From 9148273bca67a967f5920516f7111ec26d5cf952 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 29 2022 17:34:44 +0000 Subject: import pki-core-10.12.0-2.module+el8.6.0+14115+8b467244 --- diff --git a/.gitignore b/.gitignore index d9c4942..102e165 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/pki-10.11.0.tar.gz +SOURCES/pki-10.12.0.tar.gz diff --git a/.pki-core.metadata b/.pki-core.metadata index e5fd7ce..78529e8 100644 --- a/.pki-core.metadata +++ b/.pki-core.metadata @@ -1 +1 @@ -f125333c7e88d7aae11f51527681018319bba19c SOURCES/pki-10.11.0.tar.gz +14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz diff --git a/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch b/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch deleted file mode 100644 index f0ec3e0..0000000 --- a/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 63cf2895f5d5a37bb09f3e889b8584b0bb0dce06 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 11 Aug 2021 09:19:59 -0700 -Subject: [PATCH] Bug 1992337 - Double issuance of non-CA subsystem certs at - installation - -This patch removes an extra profile.submit() call that was accidentally left -off during manual cherry-picking of another bug (1905374): -commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH) - -fixes https://bugzilla.redhat.com/show_bug.cgi?id=1905374 ---- - .../main/java/com/netscape/cms/servlet/cert/CertProcessor.java | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java -index a5626d032..849d6b368 100644 ---- a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java -+++ b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java -@@ -250,7 +250,6 @@ public class CertProcessor extends CAProcessor { - - logger.info("CertProcessor: Submitting certificate request to " + profile.getId() + " profile"); - -- profile.submit(authToken, req); - profile.submit(authToken, req, explicitApprovalRequired); - - req.setRequestStatus(RequestStatus.COMPLETE); --- -2.31.1 - diff --git a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch new file mode 100644 index 0000000..065a9d9 --- /dev/null +++ b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch @@ -0,0 +1,332 @@ +From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 25 Jan 2022 16:29:53 -0600 +Subject: [PATCH] Fix pki-healthcheck for clones + +Previously the ClonesConnectivyAndDataCheck.check_kra_clones() +was trying to check KRA clone status by retrieving a key using +the subsystem cert. This operation did not work since the user +associated with the cert did not have access to the keys. The +code has been changed to get the status from GetStatus service +instead. The original code might be moved into IPA later so it +could run with IPA's RA agent credentials which would allow +access to the keys. + +Previously the ClonesPlugin.contact_subsystem_using_sslget() +used sslget to call GetStatus service and returned the entire +output which was then incorrectly processed in XML format. The +method has been renamed to get_status() and changed to use +PKIConnection and process the response in either JSON or XML +format, then only return the subsystem status. All callers +have been updated accordingly. + +The ClonesPlugin.contact_subsystem_using_pki() is no longer +used so it has been removed. +--- + .../clones/connectivity_and_data.py | 130 ++++++++---------- + .../pki/server/healthcheck/clones/plugin.py | 75 ++++------ + base/server/python/pki/server/__init__.py | 8 +- + 3 files changed, 91 insertions(+), 122 deletions(-) + +diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py +index ca5d6dae48..d9bb480f7f 100644 +--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py ++++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py +@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin): + + def check_kra_clones(self): + for host in self.clone_kras: +- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort +- # Reach out and get some keys or requests , to serve as a data and connectivity check ++ ++ url = 'https://' + host.Hostname + ':' + host.SecurePort ++ + try: +- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName') +- +- output = self.contact_subsystem_using_pki( +- host.SecurePort, host.Hostname, client_nick, +- self.passwd, self.db_dir, 'kra-key-show', ['0x01']) +- +- # check to see if we either got a key or a key not found exception +- # of which either will imply a successful connection +- if output is not None: +- key_found = output.find('Key ID:') +- key_not_found = output.find('KeyNotFoundException:') +- if key_found >= 0: +- logger.info('Key material found from kra clone.') +- +- if key_not_found >= 0: +- logger.info('key not found, possibly empty kra') +- +- if key_not_found == -1 and key_found == -1: +- logger.info('Failure to get key material from kra') +- raise BaseException('KRA clone problem detected ' + cur_clone_msg) +- else: +- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg) ++ status = self.get_status( ++ host.Hostname, ++ host.SecurePort, ++ '/kra/admin/kra/getStatus') + +- except BaseException as e: +- logger.error("Internal error testing KRA clone. %s", e) +- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg) ++ logger.info('KRA at %s is %s', url, status) + +- return ++ if status != 'running': ++ raise Exception('KRA at %s is %s' % (url, status)) ++ ++ except Exception as e: ++ logger.error('Unable to reach KRA at %s: %s', url, e) ++ raise Exception('Unable to reach KRA at %s: %s' % (url, e)) + + def check_ocsp_clones(self): + for host in self.clone_ocsps: +- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort +- # Reach out to the ocsp clones ++ ++ url = 'https://' + host.Hostname + ':' + host.SecurePort ++ + try: +- output = self.contact_subsystem_using_sslget( +- host.SecurePort, host.Hostname, None, +- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus') +- +- good_status = output.find('1') +- if good_status == -1: +- raise BaseException('OCSP clone problem detected.' + cur_clone_msg) +- logger.info('good_status %s ', good_status) +- except BaseException as e: +- logger.error("Internal error testing OCSP clone. %s", e) +- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg) ++ status = self.get_status( ++ host.Hostname, ++ host.SecurePort, ++ '/ocsp/admin/ocsp/getStatus') + +- return ++ logger.info('OCSP at %s is %s', url, status) ++ ++ if status != 'running': ++ raise Exception('OCSP at %s is %s' % (url, status)) ++ ++ except Exception as e: ++ logger.error('Unable to reach OCSP at %s: %s', url, e) ++ raise Exception('Unable to reach OCSP at %s: %s' % (url, e)) + + def check_tks_clones(self): + for host in self.clone_tkss: +- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort +- # Reach out to the tks clones ++ ++ url = 'https://' + host.Hostname + ':' + host.SecurePort ++ + try: +- output = self.contact_subsystem_using_sslget( +- host.SecurePort, host.Hostname, None, +- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus') +- +- good_status = output.find('1') +- if good_status == -1: +- raise BaseException('TKS clone problem detected.' + cur_clone_msg) +- logger.info('good_status %s ', good_status) +- except BaseException as e: +- logger.error("Internal error testing TKS clone. %s", e) +- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg) ++ status = self.get_status( ++ host.Hostname, ++ host.SecurePort, ++ '/tks/admin/tks/getStatus') + +- return ++ logger.info('TKS at %s is %s', url, status) ++ ++ if status != 'running': ++ raise Exception('TKS at %s is %s' % (url, status)) ++ ++ except Exception as e: ++ logger.error('Unable to reach TKS at %s: %s', url, e) ++ raise Exception('Unable to reach TKS at %s: %s' % (url, e)) + + def check_tps_clones(self): + for host in self.clone_tpss: +- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort +- # Reach out to the tps clones ++ ++ url = 'https://' + host.Hostname + ':' + host.SecurePort ++ + try: +- output = self.contact_subsystem_using_sslget( +- host.SecurePort, host.Hostname, None, +- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus') +- +- good_status = output.find('1') +- if good_status == -1: +- raise BaseException('TPS clone problem detected.' + cur_clone_msg) +- logger.info('good_status %s ', good_status) +- except BaseException