From ca25d3856c37febe4aa89d19ba143bd1e021f0d1 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Sat, 2 Jul 2016 11:03:53 +0530
Subject: [PATCH 36/96] Added instance and subsystem validation for pki-server
subsystem-* commands.
The pki-server subsystem-* commands have been updated to validate
the instance and subsystem before proceeding with the operation.
https://fedorahosted.org/pki/ticket/2399
---
base/server/python/pki/server/cli/subsystem.py | 66 +++++++++++++++++++++-----
1 file changed, 53 insertions(+), 13 deletions(-)
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 49215cf..a44243a 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -177,6 +177,10 @@ class SubsystemShowCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
SubsystemCLI.print_subsystem(subsystem)
@@ -240,9 +244,17 @@ class SubsystemEnableCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
- subsystem.enable()
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
- self.print_message('Enabled "%s" subsystem' % subsystem_name)
+ if subsystem.is_enabled():
+ self.print_message('Subsystem "%s" is already '
+ 'enabled' % subsystem_name)
+ else:
+ subsystem.enable()
+ self.print_message('Enabled "%s" subsystem' % subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
@@ -308,9 +320,17 @@ class SubsystemDisableCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
- subsystem.disable()
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
- self.print_message('Disabled "%s" subsystem' % subsystem_name)
+ if not subsystem.is_enabled():
+ self.print_message('Subsystem "%s" is already '
+ 'disabled' % subsystem_name)
+ else:
+ subsystem.disable()
+ self.print_message('Disabled "%s" subsystem' % subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
@@ -403,6 +423,10 @@ class SubsystemCertFindCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
results = subsystem.find_system_certs()
self.print_message('%s entries matched' % len(results))
@@ -436,7 +460,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
- 'instance=', 'show-all',
+ 'instance=', 'show-all',
'verbose', 'help'])
except getopt.GetoptError as e:
@@ -471,7 +495,6 @@ class SubsystemCertShowCLI(pki.cli.CLI):
self.usage()
sys.exit(1)
-
if len(args) < 2:
print('ERROR: missing cert ID')
self.usage()
@@ -489,6 +512,10 @@ class SubsystemCertShowCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
cert = subsystem.get_subsystem_cert(cert_id)
SubsystemCertCLI.print_subsystem_cert(cert, show_all)
@@ -611,6 +638,10 @@ class SubsystemCertExportCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
subsystem_cert = None
if len(args) >= 2:
@@ -732,6 +763,10 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
instance.load()
subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
+ sys.exit(1)
subsystem_cert = subsystem.get_subsystem_cert(cert_id)
# get cert data from NSS database
@@ -749,6 +784,9 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
# get cert request from local CA
# TODO: add support for remote CA
ca = instance.get_subsystem('ca')
+ if not ca:
+ print('ERROR: No CA subsystem in instance %s.' % instance_name)
+ sys.exit(1)
results = ca.find_cert_requests(cert=data)
cert_request = results[-1]
request = cert_request['request']
@@ -820,7 +858,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
subsystem_name = args[0]
- if len(args) >=2:
+ if len(args) >= 2:
cert_id = args[1]
else:
cert_id = None
@@ -835,7 +873,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
subsystem = instance.get_subsystem(subsystem_name)
if not subsystem:
- self.print_message('ERROR: missing subsystem ' + subsystem_name)
+ print('ERROR: No %s subsystem in instance '
+ '%s.' % (subsystem_name, instance_name))
sys.exit(1)
if cert_id is not None:
@@ -909,16 +948,17 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
os.close(pwfile_handle)
try:
- cmd = ['pki', '-d', instance.nssdb_dir,
- '-C', pwfile_path ]
+ cmd = ['pki',
+ '-d', instance.nssdb_dir,
+ '-C', pwfile_path]
if token:
cmd.extend(['--token', token])
cmd.extend(['client-cert-validate',
- nickname,
- '--certusage', usage]
- )
+ nickname,
+ '--certusage', usage
+ ])
subprocess.check_output(cmd, stderr=subprocess.STDOUT)
print(' Status: VALID')
--
1.8.3.1
From 03926918b688d6634a46e322565bd1ab8ccdd811 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Jul 2016 17:40:13 +0200
Subject: [PATCH 37/96] Fixed exception chain in SigningUnit.init().
The SigningUnit.init() has been modified to chain the exceptions
to help troubleshooting.
https://fedorahosted.org/pki/ticket/2399
---
base/ca/src/com/netscape/ca/SigningUnit.java | 45 +++++++++++++---------
.../certsrv/ca/CAMissingCertException.java | 3 ++
.../netscape/certsrv/ca/CAMissingKeyException.java | 3 ++
3 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
index 60bd84e..f708e55 100644
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
@@ -22,10 +22,6 @@ import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SignatureException;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.crypto.CryptoToken;
@@ -42,15 +38,19 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
-import com.netscape.certsrv.ca.ECAException;
import com.netscape.certsrv.ca.CAMissingCertException;
import com.netscape.certsrv.ca.CAMissingKeyException;
+import com.netscape.certsrv.ca.ECAException;
import com.netscape.certsrv.common.Constants;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.ISigningUnit;
import com.netscape.cmscore.security.JssSubsystem;
import com.netscape.cmsutil.util.Cert;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
/**
* CA signing unit based on JSS.
*
@@ -171,7 +171,7 @@ public final class SigningUnit implements ISigningUnit {
mCert = mManager.findCertByNickname(mNickname);
CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
} catch (ObjectNotFoundException e) {
- throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+ throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
}
mCertImpl = new X509CertImpl(mCert.getEncoded());
@@ -181,7 +181,7 @@ public final class SigningUnit implements ISigningUnit {
mPrivk = mManager.findPrivKeyByCert(mCert);
CMS.debug("Got private key from cert");
} catch (ObjectNotFoundException e) {
- throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
+ throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
}
mPubk = mCert.getPublicKey();
@@ -194,32 +194,39 @@ public final class SigningUnit implements ISigningUnit {
CMS.debug(
"got signing algorithm " + mDefSigningAlgorithm);
mInited = true;
+
} catch (java.security.cert.CertificateException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage()));
- throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()), e);
+
} catch (CryptoManager.NotInitializedException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"), e);
+
} catch (IncorrectPasswordException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"), e);
+
} catch (NoSuchTokenException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname), e);
+
} catch (CAMissingCertException | CAMissingKeyException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
throw e; // re-throw
+
} catch (TokenException e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug("SigningUnit: " + e);
log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"), e);
+
} catch (Exception e) {
- CMS.debug("SigningUnit init: debug " + e.toString());
+ CMS.debug(e);
}
}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
index 49c5063..e363647 100644
--- a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
@@ -12,4 +12,7 @@ public class CAMissingCertException extends ECAException {
super(msgFormat);
}
+ public CAMissingCertException(String msgFormat, Exception cause) {
+ super(msgFormat, cause);
+ }
}
diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
index 8f5e1e7..178857f 100644
--- a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
@@ -12,4 +12,7 @@ public class CAMissingKeyException extends ECAException {
super(msgFormat);
}
+ public CAMissingKeyException(String msgFormat, Exception cause) {
+ super(msgFormat, cause);
+ }
}
--
1.8.3.1
From 4bdb8793eddd8d6c26a08c8f871249aa9a5bde7a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Jul 2016 21:12:35 +0200
Subject: [PATCH 38/96] Fixed CLI error message on connection problems
The CLI has been modified to display the actual error message
instead of generic ProcessingException.
https://fedorahosted.org/pki/ticket/2377
---
base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 797f3cb..8f3293d 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -31,6 +31,8 @@ import java.net.UnknownHostException;
import java.util.Collection;
import java.util.HashSet;
+import javax.ws.rs.ProcessingException;
+
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.lang.StringUtils;
@@ -571,11 +573,20 @@ public class MainCLI extends CLI {
MainCLI cli = new MainCLI();
cli.execute(args);
+ } catch (ProcessingException e) {
+ Throwable t = e.getCause();
+ if (verbose) {
+ t.printStackTrace(System.err);
+ } else {
+ System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage());
+ }
+ System.exit(-1);
+
} catch (Throwable t) {
if (verbose) {
t.printStackTrace(System.err);
} else {
- System.err.println(t.getClass().getSimpleName()+": "+t.getMessage());
+ System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage());
}
System.exit(-1);
}
--
1.8.3.1
From c595208f58a2c072f9a7a243434411f66f556242 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Jul 2016 22:05:09 +0200
Subject: [PATCH 39/96] Added validation for pki client-cert-request
extractable parameter.
The pki client-cert-request CLI has been modified to validate the
boolean extractable parameter.
https://fedorahosted.org/pki/ticket/2383
---
.../src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 3ec4745..0277774 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -194,6 +194,9 @@ public class ClientCertRequestCLI extends CLI {
if (s == null) {
extractable = -1;
} else {
+ if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) {
+ throw new IllegalArgumentException("Invalid extractable parameter: " + s);
+ }
extractable = Boolean.parseBoolean(s) ? 1 : 0;
}
--
1.8.3.1
From db75d23cbb90b834b2b515ce6344346522067b7b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Jul 2016 22:30:52 +0200
Subject: [PATCH 40/96] Added validation for pki client-cert-request sensitive
parameter.
The pki client-cert-request CLI has been modified to validate the
boolean sensitive parameter.
https://fedorahosted.org/pki/ticket/2383
---
.../src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 0277774..aff3220 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -186,6 +186,9 @@ public class ClientCertRequestCLI extends CLI {
if (s == null) {
sensitive = -1;
} else {
+ if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) {
+ throw new IllegalArgumentException("Invalid sensitive parameter: " + s);
+ }
sensitive = Boolean.parseBoolean(s) ? 1 : 0;
}
--
1.8.3.1
From 9bf9f9628420d133010ff994cdac0f01b764b603 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Jul 2016 23:02:18 +0200
Subject: [PATCH 41/96] Added general exception handling for pki-server CLI.
The pki-server CLI has been modified to catch all exceptions and
display a simple exception message. In verbose mode it will
display the stack trace.
https://fedorahosted.org/pki/ticket/2381
---
base/server/sbin/pki-server | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server
index cea62b7..6df70dc 100644
--- a/base/server/sbin/pki-server
+++ b/base/server/sbin/pki-server
@@ -116,3 +116,9 @@ if __name__ == '__main__':
traceback.print_exc()
print('ERROR: %s' % e)
sys.exit(e.returncode)
+
+ except Exception as e: # pylint: disable=broad-except
+ if cli.verbose:
+ traceback.print_exc()
+ print('ERROR: %s' % e)
+ sys.exit(1)
--
1.8.3.1
From 59ba26cf9292a578d34d98344e4b1f4d20339508 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 7 Jul 2016 02:42:14 +0200
Subject: [PATCH 42/96] Fixed problem with pki pkcs12-import --no-trust-flags.
The pki pkcs12-import CLI has been fixed such that when it calls
pki pkcs12-cert-find internally it does not add --no-trust-flags
option.
https://fedorahosted.org/pki/ticket/2399
---
base/common/python/pki/cli/pkcs12.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index 3fcea35..145f125 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -159,9 +159,6 @@ class PKCS12ImportCLI(pki.cli.CLI):
if password_file:
cmd.extend(['--pkcs12-password-file', password_file])
- if no_trust_flags:
- cmd.extend(['--no-trust-flags'])
-
if self.verbose:
cmd.extend(['--verbose'])
--
1.8.3.1
From 12e24ae0eb3f6fb7e0f71b95e3911f45594c5965 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 7 Jul 2016 03:52:09 +0200
Subject: [PATCH 43/96] Fixed pki pkcs12-import output.
The pki pkcs12-import has been modified to suppress the output of
external command execution and display a completion message more
consistently.
https://fedorahosted.org/pki/ticket/2399
---
base/common/python/pki/cli/pkcs12.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index 145f125..ded79c7 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -314,4 +314,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
cmd.extend(nicknames)
- main_cli.execute_java(cmd)
+ with open(os.devnull, 'w') as f:
+ main_cli.execute_java(cmd, stdout=f)
+
+ self.print_message('Import complete')
--
1.8.3.1
From 7164c2064a7f069f0943f64167eaab982068593d Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 7 Jul 2016 14:02:18 -0700
Subject: [PATCH 44/96] Ticket #978 PPS connector man page: add revocation
routing info
---
base/tps/man/man5/pki-tps-connector.5 | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/base/tps/man/man5/pki-tps-connector.5 b/base/tps/man/man5/pki-tps-connector.5
index 6ee009a..b3e405e 100644
--- a/base/tps/man/man5/pki-tps-connector.5
+++ b/base/tps/man/man5/pki-tps-connector.5
@@ -62,12 +62,26 @@ This property contains the maximum number of HTTP connections.
.SS tps.connector.ca<n>.uri.<op>
This property contains the URI to contact CA for the operation <op>.
-Example ops: enrollment, renewal, revoke, unrevoke.
+Example ops: enrollment, renewal, revoke, unrevoke, getcert.
.SS tps.connector.ca<n>.timeout
This property contains the connection timeout.
+.SS tps.connector.connCAList
+
+This property is used for \fIRevocation Routing\fP. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to.
+Example:
+tps.connCAList=ca1,ca2
+
+.SS tps.connector.ca<n>.caNickname
+
+This property is used for \fIRevocation Routing\fP. It contains the nickname of the CA signing certificate that represents this ca<n>.
+
+.SS tps.connector.ca<n>.caSKI
+
+This property is used for \fIRevocation Routing\fP . It contains the Subject Key Identifier of the CA signing certificate of this ca<n>. This value is automatically calculated by TPS once and should not need handling by the administrator.
+
.SH KRA CONNECTOR
A KRA connector is defined using properties that begin with tps.connector.kra<n> where
@@ -182,6 +196,13 @@ tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
+# in case of Revocation Routing
+# note that caSKI is automatically calculated by TPS
+tps.connCAList=ca1,ca2
+tps.connector.ca1.caNickname=caSigningCert cert-pki-tomcat CA
+tps.connector.ca1.caSKI=hAzNarQMlzit4BymAlbduZMwVCc
+# ca2 connector in case of Revocation Routing
+tps.connector.ca2.<etc.>
tps.connector.kra1.enable=true
tps.connector.kra1.host=server.example.com
--
1.8.3.1
From ee68baccc5510184ff67b903288410d3ccc6a831 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Mon, 11 Jul 2016 17:51:57 -0700
Subject: [PATCH 46/96] Ticket #2389 fix for regular CA installation This patch
addresses the issue that with the previous patch, the regular (non-external
and non-existing) CA installation fails.
---
.../src/com/netscape/cms/servlet/csadmin/CertUtil.java | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 495e4c0..ed762de 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -535,9 +535,14 @@ public class CertUtil {
CMS.debug("Creating local request exception:" + e.toString());
}
- // installAdjustValidity tells ValidityDefault to adjust the
- // notAfter value to that of the CA's signing cert if needed
- req.setExtData("installAdjustValidity", "true");
+ if (!certTag.equals("signing")) {
+ /*
+ * (applies to non-CA-signing cert only)
+ * installAdjustValidity tells ValidityDefault to adjust the
+ * notAfter value to that of the CA's signing cert if needed
+ */
+ req.setExtData("installAdjustValidity", "true");
+ }
processor.populate(req, info);
PrivateKey caPrik = null;
@@ -554,11 +559,11 @@ public class CertUtil {
}
if (caPrik == null) {
- CMS.debug("CertUtil::createSelfSignedCert() - "
+ CMS.debug("CertUtil::createLocalCert() - "
+ "CA private key is null!");
throw new IOException("CA private key is null");
} else {
- CMS.debug("CertUtil createSelfSignedCert: got CA private key");
+ CMS.debug("CertUtil createLocalCert: got CA private key");
}
String keyAlgo = x509key.getAlgorithm();
@@ -586,7 +591,7 @@ public class CertUtil {
}
if (cert != null) {
- CMS.debug("CertUtil createSelfSignedCert: got cert signed");
+ CMS.debug("CertUtil createLocalCert: got cert signed");
}
} catch (IOException e) {
--
1.8.3.1
From c3ff087bd07cde4cd272defad499fd4d8367e5c1 Mon Sep 17 00:00:00 2001
From: Geetika Kapoor <gkapoor@redhat.com>
Date: Wed, 13 Jul 2016 06:57:08 -0400
Subject: [PATCH 47/96] Added fix for pki-server for db-update
fixes: https://fedorahosted.org/pki/ticket/1667
Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
---
base/server/python/pki/server/cli/db.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
index cc768da..17b1a2f 100644
--- a/base/server/python/pki/server/cli/db.py
+++ b/base/server/python/pki/server/cli/db.py
@@ -202,7 +202,7 @@ class DBUpgrade(pki.cli.CLI):
entries = conn.ldap.search_s(
repo_dn,
ldap.SCOPE_ONELEVEL,
- '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+ '(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))',
None)
for entry in entries:
@@ -227,7 +227,7 @@ class DBUpgrade(pki.cli.CLI):
issuer_name = str(cert.issuer)
try:
- conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+ conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)])
except ldap.LDAPError as e:
print(
'Failed to add issuerName to certificate {}: {}'
--
1.8.3.1
From 8c36ab242c99187a0356b85467e43f5b024718a2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 13 Jul 2016 04:11:56 +0200
Subject: [PATCH 48/96] Fixed certificate validation error message.
The pkihelper.py has been modified to display the correct external
command name on system certificate validation error.
https://fedorahosted.org/pki/ticket/2399
---
base/server/python/pki/server/deployment/pkihelper.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 0145b49..54ffe27 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4663,7 +4663,7 @@ class SystemCertificateVerifier:
stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
config.pki_log.error(
- "pki subsystem-cert-validate return code: " + str(e.returncode),
+ "pki-server subsystem-cert-validate return code: " + str(e.returncode),
extra=config.PKI_INDENTATION_LEVEL_2
)
config.pki_log.error(
--
1.8.3.1
From 96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Wed, 13 Jul 2016 17:15:14 -0700
Subject: [PATCH 50/96] [MAN] Apply 'generateCRMFRequest() removed from
Firefox' workarounds to appropriate 'pki' man page
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.
---
base/ca/shared/conf/CS.cfg | 6 +-
base/ca/shared/profiles/ca/caDualCert.cfg | 2 +-
base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 86 ++++++++++++++++++++++
base/ca/shared/profiles/ca/caSigningUserCert.cfg | 86 ++++++++++++++++++++++
4 files changed, 178 insertions(+), 2 deletions(-)
create mode 100644 base/ca/shared/profiles/ca/caSigningECUserCert.cfg
create mode 100644 base/ca/shared/profiles/ca/caSigningUserCert.cfg
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 288f0d5..68e79a4 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl
profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
profile.caSignedLogCert.class_id=caEnrollImpl
profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
+profile.caSigningECUserCert.class_id=caEnrollImpl
+profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
+profile.caSigningUserCert.class_id=caEnrollImpl
+profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
profile.caSimpleCMCUserCert.class_id=caEnrollImpl
profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
profile.caSubsystemCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index f90f78f..87036d1 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -1,5 +1,5 @@
desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
-visible=true
+visible=false
enable=true
enableBy=admin
name=Manual User Signing & Encryption Certificates Enrollment
diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
new file mode 100644
index 0000000..b410504
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing ECC Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=EC
+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
new file mode 100644
index 0000000..f197ffa
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user signing certificates.
+visible=false
+enable=true
+enableBy=admin
+name=Manual User Signing Certificate Enrollment
+auth.class_id=
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=signingCertSet
+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
+policyset.signingCertSet.1.constraint.params.accept=true
+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.signingCertSet.1.default.name=Subject Name Default
+policyset.signingCertSet.1.default.params.name=
+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.signingCertSet.2.constraint.name=Validity Constraint
+policyset.signingCertSet.2.constraint.params.range=365
+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
+policyset.signingCertSet.2.default.name=Validity Default
+policyset.signingCertSet.2.default.params.range=180
+policyset.signingCertSet.2.default.params.startTime=0
+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.signingCertSet.3.constraint.name=Key Constraint
+policyset.signingCertSet.3.constraint.params.keyType=RSA
+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.signingCertSet.3.default.name=Key Default
+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.4.constraint.name=No Constraint
+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.5.constraint.name=No Constraint
+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.signingCertSet.5.default.name=AIA Extension Default
+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.6.constraint.name=No Constraint
+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.signingCertSet.6.default.name=Key Usage Default
+policyset.signingCertSet.6.default.params.keyUsageCritical=true
+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.7.constraint.name=No Constraint
+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
+policyset.signingCertSet.8.constraint.name=No Constraint
+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.signingCertSet.9.constraint.name=No Constraint
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.signingCertSet.9.default.name=Signing Alg
+policyset.signingCertSet.9.default.params.signingAlg=-
+
--
1.8.3.1
From 6bda601d3b4dea93e1a218662ae0814e3a2708a7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 14 Jul 2016 23:11:46 +0200
Subject: [PATCH 51/96] Fixed cert usage list in pki client-cert-validate.
