From efcdb25fbce54c1efbb4924ed496b6fbdd9a9df3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 19 2015 15:52:01 +0000 Subject: import pki-core-10.2.5-6.el7 --- diff --git a/.gitignore b/.gitignore index db47ce7..a8dc0a4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/pki-core-10.1.2.tar.gz +SOURCES/pki-core-10.2.5.tar.gz diff --git a/.pki-core.metadata b/.pki-core.metadata index cdcdca8..9993b27 100644 --- a/.pki-core.metadata +++ b/.pki-core.metadata @@ -1 +1 @@ -b0d1914fa03a09f341d30e5b1c0a178583174419 SOURCES/pki-core-10.1.2.tar.gz +05b09ee5181a3bcd7cc8bf23598fc65de3815ba7 SOURCES/pki-core-10.2.5.tar.gz diff --git a/SOURCES/pki-core-10.1.2-bz1151147.patch b/SOURCES/pki-core-10.1.2-bz1151147.patch deleted file mode 100644 index 0585660..0000000 --- a/SOURCES/pki-core-10.1.2-bz1151147.patch +++ /dev/null @@ -1,308 +0,0 @@ -From a8fe431dc77f03a8237ec0820c02c542762ecb9f Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 15 Oct 2014 10:30:31 -0700 -Subject: [PATCH] Bug1151147 issuerDN encoding correction - ---- - base/ca/src/com/netscape/ca/CAService.java | 13 ++++++-- - .../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++- - .../netscape/certsrv/ca/ICertificateAuthority.java | 5 +++ - .../netscape/cms/profile/common/EnrollProfile.java | 16 +++++++-- - .../com/netscape/cms/servlet/csadmin/CertUtil.java | 16 +++++++-- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 18 ++++++++-- - .../src/netscape/security/x509/X509CertImpl.java | 8 +++++ - .../src/netscape/security/x509/X509CertInfo.java | 8 +++++ - 8 files changed, 114 insertions(+), 9 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java -index 1977850..6edaf2a 100644 ---- a/base/ca/src/com/netscape/ca/CAService.java -+++ b/base/ca/src/com/netscape/ca/CAService.java -@@ -821,8 +821,17 @@ public class CAService implements ICAService, IService { - } - - try { -- certi.set(X509CertInfo.ISSUER, -- new CertificateIssuerName(mCA.getX500Name())); -+ if (mCA.getIssuerObj() != null) { -+ // this ensures the isserDN has the same encoding as the -+ // subjectDN of the CA signing cert -+ CMS.debug("CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding"); -+ certi.set(X509CertInfo.ISSUER, -+ mCA.getIssuerObj()); -+ } else { -+ CMS.debug("CAService: issueX509Cert: mCA.getIssuerObj() is null, creating new CertificateIssuerName"); -+ certi.set(X509CertInfo.ISSUER, -+ new CertificateIssuerName(mCA.getX500Name())); -+ } - } catch (CertificateException e) { - mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); -diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java -index 73ce6df..6529611 100644 ---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java -+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java -@@ -43,6 +43,8 @@ import netscape.security.util.DerOutputStream; - import netscape.security.util.DerValue; - import netscape.security.x509.AlgorithmId; - import netscape.security.x509.CertificateChain; -+import netscape.security.x509.CertificateIssuerName; -+import netscape.security.x509.CertificateSubjectName; - import netscape.security.x509.CertificateVersion; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CRLImpl; -@@ -143,6 +145,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori - protected SigningUnit mOCSPSigningUnit; - protected SigningUnit mCRLSigningUnit; - -+ protected CertificateIssuerName mIssuerObj = null; -+ protected CertificateSubjectName mSubjectObj = null; - protected X500Name mName = null; - protected X500Name mCRLName = null; - protected X500Name mOCSPName = null; -@@ -888,6 +892,14 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori - return mName; - } - -+ public CertificateIssuerName getIssuerObj() { -+ return mIssuerObj; -+ } -+ -+ public CertificateSubjectName getSubjectObj() { -+ return mSubjectObj; -+ } -+ - public X500Name getCRLX500Name() { - return mCRLName; - } -@@ -1199,6 +1211,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori - IConfigStore caSigningCfg = - mConfig.getSubStore(PROP_SIGNING_SUBSTORE); - -+ String caSigningCertStr = caSigningCfg.getString("cert", ""); -+ if (caSigningCertStr.equals("")) { -+ CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found"); -+ } else { //ca cert found -+ CMS.debug("CertificateAuthority:initSigUnit: ca cert found"); -+ mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr)); -+ // this ensures the isserDN and subjectDN have the same encoding -+ // as that of the CA signing cert -+ CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj"); -+ mSubjectObj = mCaCert.getSubjectObj(); -+ // this mIssuerObj is the "issuerDN" obj for the certs this CA -+ // issues, NOT necessarily the isserDN obj of the CA signing cert -+ mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); -+ } -+ - mSigningUnit.init(this, caSigningCfg); - CMS.debug("CA signing unit inited"); - -@@ -1295,11 +1322,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori - } - mOCSPCertChain = new CertificateChain(ocspImplchain); - CMS.debug("in init - got OCSP chain from JSS."); -- // init issuer name - take name from the cert. - - mCaX509Cert = mSigningUnit.getCert(); - mCaCert = new X509CertImpl(mCaX509Cert.getEncoded()); - getCASigningAlgorithms(); -+ mSubjectObj = mCaCert.getSubjectObj(); -+ if (mSubjectObj != null) { -+ // this ensures the isserDN and subjectDN have the same encoding -+ // as that of the CA signing cert -+ CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj"); -+ // this mIssuerObj is the "issuerDN" obj for the certs this CA -+ // issues, NOT necessarily the isserDN obj of the CA signing cert -+ // unless the CA is self-signed -+ mIssuerObj = -+ new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); -+ } - mName = (X500Name) mCaCert.getSubjectDN(); - - mCRLX509Cert = mCRLSigningUnit.getCert(); -diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java -index 39f336b..f87f154 100644 ---- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java -+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java -@@ -23,6 +23,8 @@ import java.util.Map; - import javax.servlet.http.HttpServletRequest; - - import netscape.security.x509.CertificateChain; -+import netscape.security.x509.CertificateIssuerName; -+import netscape.security.x509.CertificateSubjectName; - import netscape.security.x509.CertificateVersion; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CRLImpl; -@@ -510,4 +512,7 @@ public interface ICertificateAuthority extends ISubsystem { - * @return processed times for OCSP requests - */ - public long getOCSPTotalData(); -+ -+ public CertificateIssuerName getIssuerObj(); -+ public CertificateSubjectName getSubjectObj(); - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index ca665ba..9e89e69 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -88,6 +88,7 @@ import com.netscape.certsrv.authority.IAuthority; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.EPropertyNotFound; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.EDeferException; - import com.netscape.certsrv.profile.EProfileException; -@@ -220,8 +221,19 @@ public abstract class EnrollProfile extends BasicProfile - new CertificateVersion(CertificateVersion.V3)); - info.set(X509CertInfo.SERIAL_NUMBER, - new CertificateSerialNumber(new BigInteger("0"))); -- info.set(X509CertInfo.ISSUER, -- new CertificateIssuerName(issuerName)); -+ ICertificateAuthority authority = -+ (ICertificateAuthority) getAuthority(); -+ if (authority.getIssuerObj() != null) { -+ // this ensures the isserDN has the same encoding as the -+ // subjectDN of the CA signing cert -+ CMS.debug("EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding"); -+ info.set(X509CertInfo.ISSUER, -+ authority.getIssuerObj()); -+ } else { -+ CMS.debug("EnrollProfile: setDefaultCertInfo: authority.getIssuerObj() is null, creating new CertificateIssuerName"); -+ info.set(X509CertInfo.ISSUER, -+ new CertificateIssuerName(issuerName)); -+ } - info.set(X509CertInfo.KEY, - new CertificateX509Key(X509Key.parse(new DerValue(dummykey)))); - info.set(X509CertInfo.SUBJECT, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -index ede632e..22f0929 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse; - - import netscape.security.pkcs.PKCS10; - import netscape.security.x509.CertificateExtensions; -+import netscape.security.x509.CertificateIssuerName; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CertImpl; - import netscape.security.x509.X509CertInfo; -@@ -390,6 +391,7 @@ public class CertUtil { - cr = ca.getCertificateRepository(); - BigInteger serialNo = cr.getNextSerialNumber(); - if (type.equals("selfsign")) { -+ CMS.debug("Creating local certificate... selfsign cert"); - CMS.debug("Creating local certificate... issuerdn=" + dn); - CMS.debug("Creating local certificate... dn=" + dn); - info = CryptoUtil.createX509CertInfo(x509key, serialNo, dn, dn, date, date, keyAlgorithm); -@@ -397,8 +399,18 @@ public class CertUtil { - String issuerdn = config.getString("preop.cert.signing.dn", ""); - CMS.debug("Creating local certificate... issuerdn=" + issuerdn); - CMS.debug("Creating local certificate... dn=" + dn); -- -- info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); -+ if (ca.getIssuerObj() != null) { -+ // this ensures the isserDN has the same encoding as the -+ // subjectDN of the CA signing cert -+ CMS.debug("Creating local certificate... setting issuerDN using exact CA signing cert subjectDN encoding"); -+ CertificateIssuerName issuerdnObj = -+ ca.getIssuerObj(); -+ -+ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdnObj, dn, date, date, keyAlgorithm); -+ } else { -+ CMS.debug("Creating local certificate... ca.getIssuerObj() is null, creating new CertificateIssuerName"); -+ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); -+ } - } - CMS.debug("Cert Template: " + info.toString()); - -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 5e8e323..c87ebb1 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -1050,14 +1050,28 @@ public class CryptoUtil { - CertificateException, - InvalidKeyException, - NoSuchAlgorithmException { -+ CertificateIssuerName issuernameObj = -+ new CertificateIssuerName(new X500Name(issuername)); -+ return createX509CertInfo(x509key, serialno, issuernameObj, subjname, notBefore, notAfter, alg); -+ } -+ -+ public static X509CertInfo createX509CertInfo(X509Key x509key, -+ BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, -+ Date notBefore, Date notAfter, String alg) -+ throws IOException, -+ CertificateException, -+ InvalidKeyException, -+ NoSuchAlgorithmException { - X509CertInfo info = new X509CertInfo(); - - info.set(X509CertInfo.VERSION, new - CertificateVersion(CertificateVersion.V3)); - info.set(X509CertInfo.SERIAL_NUMBER, new - CertificateSerialNumber(serialno)); -- info.set(X509CertInfo.ISSUER, new -- CertificateIssuerName(new X500Name(issuername))); -+ if (issuernameObj != null) { -+ info.set(X509CertInfo.ISSUER, -+ issuernameObj); -+ } - info.set(X509CertInfo.SUBJECT, new - CertificateSubjectName(new X500Name(subjname))); - info.set(X509CertInfo.VALIDITY, new -diff --git a/base/util/src/netscape/security/x509/X509CertImpl.java b/base/util/src/netscape/security/x509/X509CertImpl.java -index 111cd3b..a021ee1 100755 ---- a/base/util/src/netscape/security/x509/X509CertImpl.java -+++ b/base/util/src/netscape/security/x509/X509CertImpl.java -@@ -725,6 +725,10 @@ public class X509CertImpl extends X509Certificate - } - } - -+ public CertificateSubjectName getSubjectObj() { -+ return info.getSubjectObj(); -+ } -+ - /** - * Gets the issuer distinguished name from the certificate. - * -@@ -743,6 +747,10 @@ public class X509CertImpl extends X509Certificate - } - } - -+ public CertificateIssuerName getIssuerObj() { -+ return info.getIssuerObj(); -+ } -+ - /** - * Gets the notBefore date from the validity period of the certificate. - * -diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java -index 2ad17eb..29757ec 100644 ---- a/base/util/src/netscape/security/x509/X509CertInfo.java -+++ b/base/util/src/netscape/security/x509/X509CertInfo.java -@@ -873,6 +873,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { - issuer = (CertificateIssuerName) val; - } - -+ public CertificateIssuerName getIssuerObj() { -+ return issuer; -+ } -+ - /** - * Set the validity interval of the certificate. - * -@@ -901,6 +905,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { - subject = (CertificateSubjectName) val; - } - -+ public CertificateSubjectName getSubjectObj() { -+ return subject; -+ } -+ - /** - * Set the public key in the certificate. - * --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.1.2-bz1155654.patch b/SOURCES/pki-core-10.1.2-bz1155654.patch deleted file mode 100644 index df7bfed..0000000 --- a/SOURCES/pki-core-10.1.2-bz1155654.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 43de35ee65f5097abafb898210e7921a4a7d7665 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Thu, 13 Nov 2014 14:14:56 -0700 -Subject: [PATCH] Check for null values in GetConfigEntries - -* Bugzilla Bug #1155654 - Replica install fails when using --setup-ca option - (AKA - PKI TRAC Ticket #1142 - NPE in getconfigEntries when internaldb - password is removed from master) ---- - .../com/netscape/cms/servlet/csadmin/GetConfigEntries.java | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java -index ee013ef..dcb8bdf 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java -@@ -180,9 +180,11 @@ public class GetConfigEntries extends CMSServlet { - continue; - } - -- Node container = xmlObj.createContainer(root, "Config"); -- xmlObj.addItemToContainer(container, "name", name); -- xmlObj.addItemToContainer(container, "value", value); -+ if (value != null) { -+ Node container = xmlObj.createContainer(root, "Config"); -+ xmlObj.addItemToContainer(container, "name", name); -+ xmlObj.addItemToContainer(container, "value", value); -+ } - } - } - -@@ -192,7 +194,8 @@ public class GetConfigEntries extends CMSServlet { - - outputResult(httpResp, "application/xml", cb); - } catch (Exception e) { -- CMS.debug("Failed to send the XML output"); -+ CMS.debug("Failed to send the XML output: " + e); -+ e.printStackTrace(); - } - } - --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.1.2-bz1158410.patch b/SOURCES/pki-core-10.1.2-bz1158410.patch deleted file mode 100644 index 9251af1..0000000 --- a/SOURCES/pki-core-10.1.2-bz1158410.patch +++ /dev/null @@ -1,240 +0,0 @@ -From 02eb00b312539f455d13b8a282cc523e11f2715e Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 12 Nov 2014 15:29:04 -0800 -Subject: [PATCH] Bug 1158410 add TLS range support to server.xml by default - and upgrade - ---- - base/server/config/pkislots.cfg | 3 + - .../python/pki/server/deployment/pkiparser.py | 43 ++++++++- - base/server/share/conf/server.xml | 8 +- - base/server/upgrade/10.1.2/.gitignore | 4 - - base/server/upgrade/10.1.2/01-AddTLSRangeSupport | 102 +++++++++++++++++++++ - 5 files changed, 153 insertions(+), 7 deletions(-) - delete mode 100644 base/server/upgrade/10.1.2/.gitignore - create mode 100755 base/server/upgrade/10.1.2/01-AddTLSRangeSupport - -diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg -index ce1ac78..ffcef2d 100644 ---- a/base/server/config/pkislots.cfg -+++ b/base/server/config/pkislots.cfg -@@ -101,4 +101,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS] - TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS] - TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS] - TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS] -+TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM] -+TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM] -+TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS] - TPS_DIR_SLOT=[TPS_DIR] -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index df636d4..2d7fadc 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -899,6 +899,45 @@ class PKIConfigParser: - "/var/run/pki/tomcat/" + self.pki_master_dict['pki_instance_name'] + ".pid" - self.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] = \ - self.pki_master_dict['pki_tomcat_server_port'] -+ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \ -+ "tls1_0:tls1_2" -+ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ -+ "tls1_1:tls1_2" -+ self.pki_master_dict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ -+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ -+ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ -+ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ -+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ -+ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ -+ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ -+ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ -+ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ -+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ -+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ -+ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ -+ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ -+ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ -+ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" - self.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ - "-SSL2_RC4_128_WITH_MD5," + \ - "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ -@@ -922,8 +961,8 @@ class PKIConfigParser: - "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - self.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] = \ -- "ssl2=true," + \ -- "ssl3=true," + \ -+ "ssl2=false," + \ -+ "ssl3=false," + \ - "tls=true" - self.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] = \ - "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ -diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml -index 8fbdf0f..306ebf2 100644 ---- a/base/server/share/conf/server.xml -+++ b/base/server/share/conf/server.xml -@@ -142,6 +142,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - 'ssl2Ciphers' - 'ssl3Ciphers' - 'tlsCiphers' -+ 'sslVersionRangeStream' -+ 'sslVersionRangeDatagram' -+ 'sslRangeCiphers' - 'serverCertNickFile' - 'passwordFile' - 'passwordClass' -@@ -184,12 +187,15 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - ocspMinCacheEntryDuration="60" - ocspMaxCacheEntryDuration="120" - ocspTimeout="10" -- strictCiphers="false" -+ strictCiphers="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" - sslOptions="[TOMCAT_SSL_OPTIONS]" - ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" - ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" - tlsCiphers="[TOMCAT_TLS_CIPHERS]" -+ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" -+ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" -+ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" -diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore -deleted file mode 100644 -index 5e7d273..0000000 ---- a/base/server/upgrade/10.1.2/.gitignore -+++ /dev/null -@@ -1,4 +0,0 @@ --# Ignore everything in this directory --* --# Except this file --!.gitignore -diff --git a/base/server/upgrade/10.1.2/01-AddTLSRangeSupport b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport -new file mode 100755 -index 0000000..b5b83f4 ---- /dev/null -+++ b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport -@@ -0,0 +1,102 @@ -+#!/usr/bin/python -+# Authors: -+# Christina Fu -+# Endi S. Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2014 Red Hat, Inc. -+# All rights reserved. -+# -+ -+import os -+from lxml import etree -+ -+import pki.server.upgrade -+ -+ -+class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet): -+ -+ def __init__(self): -+ -+ self.message = 'Add TLS Range Support' -+ -+ self.parser = etree.XMLParser(remove_blank_text=True) -+ -+ -+ def upgrade_instance(self, instance): -+ -+ server_xml = os.path.join(instance.conf_dir, 'server.xml') -+ #Backup the file before modify -+ self.backup(server_xml) -+ #Parse the server.xml into an XML object -+ document = etree.parse(server_xml, self.parser) -+ #perform the upgrade in memory -+ self.add_tls_range(document) -+ #Once all changes are made, write the XML back into the same server.xml -+ #This way we're preserving any other customization that has been done -+ # to the server.xml -+ with open(server_xml, 'w') as f: -+ f.write(etree.tostring(document, pretty_print=True)) -+ -+ def add_tls_range(self, document): -+ -+ # Find existing Connector -+ server = document.getroot() -+ connectors = server.findall('.//Connector') -+ -+ for connector in connectors: -+ -+ secure = connector.get('secure') -+ if secure == 'true': -+ # Update Connector's attributes -+ connector.set('strictCiphers', 'true') -+ connector.set('sslVersionRangeStream', 'tls1_0:tls1_2') -+ connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2') -+ connector.set('sslRangeCiphers', -+ '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \ -+ '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \ -+ '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \ -+ '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_RSA_WITH_AES_128_CBC_SHA,' \ -+ '+TLS_RSA_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \ -+ '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \ -+ '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \ -+ '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \ -+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \ -+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \ -+ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \ -+ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \ -+ '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \ -+ '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \ -+ '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \ -+ '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \ -+ '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \ -+ '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256') -+ - - diff --git a/SOURCES/pki-core-10.1.2-bz1165351-2.patch b/SOURCES/pki-core-10.1.2-bz1165351-2.patch deleted file mode 100644 index 6fda15e..0000000 --- a/SOURCES/pki-core-10.1.2-bz1165351-2.patch +++ /dev/null @@ -1,77 +0,0 @@ -From b88754da750bc87fe9ae99d0571fc4432d87f8d3 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Wed, 26 Nov 2014 11:19:41 -0700 -Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic (revised) - -* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages - not found - fixed shell tests ---- - base/java-tools/templates/pki_java_command_wrapper.in | 4 +--- - base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 +--- - base/java-tools/templates/pretty_print_crl_command_wrapper.in | 4 +--- - base/server/scripts/operations | 4 +--- - 4 files changed, 4 insertions(+), 12 deletions(-) - -diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in -index e9bea58..2c13d66 100644 ---- a/base/java-tools/templates/pki_java_command_wrapper.in -+++ b/base/java-tools/templates/pki_java_command_wrapper.in -@@ -125,9 +125,7 @@ fi - ## order this command wrapper uses to find jar files. ## - ############################################################################### - --JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` --# Override JNI_JAR_DIR using a user-defined value if one exists --JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` -+JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - CP=/usr/share/java/commons-codec.jar:${CP} - CP=/usr/share/java/ldapjdk.jar:${CP} -diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -index 0c15184..cd4888a 100644 ---- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -@@ -125,9 +125,7 @@ fi - ## order this command wrapper uses to find jar files. ## - ############################################################################### - --JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` --# Override JNI_JAR_DIR using a user-defined value if one exists --JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` -+JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - CP=/usr/share/java/commons-codec.jar:${CP} - CP=/usr/share/java/ldapjdk.jar:${CP} -diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -index 02e223c..3596fae 100644 ---- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -@@ -125,9 +125,7 @@ fi - ## order this command wrapper uses to find jar files. ## - ############################################################################### - --JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` --# Override JNI_JAR_DIR using a user-defined value if one exists --JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` -+JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - - CP=/usr/share/java/commons-codec.jar:${CP} -diff --git a/base/server/scripts/operations b/base/server/scripts/operations -index e89f1f6..92d01c3 100644 ---- a/base/server/scripts/operations -+++ b/base/server/scripts/operations -@@ -1059,9 +1059,7 @@ verify_symlinks() - declare -A systemd_symlinks - - # Dogtag 10 Conditional Variables -- jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` -- # Override jni_jar_dir using a user-defined value if one exists -- jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` -+ jni_jar_dir=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - - # Dogtag 10 Symbolic Link Target Variables - java_dir="/usr/share/java" --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.1.2-bz1165351.patch b/SOURCES/pki-core-10.1.2-bz1165351.patch deleted file mode 100644 index ee8270f..0000000 --- a/SOURCES/pki-core-10.1.2-bz1165351.patch +++ /dev/null @@ -1,91 +0,0 @@ -From d3b2f55279c540f70d468cd969a4ae16d0f2fbb3 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Wed, 19 Nov 2014 14:57:43 -0700 -Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic - -* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not - found ---- - base/common/share/etc/pki.conf | 2 +- - base/java-tools/templates/pki_java_command_wrapper.in | 2 ++ - .../templates/pretty_print_cert_command_wrapper.in | 2 ++ - .../templates/pretty_print_crl_command_wrapper.in | 2 ++ - base/server/python/pki/server/deployment/pkiparser.py | 3 ++- - base/server/scripts/operations | 2 ++ - 6 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf -index f352344..a43d1d6 100644 ---- a/base/common/share/etc/pki.conf -+++ b/base/common/share/etc/pki.conf -@@ -1,2 +1,2 @@ - # JNI jar file location --JNI_JAR_DIR=${JNI_JAR_DIR} -+JNI_JAR_DIR=/usr/lib/java -diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in -index e9ff005..e9bea58 100644 ---- a/base/java-tools/templates/pki_java_command_wrapper.in -+++ b/base/java-tools/templates/pki_java_command_wrapper.in -@@ -126,6 +126,8 @@ fi - ############################################################################### - - JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` -+# Override JNI_JAR_DIR using a user-defined value if one exists -+JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - CP=/usr/share/java/commons-codec.jar:${CP} - CP=/usr/share/java/ldapjdk.jar:${CP} -diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -index 811935e..0c15184 100644 ---- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -@@ -126,6 +126,8 @@ fi - ############################################################################### - - JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` -+# Override JNI_JAR_DIR using a user-defined value if one exists -+JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - CP=/usr/share/java/commons-codec.jar:${CP} - CP=/usr/share/java/ldapjdk.jar:${CP} -diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -index e70b9ab..02e223c 100644 ---- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -@@ -126,6 +126,8 @@ fi - ############################################################################### - - JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` -+# Override JNI_JAR_DIR using a user-defined value if one exists -+JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - CP=${JNI_JAR_DIR}/jss4.jar - - CP=/usr/share/java/commons-codec.jar:${CP} -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index df636d4..971cb45 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -170,7 +170,8 @@ class PKIConfigParser: - - # JNI jar location - jni_jar_dir = subprocess.check_output( -- 'source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR', -+ '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf ' -+ '&& echo $JNI_JAR_DIR', - shell=True) - # workaround for pylint error E1103 - jni_jar_dir = str(jni_jar_dir).strip() -diff --git a/base/server/scripts/operations b/base/server/scripts/operations -index 7d026fe..e89f1f6 100644 ---- a/base/server/scripts/operations -+++ b/base/server/scripts/operations -@@ -1060,6 +1060,8 @@ verify_symlinks() - - # Dogtag 10 Conditional Variables - jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR` -+ # Override jni_jar_dir using a user-defined value if one exists -+ jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR` - - # Dogtag 10 Symbolic Link Target Variables - java_dir="/usr/share/java" - diff --git a/SOURCES/pki-core-10.1.2-bz790924.patch b/SOURCES/pki-core-10.1.2-bz790924.patch deleted file mode 100644 index d4b197d..0000000 --- a/SOURCES/pki-core-10.1.2-bz790924.patch +++ /dev/null @@ -1,406 +0,0 @@ -From 7da4d9802f058f2f78777928c7e259578ad6daef Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 25 Sep 2014 14:26:11 -0700 -Subject: [PATCH] ticket #1110 pkispawn (configuration) does not provide CA - extensions in subordinate certificate signing requests (CSR) - ---- - .../netscape/certsrv/system/SystemCertData.java | 40 ++++++++++++ - .../cms/servlet/csadmin/ConfigurationUtils.java | 76 +++++++++++++++++++++- - .../cms/servlet/csadmin/SystemConfigService.java | 10 +++ - base/server/etc/default.cfg | 5 ++ - .../python/pki/server/deployment/pkihelper.py | 25 +++++++ - .../python/pki/server/deployment/pkiparser.py | 3 + - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 53 ++++++++++++++- - 7 files changed, 208 insertions(+), 4 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/system/SystemCertData.java b/base/common/src/com/netscape/certsrv/system/SystemCertData.java -index a509e3f..064d8e1 100644 ---- a/base/common/src/com/netscape/certsrv/system/SystemCertData.java -+++ b/base/common/src/com/netscape/certsrv/system/SystemCertData.java -@@ -43,6 +43,9 @@ public class SystemCertData { - public static final String SUBJECT_DN = "subjectDN"; - public static final String CERT = "cert"; - public static final String CERT_CHAIN = "certChain"; -+ public static final String REQUEST_EXT_OID = "req_ext_oid"; -+ public static final String REQUEST_EXT_CRITICAL = "req_ext_critial"; -+ public static final String REQUEST_EXT_DATA = "req_ext_data"; - - @XmlElement - protected String tag; -@@ -80,6 +83,15 @@ public class SystemCertData { - @XmlElement - protected String certChain; - -+ @XmlElement -+ protected String req_ext_oid; -+ -+ @XmlElement -+ protected String req_ext_critical; -+ -+ @XmlElement -+ protected String req_ext_data; -+ - public SystemCertData() { - // required for JAXB - } -@@ -97,6 +109,10 @@ public class SystemCertData { - subjectDN = form.getFirst(SUBJECT_DN); - cert = form.getFirst(CERT); - certChain = form.getFirst(CERT_CHAIN); -+ //support extension in CSR -+ req_ext_oid = form.getFirst(REQUEST_EXT_OID); -+ req_ext_critical = form.getFirst(REQUEST_EXT_CRITICAL); -+ req_ext_data = form.getFirst(REQUEST_EXT_DATA); - } - - /** -@@ -267,4 +283,28 @@ public class SystemCertData { - this.certChain = certChain; - } - -+ /** -+ * @return the req_ext_oid -+ */ -+ public String getReqExtOID() { -+ return req_ext_oid; -+ } -+ -+ /** -+ * @return the req_ext_data -+ */ -+ public String getReqExtData() { -+ return req_ext_data; -+ } -+ -+ /** -+ * @return the req_ext_critical -+ */ -+ public boolean getReqExtCritical() { -+ if (req_ext_critical.equals("true")) -+ return true; -+ else -+ return false; -+ } -+ - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 9f112ea..2ac2344 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -71,8 +71,14 @@ import netscape.security.pkcs.ContentInfo; - import netscape.security.pkcs.PKCS10; - import netscape.security.pkcs.PKCS7; - import netscape.security.pkcs.SignerInfo; -+import netscape.security.util.DerOutputStream; -+import netscape.security.util.ObjectIdentifier; - import netscape.security.x509.AlgorithmId; -+import netscape.security.x509.BasicConstraintsExtension; - import netscape.security.x509.CertificateChain; -+import netscape.security.x509.Extension; -+import netscape.security.x509.Extensions; -+import netscape.security.x509.KeyUsageExtension; - import netscape.security.x509.X500Name; - import netscape.security.x509.X509CertImpl; - import netscape.security.x509.X509Key; -@@ -2598,6 +2604,7 @@ public class ConfigurationUtils { - EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, - NoSuchProviderException, CertificateException, SignatureException, IOException { - -+ CMS.debug("ConfigurationUtils: handleCertRequest() begins"); - // get public key - String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); - String algorithm = config.getString(PCERT_PREFIX + certTag + ".keyalgorithm"); -@@ -2631,7 +2638,12 @@ public class ConfigurationUtils { - String caDN = config.getString(PCERT_PREFIX + certTag + ".dn"); - - cert.setDN(caDN); -- PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm); -+ Extensions exts = null; -+ if (certTag.equals("signing")) { -+ CMS.debug("handleCertRequest: certTag is siging -- about to call createBasicCAExtensions()"); -+ exts = createBasicCAExtensions(config); -+ } -+ PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm, exts); - - CMS.debug("handleCertRequest: created cert request"); - byte[] certReqb = certReq.toByteArray(); -@@ -2645,6 +2657,68 @@ public class ConfigurationUtils { - - } - -+ /* -+ * createBasicCAExtensions creates the basic Extensions needed for a CSR to a -+ * CA signing certificate -+ */ -+ private static Extensions createBasicCAExtensions(IConfigStore config) throws IOException { -+ Extensions exts = new Extensions(); -+ CMS.debug("ConfigurationUtils: createBasicCAExtensions: begins"); -+ -+ // create BasicConstraintsExtension -+ BasicConstraintsExtension bcExt = new BasicConstraintsExtension(true, -1); -+ exts.add(bcExt); -+ -+ // create KeyUsageExtension -+ boolean[] kuBits = new boolean[KeyUsageExtension.NBITS]; -+ for (int i = 0; i < kuBits.length; i++) { -+ kuBits[i] = false; -+ } -+ kuBits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = true; -+ kuBits[KeyUsageExtension.NON_REPUDIATION_BIT] = true; -+ kuBits[KeyUsageExtension.KEY_CERTSIGN_BIT] = true; -+ kuBits[KeyUsageExtension.CRL_SIGN_BIT] = true; -+ KeyUsageExtension kuExt = new KeyUsageExtension(true, kuBits); -+ exts.add(kuExt); -+ /* save this for later when we want to allow more selection for pkispawn configuration -+ // create NSCertTypeExtension -+ boolean[] nsBits = new boolean[NSCertTypeExtension.NBITS]; -+ for (int i = 0; i < nsBits.length; i++) { -+ nsBits[i] = false; -+ } -+ nsBits[NSCertTypeExtension.SSL_CA_BIT] = true; -+ NSCertTypeExtension nsctExt = new NSCertTypeExtension(false, nsBits); -+ exts.add(nsctExt); -+ */ -+ -+ // add a generic extension -+ Extension genExt = null; -+ try { -+ String oidString = config.getString(PCERT_PREFIX + "signing.ext.oid"); -+ String dataString = config.getString(PCERT_PREFIX + "signing.ext.data"); -+ boolean critical = false; -+ if (oidString != null && dataString != null) { -+ CMS.debug("ConfigurationUtils: createBasicCAExtensions: processing generic extension"); -+ critical = config.getBoolean("preop.cert.signing.ext.critical"); -+ ObjectIdentifier oid = new ObjectIdentifier(oidString); -+ -+ byte data[] = CryptoUtil.hexString2Bytes(dataString); -+ DerOutputStream out = new DerOutputStream(); -+ out.putOctetString(data); -+ genExt = new Extension(oid, critical, out.toByteArray()); -+ out.close(); -+ -+ exts.add(genExt); -+ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension added: " + oidString); -+ } -+ } catch (EBaseException e) { -+ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension not processed:" + e); -+ } -+ -+ return exts; -+ } -+ -+ - public static X509Key getECCX509Key(IConfigStore config, String certTag) throws EPropertyNotFound, EBaseException, - InvalidKeyException { - X509Key pubk = null; -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java -index 252a584..b44cdf9 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java -@@ -275,6 +275,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - if (cdata.getTag().equals(ct)) { - cdata_found = true; - CMS.debug("Found data for '" + ct + "'"); -+ if (ct.equals("signing") && -+ cdata.getReqExtOID() != null && -+ cdata.getReqExtData() != null) { -+ CMS.debug("SystemConfigService:processCerts: adding request extension to config"); -+ cs.putString("preop.cert.signing.ext.oid", cdata.getReqExtOID()); -+ cs.putString("preop.cert.signing.ext.data", cdata.getReqExtData()); -+ cs.putBoolean("preop.cert.signing.ext.critical", cdata.getReqExtCritical()); -+ } -+ - break; - } - } -@@ -342,6 +351,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - cs.putString("preop.cert." + ct + ".signingalgorithm", signingalgorithm); - cs.putString("preop.cert." + ct + ".nickname", nickname); - cs.putString("preop.cert." + ct + ".dn", dn); -+ cs.commit(false); - - if (!data.getStepTwo()) { - if (keytype.equals("ecc")) { -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index 94d34b2..ba1f466 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -369,6 +369,11 @@ pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr - pki_external_step_two=False - pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert - pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert -+pki_req_ext_add=False -+# MS subca request ext data -+pki_req_ext_oid=1.3.6.1.4.1.311.20.2 -+pki_req_ext_critical=False -+pki_req_ext_data=1E0A00530075006200430041 - pki_import_admin_cert=False - pki_ocsp_signing_key_algorithm=SHA256withRSA - pki_ocsp_signing_key_size=2048 -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 3d34edc..091c4de 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -432,7 +432,16 @@ class ConfigurationFile: - self.master_dict = deployer.master_dict - # set useful 'boolean' object variables for this class - self.clone = config.str2bool(self.master_dict['pki_clone']) -+ # generic extension support in CSR - for external CA -+ self.add_req_ext = config.str2bool( -+ self.master_dict['pki_req_ext_add']) - self.external = config.str2bool(self.master_dict['pki_external']) -+ if self.external: -+ # generic extension support in CSR - for external CA -+ if self.add_req_ext: -+ self.req_ext_oid = self.master_dict['pki_req_ext_oid'] -+ self.req_ext_critical = self.master_dict['pki_req_ext_critical'] -+ self.req_ext_data = self.master_dict['pki_req_ext_data'] - self.external_step_two = config.str2bool( - self.master_dict['pki_external_step_two']) - self.skip_configuration = config.str2bool( -@@ -657,6 +666,11 @@ class ConfigurationFile: - # External CA (Step 1) - self.confirm_data_exists("pki_external_csr_path") - self.confirm_missing_file("pki_external_csr_path") -+ # generic extension support in CSR - for external CA -+ if self.add_req_ext: -+ self.confirm_data_exists("pki_req_ext_oid") -+ self.confirm_data_exists("pki_req_ext_critical") -+ self.confirm_data_exists("pki_req_ext_data") - else: - # External CA (Step 2) - self.confirm_data_exists("pki_external_ca_cert_chain_path") -@@ -3178,6 +3192,9 @@ class ConfigClient: - self.subordinate = config.str2bool(self.master_dict['pki_subordinate']) - # set useful 'string' object variables for this class - self.subsystem = self.master_dict['pki_subsystem'] -+ # generic extension support in CSR - for external CA -+ self.add_req_ext = config.str2bool( -+ self.master_dict['pki_req_ext_add']) - - def configure_pki_data(self, data): - config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, -@@ -3486,6 +3503,14 @@ class ConfigClient: - cert1 = self.create_system_cert("ca_signing") - cert1.signingAlgorithm = \ - self.master_dict['pki_ca_signing_signing_algorithm'] -+ # generic extension support in CSR - for external CA -+ if self.add_req_ext: -+ cert1.req_ext_oid = \ -+ self.master_dict['pki_req_ext_oid'] -+ cert1.req_ext_critical = \ -+ self.master_dict['pki_req_ext_critical'] -+ cert1.req_ext_data = \ -+ self.master_dict['pki_req_ext_data'] - if self.external_step_two: - # External CA (Step 2) or Stand-alone PKI (Step 2) - if not self.subsystem == "CA": -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index b7cece7..df636d4 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -542,6 +542,9 @@ class PKIConfigParser: - if not self.pki_master_dict.has_key('pki_external') or\ - not len(self.pki_master_dict['pki_external']): - self.pki_master_dict['pki_external'] = "false" -+ if not self.pki_master_dict.has_key('pki_req_ext_add') or\ -+ not len(self.pki_master_dict['pki_req_ext_add']): -+ self.pki_master_dict['pki_req_ext_add'] = "false" - if not self.pki_master_dict.has_key('pki_external_step_two') or\ - not len(self.pki_master_dict['pki_external_step_two']): - self.pki_master_dict['pki_external_step_two'] = "false" -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 5e8e323..bcdb404 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -45,7 +45,10 @@ import java.util.Vector; - import javax.crypto.SecretKey; - - import netscape.security.pkcs.PKCS10; -+import netscape.security.pkcs.PKCS10Attribute; -+import netscape.security.pkcs.PKCS10Attributes; - import netscape.security.pkcs.PKCS7; -+import netscape.security.pkcs.PKCS9Attribute; - import netscape.security.util.BigInt; - import netscape.security.util.DerInputStream; - import netscape.security.util.DerOutputStream; -@@ -61,6 +64,7 @@ import netscape.security.x509.CertificateSubjectName; - import netscape.security.x509.CertificateValidity; - import netscape.security.x509.CertificateVersion; - import netscape.security.x509.CertificateX509Key; -+import netscape.security.x509.Extensions; - import netscape.security.x509.X500Name; - import netscape.security.x509.X500Signer; - import netscape.security.x509.X509CertImpl; -@@ -1176,14 +1180,38 @@ public class CryptoUtil { - public static PKCS10 createCertificationRequest(String subjectName, - X509Key pubk, PrivateKey prik, String alg) - throws NoSuchAlgorithmException, NoSuchProviderException, -- InvalidKeyException, IOException, CertificateException, -- SignatureException { -+ InvalidKeyException, IOException, CertificateException, -+ SignatureException { -+ return createCertificationRequest(subjectName, pubk, prik, alg, null); -+ } -+ -+ /* -+ * This createCertificationRequest() allows extensions to be added to the CSR -+ */ -+ public static PKCS10 createCertificationRequest(String subjectName, -+ X509Key pubk, PrivateKey prik, String alg, Extensions exts) -+ throws NoSuchAlgorithmException, NoSuchProviderException, -+ InvalidKeyException, IOException, CertificateException, -+ SignatureException { - X509Key key = pubk; - java.security.Signature sig = java.security.Signature.getInstance(alg, - "Mozilla-JSS"); - - sig.initSign(prik); -- PKCS10 pkcs10 = new PKCS10(key); -+ PKCS10 pkcs10 = null; -+ -+ if (exts != null) { -+ PKCS10Attribute attr = new -+ PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, -+ exts); -+ PKCS10Attributes attrs = new PKCS10Attributes(); -+ -+ attrs.setAttribute(attr.getAttributeValue().getName(), attr); -+ -+ pkcs10 = new PKCS10(key, attrs); -+ } else { -+ pkcs10 = new PKCS10(key); -+ } - X500Name name = new X500Name(subjectName); - X500Signer signer = new X500Signer(sig, name); - -@@ -1345,6 +1373,25 @@ public class CryptoUtil { - } - - /** -+ * Converts string containing pairs of characters in the range of '0' -+ * to '9', 'a' to 'f' to an array of bytes such that each pair of -+ * characters in the string represents an individual byte -+ */ -+ public static byte[] hexString2Bytes(String string) { -+ if (string == null) -+ return null; -+ int stringLength = string.length(); -+ if ((stringLength == 0) || ((stringLength % 2) != 0)) -+ return null; -+ byte[] bytes = new byte[(stringLength / 2)]; -+ for (int i = 0, b = 0; i < stringLength; i += 2, ++b) { -+ String nextByte = string.substring(i, (i + 2)); -+ bytes[b] = (byte) Integer.parseInt(nextByte, 0x10); -+ } -+ return bytes; -+ } -+ -+ /** - * Retrieves a private key from a unique key ID. - */ - public static PrivateKey findPrivateKeyFromID(byte id[]) --- -1.8.4.2 - diff --git a/SOURCES/pki-core-10.1.2-bz871171.patch b/SOURCES/pki-core-10.1.2-bz871171.patch deleted file mode 100644 index f35e120..0000000 --- a/SOURCES/pki-core-10.1.2-bz871171.patch +++ /dev/null @@ -1,235 +0,0 @@ -From 53134a2d0ba5a497ad789ee0412ba92c2d4ef11c Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 18 Nov 2014 18:28:53 -0800 -Subject: [PATCH] bugzilla 871171 (client-side code) Provide Tomcat support - for TLS v1.1 and TLS v1.2 - ---- - .../com/netscape/certsrv/client/PKIConnection.java | 19 +++++++ - .../src/com/netscape/cmstools/HttpClient.java | 59 +++++++------------- - .../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 7 ++- - .../netscape/cmsutil/http/JssSSLSocketFactory.java | 62 ++-------------------- - 4 files changed, 44 insertions(+), 103 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -index cf103a9..4d298a7 100644 ---- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java -+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java -@@ -472,6 +472,23 @@ public class PKIConnection { - localAddr = localAddress.getAddress(); - } - -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range = -+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); -+ -+ SSLSocket.setSSLVersionRangeDefault( -+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, -+ stream_range); -+ -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range = -+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1, -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); -+ -+ SSLSocket.setSSLVersionRangeDefault( -+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, -+ datagram_range); - SSLSocket socket; - if (sock == null) { - socket = new SSLSocket(InetAddress.getByName(hostName), -@@ -484,6 +501,8 @@ public class PKIConnection { - } else { - socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null); - } -+// setSSLVersionRange needs to be exposed in jss -+// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); - - String certNickname = config.getCertNickname(); - if (certNickname != null) { -diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -index cd6a6ea..1323752 100644 ---- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -@@ -55,27 +55,6 @@ public class HttpClient { - private boolean _secure = false; - - public static final int ARGC = 1; -- static final int cipherSuites[] = { -- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, -- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, -- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, -- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, -- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, -- SSLSocket.SSL3_RSA_WITH_NULL_MD5, -- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, -- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -- 0 -- }; - - public HttpClient(String host, int port, String secure) - throws Exception { -@@ -148,27 +127,27 @@ public class HttpClient { - - int i; - -- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(i, false); -- } catch (SocketException e) { -- } -- } -- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5 -- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(i, false); -- } catch (SocketException e) { -- } -- } -- for (i = 0; cipherSuites[i] != 0; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); -- } catch (SocketException e) { -- } -- } - SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this); -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range = -+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); -+ -+ SSLSocket.setSSLVersionRangeDefault( -+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, -+ stream_range); -+ -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range = -+ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1, -+ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); -+ -+ SSLSocket.setSSLVersionRangeDefault( -+ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, -+ datagram_range); - sslSocket = new SSLSocket(_host, _port); -+ // setSSLVersionRange needs to be exposed in jss -+ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); - sslSocket.addHandshakeCompletedListener(listener); - - CryptoToken tt = cm.getThreadToken(); -diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java -index 4d9e602..720882a 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java -@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt { - SSLSocket s = null; - - try { -- SSLSocket.enableSSL2Default(false); -+ /* -+ * let inherit TLS range and cipher settings -+ */ - s = new SSLSocket(host, port); - s.setUseClientMode(true); -- s.enableSSL2(false); -- //TODO Do we really want to set the default each time? -- SSLSocket.enableSSL2Default(false); - s.enableV2CompatibleHello(false); - - SSLHandshakeCompletedListener listener = null; -diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -index fcf5fc1..2f8a40c 100644 ---- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java -@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory { - mClientAuthCertNickname = certNickname; - } - -- // XXX remove these static SSL cipher suite initializations later on. -- static final int cipherSuites[] = { -- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, -- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, -- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, -- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, -- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, -- SSLSocket.SSL3_RSA_WITH_NULL_MD5, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -- //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, -- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -- 0 -- }; -- -- static { -- int i; -- -- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(i, false); -- } catch (SocketException e) { -- } -- } -- -- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5 -- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(i, false); -- } catch (SocketException e) { -- } -- } -- for (i = 0; cipherSuites[i] != 0; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); -- } catch (SocketException e) { -- } -- } -- } -- - public Socket makeSocket(String host, int port) - throws IOException, UnknownHostException { - return makeSocket(host, port, null, null); -@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory { - throws IOException, UnknownHostException { - - try { -+ /* -+ * let inherit tls range and cipher settings -+ */ - s = new SSLSocket(host, port, null, 0, certApprovalCallback, - clientCertCallback); -- for (int i = 0; cipherSuites[i] != 0; ++i) { -- try { -- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); -- } catch (SocketException e) { -- } -- } -- - s.setUseClientMode(true); -- s.enableSSL2(false); -- //TODO Do we rally want to set the default each time? -- SSLSocket.enableSSL2Default(false); -- s.enableV2CompatibleHello(false); - - SSLHandshakeCompletedListener listener = null; - --- -1.8.3.1 - diff --git a/SOURCES/pki-core-added-CLI-to-update-cert-data-and-request-in-CS-cfg.patch b/SOURCES/pki-core-added-CLI-to-update-cert-data-and-request-in-CS-cfg.patch new file mode 100644 index 0000000..b3e919e --- /dev/null +++ b/SOURCES/pki-core-added-CLI-to-update-cert-data-and-request-in-CS-cfg.patch @@ -0,0 +1,1103 @@ +commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7 +Author: Endi S. Dewata +Date: Wed Sep 2 04:50:24 2015 +0200 + + Added CLI to update cert data and request in CS.cfg. + + A set of new pki-server commands have been added to simplify + updating the cert data and cert request stored in the CS.cfg with + the cert data and cert request stored in the NSS and LDAP database, + respectively. + + https://fedorahosted.org/pki/ticket/1551 + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 9777d22..d004465 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -20,7 +20,11 @@ + # + + from lxml import etree ++import getpass + import grp ++import io ++import ldap ++import operator + import os + import pwd + import re +@@ -31,7 +35,7 @@ import pki + INSTANCE_BASE_DIR = '/var/lib/pki' + REGISTRY_DIR = '/etc/sysconfig/pki' + SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps'] +- ++SUBSYSTEM_CLASSES = {} + + class PKIServer(object): + +@@ -65,6 +69,7 @@ class PKISubsystem(object): + self.base_dir = instance.base_dir + + self.conf_dir = os.path.join(self.base_dir, 'conf') ++ self.cs_conf = os.path.join(self.conf_dir, 'CS.cfg') + + self.context_xml_template = os.path.join( + pki.SHARE_DIR, self.name, 'conf', 'Catalina', 'localhost', self.name + '.xml') +@@ -72,9 +77,62 @@ class PKISubsystem(object): + self.context_xml = os.path.join( + instance.conf_dir, 'Catalina', 'localhost', self.name + '.xml') + ++ self.config = {} ++ self.type = None ++ self.prefix = None ++ + # custom subsystem location + self.doc_base = os.path.join(self.base_dir, 'webapps', self.name) + ++ def load(self): ++ self.config.clear() ++ ++ lines = open(self.cs_conf).read().splitlines() ++ ++ for line in lines: ++ parts = line.split('=', 1) ++ name = parts[0] ++ value = parts[1] ++ self.config[name] = value ++ ++ self.type = self.config['cs.type'] ++ self.prefix = self.type.lower() ++ ++ def find_subsystem_certs(self): ++ certs = [] ++ ++ cert_ids = self.config['%s.cert.list' % self.name].split(',') ++ for cert_id in cert_ids: ++ cert = self.create_subsystem_cert_object(cert_id) ++ certs.append(cert) ++ ++ return certs ++ ++ def get_subsystem_cert(self, cert_id): ++ return self.create_subsystem_cert_object(cert_id) ++ ++ def create_subsystem_cert_object(self, cert_id): ++ cert = {} ++ cert['id'] = cert_id ++ cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, cert_id), None) ++ cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, cert_id), None) ++ cert['data'] = self.config.get('%s.%s.cert' % (self.name, cert_id), None) ++ cert['request'] = self.config.get('%s.%s.certreq' % (self.name, cert_id), None) ++ return cert ++ ++ def update_subsystem_cert(self, cert): ++ cert_id = cert['id'] ++ self.config['%s.%s.nickname' % (self.name, cert_id)] = cert.get('nickname', None) ++ self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token', None) ++ self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data', None) ++ self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request', None) ++ ++ def save(self): ++ sorted_config = sorted(self.config.items(), key=operator.itemgetter(0)) ++ with io.open(self.cs_conf, 'wb') as f: ++ for (key, value) in sorted_config: ++ f.write('%s=%s\n' % (key, value)) ++ + def is_valid(self): + return os.path.exists(self.conf_dir) + +@@ -102,6 +160,21 @@ class PKISubsystem(object): + def disable(self): + self.instance.undeploy(self.name) + ++ def open_database(self, name='internaldb'): ++ ++ hostname = self.config['%s.ldapconn.host' % name] ++ port = self.config['%s.ldapconn.port' % name] ++ bind_dn = self.config['%s.ldapauth.bindDN' % name] ++ ++ # TODO: add support for other authentication ++ # mechanisms (e.g. client cert authentication, LDAPI) ++ bind_password = self.instance.get_password(name) ++ ++ con = ldap.initialize('ldap://%s:%s' % (hostname, port)) ++ con.simple_bind_s(bind_dn, bind_password) ++ ++ return con ++ + def __repr__(self): + return str(self.instance) + '/' + self.name + +@@ -119,6 +192,9 @@ class PKIInstance(object): + self.base_dir = os.path.join(pki.BASE_DIR, name) + + self.conf_dir = os.path.join(self.base_dir, 'conf') ++ self.password_conf = os.path.join(self.conf_dir, 'password.conf') ++ ++ self.nssdb_dir = os.path.join(self.base_dir, 'alias') + self.lib_dir = os.path.join(self.base_dir, 'lib') + + self.registry_dir = os.path.join(pki.server.REGISTRY_DIR, 'tomcat', self.name) +@@ -132,6 +208,8 @@ class PKIInstance(object): + self.uid = None + self.gid = None + ++ self.passwords = {} ++ + self.subsystems = [] + + def is_valid(self): +@@ -153,6 +231,7 @@ class PKIInstance(object): + return rc == 0 + + def load(self): ++ # load UID and GID + with open(self.registry_file, 'r') as registry: + lines = registry.readlines() + +@@ -168,11 +247,41 @@ class PKIInstance(object): + self.group = m.group(1) + self.gid = grp.getgrnam(self.group).gr_gid + ++ # load passwords ++ self.passwords.clear() ++ lines = open(self.password_conf).read().splitlines() ++ ++ for line in lines: ++ parts = line.split('=', 1) ++ name = parts[0] ++ value = parts[1] ++ self.passwords[name] = value ++ ++ # load subsystems + for subsystem_name in os.listdir(self.registry_dir): +- if subsystem_name in pki.server.SUBSYSTEM_TYPES: +- subsystem = PKISubsystem(self, subsystem_name) ++ if subsystem_name in SUBSYSTEM_TYPES: ++ if subsystem_name in SUBSYSTEM_CLASSES: ++ subsystem = SUBSYSTEM_CLASSES[subsystem_name](self) ++ else: ++ subsystem = PKISubsystem(self, subsystem_name) ++ subsystem.load() + self.subsystems.append(subsystem) + ++ def get_password(self, name): ++ if name in self.passwords: ++ return self.passwords[name] ++ ++ password = getpass.getpass(prompt='Enter password for %s: ' % name) ++ self.passwords[name] = password ++ ++ return password ++ ++ def get_subsystem(self, name): ++ for subsystem in self.subsystems: ++ if name == subsystem.name: ++ return subsystem ++ return None ++ + def is_deployed(self, webapp_name): + context_xml = os.path.join( + self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml') +diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py +new file mode 100644 +index 0000000..70ebf4d +--- /dev/null ++++ b/base/server/python/pki/server/ca.py +@@ -0,0 +1,92 @@ ++#!/usr/bin/python ++# Authors: ++# Endi S. Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2015 Red Hat, Inc. ++# All rights reserved. ++# ++ ++from __future__ import absolute_import ++import ldap ++import ldap.filter ++ ++import pki ++import pki.server ++ ++ ++class CASubsystem(pki.server.PKISubsystem): ++ ++ def __init__(self, instance): ++ super(CASubsystem, self).__init__(instance, 'ca') ++ ++ def find_cert_requests(self, cert=None): ++ ++ base_dn = self.config['internaldb.basedn'] ++ ++ if cert: ++ escaped_value = ldap.filter.escape_filter_chars(cert) ++ search_filter = '(extdata-req--005fissued--005fcert=%s)' % escaped_value ++ ++ else: ++ search_filter = '(objectClass=*)' ++ ++ con = self.open_database() ++ ++ entries = con.search_s( ++ 'ou=ca,ou=requests,%s' % base_dn, ++ ldap.SCOPE_ONELEVEL, ++ search_filter, ++ None) ++ ++ con.unbind_s() ++ ++ requests = [] ++ for entry in entries: ++ requests.append(self.create_request_object(entry)) ++ ++ return requests ++ ++ def get_cert_requests(self, request_id): ++ ++ base_dn = self.config['internaldb.basedn'] ++ ++ con = self.open_database() ++ ++ entries = con.search_s( ++ 'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn), ++ ldap.SCOPE_BASE, ++ '(objectClass=*)', ++ None) ++ ++ con.unbind_s() ++ ++ entry = entries[0] ++ return self.create_request_object(entry) ++ ++ def create_request_object(self, entry): ++ ++ attrs = entry[1] ++ ++ request = {} ++ request['id'] = attrs['cn'][0] ++ request['type'] = attrs['requestType'][0] ++ request['status'] = attrs['requestState'][0] ++ request['request'] = attrs['extdata-cert--005frequest'][0] ++ ++ return request ++ ++ ++pki.server.SUBSYSTEM_CLASSES['ca'] = CASubsystem +diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py +new file mode 100644 +index 0000000..2ad8652 +--- /dev/null ++++ b/base/server/python/pki/server/cli/ca.py +@@ -0,0 +1,206 @@ ++#!/usr/bin/python ++# Authors: ++# Endi S. Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2015 Red Hat, Inc. ++# All rights reserved. ++# ++ ++from __future__ import absolute_import ++from __future__ import print_function ++import getopt ++import io ++import sys ++ ++import pki.cli ++import pki.server.ca ++ ++ ++class CACLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(CACLI, self).__init__( ++ 'ca', 'CA management commands') ++ ++ self.add_module(CACertCLI()) ++ ++ ++class CACertCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(CACertCLI, self).