From 5c96e5d0a8cc71122ea0cc2f0579e2ff1f501890 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 09 2021 10:01:50 +0000
Subject: import pki-core-10.11.2-2.module+el8.5.0+12735+8eb38ccc
---
diff --git a/.gitignore b/.gitignore
index 2e17446..eed9bac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.10.5.tar.gz
+SOURCES/pki-10.11.2.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index a910798..9ffef46 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
+864e86742b5462527a677c060d5b3b1d0f11b299 SOURCES/pki-10.11.2.tar.gz
diff --git a/SOURCES/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch b/SOURCES/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
new file mode 100644
index 0000000..71510c7
--- /dev/null
+++ b/SOURCES/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
@@ -0,0 +1,26 @@
+From 607300e57ea05a1475656f1493745f7c7a28b747 Mon Sep 17 00:00:00 2001
+From: Jack Magne
+Date: Thu, 23 Sep 2021 13:50:41 -0400
+Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
+ in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
+ standalone java tools.
+
+---
+ base/tools/templates/pki_java_command_wrapper.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
+index 05650630d..d68ed93a3 100644
+--- a/base/tools/templates/pki_java_command_wrapper.in
++++ b/base/tools/templates/pki_java_command_wrapper.in
+@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
+
+ ${JAVA} ${JAVA_OPTIONS} \
+ -cp "${PKI_LIB}/*" \
++ -Dcom.redhat.fips=false \
+ -Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
+ com.netscape.cmstools.${COMMAND} "$@"
+
+-- 
+2.31.1
+
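Review bot: The added wrapper line `-Dcom.redhat.fips=false` turns off the OpenJDK FIPS provider for every standalone `com.netscape.cmstools.${COMMAND}` invocation, unconditionally and with no comment in the template saying why; the patch subject only records that instance creation failed in FIPS mode. Because this is a FIPS-relevant setting, the line deserves a comment directly above it, for example `# Bug 2001576: run the CLI tools without the JDK FIPS provider; FIPS handling for these tools presumably comes from the NSS/JSS layer (confirm)`, so a later maintainer neither removes it as a leftover nor copies it into other launchers without thinking. The subject says this is an "additional fix", which suggests a matching server-side change exists outside this page; if so, the patch description should name it so the two can be reviewed together.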
diff --git a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch deleted file mode 100644 index d6b5032..0000000 --- a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 17 May 2021 17:39:50 -0500 -Subject: [PATCH] Fix permission for existing installation logs - -The spec file has been updated to remove world access -from existing installation logs in /var/log/pki. - -Resolves: CVE-2021-3551 ---- - pki.spec | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/pki.spec b/pki.spec -index a9ea345d8f..64bfd4fe7d 100644 ---- a/pki.spec -+++ b/pki.spec -@@ -991,6 +991,10 @@ fi - ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new - ## PKI deployment process - -+# CVE-2021-3551 -+# Remove world access from existing installation logs -+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; -+ - # Reload systemd daemons on upgrade only - if [ "$1" == "2" ] - then --- -2.30.2 - diff --git a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch deleted file mode 100644 index 5f97ff3..0000000 --- a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 17 May 2021 15:39:44 -0500 -Subject: [PATCH] Fix permission for new installation logs - -The enable_pki_logger() has been updated to disable -world access for new installation logs to be created -in /var/log/pki. - -Resolves: CVE-2021-3551 ---- - .../python/pki/server/deployment/pkilogging.py | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py -index 089a292559..0926173700 100644 ---- a/base/server/python/pki/server/deployment/pkilogging.py -+++ b/base/server/python/pki/server/deployment/pkilogging.py -@@ -21,8 +21,12 @@ - # System Imports - from __future__ import absolute_import - import logging -+import os -+import pathlib - import pprint - -+import pki -+ - sensitive_parameters = [] - - # Initialize 'pretty print' for objects -@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name): - console_format = logging.Formatter('%(levelname)s: %(message)s') - console.setFormatter(console_format) - -- # Configure file handler -- log_file = logging.FileHandler(filename, 'w') -+ # Create an empty file with the proper permission -+ pathlib.Path(filename).touch() -+ os.chmod(filename, pki.server.DEFAULT_FILE_MODE) -+ -+ # Configure file handler with append mode to preserve the permission -+ log_file = logging.FileHandler(filename) - file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s', - '%Y-%m-%d %H:%M:%S') - log_file.setFormatter(file_format) --- -2.30.2 - diff --git a/SOURCES/0001-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-Fix-renewal-profile-approval-process.patch deleted file mode 100644 index 2aa7f35..0000000 --- a/SOURCES/0001-Fix-renewal-profile-approval-process.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 13 Jan 2021 18:27:46 +1100 -Subject: [PATCH] Fix renewal profile approval process - -Due to a recent change in PKI CLI, the CLI now passes along user -authentication with submissions to the renewal endpoint. Unlike the EE -pages, the REST API has passed along this authentication for a while. -Due to a bug in the RenewalProcessor, requests with credentials against -profiles with no authentication method and no ACLs result in the -certificiate automatically being approved. This occurs because, when -an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified -the code to allow Light-Weight SubCAs to issue certificates, validation -wasn't done on the passed principal, to see if it was a trusted agent. -Because profiles requring Agent approval have an empty ACL list (as, no -user should be able to submit a certificate request and have it -automatically signed without agent approval), authorize allows any user -to approve this request and thus accepts the AuthToken. - -Critical analysis: the RenewalProcessor code interprets (authToken -!= null) as evidence that the authenticated user is /authorized/ to -immediately issue the certificate. This mismatch of concerns (authn -vs authz) resulted in a misunderstanding of system behaviour. The -"latent" AuthToken (from the HTTP request) was assigned to authToken -without realising that authorization needed to be performed. - -We fix this by splitting the logic on whether the profile defines an -authenticator. If so, we (re)authenticate and authorize the user -according to the profile configuration. 
- -If the profile does not define an authenticator but there is a -principal in the HTTP request, if (and only if) the user has -permission to approve certificate requests *and* the requested -renewal profile is caManualRenewal (which is hardcoded to be used -for LWCA renewal), then we issue the certificate immediately. This -special case ensures that LWCA renewal keeps working. - -Otherwise, if there is no principal in the HTTP request or the -principal does not have permission to approve certificate requests, -we leave the authToken unset. The resulting renewal request will be -created with status PENDING, i.e. enqueued for agent review. - -Signed-off-by: Fraser Tweedale -Signed-off-by: Alexander Scheel ---- - .../com/netscape/ca/CertificateAuthority.java | 10 +++ - .../cms/servlet/cert/RenewalProcessor.java | 75 +++++++++++++++++-- - 2 files changed, 79 insertions(+), 6 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java -index 560507168a..431ce9ff78 100644 ---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java -+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java -@@ -1929,6 +1929,16 @@ public class CertificateAuthority - } - - ProfileSubsystem ps = engine.getProfileSubsystem(); -+ /* NOTE: hard-coding the profile to use for Lightweight CA renewal -+ * might be OK, but caManualRenewal was not the right one to use. -+ * As a consequence, we have an undesirable special case in -+ * RenewalProcessor.processRenewal(). -+ * -+ * We should introduce a new profile specifically for LWCA renewal, -+ * with an authenticator and ACLs to match the authz requirements -+ * for the renewAuthority REST resource itself. Then we can use -+ * it here, and remove the workaround from RenewalProcessor. 
-+ */ - Profile profile = ps.getProfile("caManualRenewal"); - CertEnrollmentRequest req = CertEnrollmentRequestFactory.create( - new ArgBlock(), profile, httpReq.getLocale()); -diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -index 4293cdd064..fd20f48267 100644 ---- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest; - - import org.apache.commons.lang3.StringUtils; - import org.dogtagpki.server.ca.CAEngine; -+import org.dogtagpki.server.authorization.AuthzToken; - import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension; - import org.mozilla.jss.netscape.security.x509.X509CertImpl; - -@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor { - - // before creating the request, authenticate the request - IAuthToken authToken = null; -- Principal principal = request.getUserPrincipal(); -- if (principal instanceof PKIPrincipal) -- authToken = ((PKIPrincipal) principal).getAuthToken(); -- if (authToken == null && authenticator != null) { -- authToken = authenticate(request, origReq, authenticator, context, true, credentials); -+ -+ if (authenticator != null) { -+ /* The profile specifies an authenticator. Use it to -+ * authenticate the user. Ignore the "latent" session -+ * principal (if any). -+ */ -+ authToken = authenticate( -+ request, -+ origReq, -+ authenticator, -+ context, -+ true /* isRenewal */, -+ credentials); -+ } else { -+ /* When authenticator is null, we expect manual agent -+ * review (leave authToken as null). -+ * -+ * But as a special case to ensure Lightweight CA (LWCA) -+ * renewal works, if there is a latent user in the HTTP -+ * request, we use that user (i.e. 
set authToken to the -+ * principal's IAuthToken) if and only if: -+ * -+ * - The renewal profile is caManualRenewal (LWCA renewal -+ * is hardcoded to use this profile); AND -+ * -+ * - The latent user is authorized to "execute" -+ * certificate requests (i.e. agent approval) -+ * -+ * See also CertificateAuthority.renewAuthority(). -+ */ -+ -+ Principal principal = request.getUserPrincipal(); -+ if ( -+ renewProfileId.equals("caManualRenewal") -+ && principal instanceof PKIPrincipal -+ ) { -+ IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken(); -+ AuthzToken authzToken = authorize( -+ "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute"); -+ if (authzToken != null) { -+ // Success (no exception); user is authorized to approve -+ // cert requests. Set the authToken. -+ // -+ // NOTE: This authz does not replace or subsume the -+ // profile-specific authz check below. -+ authToken = latentToken; -+ } else { -+ // leave authToken as null to enqueue a pending request. -+ } -+ } else { -+ // not caManualRenewal or no latent principal; -+ // leave authToken as null to enqueue a pending request. -+ } - } - -- // authentication success, now authorize -+ /* Authorize the request. -+ * -+ * If authToken != null, it will be checked against ACLs specified -+ * in the profile (if any). If ACLs are defined and authToken does -+ * not match, throws an authorization exception. -+ * -+ * If authToken == null, no check is performed (even if the profile -+ * defines ACLs). This is fine, because null authToken will cause -+ * the request status to be 'pending' [agent approval]. -+ */ - authorize(profileId, renewProfile, authToken); - -+ /* At this point, the request will be created. If authToken -+ * is non-null, then the certificate will be issued -+ * immediately. Otherwise the request will be pending. 
*/ -+ -+ - /////////////////////////////////////////////// - // create and populate requests - /////////////////////////////////////////////// --- -2.26.2 - diff --git a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch b/SOURCES/0001-Removed-dependency-on-pytest-runner.patch deleted file mode 100644 index 5d5c1b1..0000000 --- a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch +++ /dev/null @@ -1,23 +0,0 @@ -From ab8b87af09b26c3c7ec257e0fb8e5ae931153120 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 8 Feb 2020 21:56:41 -0600 -Subject: [PATCH] Removed dependency on pytest-runner - ---- - base/server/healthcheck/setup.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/base/server/healthcheck/setup.py b/base/server/healthcheck/setup.py -index 22db8bd0f..c629e34c0 100644 ---- a/base/server/healthcheck/setup.py -+++ b/base/server/healthcheck/setup.py -@@ -32,6 +32,5 @@ setup( - 'Programming Language :: Python :: 3.6', - ], - python_requires='!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*', -- setup_requires=['pytest-runner'], - tests_require=['pytest'], - ) --- -2.21.0 - diff --git a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch deleted file mode 100644 index f873dd3..0000000 --- a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 17 May 2021 18:17:26 -0500 -Subject: [PATCH] Use password file when creating admin user - -The pki-server -user-add has been updated to -provide a --password-file option. The deployment tool -has been modified to use this option when creating the -admin user to avoid the password from getting logged in -the debug mode. - -Resolves: CVE-2021-3551 ---- - base/server/python/pki/server/cli/user.py | 9 ++- - .../python/pki/server/deployment/__init__.py | 5 +- - base/server/python/pki/server/subsystem.py | 74 +++++++++++-------- - .../server/cli/SubsystemUserAddCLI.java | 11 +++ - 4 files changed, 66 insertions(+), 33 deletions(-) - -diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py -index c00a1acb50..c5c8d52956 100644 ---- a/base/server/python/pki/server/cli/user.py -+++ b/base/server/python/pki/server/cli/user.py -@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI): - print(' --full-name Full name') - print(' --email Email') - print(' --password Password') -+ print(' --password-file Password file') - print(' --phone Phone') - print(' --type Type') - print(' --state State') -@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI): - def execute(self, argv): - try: - opts, args = getopt.gnu_getopt(argv, 'i:v', [ -- 'instance=', 'full-name=', 'email=', 'password=', -+ 'instance=', 'full-name=', 'email=', -+ 'password=', 'password-file=', - 'phone=', 'type=', 'state=', 'tps-profiles=', - 'verbose', 'debug', 'help']) - -@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI): - full_name = None - email = None - password = None -+ password_file = None - phone = None - user_type = None - state = None -@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI): - elif o == '--password': - password = a - -+ elif o == '--password-file': -+ password_file = a -+ - elif o == '--phone': - phone = a - -@@ -149,6 +155,7 @@ class 
UserAddCLI(pki.cli.CLI): - full_name=full_name, - email=email, - password=password, -+ password_file=password_file, - phone=phone, - user_type=user_type, - tps_profiles=tps_profiles, -diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py -index 347ab1acdd..6d5f083b47 100644 ---- a/base/server/python/pki/server/deployment/__init__.py -+++ b/base/server/python/pki/server/deployment/__init__.py -@@ -373,6 +373,8 @@ class PKIDeployer: - - response = client.setupAdmin(request) - -+ # Run the command as current user such that -+ # it can read the temporary password file. - subsystem.add_user( - uid, - full_name=full_name, -@@ -380,7 +382,8 @@ class PKIDeployer: - password=password, - user_type='adminType', - state='1', -- tps_profiles=tps_profiles) -+ tps_profiles=tps_profiles, -+ as_current_user=True) - - admin_groups = subsystem.config['preop.admin.group'] - groups = [x.strip() for x in admin_groups.split(',')] -diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py -index a3ed0c7f3a..41d8d67c2e 100644 ---- a/base/server/python/pki/server/subsystem.py -+++ b/base/server/python/pki/server/subsystem.py -@@ -1335,54 +1335,66 @@ class PKISubsystem(object): - full_name=None, - email=None, - password=None, -+ password_file=None, - phone=None, - user_type=None, - state=None, - tps_profiles=None, - as_current_user=False): - -- cmd = [self.name + '-user-add'] -+ tmpdir = tempfile.mkdtemp() - -- if full_name: -- cmd.append('--full-name') -- cmd.append(full_name) -+ try: -+ if password and not password_file: -+ password_file = os.path.join(tmpdir, 'password.txt') -+ with open(password_file, 'w') as f: -+ f.write(password) - -- if email: -- cmd.append('--email') -- cmd.append(email) -+ cmd = [self.name + '-user-add'] - -- if password: -- cmd.append('--password') -- cmd.append(password) -+ if full_name: -+ cmd.append('--full-name') -+ cmd.append(full_name) - -- if phone: 
-- cmd.append('--phone') -- cmd.append(phone) -+ if email: -+ cmd.append('--email') -+ cmd.append(email) - -- if user_type: -- cmd.append('--type') -- cmd.append(user_type) -+ if password_file: -+ cmd.append('--password-file') -+ cmd.append(password_file) - -- if state: -- cmd.append('--state') -- cmd.append(state) -+ if phone: -+ cmd.append('--phone') -+ cmd.append(phone) - -- if tps_profiles: -- cmd.append('--tps-profiles') -- cmd.append(','.join(tps_profiles)) -+ if user_type: -+ cmd.append('--type') -+ cmd.append(user_type) - -- if logger.isEnabledFor(logging.DEBUG): -- cmd.append('--debug') -+ if state: -+ cmd.append('--state') -+ cmd.append(state) - -- elif logger.isEnabledFor(logging.INFO): -- cmd.append('--verbose') -+ if tps_profiles: -+ cmd.append('--tps-profiles') -+ cmd.append(','.join(tps_profiles)) - -- cmd.append(user_id) -+ if logger.isEnabledFor(logging.DEBUG): -+ cmd.append('--debug') - -- self.run( -- cmd, -- as_current_user=as_current_user, -- capture_output=True) -+ elif logger.isEnabledFor(logging.INFO): -+ cmd.append('--verbose') -+ -+ cmd.append(user_id) -+ -+ self.run( -+ cmd, -+ as_current_user=as_current_user, -+ capture_output=True) -+ -+ finally: -+ shutil.rmtree(tmpdir) - - def modify_user(self, user_id, add_see_also=None, del_see_also=None, - as_current_user=False): -diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java -index 5a385c359f..04d68de758 100644 ---- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java -+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java -@@ -6,6 +6,8 @@ - package org.dogtagpki.server.cli; - - import java.io.File; -+import java.nio.file.Files; -+import java.nio.file.Paths; - import java.util.Arrays; - import java.util.List; - -@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI { - option.setArgName("password"); - options.addOption(option); - -+ option = new 
Option(null, "password-file", true, "Password file"); -+ option.setArgName("path"); -+ options.addOption(option); -+ - option = new Option(null, "phone", true, "Phone"); - option.setArgName("phone"); - options.addOption(option); -@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI { - - String email = cmd.getOptionValue("email"); - String password = cmd.getOptionValue("password"); -+ String passwordFile = cmd.getOptionValue("password-file"); - String phone = cmd.getOptionValue("phone"); - String type = cmd.getOptionValue("type"); - String state = cmd.getOptionValue("state"); - String tpsProfiles = cmd.getOptionValue("tps-profiles"); - -+ if (passwordFile != null) { -+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim(); -+ } -+ - String catalinaBase = System.getProperty("catalina.base"); - - TomcatJSS tomcatjss = TomcatJSS.getInstance(); --- -2.30.2 - diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 7ff4063..aa5c113 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -12,9 +12,9 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 10.10.5 -Release: 3%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -beta1 +Version: 10.11.2 +Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +#global _phase -alpha1 # To create a tarball from a version tag: # $ git archive \ 
@@ -30,16 +30,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # \ # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch - -# Do not remove this!! pytest-runner isn't available on RHEL. Removing this -# patch will break RHEL builds. The error message is: -# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/: -# [Errno 111] Connection refused -- Some packages may not be found! -Patch1: 0001-Removed-dependency-on-pytest-runner.patch -Patch2: 0001-Fix-renewal-profile-approval-process.patch -Patch3: 0001-Use-password-file-when-creating-admin-user.patch -Patch4: 0001-Fix-permission-for-new-installation-logs.patch -Patch5: 0001-Fix-permission-for-existing-installation-logs.patch +Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) @@ -69,15 +60,14 @@ ExcludeArch: i686 # Java ################################################################################ -%define java_devel java-devel -%define java_headless java-headless - -%if 0%{?fedora} >= 33 || 0%{?rhel} > 8 -%define min_java_version 1:11 -%define java_home /usr/lib/jvm/java-11-openjdk +%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8 +%define java_devel java-1.8.0-openjdk-devel +%define java_headless java-1.8.0-openjdk-headless +%define java_home /usr/lib/jvm/jre-1.8.0-openjdk %else -%define min_java_version 1:1.8.0 -%define java_home /usr/lib/jvm/java-1.8.0-openjdk +%define java_devel java-11-openjdk-devel +%define java_headless java-11-openjdk-headless +%define java_home /usr/lib/jvm/jre-11-openjdk %endif ################################################################################ 
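Review bot: The first hunk drops Patch2 through Patch5 — per the `Resolves:` trailers in the deleted patch files these are the CVE-2021-20179 renewal-approval fix and the CVE-2021-3551 password-file and log-permission fixes — but nothing in the spec records that the 10.11.2 tarball now carries them, and the new changelog entries mention only Bug 2001576 and rebases. Presumably the fixes landed upstream before 10.11.2, but that should be stated where the Patch lines were, e.g. `# CVE-2021-20179 and CVE-2021-3551 fixes are carried in the upstream tarball (verified against UPSTREAM_REF); previously Patch2-Patch5`, with the placeholder replaced by the actual upstream commits or release. The %changelog hunk at the end of the spec also deletes the 10.10.5-2 and 10.10.5-3 entries that named those CVEs, so an operator auditing the installed package's changelog for them will find nothing; keeping the superseded entries below the new ones would preserve that trail.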
@@ -94,8 +84,7 @@ ExcludeArch: i686 # By default the build will execute unit tests unless --without test # option is specified. -# bcond_without test -%global with_test 1 +%bcond_without test # By default all packages will be built except the ones specified with # --without option (exclusion method). @@ -143,8 +132,6 @@ ExcludeArch: i686 %define debug_package %{nil} %endif -%bcond_without sdnotify - # ignore unpackaged files from native 'tpsclient' # REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app %define _unpackaged_files_terminate_build 0 @@ -182,23 +169,20 @@ fi; # Build Dependencies ################################################################################ -# autosetup -BuildRequires: git BuildRequires: make - BuildRequires: cmake >= 3.0.2 BuildRequires: gcc-c++ BuildRequires: zip -BuildRequires: %java_devel >= %{min_java_version} +BuildRequires: %{java_devel} BuildRequires: javapackages-tools BuildRequires: redhat-rpm-config -BuildRequires: ldapjdk >= 4.22.0 +BuildRequires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0 BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io BuildRequires: apache-commons-lang3 >= 3.2 +BuildRequires: apache-commons-logging BuildRequires: apache-commons-net -BuildRequires: jakarta-commons-httpclient BuildRequires: glassfish-jaxb-api BuildRequires: slf4j BuildRequires: slf4j-jdk14 
@@ -212,22 +196,10 @@ BuildRequires: policycoreutils BuildRequires: python3-lxml BuildRequires: python3-sphinx -BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 -%if 0%{?rhel} && ! 0%{?eln} BuildRequires: resteasy >= 3.0.26 -%else -BuildRequires: jboss-annotations-1.2-api -BuildRequires: jboss-jaxrs-2.0-api -BuildRequires: jboss-logging -BuildRequires: resteasy-atom-provider >= 3.0.17-1 -BuildRequires: resteasy-client >= 3.0.17-1 -BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 -BuildRequires: resteasy-core >= 3.0.17-1 -BuildRequires: resteasy-jackson2-provider >= 3.0.17-1 -%endif BuildRequires: python3 >= 3.5 BuildRequires: python3-devel @@ -236,23 +208,14 @@ BuildRequires: python3-cryptography BuildRequires: python3-lxml BuildRequires: python3-ldap BuildRequires: python3-libselinux -BuildRequires: python3-nss BuildRequires: python3-requests >= 2.6.0 BuildRequires: python3-six -%if 0%{?fedora} || 0%{?rhel} > 8 -BuildRequires: python3-pytest-runner -%endif - BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.8.1 -BuildRequires: tomcatjss >= 7.6.1 +BuildRequires: jss >= 4.9.0, jss < 5.0.0 +BuildRequires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0 -# JNA is used to bind to libsystemd -%if %{with sdnotify} -BuildRequires: jna -%endif BuildRequires: systemd-units %if 0%{?rhel} && ! 0%{?eln} 
@@ -319,22 +282,22 @@ Summary: %{brand} PKI Package # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI theme packages -Requires: %{vendor_id}-pki-server-theme = %{version} -Requires: %{vendor_id}-pki-console-theme = %{version} +Requires: %{vendor_id}-pki-server-theme = %{version}-%{release} +Requires: %{vendor_id}-pki-console-theme = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages -Requires: pki-acme = %{version} -Requires: pki-ca = %{version} -Requires: pki-kra = %{version} -Requires: pki-ocsp = %{version} -Requires: pki-tks = %{version} -Requires: pki-tps = %{version} +Requires: pki-acme = %{version}-%{release} +Requires: pki-ca = %{version}-%{release} +Requires: pki-kra = %{version}-%{release} +Requires: pki-ocsp = %{version}-%{release} +Requires: pki-tks = %{version}-%{release} +Requires: pki-tps = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of PKI console -Requires: pki-console = %{version} -Requires: pki-javadoc = %{version} +Requires: pki-console = %{version}-%{release} +Requires: pki-javadoc = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 'esc' is not built @@ -371,9 +334,9 @@ PKI consists of the following components: Summary: PKI Symmetric Key Package -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 4.8.0 +Requires: jss >= 4.9.0, jss < 5.0.0 Requires: nss >= 3.38.0 # Ensure we end up with a useful installation @@ -416,7 +379,7 @@ Summary: PKI Python 3 Package BuildArch: noarch Obsoletes: pki-base-python3 < %{version} -Provides: pki-base-python3 = %{version} +Provides: pki-base-python3 = %{version}-%{release} %if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} %endif 
@@ -426,9 +389,11 @@ Requires: python3 >= 3.5 Requires: python3-cryptography Requires: python3-ldap Requires: python3-lxml -Requires: python3-nss Requires: python3-requests >= 2.6.0 Requires: python3-six +%if 0%{?rhel} < 9 || 0%{?fedora} < 34 +Recommends: python3-nss +%endif %description -n python3-pki This package contains PKI client library for Python 3. @@ -440,26 +405,24 @@ This package contains PKI client library for Python 3. Summary: PKI Base Java Package BuildArch: noarch -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec Requires: apache-commons-io Requires: apache-commons-lang3 >= 3.2 Requires: apache-commons-logging Requires: apache-commons-net -Requires: jakarta-commons-httpclient Requires: glassfish-jaxb-api Requires: slf4j Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 4.7.0 -Requires: ldapjdk >= 4.22.0 +Requires: jss >= 4.9.0, jss < 5.0.0 +Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0 Requires: pki-base = %{version}-%{release} %if 0%{?rhel} && 0%{?rhel} <= 8 Requires: resteasy >= 3.0.26 %else -Requires: resteasy-atom-provider >= 3.0.17-1 Requires: resteasy-client >= 3.0.17-1 Requires: resteasy-jaxb-provider >= 3.0.17-1 Requires: resteasy-core >= 3.0.17-1 @@ -535,19 +498,13 @@ Requires: pki-servlet-engine Requires: tomcat >= 1:9.0.7 %endif -Requires: velocity Requires: sudo Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss >= 7.6.1 - -# JNA is used to bind to libsystemd -%if %{with sdnotify} -Requires: jna -%endif +Requires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0 # pki-healthcheck depends on the following library %if 0%{?rhel} 
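Review bot: The new `%if 0%{?rhel} < 9 || 0%{?fedora} < 34` guard around `Recommends: python3-nss` is true on every target, so it never excludes anything: on Fedora `%{?rhel}` is undefined and `0 < 9` holds, and on RHEL `%{?fedora}` is undefined and `0 < 34` holds. The java macro block earlier in this same spec uses the guarded form `0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8`; this condition should follow it, `%if 0%{?rhel} && 0%{?rhel} < 9 || 0%{?fedora} && 0%{?fedora} < 34`. The RHEL 9 / Fedora 34 cut-offs are taken from the condition as written; whether those are the intended boundaries is not visible here.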
@@ -658,7 +615,7 @@ since such archival would undermine non-repudiation properties of signing keys. Summary: PKI OCSP Package BuildArch: noarch -Requires: pki-server = %{version} +Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -696,7 +653,7 @@ whenever they are issued or updated. Summary: PKI TKS Package BuildArch: noarch -Requires: pki-server = %{version} +Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -727,7 +684,7 @@ behind the firewall with restricted access. Summary: PKI TPS Package -Requires: pki-server = %{version} +Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -792,8 +749,8 @@ BuildArch: noarch BuildRequires: idm-console-framework >= 1.2.0 Requires: idm-console-framework >= 1.2.0 -Requires: pki-base-java = %{version} -Requires: pki-console-theme = %{version} +Requires: pki-base-java = %{version}-%{release} +Requires: pki-console-theme = %{version}-%{release} %description -n pki-console The PKI Console is a Java application used to administer PKI server. @@ -809,7 +766,7 @@ The PKI Console is a Java application used to administer PKI server. Summary: %{brand} PKI Server Theme Package BuildArch: noarch -Provides: pki-server-theme = %{version} +Provides: pki-server-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} @@ -828,7 +785,7 @@ This PKI Server Theme Package contains Summary: %{brand} PKI Console Theme Package BuildArch: noarch -Provides: pki-console-theme = %{version} +Provides: pki-console-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} 
@@ -861,7 +818,7 @@ This package contains PKI test suite. %prep ################################################################################ -%autosetup -n pki-%{version}%{?_phase} -p 1 -S git +%autosetup -n pki-%{version}%{?_phase} -p 1 ################################################################################ %build @@ -875,7 +832,7 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'` # assume tomcat app_server -app_server=tomcat-8.5 +app_server=tomcat-9.0 %if 0%{?rhel} && 0%{?rhel} <= 8 %{__mkdir_p} build @@ -888,8 +845,8 @@ cd build -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ -DJAVA_VERSION=${java_version} \ - -DJAVA_HOME=%java_home \ - -DPKI_JAVA_PATH=%java_home/bin/java \ + -DJAVA_HOME=%{java_home} \ + -DPKI_JAVA_PATH=%{java_home}/bin/java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -DAPP_SERVER=$app_server \ @@ -907,7 +864,6 @@ cd build -DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \ -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \ -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \ - -DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \ -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ @@ -949,7 +905,7 @@ cd %{_vpath_builddir} --no-print-directory \ install -%if %{with_test} +%if %{with test} ctest --output-on-failure %endif 
@@ -966,14 +922,22 @@ EOF # Customize client library links in /usr/share/pki/lib ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar +%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8 ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar +%else +ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/lib/jakarta.annotation-api.jar +%endif %if %{with server} # Customize server common library links in /usr/share/pki/server/common/lib ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar +%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8 ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar +%else +ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jakarta.annotation-api.jar +%endif # with server %endif @@ -1127,6 +1091,7 @@ fi %license base/tools/LICENSE %doc base/tools/doc/README %{_bindir}/p7tool +%{_bindir}/p12tool %{_bindir}/pistool %{_bindir}/pki %{_bindir}/revoker @@ -1251,10 +1216,6 @@ fi %{_datadir}/pki/setup/ %{_datadir}/pki/server/ -%if %{with sdnotify} -%{_javadir}/pki/pki-systemd.jar -%endif - # with server %endif 
@@ -1402,15 +1363,26 @@ fi ################################################################################ %changelog -* Wed May 19 2021 Red Hat PKI Team 10.10.5-3 -- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file +* Fri Sep 24 2021 Red Hat PKI Team 10.11.2-2 +- Bug 2001576 - pki instance creation fails for IPA in FIPS mode + +* Fri Sep 17 2021 Red Hat PKI Team 10.11.2-1 +- Rebase to PKI 10.11.2 + +* Thu Aug 12 2021 Red Hat PKI Team 10.11.0-2 +- Bug 1992337 - Double issuance of non-CA subsystem certs at installation + +* Mon Jul 26 2021 Red Hat PKI Team 10.11.0-1 +- Rebase to PKI 10.11.0 + +* Mon Jun 14 2021 Red Hat PKI Team 10.11.0-0.3 +- Rebase to PKI 10.11.0-alpha3 -* Tue Mar 23 2021 Red Hat PKI Team 10.10.5-2 -- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate +* Thu Jun 03 2021 Red Hat PKI Team 10.11.0-0.2 +- Fix JAVA_HOME -* Tue Feb 23 2021 Red Hat PKI Team 10.10.5-1 -- Rebase to PKI 10.10.5 -- Bug 1929067 - PKI instance creation failed with new 389-ds-base build +* Wed Jun 02 2021 Red Hat PKI Team 10.11.0-0.1 +- Rebase to PKI 10.11.0-alpha2 * Mon Feb 08 2021 Red Hat PKI Team 10.10.4-1 - Rebase to PKI 10.10.4