as e: +- logger.error("Internal error testing TPS clone. %s", e) +- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg) +- return ++ status = self.get_status( ++ host.Hostname, ++ host.SecurePort, ++ '/tps/admin/tps/getStatus') ++ ++ logger.info('TPS at %s is %s', url, status) ++ ++ if status != 'running': ++ raise Exception('TPS at %s is %s' % (url, status)) ++ ++ except Exception as e: ++ logger.error('Unable to reach TPS at %s: %s', url, e) ++ raise Exception('Unable to reach TPS at %s: %s' % (url, e)) + + @duration + def check(self): +diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py +index 2472f35b5b..824c36a1a9 100644 +--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py ++++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py +@@ -6,6 +6,10 @@ + # SPDX-License-Identifier: GPL-2.0-or-later + # + ++import json ++import logging ++import xml.etree.ElementTree as ET ++ + from ipahealthcheck.core.plugin import Plugin, Registry + from pki.server.instance import PKIInstance + from pki.client import PKIConnection +@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient + + from pki.server.healthcheck.core.main import merge_dogtag_config + +-import logging +-import subprocess +- + logger = logging.getLogger(__name__) + + # Temporary workaround to skip VERBOSE data. Fix already pushed to upstream +@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin): + + self.instance = PKIInstance(self.config.instance_name) + +- def contact_subsystem_using_pki( +- self, subport, subhost, subsystemnick, +- token_pwd, db_path, cmd, exts=None): +- command = ["/usr/bin/pki", +- "-p", str(subport), +- "-h", subhost, +- "-n", subsystemnick, +- "-P", "https", +- "-d", db_path, +- "-c", token_pwd, +- cmd] +- +- if exts is not None: +- command.extend(exts) +- +- output = None +- try: +- output = subprocess.check_output(command, stderr=subprocess.STDOUT) +- except subprocess.CalledProcessError as e: +- output = e.output.decode('utf-8') +- return output ++ def get_status(self, host, port, path): + +- output = output.decode('utf-8') ++ self.instance.export_ca_cert() + +- return output ++ connection = PKIConnection( ++ protocol='https', ++ hostname=host, ++ port=port, ++ cert_paths=self.instance.ca_cert) + +- def contact_subsystem_using_sslget( +- self, port, host, subsystemnick, +- token_pwd, db_path, params, url): ++ response = connection.get(path) + +- command = ["/usr/bin/sslget"] ++ content_type = response.headers['Content-Type'] ++ content = response.text ++ logger.info('Content:\n%s', content) + +- if subsystemnick is not None: +- command.extend(["-n", subsystemnick]) ++ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service ++ if content_type == 'application/json': ++ json_response = json.loads(content) ++ status = json_response['Response']['Status'] + +- command.extend(["-p", token_pwd, "-d", db_path]) +- +- if params is not None: +- command.extend(["-e", params]) +- +- command.extend([ +- "-r", url, host + ":" + port]) +- +- logger.info(' command : %s ', command) +- output = None +- try: +- output = subprocess.check_output(command, stderr=subprocess.STDOUT) +- except subprocess.CalledProcessError as e: +- output = e.output.decode('utf-8') +- return output ++ elif content_type == 'application/xml': ++ root = ET.fromstring(content) ++ status = root.findtext('Status') + +- output = output.decode('utf-8') ++ else: ++ raise Exception('Unsupported content-type: %s' % content_type) + +- return output ++ logger.info('Status: %s', status) ++ return status + + def get_security_domain_data(self, host, port): + domain_data = None +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 4fbb74684b..0515bbb197 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -241,6 +241,10 @@ class PKIServer(object): + def jss_conf(self): + return os.path.join(self.conf_dir, 'jss.conf') + ++ @property ++ def ca_cert(self): ++ return os.path.join(self.nssdb_dir, 'ca.crt') ++ + def is_valid(self): + return self.exists() + +@@ -259,8 +263,6 @@ class PKIServer(object): + + def export_ca_cert(self): + +- ca_path = os.path.join(self.nssdb_dir, 'ca.crt') +- + token = pki.nssdb.INTERNAL_TOKEN_NAME + nickname = self.get_sslserver_cert_nickname() + +@@ -272,7 +274,7 @@ class PKIServer(object): + nssdb = self.open_nssdb(token=token) + + try: +- nssdb.extract_ca_cert(ca_path, nickname) ++ nssdb.extract_ca_cert(self.ca_cert, nickname) + finally: + nssdb.close() + +-- +2.33.