__init__( ++ 'cert', 'CA certificates management commands') ++ ++ self.add_module(CACertRequestCLI()) ++ ++ ++class CACertRequestCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(CACertRequestCLI, self).__init__( ++ 'request', 'CA certificate requests management commands') ++ ++ self.add_module(CACertRequestFindCLI()) ++ self.add_module(CACertRequestShowCLI()) ++ ++ @staticmethod ++ def print_request(request, details=False): ++ print(' Request ID: %s' % request['id']) ++ print(' Type: %s' % request['type']) ++ print(' Status: %s' % request['status']) ++ ++ if details: ++ print(' Request: %s' % request['request']) ++ ++ ++class CACertRequestFindCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(CACertRequestFindCLI, self).__init__( ++ 'find', 'Find CA certificate requests') ++ ++ def usage(self): ++ print('Usage: pki-server ca-cert-request-find [OPTIONS]') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' --cert Issued certificate.') ++ print(' --cert-file File containing issued certificate.') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, args): ++ ++ try: ++ opts, _ = getopt.gnu_getopt(args, 'i:v', [ ++ 'instance=', 'cert=', 'cert-file=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ instance_name = 'pki-tomcat' ++ cert = None ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--cert': ++ cert = a ++ ++ elif o == '--cert-file': ++ with io.open(a, 'rb') as f: ++ cert = f.read() ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ instance.load() ++ ++ subsystem = instance.get_subsystem('ca') ++ results = subsystem.find_cert_requests(cert=cert) ++ ++ self.print_message('%s entries matched' % len(results)) ++ ++ first = True ++ for request in results: ++ if first: ++ first = False ++ else: ++ print() ++ ++ CACertRequestCLI.print_request(request) ++ ++ ++class CACertRequestShowCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(CACertRequestShowCLI, self).__init__( ++ 'show', 'Show CA certificate request') ++ ++ def usage(self): ++ print('Usage: pki-server ca-cert-request-show [OPTIONS]') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, args): ++ ++ try: ++ opts, args = getopt.gnu_getopt(args, 'i:v', [ ++ 'instance=', 'output-file=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) != 1: ++ print('ERROR: missing request ID') ++ self.usage() ++ sys.exit(1) ++ ++ request_id = args[0] ++ instance_name = 'pki-tomcat' ++ output_file = None ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o == '--output-file': ++ output_file = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ instance.load() ++ ++ subsystem = instance.get_subsystem('ca') ++ request = subsystem.get_cert_requests(request_id) ++ ++ if output_file: ++ with io.open(output_file, 'wb') as f: ++ f.write(request['request']) ++ ++ else: ++ CACertRequestCLI.print_request(request, details=True) +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 43eb564..fc89c27 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -19,8 +19,12 @@ + # All rights reserved. + # + ++from __future__ import absolute_import ++from __future__ import print_function ++import base64 + import getopt +-import os ++import nss.nss as nss ++import string + import sys + + import pki.cli +@@ -38,11 +42,13 @@ class SubsystemCLI(pki.cli.CLI): + self.add_module(SubsystemFindCLI()) + self.add_module(SubsystemShowCLI()) + ++ self.add_module(SubsystemCertCLI()) ++ + @staticmethod + def print_subsystem(subsystem): +- print ' Subsystem ID: %s' % subsystem.name +- print ' Instance ID: %s' % subsystem.instance.name +- print ' Enabled: %s' % subsystem.is_enabled() ++ print(' Subsystem ID: %s' % subsystem.name) ++ print(' Instance ID: %s' % subsystem.instance.name) ++ print(' Enabled: %s' % subsystem.is_enabled()) + + + class SubsystemFindCLI(pki.cli.CLI): +@@ -51,12 +57,12 @@ class SubsystemFindCLI(pki.cli.CLI): + super(SubsystemFindCLI, self).__init__('find', 'Find subsystems') + + def usage(self): +- print 'Usage: pki-server subsystem-find [OPTIONS]' +- print +- print ' -i, --instance Instance ID.' +- print ' -v, --verbose Run in verbose mode.' +- print ' --help Show help message.' +- print ++ print('Usage: pki-server subsystem-find [OPTIONS]') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() + + def execute(self, args): + +@@ -66,11 +72,11 @@ class SubsystemFindCLI(pki.cli.CLI): + 'verbose', 'help']) + + except getopt.GetoptError as e: +- print 'ERROR: ' + str(e) ++ print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + +- instance_name = None ++ instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): +@@ -84,32 +90,17 @@ class SubsystemFindCLI(pki.cli.CLI): + sys.exit() + + else: +- print 'ERROR: unknown option ' + o ++ print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + +- if not instance_name: +- print 'ERROR: missing instance ID' +- self.usage() +- sys.exit(1) +- + instance = pki.server.PKIInstance(instance_name) + instance.load() + +- results = [] +- +- for name in os.listdir(instance.base_dir): +- +- subsystem = pki.server.PKISubsystem(instance, name) +- if not subsystem.is_valid(): +- continue +- +- results.append(subsystem) +- +- self.print_message('%s entries matched' % len(results)) ++ self.print_message('%s entries matched' % len(instance.subsystems)) + + first = True +- for subsystem in results: ++ for subsystem in instance.subsystems: + if first: + first = False + else: +@@ -124,12 +115,12 @@ class SubsystemShowCLI(pki.cli.CLI): + super(SubsystemShowCLI, self).__init__('show', 'Show subsystem') + + def usage(self): +- print 'Usage: pki-server subsystem-show [OPTIONS] ' +- print +- print ' -i, --instance Instance ID.' +- print ' -v, --verbose Run in verbose mode.' +- print ' --help Show help message.' +- print ++ print('Usage: pki-server subsystem-show [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() + + def execute(self, argv): + +@@ -139,17 +130,17 @@ class SubsystemShowCLI(pki.cli.CLI): + 'verbose', 'help']) + + except getopt.GetoptError as e: +- print 'ERROR: ' + str(e) ++ print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) != 1: +- print 'ERROR: missing subsystem ID' ++ print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] +- instance_name = None ++ instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): +@@ -163,19 +154,14 @@ class SubsystemShowCLI(pki.cli.CLI): + sys.exit() + + else: +- print 'ERROR: unknown option ' + o ++ print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + +- if not instance_name: +- print 'ERROR: missing instance ID' +- self.usage() +- sys.exit(1) +- + instance = pki.server.PKIInstance(instance_name) + instance.load() + +- subsystem = pki.server.PKISubsystem(instance, subsystem_name) ++ subsystem = instance.get_subsystem(subsystem_name) + + SubsystemCLI.print_subsystem(subsystem) + +@@ -186,12 +172,12 @@ class SubsystemEnableCLI(pki.cli.CLI): + super(SubsystemEnableCLI, self).__init__('enable', 'Enable subsystem') + + def usage(self): +- print 'Usage: pki-server subsystem-enable [OPTIONS] ' +- print +- print ' -i, --instance Instance ID.' +- print ' -v, --verbose Run in verbose mode.' +- print ' --help Show help message.' +- print ++ print('Usage: pki-server subsystem-enable [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() + + def execute(self, argv): + +@@ -201,17 +187,17 @@ class SubsystemEnableCLI(pki.cli.CLI): + 'verbose', 'help']) + + except getopt.GetoptError as e: +- print 'ERROR: ' + str(e) ++ print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) != 1: +- print 'ERROR: missing subsystem ID' ++ print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] +- instance_name = None ++ instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): +@@ -225,19 +211,14 @@ class SubsystemEnableCLI(pki.cli.CLI): + sys.exit() + + else: +- print 'ERROR: unknown option ' + o ++ print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + +- if not instance_name: +- print 'ERROR: missing instance ID' +- self.usage() +- sys.exit(1) +- + instance = pki.server.PKIInstance(instance_name) + instance.load() + +- subsystem = pki.server.PKISubsystem(instance, subsystem_name) ++ subsystem = instance.get_subsystem(subsystem_name) + subsystem.enable() + + self.print_message('Enabled "%s" subsystem' % subsystem_name) +@@ -251,12 +232,12 @@ class SubsystemDisableCLI(pki.cli.CLI): + super(SubsystemDisableCLI, self).__init__('disable', 'Disable subsystem') + + def usage(self): +- print 'Usage: pki-server subsystem-disable [OPTIONS] ' +- print +- print ' -i, --instance Instance ID.' +- print ' -v, --verbose Run in verbose mode.' +- print ' --help Show help message.' +- print ++ print('Usage: pki-server subsystem-disable [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() + + def execute(self, argv): + +@@ -266,17 +247,17 @@ class SubsystemDisableCLI(pki.cli.CLI): + 'verbose', 'help']) + + except getopt.GetoptError as e: +- print 'ERROR: ' + str(e) ++ print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + if len(args) != 1: +- print 'ERROR: missing subsystem ID' ++ print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] +- instance_name = None ++ instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): +@@ -290,21 +271,267 @@ class SubsystemDisableCLI(pki.cli.CLI): + sys.exit() + + else: +- print 'ERROR: unknown option ' + o ++ print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + +- if not instance_name: +- print 'ERROR: missing instance ID' +- self.usage() +- sys.exit(1) +- + instance = pki.server.PKIInstance(instance_name) + instance.load() + +- subsystem = pki.server.PKISubsystem(instance, subsystem_name) ++ subsystem = instance.get_subsystem(subsystem_name) + subsystem.disable() + + self.print_message('Disabled "%s" subsystem' % subsystem_name) + + SubsystemCLI.print_subsystem(subsystem) ++ ++ ++class SubsystemCertCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(SubsystemCertCLI, self).__init__( ++ 'cert', 'Subsystem certificate management commands') ++ ++ self.add_module(SubsystemCertFindCLI()) ++ self.add_module(SubsystemCertShowCLI()) ++ self.add_module(SubsystemCertUpdateCLI()) ++ ++ @staticmethod ++ def print_subsystem_cert(cert): ++ print(' Cert ID: %s' % cert['id']) ++ print(' Nickname: %s' % cert['nickname']) ++ print(' Token: %s' % cert['token']) ++ print(' Certificate: %s' % cert['data']) ++ print(' Request: %s' % cert['request']) ++ ++ ++class SubsystemCertFindCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(SubsystemCertFindCLI, self).__init__( ++ 'find', 'Find subsystem certificates') ++ ++ def usage(self): ++ print('Usage: pki-server subsystem-cert-find [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, args = getopt.getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) != 1: ++ print('ERROR: missing subsystem ID') ++ self.usage() ++ sys.exit(1) ++ ++ subsystem_name = args[0] ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ instance.load() ++ ++ subsystem = instance.get_subsystem(subsystem_name) ++ results = subsystem.find_subsystem_certs() ++ ++ self.print_message('%s entries matched' % len(results)) ++ ++ first = True ++ for cert in results: ++ if first: ++ first = False ++ else: ++ print() ++ ++ SubsystemCertCLI.print_subsystem_cert(cert) ++ ++ ++class SubsystemCertShowCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(SubsystemCertShowCLI, self).__init__( ++ 'show', 'Show subsystem certificate') ++ ++ def usage(self): ++ print('Usage: pki-server subsystem-cert-show [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, args = getopt.getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) < 1: ++ print('ERROR: missing subsystem ID') ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) < 2: ++ print('ERROR: missing cert ID') ++ self.usage() ++ sys.exit(1) ++ ++ subsystem_name = args[0] ++ cert_id = args[1] ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ instance.load() ++ ++ subsystem = instance.get_subsystem(subsystem_name) ++ subsystem_cert = subsystem.get_subsystem_cert(cert_id) ++ ++ SubsystemCertCLI.print_subsystem_cert(subsystem_cert) ++ ++ ++class SubsystemCertUpdateCLI(pki.cli.CLI): ++ ++ def __init__(self): ++ super(SubsystemCertUpdateCLI, self).__init__( ++ 'update', 'Update subsystem certificate') ++ ++ def usage(self): ++ print('Usage: pki-server subsystem-cert-update [OPTIONS] ') ++ print() ++ print(' -i, --instance Instance ID (default: pki-tomcat).') ++ print(' -v, --verbose Run in verbose mode.') ++ print(' --help Show help message.') ++ print() ++ ++ def execute(self, argv): ++ ++ try: ++ opts, args = getopt.getopt(argv, 'i:v', [ ++ 'instance=', ++ 'verbose', 'help']) ++ ++ except getopt.GetoptError as e: ++ print('ERROR: ' + str(e)) ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) < 1: ++ print('ERROR: missing subsystem ID') ++ self.usage() ++ sys.exit(1) ++ ++ if len(args) < 2: ++ print('ERROR: missing cert ID') ++ self.usage() ++ sys.exit(1) ++ ++ subsystem_name = args[0] ++ cert_id = args[1] ++ instance_name = 'pki-tomcat' ++ ++ for o, a in opts: ++ if o in ('-i', '--instance'): ++ instance_name = a ++ ++ elif o in ('-v', '--verbose'): ++ self.set_verbose(True) ++ ++ elif o == '--help': ++ self.print_help() ++ sys.exit() ++ ++ else: ++ print('ERROR: unknown option ' + o) ++ self.usage() ++ sys.exit(1) ++ ++ instance = pki.server.PKIInstance(instance_name) ++ instance.load() ++ ++ subsystem = instance.get_subsystem(subsystem_name) ++ subsystem_cert = subsystem.get_subsystem_cert(cert_id) ++ ++ # get cert data from NSS database ++ nss.nss_init(instance.nssdb_dir) ++ nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname']) ++ data = base64.b64encode(nss_cert.der_data) ++ del nss_cert ++ nss.nss_shutdown() ++ subsystem_cert['data'] = data ++ ++ # format cert data for LDAP database ++ lines = [data[i:i+64] for i in range(0, len(data), 64)] ++ data = string.join(lines, '\r\n') + '\r\n' ++ ++ # get cert request from local CA ++ # TODO: add support for remote CA ++ ca = instance.get_subsystem('ca') ++ results = ca.find_cert_requests(cert=data) ++ cert_request = results[-1] ++ request = cert_request['request'] ++ ++ # format cert request for CS.cfg ++ lines = request.splitlines() ++ if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----': ++ lines = lines[1:] ++ if lines[-1] == '-----END CERTIFICATE REQUEST-----': ++ lines = lines[:-1] ++ request = string.join(lines, '') ++ subsystem_cert['request'] = request ++ ++ # store cert data and request in CS.cfg ++ subsystem.update_subsystem_cert(subsystem_cert) ++ subsystem.save() ++ ++ self.print_message('Updated "%s" subsystem certificate' % cert_id) ++ ++ SubsystemCertCLI.print_subsystem_cert(subsystem_cert) +diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py +index c9426a0..f82ffe6 100644 +--- a/base/server/python/pki/server/upgrade.py ++++ b/base/server/python/pki/server/upgrade.py +@@ -220,6 +220,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): + if self.subsystemName: + subsystem = pki.server.PKISubsystem(instance, self.subsystemName) + subsystem.validate() ++ subsystem.load() + return [subsystem] + + subsystem_list = [] +@@ -232,6 +233,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): + if subsystemName in pki.server.SUBSYSTEM_TYPES: + subsystem = pki.server.PKISubsystem(instance, subsystemName) + subsystem.validate() ++ subsystem.load() + subsystem_list.append(subsystem) + else: + for subsystemName in pki.server.SUBSYSTEM_TYPES: +@@ -242,6 +244,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader): + if os.path.exists(registry_dir): + subsystem = pki.server.PKISubsystem(instance, subsystemName) + subsystem.validate() ++ subsystem.load() + subsystem_list.append(subsystem) + + subsystem_list.sort() +diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server +index 627a476..cdfd98e 100644 +--- a/base/server/sbin/pki-server ++++ b/base/server/sbin/pki-server +@@ -23,6 +23,7 @@ import getopt + import sys + + import pki.cli ++import pki.server.cli.ca + import pki.server.cli.instance + import pki.server.cli.subsystem + import pki.server.cli.migrate +@@ -35,6 +36,7 @@ class PKIServerCLI(pki.cli.CLI): + + super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface') + ++ self.add_module(pki.server.cli.ca.CACLI()) + self.add_module(pki.server.cli.instance.InstanceCLI()) + self.add_module(pki.server.cli.subsystem.SubsystemCLI()) + self.add_module(pki.server.cli.migrate.MigrateCLI()) diff --git a/SOURCES/pki-core-added-support-for-secure-database-connection-in-CLI.patch b/SOURCES/pki-core-added-support-for-secure-database-connection-in-CLI.patch new file mode 100644 index 0000000..21bb837 --- /dev/null +++ b/SOURCES/pki-core-added-support-for-secure-database-connection-in-CLI.patch @@ -0,0 +1,449 @@ +commit f153bd8a455953698e8af5085cd3cd7b368b1247 +Author: Endi S. Dewata +Date: Fri Sep 4 06:30:27 2015 +0200 + + Added support for secure database connection in CLI. + + The pki-server subsystem-cert-update has been modified to support + secure database connection with client certificate authentication. + The certificate and the private key will be exported temporarily + into PEM files so python-ldap can use them. + + The pki client-cert-show has been modified to provide an option + to export client certificate's private key. + + https://fedorahosted.org/pki/ticket/1551 + +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java +index f79501c..e44fae7 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java +@@ -29,10 +29,8 @@ import org.apache.commons.lang.RandomStringUtils; + import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.crypto.X509Certificate; + +-import com.netscape.certsrv.cert.CertData; + import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; +-import com.netscape.cmsutil.util.Utils; + + /** + * @author Endi S. Dewata +@@ -57,6 +55,10 @@ public class ClientCertShowCLI extends CLI { + option.setArgName("path"); + options.addOption(option); + ++ option = new Option(null, "private-key", true, "PEM file to store the private key."); ++ option.setArgName("path"); ++ options.addOption(option); ++ + option = new Option(null, "client-cert", true, "PEM file to store the certificate and the private key."); + option.setArgName("path"); + options.addOption(option); +@@ -107,90 +109,82 @@ public class ClientCertShowCLI extends CLI { + + String nickname = cmdArgs[0]; + String certPath = cmd.getOptionValue("cert"); ++ String privateKeyPath = cmd.getOptionValue("private-key"); ++ String clientCertPath = cmd.getOptionValue("client-cert"); + String pkcs12Path = cmd.getOptionValue("pkcs12"); + String pkcs12Password = cmd.getOptionValue("pkcs12-password"); +- String clientCertPath = cmd.getOptionValue("client-cert"); +- +- if (certPath != null) { +- +- if (verbose) System.out.println("Exporting certificate to " + clientCertPath + "."); +- +- // late initialization +- mainCLI.init(); + +- client = mainCLI.getClient(); +- X509Certificate cert = client.getCert(nickname); ++ File pkcs12File; + +- try (PrintWriter out = new PrintWriter(new FileWriter(certPath))) { +- out.println(CertData.HEADER); +- out.println(Utils.base64encode(cert.getEncoded())); +- out.println(CertData.FOOTER); +- } ++ if (pkcs12Path != null) { ++ // exporting certificate to PKCS #12 file + +- } else if (pkcs12Path != null) { +- +- if (verbose) System.out.println("Exporting certificate chain and private key to " + pkcs12Path + "."); ++ pkcs12File = new File(pkcs12Path); + + if (pkcs12Password == null) { + throw new Exception("Missing PKCS #12 password"); + } + +- // store password into a temporary file +- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd"); +- pkcs12PasswordFile.deleteOnExit(); ++ } else if (certPath != null || clientCertPath != null || privateKeyPath != null) { ++ // exporting certificate and/or private key to PEM files using temporary PKCS #12 file + +- try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) { +- out.print(pkcs12Password); +- } ++ // prepare temporary PKCS #12 file ++ pkcs12File = File.createTempFile("pki-client-cert-show-", ".p12"); ++ pkcs12File.deleteOnExit(); + +- // export certificate chain and private key into PKCS #12 file +- exportPKCS12( +- mainCLI.certDatabase.getAbsolutePath(), +- mainCLI.config.getCertPassword(), +- pkcs12Path, +- pkcs12PasswordFile.getAbsolutePath(), +- nickname); ++ // generate random password ++ pkcs12Password = RandomStringUtils.randomAlphanumeric(16); + +- } else if (clientCertPath != null) { ++ } else { ++ // displaying certificate info + +- if (verbose) System.out.println("Exporting client certificate and private key to " + clientCertPath + "."); ++ mainCLI.init(); + +- // generate random PKCS #12 password +- pkcs12Password = RandomStringUtils.randomAlphanumeric(16); ++ client = mainCLI.getClient(); ++ X509Certificate cert = client.getCert(nickname); ++ ++ ClientCLI.printCertInfo(cert); ++ return; ++ } + +- // store password into a temporary file +- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd"); +- pkcs12PasswordFile.deleteOnExit(); ++ // store password into a temporary file ++ File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd"); ++ pkcs12PasswordFile.deleteOnExit(); + +- try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) { +- out.print(pkcs12Password); +- } ++ try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) { ++ out.print(pkcs12Password); ++ } + +- // export certificate chain and private key into a temporary PKCS #12 file +- File pkcs12File = File.createTempFile("pki-client-cert-show-", ".p12"); +- pkcs12File.deleteOnExit(); ++ if (verbose) System.out.println("Exporting certificate chain and private key to " + pkcs12File + "."); ++ exportPKCS12( ++ mainCLI.certDatabase.getAbsolutePath(), ++ mainCLI.config.getCertPassword(), ++ pkcs12File.getAbsolutePath(), ++ pkcs12PasswordFile.getAbsolutePath(), ++ nickname); + +- exportPKCS12( +- mainCLI.certDatabase.getAbsolutePath(), +- mainCLI.config.getCertPassword(), ++ if (certPath != null) { ++ if (verbose) System.out.println("Exporting certificate to " + certPath + "."); ++ exportCertificate( + pkcs12File.getAbsolutePath(), + pkcs12PasswordFile.getAbsolutePath(), +- nickname); ++ certPath); ++ } + +- // export client certificate and private key into a PEM file +- exportClientCertificate( ++ if (privateKeyPath != null) { ++ if (verbose) System.out.println("Exporting private key to " + privateKeyPath + "."); ++ exportPrivateKey( + pkcs12File.getAbsolutePath(), + pkcs12PasswordFile.getAbsolutePath(), +- clientCertPath); +- +- } else { +- // late initialization +- mainCLI.init(); +- +- client = mainCLI.getClient(); +- X509Certificate cert = client.getCert(nickname); ++ privateKeyPath); ++ } + +- ClientCLI.printCertInfo(cert); ++ if (clientCertPath != null) { ++ if (verbose) System.out.println("Exporting client certificate and private key to " + clientCertPath + "."); ++ exportClientCertificateAndPrivateKey( ++ pkcs12File.getAbsolutePath(), ++ pkcs12PasswordFile.getAbsolutePath(), ++ clientCertPath); + } + } + +@@ -218,7 +212,53 @@ public class ClientCertShowCLI extends CLI { + } + } + +- public void exportClientCertificate( ++ public void exportCertificate( ++ String pkcs12Path, ++ String pkcs12PasswordPath, ++ String certPath) throws Exception { ++ ++ String[] command = { ++ "/bin/openssl", ++ "pkcs12", ++ "-clcerts", // certificate only ++ "-nokeys", ++ "-in", pkcs12Path, ++ "-passin", "file:" + pkcs12PasswordPath, ++ "-out", certPath ++ }; ++ ++ try { ++ run(command); ++ ++ } catch (Exception e) { ++ throw new Exception("Unable to export certificate", e); ++ } ++ } ++ ++ public void exportPrivateKey( ++ String pkcs12Path, ++ String pkcs12PasswordPath, ++ String privateKeyPath) throws Exception { ++ ++ String[] command = { ++ "/bin/openssl", ++ "pkcs12", ++ "-nocerts", // private key only ++ "-nodes", // no encryption ++ "-in", pkcs12Path, ++ "-passin", "file:" + pkcs12PasswordPath, ++ "-out", privateKeyPath ++ }; ++ ++ try { ++ run(command); ++ ++ } catch (Exception e) { ++ throw new Exception("Unable to export private key", e); ++ } ++ } ++ ++ public void exportClientCertificateAndPrivateKey( + String pkcs12Path, + String pkcs12PasswordPath, + String clientCertPath) throws Exception { +@@ -226,7 +266,7 @@ public class ClientCertShowCLI extends CLI { + String[] command = { + "/bin/openssl", + "pkcs12", +- "-clcerts", // client certificate only ++ "-clcerts", // client certificate and private key + "-nodes", // no encryption + "-in", pkcs12Path, + "-passin", "file:" + pkcs12PasswordPath, +@@ -237,7 +277,7 @@ public class ClientCertShowCLI extends CLI { + run(command); + + } catch (Exception e) { +- throw new Exception("Unable to export client certificate", e); ++ throw new Exception("Unable to export client certificate and private key", e); + } + } + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index d004465..89d4acf 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -28,7 +28,9 @@ import operator + import os + import pwd + import re ++import shutil + import subprocess ++import tempfile + + import pki + +@@ -162,18 +164,43 @@ class PKISubsystem(object): + + def open_database(self, name='internaldb'): + ++ # TODO: add LDAPI support + hostname = self.config['%s.ldapconn.host' % name] + port = self.config['%s.ldapconn.port' % name] +- bind_dn = self.config['%s.ldapauth.bindDN' % name] ++ secure = self.config['%s.ldapconn.secureConn' % name] + +- # TODO: add support for other authentication +- # mechanisms (e.g. client cert authentication, LDAPI) +- bind_password = self.instance.get_password(name) ++ if secure == 'true': ++ url = 'ldaps://%s:%s' % (hostname, port) + +- con = ldap.initialize('ldap://%s:%s' % (hostname, port)) +- con.simple_bind_s(bind_dn, bind_password) ++ elif secure == 'false': ++ url = 'ldap://%s:%s' % (hostname, port) + +- return con ++ else: ++ raise Exception('Invalid parameter value in %s.ldapconn.secureConn: %s' % (name, secure)) ++ ++ connection = PKIDatabaseConnection(url) ++ ++ connection.set_security_database(self.instance.nssdb_dir) ++ ++ auth_type = self.config['%s.ldapauth.authtype' % name] ++ if auth_type == 'BasicAuth': ++ connection.set_credentials( ++ bind_dn=self.config['%s.ldapauth.bindDN' % name], ++ bind_password=self.instance.get_password(name) ++ ) ++ ++ elif auth_type == 'SslClientAuth': ++ connection.set_credentials( ++ client_cert_nickname=self.config['%s.ldapauth.clientCertNickname' % name], ++ nssdb_password=self.instance.get_password('internal') ++ ) ++ ++ else: ++ raise Exception('Invalid parameter value in %s.ldapauth.authtype: %s' % (name, auth_type)) ++ ++ connection.open() ++ ++ return connection + + def __repr__(self): + return str(self.instance) + '/' + self.name +@@ -337,6 +364,64 @@ class PKIInstance(object): + return self.name + + ++class PKIDatabaseConnection(object): ++ ++ def __init__(self, url='ldap://localhost:389'): ++ ++ self.url = url ++ ++ self.nssdb_dir = None ++ ++ self.bind_dn = None ++ self.bind_password = None ++ ++ self.client_cert_nickname = None ++ self.nssdb_password = None ++ ++ self.temp_dir = None ++ self.ldap = None ++ ++ def set_security_database(self, nssdb_dir=None): ++ self.nssdb_dir = nssdb_dir ++ ++ def set_credentials(self, bind_dn=None, bind_password=None, ++ client_cert_nickname=None, nssdb_password=None): ++ self.bind_dn = bind_dn ++ self.bind_password = bind_password ++ self.client_cert_nickname = client_cert_nickname ++ self.nssdb_password = nssdb_password ++ ++ def open(self): ++ ++ self.temp_dir = tempfile.mkdtemp() ++ ++ if self.nssdb_dir: ++ ++ ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.nssdb_dir) ++ ++ if self.client_cert_nickname: ++ ++ password_file = os.path.join(self.temp_dir, 'password.txt') ++ with open(password_file, 'w') as f: ++ f.write(self.nssdb_password) ++ ++ ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert_nickname) ++ ldap.set_option(ldap.OPT_X_TLS_KEYFILE, password_file) ++ ++ self.ldap = ldap.initialize(self.url) ++ ++ if self.bind_dn and self.bind_password: ++ self.ldap.simple_bind_s(self.bind_dn, self.bind_password) ++ ++ def close(self): ++ ++ if self.ldap: ++ self.ldap.unbind_s() ++ ++ if self.temp_dir: ++ shutil.rmtree(self.temp_dir) ++ ++ + class PKIServerException(pki.PKIException): + + def __init__(self, message, exception=None, +diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py +index 70ebf4d..31e373a 100644 +--- a/base/server/python/pki/server/ca.py ++++ b/base/server/python/pki/server/ca.py +@@ -45,13 +45,13 @@ class CASubsystem(pki.server.PKISubsystem): + + con = self.open_database() + +- entries = con.search_s( ++ entries = con.ldap.search_s( + 'ou=ca,ou=requests,%s' % base_dn, + ldap.SCOPE_ONELEVEL, + search_filter, + None) + +- con.unbind_s() ++ con.close() + + requests = [] + for entry in entries: +@@ -65,13 +65,13 @@ class CASubsystem(pki.server.PKISubsystem): + + con = self.open_database() + +- entries = con.search_s( ++ entries = con.ldap.search_s( + 'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn), + ldap.SCOPE_BASE, + '(objectClass=*)', + None) + +- con.unbind_s() ++ con.close() + + entry = entries[0] + return self.create_request_object(entry) +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index fc89c27..19db203 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -104,7 +104,7 @@ class SubsystemFindCLI(pki.cli.CLI): + if first: + first = False + else: +- print ++ print() + + SubsystemCLI.print_subsystem(subsystem) + +diff --git a/base/server/upgrade/10.2.0/01-AddTLSRangeSupport b/base/server/upgrade/10.2.0/01-AddTLSRangeSupport +index b5b83f4..e225924 100755 +--- a/base/server/upgrade/10.2.0/01-AddTLSRangeSupport ++++ b/base/server/upgrade/10.2.0/01-AddTLSRangeSupport +@@ -29,7 +29,7 @@ import pki.server.upgrade + class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet): + + def __init__(self): +- ++ super(AddTLSRangeSupport, self).