The pki client-cert-validate has been modified to add the missing
EmailRecipient and to list the supported cert usages.
https://fedorahosted.org/pki/ticket/2376
https://fedorahosted.org/pki/ticket/2399
---
.../src/com/netscape/cmstools/client/ClientCertValidateCLI.java | 7 ++++++-
base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java | 2 ++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
index 3988c71..50cd96f 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
@@ -45,7 +45,10 @@ public class ClientCertValidateCLI extends CLI {
}
public void createOptions() {
- Option option = new Option(null, "certusage", true, "Certificate usage.");
+ Option option = new Option(null, "certusage", true, "Certificate usage: " +
+ "CheckAllUsages, SSLServer, SSLServerWithStepUp, SSLClient, SSLCA, AnyCA, " +
+ "StatusResponder, ObjectSigner, UserCertImport, ProtectedObjectSigner, " +
+ "VerifyCA, EmailSigner, EmailRecipient.");
option.setArgName("certusage");
options.addOption(option);
}
@@ -188,6 +191,8 @@ public class ClientCertValidateCLI extends CLI {
cu = CryptoManager.CertificateUsage.VerifyCA;
else if (certusage.equalsIgnoreCase("EmailSigner"))
cu = CryptoManager.CertificateUsage.EmailSigner;
+ else if (certusage.equalsIgnoreCase("EmailRecipient"))
+ cu = CryptoManager.CertificateUsage.EmailRecipient;
return cu;
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 5b6382e..400ad0c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -988,6 +988,8 @@ public class CertUtils {
cu = CryptoManager.CertificateUsage.VerifyCA;
else if (certusage.equalsIgnoreCase("EmailSigner"))
cu = CryptoManager.CertificateUsage.EmailSigner;
+ else if (certusage.equalsIgnoreCase("EmailRecipient"))
+ cu = CryptoManager.CertificateUsage.EmailRecipient;
return cu;
}
--
1.8.3.1
From 078dfc1f01dea30800f19eed6df4ed547edffee3 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Tue, 12 Jul 2016 18:18:39 -0700
Subject: [PATCH 52/96] Ticket #2246 [MAN] Man Page: AuditVerify This patch
contains the man page for AuditVerify.
---
base/java-tools/man/man1/AuditVerify.1 | 110 +++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+)
create mode 100644 base/java-tools/man/man1/AuditVerify.1
diff --git a/base/java-tools/man/man1/AuditVerify.1 b/base/java-tools/man/man1/AuditVerify.1
new file mode 100644
index 0000000..c0bd5ba
--- /dev/null
+++ b/base/java-tools/man/man1/AuditVerify.1
@@ -0,0 +1,110 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH AuditVerify 1 "July 7, 2016" "version 10.3" "PKI Signed Audit Log Verification Command" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+AuditVerify \- Command-Line utility for verifying Certificate System signed audit logs.
+
+.SH SYNOPSIS
+.nf
+\fBAuditVerify\fR -d <dbdir> -n <signing_certificate_nickname> -a <logListFile> [-P cert/key_db_prefix] [-v]
+.fi
+
+.SH DESCRIPTION
+.PP
+The \fBAuditVerify\fR command provides command-line utility to verify that signed audit logs were signed with the appropriate CS audit private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity and integrity of signed audit logs using the \fBAuditVerify\fR tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool result indicates either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised).
+.PP
+.B Note: An auditor can be any user that has the privilege to peruse the pki audit logs.
+
+.SH OPTIONS
+.TP
+.B -d <dbdir>
+Specifies the directory containing the security databases with the imported audit log signing certificate. This directory is almost always the auditor's own personal certificate databases in a personal directory, such as ~jsmith/auditVerifyDir/.
+
+.TP
+.B -n <signing_certificate_nickname>
+Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the log signing certificate was imported into that database.
+
+.TP
+.B [-P cert/key_db_prefix]
+Optional. The prefix to prepend to the certificate and key database filenames. If used, a value of empty quotation marks (“”) should be specified for this argument, since the auditor is using separate certificate and key databases from the Certificate System instance and it is unlikely that the prefix should be prepended to the new audit security database files.
+
+.TP
+.B -a <logListFile>
+Specifies the file which contains the comma-separate list of file paths (in chronological order) of the signed audit logs to be verified.
+This file should be created in a directory which is writeable by the auditor, such as a special auditing directory like ~jsmith/auditDir.
+The contents of the logListFile are the full paths to the audit logs. For example:
+.PP
+.nf
+ /var/log/pki/pki-ca/ca/signedAudit/ca_audit,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030227102711,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030226094015
+.fi
+
+.TP
+.B [-v]
+Optional. Specifies verbose output.
+
+.SH Setting up the Auditor's Database
+
+\fBAuditVerify\fP needs access to a set of security databases (usually the auditor's personal security databases) containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.
+.PP
+Auditors should import the audit signing certificate into their personal certificate database before running \fBAuditVerify\fP. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. If there are no readily accessible certificate and key database, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain.
+.PP
+To create the security databases and import the certificate chain:
+
+.SS Create a special directory in the auditor's home directory to use to perform the verification. For example:
+
+mkdir ~jsmith/auditVerifyDir
+
+.SS Use the certutil tool to create an empty set of certificate databases in the auditor's home directory.
+
+certutil -d ~jsmith/auditVerifyDir -N
+
+.SS Download the CA certificate from the CA's Retrieval page. The certificates can be obtained from the CA in ASCII format.
+
+https://server.example.com:ca_https_port/ca/ee/ca/
+
+.SS Import the CA certificate and log signing certificate into the databases and set trust of the certificates
+
+If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, then the certutil can be used to set the trust for the new audit security database directory pointing to those files, as follows:
+
+certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.txt
+
+certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.txt
+
+.B Note: The signedAudit directory kept by the subsystem is not writeable by any user, including auditors.
+
+.SH Operation
+After a separate audit database directory has been configured, do the following:
+.SS Create a text file containing a comma-separated list of the log files to be verified. The name of this file is referenced in the AuditVerify command.
+
+For example, this file could be logListFile in the ~jsmith/auditVerifyDir/ directory. The contents are the comma-separated list of audit logs to be verified, such as "auditlog.1213, auditlog.1214, auditlog.1215."
+
+.SS If the audit databases do not contain prefixes and are located in the user home directory, such as ~jsmith/.mozilla, and the signing certificate nickname is "Log Signing Certificate", the AuditVerify command is run as follows:
+
+AuditVerify -d ~jsmith/auditVerifyDir -n Log Signing Certificate -a ~jsmith/auditVerifyDir/logListFile -P "" -v
+
+.I Note: It has been observed that if audit signing is enabled after system is first started, the first audit signature would not be verified. What happens is that the signature starts calculating from it's in-memory audit log message when it signs, and since log signing is turned on mid-way (not from a fresh new log file), the previous content were not signed along for calculating the first signature (and rightfully so). When AuditVerify is run, it does not know where the log signing begins, so it assumes it starts from the beginning of the file till the first signature. This is why the first signature (if signing is turned on mid-way) will always appear to be incorrect.
+
+
+.SH AUTHORS
+Christina Fu <cfu@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pki(1)
--
1.8.3.1
From d20638e2916fb99da5cf09d869a1fbc89cd6f17b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 16 Jul 2016 07:01:23 +0200
Subject: [PATCH 53/96] Removed redundant question in interactive pkispawn.
The pkispawn has been modified such that if the admin selects to
import the admin certificate the admin will not be asked where to
export the certificate.
https://fedorahosted.org/pki/ticket/2399
---
base/server/sbin/pkispawn | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index d3a111f..11745b4 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -226,9 +226,9 @@ def main(argv):
'pki_import_admin_cert',
'False')
- parser.read_text('Export certificate to',
- config.pki_subsystem,
- 'pki_client_admin_cert')
+ parser.read_text('Export certificate to',
+ config.pki_subsystem,
+ 'pki_client_admin_cert')
# if parser.mdict['pki_hsm_enable'] == 'True':
# use_hsm = 'Y'
@@ -261,7 +261,7 @@ def main(argv):
# parser.set_property(config.pki_subsystem,
# 'pki_hsm_libfile',
# libfile)
- # print
+ print()
print("Directory Server:")
while True:
--
1.8.3.1
From 28176087a94f74b451c2dbf3c59b4d13a20014c6 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 16 Jul 2016 09:22:27 +0200
Subject: [PATCH 54/96] Fixed pkispawn installation summary.
The pkispawn installation summary has been modified not to
show the admin certificate nickname and NSS database if
pki_client_database_purge or pki_clone is set to true since
the NSS database will not be created in those cases.
https://fedorahosted.org/pki/ticket/2399
---
base/server/sbin/pkispawn | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 11745b4..13139fa 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -754,16 +754,15 @@ def print_final_install_information(mdict):
print(" Administrator's PKCS #12 file:\n %s" %
mdict['pki_client_admin_cert_p12'])
- if not config.str2bool(mdict['pki_client_database_purge']):
+ if not config.str2bool(mdict['pki_client_database_purge']) and \
+ not config.str2bool(mdict['pki_clone']):
print()
print(" Administrator's certificate nickname:\n %s"
% mdict['pki_admin_nickname'])
-
- if not config.str2bool(mdict['pki_clone']):
print(" Administrator's certificate database:\n %s"
% mdict['pki_client_database_dir'])
- else:
+ if config.str2bool(mdict['pki_clone']):
print()
print(" This %s subsystem of the '%s' instance\n"
" is a clone." %
--
1.8.3.1
From eddbcedba312258cd4105f0353313c1423084593 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 20 Jul 2016 00:38:41 +0200
Subject: [PATCH 55/96] Fixed error handling in SystemConfigService.
To help troubleshooting the SystemConfigService has been modified
to chain the original exception and to log stack trace into the
debug log.
https://fedorahosted.org/pki/ticket/2399
---
.../src/org/dogtagpki/server/rest/SystemConfigService.java | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 6fc37b5..95afa4c 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -782,7 +782,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
ConfigurationUtils.populateVLVIndexes();
}
} catch (Exception e) {
- e.printStackTrace();
+ CMS.debug(e);
throw new PKIException("Error in populating database: " + e, e);
}
}
@@ -1029,14 +1029,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
String tokenpwd = data.getTokenPassword();
ConfigurationUtils.loginToken(ctoken, tokenpwd);
} catch (NotInitializedException e) {
- throw new PKIException("Token is not initialized");
+ throw new PKIException("Token is not initialized", e);
} catch (NoSuchTokenException e) {
- throw new BadRequestException("Invalid Token provided. No such token.");
+ throw new BadRequestException("Invalid Token provided. No such token.", e);
} catch (TokenException e) {
- e.printStackTrace();
- throw new PKIException("Token Exception" + e);
+ CMS.debug(e);
+ throw new PKIException("Token Exception: " + e, e);
} catch (IncorrectPasswordException e) {
- throw new BadRequestException("Incorrect Password provided for token.");
+ throw new BadRequestException("Incorrect Password provided for token.", e);
}
}
}
--
1.8.3.1
From 3998429da6e4a96b1ec667436f1da6b96d0ca33c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 22 Jul 2016 13:35:54 +0200
Subject: [PATCH 56/96] Fixed param substitution problem.
The string splice operation in substitute_deployment_params() has
been fixed to include the rest of the string.
https://fedorahosted.org/pki/ticket/2399
---
base/server/python/pki/server/deployment/pkihelper.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 54ffe27..6ac68b1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1810,8 +1810,8 @@ class File:
line[begin:end + 1], value,
extra=config.PKI_INDENTATION_LEVEL_3)
- # replace parameter with value
- line = line[0:begin] + value + line[end + 1]
+ # replace parameter with value, keep the rest of the line
+ line = line[0:begin] + value + line[end + 1:]
# calculate the new end position
end = begin + len(value) + 1
--
1.8.3.1
From 215d07d0754a5397e5008e98fe42626e8de9e399 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Fri, 22 Jul 2016 14:43:21 -0700
Subject: [PATCH 57/96] Stop using a java8 only constant. Will allow
compilation with java7. Trivial fix.
---
.../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
index 9593816..db42cab 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
@@ -56,6 +56,8 @@ public class SecureChannelProtocol {
static final int PROTOCOL_THREE = 3;
static final int HOST_CRYPTOGRAM = 0;
static final int CARD_CRYPTOGRAM = 1;
+ //Size of long type in bytes, since java7 has no define for this
+ static final int LONG_SIZE = 8;
private SymmetricKey transportKey = null;
CryptoManager cryptoManager = null;
@@ -762,7 +764,7 @@ public class SecureChannelProtocol {
}
public static byte[] longToBytes(long x) {
- ByteBuffer buffer = ByteBuffer.allocate(Long.BYTES);
+ ByteBuffer buffer = ByteBuffer.allocate(LONG_SIZE);
buffer.putLong(x);
return buffer.array();
}
--
1.8.3.1
From a307cf68e91327ddbef4b9d7e2bbd3991354831f Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Fri, 22 Jul 2016 18:38:19 -0600
Subject: [PATCH 58/96] Allow PrettyPrintCert to process HEADERs and TRAILERs.
* PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements
Checked-in under one-liner/trivial rule.
---
base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
index 63451d0..882e7a1 100644
--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
@@ -137,7 +137,7 @@ if [ $# -eq 1 ] ||
then
if [ "$1" = "-simpleinfo" ]
then
- file $2 | grep 'ASCII text' > /dev/null
+ file $2 | grep -E 'ASCII text|PEM certificate' > /dev/null
if [ $? -ne 0 ] ; then
${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
printf "\n"
@@ -147,7 +147,7 @@ then
exit 255
fi
else
- file $1 | grep 'ASCII text' > /dev/null
+ file $1 | grep -E 'ASCII text|PEM certificate' > /dev/null
if [ $? -ne 0 ] ; then
${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
printf "\n"
--
1.8.3.1
From 3f4c9e4e7946f3f330b71cfe36a00ae933de2575 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 21 Jul 2016 02:26:24 +0200
Subject: [PATCH 59/96] Added CMake target dependencies.
To help troubleshooting build issues, some CMake dependencies have
been added to some targets even though the actual codes do not
require those dependencies. This will ensure the targets are built
sequentially so build failures can be found more easily at the end
of the build log.
https://fedorahosted.org/pki/ticket/2403
---
base/native-tools/src/tkstool/CMakeLists.txt | 2 +-
base/server/tomcat/src/CMakeLists.txt | 2 ++
base/tps-client/src/CMakeLists.txt | 1 +
base/tps-client/src/authentication/CMakeLists.txt | 1 +
base/tps-client/src/modules/tokendb/CMakeLists.txt | 1 +
base/tps-client/src/modules/tps/CMakeLists.txt | 1 +
base/tps-client/src/tus/CMakeLists.txt | 1 +
7 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/base/native-tools/src/tkstool/CMakeLists.txt b/base/native-tools/src/tkstool/CMakeLists.txt
index 8b07950..8c65717 100644
--- a/base/native-tools/src/tkstool/CMakeLists.txt
+++ b/base/native-tools/src/tkstool/CMakeLists.txt
@@ -34,7 +34,7 @@ set(tkstool_SRCS
include_directories(${TKSTOOL_PRIVATE_INCLUDE_DIRS})
add_executable(tkstool ${tkstool_SRCS})
-
+add_dependencies(tkstool pki-certsrv-jar)
target_link_libraries(tkstool ${TKSTOOL_LINK_LIBRARIES})
install(
diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
index 4cb40ad..c589758 100644
--- a/base/server/tomcat/src/CMakeLists.txt
+++ b/base/server/tomcat/src/CMakeLists.txt
@@ -135,4 +135,6 @@ javac(pki-tomcat-classes
${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR}
OUTPUT_DIR
${CMAKE_BINARY_DIR}/../../tomcat
+ DEPENDS
+ pki-certsrv-jar
)
diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt
index b0276f8..28ca2e4 100644
--- a/base/tps-client/src/CMakeLists.txt
+++ b/base/tps-client/src/CMakeLists.txt
@@ -129,6 +129,7 @@ set(tps_library_SRCS
include_directories(${TPS_PRIVATE_INCLUDE_DIRS})
add_library(${TPS_SHARED_LIBRARY} SHARED ${tps_library_SRCS})
+add_dependencies(${TPS_SHARED_LIBRARY} pki-tps-jar)
target_link_libraries(${TPS_SHARED_LIBRARY} ${TPS_LINK_LIBRARIES})
set_target_properties(
diff --git a/base/tps-client/src/authentication/CMakeLists.txt b/base/tps-client/src/authentication/CMakeLists.txt
index ba8ca07..b0ca83a 100644
--- a/base/tps-client/src/authentication/CMakeLists.txt
+++ b/base/tps-client/src/authentication/CMakeLists.txt
@@ -37,6 +37,7 @@ set(ldapauth_library_SRCS
include_directories(${LDAPAUTH_PRIVATE_INCLUDE_DIRS})
add_library(${LDAPAUTH_SHARED_LIBRARY} SHARED ${ldapauth_library_SRCS})
+add_dependencies(${LDAPAUTH_SHARED_LIBRARY} pki-tps-jar)
target_link_libraries(${LDAPAUTH_SHARED_LIBRARY} ${LDAPAUTH_LINK_LIBRARIES})
set_target_properties(${LDAPAUTH_SHARED_LIBRARY}
diff --git a/base/tps-client/src/modules/tokendb/CMakeLists.txt b/base/tps-client/src/modules/tokendb/CMakeLists.txt
index 7b6edae..94db88e 100644
--- a/base/tps-client/src/modules/tokendb/CMakeLists.txt
+++ b/base/tps-client/src/modules/tokendb/CMakeLists.txt
@@ -31,6 +31,7 @@ set(tokendb_module_SRCS
include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS})
add_library(${TOKENDB_MODULE} MODULE ${tokendb_module_SRCS})
+add_dependencies(${TOKENDB_MODULE} pki-tps-jar)
target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
set_target_properties(${TOKENDB_MODULE}
diff --git a/base/tps-client/src/modules/tps/CMakeLists.txt b/base/tps-client/src/modules/tps/CMakeLists.txt
index 275d8b3..ac990e5 100644
--- a/base/tps-client/src/modules/tps/CMakeLists.txt
+++ b/base/tps-client/src/modules/tps/CMakeLists.txt
@@ -35,6 +35,7 @@ set(tps_module_SRCS
include_directories(${TPS_PRIVATE_INCLUDE_DIRS})
add_library(${TPS_MODULE} MODULE ${tps_module_SRCS})
+add_dependencies(${TPS_MODULE} pki-tps-jar)
target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
set_target_properties(${TPS_MODULE}
diff --git a/base/tps-client/src/tus/CMakeLists.txt b/base/tps-client/src/tus/CMakeLists.txt
index 3148d9e..912075f 100644
--- a/base/tps-client/src/tus/CMakeLists.txt
+++ b/base/tps-client/src/tus/CMakeLists.txt
@@ -35,6 +35,7 @@ set(tokendb_library_SRCS
include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS})
add_library(${TOKENDB_SHARED_LIBRARY} SHARED ${tokendb_library_SRCS})
+add_dependencies(${TOKENDB_SHARED_LIBRARY} pki-tps-jar)
target_link_libraries(${TOKENDB_SHARED_LIBRARY} ${TOKENDB_LINK_LIBRARIES})
set_target_properties(${TOKENDB_SHARED_LIBRARY}
--
1.8.3.1
From 9e77b42d88da07e91a42966bc2d1ea9237e62f47 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 22 Jul 2016 17:31:20 +0200
Subject: [PATCH 60/96] Removed hard-coded paths in pki.policy.
The operations script has been modified to generate pki.policy
dynamically from links in the <instance>/common/lib directory.
