From 86b426748f2e496f6e2ab29617747ced76583cb4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 10 2020 01:34:34 +0000
Subject: import pki-core-10.9.0-0.4.module+el8.3.0+7178+12af6fad
---
diff --git a/.gitignore b/.gitignore
index 71256c5..2bb3dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.0-a1.tar.gz
+SOURCES/pki-10.9.0-b2.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index ec73bba..0f8efb1 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-7b88b43d6ab71715a8089422bee8392fdcddef1f SOURCES/pki-10.9.0-a1.tar.gz
+7a900dcf24422f7756649fbed42b6a033f9204b7 SOURCES/pki-10.9.0-b2.tar.gz
diff --git a/SOURCES/0002-acme-log-in-CAClient-when-submitting-certificate-req.patch b/SOURCES/0002-acme-log-in-CAClient-when-submitting-certificate-req.patch
deleted file mode 100644
index b5fe63d..0000000
--- a/SOURCES/0002-acme-log-in-CAClient-when-submitting-certificate-req.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From a589107d8362bed238f3cdf1662914665b705c0b Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 27 May 2020 16:55:05 +1000
-Subject: [PATCH 1/2] acme: log in CAClient when submitting certificate request
-
-It is possible to use a lower-privileged RA account to issue
-certificates, if the target profile is set up to allow it.
-Therefore log in the user before submitting the certificate request.
----
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java b/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-index ecc074a5f..dd7fc3f85 100644
---- a/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-+++ b/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-@@ -123,6 +123,7 @@ public class PKIIssuer extends ACMEIssuer {
- AuthorityID aid = null;
- X500Name adn = null;
-
-+ caClient.login();
- CACertClient certClient = new CACertClient(caClient);
- CertEnrollmentRequest certEnrollmentRequest = certClient.getEnrollmentTemplate(profile);
-
----
-2.21.0
-
diff --git a/SOURCES/0003-acme-PKIIssuer-handle-immediate-issuance.patch b/SOURCES/0003-acme-PKIIssuer-handle-immediate-issuance.patch
deleted file mode 100644
index 2bc9068..0000000
--- a/SOURCES/0003-acme-PKIIssuer-handle-immediate-issuance.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bd23745577a65c3f39ed1262a0e1f5ef80ffdb5f Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 27 May 2020 17:05:27 +1000
-Subject: [PATCH 2/2] acme: PKIIssuer: handle immediate issuance
-
-Depending on profile configuration and user privileges, the cert
-could be immediately issued. Furthermore the user may not have
-agent permissions to review/approve a request, but a profile
-configuration could allow immediate issuance for particular
-users/groups.
-
-Therefore we must detect when the certificate was immediately issued
-and if so, skip the review/approve behaviour.
----
- .../org/dogtagpki/acme/issuer/PKIIssuer.java | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java b/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-index dd7fc3f85..c01be6f36 100644
---- a/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-+++ b/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
-@@ -159,15 +159,19 @@ public class PKIIssuer extends ACMEIssuer {
- throw new Exception("Unable to generate certificate: " + error);
- }
-
-- CertReviewResponse reviewInfo = certClient.reviewRequest(requestId);
-- certClient.approveRequest(requestId, reviewInfo);
-+ CertId id = null;
-+ if (info.getRequestStatus() == RequestStatus.COMPLETE) {
-+ id = info.getCertId();
-+ } else {
-+ CertReviewResponse reviewInfo = certClient.reviewRequest(requestId);
-+ certClient.approveRequest(requestId, reviewInfo);
-
-- info = certClient.getRequest(requestId);
-- logger.info("Serial number: " + info.getCertId().toHexString());
-+ info = certClient.getRequest(requestId);
-+ id = info.getCertId();
-+ }
-
-- CertId id = info.getCertId();
-+ logger.info("Serial number: " + id.toHexString());
- BigInteger serialNumber = id.toBigInteger();
--
- return Base64.encodeBase64URLSafeString(serialNumber.toByteArray());
- }
-
----
-2.21.0
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index a5fa8e0..cf0485a 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -11,8 +11,8 @@ URL: http://www.dogtagpki.org/ License: GPLv2 and LGPLv2 Version: 10.9.0 -Release: 0.1%{?_timestamp}%{?_commit_id}%{?dist} -%global _phase -a1 +Release: 0.4%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -b2 # To create a tarball from a version tag: # $ git archive \ @@ -29,8 +29,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch Patch1: 0001-Removed-dependency-on-pytest-runner.patch -Patch2: 0002-acme-log-in-CAClient-when-submitting-certificate-req.patch -Patch3: 0003-acme-PKIIssuer-handle-immediate-issuance.patch ################################################################################ # NSS @@ -161,7 +159,7 @@ BuildRequires: gcc-c++ BuildRequires: zip BuildRequires: java-1.8.0-openjdk-devel BuildRequires: redhat-rpm-config -BuildRequires: ldapjdk >= 4.21.0 +BuildRequires: ldapjdk >= 4.22.0 BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io @@ -198,16 +196,9 @@ BuildRequires: resteasy-core >= 3.0.17-1 BuildRequires: resteasy-jackson2-provider >= 3.0.17-1 %endif -%if 0%{?rhel} -# no pylint -%else -BuildRequires: python3-pylint -BuildRequires: python3-flake8 >= 2.5.4 -BuildRequires: python3-pyflakes >= 1.2.3 -%endif - BuildRequires: python3 >= 3.5 BuildRequires: python3-devel +BuildRequires: python3-setuptools BuildRequires: python3-cryptography BuildRequires: python3-lxml BuildRequires: python3-ldap @@ -363,8 +354,8 @@ BuildArch: noarch Requires: nss >= 3.36.1 -Requires: python3-pki = %{version} -Requires(post): python3-pki = %{version} +Requires: python3-pki = %{version}-%{release} +Requires(post): python3-pki = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-symkey < %{version} 
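Review bot: The `BuildRequires: python3-setuptools` line added in the @@ -198,16 +196,9 @@ hunk, and the removal of the pylint/flake8 build dependencies just above it, carry no comment, and the changelog entries added at the end of this diff say only "Rebased". Together with the @@ -895,32 +887,6 @@ hunk, which drops the pylint and flake8 scan steps, the package build no longer lints the Python code on any distribution (the `%if 0%{?rhel}` branch already skipped it on RHEL builds). A spec comment near the python3 BuildRequires, for example `# Python lint (pylint/flake8) is no longer run during the RPM build`, would record the decision; whether the scans now run elsewhere is not visible from this diff.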
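Review bot: The `Conflicts: pki-symkey < %{version}` context line at the end of the @@ -363,8 +354,8 @@ hunk still compares on version alone, while the `Requires:` lines above it are now pinned to `%{version}-%{release}`. Version stays at 10.9.0 across the a1, b1 and b2 builds and only Release moves (0.1 to 0.4), so a version-only comparison cannot tell those builds apart and an older-release pki-symkey would presumably not conflict; consider `Conflicts: pki-symkey < %{version}-%{release}` if lockstep installation is the intent. The same pinning is applied in the @@ -389,7 +380,7 @@ through @@ -572,7 +564,7 @@ hunks, where `Provides: pki-base-python3 = %{version}` (visible in the first of those hunk headers) is likewise version-only. A one-line comment beside the pins, such as `# Subpackages must come from the same build`, would document why the release is included. The Conflicts block continues outside the hunk.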
@@ -389,7 +380,7 @@ Provides: pki-base-python3 = %{version} %{?python_provide:%python_provide python3-pki} %endif -Requires: pki-base = %{version} +Requires: pki-base = %{version}-%{release} Requires: python3 >= 3.5 Requires: python3-cryptography Requires: python3-lxml @@ -413,14 +404,15 @@ Requires: apache-commons-codec Requires: apache-commons-io Requires: apache-commons-lang Requires: apache-commons-logging +Requires: apache-commons-net Requires: jakarta-commons-httpclient Requires: glassfish-jaxb-api Requires: slf4j Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.7.0 -Requires: ldapjdk >= 4.21.0 -Requires: pki-base = %{version} +Requires: ldapjdk >= 4.22.0 +Requires: pki-base = %{version}-%{release} %if 0%{?rhel} Requires: resteasy >= 3.0.26 @@ -449,7 +441,7 @@ Summary: PKI Tools Package Requires: openldap-clients Requires: nss-tools >= 3.36.1 -Requires: pki-base-java = %{version} +Requires: pki-base-java = %{version}-%{release} Requires: p11-kit-trust # PKICertImport depends on certutil and openssl @@ -478,8 +470,8 @@ Requires: policycoreutils Requires: procps-ng Requires: openldap-clients Requires: openssl -Requires: pki-symkey = %{version} -Requires: pki-tools = %{version} +Requires: pki-symkey = %{version}-%{release} +Requires: pki-tools = %{version}-%{release} Requires: keyutils @@ -547,7 +539,7 @@ following PKI subsystems: Summary: PKI CA Package BuildArch: noarch -Requires: pki-server = %{version} +Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -572,7 +564,7 @@ where it obtains its own signing certificate from a public CA. Summary: PKI KRA Package BuildArch: noarch -Requires: pki-server = %{version} +Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units 
@@ -895,32 +887,6 @@ ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxr ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar -%if 0%{?rhel} -# no pylint -%else - -################################################################################ -echo "Scanning Python code with pylint" -################################################################################ - -%{python_executable} -I ../tools/pylint-build-scan.py rpm --prefix %{buildroot} -if [ $? -ne 0 ]; then - echo "pylint for Python 3 failed. RC: $?" - exit 1 -fi - -################################################################################ -echo "Scanning Python code with flake8" -################################################################################ - -python3-flake8 --config ../tox.ini %{buildroot} -if [ $? -ne 0 ]; then - echo "flake8 for Python 3 failed. RC: $?" - exit 1 -fi - -%endif - # with server %endif @@ -1350,6 +1316,12 @@ fi ################################################################################ %changelog +* Thu Jun 25 2020 Red Hat PKI Team 10.9.0-0.4 +- Rebased to PKI 10.9.0-b2 + +* Mon Jun 22 2020 Red Hat PKI Team 10.9.0-0.3 +- Rebased to PKI 10.9.0-b1 + * Tue May 26 2020 Red Hat PKI Team 10.9.0-0.1 - Rebased to PKI 10.9.0-a1