__init__() + self.message = 'Add TLS Range Support' + + self.parser = etree.XMLParser(remove_blank_text=True) diff --git a/SOURCES/pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch b/SOURCES/pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch new file mode 100644 index 0000000..dc885ab --- /dev/null +++ b/SOURCES/pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch @@ -0,0 +1,57 @@ +commit b65d6a8095b864c912e2e0884e9b50f58353805b +Author: Ade Lee +Date: Thu Jul 16 16:48:51 2015 -0400 + + Fix exception when talking to dogtag 9 systems + + When getting a token from the security domain for a Dogtag 9 + system, we first attempt to reach the REST interfaces. When this + fails (with 404 exception), we catch the exception and try the + old interfaces. + + The exception being thrown has been changed from the deprecated + ClientResponseFailure to being wrapped in a PKIException, so the + code catching the exception needs to be modified accordingly. + + Ticket 1495 + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 5566e91..c8ab38c 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -89,7 +89,6 @@ import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509Key; + + import org.apache.velocity.context.Context; +-import org.jboss.resteasy.client.ClientResponseFailure; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NicknameConflictException; + import org.mozilla.jss.CryptoManager.NotInitializedException; +@@ -152,6 +151,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.ISubsystem; ++import com.netscape.certsrv.base.PKIException; + import com.netscape.certsrv.base.ResourceNotFoundException; + import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.client.ClientConfig; +@@ -372,17 +372,14 @@ public class ConfigurationUtils { + InstallToken token = sdClient.getInstallToken(sdhost, csType); + accountClient.logout(); + return token.getToken(); +- +- } catch (ClientResponseFailure e) { +- +- if (e.getResponse().getResponseStatus() == Response.Status.NOT_FOUND) { ++ } catch (PKIException e) { ++ if (e.getCode() == Response.Status.NOT_FOUND.getStatusCode()) { + // try the old servlet + CMS.debug("Getting old cookie"); + String tokenString = getOldCookie(sdhost, sdport, user, passwd); + CMS.debug("Token: " + tokenString); + return tokenString; + } +- + throw e; + } + } diff --git a/SOURCES/pki-core-fixed-pkidbuser-group-memberships.patch b/SOURCES/pki-core-fixed-pkidbuser-group-memberships.patch new file mode 100644 index 0000000..6cd84bf --- /dev/null +++ b/SOURCES/pki-core-fixed-pkidbuser-group-memberships.patch @@ -0,0 +1,152 @@ +commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76 +Author: Matthew Harmsen +Date: Tue Sep 15 12:29:08 2015 -0600 + + Fixed pkidbuser group memberships. + + Due to a certificate mapping issue the subsystem certificate can + be mapped into either the subsystem user or pkidbuser, which may + cause problems since the users don't belong to the same groups. + As a temporary solution the pkidbuser is now added into the same + groups. This way the client subsystem can always access the + services regardless of which user the certificate is actually + mapped to. + + Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival + + https://fedorahosted.org/pki/ticket/1595 + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 708240b..d99929f 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -50,6 +50,7 @@ import java.security.cert.CertificateNotYetValidException; + import java.security.interfaces.RSAPublicKey; + import java.util.ArrayList; + import java.util.Arrays; ++import java.util.Collection; + import java.util.Enumeration; + import java.util.List; + import java.util.StringTokenizer; +@@ -62,32 +63,7 @@ import javax.ws.rs.core.MultivaluedMap; + import javax.ws.rs.core.Response; + import javax.xml.parsers.ParserConfigurationException; + +-import netscape.ldap.LDAPAttribute; +-import netscape.ldap.LDAPAttributeSet; +-import netscape.ldap.LDAPConnection; +-import netscape.ldap.LDAPDN; +-import netscape.ldap.LDAPEntry; +-import netscape.ldap.LDAPException; +-import netscape.ldap.LDAPModification; +-import netscape.ldap.LDAPSearchConstraints; +-import netscape.ldap.LDAPSearchResults; +-import netscape.ldap.LDAPv3; +-import netscape.security.pkcs.ContentInfo; +-import netscape.security.pkcs.PKCS10; +-import netscape.security.pkcs.PKCS7; +-import netscape.security.pkcs.SignerInfo; +-import netscape.security.util.DerOutputStream; +-import netscape.security.util.ObjectIdentifier; +-import netscape.security.x509.AlgorithmId; +-import netscape.security.x509.BasicConstraintsExtension; +-import netscape.security.x509.CertificateChain; +-import netscape.security.x509.Extension; +-import netscape.security.x509.Extensions; +-import netscape.security.x509.KeyUsageExtension; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509Key; +- ++import org.apache.commons.lang.StringUtils; + import org.apache.velocity.context.Context; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NicknameConflictException; +@@ -180,6 +156,32 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory; + import com.netscape.cmsutil.ldap.LDAPUtil; + import com.netscape.cmsutil.xml.XMLObject; + ++import netscape.ldap.LDAPAttribute; ++import netscape.ldap.LDAPAttributeSet; ++import netscape.ldap.LDAPConnection; ++import netscape.ldap.LDAPDN; ++import netscape.ldap.LDAPEntry; ++import netscape.ldap.LDAPException; ++import netscape.ldap.LDAPModification; ++import netscape.ldap.LDAPSearchConstraints; ++import netscape.ldap.LDAPSearchResults; ++import netscape.ldap.LDAPv3; ++import netscape.security.pkcs.ContentInfo; ++import netscape.security.pkcs.PKCS10; ++import netscape.security.pkcs.PKCS7; ++import netscape.security.pkcs.SignerInfo; ++import netscape.security.util.DerOutputStream; ++import netscape.security.util.ObjectIdentifier; ++import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.BasicConstraintsExtension; ++import netscape.security.x509.CertificateChain; ++import netscape.security.x509.Extension; ++import netscape.security.x509.Extensions; ++import netscape.security.x509.KeyUsageExtension; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509Key; ++ + /** + * Utility class for functions to be used both by the RESTful installer + * and the UI Panels. +@@ -3892,7 +3894,7 @@ public class ConfigurationUtils { + String groupName = "Trusted Managers"; + IGroup group = system.getGroupFromName(groupName); + if (!group.isMember(id)) { +- CMS.debug("setupClientAuthUser: adding user to the trusted managers group."); ++ CMS.debug("setupClientAuthUser: adding user to the " + groupName + " group."); + group.addMemberName(id); + system.modifyGroup(group); + } +@@ -4119,7 +4121,7 @@ public class ConfigurationUtils { + user.setX509Certificates(certs); + + system.addUser(user); +- CMS.debug("setupDBUser(): successfully added the user"); ++ CMS.debug("setupDBUser(): successfully added " + DBUSER); + + system.addUserCert(user); + CMS.debug("setupDBUser(): successfully add the user certificate"); +@@ -4130,6 +4132,36 @@ public class ConfigurationUtils { + // remove old db users + CMS.debug("setupDBUser(): removing seeAlso from old dbusers"); + removeOldDBUsers(certs[0].getSubjectDN().toString()); ++ ++ // workaround for ticket #1595 ++ IConfigStore cs = CMS.getConfigStore(); ++ String csType = cs.getString("cs.type").toUpperCase(); ++ ++ Collection groupNames = new ArrayList(); ++ ++ if ("CA".equals(csType)) { ++ groupNames.add("Subsystem Group"); ++ groupNames.add("Certificate Manager Agents"); ++ ++ } else if ("KRA".equals(csType)) { ++ groupNames.add("Data Recovery Manager Agents"); ++ groupNames.add("Trusted Managers"); ++ ++ } else if ("OCSP".equals(csType)) { ++ groupNames.add("Trusted Managers"); ++ ++ } else if ("TKS".equals(csType)) { ++ groupNames.add("Token Key Service Manager Agents"); ++ } ++ ++ for (String groupName : groupNames) { ++ IGroup group = system.getGroupFromName(groupName); ++ if (!group.isMember(DBUSER)) { ++ CMS.debug("setupDBUser(): adding " + DBUSER + " to the " + groupName + " group."); ++ group.addMemberName(DBUSER); ++ system.modifyGroup(group); ++ } ++ } + } + + public static void addProfilesToTPSUser(String adminID) throws EUsrGrpException, LDAPException { diff --git a/SOURCES/pki-core-handle-JSON-decode-error.patch b/SOURCES/pki-core-handle-JSON-decode-error.patch new file mode 100644 index 0000000..8d5d9c0 --- /dev/null +++ b/SOURCES/pki-core-handle-JSON-decode-error.patch @@ -0,0 +1,78 @@ +commit 9fa1d0c968977ef23e26556b0a8e8e76b32c7288 +Author: Christian Heimes +Date: Wed Jul 15 17:55:05 2015 +0200 + + Handle JSON decode error in handle_exceptions() + + pki.handle_exceptions() raises a JSON decode exception when the body of + the HTTPException is not a valid JSON string. The JSON exception hides + the true error message. + + The patch also fixes a bug in PKIException.from_json(). The code and + ClassName attribute are now correctly set. Finally we have our first + unit test. + + https://fedorahosted.org/pki/ticket/1488 + https://fedorahosted.org/freeipa/ticket/5129 + +diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py +index c383cdb..39a0db7 100644 +--- a/base/common/python/pki/__init__.py ++++ b/base/common/python/pki/__init__.py +@@ -24,6 +24,7 @@ This module contains top-level classes and functions used by the Dogtag project. + from functools import wraps + import os + import re ++import sys + import requests + + +@@ -205,10 +206,12 @@ class PKIException(Exception, ResourceMessage): + :type json_value: str + :return: pki.PKIException + """ +- ret = cls(json_value['Message'], json_value['Code'], +- json_value['ClassName']) ++ ret = cls( ++ message=json_value['Message'], ++ code=json_value['Code'], ++ class_name=json_value['ClassName'] ++ ) + for attr in json_value['Attributes']['Attribute']: +- print str(attr) + ret.add_attribute(attr["name"], attr["value"]) + return ret + +@@ -293,15 +296,25 @@ def handle_exceptions(): + """ Decorator to catch and re-throw PKIExceptions.""" + try: + return fn_call(inst, *args, **kwargs) +- except requests.exceptions.HTTPError as exc: +- clazz = exc.response.json()['ClassName'] +- if clazz in EXCEPTION_MAPPINGS: +- exception_class = EXCEPTION_MAPPINGS[clazz] +- pki_exception = exception_class.from_json( +- exc.response.json()) +- raise pki_exception ++ except requests.exceptions.HTTPError: ++ # store exception information. json may raise another ++ # exception. We want to re-raise the HTTPError. ++ exc_type, exc_val, exc_tb = sys.exc_info() ++ try: ++ json = exc_val.response.json() ++ except ValueError: ++ # json raises ValueError. simplejson raises ++ # JSONDecodeError, which is a subclass of ValueError. ++ # re-raise original exception ++ raise exc_type, exc_val, exc_tb + else: +- raise exc ++ # clear reference cycle ++ exc_type = exc_val = exc_tb = None ++ clazz = json.get('ClassName') ++ if clazz and clazz in EXCEPTION_MAPPINGS: ++ exception_class = EXCEPTION_MAPPINGS[clazz] ++ pki_exception = exception_class.from_json(json) ++ raise pki_exception + + return handler diff --git a/SOURCES/pki-core-rhel-7-2.patch b/SOURCES/pki-core-rhel-7-2.patch new file mode 100644 index 0000000..8bfeccd --- /dev/null +++ b/SOURCES/pki-core-rhel-7-2.patch @@ -0,0 +1,4468 @@ +From cc97f8628b23f8ea75308bb97a31307cb4f162b9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 23 Jun 2015 12:23:15 -0400 +Subject: [PATCH 01/21] Fixed selftests log message. + +The SelfTestSubsystem has been modified to display a 'successful' +message only if all tests have passed. If a test fails, it will +log a failure, subsequent tests will not be executed, and the +subsystem will shutdown immediately. + +The runSelfTest() in various tests have been cleaned up to throw +the original exception to help troubleshooting. The unused +RAPresence test has been removed. + +https://fedorahosted.org/pki/ticket/1249 +--- + .../com/netscape/certsrv/selftests/ISelfTest.java | 5 +- + .../certsrv/selftests/ISelfTestSubsystem.java | 5 +- + .../src/com/netscape/cms/selftests/ASelfTest.java | 5 +- + .../com/netscape/cms/selftests/ca/CAPresence.java | 97 +++----- + .../com/netscape/cms/selftests/ca/CAValidity.java | 102 ++++---- + .../selftests/common/SystemCertsVerification.java | 35 ++- + .../netscape/cms/selftests/kra/KRAPresence.java | 84 +++---- + .../netscape/cms/selftests/ocsp/OCSPPresence.java | 123 ++++------ + .../netscape/cms/selftests/ocsp/OCSPValidity.java | 127 ++++------ + .../com/netscape/cms/selftests/ra/RAPresence.java | 261 -------------------- + .../cms/selftests/tks/TKSKnownSessionKey.java | 56 +++-- + .../cms/servlet/admin/CMSAdminServlet.java | 6 +- + .../cmscore/selftests/SelfTestSubsystem.java | 271 ++++++++++----------- + .../server/tps/selftests/TPSPresence.java | 38 ++- + .../server/tps/selftests/TPSValidity.java | 43 ++-- + 15 files changed, 449 insertions(+), 809 deletions(-) + delete mode 100644 base/server/cms/src/com/netscape/cms/selftests/ra/RAPresence.java + +diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java +index 24ad623..0ffc74b 100644 +--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java ++++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTest.java +@@ -126,8 +126,7 @@ public interface ISelfTest { + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException; ++ public void runSelfTest(ILogEventListener logger) throws Exception; + } +diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java +index 214ee17..29adde0 100644 +--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java ++++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java +@@ -206,10 +206,9 @@ public interface ISelfTestSubsystem + *

+ * + * @exception EMissingSelfTestException subsystem has missing name +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTestsAtStartup() +- throws EMissingSelfTestException, ESelfTestException; ++ public void runSelfTestsAtStartup() throws Exception; + + // + // methods associated with the list of self test instances +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ASelfTest.java b/base/server/cms/src/com/netscape/cms/selftests/ASelfTest.java +index e77ece5..c77514f 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/ASelfTest.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/ASelfTest.java +@@ -186,8 +186,7 @@ public abstract class ASelfTest + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public abstract void runSelfTest(ILogEventListener logger) +- throws ESelfTestException; ++ public abstract void runSelfTest(ILogEventListener logger) throws Exception; + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ca/CAPresence.java b/base/server/cms/src/com/netscape/cms/selftests/ca/CAPresence.java +index 83caa00..ab491c7 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/ca/CAPresence.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/ca/CAPresence.java +@@ -191,72 +191,55 @@ public class CAPresence + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- ICertificateAuthority ca = null; +- X509CertImpl caCert = null; +- X509Key caPubKey = null; +- +- ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); ++ public void runSelfTest(ILogEventListener logger) throws Exception { + ++ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); + if (ca == null) { + // log that the CA is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the CA certificate +- caCert = ca.getCACert(); +- +- if (caCert == null) { +- // log that the CA is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_CA_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the CA certificate public key +- try { +- caPubKey = (X509Key) caCert.get(X509CertImpl.PUBLIC_KEY); +- +- if (caPubKey == null) { +- // log that something is seriously wrong with the CA +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_CORRUPT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_NOT_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- throw new ESelfTestException(logMessage); +- } +- } catch (CertificateParsingException e) { +- // log that something is seriously wrong with the CA +- mSelfTestSubsystem.log(logger, +- e.toString()); ++ // Retrieve the CA certificate ++ X509CertImpl caCert = ca.getCACert(); ++ if (caCert == null) { ++ // log that the CA is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- throw new ESelfTestException(e.toString()); +- } ++ // Retrieve the CA certificate public key ++ X509Key caPubKey; ++ try { ++ caPubKey = (X509Key) caCert.get(X509CertImpl.PUBLIC_KEY); + +- // log that the CA is present +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_PRESENT", +- getSelfTestName()); ++ } catch (CertificateParsingException e) { ++ // log that something is seriously wrong with the CA ++ mSelfTestSubsystem.log(logger, e.toString()); ++ throw e; ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ if (caPubKey == null) { ++ // log that something is seriously wrong with the CA ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_CORRUPT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); + } + +- return; ++ // log that the CA is present ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ca/CAValidity.java b/base/server/cms/src/com/netscape/cms/selftests/ca/CAValidity.java +index b1751ec..4d90be1 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/ca/CAValidity.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/ca/CAValidity.java +@@ -191,72 +191,56 @@ public class CAValidity + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- ICertificateAuthority ca = null; +- X509CertImpl caCert = null; +- +- ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); ++ public void runSelfTest(ILogEventListener logger) throws Exception { + ++ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(mCaSubId); + if (ca == null) { + // log that the CA is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the CA certificate +- caCert = ca.getCACert(); +- +- if (caCert == null) { +- // log that the CA is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_CA_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the CA validity period +- try { +- caCert.checkValidity(); +- } catch (CertificateNotYetValidException e) { +- // log that the CA is not yet valid +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_NOT_YET_VALID", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } catch (CertificateExpiredException e) { +- // log that the CA is expired +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_EXPIRED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_NOT_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- // log that the CA is valid +- logMessage = CMS.getLogMessage("SELFTESTS_CA_IS_VALID", +- getSelfTestName()); ++ // Retrieve the CA certificate ++ X509CertImpl caCert = ca.getCACert(); ++ if (caCert == null) { ++ // log that the CA is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ // Retrieve the CA validity period ++ try { ++ caCert.checkValidity(); ++ ++ } catch (CertificateNotYetValidException e) { ++ // log that the CA is not yet valid ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_NOT_YET_VALID", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw e; ++ ++ } catch (CertificateExpiredException e) { ++ // log that the CA is expired ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_EXPIRED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw e; + } + +- return; ++ // log that the CA is valid ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_CA_IS_VALID", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java +index f5b0939..5c1e97b 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java +@@ -185,29 +185,22 @@ public class SystemCertsVerification + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- boolean rc = false; +- +- rc = CMS.verifySystemCerts(); +- if (rc == true) { +- logMessage = CMS.getLogMessage("SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- } else { +- logMessage = CMS.getLogMessage("SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- throw new ESelfTestException(logMessage); ++ public void runSelfTest(ILogEventListener logger) throws Exception { ++ ++ boolean status = CMS.verifySystemCerts(); ++ if (!status) { ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); + } + +- return; ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/kra/KRAPresence.java b/base/server/cms/src/com/netscape/cms/selftests/kra/KRAPresence.java +index 832d2b7..ff0c3fb 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/kra/KRAPresence.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/kra/KRAPresence.java +@@ -188,64 +188,46 @@ public class KRAPresence + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- IKeyRecoveryAuthority kra = null; +- org.mozilla.jss.crypto.X509Certificate kraCert = null; +- PublicKey kraPubKey = null; +- +- kra = (IKeyRecoveryAuthority) CMS.getSubsystem(mSubId); ++ public void runSelfTest(ILogEventListener logger) throws Exception { + ++ IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem(mSubId); + if (kra == null) { + // log that the KRA is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the KRA certificate +- kraCert = kra.getTransportCert(); +- +- if (kraCert == null) { +- // log that the RA is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_KRA_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the KRA certificate public key +- kraPubKey = kraCert.getPublicKey(); +- +- if (kraPubKey == null) { +- // log that something is seriously wrong with the KRA +- logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_CORRUPT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_KRA_IS_NOT_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- // log that the KRA is present +- logMessage = CMS.getLogMessage("SELFTESTS_KRA_IS_PRESENT", +- getSelfTestName()); ++ // Retrieve the KRA certificate ++ org.mozilla.jss.crypto.X509Certificate kraCert = kra.getTransportCert(); ++ if (kraCert == null) { ++ // log that the RA is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_KRA_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ // Retrieve the KRA certificate public key ++ PublicKey kraPubKey = kraCert.getPublicKey(); ++ if (kraPubKey == null) { ++ // log that something is seriously wrong with the KRA ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_KRA_IS_CORRUPT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); + } + +- return; ++ // log that the KRA is present ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_KRA_IS_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java b/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java +index a3d9e3a..db9d237 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPPresence.java +@@ -192,89 +192,66 @@ public class OCSPPresence + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- IOCSPAuthority ocsp = null; +- ISigningUnit ocspSigningUnit = null; +- X509CertImpl ocspCert = null; +- X509Key ocspPubKey = null; +- +- ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); ++ public void runSelfTest(ILogEventListener logger) throws Exception { + ++ IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); + if (ocsp == null) { + // log that the OCSP is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the OCSP signing unit +- ocspSigningUnit = ocsp.getSigningUnit(); +- +- if (ocspSigningUnit == null) { +- // log that the OCSP is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_OCSP_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the OCSP certificate +- ocspCert = ocspSigningUnit.getCertImpl(); +- +- if (ocspCert == null) { +- // log that the OCSP is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_OCSP_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the OCSP certificate public key +- try { +- ocspPubKey = (X509Key) +- ocspCert.get(X509CertImpl.PUBLIC_KEY); +- +- if (ocspPubKey == null) { +- // log that something is seriously wrong with the OCSP +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_CORRUPT", +- getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ // Retrieve the OCSP signing unit ++ ISigningUnit ocspSigningUnit = ocsp.getSigningUnit(); ++ if (ocspSigningUnit == null) { ++ // log that the OCSP is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- throw new ESelfTestException(logMessage); +- } +- } catch (CertificateParsingException e) { +- // log that something is seriously wrong with the OCSP +- mSelfTestSubsystem.log(logger, +- e.toString()); ++ // Retrieve the OCSP certificate ++ X509CertImpl ocspCert = ocspSigningUnit.getCertImpl(); ++ if (ocspCert == null) { ++ // log that the OCSP is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- throw new ESelfTestException(e.toString()); +- } ++ // Retrieve the OCSP certificate public key ++ X509Key ocspPubKey; ++ try { ++ ocspPubKey = (X509Key)ocspCert.get(X509CertImpl.PUBLIC_KEY); + +- // log that the OCSP is present +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_PRESENT", +- getSelfTestName()); ++ } catch (CertificateParsingException e) { ++ // log that something is seriously wrong with the OCSP ++ mSelfTestSubsystem.log(logger, e.toString()); ++ throw e; ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ if (ocspPubKey == null) { ++ // log that something is seriously wrong with the OCSP ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_CORRUPT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); + } + +- return; ++ // log that the OCSP is present ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java b/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java +index 383779d..6aadf84 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/ocsp/OCSPValidity.java +@@ -192,89 +192,68 @@ public class OCSPValidity + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { ++ public void runSelfTest(ILogEventListener logger) throws Exception { + String logMessage = null; +- IOCSPAuthority ocsp = null; +- ISigningUnit ocspSigningUnit = null; +- X509CertImpl ocspCert = null; +- +- ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); + ++ IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(mOcspSubId); + if (ocsp == null) { + // log that the OCSP is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the OCSP signing unit +- ocspSigningUnit = ocsp.getSigningUnit(); +- +- if (ocspSigningUnit == null) { +- // log that the OCSP is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_OCSP_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the OCSP certificate +- ocspCert = ocspSigningUnit.getCertImpl(); +- +- if (ocspCert == null) { +- // log that the OCSP is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_OCSP_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the OCSP validity period +- try { +- ocspCert.checkValidity(); +- } catch (CertificateNotYetValidException e) { +- // log that the OCSP is not yet valid +- logMessage = CMS.getLogMessage( +- "SELFTESTS_OCSP_IS_NOT_YET_VALID", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } catch (CertificateExpiredException e) { +- // log that the OCSP is expired +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_EXPIRED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_PRESENT", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- throw new ESelfTestException(logMessage); +- } ++ // Retrieve the OCSP signing unit ++ ISigningUnit ocspSigningUnit = ocsp.getSigningUnit(); ++ if (ocspSigningUnit == null) { ++ // log that the OCSP is not yet initialized ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- // log that the OCSP is valid +- logMessage = CMS.getLogMessage("SELFTESTS_OCSP_IS_VALID", +- getSelfTestName()); ++ // Retrieve the OCSP certificate ++ X509CertImpl ocspCert = ocspSigningUnit.getCertImpl(); ++ if (ocspCert == null) { ++ // log that the OCSP is not yet initialized ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw new Exception(logMessage); ++ } + +- mSelfTestSubsystem.log(logger, +- logMessage); ++ // Retrieve the OCSP validity period ++ try { ++ ocspCert.checkValidity(); ++ ++ } catch (CertificateNotYetValidException e) { ++ // log that the OCSP is not yet valid ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_NOT_YET_VALID", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw e; ++ ++ } catch (CertificateExpiredException e) { ++ // log that the OCSP is expired ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_EXPIRED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw e; + } + +- return; ++ // log that the OCSP is valid ++ logMessage = CMS.getLogMessage( ++ "SELFTESTS_OCSP_IS_VALID", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/server/cms/src/com/netscape/cms/selftests/ra/RAPresence.java b/base/server/cms/src/com/netscape/cms/selftests/ra/RAPresence.java +deleted file mode 100644 +index 6facd80..0000000 +--- a/base/server/cms/src/com/netscape/cms/selftests/ra/RAPresence.java ++++ /dev/null +@@ -1,261 +0,0 @@ +-// --- BEGIN COPYRIGHT BLOCK --- +-// This program is free software; you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation; version 2 of the License. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License along +-// with this program; if not, write to the Free Software Foundation, Inc., +-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-// +-// (C) 2007 Red Hat, Inc. +-// All rights reserved. +-// --- END COPYRIGHT BLOCK --- +-// package statement // +-/////////////////////// +- +-package com.netscape.cms.selftests.ra; +- +-/////////////////////// +-// import statements // +-/////////////////////// +- +-import java.security.PublicKey; +-import java.util.Locale; +- +-import com.netscape.certsrv.apps.CMS; +-import com.netscape.certsrv.base.EBaseException; +-import com.netscape.certsrv.base.IConfigStore; +-import com.netscape.certsrv.logging.ILogEventListener; +-import com.netscape.certsrv.ra.IRegistrationAuthority; +-import com.netscape.certsrv.selftests.EDuplicateSelfTestException; +-import com.netscape.certsrv.selftests.EInvalidSelfTestException; +-import com.netscape.certsrv.selftests.EMissingSelfTestException; +-import com.netscape.certsrv.selftests.ESelfTestException; +-import com.netscape.certsrv.selftests.ISelfTestSubsystem; +-import com.netscape.cms.selftests.ASelfTest; +- +-////////////////////// +-// class definition // +-////////////////////// +- +-/** +- * This class implements a self test to check for RA presence. +- *

+- * +- * 

+- * NOTE:  This self-test is for Registration Authorities prior to
+- *        Netscape Certificate Management System 7.0.  It does NOT
+- *        apply to the Registration Authority found in
+- *        Red Hat Certificate System 7.3 or later (including
+- *        ALL versions of Dogtag Certificate System).