This allows the pki.policy to match the actual paths in different
platforms.
https://fedorahosted.org/pki/ticket/2403
---
base/server/scripts/operations | 16 ++++-
base/server/share/conf/pki.policy | 132 +-------------------------------------
2 files changed, 17 insertions(+), 131 deletions(-)
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 14443c4..5991670 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -1352,10 +1352,24 @@ start_instance()
return $rv
fi
+ # Copy pki.policy template
+ /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf
+
+ # Add permissions for all JAR files in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib
+ for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*; do
+
+ cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF
+
+grant codeBase "file:$(realpath $path)" {
+ permission java.security.AllPermission;
+};
+EOF
+ done
+
# Generate catalina.policy dynamically.
cat /usr/share/pki/server/conf/catalina.policy \
/usr/share/tomcat/conf/catalina.policy \
- /usr/share/pki/server/conf/pki.policy \
+ /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy \
/var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
/var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index e281e01..7d8cfec 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -4,10 +4,10 @@
// --- END COPYRIGHT BLOCK ---
// ============================================================================
-// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7
+// pki.policy - Default Security Policy Permissions for PKI on Tomcat
//
// This file contains a default set of security policies for PKI running inside
-// Tomcat 7.
+// Tomcat.
// ============================================================================
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
@@ -22,42 +22,6 @@ grant codeBase "file:${catalina.base}/lib/-" {
permission java.security.AllPermission;
};
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/commons-codec.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-io.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-logging.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/ecj.jar" {
permission java.security.AllPermission;
};
@@ -70,18 +34,6 @@ grant codeBase "file:/usr/share/java/glassfish-jsp.jar" {
permission java.security.AllPermission;
};
-grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/javassist.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/jaxb-api.jar" {
permission java.security.AllPermission;
};
@@ -98,66 +50,10 @@ grant codeBase "file:/usr/share/java/jboss-web.jar" {
permission java.security.AllPermission;
};
-grant codeBase "file:/usr/share/java/jackson/jackson-core-asl.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-jaxrs.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mapper-asl.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mrbean.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-smile.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-xc.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/log4j.jar" {
permission java.security.AllPermission;
};
-grant codeBase "file:${RESTEASY_LIB}/jaxrs-api.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxrs.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jackson-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/scannotation.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/servlet.jar" {
permission java.security.AllPermission;
};
@@ -166,10 +62,6 @@ grant codeBase "file:/usr/share/java/tomcat/-" {
permission java.security.AllPermission;
};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
permission java.security.AllPermission;
};
@@ -178,22 +70,6 @@ grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
permission java.security.AllPermission;
};
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xerces-j2.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-apis.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" {
- permission java.security.AllPermission;
-};
-
grant codeBase "file:/usr/share/java/pki/-" {
permission java.security.AllPermission;
};
@@ -221,7 +97,3 @@ grant codeBase "file:${catalina.base}/webapps/tks/-" {
grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
permission java.security.AllPermission;
};
-
-grant codeBase "file:/usr/lib/java/nuxwdog.jar" {
- permission java.security.AllPermission;
-};
--
1.8.3.1
From ecbf1cded60cec973316584baf272ae4c7bae1dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 21 Jul 2016 05:08:25 +0200
Subject: [PATCH 61/96] Removed hard-coded paths in pki CLI.
The pki CLI has been modified to use java.ext.dirs property to
load the dependencies instead of listing them individually. The
dependencies are stored as links in /usr/share/pki/lib folder.
This allows the RPM spec to customize the links for different
platforms.
https://fedorahosted.org/pki/ticket/2403
---
base/common/CMakeLists.txt | 45 ++++++++++++++++++++++++++++++++++++++++++
base/common/share/etc/pki.conf | 3 +++
base/java-tools/bin/pki | 43 ++++------------------------------------
3 files changed, 52 insertions(+), 39 deletions(-)
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index 1213925..dc5cecf 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -11,6 +11,51 @@ configure_file(
${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf
)
+# Create /usr/share/pki/lib. This can be customized for different platforms in RPM spec.
+
+add_custom_target(pki-lib ALL)
+
+add_custom_command(
+ TARGET pki-lib
+ COMMAND ${CMAKE_COMMAND} -E make_directory lib
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-cli.jar lib/commons-cli.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar lib/commons-codec.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-httpclient.jar lib/commons-httpclient.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar lib/commons-io.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar lib/commons-lang.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar lib/commons-logging.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar lib/httpclient.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar lib/httpcore.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar lib/jackson-core-asl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar lib/jackson-jaxrs.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar lib/jackson-mapper-asl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar lib/jackson-mrbean.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar lib/jackson-smile.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar lib/jackson-xc.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar lib/ldapjdk.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar lib/resteasy-jaxb-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar lib/resteasy-jaxrs-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs-jandex.jar lib/resteasy-jaxrs-jandex.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar lib/resteasy-jaxrs.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/servlet.jar lib/servlet.jar
+)
+
+install(
+ DIRECTORY
+ ${CMAKE_CURRENT_BINARY_DIR}/lib/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/lib
+)
+
install(
FILES
${CMAKE_CURRENT_SOURCE_DIR}/share/etc/logging.properties
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
index f43d914..97f3777 100644
--- a/base/common/share/etc/pki.conf
+++ b/base/common/share/etc/pki.conf
@@ -4,5 +4,8 @@ JAVA_HOME=${JAVA_HOME}
# JNI jar file location
JNI_JAR_DIR=/usr/lib/java
+# PKI library
+PKI_LIB=/usr/share/pki/lib
+
# logging configuration location
LOGGING_CONFIG=/usr/share/pki/etc/logging.properties
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index c1ba34e..ba321be 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -76,11 +76,11 @@ class PKICLI(pki.cli.CLI):
shell=True)
java_home = value.decode(sys.getfilesystemencoding()).strip()
- # read RESTEasy library path
+ # read PKI library
value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $RESTEASY_LIB',
+ '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
shell=True)
- resteasy_lib = value.decode(sys.getfilesystemencoding()).strip()
+ pki_lib = value.decode(sys.getfilesystemencoding()).strip()
# read logging configuration path
value = subprocess.check_output(
@@ -88,44 +88,9 @@ class PKICLI(pki.cli.CLI):
shell=True)
logging_config = value.decode(sys.getfilesystemencoding()).strip()
- # construct classpath
- classpath = [
- '/usr/share/java/commons-cli.jar',
- '/usr/share/java/commons-codec.jar',
- '/usr/share/java/commons-httpclient.jar',
- '/usr/share/java/commons-io.jar',
- '/usr/share/java/commons-lang.jar',
- '/usr/share/java/commons-logging.jar',
- '/usr/share/java/httpcomponents/httpclient.jar',
- '/usr/share/java/httpcomponents/httpcore.jar',
- '/usr/share/java/jackson/jackson-core-asl.jar',
- '/usr/share/java/jackson/jackson-jaxrs.jar',
- '/usr/share/java/jackson/jackson-mapper-asl.jar',
- '/usr/share/java/jackson/jackson-mrbean.jar',
- '/usr/share/java/jackson/jackson-smile.jar',
- '/usr/share/java/jackson/jackson-xc.jar',
- '/usr/share/java/jaxb-api.jar',
- '/usr/share/java/ldapjdk.jar',
- '/usr/share/java/servlet.jar',
- resteasy_lib + '/jaxrs-api.jar',
- resteasy_lib + '/resteasy-atom-provider.jar',
- resteasy_lib + '/resteasy-client.jar',
- resteasy_lib + '/resteasy-jaxb-provider.jar',
- resteasy_lib + '/resteasy-jaxrs.jar',
- resteasy_lib + '/resteasy-jaxrs-jandex.jar',
- resteasy_lib + '/resteasy-jackson-provider.jar',
- '/usr/share/java/pki/pki-nsutil.jar',
- '/usr/share/java/pki/pki-cmsutil.jar',
- '/usr/share/java/pki/pki-certsrv.jar',
- '/usr/share/java/pki/pki-tools.jar',
- '/usr/lib64/java/jss4.jar',
- '/usr/lib/java/jss4.jar'
- ]
-
cmd = [
java_home + '/bin/java',
- '-cp',
- ':'.join(classpath),
+ '-Djava.ext.dirs=' + pki_lib,
'-Djava.util.logging.config.file=' + logging_config,
'com.netscape.cmstools.cli.MainCLI'
]
--
1.8.3.1
From 4926aace5cf0be65ddddf51c031e6cac6646a1dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 21 Jul 2016 05:08:25 +0200
Subject: [PATCH 63/96] Removed hard-coded paths in deployment tool.
The deployment tool has been modified to link <instance>/common
to /usr/share/pki/server/common instead of creating separate links
for each dependency. This allows the RPM spec to customize the
links for different platforms.
https://fedorahosted.org/pki/ticket/2403
---
base/server/CMakeLists.txt | 47 +++++++
base/server/etc/default.cfg | 82 ------------
.../deployment/scriptlets/instance_layout.py | 143 +--------------------
base/server/scripts/operations | 79 ------------
4 files changed, 54 insertions(+), 297 deletions(-)
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 5a6aea9..27470f3 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -21,6 +21,53 @@ set(APACHE_SUBSYSTEMS
tps
)
+# Create /usr/share/pki/server/common/lib. This can be customized for different platforms in RPM spec.
+
+add_custom_target(pki-server-common-lib ALL)
+
+add_custom_command(
+ TARGET pki-server-common-lib
+ COMMAND ${CMAKE_COMMAND} -E make_directory common/lib
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar common/lib/commons-codec.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-collections.jar common/lib/commons-collections.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar common/lib/commons-io.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar common/lib/commons-lang.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar common/lib/commons-logging.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar common/lib/httpclient.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar common/lib/httpcore.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar common/lib/jackson-core-asl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar common/lib/jackson-jaxrs.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar common/lib/jackson-mapper-asl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar common/lib/jackson-mrbean.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar common/lib/jackson-smile.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar common/lib/jackson-xc.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/javassist.jar common/lib/javassist.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar common/lib/resteasy-jaxb-provider.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-apis.jar common/lib/xml-commons-apis.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-resolver.jar common/lib/xml-commons-resolver.jar
+)
+
+install(
+ DIRECTORY
+ ${CMAKE_CURRENT_BINARY_DIR}/common/lib/
+ DESTINATION
+ ${DATA_INSTALL_DIR}/server/common/lib
+)
+
install(
DIRECTORY
man/
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index edd2632..4919cb4 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -268,88 +268,6 @@ pki_tomcat_subsystem_webapps_path=%(pki_subsystem_path)s/webapps
pki_tomcat_webapps_subsystem_path=%(pki_tomcat_subsystem_webapps_path)s/%(pki_subsystem_type)s
pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes
pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib
-pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar
-pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar
-pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar
-pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar
-pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar
-pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar
-
-
-# JAR paths
-# These are used in the processing of pkispawn and are not supposed
-# to be overwritten by user configuration files
-pki_jss_jar=%(jni_jar_dir)s/jss4.jar
-pki_symkey_jar=%(jni_jar_dir)s/symkey.jar
-pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar
-pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar
-pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar
-pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar
-pki_commons_codec_jar=/usr/share/java/commons-codec.jar
-pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar
-pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar
-pki_javassist_jar=/usr/share/java/javassist.jar
-pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar
-pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar
-pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar
-pki_cmscore=/usr/share/java/pki/pki-cmscore.jar
-pki_cms=/usr/share/java/pki/pki-cms.jar
-pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar
-pki_nsutil=/usr/share/java/pki/pki-nsutil.jar
-pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar
-pki_scannotation_jar=/usr/share/java/scannotation.jar
-pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar
-pki_velocity_jar=/usr/share/java/velocity.jar
-pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar
-pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar
-pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar
-pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar
-pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar
-pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar
-pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar
-pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar
-pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar
-pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar
-pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar
-pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar
-pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar
-pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar
-pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar
-pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar
-pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar
-pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar
-pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar
-pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar
-pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar
-pki_ca_jar=/usr/share/java/pki/pki-ca.jar
-pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar
-pki_kra_jar=/usr/share/java/pki/pki-kra.jar
-pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar
-pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar
-pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar
-pki_tks_jar=/usr/share/java/pki/pki-tks.jar
-pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar
-pki_tps_jar=/usr/share/java/pki/pki-tps.jar
-pki_tps_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tps.jar
-
-# Jackson
-pki_jackson_core_asl_jar=/usr/share/java/jackson/jackson-core-asl.jar
-pki_jackson_jaxrs_jar=/usr/share/java/jackson/jackson-jaxrs.jar
-pki_jackson_mapper_asl_jar=/usr/share/java/jackson/jackson-mapper-asl.jar
-pki_jackson_mrbean_jar=/usr/share/java/jackson/jackson-mrbean.jar
-pki_jackson_smile_jar=/usr/share/java/jackson/jackson-smile.jar
-pki_jackson_xc_jar=/usr/share/java/jackson/jackson-xc.jar
-
-# RESTEasy
-pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar
-pki_resteasy_client_jar=%(resteasy_lib)s/resteasy-client.jar
-pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar
-pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar
-pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar
-pki_resteasy_jackson_provider_jar=%(resteasy_lib)s/resteasy-jackson-provider.jar
-
-# nuxwdog
-pki_nuxwdog_client_jar=/usr/lib/java/nuxwdog.jar
###############################################################################
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
index 57f8537..c470c7f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
@@ -122,11 +122,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
"localhost",
"pki#js.xml"))
- # establish Tomcat instance base
- deployer.directory.create(deployer.mdict['pki_tomcat_common_path'])
- deployer.directory.create(
- deployer.mdict['pki_tomcat_common_lib_path'])
- # establish Tomcat instance library
+ # Create Tomcat instance library
deployer.directory.create(deployer.mdict['pki_instance_lib'])
for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']):
deployer.symlink.create(
@@ -139,6 +135,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.symlink.create(
deployer.mdict['pki_instance_conf_log4j_properties'],
deployer.mdict['pki_instance_lib_log4j_properties'])
+
+ # Link /var/lib/pki/<instance>/common to /usr/share/pki/server/common
+ deployer.symlink.create(
+ '/usr/share/pki/server/common',
+ deployer.mdict['pki_tomcat_common_path'])
+
deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path'])
deployer.directory.create(deployer.mdict['pki_tomcat_work_path'])
@@ -160,129 +162,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_tomcat_systemd'],
deployer.mdict['pki_instance_systemd_link'],
uid=0, gid=0)
- # establish Tomcat instance common lib jar symbolic links
- deployer.symlink.create(
- deployer.mdict['pki_apache_commons_collections_jar'],
- deployer.mdict['pki_apache_commons_collections_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_apache_commons_io_jar'],
- deployer.mdict['pki_apache_commons_io_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_apache_commons_lang_jar'],
- deployer.mdict['pki_apache_commons_lang_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_apache_commons_logging_jar'],
- deployer.mdict['pki_apache_commons_logging_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_commons_codec_jar'],
- deployer.mdict['pki_commons_codec_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_httpclient_jar'],
- deployer.mdict['pki_httpclient_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_httpcore_jar'],
- deployer.mdict['pki_httpcore_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_javassist_jar'],
- deployer.mdict['pki_javassist_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_jss_jar'],
- deployer.mdict['pki_jss_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_ldapjdk_jar'],
- deployer.mdict['pki_ldapjdk_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_tomcat_jar'],
- deployer.mdict['pki_tomcat_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_scannotation_jar'],
- deployer.mdict['pki_scannotation_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_tomcatjss_jar'],
- deployer.mdict['pki_tomcatjss_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_velocity_jar'],
- deployer.mdict['pki_velocity_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_xerces_j2_jar'],
- deployer.mdict['pki_xerces_j2_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_xml_commons_apis_jar'],
- deployer.mdict['pki_xml_commons_apis_jar_link'])
- deployer.symlink.create(
- deployer.mdict['pki_xml_commons_resolver_jar'],
- deployer.mdict['pki_xml_commons_resolver_jar_link'])
-
- # Jackson
- deployer.symlink.create(
- deployer.mdict['pki_jackson_core_asl_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-core-asl.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_jackson_jaxrs_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-jaxrs.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_jackson_mapper_asl_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-mapper-asl.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_jackson_mrbean_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-mrbean.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_jackson_smile_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-smile.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_jackson_xc_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jackson-xc.jar'))
-
- # RESTEasy
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_atom_provider_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'resteasy-atom-provider.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_client_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'resteasy-client.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_jaxb_provider_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'resteasy-jaxb-provider.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_jaxrs_api_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'jaxrs-api.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_jaxrs_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'resteasy-jaxrs.jar'))
- deployer.symlink.create(
- deployer.mdict['pki_resteasy_jackson_provider_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'resteasy-jackson-provider.jar'))
-
- # nuxwdog
- deployer.symlink.create(
- deployer.mdict['pki_nuxwdog_client_jar'],
- os.path.join(
- deployer.mdict['pki_tomcat_common_lib_path'],
- 'nuxwdog.jar'))
# establish shared NSS security databases for this instance
deployer.directory.create(deployer.mdict['pki_database_path'])
@@ -297,14 +176,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
deployer.mdict['pki_instance_log_path'],
deployer.mdict['pki_instance_logs_link'])
- # create the sym link to symkey regardless of subsystem
- # as long as pki-symkey is installed on the system
- if os.path.exists(deployer.mdict['pki_symkey_jar']):
- if not os.path.exists(deployer.mdict['pki_symkey_jar_link']):
- deployer.symlink.create(
- deployer.mdict['pki_symkey_jar'],
- deployer.mdict['pki_symkey_jar_link'])
-
# create Tomcat instance systemd service link
deployer.symlink.create(deployer.mdict['pki_systemd_service'],
deployer.mdict['pki_systemd_service_link'])
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 5991670..5b50178 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -909,7 +909,6 @@ verify_symlinks()
declare -A ocsp_symlinks
declare -A tks_symlinks
declare -A tps_symlinks
- declare -A common_jar_symlinks
declare -A ca_jar_symlinks
declare -A kra_jar_symlinks
declare -A ocsp_jar_symlinks
@@ -985,75 +984,6 @@ verify_symlinks()
[logs]=/var/log/pki/${PKI_INSTANCE_NAME}/tps
[registry]=${pki_registry_dir})
- # '${pki_common_jar_dir}' symlinks
- if ! $debian; then
- common_jar_symlinks=(
- [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
- [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
- [apache-commons-io.jar]=${java_dir}/apache-commons-io.jar
- [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
- [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
- [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
- [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar
- [javassist.jar]=${java_dir}/javassist.jar
- [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
- [jackson-core-asl.jar]=${java_dir}/jackson/jackson-core-asl.jar
- [jackson-jaxrs.jar]=${java_dir}/jackson/jackson-jaxrs.jar
- [jackson-mapper-asl.jar]=${java_dir}/jackson/jackson-mapper-asl.jar
- [jackson-mrbean.jar]=${java_dir}/jackson/jackson-mrbean.jar
- [jackson-smile.jar]=${java_dir}/jackson/jackson-smile.jar
- [jackson-xc.jar]=${java_dir}/jackson/jackson-xc.jar
- [jss4.jar]=${jni_jar_dir}/jss4.jar
- [ldapjdk.jar]=${java_dir}/ldapjdk.jar
- [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
- [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
- [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
- [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
- [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
- [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
- [scannotation.jar]=${java_dir}/scannotation.jar
- [tomcatjss.jar]=${java_dir}/tomcatjss.jar
- [velocity.jar]=${java_dir}/velocity.jar
- [xerces-j2.jar]=${java_dir}/xerces-j2.jar
- [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar
- [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar)
- else
- common_jar_symlinks=(
- [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
- [apache-commons-collections.jar]=${java_dir}/commons-collections3.jar
- [apache-commons-io.jar]=${java_dir}/commons-io.jar
- [apache-commons-lang.jar]=${java_dir}/commons-lang.jar
- [apache-commons-logging.jar]=${java_dir}/commons-logging.jar
- [httpclient.jar]=${java_dir}/httpclient.jar
- [httpcore.jar]=${java_dir}/httpcore.jar
- [javassist.jar]=${java_dir}/javassist.jar
- [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
- [jackson-core-asl.jar]=${java_dir}/jackson-core-asl.jar
- [jackson-jaxrs.jar]=${java_dir}/jackson-jaxrs.jar
- [jackson-mapper-asl.jar]=${java_dir}/jackson-mapper-asl.jar
- [jackson-mrbean.jar]=${java_dir}/jackson-mrbean.jar
- [jackson-smile.jar]=${java_dir}/jackson-smile.jar
- [jackson-xc.jar]=${java_dir}/jackson-xc.jar
- [jss4.jar]=${jni_jar_dir}/jss4.jar
- [ldapjdk.jar]=${java_dir}/ldapjdk.jar
- [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
- [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
- [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
- [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
- [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
- [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
- [scannotation.jar]=${java_dir}/scannotation.jar
- [tomcatjss.jar]=${java_dir}/tomcatjss.jar
- [velocity.jar]=${java_dir}/velocity.jar
- [xerces-j2.jar]=${java_dir}/xercesImpl.jar
- [xml-commons-apis.jar]=${java_dir}/xml-apis.jar
- [xml-commons-resolver.jar]=${java_dir}/xml-resolver.jar)
- fi
-
- if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
- common_jar_symlinks[symkey.jar]=${jni_jar_dir}/symkey.jar
- fi
-
# '${pki_systemd_dir}' symlinks
systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
@@ -1132,15 +1062,6 @@ verify_symlinks()
fi
fi
- # Detect and correct 'common_jar_symlinks'
- common_jar_symlinks_string=$(declare -p common_jar_symlinks)
- eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
- check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
- rv=$?
