)
67803c
- Bugzilla Bug #1709585 - PKI (test support) for PKCS#11 standard
67803c
  AES KeyWrap for HSM support (cfu, ftweedal)
67803c
- Bugzilla Bug #1748766 - number range depletion when multiple clones
67803c
  created from same master (ftweedal)
abcaba
- ##########################################################################
67803c
- # RHCS 9.6:
abcaba
- ##########################################################################