+- *
+- *

+- * +- * @deprecated +- * @author mharmsen +- * @author thomask +- * @version $Revision$, $Date$ +- */ +-public class RAPresence +- extends ASelfTest { +- //////////////////////// +- // default parameters // +- //////////////////////// +- +- /////////////////////////// +- // RAPresence parameters // +- /////////////////////////// +- +- // parameter information +- public static final String PROP_RA_SUB_ID = "RaSubId"; +- private String mRaSubId = null; +- +- ///////////////////// +- // default methods // +- ///////////////////// +- +- //////////////////////// +- // RAPresence methods // +- //////////////////////// +- +- /** +- * Initializes this subsystem with the configuration store +- * associated with this instance name. +- *

+- * +- * @param subsystem the associated subsystem +- * @param instanceName the name of this self test instance +- * @param parameters configuration store (self test parameters) +- * @exception EDuplicateSelfTestException subsystem has duplicate name/value +- * @exception EInvalidSelfTestException subsystem has invalid name/value +- * @exception EMissingSelfTestException subsystem has missing name/value +- */ +- public void initSelfTest(ISelfTestSubsystem subsystem, +- String instanceName, +- IConfigStore parameters) +- throws EDuplicateSelfTestException, +- EInvalidSelfTestException, +- EMissingSelfTestException { +- super.initSelfTest(subsystem, instanceName, parameters); +- +- // retrieve mandatory parameter(s) +- try { +- mRaSubId = mConfig.getString(PROP_RA_SUB_ID); +- if (mRaSubId != null) { +- mRaSubId = mRaSubId.trim(); +- } else { +- mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), +- CMS.getLogMessage( +- "SELFTESTS_MISSING_VALUES", +- getSelfTestName(), +- mPrefix +- + "." +- + PROP_RA_SUB_ID)); +- +- throw new EMissingSelfTestException(PROP_RA_SUB_ID); +- } +- } catch (EBaseException e) { +- mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), +- CMS.getLogMessage( +- "SELFTESTS_MISSING_NAME", +- getSelfTestName(), +- mPrefix +- + "." +- + PROP_RA_SUB_ID)); +- +- throw new EMissingSelfTestException(mPrefix, +- PROP_RA_SUB_ID, +- null); +- } +- +- // retrieve optional parameter(s) +- +- return; +- } +- +- /** +- * Notifies this subsystem if it is in execution mode. +- *

+- * +- * @exception ESelfTestException failed to start +- */ +- public void startupSelfTest() +- throws ESelfTestException { +- return; +- } +- +- /** +- * Stops this subsystem. The subsystem may call shutdownSelfTest +- * anytime after initialization. +- *

+- */ +- public void shutdownSelfTest() { +- return; +- } +- +- /** +- * Returns the name associated with this self test. This method may +- * return null if the self test has not been intialized. +- *

+- * +- * @return instanceName of this self test +- */ +- public String getSelfTestName() { +- return super.getSelfTestName(); +- } +- +- /** +- * Returns the root configuration storage (self test parameters) +- * associated with this subsystem. +- *

+- * +- * @return configuration store (self test parameters) of this subsystem +- */ +- public IConfigStore getSelfTestConfigStore() { +- return super.getSelfTestConfigStore(); +- } +- +- /** +- * Retrieves description associated with an individual self test. +- * This method may return null. +- *

+- * +- * @param locale locale of the client that requests the description +- * @return description of self test +- */ +- public String getSelfTestDescription(Locale locale) { +- return CMS.getUserMessage(locale, +- "CMS_SELFTESTS_RA_PRESENCE_DESCRIPTION"); +- } +- +- /** +- * Execute an individual self test. +- *

+- * +- * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception +- */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- IRegistrationAuthority ra = null; +- org.mozilla.jss.crypto.X509Certificate raCert = null; +- PublicKey raPubKey = null; +- +- ra = (IRegistrationAuthority) CMS.getSubsystem(mRaSubId); +- +- if (ra == null) { +- // log that the RA is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_NOT_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } else { +- // Retrieve the RA certificate +- raCert = ra.getRACert(); +- +- if (raCert == null) { +- // log that the RA is not yet initialized +- logMessage = CMS.getLogMessage( +- "SELFTESTS_RA_IS_NOT_INITIALIZED", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // Retrieve the RA certificate public key +- raPubKey = raCert.getPublicKey(); +- +- if (raPubKey == null) { +- // log that something is seriously wrong with the RA +- logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_CORRUPT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- +- throw new ESelfTestException(logMessage); +- } +- +- // log that the RA is present +- logMessage = CMS.getLogMessage("SELFTESTS_RA_IS_PRESENT", +- getSelfTestName()); +- +- mSelfTestSubsystem.log(logger, +- logMessage); +- } +- +- return; +- } +-} +diff --git a/base/server/cms/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java b/base/server/cms/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java +index d5e7c11..1686ba5 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java +@@ -104,7 +104,7 @@ public class TKSKnownSessionKey + mMacKey = getConfigByteArray("macKey", 16); + mUseSoftToken = getConfigString("useSoftToken"); + +- // AC: KDF SPEC CHANGE ++ // AC: KDF SPEC CHANGE + // read CUID for the KDD field + mKDD = getConfigByteArray("CUID", 10); + // +@@ -143,7 +143,7 @@ public class TKSKnownSessionKey + getSelfTestName(), mPrefix + ".nistSP800-108KdfUseCuidAsKdd")); + throw new EMissingSelfTestException("nistSP800-108KdfUseCuidAsKdd"); + } +- ++ + String defKeySetMacKey = null; + tks = CMS.getSubsystem(mTksSubId); + if (tks != null) { +@@ -175,7 +175,7 @@ public class TKSKnownSessionKey + if (mSessionKey == null) { + mSessionKey = SessionKey.ComputeSessionKey(mToken, mKeyName, + mCardChallenge, mHostChallenge, +- mKeyInfo, ++ mKeyInfo, + mNistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration self-test value + mNistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration self-test value + mCUID, +@@ -320,13 +320,12 @@ public class TKSKnownSessionKey + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- IConfigStore cs = CMS.getConfigStore(); +- String sharedSecretName; ++ public void runSelfTest(ILogEventListener logger) throws Exception { ++ + try { ++ IConfigStore cs = CMS.getConfigStore(); + boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false); + if (useNewNames) { + String tpsList = cs.getString("tps.list", ""); +@@ -336,29 +335,39 @@ public class TKSKnownSessionKey + } + + for (String tpsID : tpsList.split(",")) { +- sharedSecretName = cs.getString("tps." + tpsID + ".nickname", ""); ++ String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", ""); + if (!sharedSecretName.isEmpty()) { + CMS.debug("TKSKnownSessionKey: testing with key " + sharedSecretName); +- generateSessionKey(logger, sharedSecretName); ++ generateSessionKey(sharedSecretName); + } + } ++ + } else { + // legacy systems +- sharedSecretName = cs.getString("tks.tksSharedSymKeyName", "sharedSecret"); +- generateSessionKey(logger, sharedSecretName); ++ String sharedSecretName = cs.getString("tks.tksSharedSymKeyName", "sharedSecret"); ++ generateSessionKey(sharedSecretName); + } +- } catch (EBaseException e) { +- e.printStackTrace(); +- CMS.debug("TKSKnownSessionKey: failed to read config file to set up test"); +- String logMessage = CMS.getLogMessage("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName()); ++ ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TKS_SUCCEEDED", ++ getSelfTestName(), ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ CMS.debug("TKSKnownSessionKey self test SUCCEEDED"); ++ ++ } catch (Exception e) { ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TKS_FAILED", ++ getSelfTestName(), ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw e; + } ++ + return; + } + +- private void generateSessionKey(ILogEventListener logger, String sharedSecretName) throws ESelfTestException { +- String logMessage; ++ private void generateSessionKey(String sharedSecretName) throws Exception { + String keySet = "defKeySet"; + + byte[] sessionKey = SessionKey.ComputeSessionKey( +@@ -374,14 +383,7 @@ public class TKSKnownSessionKey + // For FIPS compliance, the routine now returns a wrapped key, which can't be extracted and compared. + if (sessionKey == null) { + CMS.debug("TKSKnownSessionKey: generated no session key"); +- CMS.debug("TKSKnownSessionKey self test FAILED"); +- logMessage = CMS.getLogMessage("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName()); +- mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); +- } else { +- logMessage = CMS.getLogMessage("SELFTESTS_TKS_SUCCEEDED", getSelfTestName(), getSelfTestName()); +- mSelfTestSubsystem.log(logger, logMessage); +- CMS.debug("TKSKnownSessionKey self test SUCCEEDED"); ++ throw new Exception("No session key generated"); + } + } + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index b8cf27c..b6325b7 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -3248,7 +3248,11 @@ public final class CMSAdminServlet extends AdminServlet { + + // store this information for console notification + content += "COMPLETED SUCCESSFULLY\n"; +- } catch (ESelfTestException e) { ++ ++ } catch (Exception e) { ++ ++ CMS.debug(e); ++ + // Check to see if the self test was critical: + if (mSelfTestSubsystem.isSelfTestCriticalOnDemand( + instanceName)) { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index ad1a1b0..d060f81 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -530,7 +530,11 @@ public class SelfTestSubsystem + } + + test.runSelfTest(mLogger); +- } catch (ESelfTestException e) { ++ ++ } catch (Exception e) { ++ ++ CMS.debug(e); ++ + // Check to see if the self test was critical: + if (isSelfTestCriticalOnDemand(instanceName)) { + log(mLogger, +@@ -810,146 +814,76 @@ public class SelfTestSubsystem + * + * + * @exception EMissingSelfTestException subsystem has missing name +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTestsAtStartup() +- throws EMissingSelfTestException, ESelfTestException { +- String auditMessage = null; ++ public void runSelfTestsAtStartup() throws Exception { + +- // ensure that any low-level exceptions are reported +- // to the signed audit log and stored as failures +- try { +- if (CMS.debugOn()) { +- CMS.debug("SelfTestSubsystem::runSelfTestsAtStartup():" +- + " ENTERING . . ."); +- } ++ // log that execution of startup self tests has begun ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_RUN_AT_STARTUP")); + +- // loop through all self test plugin instances +- // specified to be executed at server startup +- Enumeration instances = mStartupOrder.elements(); ++ // loop through all self test plugin instances ++ // specified to be executed at server startup ++ Enumeration instances = mStartupOrder.elements(); + +- while (instances.hasMoreElements()) { +- SelfTestOrderedInstance instance = instances.nextElement(); ++ while (instances.hasMoreElements()) { ++ SelfTestOrderedInstance instance = instances.nextElement(); + +- String instanceFullName = null; +- String instanceName = instance.getSelfTestName(); ++ String instanceFullName = null; ++ String instanceName = instance.getSelfTestName(); + +- if (instanceName != null) { +- instanceName = instanceName.trim(); +- instanceFullName = getFullName(mPrefix, +- instanceName); +- } else { +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_PROPERTY_NAME_IS_NULL")); ++ if (instanceName == null) { ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_PROPERTY_NAME_IS_NULL")); + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, +- ILogger.SYSTEM_UID, +- ILogger.FAILURE); ++ throw new EMissingSelfTestException(); ++ } + +- audit(auditMessage); ++ instanceName = instanceName.trim(); ++ instanceFullName = getFullName(mPrefix, instanceName); + +- throw new EMissingSelfTestException(); +- } ++ if (!mSelfTestInstances.containsKey(instanceName)) { ++ // self test plugin instance property name is not present ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME", ++ instanceFullName)); + +- if (mSelfTestInstances.containsKey(instanceName)) { +- ISelfTest test = mSelfTestInstances.get(instanceName); +- +- try { +- if (CMS.debugOn()) { +- CMS.debug("SelfTestSubsystem::runSelfTestsAtStartup():" +- + " running \"" +- + test.getSelfTestName() +- + "\""); +- } +- +- test.runSelfTest(mLogger); +- } catch (ESelfTestException e) { +- // Check to see if the self test was critical: +- if (isSelfTestCriticalAtStartup(instanceName)) { +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_RUN_AT_STARTUP_FAILED", +- instanceFullName)); +- +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, +- ILogger.SYSTEM_UID, +- ILogger.FAILURE); +- +- audit(auditMessage); +- +- // shutdown the system gracefully +- CMS.shutdown(); +- +- IConfigStore cs = CMS.getConfigStore(); +- String instanceID = cs.get("instanceId"); +- String subsystemID = cs.get("cs.type").toLowerCase(); +- +- System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); +- +- try { +- ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); +- Process process = pb.inheritIO().start(); +- int rc = process.waitFor(); +- +- if (rc != 0) { +- System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". RC: " + rc); +- } +- +- } catch (Exception e2) { +- e.printStackTrace(); +- } +- +- return; +- } +- } +- } else { +- // self test plugin instance property name is not present +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME", +- instanceFullName)); ++ throw new EMissingSelfTestException(instanceFullName); ++ } + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, +- ILogger.SYSTEM_UID, +- ILogger.FAILURE); ++ ISelfTest test = mSelfTestInstances.get(instanceName); + +- audit(auditMessage); ++ try { ++ CMS.debug("SelfTestSubsystem: running " + test.getSelfTestName()); ++ test.runSelfTest(mLogger); + +- throw new EMissingSelfTestException(instanceFullName); +- } +- } ++ } catch (Exception e) { + +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, +- ILogger.SYSTEM_UID, +- ILogger.SUCCESS); ++ CMS.debug(e); + +- audit(auditMessage); ++ // Check to see if the self test was critical: ++ if (!isSelfTestCriticalAtStartup(instanceName)) { ++ continue; ++ } ++ ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_RUN_AT_STARTUP_FAILED", ++ instanceFullName)); + +- if (CMS.debugOn()) { +- CMS.debug("SelfTestSubsystem::runSelfTestsAtStartup():" +- + " EXITING."); ++ throw e; + } +- } catch (EMissingSelfTestException eAudit1) { +- // store a message in the signed audit log file +- auditMessage = CMS.getLogMessage( +- LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, +- ILogger.SYSTEM_UID, +- ILogger.FAILURE); ++ } + +- audit(auditMessage); ++ // log that execution of all "critical" startup self tests ++ // has completed "successfully" ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_RUN_AT_STARTUP_SUCCEEDED")); + +- // rethrow the specific exception to be handled later +- throw eAudit1; +- } + } + + public void log(int level, String msg) { +@@ -1831,39 +1765,88 @@ public class SelfTestSubsystem + * + * @exception EBaseException base CMS exception + */ +- public void startup() +- throws EBaseException { ++ public void startup() throws EBaseException { ++ + // loop through all self test plugin instances + Enumeration instances = mSelfTestInstances.elements(); + + while (instances.hasMoreElements()) { + ISelfTest instance = instances.nextElement(); +- + instance.startupSelfTest(); + } + +- if (!CMS.isPreOpMode()) { +- // run all self test plugin instances (designated at startup) +- Enumeration selftests = mStartupOrder.elements(); ++ if (CMS.isPreOpMode()) { ++ // do not run selftests in pre-op mode ++ return; ++ } + +- if (selftests.hasMoreElements()) { +- // log that execution of startup self tests has begun +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_RUN_AT_STARTUP")); ++ // run all self test plugin instances (designated at startup) ++ Enumeration selftests = mStartupOrder.elements(); + +- // execute all startup self tests +- runSelfTestsAtStartup(); ++ if (!selftests.hasMoreElements()) { ++ log(mLogger, ++ CMS.getLogMessage( ++ "CMSCORE_SELFTESTS_NOT_RUN_AT_STARTUP")); ++ return; ++ } + +- // log that execution of all "critical" startup self tests +- // has completed "successfully" +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_RUN_AT_STARTUP_SUCCEEDED")); +- } else { +- log(mLogger, +- CMS.getLogMessage( +- "CMSCORE_SELFTESTS_NOT_RUN_AT_STARTUP")); ++ // ensure that any low-level exceptions are reported ++ // to the signed audit log and stored as failures ++ try { ++ // execute all startup self tests ++ runSelfTestsAtStartup(); ++ ++ // store a message in the signed audit log file ++ String auditMessage = CMS.getLogMessage( ++ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ ILogger.SYSTEM_UID, ++ ILogger.SUCCESS); ++ ++ audit(auditMessage); ++ ++ } catch (EMissingSelfTestException e) { ++ ++ // store a message in the signed audit log file ++ String auditMessage = CMS.getLogMessage( ++ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ ILogger.SYSTEM_UID, ++ ILogger.FAILURE); ++ ++ audit(auditMessage); ++ ++ // rethrow the specific exception to be handled later ++ throw e; ++ ++ } catch (Exception e) { ++ ++ // store a message in the signed audit log file ++ String auditMessage = CMS.getLogMessage( ++ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, ++ ILogger.SYSTEM_UID, ++ ILogger.FAILURE); ++ ++ audit(auditMessage); ++ ++ // shutdown the system gracefully ++ CMS.shutdown(); ++ ++ IConfigStore cs = CMS.getConfigStore(); ++ String instanceID = cs.get("instanceId"); ++ String subsystemID = cs.get("cs.type").toLowerCase(); ++ ++ System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); ++ ++ try { ++ ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); ++ Process process = pb.inheritIO().start(); ++ int rc = process.waitFor(); ++ ++ if (rc != 0) { ++ System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". RC: " + rc); ++ } ++ ++ } catch (Exception e2) { ++ e.printStackTrace(); + } + } + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/selftests/TPSPresence.java b/base/tps/src/org/dogtagpki/server/tps/selftests/TPSPresence.java +index 65ac197..665f068 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/selftests/TPSPresence.java ++++ b/base/tps/src/org/dogtagpki/server/tps/selftests/TPSPresence.java +@@ -140,48 +140,60 @@ public class TPSPresence extends ASelfTest { + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; ++ public void runSelfTest(ILogEventListener logger) throws Exception { ++ + TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(tpsSubId); + if (tps == null) { + // log that the TPS is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_NOT_PRESENT", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_PRESENT", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw new Exception(logMessage); + } + + // Retrieve the TPS certificate +- org.mozilla.jss.crypto.X509Certificate tpsCert = null; ++ org.mozilla.jss.crypto.X509Certificate tpsCert; + try { + tpsCert = tps.getSubsystemCert(); ++ + } catch (Exception e) { +- e.printStackTrace(); + // cert does not exist or is not yet configured + // tpsCert will remain null ++ // log that the TPS is not yet initialized ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_INITIALIZED", ++ getSelfTestName()); ++ mSelfTestSubsystem.log(logger, logMessage); ++ throw e; + } + + if (tpsCert == null) { + // log that the TPS is not yet initialized +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_NOT_INITIALIZED", ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_INITIALIZED", + getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw new Exception(logMessage); + } + + // Retrieve the TPS certificate public key + PublicKey tpsPubKey = tpsCert.getPublicKey(); + if (tpsPubKey == null) { + // log that something is seriously wrong with the TPS +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_CORRUPT", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_CORRUPT", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw new Exception(logMessage); + } + + // log that the TPS is present +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_PRESENT", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_PRESENT", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); + } + } +diff --git a/base/tps/src/org/dogtagpki/server/tps/selftests/TPSValidity.java b/base/tps/src/org/dogtagpki/server/tps/selftests/TPSValidity.java +index f140d6e..28ac38d 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/selftests/TPSValidity.java ++++ b/base/tps/src/org/dogtagpki/server/tps/selftests/TPSValidity.java +@@ -144,54 +144,59 @@ public class TPSValidity extends ASelfTest { + *

+ * + * @param logger specifies logging subsystem +- * @exception ESelfTestException self test exception ++ * @exception Exception self test exception + */ +- public void runSelfTest(ILogEventListener logger) +- throws ESelfTestException { +- String logMessage = null; +- TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(tpsSubId); ++ public void runSelfTest(ILogEventListener logger) throws Exception { + ++ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(tpsSubId); + if (tps == null) { + // log that the TPS is not installed +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_NOT_PRESENT", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_PRESENT", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw new Exception(logMessage); + } + + // Retrieve the TPS subsystem certificate +- X509CertImpl tpsCert = null; ++ X509CertImpl tpsCert; + try { + tpsCert = new X509CertImpl(tps.getSubsystemCert().getEncoded()); + } catch (Exception e) { + // certificate is not present or has not been configured +- // tpsCert will remain null +- } +- +- if (tpsCert == null) { + // log that the TPS is not yet initialized +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_NOT_INITIALIZED", ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_INITIALIZED", + getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw e; + } + + // Check the TPS validity period + try { + tpsCert.checkValidity(); ++ + } catch (CertificateNotYetValidException e) { + // log that the TPS is not yet valid +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_NOT_YET_VALID", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_NOT_YET_VALID", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw e; ++ + } catch (CertificateExpiredException e) { + // log that the TPS is expired +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_EXPIRED", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_EXPIRED", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); +- throw new ESelfTestException(logMessage); ++ throw e; + } + + // log that the TPS is valid +- logMessage = CMS.getLogMessage("SELFTESTS_TPS_IS_VALID", getSelfTestName()); ++ String logMessage = CMS.getLogMessage( ++ "SELFTESTS_TPS_IS_VALID", ++ getSelfTestName()); + mSelfTestSubsystem.log(logger, logMessage); + } + } +-- +1.8.3.1 + + +From 9b62371172bbf0868e84e7f1d8d9ab48e5a0afff Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 24 Jun 2015 16:19:55 -0400 +Subject: [PATCH 03/21] Fixed Modutil.is_security_module_registered(). + +Due to issues with HSM the Modutil.is_security_module_registered() +has been modified to the get the list of all registered modules +and then use it to check if a module is registered. + +https://fedorahosted.org/pki/ticket/1444 +--- + .../python/pki/server/deployment/pkihelper.py | 90 +++++++++++----------- + 1 file changed, 45 insertions(+), 45 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 42ca0d9..5bc4ffa 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -2688,56 +2688,56 @@ class Modutil: + def __init__(self, deployer): + self.mdict = deployer.mdict + +- def is_security_module_registered(self, path, modulename, +- prefix=None, critical_failure=True): +- status = False +- try: +- # Compose this "modutil" command +- command = ["modutil"] +- # Provide a path to the NSS security databases +- if path: +- command.extend(["-dbdir", path]) +- else: +- config.pki_log.error( +- log.PKIHELPER_MODUTIL_MISSING_PATH, +- extra=config.PKI_INDENTATION_LEVEL_2) +- raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH) +- # Add optional security database prefix +- if prefix is not None: +- command.extend(["--dbprefix", prefix]) +- # Append '-nocertdb' switch +- command.extend(["-nocertdb"]) +- # Specify a 'modulename' +- if modulename: +- command.extend(["-list", modulename]) +- else: +- config.pki_log.error( +- log.PKIHELPER_MODUTIL_MISSING_MODULENAME, +- extra=config.PKI_INDENTATION_LEVEL_2) +- raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME) +- # Display this "modutil" command +- config.pki_log.info( +- log.PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1, +- ' '.join(command), ++ def is_security_module_registered(self, path, modulename, prefix=None): ++ ++ if not path: ++ config.pki_log.error( ++ log.PKIHELPER_MODUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) +- # Execute this "modutil" command +- subprocess.check_call(command) +- # 'modulename' is already registered +- status = True +- config.pki_log.info( +- log.PKIHELPER_REGISTERED_SECURITY_MODULE_1, modulename, ++ raise Exception(log.PKIHELPER_MODUTIL_MISSING_PATH) ++ ++ if not modulename: ++ config.pki_log.error( ++ log.PKIHELPER_MODUTIL_MISSING_MODULENAME, + extra=config.PKI_INDENTATION_LEVEL_2) +- except subprocess.CalledProcessError as exc: +- # 'modulename' is not registered ++ raise Exception(log.PKIHELPER_MODUTIL_MISSING_MODULENAME) ++ ++ command = [ ++ 'modutil', ++ '-list', ++ '-dbdir', path, ++ '-nocertdb'] ++ ++ if prefix: ++ command.extend(['--dbprefix', prefix]) ++ ++ config.pki_log.info( ++ log.PKIHELPER_REGISTERED_SECURITY_MODULE_CHECK_1, ++ ' '.join(command), ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ ++ # execute command ++ p = subprocess.Popen(command, stdout=subprocess.PIPE) ++ output = p.communicate()[0] ++ ++ p.wait() ++ # ignore return code due to issues with HSM ++ # https://fedorahosted.org/pki/ticket/1444 ++ ++ # find modules from lines such as '1. NSS Internal PKCS #11 Module' ++ modules = re.findall(r'^ +\d+\. +(.