- if [ $rv -ne 0 ]; then
- return $rv
- fi
-
# Detect and correct 'systemd_symlinks'
systemd_symlinks_string=$(declare -p systemd_symlinks)
eval "declare -A symlinks=${systemd_symlinks_string#*=}"
--
1.8.3.1
From 0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Wed, 27 Jul 2016 11:43:33 -0700
Subject: [PATCH 66/96] Make starting CRL Number configurable.
Ticket #2406 Make starting CRL Number configurable
This simple patch provides a pkispawn config param that passes
some starting crl number value to the config process.
Here is a sample:
[CA]
pki_ca_starting_crl_number=4000
After the CA comes up the value of "crlNumber" in the db will
reflect that value of 4000.
Currently no other values are changed. We can talk about if we
need more values reset in the given case.
Also, this creates a setting in the CS.cfg
ca.crl.MasterCrl.startingCrlNumber=4000
This setting is only consulted when the crl Issuing Point record is created
for the first time.
---
base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 65 +++++++++++++++-------
.../server/ca/rest/CAInstallerService.java | 7 +++
.../certsrv/system/ConfigurationRequest.java | 12 ++++
base/server/etc/default.cfg | 1 +
.../python/pki/server/deployment/pkihelper.py | 4 ++
5 files changed, 69 insertions(+), 20 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index fc9e6a3..a593eb8 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -31,6 +31,23 @@ import java.util.StringTokenizer;
import java.util.TimeZone;
import java.util.Vector;
+import netscape.security.util.BitArray;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLNumberExtension;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.DeltaCRLIndicatorExtension;
+import netscape.security.x509.Extension;
+import netscape.security.x509.FreshestCRLExtension;
+import netscape.security.x509.IssuingDistributionPoint;
+import netscape.security.x509.IssuingDistributionPointExtension;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.RevokedCertificate;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509ExtensionException;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
@@ -66,23 +83,6 @@ import com.netscape.cmscore.dbs.CertRecord;
import com.netscape.cmscore.dbs.CertificateRepository;
import com.netscape.cmscore.util.Debug;
-import netscape.security.util.BitArray;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLNumberExtension;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.DeltaCRLIndicatorExtension;
-import netscape.security.x509.Extension;
-import netscape.security.x509.FreshestCRLExtension;
-import netscape.security.x509.IssuingDistributionPoint;
-import netscape.security.x509.IssuingDistributionPointExtension;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.RevokedCertificate;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
-
/**
* This class encapsulates CRL issuing mechanism. CertificateAuthority
* contains a map of CRLIssuingPoint indexed by string ids. Each issuing
@@ -112,6 +112,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
private static final int CRL_PAGE_SIZE = 10000;
+ private static final String PROP_CRL_STARTING_NUMBER = "startingCrlNumber";
+
/* configuration file property names */
public IPublisherProcessor mPublisherProcessor = null;
@@ -923,13 +925,36 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
if (crlRecord == null) {
// no crl was ever created, or crl in db is corrupted.
// create new one.
+
+ IConfigStore ipStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE).getSubStore(mId);
try {
- crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1),
+
+ BigInteger startingCrlNumberBig = ipStore.getBigInteger(PROP_CRL_STARTING_NUMBER, BigInteger.ZERO);
+ CMS.debug("startingCrlNumber: " + startingCrlNumberBig);
+
+ // Check for bogus negative value
+
+ if(startingCrlNumberBig.compareTo(BigInteger.ZERO) < 0) {
+ //Make it the default of ZERO
+ startingCrlNumberBig = BigInteger.ZERO;
+ }
+
+ crlRecord = new CRLIssuingPointRecord(mId, startingCrlNumberBig, Long.valueOf(-1),
null, null, BigInteger.ZERO, Long.valueOf(-1),
mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
mCRLRepository.addCRLIssuingPointRecord(crlRecord);
- mCRLNumber = BigInteger.ZERO; //BIG_ZERO;
- mNextCRLNumber = BigInteger.ONE; //BIG_ONE;
+ mCRLNumber = startingCrlNumberBig;
+
+ // The default case calls for ZERO being the starting point where
+ // it is then incremented by one to ONE
+ // If we specificy an explicit starting point,
+ // We want that exact number to be the next CRL Number.
+ if(mCRLNumber.compareTo(BigInteger.ZERO) == 0) {
+ mNextCRLNumber = BigInteger.ONE;
+ } else {
+ mNextCRLNumber = mCRLNumber;
+ }
+
mLastCRLNumber = mCRLNumber;
mDeltaCRLNumber = mCRLNumber;
mNextDeltaCRLNumber = mNextCRLNumber;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
index e1b7160..3c7e483 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
@@ -80,6 +80,8 @@ public class CAInstallerService extends SystemConfigService {
disableCRLCachingAndGenerationForClone(request);
}
+ configureStartingCRLNumber(request);
+
} catch (Exception e) {
CMS.debug(e);
throw new PKIException("Errors in determining if security domain host is a master CA");
@@ -187,6 +189,11 @@ public class CAInstallerService extends SystemConfigService {
configStore.commit(false /* no backup */);
}
+ private void configureStartingCRLNumber(ConfigurationRequest data) {
+ CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
+ cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
+
+ }
private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
CMS.debug("CAInstallerService:disableCRLCachingAndGenerationForClone entering.");
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index 890f7d0..cd9d3c8 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -234,6 +234,9 @@ public class ConfigurationRequest {
@XmlElement
protected String sharedDBUserDN;
+ @XmlElement
+ protected String startingCRLNumber;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -932,6 +935,14 @@ public class ConfigurationRequest {
this.subordinateSecurityDomainName = subordinateSecurityDomainName;
}
+ public String getStartingCRLNumber() {
+ return startingCRLNumber;
+ }
+
+ public void setStartingCRLNumber(String startingCRLNumber) {
+ this.startingCRLNumber = startingCRLNumber;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
@@ -995,6 +1006,7 @@ public class ConfigurationRequest {
", setupReplication=" + setupReplication +
", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
", reindexData=" + reindexData +
+ ", startingCrlNumber=" + startingCRLNumber +
"]";
}
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 4919cb4..3a7e005 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -296,6 +296,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name
pki_ca_signing_token=Internal Key Storage Token
pki_ca_signing_csr_path=
pki_ca_signing_cert_path=
+pki_ca_starting_crl_number=0
pki_external=False
pki_req_ext_add=False
# MS subca request ext data
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 6ac68b1..8a1dbdd 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4113,6 +4113,10 @@ class ConfigClient:
if self.subsystem == "TPS":
self.set_tps_parameters(data)
+ # Misc CA parameters
+ if self.subsystem == "CA":
+ data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
+
return data
def save_admin_csr(self):
--
1.8.3.1
From f990cb0dee46df211c2c7212ca0165465b5f3531 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sun, 24 Jul 2016 07:36:36 +0200
Subject: [PATCH 67/96] Added upgrade scripts to fix server library.
An upgrade script has been added to replace the <instance>/common
in existing instances with a link to /usr/share/pki/server/common
which contains links to server dependencies.
https://fedorahosted.org/pki/ticket/2403
---
base/common/upgrade/10.3.4/.gitignore | 4 +++
base/common/upgrade/10.3.5/.gitignore | 4 +++
base/server/upgrade/10.3.4/.gitignore | 4 +++
base/server/upgrade/10.3.5/01-FixServerLibrary | 46 ++++++++++++++++++++++++++
4 files changed, 58 insertions(+)
create mode 100644 base/common/upgrade/10.3.4/.gitignore
create mode 100644 base/common/upgrade/10.3.5/.gitignore
create mode 100644 base/server/upgrade/10.3.4/.gitignore
create mode 100644 base/server/upgrade/10.3.5/01-FixServerLibrary
diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/base/common/upgrade/10.3.4/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/base/common/upgrade/10.3.5/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/base/server/upgrade/10.3.4/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.3.5/01-FixServerLibrary b/base/server/upgrade/10.3.5/01-FixServerLibrary
new file mode 100644
index 0000000..79d4965
--- /dev/null
+++ b/base/server/upgrade/10.3.5/01-FixServerLibrary
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import shutil
+import pki.server.upgrade
+
+
+class FixServerLibrary(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(FixServerLibrary, self).__init__()
+ self.message = 'Fix server library'
+
+ def upgrade_instance(self, instance):
+
+ common_dir = os.path.join(instance.base_dir, 'common')
+
+ # if <instance>/common is already a link, skip
+ if os.path.islink(common_dir):
+ return
+
+ # remove old <instance>/common
+ shutil.rmtree(common_dir)
+
+ # link <instance>/common to /usr/share/pki/server/common
+ os.symlink('/usr/share/pki/server/common', common_dir)
+ os.lchown(common_dir, instance.uid, instance.gid)
--
1.8.3.1
From ba1e18ba4c9c47930efa0cdfc46fe326f71d3cd4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 27 Jul 2016 19:51:37 +0200
Subject: [PATCH 68/96] Fixed SELinux contexts.
The deployment tool has been modified to set up SELinux contexts
after all instance files have been created to ensure they have the
correct contexts.
An upgrade script has been added to fix existing instances.
https://fedorahosted.org/pki/ticket/2421
---
base/server/etc/default.cfg | 2 +-
base/server/python/pki/server/__init__.py | 7 ++++-
base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 ++++++++++++++++++++++++
3 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 3a7e005..24e4a43 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -39,10 +39,10 @@ spawn_scriplets=
infrastructure_layout
instance_layout
subsystem_layout
- selinux_setup
webapp_deployment
slot_substitution
security_databases
+ selinux_setup
configuration
finalization
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 03bb225..13b3258 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -39,7 +39,10 @@ import pki.nssdb
import pki.util
INSTANCE_BASE_DIR = '/var/lib/pki'
+CONFIG_BASE_DIR = '/etc/pki'
+LOG_BASE_DIR = '/var/log/pki'
REGISTRY_DIR = '/etc/sysconfig/pki'
+
SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
SUBSYSTEM_CLASSES = {}
@@ -476,7 +479,9 @@ class PKIInstance(object):
else:
self.base_dir = os.path.join(pki.BASE_DIR, name)
- self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)
+ self.log_dir = os.path.join(LOG_BASE_DIR, name)
+
self.password_conf = os.path.join(self.conf_dir, 'password.conf')
self.external_certs_conf = os.path.join(
self.conf_dir, 'external_certs.conf')
diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
new file mode 100644
index 0000000..f3d981e
--- /dev/null
+++ b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import selinux
+import pki.server.upgrade
+
+
+class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(FixSELinuxContexts, self).__init__()
+ self.message = 'Fix SELinux contexts'
+
+ def upgrade_instance(self, instance):
+
+ selinux.restorecon(instance.base_dir, True)
+ selinux.restorecon(instance.conf_dir, True)
+ selinux.restorecon(instance.log_dir, True)
--
1.8.3.1
From 0f6ddc442d2ac2c166126295dbce32f0c682e0fe Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 28 Jul 2016 10:36:50 +0100
Subject: [PATCH 70/96] Re-license the python client files to LGPLv3
---
base/common/LICENSE.LESSER | 170 +++++++++++++++++++++++++++++++++
base/common/python/pki/__init__.py | 13 +--
base/common/python/pki/account.py | 13 +--
base/common/python/pki/authority.py | 13 +--
base/common/python/pki/cert.py | 13 +--
base/common/python/pki/cli/__init__.py | 13 +--
base/common/python/pki/cli/pkcs12.py | 13 +--
base/common/python/pki/client.py | 13 +--
base/common/python/pki/crypto.py | 13 +--
base/common/python/pki/encoder.py | 17 ++++
base/common/python/pki/feature.py | 13 +--
base/common/python/pki/key.py | 13 +--
base/common/python/pki/kra.py | 13 +--
base/common/python/pki/nssdb.py | 13 +--
base/common/python/pki/profile.py | 13 +--
base/common/python/pki/system.py | 13 +--
base/common/python/pki/systemcert.py | 13 +--
base/common/python/pki/upgrade.py | 13 +--
base/common/python/pki/util.py | 13 +--
base/common/python/setup.py | 16 ++--
20 files changed, 314 insertions(+), 110 deletions(-)
create mode 100644 base/common/LICENSE.LESSER
diff --git a/base/common/LICENSE.LESSER b/base/common/LICENSE.LESSER
new file mode 100644
index 0000000..ca70b83
--- /dev/null
+++ b/base/common/LICENSE.LESSER
@@ -0,0 +1,170 @@
+The Python client code is released under LGPLv3+.
+This license is provided below:
+******************************************************************************
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+ This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+ As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+ "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+ An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+ A "Combined Work" is a work produced by combining or linking an
+Application with the Library. The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+ The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+ The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+ You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+ If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+ a) under this License, provided that you make a good faith effort to
+ ensure that, in the event an Application does not supply the
+ function or data, the facility still operates, and performs
+ whatever part of its purpose remains meaningful, or
+
+ b) under the GNU GPL, with none of the additional permissions of
+ this License applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+ The object code form of an Application may incorporate material from
+a header file that is part of the Library. You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+ a) Give prominent notice with each copy of the object code that the
+ Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the object code with a copy of the GNU GPL and this license
+ document.
+
+ 4. Combined Works.
+
+ You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+ a) Give prominent notice with each copy of the Combined Work that
+ the Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the Combined Work with a copy of the GNU GPL and this license
+ document.
+
+ c) For a Combined Work that displays copyright notices during
+ execution, include the copyright notice for the Library among
+ these notices, as well as a reference directing the user to the
+ copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+ 0) Convey the Minimal Corresponding Source under the terms of this
+ License, and the Corresponding Application Code in a form
+ suitable for, and under terms that permit, the user to
+ recombine or relink the Application with a modified version of
+ the Linked Version to produce a modified Combined Work, in the
+ manner specified by section 6 of the GNU GPL for conveying
+ Corresponding Source.
+
+ 1) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (a) uses at run time
+ a copy of the Library already present on the user's computer
+ system, and (b) will operate properly with a modified version
+ of the Library that is interface-compatible with the Linked
+ Version.
+
+ e) Provide Installation Information, but only if you would otherwise
+ be required to provide such information under section 6 of the
+ GNU GPL, and only to the extent that such information is
+ necessary to install and execute a modified version of the
+ Combined Work produced by recombining or relinking the
+ Application with a modified version of the Linked Version. (If
+ you use option 4d0, the Installation Information must accompany
+ the Minimal Corresponding Source and Corresponding Application
+ Code. If you use option 4d1, you must provide the Installation
+ Information in the manner specified by section 6 of the GNU GPL
+ for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+ You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+ a) Accompany the combined library with a copy of the same work based
+ on the Library, uncombined with any other library facilities,
+ conveyed under the terms of this License.
+
+ b) Give prominent notice with the combined library that part of it
+ is a work based on the Library, and explaining where to find the
+ accompanying uncombined form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+ The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+ If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+
diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
index 4c4b88a..5d2a143 100644
--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/account.py b/base/common/python/pki/account.py
index ee7507b..62d22fc 100644
--- a/base/common/python/pki/account.py
+++ b/base/common/python/pki/account.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
index 8827db8..00c6fd9 100644
--- a/base/common/python/pki/authority.py
+++ b/base/common/python/pki/authority.py
@@ -1,15 +1,16 @@
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2014 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py
index 05db87c..c53d757 100644
--- a/base/common/python/pki/cert.py
+++ b/base/common/python/pki/cert.py
@@ -1,15 +1,16 @@
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2014 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/cli/__init__.py b/base/common/python/pki/cli/__init__.py
index 3be9cce..2bed317 100644
--- a/base/common/python/pki/cli/__init__.py
+++ b/base/common/python/pki/cli/__init__.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2015 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index ded79c7..8934d33 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2016 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 230c236..7e91046 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 60e83c9..86fa16e 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -2,17 +2,18 @@
# Ade Lee <alee@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
index f830601..8485ab8 100644
--- a/base/common/python/pki/encoder.py
+++ b/base/common/python/pki/encoder.py
@@ -1,3 +1,20 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
from __future__ import absolute_import
import base64
diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py
index 45af63c..0e5171d 100644
--- a/base/common/python/pki/feature.py
+++ b/base/common/python/pki/feature.py
@@ -1,15 +1,16 @@
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2014 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index 28c0e96..14e0b14 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -1,15 +1,16 @@
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
index 522773b..b98f856 100644
--- a/base/common/python/pki/kra.py
+++ b/base/common/python/pki/kra.py
@@ -3,17 +3,18 @@
# Ade Lee <alee@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index f563fd8..a0b0302 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2015 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py
index c463a6b..a2e7621 100644
--- a/base/common/python/pki/profile.py
+++ b/base/common/python/pki/profile.py
@@ -1,15 +1,16 @@
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2014 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py
index 45aa0d6..cbb908f 100644
--- a/base/common/python/pki/system.py
+++ b/base/common/python/pki/system.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/systemcert.py b/base/common/python/pki/systemcert.py
index ed41be9..9bf4678 100644
--- a/base/common/python/pki/systemcert.py
+++ b/base/common/python/pki/systemcert.py
@@ -2,17 +2,18 @@
# Ade Lee <alee@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py
index 2261ba8..3106c70 100644
--- a/base/common/python/pki/upgrade.py
+++ b/base/common/python/pki/upgrade.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 2cac1d8..95a3670 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -2,17 +2,18 @@
# Endi S. Dewata <edewata@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2013 Red Hat, Inc.
# All rights reserved.
diff --git a/base/common/python/setup.py b/base/common/python/setup.py
index 2ab0337..86e0704 100644
--- a/base/common/python/setup.py
+++ b/base/common/python/setup.py
@@ -2,17 +2,17 @@
# Christian Heimes <cheimes@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2015 Red Hat, Inc.
# All rights reserved.
@@ -81,7 +81,7 @@ hardened by real-world deployments. It supports all aspects of certificate
lifecycle management, including key archival, OCSP and smartcard management,
and much more. The Dogtag Certificate System can be downloaded for free
and set up in less than an hour.""",
- license='GPL',
+ license='LGPLv3+',
keywords='pki x509 cert certificate',
url='http://pki.fedoraproject.org/',
packages=['pki', 'pki.cli'],
@@ -93,7 +93,7 @@ and set up in less than an hour.""",
'Operating System :: OS Independent',
'Programming Language :: Python :: 2.7',
'Programming Language :: Python :: 3.4',
- 'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
+ 'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
'Topic :: Security :: Cryptography',
],
)
--
1.8.3.1
From d85080be85eb54756d9db69302a6117cef063017 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 29 Jul 2016 12:23:39 +0100
Subject: [PATCH 71/96] Do slot substitution for SERVER_KEYGEN
Ticket 2418
---
base/server/config/pkislots.cfg | 1 +
base/server/python/pki/server/deployment/pkiparser.py | 2 ++
2 files changed, 3 insertions(+)
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 473b0da..3873b83 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -64,6 +64,7 @@ PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
PKI_USER_SLOT=[PKI_USER]
PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
+SERVER_KEYGEN_SLOT=[SERVER_KEYGEN]
TOKENDB_HOST_SLOT=[TOKENDB_HOST]
TOKENDB_PORT_SLOT={TOKENDB_PORT]
TOKENDB_ROOT_SLOT=[TOKENDB_ROOT]
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index d940e2c..622f87e 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -941,6 +941,8 @@ class PKIConfigParser:
"tomcat"
self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
"webapps"
+ self.mdict['SERVER_KEYGEN_SLOT'] = \
+ self.mdict['pki_enable_server_side_keygen']
self.mdict['TOMCAT_CFG_SLOT'] = \
self.mdict['pki_target_tomcat_conf']
self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
--
1.8.3.1
From 7cfff9fb0c08d08f57d6229cb8a67d7c94f785aa Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 29 Jul 2016 14:42:35 +0100
Subject: [PATCH 72/96] Fix client-cert-import to set provided trust bits
Ticket 2412
---
.../netscape/cmstools/client/ClientCertImportCLI.java | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
index 9625440..a920079 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
@@ -83,7 +83,7 @@ public class ClientCertImportCLI extends CLI {
option.setArgName("serial number");
options.addOption(option);
- option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u.");
+ option = new Option(null, "trust", true, "Trust attributes.");
option.setArgName("trust attributes");
options.addOption(option);
}
@@ -140,13 +140,16 @@ public class ClientCertImportCLI extends CLI {
String pkcs12PasswordPath = cmd.getOptionValue("pkcs12-password-file");
boolean importFromCAServer = cmd.hasOption("ca-server");
String serialNumber = cmd.getOptionValue("serial");
- String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
+ String trustAttributes = cmd.getOptionValue("trust");
// load the certificate
if (certPath != null) {
if (verbose) System.out.println("Importing certificate from " + certPath + ".");
+ if (trustAttributes == null)
+ trustAttributes = "u,u,u";
+
importCert(
mainCLI.certDatabase.getAbsolutePath(),
certPath,
@@ -157,7 +160,8 @@ public class ClientCertImportCLI extends CLI {
if (verbose) System.out.println("Importing CA certificate from " + caCertPath + ".");
- trustAttributes = "CT,c,";
+ if (trustAttributes == null)
+ trustAttributes = "CT,c,";
importCert(
mainCLI.certDatabase.getAbsolutePath(),
@@ -218,7 +222,8 @@ public class ClientCertImportCLI extends CLI {
out.write(bytes);
}
- trustAttributes = "CT,c,";
+ if (trustAttributes == null)
+ trustAttributes = "CT,c,";
importCert(
mainCLI.certDatabase.getAbsolutePath(),
@@ -250,6 +255,9 @@ public class ClientCertImportCLI extends CLI {
out.write(encoded);
}
+ if (trustAttributes == null)
+ trustAttributes = "u,u,u";
+
importCert(
mainCLI.certDatabase.getAbsolutePath(),
certFile.getAbsolutePath(),
--
1.8.3.1
From e46fdb07d014368bb506b02d4ca9fafda672800a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 30 Jul 2016 00:23:48 +0200
Subject: [PATCH 73/96] Added log message in PKIClient.