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 0664616..de5664f 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -12,10 +12,11 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 10.11.0 +Version: 10.12.0 Release: 2%{?_timestamp}%{?_commit_id}%{?dist} #global _phase -alpha1 + # To create a tarball from a version tag: # $ git archive \ # --format=tar.gz \ @@ -30,7 +31,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # \ # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch1: 0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch + +Patch: 0001-Fix-pki-healthcheck-for-clones.patch # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) @@ -356,6 +358,9 @@ symmetric key operations to Java programs. Summary: PKI Base Package BuildArch: noarch +Obsoletes: pki-base < %{version}-%{release} +Provides: pki-base = %{version}-%{release} + Requires: nss >= 3.36.1 Requires: python3-pki = %{version}-%{release} @@ -380,6 +385,7 @@ BuildArch: noarch Obsoletes: pki-base-python3 < %{version} Provides: pki-base-python3 = %{version}-%{release} + %if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} %endif @@ -405,6 +411,9 @@ This package contains PKI client library for Python 3. Summary: PKI Base Java Package BuildArch: noarch +Obsoletes: pki-base-java < %{version}-%{release} +Provides: pki-base-java = %{version}-%{release} + Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec @@ -473,6 +482,9 @@ Certificate System into a more complete and robust PKI solution. Summary: PKI Server Package BuildArch: noarch +Obsoletes: pki-server < %{version}-%{release} +Provides: pki-server = %{version}-%{release} + Requires: hostname Requires: policycoreutils @@ -726,6 +738,9 @@ smart card. Summary: PKI Javadoc Package BuildArch: noarch +Obsoletes: pki-javadoc < %{version}-%{release} +Provides: pki-javadoc = %{version}-%{release} + # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-symkey < %{version} @@ -746,6 +761,9 @@ This package contains PKI API documentation. Summary: PKI Console Package BuildArch: noarch +Obsoletes: pki-console < %{version}-%{release} +Provides: pki-console = %{version}-%{release} + BuildRequires: idm-console-framework >= 1.2.0 Requires: idm-console-framework >= 1.2.0 @@ -766,6 +784,7 @@ The PKI Console is a Java application used to administer PKI server. Summary: %{brand} PKI Server Theme Package BuildArch: noarch +Obsoletes: pki-server-theme < %{version}-%{release} Provides: pki-server-theme = %{version}-%{release} # Ensure we end up with a useful installation @@ -785,6 +804,7 @@ This PKI Server Theme Package contains Summary: %{brand} PKI Console Theme Package BuildArch: noarch +Obsoletes: pki-console-theme < %{version}-%{release} Provides: pki-console-theme = %{version}-%{release} # Ensure we end up with a useful installation @@ -1091,6 +1111,7 @@ fi %license base/tools/LICENSE %doc base/tools/doc/README %{_bindir}/p7tool +%{_bindir}/p12tool %{_bindir}/pistool %{_bindir}/pki %{_bindir}/revoker @@ -1362,6 +1383,17 @@ fi ################################################################################ %changelog +* Thu Feb 03 2022 Red Hat PKI Team 10.12.0-2 +- Bug 2027470 - pki-healthcheck ClonesConnectivyAndDataCheck fails + +* Tue Nov 09 2021 Red Hat PKI Team 10.12.0-0.1 +- Rebase to PKI 10.12.0 +- Bug 1904112 - pki fails to start if empty dir /var/lib/pki/pki-tomcat/kra exists +- Bug 1984455 - [RFE] Date Format on the TPS Agent Page +- Bug 1980378 - 'keyctl_search: Required key not available' message when running 'ipa-healthcheck' +- Bug 2004084 - Reinstall of the same ipa-replica fails with 'RuntimeError: CA configuration failed.' +- Bug 2006070 - Upgrades incorrectly add secret attribute to connectors + * Thu Aug 12 2021 Red Hat PKI Team 10.11.0-2 - Bug 1992337 - Double issuance of non-CA subsystem certs at installation