*)$', output, re.MULTILINE) ++ ++ if modulename not in modules: + config.pki_log.info( + log.PKIHELPER_UNREGISTERED_SECURITY_MODULE_1, modulename, + extra=config.PKI_INDENTATION_LEVEL_2) +- except OSError as exc: +- config.pki_log.error(log.PKI_OSERROR_1, exc, +- extra=config.PKI_INDENTATION_LEVEL_2) +- if critical_failure: +- raise +- return status ++ return False ++ ++ config.pki_log.info( ++ log.PKIHELPER_REGISTERED_SECURITY_MODULE_1, modulename, ++ extra=config.PKI_INDENTATION_LEVEL_2) ++ return True ++ + + def register_security_module(self, path, modulename, libfile, + prefix=None, critical_failure=True): +-- +1.8.3.1 + + +From c9180f086971dcf6f183ed5f627510f2183cc61e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 29 Jun 2015 15:09:07 -0400 +Subject: [PATCH 04/21] Updated pki-cert man page. + +The man page for pki-cert has been modified to describe the file +format used to specify the search constraints. + +https://fedorahosted.org/pki/ticket/995 +--- + base/java-tools/man/man1/pki-cert.1 | 67 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 67 insertions(+) + +diff --git a/base/java-tools/man/man1/pki-cert.1 b/base/java-tools/man/man1/pki-cert.1 +index ad2f566..ffa1fea 100644 +--- a/base/java-tools/man/man1/pki-cert.1 ++++ b/base/java-tools/man/man1/pki-cert.1 +@@ -105,6 +105,73 @@ It is also possible to search for and list specific certificates by adding a sea + + .B pki ca-cert-find --issuedOnFrom 2012-06-15 + ++To list certificates with search constraints defined in a file: ++ ++.B pki ca-cert-find --input ++ ++where the file is in the following format: ++ ++.IP ++.nf ++ ++ ++ ++ true ++ ++ ++ ++ false ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ false ++ ++ ++ ++ false ++ ++ ++ false ++ ++ ++ false ++ ++ ++ false ++ ++ ++ false ++ ++ ++ ++ false ++ ++ ++ ++ false ++ ++ ++ ++ false ++ ++ ++ ++ ++ false ++ ++ ++ ++ ++ ++.fi ++ ++.PP + To view a particular certificate: + + .B pki ca-cert-show +-- +1.8.3.1 + + +From b9e461ca8a099b4535aa916886697c6eff01e431 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 29 Jun 2015 16:04:16 -0400 +Subject: [PATCH 05/21] Updated pki man page. + +The pki man page has been updated to describe results paging +parameters. + +https://fedorahosted.org/pki/ticket/1122 +--- + base/java-tools/man/man1/pki.1 | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/base/java-tools/man/man1/pki.1 b/base/java-tools/man/man1/pki.1 +index 9e174e1..41ee3d3 100644 +--- a/base/java-tools/man/man1/pki.1 ++++ b/base/java-tools/man/man1/pki.1 +@@ -220,6 +220,31 @@ Client-side password files generally store a password in an equals-sign-delimite + .B foobar + where: token="internal" (default), password="foobar" + ++.SS Results Paging ++ ++Some commands (e.g. cert-find) may return multiple results. Since the number ++of results may be large, the results are split into multiple pages. By default ++the command will return only the first page (e.g. the first 20 results). To ++retrieve results from another page, additional paging parameters can be ++specified: ++ ++.nf ++* start: index of the first result to return (default: 0) ++* size: number of results to return (default: 20) ++.fi ++ ++For example, to retrieve the first page (index #0-#19): ++ ++.B pki cert-find --start 0 --size 20 ++ ++To retrieve the second page (index #20-#39): ++ ++.B pki cert-find --start 20 --size 20 ++ ++To retrieve the third page (index #40-#59): ++ ++.B pki cert-find --start 40 --size 20 ++ + .SH FILES + .I /usr/bin/pki + +-- +1.8.3.1 + + +From f0637352f12faed2727ee6dcd4661835bf9e2c40 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 29 Jun 2015 10:00:08 -0400 +Subject: [PATCH 06/21] Cleaned up SystemConfigService.validateRequest(). + +The configure() in SystemConfigService method has been modified to +log only the error message in normal responses but log the full +stack trace when unexpected issues occur. + +The validateData() in SystemConfigService has been renamed to +validateRequest() for clarity. The log messages have been modified +to include the invalid values entered in the request. +--- + .../cms/servlet/test/ConfigurationTest.java | 2 +- + .../certsrv/system/SystemConfigClient.java | 2 +- + .../certsrv/system/SystemConfigResource.java | 2 +- + .../dogtagpki/server/rest/SystemConfigService.java | 69 ++++++++++++---------- + 4 files changed, 41 insertions(+), 34 deletions(-) + +diff --git a/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java b/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java +index bf4dc89..69994fa 100644 +--- a/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java ++++ b/base/common/functional/src/com/netscape/cms/servlet/test/ConfigurationTest.java +@@ -76,7 +76,7 @@ public class ConfigurationTest { + System.exit(1); + } + +- public static void main(String args[]) throws NoSuchAlgorithmException, TokenException, IOException, InvalidBERException { ++ public static void main(String args[]) throws Exception { + String host = null; + String port = null; + String cstype = null; +diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java +index 242f005..8208915 100644 +--- a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java ++++ b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java +@@ -40,7 +40,7 @@ public class SystemConfigClient extends Client { + configClient = createProxy(SystemConfigResource.class); + } + +- public ConfigurationResponse configure(ConfigurationRequest data) { ++ public ConfigurationResponse configure(ConfigurationRequest data) throws Exception { + return configClient.configure(data); + } + } +diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +index 0cebb60..9c570eb 100644 +--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java ++++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +@@ -29,5 +29,5 @@ public interface SystemConfigResource { + + @POST + @Path("configure") +- public ConfigurationResponse configure(ConfigurationRequest data); ++ public ConfigurationResponse configure(ConfigurationRequest data) throws Exception; + } +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 2de087b..75e3065 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -111,28 +111,38 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData) + */ + @Override +- public ConfigurationResponse configure(ConfigurationRequest request) { ++ public ConfigurationResponse configure(ConfigurationRequest request) throws Exception { ++ ++ CMS.debug("SystemConfigService: configure()"); ++ + try { + ConfigurationResponse response = new ConfigurationResponse(); + configure(request, response); + return response; + +- } catch (Throwable t) { +- CMS.debug(t); +- throw t; ++ } catch (PKIException e) { // normal responses ++ CMS.debug(e.getMessage()); // log the response ++ throw e; ++ ++ } catch (Exception e) { // unexpected exceptions ++ CMS.debug(e); // show stack trace for troubleshooting ++ throw e; ++ ++ } catch (Error e) { // system errors ++ CMS.debug(e); // show stack trace for troubleshooting ++ throw e; + } + } + +- public void configure(ConfigurationRequest data, ConfigurationResponse response) { ++ public void configure(ConfigurationRequest data, ConfigurationResponse response) throws Exception { ++ + + if (csState.equals("1")) { + throw new BadRequestException("System is already configured"); + } + +- CMS.debug("SystemConfigService(): configure() called"); +- CMS.debug(data.toString()); +- +- validateData(data); ++ CMS.debug("SystemConfigService: request: " + data); ++ validateRequest(data); + + Collection certList = getCertList(data); + +@@ -1020,22 +1030,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + } + +- private void validateData(ConfigurationRequest data) { +- // get required info from CS.cfg +- String preopPin; +- try { +- preopPin = cs.getString("preop.pin"); +- } catch (Exception e) { +- CMS.debug("validateData: Failed to get required config form CS.cfg"); +- e.printStackTrace(); +- throw new PKIException("Unable to retrieve required configuration from configuration files"); +- } ++ private void validateRequest(ConfigurationRequest data) throws Exception { + +- // get the preop pin and validate it ++ // validate installation pin + String pin = data.getPin(); + if (pin == null) { + throw new BadRequestException("No preop pin provided"); + } ++ ++ String preopPin = cs.getString("preop.pin"); + if (!preopPin.equals(pin)) { + throw new BadRequestException("Incorrect pin provided"); + } +@@ -1067,6 +1070,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + if (data.getSecurityDomainName() == null) { + throw new BadRequestException("Security Domain Name is not provided"); + } ++ + } else if (domainType.equals(ConfigurationRequest.EXISTING_DOMAIN) || + domainType.equals(ConfigurationRequest.NEW_SUBDOMAIN)) { + if (data.getStandAlone()) { +@@ -1079,11 +1083,11 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + + try { +- @SuppressWarnings("unused") +- URL admin_u = new URL(domainURI); // check for invalid URL ++ new URL(domainURI); + } catch (MalformedURLException e) { +- throw new BadRequestException("Invalid security domain URI"); ++ throw new BadRequestException("Invalid security domain URI: " + domainURI, e); + } ++ + if ((data.getSecurityDomainUser() == null) || (data.getSecurityDomainPassword() == null)) { + throw new BadRequestException("Security domain user or password not provided"); + } +@@ -1109,11 +1113,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + throw new BadRequestException("Clone selected, but no clone URI provided"); + } + try { +- @SuppressWarnings("unused") +- URL url = new URL(cloneUri); // check for invalid URL ++ URL url = new URL(cloneUri); + // confirm protocol is https ++ if (!"https".equals(url.getProtocol())) { ++ throw new BadRequestException("Clone URI must use HTTPS protocol: " + cloneUri); ++ } + } catch (MalformedURLException e) { +- throw new BadRequestException("Invalid clone URI"); ++ throw new BadRequestException("Invalid clone URI: " + cloneUri, e); + } + + if (data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) { +@@ -1133,6 +1139,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys"); + } + } ++ + } else { + data.setClone("false"); + } +@@ -1145,7 +1152,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + try { + Integer.parseInt(data.getDsPort()); // check for errors + } catch (NumberFormatException e) { +- throw new BadRequestException("Internal database port is invalid"); ++ throw new BadRequestException("Internal database port is invalid: " + data.getDsPort(), e); + } + + String basedn = data.getBaseDN(); +@@ -1173,7 +1180,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + try { + Integer.parseInt(masterReplicationPort); // check for errors + } catch (NumberFormatException e) { +- throw new BadRequestException("Master replication port is invalid"); ++ throw new BadRequestException("Master replication port is invalid: " + masterReplicationPort, e); + } + } + +@@ -1181,8 +1188,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + if (cloneReplicationPort != null && cloneReplicationPort.length() > 0) { + try { + Integer.parseInt(cloneReplicationPort); // check for errors +- } catch (Exception e) { +- throw new BadRequestException("Clone replication port is invalid"); ++ } catch (NumberFormatException e) { ++ throw new BadRequestException("Clone replication port is invalid: " + cloneReplicationPort, e); + } + } + +@@ -1293,7 +1300,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + try { + Integer.parseInt(data.getAuthdbPort()); // check for errors + } catch (NumberFormatException e) { +- throw new BadRequestException("Authdb port is invalid"); ++ throw new BadRequestException("Authentication Database port is invalid: " + data.getAuthdbPort(), e); + } + + // TODO check connection with authdb +-- +1.8.3.1 + + +From 3937d69c1dd5f9ecd7940809b474097d63cb97b3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 29 Jun 2015 13:29:41 -0400 +Subject: [PATCH 07/21] Cleaned up SystemConfigService.configureClone(). + +The getCloningData() in SystemConfigService has been renamed to +configureClone(). Redundant try-catch blocks have been removed. +Some exception messages have been modified to include more info. +--- + .../dogtagpki/server/rest/SystemConfigService.java | 72 +++++++--------------- + .../server/tps/rest/TPSInstallerService.java | 2 +- + 2 files changed, 23 insertions(+), 51 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 75e3065..73d24a7 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -799,7 +799,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + } + +- private void getCloningData(ConfigurationRequest data, Collection certList, String token, String domainXML) { ++ private void configureClone(ConfigurationRequest data, Collection certList, String token, String domainXML) throws Exception { + for (String tag : certList) { + if (tag.equals("sslserver")) { + cs.putBoolean("preop.cert." + tag + ".enable", true); +@@ -809,73 +809,45 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + + String cloneUri = data.getCloneUri(); +- URL url = null; +- try { +- url = new URL(cloneUri); +- } catch (MalformedURLException e) { +- // should not reach here as this check is done in validate() +- } ++ URL url = new URL(cloneUri); + String masterHost = url.getHost(); + int masterPort = url.getPort(); + +- // check and store cloneURI information +- boolean validCloneUri; +- try { +- validCloneUri = ConfigurationUtils.isValidCloneURI(domainXML, masterHost, masterPort); +- } catch (Exception e) { +- CMS.debug(e); +- throw new PKIException("Error in determining whether clone URI is valid"); +- } ++ CMS.debug("SystemConfigService: validate clone URI: " + url); ++ boolean validCloneUri = ConfigurationUtils.isValidCloneURI(domainXML, masterHost, masterPort); + + if (!validCloneUri) { + throw new BadRequestException( +- "Invalid clone URI provided. Does not match the available subsystems in the security domain"); ++ "Clone URI does not match available subsystems: " + url); + } + + if (csType.equals("CA")) { +- try { +- int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML, +- masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort"); +- ConfigurationUtils.importCertChain(masterHost, masterAdminPort, "/ca/admin/ca/getCertChain", +- "clone"); +- } catch (Exception e) { +- CMS.debug(e); +- throw new PKIException("Failed to import certificate chain from master" + e); +- } ++ CMS.debug("SystemConfigService: import certificate chain from master"); ++ int masterAdminPort = ConfigurationUtils.getPortFromSecurityDomain(domainXML, ++ masterHost, masterPort, "CA", "SecurePort", "SecureAdminPort"); ++ ConfigurationUtils.importCertChain(masterHost, masterAdminPort, ++ "/ca/admin/ca/getCertChain", "clone"); + } + +- try { +- CMS.debug("SystemConfigService.getCloningData(): get config entries"); +- ConfigurationUtils.getConfigEntriesFromMaster(); +- } catch (Exception e) { +- CMS.debug(e); +- throw new PKIException("Failed to obtain configuration entries from the master for cloning " + e); +- } ++ CMS.debug("SystemConfigService: get configuration entries from master"); ++ ConfigurationUtils.getConfigEntriesFromMaster(); + + if (token.equals(ConfigurationRequest.TOKEN_DEFAULT)) { +- CMS.debug("SystemConfigService.getCloningData(): restore certs from P12 file"); ++ CMS.debug("SystemConfigService: restore certificates from P12 file"); + String p12File = data.getP12File(); + String p12Pass = data.getP12Password(); +- try { +- ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass); +- } catch (Exception e) { +- CMS.debug(e); +- throw new PKIException("Failed to restore certificates from p12 file" + e); +- } ++ ConfigurationUtils.restoreCertsFromP12(p12File, p12Pass); ++ + } else { +- CMS.debug("SystemConfigService.getCloningData(): set permissions for certs stored in hardware"); +- try { +- ConfigurationUtils.importAndSetCertPermissionsFromHSM(); +- } catch (Exception e) { +- CMS.debug(e); +- throw new PKIException("Failed to import certs from HSM and set permissions:" + e); +- } ++ CMS.debug("SystemConfigService: import certificates from HSM and set permission"); ++ ConfigurationUtils.importAndSetCertPermissionsFromHSM(); + } + +- CMS.debug("SystemConfigService.getCloningData(): verify certs"); ++ CMS.debug("SystemConfigService: verify certificates"); + boolean cloneReady = ConfigurationUtils.isCertdbCloned(); ++ + if (!cloneReady) { +- CMS.debug("clone does not have all the certificates."); ++ CMS.debug("SystemConfigService: clone does not have all the certificates."); + throw new PKIException("Clone does not have all the required certificates"); + } + } +@@ -992,7 +964,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + + public void configureSubsystem(ConfigurationRequest request, +- Collection certList, String token, String domainXML) { ++ Collection certList, String token, String domainXML) throws Exception { + + cs.putString("preop.subsystem.name", request.getSubsystemName()); + +@@ -1004,7 +976,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } else { + cs.putString("preop.subsystem.select", "clone"); + cs.putString("subsystem.select", "Clone"); +- getCloningData(request, certList, token, domainXML); ++ configureClone(request, certList, token, domainXML); + } + } + +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java +index 9c4943b..fe4e124 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java +@@ -44,7 +44,7 @@ public class TPSInstallerService extends SystemConfigService { + + @Override + public void configureSubsystem(ConfigurationRequest request, +- Collection certList, String token, String domainXML) { ++ Collection certList, String token, String domainXML) throws Exception { + + super.configureSubsystem(request, certList, token, domainXML); + +-- +1.8.3.1 + + +From 7c1af7f7dac89363c7923802ec759ccb84813bfb Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 29 Jun 2015 15:34:01 -0700 +Subject: [PATCH 08/21] Ticket 1438 pkispawn: SSL_ForceHandshake issue for + non-CA on HSM on both shared and nonshared tomcat instances + +--- + .../python/pki/server/deployment/pkiparser.py | 107 ++++++++++++++------- + 1 file changed, 72 insertions(+), 35 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 7e1813c..4b3dabb 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -921,41 +921,78 @@ class PKIConfigParser: + "tls1_0:tls1_2" + self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ + "tls1_1:tls1_2" +- self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ +- "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ +- "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ +- "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ +- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" ++ if self.mdict['pki_ssl_server_key_type'] == "ecc": ++ self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ ++ "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" ++ else: ++ self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ ++ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ + "-SSL2_RC4_128_WITH_MD5," + \ + "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ +-- +1.8.3.1 + + +From b253cad196f57e79a5aede53aceffede1c9edfbe Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Wed, 1 Jul 2015 15:01:45 -0700 +Subject: [PATCH 09/21] Ability to toggle profile usablity in Web vs CLI tools. + +Ticket #1442. + +This fix gives the command line enrollment commands the ability to enroll a cert against a profile +that has been marked as not visible but "enabled". + +With the simple fix the following scenarios tested to work: + +The "caUserCert" Profile was marked as not visible, but enabled. + +1. pki -c Secret123 client-cert-request --profile caUserCert uid=jmagne + This is the simplest form of user cert enrollment. + +2. pki ca-cert-request-profile-show caUserCert --output testuser.xml + pki ca-cert-request-submit testuser.xml + + The first command gives us the profile's xml file, which after modification is used to enroll. + +3. pki -d ~/.dogtag/pki -c "" -n "PKI Administrator for localdomain" ca-profile-show caUserCert + + This one shows that we can view the contents of a non visible profile. Listing is not allowed. + We felt this appropiate to allow a command line user to get the details of a non visible profile that + they know aobut and want to use. +--- + base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +index 969cfd1..a11cb47 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +@@ -336,9 +336,8 @@ public class CertRequestService extends PKIService implements CertRequestResourc + } + + if (! profile.isVisible()) { +- CMS.debug("getEnrollmentTemplate(): attempt to get enrollment template for non-visible profile"); +- throw new BadRequestException("Cannot provide enrollment template for profile `" + profileId + +- "`. Profile not marked as visible"); ++ CMS.debug("getEnrollmentTemplate(): attempt to get enrollment template for non-visible profile. This is ok since command line enrollments should be able to use enabled but non visible profiles."); ++ + } + + CertEnrollmentRequest request = new CertEnrollmentRequest(); +-- +1.8.3.1 + + +From 4af223feb262a707b65d4860f6e8552873306209 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 2 Jul 2015 11:09:14 -0600 +Subject: [PATCH 12/21] Limited Interactive Installation Support + +- PKI TRAC Ticket #1441 - Lack of Interactive Installation Support + (Cloning, Subordinates, Externals, HSMs, ECC) +--- + .../python/pki/server/deployment/pkimessages.py | 19 ++++++ + base/server/sbin/pkispawn | 70 ++++++++++++---------- + 2 files changed, 56 insertions(+), 33 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index 6528407..ff3d370 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -146,6 +146,25 @@ REMINDER: + Finally, if an optional '-p ' is defined, this value WILL NOT + be prepended in front of the mandatory '-f '. + """ + PKI_VERBOSITY ++PKISPAWN_INTERACTIVE_INSTALLATION=''' ++IMPORTANT: ++ ++ Interactive installation currently only exists for very basic deployments! ++ ++ For example, deployments intent upon using advanced features such as: ++ ++ * Cloning, ++ * Elliptic Curve Cryptography (ECC), ++ * External CA, ++ * Hardware Security Module (HSM), ++ * Subordinate CA, ++ * etc., ++ ++ must provide the necessary override parameters in a separate ++ configuration file. ++ ++ Run 'man pkispawn' for details. ++''' + + + # PKI Deployment "Helper" Messages +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 893a22a..bebbf0b 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -125,8 +125,12 @@ def main(argv): + parser.validate() + interactive = False + +- while True: ++ if config.user_deployment_cfg is None: ++ interactive = True ++ parser.indent = 0 ++ print log.PKISPAWN_INTERACTIVE_INSTALLATION + ++ while True: + # -s + if args.pki_subsystem is None: + interactive = True +@@ -215,38 +219,38 @@ def main(argv): + config.pki_subsystem, + 'pki_client_admin_cert') + +- if parser.mdict['pki_hsm_enable'] == 'True': +- use_hsm = 'Y' +- else: +- use_hsm = 'N' +- +- use_hsm = parser.read_text( +- 'Using hardware security module (HSM) (Yes/No)', +- default=use_hsm, options=['Yes', 'Y', 'No', 'N'], +- sign='?', case_sensitive=False).lower() +- +- if use_hsm == 'y' or use_hsm == 'yes': +- # XXX: Suppress interactive HSM installation +- print "Interactive HSM installation is currently unsupported." +- sys.exit(0) +- +- # TBD: Interactive HSM installation +- # parser.set_property(config.pki_subsystem, +- # 'pki_hsm_enable', +- # 'True') +- # modulename = parser.read_text( +- # 'HSM Module Name (e. g. - nethsm)', allow_empty=False) +- # parser.set_property(config.pki_subsystem, +- # 'pki_hsm_modulename', +- # modulename) +- # libfile = parser.read_text( +- # 'HSM Lib File ' + +- # '(e. g. - /opt/nfast/toolkits/pkcs11/libcknfast.so)', +- # allow_empty=False) +- # parser.set_property(config.pki_subsystem, +- # 'pki_hsm_libfile', +- # libfile) +- print ++ # if parser.mdict['pki_hsm_enable'] == 'True': ++ # use_hsm = 'Y' ++ # else: ++ # use_hsm = 'N' ++ ++ # use_hsm = parser.read_text( ++ # 'Using hardware security module (HSM) (Yes/No)', ++ # default=use_hsm, options=['Yes', 'Y', 'No', 'N'], ++ # sign='?', case_sensitive=False).lower() ++ ++ # if use_hsm == 'y' or use_hsm == 'yes': ++ # # XXX: Suppress interactive HSM installation ++ # print "Interactive HSM installation is currently unsupported." ++ # sys.exit(0) ++ ++ # TBD: Interactive HSM installation ++ # parser.set_property(config.pki_subsystem, ++ # 'pki_hsm_enable', ++ # 'True') ++ # modulename = parser.read_text( ++ # 'HSM Module Name (e. g. - nethsm)', allow_empty=False) ++ # parser.set_property(config.pki_subsystem, ++ # 'pki_hsm_modulename', ++ # modulename) ++ # libfile = parser.read_text( ++ # 'HSM Lib File ' + ++ # '(e. g. - /opt/nfast/toolkits/pkcs11/libcknfast.so)', ++ # allow_empty=False) ++ # parser.set_property(config.pki_subsystem, ++ # 'pki_hsm_libfile', ++ # libfile) ++ # print + + print "Directory Server:" + while True: +-- +1.8.3.1 + + +From bbd2feaa1f0ca4c338ca490f191184f2bd5c1a41 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Tue, 30 Jun 2015 17:22:23 -0700 +Subject: [PATCH 13/21] Unable to select ECC Curves from EE fix. + +Ticket #1446: + +Without the crypto object, the user is now presented with a very bared bones +keygen tag powered UI. ONe can only select a key strength and only use RSA. + +This fix adds simple UI to make better use of the keygen tag: + +1. Allows the use of ECC. +2. Gives simple info on how the key strengths map to RSA key size and +ECC curves. + +When the user selects High, they get RSA 2043, and ECC nistp384. +When the user selects Medium, they get RSA 1024, and ECC nistp256. +--- + .../shared/webapps/ca/ee/ca/ProfileSelect.template | 81 +++++++++++++++++++++- + 1 file changed, 80 insertions(+), 1 deletion(-) + +diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template +index 0e68e36..5075962 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template ++++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template +@@ -47,6 +47,71 @@ var key = new Object(); + key.type = "EC"; + keyList[1] = key; + ++function getKeyStrengthTableForKeyGen() { ++ ++ document.writeln(""); ++ document.writeln(""); ++ document.writeln(""); ++ document.writeln("
KeyGen Key Strength Info
Key Type High Grade Medium Grade
RSA 2048 1024
ECC nistp384 nistp256