To help troubleshooting the PKIClient class has been modified to
log the certificate chain retrieved from the CA.
https://fedorahosted.org/pki/ticket/2399
---
base/common/src/com/netscape/certsrv/client/PKIClient.java | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
index 5c13554..8cad382 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
@@ -32,6 +32,7 @@ import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
+import org.apache.commons.codec.binary.Base64;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NicknameConflictException;
import org.mozilla.jss.CryptoManager.NotInitializedException;
@@ -177,7 +178,15 @@ public class PKIClient {
Element element = (Element)list.item(0);
String encodedChain = element.getTextContent();
- return Utils.base64decode(encodedChain);
+ byte[] bytes = Utils.base64decode(encodedChain);
+
+ if (verbose) {
+ System.out.println("-----BEGIN PKCS7-----");
+ System.out.print(new Base64(64).encodeToString(bytes));
+ System.out.println("-----END PKCS7-----");
+ }
+
+ return bytes;
}
public X509Certificate importCertPackage(byte[] bytes, String nickname)
--
1.8.3.1
From 1b246d46671472d0b395957d3e550e54c3068758 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Mon, 1 Aug 2016 16:36:00 -0600
Subject: [PATCH 74/96] pki-tools man pages
* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
- AtoB,
- BtoA,
- KRATool,
- PrettyPrintCert, and
- PrettyPrintCrl
---
base/java-tools/man/man1/AtoB.1 | 56 ++++
base/java-tools/man/man1/BtoA.1 | 56 ++++
base/java-tools/man/man1/KRATool.1 | 459 +++++++++++++++++++++++++++++
base/java-tools/man/man1/PrettyPrintCert.1 | 204 +++++++++++++
base/java-tools/man/man1/PrettyPrintCrl.1 | 141 +++++++++
5 files changed, 916 insertions(+)
create mode 100644 base/java-tools/man/man1/AtoB.1
create mode 100644 base/java-tools/man/man1/BtoA.1
create mode 100644 base/java-tools/man/man1/KRATool.1
create mode 100644 base/java-tools/man/man1/PrettyPrintCert.1
create mode 100644 base/java-tools/man/man1/PrettyPrintCrl.1
diff --git a/base/java-tools/man/man1/AtoB.1 b/base/java-tools/man/man1/AtoB.1
new file mode 100644
index 0000000..228e3e0
--- /dev/null
+++ b/base/java-tools/man/man1/AtoB.1
@@ -0,0 +1,56 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH AtoB 1 "July 20, 2016" "version 10.3" "PKI ASCII to Binary Conversion Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+AtoB \- Convert ASCII base-64 encoded data to binary base-64 encoded data.
+
+.SH SYNOPSIS
+.PP
+\fBAtoB <input_file> <output_file>\fP
+
+.SH DESCRIPTION
+.PP
+The \fBAtoB\fP command provides a command-line utility used to convert ASCII base-64 encoded data to binary base-64 encoded data.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.TP
+.B <input_file>
+Specifies the path to the file containing the base-64 encoded ASCII data.
+
+.TP
+.B <output_file>
+Specifies the path to the file where the utility should write the binary output.
+
+.SH EXAMPLES
+.PP
+This example command takes the base-64 ASCII data in the \fBascii_data.pem\fP file and writes the binary equivalent of the data to the \fBbinary_data.der\fP file:
+.IP
+.nf
+AtoB ascii_data.pem binary_data.der
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR BtoA(1), pki(1)
diff --git a/base/java-tools/man/man1/BtoA.1 b/base/java-tools/man/man1/BtoA.1
new file mode 100644
index 0000000..95c742d
--- /dev/null
+++ b/base/java-tools/man/man1/BtoA.1
@@ -0,0 +1,56 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH BtoA 1 "July 20, 2016" "version 10.3" "PKI Binary to ASCII Conversion Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+BtoA \- Convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH SYNOPSIS
+.PP
+\fBBtoA <input_file> <output_file>\fP
+
+.SH DESCRIPTION
+.PP
+The \fBBtoA\fP command provides a command-line utility used to convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.TP
+.B <input_file>
+Specifies the path to the file which contains the base-64 encoded binary data.
+
+.TP
+.B <output_file>
+Specifies the path to the file where the utility should write the ASCII output.
+
+.SH EXAMPLES
+.PP
+This example command takes the base-64 binary data in the \fBbinary_data.der\fP file and writes the ASCII equivalent of the data to the \fBascii_data.pem\fP file:
+.IP
+.nf
+BtoA binary_data.der ascii_data.pem
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR AtoB(1), pki(1)
diff --git a/base/java-tools/man/man1/KRATool.1 b/base/java-tools/man/man1/KRATool.1
new file mode 100644
index 0000000..b04cd2b
--- /dev/null
+++ b/base/java-tools/man/man1/KRATool.1
@@ -0,0 +1,459 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH KRATool 1 "July 18, 2016" "version 10.3" "PKI Key Recovery Authority (KRA) Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+KRATool \- Command-Line utility used to export private keys from one or more KRA instances (generally legacy) into a KRA instance (generally modern); during the process of moving the keys, the KRATool can rewrap keys, renumber keys, or both.
+
+.SH SYNOPSIS
+.PP
+The syntax for rewrapping keys:
+.IP
+.nf
+\fBKRATool\fR -kratool_config_file </path/to/tool_config_file>
+ -source_ldif_file </path/to/original_ldif_file>
+ -target_ldif_file </path/to/newinstance_ldif_file>
+ -log_file </path/to/tool_log_file>
+ [-source_pki_security_database_path </path/to/nss_databases>
+ -source_storage_token_name </path/to/token>
+ -source_storage_certificate_nickname <storage_certificate_nickname>
+ -target_storage_certificate_file </path/to/new_ASCII_storage_cert>
+ [-source_pki_security_database_pwdfile </path/to/password_file>]]
+ [-source_kra_naming_context <name> -target_kra_naming_context <name>]
+ [-process_requests_and_key_records_only]
+.fi
+.PP
+The syntax for renumbering keys:
+.IP
+.nf
+\fBKRATool\fR -kratool_config_file </path/to/tool_config_file>
+ -source_ldif_file </path/to/original_ldif_file>
+ -target_ldif_file </path/to/newinstance_ldif_file>
+ -log_file </path/to/tool_log_file>
+ [-append_id_offset <prefix_to_add> | -remove_id_offset <prefix_to_remove>]
+ [-source_kra_naming_context <name> -target_kra_naming_context <name>]
+ [-process_requests_and_key_records_only]
+.fi
+
+.SH DESCRIPTION
+.PP
+The \fBKRATool\fR command provides a command-line utility used to rewrap keys, renumber keys, or both. For example, some private keys (mainly in older deployments) were wrapped in SHA-1, 1024-bit storage keys when they were archived in the Key Recovery Authority (KRA). These algorithms have become less secure as processor speeds improve and algorithms have been broken. As a security measure, it is possible to rewrap the private keys in a new, stronger storage key (SHA-256, 2048-bit keys).
+.TP
+\fBNote:\fP
+Because the KRATool utility can export private keys from one KRA, rewrap them with a new storage key, and then import them into a new KRA, this tool can be used as part of a process of combining multiple KRA instances into a single KRA.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory for both rewrapping and renumbering keys:
+.TP
+.B -kratool_config_file </path/to/tool_config_file>
+Gives the complete path and filename of the configuration file used by the tool. This configuration process tells the tool how to process certain parameters in the existing key records, whether to apply any formatting changes (like changing the naming context or adding an offset) or even whether to update the modify date. The configuration file is required and a default file is included with the tool. The file format is described in the section entitled
+.B Configuration File (.cfg).
+
+.TP
+.B -source_ldif_file </path/to/original_ldif_file>
+Gives the complete path and filename of the Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file which contains all of the key data from the old KRA.
+
+.TP
+.B -target_ldif_file </path/to/newinstance_ldif_file>
+Gives the complete path and filename of the LDIF file to which the tool will write all of the key data from the new KRA. This file is created by the tool as it runs.
+
+.TP
+.B -log_file </path/to/tool_log_file>
+Gives the path and filename of the log file to use to log the tool progress and messages. This file is created by the tool as it runs.
+
+.PP
+The following parameters are optional for both rewrapping and renumbering keys:
+
+.TP
+.B -source_kra_naming_context <name>
+Gives the naming context of the original KRA instance, the Distinguished Name (DN) element that refers to the original KRA. Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIalpha.example.com-pki-kra\fP. These entries can be renamed, automatically, from the old KRA instance naming context to the new KRA instance naming context.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+If this argument is used, then the \fB-target_kra_naming_context\fP argument must also be used.
+
+.TP
+.B -target_kra_naming_context <name>
+Gives the naming context of the new KRA instance, the name that the original key entries should be changed too. Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=omega.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIomega.example.com-pki-kra\fP.These entries can be renamed, automatically, from the old KRA instance to the new KRA instance naming context.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+If this argument is used, then the \fB-source_kra_naming_context\fP argument must also be used.
+
+.TP
+.B -process_requests_and_key_records_only
+Removes configuration entries from the source LDIF file, leaving only the key and request entries.
+
+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
+
+.PP
+The following parameters are optional for rewrapping keys:
+
+.TP
+.B -source_pki_security_database_path </path/to/nss_databases>
+Gives the full path to the directory which contains the Network Security Services (NSS) security databases used by the old KRA instance.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_storage_token_name </path/to/token>
+Gives the name of the token which stores the KRA data, like \fIInternal Key Storage Token\fP for internal tokens or a name like \fINHSM6000-OCS\fP for the hardware token name.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_storage_certificate_nickname <storage_certificate_nickname>
+Gives the nickname of the KRA storage certificate for the old KRA instance. Either this certificate will be located in the security database for the old KRA instance or the security database will contain a pointer to the certificate in the hardware token.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -target_storage_certificate_file </path/to/new_ASCII_storage_cert>
+Gives the path and filename of an ASCII-formatted file of the storage certificate for the new KRA instance. The storage certificate should be exported from the new KRA's databases and stored in an accessible location before running KRATool.
+
+This option is required if any other rewrap parameters are used.
+
+.TP
+.B -source_pki_security_database_pwdfile </path/to/password_file>
+Gives the path and filename to a password file that contains only the password for the storage token given in the \fB-source_storage_token_name\fP option.
+
+This argument is optional when other rewrap parameters are used. If this argument is not used, then the script prompts for the password.
+
+.PP
+The following parameters are optional for renumbering keys:
+
+.TP
+.B -append_id_offset <prefix_to_add>
+Gives an ID number which will be preprended to every imported key, to prevent possible collisions. A unique ID offset should be used for every KRA instance which has keys exported using KRATool.
+
+If \fB-append_id_offset\fP is used, then do not use the \fB-remove_id_offset\fP option.
+
+.TP
+.B -remove_id_offset <prefix_to_remove>
+Gives an ID number to remove from the beginning of every imported key.
+
+If \fB-remove_id_offset\fP is used, then do not use the \fB-append_id_offset\fP option.
+
+.SH Configuration File (.cfg)
+.PP
+The required configuration file instructs the KRATool how to process attributes in the key archival and key request entries in the LDIF file. There are six types of entries:
+.IP
+* CA enrollment requests
+* TPS enrollment requests
+* CA key records
+* TPS key records
+* CA and TPS recovery requests (which are treated the same in the KRA)
+.PP
+Each key and key request has an LDAP entry with attributes that are specific to that kind of record. For example, for a recovery request:
+.IP
+.nf
+dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
+objectClass: top
+objectClass: request
+objectClass: extensibleObject
+requestId: 011
+requestState: complete
+dateOfCreate: 20110121181006Z
+dateOfModify: 20110524094652Z
+extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
+ F#9E#98#B3
+extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
+ yTWvwIDAQAB
+extdata-archive: true
+extdata-requesttype: netkeyKeygen
+extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
+extdata-requestversion: 8.1.0
+extdata-requestortype: NETKEY_RA
+extdata-keyrecord: 1
+extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
+ F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
+extdata-userid: jmagne
+extdata-keysize: 1024
+extdata-updatedby: TPS-alpha.example.com-7889
+extdata-dbstatus: UPDATED
+extdata-cuid: 40906145C76224192D2B
+extdata-requeststatus: complete
+extdata-requestid: 1
+extdata-result: 1
+requestType: netkeyKeygen
+cn: 1
+creatorsName: cn=directory manager
+modifiersName: cn=directory manager
+createTimestamp: 20110122021010Z
+modifyTimestamp: 20110122021010Z
+nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
+.if
+
+.PP
+Much of that information passes through the script processing unchanged, so it is entered into the new, target KRA just the same. However, some of those attributes can and should be edited, like the Common Name (CN) and DN being changed to match the new KRA instance. The fields which can safely be changed are listed in the configuration file for each type of key entry. (Any attribute not listed is not touched by the tool under any circumstances.)
+.PP
+If a field /fIshould/fP be edited — meaning, the tool can update the record ID number or rename the entry — then the value is set to true in the configuration file. For example, this configuration updates the CN, DN, ID number, last modified date, and associated entry notes for all CA enrollment requests:
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest.cn=true
+kratool.ldif.caEnrollmentRequest.dateOfModify=true
+kratool.ldif.caEnrollmentRequest.dn=true
+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
+kratool.ldif.caEnrollmentRequest.requestId=true
+.if
+
+.PP
+If a line is set to true, then the attribute is processed in the LDIF file. By default, all possible attributes are processed. Setting a line to false means that the KRATool skips that attribute and passes the value unchanged. For example, this leaves the last modified time unchanged so that it doesn't update for when the KRATool runs:
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest.dateOfModify=false
+.if
+
+.TP
+\fBNOTE:\fP
+Key enrollments, records, and requests all have an optional notes attribute where administrators can enter notes about the process. When the KRATool runs, it appends a note to that attribute or adds the attribute with information about the tool running, what operations were performed, and a timestamp:
+.IP
+.nf
+extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!
+.if
+
+.TP
+\fB\fP
+This information is very useful for both audit and maintenance of the KRA, so it is beneficial to keep the extdata.requestNotes parameter for all of the key record types set to true.
+
+.TP
+\fBIMPORTANT:\fP
+Every parameter line in the default \fBkratool.cfg\fP must be present in the \fI.cfg\fP file used when the tool is invoked. No line can be omitted and every line must have a valid value (true or false). If the file is not properly formatted, the KRATool will fail.
+
+.PP
+The formatting of the \fI.cfg\fP file is the same as the formatting used in the instance \fBCS.cfg\fP files.
+
+.PP
+A default \fI.cfg\fP file is included with the KRATool script. This file (shown in the example entitled \fBDefault kratool.cfg File\fP) can be copied and edited into a custom file or edited directly and used with the tool.