"); ++ ++} ++ ++function getKeyTypesOptionsForKeyGen() { ++ var keyTypesDef = "RSA"; ++ var keyTypes = null; ++ for (var i = 0; i < policySetListSet.length; i++) { ++ for (var j = 0; j < policySetListSet[i].policySet.length; j++) { ++ if (typeof(policySetListSet[i].policySet[j].constraintSet) != "undefined") { ++ for (var k = 0; k < policySetListSet[i].policySet[j].constraintSet.length; k++) { ++ if (policySetListSet[i].policySet[j].constraintSet[k].name == "keyType") { ++ if (policySetListSet[i].policySet[j].constraintSet[k].value == "-") { ++ keyTypes = "RSA,EC"; ++ } else { ++ keyTypes = policySetListSet[i].policySet[j].constraintSet[k].value; ++ } ++ } ++ } ++ } ++ } ++ } ++ ++ if(keyTypes == null) { ++ keyTypes = keyTypesDef; ++ } ++ ++ var keyTypesRet = keyTypes.split(","); ++ var options = ""; ++ var optionLabel = ""; ++ var selected = ""; ++ for(types= 0 ; types < keyTypesRet.length ; types ++) { ++ if(keyTypesRet[types] == "EC") { ++ optionLabel = "ECC"; ++ } else { ++ optionLabel = keyTypesRet[types]; ++ } ++ ++ if( types == 0 ) { ++ selected = "SELECTED"; ++ } else { ++ selected = ""; ++ } ++ ++ options += ' '; ++ } ++ ++ return options; ++} ++ ++function keyGenKeyTypeSelected(keygenObj,keyTypeSelectObj) { ++ ++ if(keygenObj == null || keyTypeSelectObj == null) ++ return; ++ ++ var selectedValue = keyTypeSelectObj.options[keyTypeSelectObj.selectedIndex].value; ++ ++ keygenObj.setAttribute("keytype", selectedValue); ++} ++ + function keyTypeOptions (keyPurpose) + { + var keyType = "RSA"; +@@ -682,7 +747,21 @@ for (var m = 0; m < inputPluginListSet.length; m++) { + } + document.writeln(''); + } else { +- document.writeln(''); ++ ++ getKeyStrengthTableForKeyGen(); ++ ++ var keyTypesOptions = getKeyTypesOptionsForKeyGen(); ++ ++ var keygendata = ' ' ; ++ document.writeln(keygendata); ++ ++ var keygenObj = document.getElementById("keygentag"); ++ var selectKeyTypeData = ' ' ; ++ ++ document.writeln(selectKeyTypeData); ++ ++ var selectKeyTypeObject = document.getElementById("keyTypeSelectedId"); ++ keyGenKeyTypeSelected(keygenObj,selectKeyTypeObject); + } + } else if (inputListSet[n].inputSyntax == 'dual_keygen_request_type') { + keygen_request = 'true'; +-- +1.8.3.1 + + +From 067cbce6c015a50f4a1747f8894b13c9052c2ed9 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 30 Jun 2015 22:49:11 -0400 +Subject: [PATCH 14/21] Fixed pki help CLI. + +A new findModules() method has been added to the CLI class to find +the list of modules handling a command. The list will be used by the +pki help CLI to find the proper man page for the specified command. +--- + .../src/com/netscape/cmstools/cert/CertCLI.java | 5 ++ + .../src/com/netscape/cmstools/cli/CLI.java | 72 ++++++++++++++++++++++ + .../src/com/netscape/cmstools/cli/HelpCLI.java | 27 ++++++-- + .../src/com/netscape/cmstools/cli/MainCLI.java | 5 ++ + .../com/netscape/cmstools/client/ClientCLI.java | 5 ++ + .../src/com/netscape/cmstools/group/GroupCLI.java | 5 ++ + .../netscape/cmstools/group/GroupMemberCLI.java | 5 ++ + .../src/com/netscape/cmstools/key/KeyCLI.java | 5 ++ + .../com/netscape/cmstools/logging/AuditCLI.java | 5 ++ + .../com/netscape/cmstools/profile/ProfileCLI.java | 5 ++ + .../cmstools/system/SecurityDomainCLI.java | 5 ++ + .../src/com/netscape/cmstools/user/UserCLI.java | 5 ++ + .../com/netscape/cmstools/user/UserCertCLI.java | 5 ++ + 13 files changed, 148 insertions(+), 6 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java +index 9ffa3ad..e0924d3 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java +@@ -67,6 +67,11 @@ public class CertCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-cert"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java +index ed01edc..1338749 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java +@@ -21,6 +21,7 @@ package com.netscape.cmstools.cli; + import java.util.ArrayList; + import java.util.Collection; + import java.util.LinkedHashMap; ++import java.util.List; + import java.util.Map; + + import org.apache.commons.cli.CommandLineParser; +@@ -113,6 +114,75 @@ public class CLI { + return modules.remove(name); + } + ++ /** ++ * Find the list of modules that handle the specified command. ++ */ ++ public List findModules(String command) throws Exception { ++ ++ List results = new ArrayList(); ++ ++ // split command into list of names: ++ // ---...- ++ String[] names = command.split("-"); ++ ++ CLI current = this; ++ int i = 0; ++ ++ // translate all names into modules starting from the beginning ++ while (i < names.length) { ++ ++ String moduleName = null; ++ CLI module = null; ++ int j = i; ++ ++ // find module that matches the shortest sequence of names ++ while (j < names.length) { ++ ++ // construct module name ++ if (moduleName == null) { ++ moduleName = names[j]; ++ } else { ++ moduleName = moduleName + "-" + names[j]; ++ } ++ ++ // find module with name -...- ++ module = current.getModule(moduleName); ++ ++ if (module != null) { ++ // module found, stop ++ break; ++ } ++ ++ // try again with longer sequence ++ j++; ++ } ++ ++ if (module == null) ++ throw new Error("Invalid module \"" + moduleName + "\"."); ++ ++ // module found ++ results.add(module); ++ ++ // repeat for the remaining parts ++ current = module; ++ i = j + 1; ++ } ++ ++ return results; ++ } ++ ++ /** ++ * Find the last module that handles the specified command. ++ */ ++ public CLI findModule(String command) throws Exception { ++ List modules = findModules(command); ++ return modules.get(modules.size() - 1); ++ } ++ ++ public String getManPage() { ++ return null; ++ } ++ + public PKIClient getClient() { + return client; + } +@@ -182,6 +252,8 @@ public class CLI { + System.exit(0); + } + ++ // TODO: Rewrite using findModules(). ++ + // A command consists of parts joined by dashes: --...-. + // For example: cert-request-find + String command = args[0]; +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/HelpCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/HelpCLI.java +index 6b2a123..b348ffc 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/HelpCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/HelpCLI.java +@@ -18,6 +18,8 @@ + + package com.netscape.cmstools.cli; + ++import java.util.List; ++ + import org.apache.commons.cli.CommandLine; + + /** +@@ -51,19 +53,32 @@ public class HelpCLI extends CLI { + + String[] cmdArgs = cmd.getArgs(); + +- String command; ++ String manPage = null; + if (cmdArgs.length == 0) { +- command = "pki"; ++ // no command specified, show the pki man page ++ manPage = parent.getManPage(); + + } else { +- command = "pki-" + cmdArgs[0]; ++ // find all modules handling the specified command ++ List modules = parent.findModules(cmdArgs[0]); ++ ++ // find the module that has a man page starting from the last one ++ for (int i = modules.size() - 1; i >= 0; i--) { ++ CLI module = modules.get(i); ++ manPage = module.getManPage(); ++ if (manPage != null) break; ++ } ++ ++ // if no module has a man page, show the pki man page ++ if (manPage == null) ++ manPage = parent.getManPage(); + } + + while (true) { + // display man page for the command + ProcessBuilder pb = new ProcessBuilder( + "/bin/man", +- command); ++ manPage); + + pb.inheritIO(); + Process p = pb.start(); +@@ -71,10 +86,10 @@ public class HelpCLI extends CLI { + + if (rc == 16) { + // man page not found, find the parent command +- int i = command.lastIndexOf('-'); ++ int i = manPage.lastIndexOf('-'); + if (i >= 0) { + // parent command exists, try again +- command = command.substring(0, i); ++ manPage = manPage.substring(0, i); + continue; + + } else { +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 1792922..77245ec 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -89,6 +89,11 @@ public class MainCLI extends CLI { + return moduleName; + } + ++ @Override ++ public String getManPage() { ++ return "pki"; ++ } ++ + public void printVersion() { + Package pkg = MainCLI.class.getPackage(); + System.out.println("PKI Command-Line Interface "+pkg.getImplementationVersion()); +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java +index c9c7152..f09ea74 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java +@@ -50,6 +50,11 @@ public class ClientCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-client"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +index 973e0ba..ca15130 100644 +--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +@@ -54,6 +54,11 @@ public class GroupCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-group"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberCLI.java +index e21d817..1df404b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberCLI.java +@@ -40,6 +40,11 @@ public class GroupMemberCLI extends CLI { + addModule(new GroupMemberRemoveCLI(this)); + } + ++ @Override ++ public String getManPage() { ++ return "pki-group-member"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +index fb324be..d83bcf2 100644 +--- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +@@ -65,6 +65,11 @@ public class KeyCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-key"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +index 11e5300..531d920 100644 +--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java +@@ -41,6 +41,11 @@ public class AuditCLI extends CLI { + addModule(new AuditShowCLI(this)); + } + ++ @Override ++ public String getManPage() { ++ return "pki-audit"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/profile/ProfileCLI.java b/base/java-tools/src/com/netscape/cmstools/profile/ProfileCLI.java +index e9e2159..ecfa753 100644 +--- a/base/java-tools/src/com/netscape/cmstools/profile/ProfileCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/profile/ProfileCLI.java +@@ -51,6 +51,11 @@ public class ProfileCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-ca-profile"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java +index b1a3597..0c2ed37 100644 +--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java +@@ -47,6 +47,11 @@ public class SecurityDomainCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-securitydomain"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java +index 7a03d33..5382c47 100644 +--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java +@@ -57,6 +57,11 @@ public class UserCLI extends CLI { + } + } + ++ @Override ++ public String getManPage() { ++ return "pki-user"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertCLI.java +index ead915a..d8ea917 100644 +--- a/base/java-tools/src/com/netscape/cmstools/user/UserCertCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertCLI.java +@@ -40,6 +40,11 @@ public class UserCertCLI extends CLI { + addModule(new UserCertRemoveCLI(this)); + } + ++ @Override ++ public String getManPage() { ++ return "pki-user-cert"; ++ } ++ + public void execute(String[] args) throws Exception { + + client = parent.getClient(); +-- +1.8.3.1 + + +From 433e1dba905f9d45f9eefcbf39e5b11ddfbfbc94 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 2 Jul 2015 18:33:48 -0400 +Subject: [PATCH 15/21] Fixed NPE in key-archive CLI. + +The pki CLI has been modified such that if the security database +location (-d) is not specified, the config.certDatabase will be +initialized with the default value (i.e. ~/.dogtag/nssdb). The +config.certDatabase is needed by the CLI to prepare the client +library for key archival operations. +--- + .../src/com/netscape/cmstools/cli/MainCLI.java | 21 ++++++++------------- + .../src/com/netscape/cmstools/key/KeyCLI.java | 10 ++++++++-- + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 77245ec..4d63d9b 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -330,9 +330,14 @@ public class MainCLI extends CLI { + } + } + +- // store security database path +- if (certDatabase != null) ++ if (certDatabase != null) { ++ // store user-provided security database location + config.setCertDatabase(new File(certDatabase).getAbsolutePath()); ++ } else { ++ // store default security database location ++ config.setCertDatabase(System.getProperty("user.home") + ++ File.separator + ".dogtag" + File.separator + "nssdb"); ++ } + + // store token name + config.setTokenName(tokenName); +@@ -395,17 +400,7 @@ public class MainCLI extends CLI { + list = cmd.getOptionValue("ignore-cert-status"); + convertCertStatusList(list, ignoredCertStatuses); + +- if (config.getCertDatabase() == null) { +- // Use default client security database +- this.certDatabase = new File( +- System.getProperty("user.home") + File.separator + +- ".dogtag" + File.separator + "nssdb"); +- +- } else { +- // Use existing client security database +- this.certDatabase = new File(config.getCertDatabase()); +- } +- ++ this.certDatabase = new File(config.getCertDatabase()); + if (verbose) System.out.println("Client security database: "+this.certDatabase.getAbsolutePath()); + + String messageFormat = cmd.getOptionValue("message-format"); +diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +index d83bcf2..f242ece 100644 +--- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java +@@ -81,14 +81,20 @@ public class KeyCLI extends CLI { + + // create new key client + keyClient = new KeyClient(client, subsystem); +- if (client.getConfig().getCertDatabase() != null && client.getConfig().getCertPassword() != null) { ++ ++ // if security database password is specified, ++ // prepare key client for archival/retrieval ++ if (client.getConfig().getCertPassword() != null) { ++ // create crypto provider for key client + keyClient.setCrypto(new NSSCryptoProvider(client.getConfig())); + +- // Set the transport cert for crypto operations ++ // download transport cert + systemCertClient = new SystemCertClient(client, subsystem); + String transportCert = systemCertClient.getTransportCert().getEncoded(); + transportCert = transportCert.substring(CertData.HEADER.length(), + transportCert.indexOf(CertData.FOOTER)); ++ ++ // set transport cert for key client + keyClient.setTransportCert(transportCert); + } + +-- +1.8.3.1 + + +From cc8f6468bb9f509d16ed526e42d546aaa2ae9ed3 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 1 Jul 2015 14:41:51 -0400 +Subject: [PATCH 16/21] Fixed fail-over in HttpConnection. + +The HttpConnection class has been modified to support fail-over +and timeout more consistently. The targets are parsed into a list +during initialization. All direct calls to HttpClient.connect() +are replaced with a method that will connect to the first available +target. All connections are now created with a timeout (which by +default is 0). + +https://fedorahosted.org/pki/ticket/891 +--- + base/ca/src/com/netscape/ca/CAService.java | 5 +- + .../netscape/cmscore/connector/HttpConnection.java | 214 +++++++++++---------- + .../src/com/netscape/cmsutil/http/HttpClient.java | 40 ++-- + .../netscape/cmsutil/http/JssSSLSocketFactory.java | 27 ++- + .../com/netscape/cmsutil/net/ISocketFactory.java | 10 +- + 5 files changed, 154 insertions(+), 142 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 6edaf2a..36f0bd5 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -435,9 +435,8 @@ public class CAService implements ICAService, IService { + // send request to KRA first + if (type.equals(IRequest.ENROLLMENT_REQUEST) && + isPKIArchiveOptionPresent(request) && mKRAConnector != null) { +- if (Debug.ON) { +- Debug.trace("*** Sending enrollment request to KRA"); +- } ++ ++ CMS.debug("CAService: Sending enrollment request to KRA"); + boolean sendStatus = mKRAConnector.send(request); + + if (mArchivalRequired == true) { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +index c179f4b..c480478 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +@@ -18,7 +18,9 @@ + package com.netscape.cmscore.connector; + + import java.io.IOException; +-import java.util.StringTokenizer; ++import java.net.InetSocketAddress; ++import java.util.ArrayList; ++import java.util.List; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; +@@ -33,50 +35,32 @@ import com.netscape.cmsutil.http.HttpResponse; + import com.netscape.cmsutil.net.ISocketFactory; + + public class HttpConnection implements IHttpConnection { ++ + protected IRemoteAuthority mDest = null; + protected HttpRequest mHttpreq = new HttpRequest(); + protected IRequestEncoder mReqEncoder = null; + protected HttpClient mHttpClient = null; + +- protected boolean Connect(String host, HttpClient client) { +- StringTokenizer st = new StringTokenizer(host, " "); +- while (st.hasMoreTokens()) { +- String hp = st.nextToken(); // host:port +- StringTokenizer st1 = new StringTokenizer(hp, ":"); +- try { +- String h = st1.nextToken(); +- int p = Integer.parseInt(st1.nextToken()); +- client.connect(h, p); +- return true; +- } catch (Exception e) { +- // may want to log the failure +- } +- try { +- Thread.sleep(5000); // 5 seconds +- } catch (Exception e) { +- } ++ int timeout = 0; ++ List targets; + +- } +- return false; +- } ++ public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, ++ int timeout // seconds ++ ) { + +- public void setRequestURI(String uri) +- throws EBaseException { +- mHttpreq.setURI(uri); +- } ++ CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout); + +- public String getRequestURI() { +- return mHttpreq.getURI(); +- } +- +- public HttpConnection(IRemoteAuthority dest, ISocketFactory factory) { + mDest = dest; + mReqEncoder = new HttpRequestEncoder(); + mHttpClient = new HttpClient(factory); +- if (Debug.ON) +- Debug.trace("Created HttpClient"); ++ ++ this.timeout = timeout; ++ ++ targets = parseTarget(dest.getHost(), dest.getPort()); ++ + try { + mHttpreq.setMethod("POST"); ++ + // in case of multi-uri, uri will be set right before send + // by calling setRequestURI(uri) + if (mDest.getURI() != null) +@@ -89,62 +73,85 @@ public class HttpConnection implements IHttpConnection { + } + + mHttpreq.setHeader("Connection", "Keep-Alive"); +- CMS.debug("HttpConnection: connecting to " + dest.getHost() + ":" + dest.getPort()); +- String host = dest.getHost(); +- // we could have a list of host names in the host parameters +- // the format is, for example, +- // "directory.knowledge.com:1050 people.catalog.com 199.254.1.2" +- if (host != null && host.indexOf(' ') != -1) { +- // try to do client-side failover +- boolean connected = false; +- do { +- connected = Connect(host, mHttpClient); +- } while (!connected); +- } else { +- mHttpClient.connect(host, dest.getPort()); +- } +- CMS.debug("HttpConnection: connected to " + dest.getHost() + ":" + dest.getPort()); ++ ++ connect(); ++ + } catch (IOException e) { + // server's probably down. that's fine. try later. +- //System.out.println( +- //"Can't connect to server in connection creation"); ++ CMS.debug("HttpConnection: Unable to create connection: " + e); + } + } + +- /* +- * @param op operation to determine the receiving servlet (multi-uri support) +- */ +- public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, int timeout) { +- mDest = dest; +- mReqEncoder = new HttpRequestEncoder(); +- mHttpClient = new HttpClient(factory); +- CMS.debug("HttpConn:Created HttpConnection: factory " + factory + "client " + mHttpClient); +- try { +- mHttpreq.setMethod("POST"); +- // in case of multi-uri, uri will be set right before send +- // by calling setRequestURI(op) +- if (mDest.getURI() != null) +- mHttpreq.setURI(mDest.getURI()); ++ public HttpConnection(IRemoteAuthority dest, ISocketFactory factory) { ++ this(dest, factory, 0); ++ } + +- String contentType = dest.getContentType(); +- if (contentType != null) { +- CMS.debug("HttpConnection: setting Content-Type"); +- mHttpreq.setHeader("Content-Type", contentType ); +- } ++ List parseTarget(String target, int port) { + +- mHttpreq.setHeader("Connection", "Keep-Alive"); +- CMS.debug("HttpConnection: connecting to " + dest.getHost() + ":" + dest.getPort() + " timeout:" + timeout); +- mHttpClient.connect(dest.getHost(), dest.getPort(), timeout); +- CMS.debug("HttpConnection: connected to " + dest.getHost() + ":" + dest.getPort() + " timeout:" + timeout); +- } catch (IOException e) { +- // server's probably down. that's fine. try later. +- //System.out.println( +- //"Can't connect to server in connection creation"); +- CMS.debug("CMSConn:IOException in creating HttpConnection " + e.toString()); ++ List results = new ArrayList(); ++ ++ if (target == null || target.indexOf(' ') < 0) { ++ // target is a single hostname ++ ++ // add hostname and the global port to the results ++ results.add(new InetSocketAddress(target, port)); ++ return results; ++ } ++ ++ // target is a list of hostname:port, for example: ++ // "server1.example.com:8443 server2.example.com:8443" ++ ++ for (String hostnamePort : target.split(" ")) { ++ ++ // parse hostname and port, and ignore the global port ++ String[] parts = hostnamePort.split(":"); ++ String hostname = parts[0]; ++ port = Integer.parseInt(parts[1]); ++ ++ // add hostname and port to the results ++ results.add(new InetSocketAddress(hostname, port)); + } ++ ++ return results; + } + +- // Insert end ++ void connect() throws IOException { ++ ++ IOException exception = null; ++ ++ // try all targets ++ for (InetSocketAddress target : targets) { ++ ++ String hostname = target.getHostString(); ++ int port = target.getPort(); ++ ++ try { ++ CMS.debug("HttpConnection: Connecting to " + hostname + ":" + port + " with timeout " + timeout + "s"); ++ ++ mHttpClient.connect(hostname, port, timeout * 1000); ++ ++ CMS.debug("HttpConnection: Connected to " + hostname + ":" + port); ++ return; ++ ++ } catch (IOException e) { ++ exception = e; ++ CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e); ++ // try the next target immediately ++ } ++ } ++ ++ // throw the last exception ++ throw exception; ++ } ++ ++ public void setRequestURI(String uri) ++ throws EBaseException { ++ mHttpreq.setURI(uri); ++ } ++ ++ public String getRequestURI() { ++ return mHttpreq.getURI(); ++ } + /** + * sends a request to remote RA/CA, returning the result. + * +@@ -207,16 +214,17 @@ public class HttpConnection implements IHttpConnection { + CMS.debug("HttpConnection.send: with String content: null or empty"); + throw new EBaseException("HttpConnection.send: with String content: null or empty"); + } +- // CMS.debug("HttpConnection.send: with String content: " + content); ++ ++ CMS.debug("HttpConnection.send: with String content: " + content); + + resp = doSend(content); + return resp; + } + +- private HttpResponse doSend(String content) +- throws EBaseException { ++ private HttpResponse doSend(String content) throws EBaseException { ++ + HttpResponse resp = null; +- boolean reconnect = false; ++ boolean reconnected = false; + + if (getRequestURI() == null) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest")); +@@ -229,18 +237,21 @@ public class HttpConnection implements IHttpConnection { + + try { + if (!mHttpClient.connected()) { +- mHttpClient.connect(mDest.getHost(), mDest.getPort()); +- CMS.debug("HttpConnection.doSend: reconnected to " + mDest.getHost() + ":" + mDest.getPort()); +- reconnect = true; ++ connect(); ++ reconnected = true; + } ++ + } catch (IOException e) { ++ ++ CMS.debug(e); ++ + if (e.getMessage().indexOf("Peer's certificate issuer has been marked as not trusted") != -1) { + throw new EBaseException( + CMS.getUserMessage( + "CMS_BASE_CONN_FAILED", + "(This local authority cannot connect to the remote authority. The local authority's signing certificate must chain to a CA certificate trusted for client authentication in the certificate database. Use the certificate manager, or command line tool such as certutil to verify that the trust permissions of the local authority's issuer cert have 'CT' setting in the SSL client auth field.)")); + } +- CMS.debug("HttpConn:Couldn't reconnect " + e); ++ + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CONN_FAILED", "Couldn't reconnect " + e)); + } + +@@ -249,28 +260,35 @@ public class HttpConnection implements IHttpConnection { + try { + CMS.debug("HttpConnection.doSend: sending request"); + resp = mHttpClient.send(mHttpreq); ++ + } catch (IOException e) { +- CMS.debug("HttpConn: mHttpClient.send failed " + e.toString()); +- if (reconnect) { +- CMS.debug("HttpConnection.doSend:resend failed again. " + e); +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CONN_FAILED", "resend failed again. " + e)); ++ ++ CMS.debug(e); ++ ++ if (reconnected) { ++ CMS.debug("HttpConnection.doSend: resend failed again."); ++ throw new EBaseException( ++ CMS.getUserMessage("CMS_BASE_CONN_FAILED", "resend failed again: " + e), e); + } ++ + try { + CMS.debug("HttpConnection.doSend: trying a reconnect "); +- mHttpClient.connect(mDest.getHost(), mDest.getPort()); ++ connect(); ++ + } catch (IOException ex) { + CMS.debug("HttpConnection.doSend: reconnect for resend failed. " + ex); +- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CONN_FAILED", "reconnect for resend failed." +- + ex)); ++ throw new EBaseException( ++ CMS.getUserMessage("CMS_BASE_CONN_FAILED", "reconnect for resend failed: " + ex), e); + } +- reconnect = true; ++ ++ reconnected = true; + } + } //while + + // got reply; check status + String statusStr = resp.getStatusCode(); + +- CMS.debug("HttpConnection.doSend:server returned status " + statusStr); ++ CMS.debug("HttpConnection.doSend: server returned status " + statusStr); + int statuscode = -1; + + try { +@@ -287,16 +305,18 @@ public class HttpConnection implements IHttpConnection { + // XXX what to do here. + String msg = "request no good " + statuscode + " " + resp.getReasonPhrase(); + +- CMS.debug(msg); ++ CMS.debug("HttpConnection: " + msg); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_AUTHENTICATE_FAILED", msg)); ++ + } else { + // XXX what to do here. +- String msg = "HttpConn:request no good " + statuscode + " " + resp.getReasonPhrase(); ++ String msg = "HttpConnection: request no good " + statuscode + " " + resp.getReasonPhrase(); + + CMS.debug(msg); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", msg)); + } + } ++ + return resp; + } + } +diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +index 438c70c..db042a7 100644 +--- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java ++++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +@@ -59,22 +59,24 @@ public class HttpClient { + mCertApprovalCallback = certApprovalCallback; + } + +- public void connect(String host, int port) +- throws IOException { ++ public void connect(String host, int port, ++ int timeout // milliseconds ++ ) throws IOException { ++ + if (mFactory != null) { + if (mCertApprovalCallback == null) { +- mSocket = mFactory.makeSocket(host, port); ++ mSocket = mFactory.makeSocket(host, port, timeout); + } else { +- mSocket = mFactory.makeSocket(host, port, mCertApprovalCallback, null); ++ mSocket = mFactory.makeSocket(host, port, mCertApprovalCallback, null, timeout); + } ++ + } else { + mSocket = new Socket(host, port); ++ mSocket.setSoTimeout(timeout); + } + + if (mSocket == null) { +- IOException e = new IOException("Couldn't make connection"); +- +- throw e; ++ throw new IOException("Couldn't make connection"); + } + + mInputStream = mSocket.getInputStream(); +@@ -85,30 +87,10 @@ public class HttpClient { + mConnected = true; + } + +- // Inserted by beomsuk +- public void connect(String host, int port, int timeout) +- throws IOException { +- if (mFactory != null) { +- mSocket = mFactory.makeSocket(host, port, timeout); +- } else { +- mSocket = new Socket(host, port); +- } +- +- if (mSocket == null) { +- IOException e = new IOException("Couldn't make connection"); +- +- throw e; +- } +- +- mInputStream = mSocket.getInputStream(); +- mOutputStream = mSocket.getOutputStream(); +- mInputStreamReader = new InputStreamReader(mInputStream, "UTF8"); +- mBufferedReader = new BufferedReader(mInputStreamReader); +- mOutputStreamWriter = new OutputStreamWriter(mOutputStream, "UTF8"); +- mConnected = true; ++ public void connect(String host, int port) throws IOException { ++ connect(host, port, 0); + } + +- // Insert end + public boolean connected() { + return mConnected; + } +diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +index 166479d..8c70480 100644 +--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java ++++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +@@ -48,13 +48,14 @@ public class JssSSLSocketFactory implements ISocketFactory { + + public Socket makeSocket(String host, int port) + throws IOException, UnknownHostException { +- return makeSocket(host, port, null, null); ++ return makeSocket(host, port, null, null, 0); + } + + public Socket makeSocket(String host, int port, + SSLCertificateApprovalCallback certApprovalCallback, +- SSLClientCertificateSelectionCallback clientCertCallback) +- throws IOException, UnknownHostException { ++ SSLClientCertificateSelectionCallback clientCertCallback, ++ int timeout // milliseconds ++ ) throws IOException, UnknownHostException { + + try { + /* +@@ -63,6 +64,7 @@ public class JssSSLSocketFactory implements ISocketFactory { + s = new SSLSocket(host, port, null, 0, certApprovalCallback, + clientCertCallback); + s.setUseClientMode(true); ++ s.setSoTimeout(timeout); + + SSLHandshakeCompletedListener listener = null; + +@@ -79,27 +81,34 @@ public class JssSSLSocketFactory implements ISocketFactory { + s.setClientCertNickname(mClientAuthCertNickname); + } + s.forceHandshake(); ++ + } catch (org.mozilla.jss.crypto.ObjectNotFoundException e) { +- throw new IOException(e.toString()); ++ throw new IOException(e.toString(), e); ++ + } catch (org.mozilla.jss.crypto.TokenException e) { +- throw new IOException(e.toString()); ++ throw new IOException(e.toString(), e); ++ + } catch (UnknownHostException e) { + throw e; ++ + } catch (IOException e) { + throw e; ++ + } catch (Exception e) { +- throw new IOException(e.toString()); ++ throw new IOException(e.toString(), e); + } ++ + return s; + } + +- public Socket makeSocket(String host, int port, int timeout) +- throws IOException, UnknownHostException { ++ public Socket makeSocket(String host, int port, ++ int timeout // milliseconds ++ ) throws IOException, UnknownHostException { + Thread t = new ConnectAsync(this, host, port); + + t.start(); + try { +- t.join(1000 * timeout); ++ t.join(timeout); + } catch (InterruptedException e) { + } + +diff --git a/base/util/src/com/netscape/cmsutil/net/ISocketFactory.java b/base/util/src/com/netscape/cmsutil/net/ISocketFactory.java +index 18f6cac..0dd6963 100644 +--- a/base/util/src/com/netscape/cmsutil/net/ISocketFactory.java ++++ b/base/util/src/com/netscape/cmsutil/net/ISocketFactory.java +@@ -28,11 +28,13 @@ public interface ISocketFactory { + Socket makeSocket(String host, int port) + throws IOException, UnknownHostException; + +- Socket makeSocket(String host, int port, int timeout) +- throws