+
+.SS Default kratool.cfg File
+.BR
+.IP
+.nf
+kratool.ldif.caEnrollmentRequest._000=########################################
+kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
+kratool.ldif.caEnrollmentRequest._002=########################################
+kratool.ldif.caEnrollmentRequest._003=## ##
+kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
+kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
+kratool.ldif.caEnrollmentRequest._007=## ##
+kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
+kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
+kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
+kratool.ldif.caEnrollmentRequest._011=## ##
+kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
+kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
+kratool.ldif.caEnrollmentRequest._015=## ##
+kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
+kratool.ldif.caEnrollmentRequest._017=## ##
+kratool.ldif.caEnrollmentRequest._018=########################################
+kratool.ldif.caEnrollmentRequest.cn=true
+kratool.ldif.caEnrollmentRequest.dateOfModify=true
+kratool.ldif.caEnrollmentRequest.dn=true
+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
+kratool.ldif.caEnrollmentRequest.requestId=true
+kratool.ldif.caKeyRecord._000=#########################################
+kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
+kratool.ldif.caKeyRecord._002=#########################################
+kratool.ldif.caKeyRecord._003=## ##
+kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
+kratool.ldif.caKeyRecord._006=## data in the following fields: ##
+kratool.ldif.caKeyRecord._007=## ##
+kratool.ldif.caKeyRecord._008=## archivedBy ##
+kratool.ldif.caKeyRecord._009=## ##
+kratool.ldif.caKeyRecord._010=#########################################
+kratool.ldif.caKeyRecord.cn=true
+kratool.ldif.caKeyRecord.dateOfModify=true
+kratool.ldif.caKeyRecord.dn=true
+kratool.ldif.caKeyRecord.privateKeyData=true
+kratool.ldif.caKeyRecord.serialno=true
+kratool.ldif.namingContext._000=############################################
+kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
+kratool.ldif.namingContext._002=############################################
+kratool.ldif.namingContext._003=## ##
+kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
+kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._008=## should be removed via the option to ##
+kratool.ldif.namingContext._009=## process requests and key records only ##
+kratool.ldif.namingContext._010=## if this is a KRA migration): ##
+kratool.ldif.namingContext._011=## ##
+kratool.ldif.namingContext._012=## cn ##
+kratool.ldif.namingContext._013=## sn ##
+kratool.ldif.namingContext._014=## uid ##
+kratool.ldif.namingContext._015=## uniqueMember ##
+kratool.ldif.namingContext._016=## ##
+kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
+kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._021=## should be removed via the option to ##
+kratool.ldif.namingContext._022=## process requests and key records only ##
+kratool.ldif.namingContext._023=## if this is a KRA migration): ##
+kratool.ldif.namingContext._024=## ##
+kratool.ldif.namingContext._025=## dc ##
+kratool.ldif.namingContext._026=## dn ##
+kratool.ldif.namingContext._027=## uniqueMember ##
+kratool.ldif.namingContext._028=## ##
+kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
+kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
+kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
+kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
+kratool.ldif.namingContext._033=## should be removed via the option to ##
+kratool.ldif.namingContext._034=## process requests and key records only ##
+kratool.ldif.namingContext._035=## if this is a KRA migration): ##
+kratool.ldif.namingContext._036=## ##
+kratool.ldif.namingContext._037=## uid ##
+kratool.ldif.namingContext._038=## uniqueMember ##
+kratool.ldif.namingContext._039=## ##
+kratool.ldif.namingContext._040=## If '-source_naming_context ##
+kratool.ldif.namingContext._041=## original source KRA naming context' ##
+kratool.ldif.namingContext._042=## and '-target_naming_context ##
+kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
+kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
+kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
+kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
+kratool.ldif.namingContext._047=## the following fields in EACH of the ##
+kratool.ldif.namingContext._048=## following types of records: ##
+kratool.ldif.namingContext._049=## ##
+kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
+kratool.ldif.namingContext._051=## ##
+kratool.ldif.namingContext._052=## dn ##
+kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
+kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
+kratool.ldif.namingContext._055=## ##
+kratool.ldif.namingContext._056=## caKeyRecord: ##
+kratool.ldif.namingContext._057=## ##
+kratool.ldif.namingContext._058=## dn ##
+kratool.ldif.namingContext._059=## ##
+kratool.ldif.namingContext._060=## recoveryRequest: ##
+kratool.ldif.namingContext._061=## ##
+kratool.ldif.namingContext._062=## dn ##
+kratool.ldif.namingContext._063=## ##
+kratool.ldif.namingContext._064=## tpsKeyRecord: ##
+kratool.ldif.namingContext._065=## ##
+kratool.ldif.namingContext._066=## dn ##
+kratool.ldif.namingContext._067=## ##
+kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
+kratool.ldif.namingContext._069=## ##
+kratool.ldif.namingContext._070=## dn ##
+kratool.ldif.namingContext._071=## ##
+kratool.ldif.namingContext._072=############################################
+kratool.ldif.recoveryRequest._000=#####################################
+kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
+kratool.ldif.recoveryRequest._002=#####################################
+kratool.ldif.recoveryRequest.cn=true
+kratool.ldif.recoveryRequest.dateOfModify=true
+kratool.ldif.recoveryRequest.dn=true
+kratool.ldif.recoveryRequest.extdata.requestId=true
+kratool.ldif.recoveryRequest.extdata.requestNotes=true
+kratool.ldif.recoveryRequest.extdata.serialnumber=true
+kratool.ldif.recoveryRequest.requestId=true
+kratool.ldif.tpsKeyRecord._000=#########################################
+kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
+kratool.ldif.tpsKeyRecord._002=#########################################
+kratool.ldif.tpsKeyRecord._003=## ##
+kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
+kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
+kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
+kratool.ldif.tpsKeyRecord._007=## ##
+kratool.ldif.tpsKeyRecord._008=## archivedBy ##
+kratool.ldif.tpsKeyRecord._009=## ##
+kratool.ldif.tpsKeyRecord._010=#########################################
+kratool.ldif.tpsKeyRecord.cn=true
+kratool.ldif.tpsKeyRecord.dateOfModify=true
+kratool.ldif.tpsKeyRecord.dn=true
+kratool.ldif.tpsKeyRecord.privateKeyData=true
+kratool.ldif.tpsKeyRecord.serialno=true
+kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
+kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
+kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
+kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
+kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
+kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
+kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
+kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
+kratool.ldif.tpsNetkeyKeygenRequest.cn=true
+kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
+kratool.ldif.tpsNetkeyKeygenRequest.dn=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
+kratool.ldif.tpsNetkeyKeygenRequest.requestId=true
+.if
+
+.SH EXAMPLES
+.PP
+The KRATool performs two operations: it can rewrap keys with a new private key, and it can renumber attributes in the LDIF file entries for key records, including enrollments and recovery requests. At least one operation (rewrap or renumber) must be performed and both can be performed in a single invocation.
+
+.SS Rewrapping Keys
+.BR
+.PP
+When rewrapping keys, the tool needs to be able to access the original NSS databases for the source KRA and its storage certificate to unwrap the keys, as well as the storage certificate for the new KRA, which is used to rewrap the keys.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert"
+.if
+
+.SS Renumbering Keys
+.BR
+.PP
+When multiple KRA instances are being merged into a single instance, it is important to make sure that no key or request records have conflicting CNs, DNs, serial numbers, or request ID numbers. These values can be processed to append a new, larger number to the existing values.
+.PP
+For the CN, the new number is the addition of the original CN plus the appended number. For example, if the CN is 4 and the append number is 1000000, the new CN is 1000004.
+.PP
+For serial numbers and request IDs, the value is always a digit count plus the value. So a CN of 4 has a serial number of 014, or one digit and the CN value. If the append number is 1000000, the new serial number is 071000004, for seven digits and then the sum of the append number (1000000) and the original value (4).
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -append_id_offset 100000000000
+.if
+
+.SS Restoring the Original Numbering
+.BR
+.PP
+If a number has been appended to key entries, as in the example entitled \fBRenumbering Keys\fP, that number can also be removed. Along with updating the CN, it also reconstructs any associated numbers, like serial numbers and request ID numbers. Undoing a renumbering action may be necessary if the original number wasn't large enough to prevent conflicts or as part of testing a migration or KRA consolidation process.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -remove_id_offset 100000000000
+.if
+
+.SS Renumbering and Rewrapping in a Single Command
+.BR
+.PP
+Rewrapping and renumbering operations can be performed in the same invocation.
+.IP
+.nf
+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert" -append_id_offset 100000000000
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR pki(1)
diff --git a/base/java-tools/man/man1/PrettyPrintCert.1 b/base/java-tools/man/man1/PrettyPrintCert.1
new file mode 100644
index 0000000..3cfb2f9
--- /dev/null
+++ b/base/java-tools/man/man1/PrettyPrintCert.1
@@ -0,0 +1,204 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PrettyPrintCert 1 "July 20, 2016" "version 10.3" "PKI Certificate Print Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+PrettyPrintCert \- print the contents of a certificate stored as ASCII base-64 encoded data to a readable format.
+
+.SH SYNOPSIS
+.PP
+\fBPrettyPrintCert [-simpleinfo] <input_file> [output_file]\fP
+
+.SH DESCRIPTION
+.PP
+The \fBPrettyPrintCert\fP command provides a command-line utility used to print the contents of a certificate stored as ASCII base-64 encoded data to a readable format. The output of this command is displayed to standard output, but can be optionally saved into a specified file. An additional non-mandatory option is available which limits the certificate information output of this command for easier parsing.
+
+.SH OPTIONS
+.TP
+.B [-simpleinfo]
+\fBOptional\fP. Prints limited certificate information in an easy to parse format; if this option is not specified, the entire contents of the certificate will be printed.
+
+.TP
+.B <input_file>
+\fBMandatory\fP. Specifies the path to the file containing the ASCII base-64 encoded certificate.
+
+.TP
+.B [output_file]
+\fBOptional\fP. Specifies the path to the file in which the tool should write the certificate. If this option is not specified, the certificate information is written to the standard output.
+
+.SH EXAMPLES
+.PP
+The following example converts the ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the certificate in the pretty-print form to the output file \fBcert.out\fP:
+.IP
+.nf
+PrettyPrintCert ascii_data.cert cert.out
+.if
+
+.PP
+For this example, the base-64 encoded certificate data in the \fBascii_data.cert\fP looks like the following:
+.IP
+.nf
+-----BEGIN CERTIFICATE-----
+MIIECjCCAvKgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjIwMzEzOFoXDTE3MDExODIxMzEzOFow
+gZwxCzAJBgNVBAYTAlVTMRwwGgYDVQQKDBNFeGFtcGxlIENvcnBvcmF0aW9uMQsw
+CQYDVQQLDAJJUzEpMCcGA1UEAwwgUHJldHR5UHJpbnRDZXJ0IFRlc3QgQ2VydGlm
+aWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMRUwEwYKCZIm
+iZPyLGQBAQwFYWRtaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDn
+Jv8ADWpC7C3Bzb13n9zQwaDW8YfyshZd7lXI0cghJOSfRLT6C10LOi1yhI+7W3NN
+MgYeLDCiRmKfHnqq6lpPg9aZmrxBwrn+30OdP+m1K6Crf6X9wqAWSR/r2hG4NuYi
+ovcJg7ani5h4BL+V0hbUvfEs4o7QfOWjQZcoo2KbOKmRrodAA21XVjWGB1ELQLNN
+hGwmZ6l1rtnN04Ruoclu8LaKMAAzFSH8cHEBtdCgxeDNy+bNnXbjO1wdruFNrars
+W6wdc230AvHRcEUWEvQVq86vHfS4UZ5q0N1ychibrHZXB0/+TUtyKDQGx0K7ELSB
+xgwt9QxEjKlXHiStcGupAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCH
+IzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzABhjJodHRwOi8v
+cGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAOBgNV
+HQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqG
+SIb3DQEBCwUAA4IBAQCgQ/vTCyQ+lHKNDNCtvbul2l6V3Sjzvj0il9t4HtorxoBF
+3FIE6VNpUYFq0AkNS/LjV7ek7LRl8kuuiKaNpqF6RvAIPrABPDh7hE1Gi3Vm+Xw/
+ndodT1AVII3x6xUbRsHu2iUVdZM5xO9ZFwA18nJUznL9q8lEGjj8vVCyFZuplUL+
+pdKqL3SgBNUdyfiV6vywevI9jFoZBlsQbn4EjBs2nNeaFSZhZ1NG6tktSt85fJ51
+IAiZv9Ipq0deHxFgpEywPq9lSrMZnm178PFlzRQUySHSm1pA+ngTydUKqZqAU0vr
+XIDTmj4lE93VPZspnPS94p/0OT4Pe3NKAe+IbIv/
+-----END CERTIFICATE-----
+.if
+
+.PP
+The certificate in pretty-print format in the \fBcert.out\fP file looks like the following:
+.IP
+.nf
+ Certificate:
+ Data:
+ Version: v3
+ Serial Number: 0x9
+ Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Issuer: CN=CA Signing Certificate,O=example.com Security Domain
+ Validity:
+ Not Before: Friday, July 22, 2016 2:31:38 PM MDT America/Denver
+ Not After: Wednesday, January 18, 2017 2:31:38 PM MST America/Denver
+ Subject: UID=admin,E=admin@example.com,CN=PrettyPrintCert Test Certificate,OU=IS,O=Example Corporation,C=US
+ Subject Public Key Info:
+ Algorithm: RSA - 1.2.840.113549.1.1.1
+ Public Key:
+ Exponent: 65537
+ Public Key Modulus: (2048 bits) :
+ E7:26:FF:00:0D:6A:42:EC:2D:C1:CD:BD:77:9F:DC:D0:
+ C1:A0:D6:F1:87:F2:B2:16:5D:EE:55:C8:D1:C8:21:24:
+ E4:9F:44:B4:FA:0B:5D:0B:3A:2D:72:84:8F:BB:5B:73:
+ 4D:32:06:1E:2C:30:A2:46:62:9F:1E:7A:AA:EA:5A:4F:
+ 83:D6:99:9A:BC:41:C2:B9:FE:DF:43:9D:3F:E9:B5:2B:
+ A0:AB:7F:A5:FD:C2:A0:16:49:1F:EB:DA:11:B8:36:E6:
+ 22:A2:F7:09:83:B6:A7:8B:98:78:04:BF:95:D2:16:D4:
+ BD:F1:2C:E2:8E:D0:7C:E5:A3:41:97:28:A3:62:9B:38:
+ A9:91:AE:87:40:03:6D:57:56:35:86:07:51:0B:40:B3:
+ 4D:84:6C:26:67:A9:75:AE:D9:CD:D3:84:6E:A1:C9:6E:
+ F0:B6:8A:30:00:33:15:21:FC:70:71:01:B5:D0:A0:C5:
+ E0:CD:CB:E6:CD:9D:76:E3:3B:5C:1D:AE:E1:4D:AD:AA:
+ EC:5B:AC:1D:73:6D:F4:02:F1:D1:70:45:16:12:F4:15:
+ AB:CE:AF:1D:F4:B8:51:9E:6A:D0:DD:72:72:18:9B:AC:
+ 76:57:07:4F:FE:4D:4B:72:28:34:06:C7:42:BB:10:B4:
+ 81:C6:0C:2D:F5:0C:44:8C:A9:57:1E:24:AD:70:6B:A9
+ Extensions:
+ Identifier: Authority Key Identifier - 2.5.29.35
+ Critical: no
+ Key Identifier:
+ BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
+ 8A:EB:BA:B5
+ Identifier: 1.3.6.1.5.5.7.1.1
+ Critical: no
+ Value:
+ 30:40:30:3E:06:08:2B:06:01:05:05:07:30:01:86:32:
+ 68:74:74:70:3A:2F:2F:70:6B:69:2D:64:65:73:6B:74:
+ 6F:70:2E:75:73:65:72:73:79:73:2E:72:65:64:68:61:
+ 74:2E:63:6F:6D:3A:38:30:38:30:2F:63:61:2F:6F:63:
+ 73:70
+ Identifier: Key Usage: - 2.5.29.15
+ Critical: yes
+ Key Usage:
+ Digital Signature
+ Non Repudiation
+ Key Encipherment
+ Identifier: Extended Key Usage: - 2.5.29.37
+ Critical: no
+ Extended Key Usage:
+ 1.3.6.1.5.5.7.3.2
+ 1.3.6.1.5.5.7.3.4
+ Signature:
+ Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Signature:
+ A0:43:FB:D3:0B:24:3E:94:72:8D:0C:D0:AD:BD:BB:A5:
+ DA:5E:95:DD:28:F3:BE:3D:22:97:DB:78:1E:DA:2B:C6:
+ 80:45:DC:52:04:E9:53:69:51:81:6A:D0:09:0D:4B:F2:
+ E3:57:B7:A4:EC:B4:65:F2:4B:AE:88:A6:8D:A6:A1:7A:
+ 46:F0:08:3E:B0:01:3C:38:7B:84:4D:46:8B:75:66:F9:
+ 7C:3F:9D:DA:1D:4F:50:15:20:8D:F1:EB:15:1B:46:C1:
+ EE:DA:25:15:75:93:39:C4:EF:59:17:00:35:F2:72:54:
+ CE:72:FD:AB:C9:44:1A:38:FC:BD:50:B2:15:9B:A9:95:
+ 42:FE:A5:D2:AA:2F:74:A0:04:D5:1D:C9:F8:95:EA:FC:
+ B0:7A:F2:3D:8C:5A:19:06:5B:10:6E:7E:04:8C:1B:36:
+ 9C:D7:9A:15:26:61:67:53:46:EA:D9:2D:4A:DF:39:7C:
+ 9E:75:20:08:99:BF:D2:29:AB:47:5E:1F:11:60:A4:4C:
+ B0:3E:AF:65:4A:B3:19:9E:6D:7B:F0:F1:65:CD:14:14:
+ C9:21:D2:9B:5A:40:FA:78:13:C9:D5:0A:A9:9A:80:53:
+ 4B:EB:5C:80:D3:9A:3E:25:13:DD:D5:3D:9B:29:9C:F4:
+ BD:E2:9F:F4:39:3E:0F:7B:73:4A:01:EF:88:6C:8B:FF
+ FingerPrint
+ MD2:
+ EC:AE:A5:A3:E5:FA:30:3B:34:0E:FD:9D:ED:46:56:03
+ MD5:
+ CB:E1:80:0C:B3:66:DF:CF:3A:2B:A9:C1:F4:88:88:23
+ SHA-1:
+ B6:BA:84:0D:AE:4E:B0:CD:84:71:D8:A4:61:60:A7:2D:
+ 3A:7C:55:46
+ SHA-256:
+ B2:95:9C:8C:B9:3C:7B:9F:FF:8E:BD:92:90:BC:75:F5:
+ BB:0D:96:2C:93:05:20:1B:4C:9D:B9:59:6F:54:25:5B
+ SHA-512:
+ B9:7A:1E:2E:59:8C:6F:76:F5:52:36:AD:A6:62:E9:DD:
+ 00:6E:82:7A:BA:38:1E:29:FC:F8:80:F1:DD:7C:81:92:
+ F1:C2:E3:34:27:1A:7A:EB:95:36:DB:65:41:A2:46:19:
+ FB:14:89:00:B5:8B:DB:AA:33:41:8C:6C:C4:75:CF:17
+.if
+
+.PP
+The following example command takes the same ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the information contained within the certificate to the simple format output file \fBcert.simple\fP:
+.IP
+.nf
+PrettyPrintCert -simpleinfo ascii_data.cert cert.simple
+.if
+
+.PP
+The simple certificate information in the \fBcert.simple\fP output file looks like the following:
+.IP
+.nf
+UID=admin
+E=admin@example.com
+CN=PrettyPrintCert Test Certificate
+OU=IS
+O=Example Corporation
+C=US
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR PrettyPrintCrl(1), pki(1)
diff --git a/base/java-tools/man/man1/PrettyPrintCrl.1 b/base/java-tools/man/man1/PrettyPrintCrl.1
new file mode 100644
index 0000000..31a73a0
--- /dev/null
+++ b/base/java-tools/man/man1/PrettyPrintCrl.1
@@ -0,0 +1,141 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PrettyPrintCrl 1 "July 20, 2016" "version 10.3" "PKI CRL Print Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+PrettyPrintCrl \- reads a certificate revocation list (CRL) stored in an ASCII base-64 encoded file and outputs it in a readable format.
+
+.SH SYNOPSIS
+.PP
+\fBPrettyPrintCrl <input_file> [output_file]\fP
+
+.SH DESCRIPTION
+.PP
+The \fBPrettyPrintCrl\fP command provides a command-line utility used to print the contents of a CRL stored as ASCII base-64 encoded data in a file to a readable format. The output of this command is displayed to standard output, but can be optionally saved into a specified file.
+
+.SH OPTIONS
+.TP
+.B <input_file>
+\fBMandatory\fP. Specifies the path to the file that contains the ASCII base-64 encoded CRL.
+
+.TP
+.B [output_file]
+\fBOptional\fP. Specifies the path to the file to write the CRL. If the output file is not specified, the CRL information is written to the standard output.
+
+.SH EXAMPLES
+.PP
+The following example \fBPrettyPrintCrl\fP command takes the ASCII base-64 encoded CRL in the \fBascii_data.crl\fP file and writes the CRL in the pretty-print format to the output file \fBcrl.out\fP:
+.IP
+.nf
+PrettyPrintCrl ascii_data.crl crl.out
+.if
+
+.PP
+For this example, the base-64 encoded CRL data in the \fBascii_data.crl\fP looks like the following:
+.IP
+.nf
+-----BEGIN X509 CRL-----
+MIICVDCCATwCAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5y
+ZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBD
+ZXJ0aWZpY2F0ZRcNMTYwNzIyMjExMjUwWhcNMTYwNzIyMjMwMDAwWjCBiDAgAgEK
+Fw0xNjA3MjIyMDU1MTZaMAwwCgYDVR0VBAMKAQYwIAIBCRcNMTYwNzIyMjEwMTU2
+WjAMMAoGA1UdFQQDCgEGMCACAQgXDTE2MDcyMjIxMTIyNVowDDAKBgNVHRUEAwoB
+ATAgAgEHFw0xNjA3MjIyMTAxNTZaMAwwCgYDVR0VBAMKAQagLzAtMB8GA1UdIwQY
+MBaAFLs2mF1ly4jghyM3b1v3r4uK67q1MAoGA1UdFAQDAgEKMA0GCSqGSIb3DQEB
+CwUAA4IBAQCjnwpdLVU4sg3GnOFQiHpBuWspevzj0poHQs9b4Uv17o0MC4irftkR
+zRBVgwLvdSd5WFEUSbhWVjhS4o4w84BXdmti/+UBS+mOVNxiKqs3Z7Fxcg+mCsiH
+SDWT3iiqZVqlPMOKDzIQGj4XeArSBK13qjNdwKzVJZlXYfwzdDtyVKBJcoETXGZ3
+irU8RTXo7OhO6xKDAaHjzVVynjfGdIDaavl1fjwXFufwZBeiXm1zyyFSvDUdny4G
+29NTmM2945jCESeR7DV2q1LHG/v2rzCOKTWdPdXTPCics05KzUA4S6X+mp051wkh
+yJM2LYpV6lKV6JiczHLrgf5QcqfwSkTX
+-----END X509 CRL-----
+.if
+
+.PP
+The CRL in pretty-print format in the \fBcrl.out\fP file looks like the following:
+.IP
+.nf
+ Certificate Revocation List:
+ Data:
+ Version: v2
+ Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Issuer: CN=CA Signing Certificate,O=example.com Security Domain
+ This Update: Friday, July 22, 2016 3:12:50 PM MDT America/Denver
+ Next Update: Friday, July 22, 2016 5:00:00 PM MDT America/Denver
+ Revoked Certificates:
+ Serial Number: 0xA
+ Revocation Date: Friday, July 22, 2016 2:55:16 PM MDT America/Denver
+ Extensions:
+ Identifier: Revocation Reason - 2.5.29.21
+ Critical: no
+ Reason: CA_Compromise
+ Serial Number: 0x9
+ Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver
+ Extensions:
+ Identifier: Revocation Reason - 2.5.29.21
+ Critical: no
+ Reason: Affiliation_Changed
+ Serial Number: 0x8
+ Revocation Date: Friday, July 22, 2016 3:12:25 PM MDT America/Denver
+ Extensions:
+ Identifier: Revocation Reason - 2.5.29.21
+ Critical: no
+ Reason: Key_Compromise
+ Serial Number: 0x7
+ Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver
+ Extensions:
+ Identifier: Revocation Reason - 2.5.29.21
+ Critical: no
+ Reason: Certificate_Hold
+ Extensions:
+ Identifier: Authority Key Identifier - 2.5.29.35
+ Critical: no
+ Key Identifier:
+ BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
+ 8A:EB:BA:B5
+ Identifier: CRL Number - 2.5.29.20
+ Critical: no
+ Number: 10
+ Signature:
+ Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
+ Signature:
+ A3:9F:0A:5D:2D:55:38:B2:0D:C6:9C:E1:50:88:7A:41:
+ B9:6B:29:7A:FC:E3:D2:9A:07:42:CF:5B:E1:4B:F5:EE:
+ 8D:0C:0B:88:AB:7E:D9:11:CD:10:55:83:02:EF:75:27:
+ 79:58:51:14:49:B8:56:56:38:52:E2:8E:30:F3:80:57:
+ 76:6B:62:FF:E5:01:4B:E9:8E:54:DC:62:2A:AB:37:67:
+ B1:71:72:0F:A6:0A:C8:87:48:35:93:DE:28:AA:65:5A:
+ A5:3C:C3:8A:0F:32:10:1A:3E:17:78:0A:D2:04:AD:77:
+ AA:33:5D:C0:AC:D5:25:99:57:61:FC:33:74:3B:72:54:
+ A0:49:72:81:13:5C:66:77:8A:B5:3C:45:35:E8:EC:E8:
+ 4E:EB:12:83:01:A1:E3:CD:55:72:9E:37:C6:74:80:DA:
+ 6A:F9:75:7E:3C:17:16:E7:F0:64:17:A2:5E:6D:73:CB:
+ 21:52:BC:35:1D:9F:2E:06:DB:D3:53:98:CD:BD:E3:98:
+ C2:11:27:91:EC:35:76:AB:52:C7:1B:FB:F6:AF:30:8E:
+ 29:35:9D:3D:D5:D3:3C:28:9C:B3:4E:4A:CD:40:38:4B:
+ A5:FE:9A:9D:39:D7:09:21:C8:93:36:2D:8A:55:EA:52:
+ 95:E8:98:9C:CC:72:EB:81:FE:50:72:A7:F0:4A:44:D7
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharmsen@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR PrettyPrintCert(1), pki(1)
--
1.8.3.1
From ad454dedb6ba7b5161f962fe65f78fb236c1a7fe Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 2 Aug 2016 11:18:31 -0400
Subject: [PATCH 76/96] Fix deployment issue
Need to put pki_server_side_keygen in a conditional to avoid
breaking other subsystem deployments.
Ticket 2418
---
base/server/python/pki/server/deployment/pkiparser.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 622f87e..3e5d355 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -941,8 +941,11 @@ class PKIConfigParser:
"tomcat"
self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
"webapps"
- self.mdict['SERVER_KEYGEN_SLOT'] = \
- self.mdict['pki_enable_server_side_keygen']
+
+ if self.mdict['pki_subsystem'] == "TPS":
+ self.mdict['SERVER_KEYGEN_SLOT'] = \
+ self.mdict['pki_enable_server_side_keygen']
+
self.mdict['TOMCAT_CFG_SLOT'] = \
self.mdict['pki_target_tomcat_conf']
self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
--
1.8.3.1
From e6c426eb69e294207a657897fdce0a7b07e4c41d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 2 Aug 2016 05:15:17 +0200
Subject: [PATCH 77/96] Fixed problem creating links to PKI JAR files.
The CMake create_symlink command fails if the link target does not
exist already. Since PKI JAR files may not exist at build time, the
commands to create the links to those files have been replaced with
the ln -sf command which will create the links regardless of the
targets' existence.
https://fedorahosted.org/pki/ticket/2403
---
base/common/CMakeLists.txt | 8 ++++----
base/server/CMakeLists.txt | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index dc5cecf..d4b0d7f 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -35,10 +35,10 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar lib/ldapjdk.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-cmsutil.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-nsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-nsutil.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tools.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-tools.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar
diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
index 27470f3..be58c05 100644
--- a/base/server/CMakeLists.txt
+++ b/base/server/CMakeLists.txt
@@ -45,7 +45,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar
+ COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tomcat.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-tomcat.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar
@@ -53,7 +53,7 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar
+ COMMAND /usr/bin/ln -sf /usr/lib/java/symkey.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/symkey.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
--
1.8.3.1
From c73f98926d6c3b5bd1fe5e6d7d1f48d5f4e77220 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 3 Aug 2016 23:55:53 -0400
Subject: [PATCH 78/96] Add pkispawn option to disable Master CRL
---
base/ca/shared/conf/CS.cfg | 2 +-
base/server/config/pkislots.cfg | 1 +
base/server/etc/default.cfg | 1 +
base/server/python/pki/server/deployment/pkiparser.py | 4 ++++
4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 68e79a4..3beb45c 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -578,7 +578,7 @@ ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.MasterCRL.dailyUpdates=1:00
ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
-ca.crl.MasterCRL.enable=true
+ca.crl.MasterCRL.enable=[MASTER_CRL_ENABLE]
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCacheTesting=false
diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
index 3873b83..d806c1f 100644
--- a/base/server/config/pkislots.cfg
+++ b/base/server/config/pkislots.cfg
@@ -1,6 +1,7 @@
[Tomcat]
application_version=[APPLICATION_VERSION]
INSTALL_TIME_SLOT=[INSTALL_TIME]
+MASTER_CRL_ENABLE_SLOT=[MASTER_CRL_ENABLE]
NUXWDOG_JNI_PATH_SLOT=[NUXWDOG_JNI_PATH]
PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 24e4a43..cfbd289 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -335,6 +335,7 @@ pki_ds_database=%(pki_instance_name)s-CA
pki_ds_hostname=%(pki_hostname)s
pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
pki_share_db=False
+pki_master_crl_enable=True
# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
# config is blank. If both are blank, the value is constructed
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 3e5d355..115f3ca 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -946,6 +946,10 @@ class PKIConfigParser:
self.mdict['SERVER_KEYGEN_SLOT'] = \
self.mdict['pki_enable_server_side_keygen']
+ if self.mdict['pki_subsystem'] == "CA":
+ self.mdict['MASTER_CRL_ENABLE_SLOT'] = \
+ self.mdict['pki_master_crl_enable']
+
self.mdict['TOMCAT_CFG_SLOT'] = \
self.mdict['pki_target_tomcat_conf']
self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
--
1.8.3.1
From d2e8c9c5fb54e39884ecf304a234f8cb52c5a40e Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Thu, 4 Aug 2016 16:40:06 -0700
Subject: [PATCH 79/96] Ticket#2428 broken request links for CA's system certs
in agent request viewing This patch fixes the issue that when an agent visit
one of the CA's system cert request records, exception is thrown.
---
.../cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index 3cbf0f9..caf2cf1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -431,7 +431,7 @@ public class ProfileReviewServlet extends ProfileServlet {
defset.set(ARG_DEF_SYNTAX, defSyntax);
defset.set(ARG_DEF_CONSTRAINT, defConstraint);
defset.set(ARG_DEF_NAME, defValueName);
- defset.set(ARG_DEF_VAL, defValue);
+ defset.set(ARG_DEF_VAL, (defValue!=null)? defValue:"");
deflist.add(defset);
}
}
--
1.8.3.1
From 7702dae72b59a39b31b52640a9d1a4b5b6ca62ca Mon Sep 17 00:00:00 2001
From: Geetika Kapoor <gkapoor@redhat.com>
Date: Thu, 28 Jul 2016 02:59:40 -0400
Subject: [PATCH 80/96] Fixed NumberFormatException in tps-cert-find
Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
---
.../netscape/cmstools/tps/cert/TPSCertFindCLI.java | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
index 9cbdad6..83c977b 100644
--- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
@@ -84,12 +84,24 @@ public class TPSCertFindCLI extends CLI {
String filter = cmdArgs.length > 0 ? cmdArgs[0] : null;
String tokenID = cmd.getOptionValue("token");
+ String string3 = cmd.getOptionValue("start");
+ String string4 = cmd.getOptionValue("size");
+ Integer start = null;
+ Integer size = null;
- String s = cmd.getOptionValue("start");
- Integer start = s == null ? null : Integer.valueOf(s);
+ try {
+ start = string3 == null ? null : Integer.valueOf(string3);
+ } catch (NumberFormatException e) {
+ System.err.println("Error: Invalid value for --start parameter: " + string3);
+ System.exit(-1);
+ }
- s = cmd.getOptionValue("size");
- Integer size = s == null ? null : Integer.valueOf(s);
+ try {
+ size = string4 == null ? null : Integer.valueOf(string4);
+ } catch (NumberFormatException e) {
+ System.err.println("Error: Invalid value for --size parameter: " + string4);
+ System.exit(-1);
+ }
TPSCertCollection result = certCLI.certClient.findCerts(filter, tokenID, start, size);
--
1.8.3.1
From 5178567bf5c65d23d3903b0956a47813bdc1fe23 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Tue, 2 Aug 2016 16:46:29 +0530
Subject: [PATCH 81/96] Added check for Subsystem data and request in
'pki-server subsystem-cert-export'
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
---
base/server/python/pki/server/cli/subsystem.py | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index a44243a..4651d74 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -1,5 +1,6 @@
# Authors:
# Endi S. Dewata <edewata@redhat.com>
+# Abhijeet Kasurde <akasurde@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -14,7 +15,7 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2015 Red Hat, Inc.
+# Copyright (C) 2015-2016 Red Hat, Inc.
# All rights reserved.
#
@@ -654,14 +655,22 @@ class SubsystemCertExportCLI(pki.cli.CLI):
sys.exit(1)
if cert_file:
+ cert_data = subsystem_cert.get('data', None)
+ if cert_data is None:
+ print("ERROR: Unable to find certificate data for %s" % cert_id)
+ sys.exit(1)
- cert_data = pki.nssdb.convert_cert(subsystem_cert['data'], 'base64', 'pem')
+ cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
with open(cert_file, 'w') as f:
f.write(cert_data)
if csr_file:
+ cert_request = subsystem_cert.get('request', None)
+ if cert_request is None:
+ print("ERROR: Unable to find certificate request for %s" % cert_id)
+ sys.exit(1)
- csr_data = pki.nssdb.convert_csr(subsystem_cert['request'], 'base64', 'pem')
+ csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
with open(csr_file, 'w') as f:
f.write(csr_data)
--
1.8.3.1
From f0b1854a8f5cfe97d2d267ea16e4556d94666bb6 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Wed, 3 Aug 2016 18:01:23 -0700
Subject: [PATCH 82/96] Fix to sort the output of a cert search by serialno.
---
.../src/com/netscape/certsrv/dbs/IDBSSession.java | 35 +++++++-
.../certsrv/dbs/certdb/ICertificateRepository.java | 27 ++++++
.../com/netscape/cms/servlet/cert/SrchCerts.java | 4 +-
.../cmscore/dbs/CertificateRepository.java | 37 ++++++++-
.../src/com/netscape/cmscore/dbs/DBSSession.java | 97 +++++++++++++++++++---
.../cmscore/dbs/DBSSessionDefaultStub.java | 15 +++-
6 files changed, 197 insertions(+), 18 deletions(-)
diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
index 6569505..9ab2fde 100644
--- a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
+++ b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
@@ -17,11 +17,11 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.dbs;
+import netscape.ldap.LDAPSearchResults;
+
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ISubsystem;
-import netscape.ldap.LDAPSearchResults;
-
/**
* An interface represents the database session. Operations
* can be performed with a session.
@@ -132,6 +132,21 @@ public interface IDBSSession extends AutoCloseable {
* @param base starting point of the search
* @param filter search filter
* @param maxSize max number of entries
+ * @param sortAttribute Field to sort the records on
+ * @return search results
+ * @exception EBaseException failed to search
+ */
+ public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute)
+ throws EBaseException;
+
+
+ /**
+ * Searchs for a list of objects that match the
+ * filter.
+ *
+ * @param base starting point of the search
+ * @param filter search filter
+ * @param maxSize max number of entries
* @param timeLimit timeout limit
* @return search results
* @exception EBaseException failed to search
@@ -140,6 +155,22 @@ public interface IDBSSession extends AutoCloseable {
int timeLimit) throws EBaseException;
/**
+ * Searchs for a list of objects that match the
+ * filter.
+ *
+ * @param base starting point of the search
+ * @param filter search filter
+ * @param maxSize max number of entries
+ * @param timeLimit timeout limit
+ * @param sortAttribute Field to sort the records on
+ * @return search results
+ * @exception EBaseException failed to search
+ */
+ public IDBSearchResults search(String base, String filter, int maxSize,
+ int timeLimit, String sortAttribute) throws EBaseException;
+
+
+ /**
* Retrieves a list of object that satifies the given
* filter.
*
diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
index f113ea0..2efb023 100644
--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
@@ -239,6 +239,33 @@ public interface ICertificateRepository extends IRepository {
* the filter.
*
* @param filter search filter
+ * @param maxSize max size to return
+ * @param timeLimit timeout value
+ * @param sortAttribute Attribute of ICertRecord to sort the results
+ * @return a list of certificates
+ * @exception EBaseException failed to search
+ */
+ public Enumeration<ICertRecord> searchCertificates(String filter, int maxSize,
+ int timeLimit,String sortAttribute) throws EBaseException;
+
+ /**
+ * Finds a list of certificate records that satisifies
+ * the filter.
+ *
+ * @param filter search filter
+ * @param maxSize max size to return
+ * @param sortAttribute Attribute of ICertRecord to sort the results
+ * @return a list of certificates
+ * @exception EBaseException failed to search
+ */
+ public Enumeration<Object> searchCertificates(String filter, int maxSize,
+ String sortAttribute) throws EBaseException;
+
+ /**
+ * Finds a list of certificate records that satisifies
+ * the filter.
+ *
+ * @param filter search filter
* @param attrs selected attribute
* @param pageSize page size
* @return a list of certificates
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
index 508a8df..c55dfea 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
@@ -608,7 +608,9 @@ public class SrchCerts extends CMSServlet {
}
CMS.debug("Start searching ... "
+ "filter=" + filter + " maxreturns=" + maxResults + " timelimit=" + timeLimit);
- Enumeration<ICertRecord> e = mCertDB.searchCertificates(filter, maxResults, timeLimit);
+
+ // Do the search with the optional sortAtribute field, giving an assured list of certs sorted by serialno
+ Enumeration<ICertRecord> e = mCertDB.searchCertificates(filter, maxResults, timeLimit, "serialno");
int count = 0;
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
index d0a604e..8406f36 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -1124,7 +1124,7 @@ public class CertificateRepository extends Repository
ModificationSet mods = new ModificationSet();
if (isAlreadyOnHold) {
mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info);
- } else {
+ } else {
mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info);
}
SessionContext ctx = SessionContext.getContext();
@@ -1190,6 +1190,21 @@ public class CertificateRepository extends Repository
modifyCertificateRecord(id, mods);
}
+ public Enumeration<Object> searchCertificates(String filter, int maxSize,String sortAttribute)
+ throws EBaseException {
+ IDBSSession s = mDBService.createSession();
+ Enumeration<Object> e = null;
+
+ CMS.debug("searchCertificates filter " + filter + " maxSize " + maxSize);
+ try {
+ e = s.search(getDN(), filter, maxSize,sortAttribute);
+ } finally {
+ if (s != null)
+ s.close();
+ }
+ return e;
+ }
+
public Enumeration<Object> searchCertificates(String filter, int maxSize)
throws EBaseException {
IDBSSession s = mDBService.createSession();
@@ -1223,6 +1238,26 @@ public class CertificateRepository extends Repository
return v.elements();
}
+ public Enumeration<ICertRecord> searchCertificates(String filter, int maxSize,
+ int timeLimit,String sortAttribute) throws EBaseException {
+ IDBSSession s = mDBService.createSession();
+ Vector<ICertRecord> v = new Vector<ICertRecord>();
+
+ CMS.debug("searchCertificateswith time limit filter " + filter);
+ try {
+ IDBSearchResults sr = s.search(getDN(), filter, maxSize, timeLimit,sortAttribute);
+ while (sr.hasMoreElements()) {
+ v.add((ICertRecord) sr.nextElement());
+ }
+ } finally {
+ if (s != null)
+ s.close();
+ }
+ return v.elements();
+
+ }
+
+
/**
* Returns a list of X509CertImp that satisfies the filter.
*
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
index 2bfd5f2..853dfe4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
@@ -19,6 +19,20 @@ package com.netscape.cmscore.dbs;
import java.util.Enumeration;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPModificationSet;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPSortKey;
+import netscape.ldap.LDAPv2;
+import netscape.ldap.controls.LDAPPersistSearchControl;
+import netscape.ldap.controls.LDAPSortControl;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ISubsystem;
@@ -34,18 +48,6 @@ import com.netscape.certsrv.dbs.Modification;
import com.netscape.certsrv.dbs.ModificationSet;
import com.netscape.certsrv.logging.ILogger;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPModificationSet;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-import netscape.ldap.controls.LDAPPersistSearchControl;
-
/**
* A class represents the database session. Operations
* can be performed with a session.
@@ -295,6 +297,40 @@ public class DBSSession implements IDBSSession {
}
@SuppressWarnings("unchecked")
+ public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute)
+ throws EBaseException {
+ try {
+ String ldapattrs[] = null;
+ String ldapfilter =
+ mDBSystem.getRegistry().getFilter(filter);
+
+ LDAPSearchConstraints cons = new LDAPSearchConstraints();
+
+ cons.setMaxResults(maxSize);
+
+ if(sortAttribute != null) {
+ LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute );
+ LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true);
+ cons.setServerControls( sortCtrl );
+ }
+
+ LDAPSearchResults res = mConn.search(base,
+ LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons);
+
+ return new DBSearchResults(mDBSystem.getRegistry(),
+ res);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE)
+ throw new EDBNotAvailException(
+ CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE"));
+ // XXX error handling, should not raise exception if
+ // entry not found
+ throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE",
+ e.toString()));
+ }
+ }
+
+ @SuppressWarnings("unchecked")
public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit)
throws EBaseException {
try {
@@ -323,6 +359,43 @@ public class DBSSession implements IDBSSession {
}
}
+ @SuppressWarnings("unchecked")
+ public IDBSearchResults search(String base, String filter, int maxSize,
+ int timeLimit, String sortAttribute) throws EBaseException {
+
+ try {
+ String ldapattrs[] = null;
+ String ldapfilter =
+ mDBSystem.getRegistry().getFilter(filter);
+
+ LDAPSearchConstraints cons = new LDAPSearchConstraints();
+
+ cons.setMaxResults(maxSize);
+ cons.setServerTimeLimit(timeLimit);
+
+ if(sortAttribute != null) {
+ LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute );
+ LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true);
+ cons.setServerControls( sortCtrl );
+ }
+
+ LDAPSearchResults res = mConn.search(base,
+ LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons);
+
+ return new DBSearchResults(mDBSystem.getRegistry(),
+ res);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE)
+ throw new EDBNotAvailException(
+ CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE"));
+ // XXX error handling, should not raise exception if
+ // entry not found
+ throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE",
+ e.toString()));
+ }
+
+ }
+
/**
* Retrieves a list of object that satifies the given
* filter.
diff --git a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
index e4e7157..8d7bbc0 100644
--- a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
@@ -1,5 +1,7 @@
package com.netscape.cmscore.dbs;
+import netscape.ldap.LDAPSearchResults;
+
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.dbs.EDBException;
@@ -9,8 +11,6 @@ import com.netscape.certsrv.dbs.IDBSearchResults;
import com.netscape.certsrv.dbs.IDBVirtualList;
import com.netscape.certsrv.dbs.ModificationSet;
-import netscape.ldap.LDAPSearchResults;
-
/**
* A default stub ojbect for tests to extend.
*/
@@ -81,4 +81,15 @@ public class DBSSessionDefaultStub implements IDBSSession {
String sortKey, int pageSize) throws EBaseException {
return null;
}
+
+ @Override
+ public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit, String sortAttribute)
+ throws EBaseException {
+ return null;
+ }
+
+ @Override
+ public IDBSearchResults search(String base, String filter, int maxSize, String sortAttribute) throws EBaseException {
+ return null;
+ }
}
--
1.8.3.1
From f726f9a668b523c4e5a9438d8ea301f4b556efd4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 1 Aug 2016 22:35:32 +0200
Subject: [PATCH 83/96] Added log messages for certificate validation.
The ConfigCertApprovalCallback has been modified such that it
logs the server certificate being validated and can be configured
to ignore certain validation errors.
The ConfigurationUtils has been modified to use the
ConfigCertApprovalCallback to show and validate the server
certificate in all GET and POST operations except for the
importCertChain() in which the code needs to ignore untrusted
issuer in order to get the certificate chain via SSL.
https://fedorahosted.org/pki/ticket/2424
---
.../csadmin/ConfigCertApprovalCallback.java | 63 +++++++++++++++++++++-
.../cms/servlet/csadmin/ConfigurationUtils.java | 63 ++++++++++++----------
2 files changed, 97 insertions(+), 29 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
index 956c285..9b741af 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
@@ -17,17 +17,78 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
+
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import com.netscape.certsrv.apps.CMS;
+
public class ConfigCertApprovalCallback
implements SSLCertificateApprovalCallback {
+ public Set<Integer> ignoredErrors = new HashSet<Integer>();
+
public ConfigCertApprovalCallback() {
}
+ public void ignoreError(int error) {
+ ignoredErrors.add(error);
+ }
+
+ public String getErrorDescription(int reason) {
+
+ // iterate through all constants in ValidityStatus
+ for (Field f : ValidityStatus.class.getDeclaredFields()) {
+ int mod = f.getModifiers();
+ if (Modifier.isPublic(mod) &&
+ Modifier.isFinal(mod) &&
+ Modifier.isStatic(mod)) {
+
+ try {
+ int value = f.getInt(null);
+
+ // if value matches the reason, return the name
+ if (value == reason) {
+ return f.getName();
+ }
+
+ } catch (IllegalAccessException e) {
+ return "ERROR #" + reason;
+ }
+ }
+ }
+
+ return "UNKNOWN_ERROR";
+ }
+
public boolean approve(X509Certificate cert,
SSLCertificateApprovalCallback.ValidityStatus status) {
- return true;
+
+ CMS.debug("Server certificate:");
+ CMS.debug(" - subject: " + cert.getSubjectDN());
+ CMS.debug(" - issuer: " + cert.getIssuerDN());
+
+ Enumeration<?> errors = status.getReasons();
+ boolean result = true;
+
+ while (errors.hasMoreElements()) {
+ SSLCertificateApprovalCallback.ValidityItem item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
+ int reason = item.getReason();
+ String description = getErrorDescription(reason);
+
+ if (ignoredErrors.contains(reason)) {
+ CMS.debug("WARNING: " + description);
+ } else {
+ CMS.debug("ERROR: " + description);
+ result = false;
+ }
+ }
+
+ return result;
}
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index ab5e4d6..fe65bb8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -58,34 +58,6 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.xml.parsers.ParserConfigurationException;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPDN;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv3;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS12;
-import netscape.security.pkcs.PKCS12Util;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.Extension;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
import org.apache.commons.lang.StringUtils;
import org.apache.velocity.context.Context;
import org.mozilla.jss.CryptoManager;
@@ -131,6 +103,7 @@ import org.mozilla.jss.pkix.primitive.Attribute;
import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo;
import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
import org.w3c.dom.Document;
@@ -180,6 +153,34 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
import com.netscape.cmsutil.util.Utils;
import com.netscape.cmsutil.xml.XMLObject;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv3;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS12;
+import netscape.security.pkcs.PKCS12Util;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
/**
* Utility class for functions to be used by the RESTful installer.
*
@@ -196,6 +197,8 @@ public class ConfigurationUtils {
public static final Long MINUS_ONE = Long.valueOf(-1);
public static final String DBUSER = "pkidbuser";
+ public static ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+
public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
IncorrectPasswordException {
boolean rv = true;
@@ -229,6 +232,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: GET " + config.getServerURI() + path);
PKIConnection connection = new PKIConnection(config);
+ if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
connection.setCallback(certApprovalCallback);
return connection.get(path);
}
@@ -245,6 +249,7 @@ public class ConfigurationUtils {
CMS.debug("ConfigurationUtils: POST " + config.getServerURI() + path);
PKIConnection connection = new PKIConnection(config);
+ if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
connection.setCallback(certApprovalCallback);
return connection.post(path, content);
}
@@ -256,6 +261,8 @@ public class ConfigurationUtils {
IConfigStore cs = CMS.getConfigStore();
ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+ // Ignore untrusted issuer to get cert chain.
+ certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER);
String c = get(host, port, true, serverPath, null, certApprovalCallback);
if (c != null) {
--
1.8.3.1
From da66600e8ae07fa4169d24909c7d04ed69d2906c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 1 Aug 2016 22:35:32 +0200
Subject: [PATCH 84/96] Added log messages for certificate import during
cloning.
To help troubleshooting cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
---
base/common/python/pki/nssdb.py | 10 +++
base/common/python/pki/pkcs12.py | 73 ++++++++++++++++++++++
.../deployment/scriptlets/security_databases.py | 42 ++++++++++---
3 files changed, 118 insertions(+), 7 deletions(-)
create mode 100644 base/common/python/pki/pkcs12.py
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a0b0302..ed45654 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -398,6 +398,16 @@ class NSSDatabase(object):
if rc:
raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
+ def show_certs(self):
+
+ cmd = [
+ 'certutil',
+ '-L',
+ '-d', self.directory
+ ]
+
+ subprocess.check_call(cmd)
+
def get_cert(self, nickname, output_format='pem'):
if output_format == 'pem':
diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py
new file mode 100644
index 0000000..a62ca09
--- /dev/null
+++ b/base/common/python/pki/pkcs12.py
@@ -0,0 +1,73 @@
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import os
+import shutil
+import subprocess
+import tempfile
+
+
+class PKCS12(object):
+
+ def __init__(self, path, password=None, password_file=None, nssdb=None):
+
+ # The pki CLI needs an NSS database to run PKCS #12 operations
+ # as required by JSS. If the nssdb parameter is provided, the CLI
+ # will use the specified NSS database object. Otherwise, it will use
+ # the default NSS database in ~/.dogtag/nssdb.
+
+ self.path = path
+ self.nssdb = nssdb
+
+ self.tmpdir = tempfile.mkdtemp()
+
+ if password:
+ self.password_file = os.path.join(self.tmpdir, 'password.txt')
+ with open(self.password_file, 'w') as f:
+ f.write(password)
+
+ elif password_file:
+ self.password_file = password_file
+
+ else:
+ raise Exception('Missing PKCS #12 password')
+
+ def close(self):
+ shutil.rmtree(self.tmpdir)
+
+ def show_certs(self):
+
+ cmd = ['pki']
+
+ if self.nssdb:
+ cmd.extend([
+ '-d', self.nssdb.directory,
+ '-C', self.nssdb.password_file
+ ])
+
+ cmd.extend([
+ 'pkcs12-cert-find',
+ '--pkcs12-file', self.path,
+ '--pkcs12-password-file', self.password_file
+ ])
+
+ subprocess.check_call(cmd)
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 18fc3e1..99daf15 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -19,9 +19,11 @@
#
from __future__ import absolute_import
+from __future__ import print_function
import os
import pki.nssdb
+import pki.pkcs12
import pki.server
# PKI Deployment Imports
@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_server_pkcs12_path,
- pkcs12_password=pki_server_pkcs12_password)
+ try:
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_server_pkcs12_path,
+ pkcs12_password=pki_server_pkcs12_password)
+ finally:
+ nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict['pki_server_external_certs_path']
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ try:
+ print('Importing certificates from %s:' % pki_clone_pkcs12_path)
+
+ # The PKCS12 class requires an NSS database to run. For simplicity
+ # it uses the NSS database that has just been created.
+ pkcs12 = pki.pkcs12.PKCS12(
+ path=pki_clone_pkcs12_path,
+ password=pki_clone_pkcs12_password,
+ nssdb=nssdb)
+
+ try:
+ pkcs12.show_certs()
+ finally:
+ pkcs12.close()
+
+ # Import certificates
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_clone_pkcs12_path,
+ pkcs12_password=pki_clone_pkcs12_password,
+ no_user_certs=True)
+
+ print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
+
+ nssdb.show_certs()
+
+ finally:
+ nssdb.close()
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
--
1.8.3.1
From b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 1 Aug 2016 22:35:32 +0200
Subject: [PATCH 85/96] Fixed PKCS #12 import for cloning.
To fix cloning issue in IPA the security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 9 +++-
.../deployment/scriptlets/security_databases.py | 13 ++++-
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 60 ++++++++++++----------
3 files changed, 51 insertions(+), 31 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index fe65bb8..3494882 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -834,7 +834,8 @@ public class ConfigurationUtils {
BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
NoSuchItemOnTokenException, InvalidBERException, IOException {
- // TODO: refactor into a PKCS #12 utility class
+ // TODO: The PKCS #12 file is already imported in security_database.py.
+ // This method should be removed.
byte b[] = new byte[1000000];
FileInputStream fis = new FileInputStream(p12File);
@@ -1109,10 +1110,14 @@ public class ConfigurationUtils {
InternalCertificate icert = (InternalCertificate) xcert;
if (isCASigningCert) {
- // we need to change the trust attribute to CT
+ // set trust flags to CT,C,C
icert.setSSLTrust(InternalCertificate.TRUSTED_CA
| InternalCertificate.TRUSTED_CLIENT_CA
| InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
} else if (isAuditSigningCert(name)) {
icert.setObjectSigningTrust(InternalCertificate.USER
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 99daf15..e80a1d0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -150,8 +150,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Import certificates
nssdb.import_pkcs12(
pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ pkcs12_password=pki_clone_pkcs12_password)
+
+ # Set certificate trust flags
+ if subsystem.type == 'CA':
+ nssdb.modify_cert(
+ nickname=deployer.mdict['pki_ca_signing_nickname'],
+ trust_attributes='CTu,Cu,Cu')
+
+ nssdb.modify_cert(
+ nickname=deployer.mdict['pki_audit_signing_nickname'],
+ trust_attributes='u,u,Pu')
print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 9cabdc5..b02c363 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -47,33 +47,6 @@ import java.util.Random;
import java.util.StringTokenizer;
import java.util.Vector;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS10Attribute;
-import netscape.security.pkcs.PKCS10Attributes;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.PKCS9Attribute;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerInputStream;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.DerValue;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500Signer;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.NoSuchTokenException;
@@ -132,6 +105,33 @@ import org.mozilla.jss.util.Password;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500Signer;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
@SuppressWarnings("serial")
public class CryptoUtil {
@@ -1164,10 +1164,16 @@ public class CryptoUtil {
if (certchains != null) {
cert = certchains[certchains.length - 1];
}
+
+ // set trust flags to CT,C,C
InternalCertificate icert = (InternalCertificate) cert;
icert.setSSLTrust(InternalCertificate.TRUSTED_CA
| InternalCertificate.TRUSTED_CLIENT_CA
| InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
}
public static SEQUENCE parseCRMFMsgs(byte cert_request[])
--
1.8.3.1
From 018b5c1f3295fadd263d256d00866dd7b9d31163 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 26 Jul 2016 14:07:10 +1000
Subject: [PATCH 90/96] Fix CA OCSP responder when LWCAs are not in use
The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 502ab18..a5397da 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2240,6 +2240,10 @@ public class CertificateAuthority
* employ some heuristic to deal with this case. Our
* heuristic is:
*
+ * 0. If caMap contains no CAs, then lightweight CAs are not
+ * enabled. There is only one CA, and 'this' is it. Go
+ * straight to validation.
+ *
* 1. Find the issuer of the cert identified by the first
* CertID in the request.
*
@@ -2254,7 +2258,7 @@ public class CertificateAuthority
* aggregate OCSP response.
*/
ICertificateAuthority ocspCA = this;
- if (tbsReq.getRequestCount() > 0) {
+ if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) {
com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
BigInteger serialNo = req.getCertID().getSerialNumber();
X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
--
1.8.3.1
From 7bed80ef6b1529f948da260a6b43f2052c6ffb21 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 8 Aug 2016 14:39:01 +1000
Subject: [PATCH 91/96] Fix lightweight CA PEM-encoded PKCS #7 cert chain
retrieval
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
---
base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 7bca10f..246a3f0 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -173,7 +173,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
@Override
public Response getChainPEM(String aidString) {
- byte[] der = (byte[]) getCert(aidString).getEntity();
+ byte[] der = (byte[]) getChain(aidString).getEntity();
return Response.ok(toPem("PKCS7", der)).build();
}
--
1.8.3.1
From e948a42f8bf7823b18ad4551a8fe8a5db991e966 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 8 Aug 2016 13:08:17 +0200
Subject: [PATCH 92/96] Improve setup.py for standalone Dogtag client releases
PyPI requires a different spelling of LGPLv3+ classifier.
The correct name for installation requirements is 'install_requires',
not 'requirements'.
Add a new version_info command that rewrites setup.py in place to
include the current version. This fixes a problem with source
distributions of the client package.
---
base/common/python/setup.cfg | 2 +-
base/common/python/setup.py | 83 +++++++++++++++++++++++++++++++++-----------
2 files changed, 63 insertions(+), 22 deletions(-)
diff --git a/base/common/python/setup.cfg b/base/common/python/setup.cfg
index ad43486..32f2126 100644
--- a/base/common/python/setup.cfg
+++ b/base/common/python/setup.cfg
@@ -2,5 +2,5 @@
universal = 1
[aliases]
-packages = clean --all egg_info bdist_wheel sdist --format=zip
+packages = clean --all version_info egg_info bdist_wheel sdist --format=zip
release = packages register upload
diff --git a/base/common/python/setup.py b/base/common/python/setup.py
index 86e0704..e0920c1 100644
--- a/base/common/python/setup.py
+++ b/base/common/python/setup.py
@@ -43,28 +43,67 @@ try:
except ImportError:
from distutils.core import setup
+from distutils.cmd import Command
+
+
+class VersionInfo(Command):
+ user_options = []
-def get_version(specfile='../../../specs/pki-core.spec'):
version_re = re.compile('^Version:\s*(\d+\.\d+\.\d+)')
release_re = re.compile('^Release:.*?([\d\.]+)')
- version = release = None
- with open(specfile) as f:
- for line in f:
- if version is None:
- match = version_re.match(line)
- if match is not None:
- version = match.group(1)
- if release is None:
- match = release_re.match(line)
- if match is not None:
- release = match.group(1)
- if version is not None and release is not None:
- break
- if version is None or release is None:
- raise ValueError(version, release)
- return "%s.%s" % (version, release)
-
-VERSION = get_version()
+ specfile = '../../../specs/pki-core.spec'
+
+ def initialize_options(self):
+ self.rpm_version = None
+
+ def finalize_options(self):
+ try:
+ version, release = self.get_version()
+ except IOError:
+ pass
+ else:
+ self.rpm_version = "%s.%s" % (version, release)
+
+ def run(self):
+ if self.rpm_version is not None:
+ self.distribution.metadata.version = self.rpm_version
+ self.rewrite_setup_py()
+ else:
+ raise ValueError(
+ 'Cannot load version from {}'.format(self.specfile)
+ )
+
+ def get_version(self):
+ version = release = None
+ with open(self.specfile) as f:
+ for line in f:
+ if version is None:
+ match = self.version_re.match(line)
+ if match is not None:
+ version = match.group(1)
+ if release is None:
+ match = self.release_re.match(line)
+ if match is not None:
+ release = match.group(1)
+ if version is not None and release is not None:
+ break
+ if version is None or release is None:
+ raise ValueError(version, release)
+ return version, release
+
+ def rewrite_setup_py(self):
+ with open(__file__) as f:
+ lines = list(f)
+ for i, line in enumerate(lines):
+ if line.startswith('VERSION ='):
+ lines[i] = "VERSION = '{}'\n".format(self.rpm_version)
+ with open(__file__, 'w') as f:
+ f.write(''.join(lines))
+
+
+# auto-generated by version_info
+VERSION = None
+
setup(
author='Dogtag Certificate System Team',
@@ -85,7 +124,8 @@ and set up in less than an hour.""",
keywords='pki x509 cert certificate',
url='http://pki.fedoraproject.org/',
packages=['pki', 'pki.cli'],
- requirements=['python-nss', 'requests', 'six'],
+ install_requires=['python-nss', 'requests', 'six'],
+ cmdclass={'version_info': VersionInfo},
classifiers=[
'Development Status :: 5 - Production/Stable',
'Environment :: Web Environment',
@@ -93,7 +133,8 @@ and set up in less than an hour.""",
'Operating System :: OS Independent',
'Programming Language :: Python :: 2.7',
'Programming Language :: Python :: 3.4',
- 'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
+ 'License :: OSI Approved :: GNU Lesser General Public License ' +
+ 'v3 or later (LGPLv3+)',
'Topic :: Security :: Cryptography',
],
)
--
1.8.3.1
From a38b8b875e40d0d8551752af7aa2567d2891384a Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Mon, 8 Aug 2016 11:34:52 -0700
Subject: [PATCH 93/96] Ticket #2428 - part2 handle NullPointerException
---
.../src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index caf2cf1..0073bd2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -423,8 +423,8 @@ public class ProfileReviewServlet extends ProfileServlet {
try {
defValue = def.getValue(defName, locale, req);
- } catch (EPropertyException ee) {
- CMS.debug("ProfileReviewServlet: " + ee.toString());
+ } catch (Exception exp) {
+ CMS.debug("ProfileReviewServlet: " + exp.toString());
}
defset.set(ARG_DEF_ID, defName);
--
1.8.3.1
From a808013629d4b4de886ec1563daebf6ea5138f0c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 8 Aug 2016 19:19:16 +0200
Subject: [PATCH 94/96] Improved SystemConfigService.configure() error message.
The pkispawn has been modified to improve the way it displays the
error message returned by SystemConfigService.configure(). If the
method throws a PKIException, the response is returned as a JSON
message, so pkispawn will parse it and display the actual error
message. For other exceptions pkispawn will display the entire
HTML message returned by Tomcat.
https://fedorahosted.org/pki/ticket/2399
---
.../python/pki/server/deployment/pkihelper.py | 23 +---------------------
base/server/sbin/pkispawn | 20 +++++++++++++++++--
2 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 8a1dbdd..b6eacf1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3959,28 +3959,7 @@ class ConfigClient:
admin_cert = response['adminCert']['cert']
self.process_admin_cert(admin_cert)
- except Exception as e:
- config.pki_log.error(
- log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e),
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- if hasattr(e, 'response'):
- text = e.response.text # pylint: disable=E1101
- try:
- root = ET.fromstring(text)
- except ET.ParseError as pe:
- config.pki_log.error(
- "ParseError: %s: %s " % (pe, text),
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise
-
- if root.tag == 'PKIException':
- message = root.findall('.//Message')[0].text
- if message is not None:
- config.pki_log.error(
- log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " +
- message,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ except:
raise
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 13139fa..c87c49a 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -527,8 +527,24 @@ def main(argv):
scriptlet.spawn(deployer)
- # pylint: disable=W0703
- except Exception as e:
+ except requests.HTTPError as e:
+ r = e.response
+ print()
+
+ print('Installation failed:')
+ if r.headers['content-type'] == 'application/json':
+ data = r.json()
+ print('%s: %s' % (data['ClassName'], data['Message']))
+ else:
+ print(r.text)
+
+ print()
+ print('Please check the %s logs in %s.' %
+ (config.pki_subsystem, deployer.mdict['pki_subsystem_log_path']))
+
+ sys.exit(1)
+
+ except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
print("Installation failed: %s" % e)
--
1.8.3.1