IOException, UnknownHostException; ++ Socket makeSocket(String host, int port, ++ int timeout // milliseconds ++ ) throws IOException, UnknownHostException; + + Socket makeSocket(String host, int port, + SSLCertificateApprovalCallback certApprovalCallback, +- SSLClientCertificateSelectionCallback clientCertCallback) +- throws IOException, UnknownHostException; ++ SSLClientCertificateSelectionCallback clientCertCallback, ++ int timeout // milliseconds ++ ) throws IOException, UnknownHostException; + } +-- +1.8.3.1 + + +From 6db01bd091ce991322b004cdd74bf7c15c57fe8c Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 30 Jun 2015 18:46:33 -0700 +Subject: [PATCH 17/21] Ticket 1447 pkispawn: findCertByNickname fails to find + cert in creating shared tomcat subsystems on HSM + +--- + .../src/org/dogtagpki/server/rest/SystemConfigService.java | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 73d24a7..e7a9960 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -345,6 +345,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + throw new BadRequestException("No data for '" + tag + "' was found!"); + } + ++ String tokenName = certData.getToken() != null ? certData.getToken() : token; + if (request.getStandAlone() && request.getStepTwo()) { + // Stand-alone PKI (Step 2) + if (tag.equals("external_signing")) { +@@ -355,7 +356,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + + if (request.getIssuingCA().equals("External CA")) { + String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA"; +- String tokenName = certData.getToken() != null ? certData.getToken() : token; + Cert cert = new Cert(tokenName, nickname, tag); + ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert); + +@@ -387,7 +387,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + updateConfiguration(request, certData, "subsystem"); + + // get parameters needed for cloning +- updateCloneConfiguration(certData, "subsystem"); ++ updateCloneConfiguration(certData, "subsystem", tokenName); + continue; + } + +@@ -439,7 +439,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'"); + } + +- String tokenName = certData.getToken() != null ? certData.getToken() : token; + Cert cert = new Cert(tokenName, nickname, tag); + cert.setDN(dn); + cert.setSubsystem(cs.getString("preop.cert." + tag + ".subsystem")); +@@ -529,11 +528,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + } + } + +- private void updateCloneConfiguration(SystemCertData cdata, String tag) throws NotInitializedException, ++ private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException, + ObjectNotFoundException, TokenException { + // TODO - some of these parameters may only be valid for RSA + CryptoManager cryptoManager = CryptoManager.getInstance(); +- X509Certificate cert = cryptoManager.findCertByNickname(cdata.getNickname()); ++ if (!tokenName.isEmpty()) ++ CMS.debug("SystemConfigService:updateCloneConfiguration: tokenName=" + tokenName); ++ else ++ CMS.debug("SystemConfigService:updateCloneConfiguration: tokenName empty; using internal"); ++ ++ X509Certificate cert = cryptoManager.findCertByNickname(!tokenName.isEmpty()? tokenName + ":" + cdata.getNickname() : cdata.getNickname()); + PublicKey pubk = cert.getPublicKey(); + byte[] exponent = CryptoUtil.getPublicExponent(pubk); + byte[] modulus = CryptoUtil.getModulus(pubk); +-- +1.8.3.1 + + +From a3773d042de25120803154c96763de55bc0bd7c4 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Mon, 6 Jul 2015 15:09:54 -0600 +Subject: [PATCH 18/21] Note on overriding pki_client_dir when using an HSM + +- PKI TRAC Ticket #1425 - pkispawn CA with HSM - if the config file has + pki_client related params the dir is not created and the admin cert p12 file + is stored nowhere +--- + base/server/man/man5/pki_default.cfg.5 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index f3db6a8..2c8dbbd 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -152,6 +152,9 @@ Set to True to back up the subsystem certificates and keys to a PKCS #12 file. + .B pki_client_dir + .IP + This is the location where all client data used during the installation is stored. At the end of the invocation of \fBpkispawn\fP, the administrative user's certificate and keys are stored in a PKCS #12 file in this location. ++.IP ++\fBNote:\fP ++When using an HSM, it is currently recommended to NOT specify a value for \fBpki_client_dir\fP that is different from the default value. + .TP + .B pki_client_database_dir, pki_client_database_password + .IP +-- +1.8.3.1 + + +From 02c50813a2f5054ad1b6b0a42e919e3ae1472fe0 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Mon, 6 Jul 2015 14:05:57 -0700 +Subject: [PATCH 19/21] Omit OCSP from clone description. + +Ticket #1358. +Also note that OCSP cloning is unsupported as of now. +--- + base/server/man/man8/pkispawn.8 | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 +index 33c36e3..ef1857d 100644 +--- a/base/server/man/man8/pkispawn.8 ++++ b/base/server/man/man8/pkispawn.8 +@@ -277,10 +277,10 @@ A cloned CA is a CA which uses the same signing, OCSP signing, and audit signing + .PP + Before the clone can be generated, the Directory Server must be created that is separate from the master CA's Directory Server. The example assumes that the master CA and cloned CA are on different machines, and that their Directory Servers are on port 389. In addition, the master's system certs and keys have been stored in a PKCS #12 file that is copied over to the clone subsystem in the location specified in . This file is created when the master CA is installed; it can also be generated using \fBPKCS12Export\fP. The file needs to be readable by the user the Certificate Server runs as (by default, pkiuser) and be given the SELinux context pki_tomcat_cert_t. + .PP +-.SS Installing a KRA, OCSP, or TKS clone ++.SS Installing a KRA or TKS clone (OCSP unsupported as of now) + \x'-1'\fBpkispawn \-s \-f myconfig.txt\fR + .PP +-where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text: ++where subsystem is KRA or TKS and \fImyconfig.txt\fP contains the following text: + .IP + .nf + [DEFAULT] +@@ -302,9 +302,9 @@ pki_clone_uri=https://: + pki_issuing_ca=https://: + .fi + .PP +-As with a CA clone, a KRA, OCSP, or TKS clone uses the same certificates and basic configuration as the original subsystem. The configuration points to the original subsystem to copy its configuration. This example also assumes that the CA is on a remote machine and specifies the CA and security domain information. ++As with a CA clone, a KRA or TKS clone uses the same certificates and basic configuration as the original subsystem. The configuration points to the original subsystem to copy its configuration. This example also assumes that the CA is on a remote machine and specifies the CA and security domain information. + .PP +-The subsystem section is [KRA], [OCSP], or [TKS]. ++The subsystem section is [KRA] or [TKS]. + .SS Installing a subordinate CA + \x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR + .PP +-- +1.8.3.1 + + +From c48c52703c374c8e7e65c11fdeee9eeda464290f Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Sat, 4 Jul 2015 11:00:29 -0400 +Subject: [PATCH 20/21] Verify raw profile config before accepting it + +Creating or modifying a profile with bad profile data in the "raw" +format succeeds and saves the bad data. After restart, the profile +cannot be loaded and attempting to use, modify or delete or recreate +the profile will fail. + +Verify raw profile data by instantiating a temporary profile and +attempting to initialise it with the received configuration. + +Fixes: https://fedorahosted.org/pki/ticket/1462 +--- + .../dogtagpki/server/ca/rest/ProfileService.java | 43 +++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +index f7d82b0..a1dba80 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +@@ -81,6 +81,7 @@ import com.netscape.cms.servlet.base.PKIService; + import com.netscape.cms.servlet.profile.PolicyConstraintFactory; + import com.netscape.cms.servlet.profile.PolicyDefaultFactory; + import com.netscape.cmscore.base.SimpleProperties; ++import com.netscape.cmscore.base.PropConfigStore; + + /** + * @author alee +@@ -583,8 +584,27 @@ public class ProfileService extends PKIService implements ProfileResource { + auditParams.put("class_id", classId); + + IPluginInfo info = registry.getPluginInfo("profile", classId); ++ String className = info.getClassName(); + +- profile = ps.createProfile(profileId, classId, info.getClassName()); ++ // create temporary profile to verify profile configuration ++ IProfile tempProfile; ++ try { ++ tempProfile = (IProfile) Class.forName(className).newInstance(); ++ } catch (Exception e) { ++ throw new PKIException( ++ "Error instantiating profile class: " + className); ++ } ++ tempProfile.setId(profileId); ++ try { ++ PropConfigStore tempConfig = new PropConfigStore(null); ++ tempConfig.load(new ByteArrayInputStream(data)); ++ tempProfile.init(ps, tempConfig); ++ } catch (Exception e) { ++ throw new BadRequestException("Invalid profile data", e); ++ } ++ ++ // no error thrown, proceed with profile creation ++ profile = ps.createProfile(profileId, classId, className); + profile.getConfigStore().commit(false); + profile.getConfigStore().load(new ByteArrayInputStream(data)); + ps.disableProfile(profileId); +@@ -698,6 +718,27 @@ public class ProfileService extends PKIService implements ProfileResource { + simpleProperties.store(out, null); + data = out.toByteArray(); // original data sans profileId, classId + ++ // create temporary profile to verify profile configuration ++ String classId = ps.getProfileClassId(profileId); ++ String className = ++ registry.getPluginInfo("profile", classId).getClassName(); ++ IProfile tempProfile; ++ try { ++ tempProfile = (IProfile) Class.forName(className).newInstance(); ++ } catch (Exception e) { ++ throw new PKIException( ++ "Error instantiating profile class: " + className); ++ } ++ tempProfile.setId(profileId); ++ try { ++ PropConfigStore tempConfig = new PropConfigStore(null); ++ tempConfig.load(new ByteArrayInputStream(data)); ++ tempProfile.init(ps, tempConfig); ++ } catch (Exception e) { ++ throw new BadRequestException("Invalid profile data", e); ++ } ++ ++ // no error thrown, so commit updated profile config + profile.getConfigStore().load(new ByteArrayInputStream(data)); + ps.disableProfile(profileId); + profile.getConfigStore().commit(false); +-- +1.8.3.1 + + +From ac5447a8e0bac5112882be700a17a9274e322adc Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 6 Jul 2015 13:31:22 -0400 +Subject: [PATCH 21/21] Fixed default cert-find filter. + +To improve the performance the default LDAP filter generated by +cert-find has been changed to (certStatus=*) to match an existing +VLV index. + +https://fedorahosted.org/pki/ticket/1449 +--- + .../org/dogtagpki/server/ca/rest/CertService.java | 16 +- + .../com/netscape/cmstools/cert/CertFindCLI.java | 1 - + .../netscape/cms/servlet/cert/FilterBuilder.java | 248 +++++++++++---------- + 3 files changed, 136 insertions(+), 129 deletions(-) + +diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java +index ee974d4..e43909b 100644 +--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java ++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java +@@ -367,15 +367,13 @@ public class CertService extends PKIService implements CertResource { + } + + private String createSearchFilter(String status) { +- String filter = ""; ++ String filter; + +- if ((status == null)) { +- filter = "(serialno=*)"; +- return filter; +- } ++ if (status == null) { ++ filter = "(certstatus=*)"; // allCerts VLV + +- if (status != null) { +- filter += "(certStatus=" + LDAPUtil.escapeFilter(status) + ")"; ++ } else { ++ filter = "(certStatus=" + LDAPUtil.escapeFilter(status) + ")"; + } + + return filter; +@@ -398,7 +396,7 @@ public class CertService extends PKIService implements CertResource { + size = size == null ? DEFAULT_SIZE : size; + + String filter = createSearchFilter(status); +- CMS.debug("listCerts: filter is " + filter); ++ CMS.debug("CertService.listCerts: filter: " + filter); + + CertDataInfos infos = new CertDataInfos(); + try { +@@ -450,7 +448,9 @@ public class CertService extends PKIService implements CertResource { + + start = start == null ? 0 : start; + size = size == null ? DEFAULT_SIZE : size; ++ + String filter = createSearchFilter(data); ++ CMS.debug("CertService.searchCerts: filter: " + filter); + + CertDataInfos infos = new CertDataInfos(); + try { +diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java +index 8c7a4df..cb2d80e 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java +@@ -254,7 +254,6 @@ public class CertFindCLI extends CLI { + + } else { + searchData = new CertSearchRequest(); +- searchData.setSerialNumberRangeInUse(true); + } + + String s = cmd.getOptionValue("start"); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java +index 5c337af..be44c47 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java +@@ -18,7 +18,9 @@ + + package com.netscape.cms.servlet.cert; + ++import java.util.ArrayList; + import java.util.Calendar; ++import java.util.List; + import java.util.StringTokenizer; + + import com.netscape.certsrv.cert.CertSearchRequest; +@@ -30,210 +32,214 @@ import com.netscape.cmsutil.ldap.LDAPUtil; + * + */ + public class FilterBuilder { +- private final static String MATCH_EXACTLY = "exact"; +- private String searchFilter = null; +- private CertSearchRequest request = null; ++ ++ private List filters = new ArrayList(); ++ private CertSearchRequest request; + + public FilterBuilder(CertSearchRequest request) { + this.request = request; + } + + public String buildFilter() { +- StringBuffer filter = new StringBuffer(); +- buildSerialNumberRangeFilter(filter); +- buildSubjectFilter(filter); +- buildStatusFilter(filter); +- buildRevokedByFilter(filter); +- buildRevokedOnFilter(filter); +- buildRevocationReasonFilter(filter); +- buildIssuedByFilter(filter); +- buildIssuedOnFilter(filter); +- buildValidNotBeforeFilter(filter); +- buildValidNotAfterFilter(filter); +- buildValidityLengthFilter(filter); +- buildCertTypeFilter(filter); +- +- searchFilter = filter.toString(); +- +- if (searchFilter != null && !searchFilter.equals("")) { +- searchFilter = "(&" + searchFilter + ")"; +- } + +- return searchFilter; ++ buildSerialNumberRangeFilter(); ++ buildSubjectFilter(); ++ buildStatusFilter(); ++ buildRevokedByFilter(); ++ buildRevokedOnFilter(); ++ buildRevocationReasonFilter(); ++ buildIssuedByFilter(); ++ buildIssuedOnFilter(); ++ buildValidNotBeforeFilter(); ++ buildValidNotAfterFilter(); ++ buildValidityLengthFilter(); ++ buildCertTypeFilter(); ++ ++ if (filters.size() == 0) { ++ return "(certstatus=*)"; // allCerts VLV ++ ++ } else if (filters.size() == 1) { ++ return filters.get(0); ++ ++ } else { ++ StringBuilder sb = new StringBuilder(); ++ for (String filter : filters) { ++ sb.append(filter); ++ } ++ return "(&" + sb + ")"; ++ } + } + +- private void buildSerialNumberRangeFilter(StringBuffer filter) { ++ private void buildSerialNumberRangeFilter() { + +- if (!request.getSerialNumberRangeInUse()) { +- return; +- } +- boolean changed = false; + String serialFrom = request.getSerialFrom(); + if (serialFrom != null && !serialFrom.equals("")) { +- filter.append("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")"); +- changed = true; ++ filters.add("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")"); + } ++ + String serialTo = request.getSerialTo(); + if (serialTo != null && !serialTo.equals("")) { +- filter.append("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")"); +- changed = true; ++ filters.add("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")"); + } +- if (!changed) { +- filter.append("(certRecordId=*)"); +- } +- + } + +- private void buildSubjectFilter(StringBuffer filter) { ++ private void buildSubjectFilter() { ++ + if (!request.getSubjectInUse()) { + return; + } +- StringBuffer lf = new StringBuffer(); + +- String matchStr = null; ++ StringBuffer lf = new StringBuffer(); + boolean match = request.getMatchExactly(); + +- if (match == true) { +- matchStr = MATCH_EXACTLY; +- } +- +- buildAVAFilter(request.getEmail(), "E", lf, matchStr); +- buildAVAFilter(request.getCommonName(), "CN", lf, matchStr); +- buildAVAFilter(request.getUserID(), "UID", lf, matchStr); +- buildAVAFilter(request.getOrgUnit(), "OU", lf, matchStr); +- buildAVAFilter(request.getOrg(), "O", lf, matchStr); +- buildAVAFilter(request.getLocality(), "L", lf, matchStr); +- buildAVAFilter(request.getState(), "ST", lf, matchStr); +- buildAVAFilter(request.getCountry(), "C", lf, matchStr); ++ buildAVAFilter(request.getEmail(), "E", lf, match); ++ buildAVAFilter(request.getCommonName(), "CN", lf, match); ++ buildAVAFilter(request.getUserID(), "UID", lf, match); ++ buildAVAFilter(request.getOrgUnit(), "OU", lf, match); ++ buildAVAFilter(request.getOrg(), "O", lf, match); ++ buildAVAFilter(request.getLocality(), "L", lf, match); ++ buildAVAFilter(request.getState(), "ST", lf, match); ++ buildAVAFilter(request.getCountry(), "C", lf, match); + + if (lf.length() == 0) { +- filter.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*)"); +- return; +- } +- if (matchStr != null && matchStr.equals(MATCH_EXACTLY)) { +- filter.append("(&"); +- filter.append(lf); +- filter.append(")"); ++ filters.add("(" + ICertRecord.ATTR_X509CERT_SUBJECT + "=*)"); ++ ++ } else if (match) { ++ filters.add("(&" + lf + ")"); ++ + } else { +- filter.append("(|"); +- filter.append(lf); +- filter.append(")"); ++ filters.add("(|" + lf + ")"); + } + } + +- private void buildStatusFilter(StringBuffer filter) { ++ private void buildStatusFilter() { ++ + String status = request.getStatus(); + if (status == null || status.equals("")) { + return; + } +- filter.append("(certStatus="); +- filter.append(LDAPUtil.escapeFilter(status)); +- filter.append(")"); ++ ++ filters.add("(certStatus=" + LDAPUtil.escapeFilter(status) + ")"); + } + +- private void buildRevokedByFilter(StringBuffer filter) { ++ private void buildRevokedByFilter() { ++ + if (!request.getRevokedByInUse()) { + return; + } + + String revokedBy = request.getRevokedBy(); + if (revokedBy == null || revokedBy.equals("")) { +- filter.append("(certRevokedBy=*)"); ++ filters.add("(certRevokedBy=*)"); ++ + } else { +- filter.append("(certRevokedBy="); +- filter.append(LDAPUtil.escapeFilter(revokedBy)); +- filter.append(")"); ++ filters.add("(certRevokedBy=" + LDAPUtil.escapeFilter(revokedBy) + ")"); + } + } + + private void buildDateFilter(String prefix, +- String outStr, long adjustment, +- StringBuffer filter) { ++ String outStr, long adjustment) { ++ + if (prefix == null || prefix.length() == 0) return; ++ + long epoch = Long.parseLong(prefix); + Calendar from = Calendar.getInstance(); + from.setTimeInMillis(epoch); ++ ++ StringBuilder filter = new StringBuilder(); + filter.append("("); + filter.append(LDAPUtil.escapeFilter(outStr)); + filter.append(Long.toString(from.getTimeInMillis() + adjustment)); + filter.append(")"); ++ ++ filters.add(filter.toString()); + } + +- private void buildRevokedOnFilter(StringBuffer filter) { ++ private void buildRevokedOnFilter() { ++ + if (!request.getRevokedOnInUse()) { + return; + } +- buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0, filter); +- buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999, filter); ++ ++ buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0); ++ buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999); + } + +- private void buildRevocationReasonFilter(StringBuffer filter) { ++ private void buildRevocationReasonFilter() { ++ + if (!request.getRevocationReasonInUse()) { + return; + } ++ + String reasons = request.getRevocationReason(); + if (reasons == null) { + return; + } +- String queryCertFilter = null; ++ ++ StringBuilder filter = new StringBuilder(); + StringTokenizer st = new StringTokenizer(reasons, ","); + int count = st.countTokens(); + if (st.hasMoreTokens()) { +- if (count >=2) filter.append("(|"); ++ if (count >= 2) filter.append("(|"); + while (st.hasMoreTokens()) { + String token = st.nextToken(); +- if (queryCertFilter == null) { +- queryCertFilter = ""; +- } + filter.append("(x509cert.certRevoInfo="); + filter.append(LDAPUtil.escapeFilter(token)); + filter.append(")"); + } + if (count >= 2) filter.append(")"); + } ++ ++ filters.add(filter.toString()); + } + +- private void buildIssuedByFilter(StringBuffer filter) { ++ private void buildIssuedByFilter() { ++ + if (!request.getIssuedByInUse()) { + return; + } ++ + String issuedBy = request.getIssuedBy(); + if (issuedBy == null || issuedBy.equals("")) { +- filter.append("(certIssuedBy=*)"); ++ filters.add("(certIssuedBy=*)"); + } else { +- filter.append("(certIssuedBy="); +- filter.append(LDAPUtil.escapeFilter(issuedBy)); +- filter.append(")"); ++ filters.add("(certIssuedBy=" + LDAPUtil.escapeFilter(issuedBy) + ")"); + } + } + +- private void buildIssuedOnFilter(StringBuffer filter) { ++ private void buildIssuedOnFilter() { ++ + if (!request.getIssuedOnInUse()) { + return; + } +- buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0, filter); +- buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999, filter); ++ ++ buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0); ++ buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999); + } + +- private void buildValidNotBeforeFilter(StringBuffer filter) { ++ private void buildValidNotBeforeFilter() { ++ + if (!request.getValidNotBeforeInUse()) { + return; + } +- buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0, filter); +- buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999, filter); ++ ++ buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0); ++ buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999); + + } + +- private void buildValidNotAfterFilter(StringBuffer filter) { ++ private void buildValidNotAfterFilter() { ++ + if (!request.getValidNotAfterInUse()) { + return; + } +- buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0, filter); +- buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999, filter); ++ ++ buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0); ++ buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999); + + } + +- private void buildValidityLengthFilter(StringBuffer filter) { ++ private void buildValidityLengthFilter() { + if (!request.getValidityLengthInUse()) { + return; + } +@@ -242,70 +248,72 @@ public class FilterBuilder { + Integer count = request.getValidityCount(); + Long unit = request.getValidityUnit(); + ++ StringBuilder filter = new StringBuilder(); + filter.append("("); + filter.append(ICertRecord.ATTR_X509CERT_DURATION); + filter.append(LDAPUtil.escapeFilter(op)); + filter.append(count * unit); + filter.append(")"); ++ ++ filters.add(filter.toString()); + } + +- private void buildCertTypeFilter(StringBuffer filter) { ++ private void buildCertTypeFilter() { ++ + if (!request.getCertTypeInUse()) { + return; + } ++ + if (isOn(request.getCertTypeSSLClient())) { +- filter.append("(x509cert.nsExtension.SSLClient=on)"); ++ filters.add("(x509cert.nsExtension.SSLClient=on)"); + } else if (isOff(request.getCertTypeSSLClient())) { +- filter.append("(x509cert.nsExtension.SSLClient=off)"); ++ filters.add("(x509cert.nsExtension.SSLClient=off)"); + } ++ + if (isOn(request.getCertTypeSSLServer())) { +- filter.append("(x509cert.nsExtension.SSLServer=on)"); ++ filters.add("(x509cert.nsExtension.SSLServer=on)"); + } else if (isOff(request.getCertTypeSSLServer())) { +- filter.append("(x509cert.nsExtension.SSLServer=off)"); ++ filters.add("(x509cert.nsExtension.SSLServer=off)"); + } ++ + if (isOn(request.getCertTypeSecureEmail())) { +- filter.append("(x509cert.nsExtension.SecureEmail=on)"); ++ filters.add("(x509cert.nsExtension.SecureEmail=on)"); + } else if (isOff(request.getCertTypeSecureEmail())) { +- filter.append("(x509cert.nsExtension.SecureEmail=off)"); ++ filters.add("(x509cert.nsExtension.SecureEmail=off)"); + } ++ + if (isOn(request.getCertTypeSubSSLCA())) { +- filter.append("(x509cert.nsExtension.SubordinateSSLCA=on)"); ++ filters.add("(x509cert.nsExtension.SubordinateSSLCA=on)"); + } else if (isOff(request.getCertTypeSubSSLCA())) { +- filter.append("(x509cert.nsExtension.SubordinateSSLCA=off)"); ++ filters.add("(x509cert.nsExtension.SubordinateSSLCA=off)"); + } ++ + if (isOn(request.getCertTypeSubEmailCA())) { +- filter.append("(x509cert.nsExtension.SubordinateEmailCA=on)"); ++ filters.add("(x509cert.nsExtension.SubordinateEmailCA=on)"); + } else if (isOff(request.getCertTypeSubEmailCA())) { +- filter.append("(x509cert.nsExtension.SubordinateEmailCA=off)"); ++ filters.add("(x509cert.nsExtension.SubordinateEmailCA=off)"); + } + } + + private boolean isOn(String value) { +- String inUse = value; +- if (inUse == null) { +- return false; +- } +- if (inUse.equals("on")) { ++ if (value != null && value.equals("on")) { + return true; + } + return false; + } + + private boolean isOff(String value) { +- String inUse = value; +- if (inUse == null) { +- return false; +- } +- if (inUse.equals("off")) { ++ if (value != null && value.equals("off")) { + return true; + } + return false; + } + + private void buildAVAFilter(String param, +- String avaName, StringBuffer lf, String match) { ++ String avaName, StringBuffer lf, boolean match) { ++ + if (param != null && !param.equals("")) { +- if (match != null && match.equals(MATCH_EXACTLY)) { ++ if (match) { + lf.append("(|"); + lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*"); + lf.append(avaName); +@@ -318,6 +326,7 @@ public class FilterBuilder { + lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param))); + lf.append(")"); + lf.append(")"); ++ + } else { + lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*"); + lf.append(avaName); +@@ -327,6 +336,5 @@ public class FilterBuilder { + lf.append("*)"); + } + } +- + } + } +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index c3bc788..b2e4cf7 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -1,11 +1,46 @@ +# Python %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} +# Tomcat +%if 0%{?fedora} >= 23 +%define with_tomcat7 0 +%define with_tomcat8 1 +%else +# 0%{?rhel} || 0%{?fedora} <= 22 +%define with_tomcat7 1 +%define with_tomcat8 0 +%endif + +# RESTEasy +%if 0%{?rhel} +%define resteasy_lib /usr/share/java/resteasy-base +%else +# 0%{?fedora} +%define resteasy_lib /usr/share/java/resteasy +%endif + +# Dogtag +%bcond_without server +%bcond_without javadoc + +# ignore unpackaged files from native 'tpsclient' +# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app +%define _unpackaged_files_terminate_build 0 + +# pkiuser and group. The uid and gid are preallocated +# see /usr/share/doc/setup/uidgid +%define pki_username pkiuser +%define pki_uid 17 +%define pki_groupname pkiuser +%define pki_gid 17 +%define pki_homedir /usr/share/pki + Name: pki-core -Version: 10.1.2 -Release: 7%{?dist} +Version: 10.2.5 +Release: 6%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -21,30 +56,56 @@ BuildRequires: ldapjdk BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io +BuildRequires: apache-commons-lang BuildRequires: jakarta-commons-httpclient BuildRequires: nspr-devel -BuildRequires: nss-devel +BuildRequires: nss-devel >= 3.14.3 + +%if 0%{?rhel} +BuildRequires: nuxwdog-client-java >= 1.0.1-11 +%else +BuildRequires: nuxwdog-client-java >= 1.0.3 +%endif + BuildRequires: openldap-devel BuildRequires: pkgconfig BuildRequires: policycoreutils +BuildRequires: python-lxml +BuildRequires: python-sphinx BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 %if 0%{?rhel} +# 'resteasy-base' is a subset of the complete set of +# 'resteasy' packages and consists of what is needed to +# support the PKI Restful interface on RHEL platforms BuildRequires: resteasy-base-atom-provider >= 3.0.6-1 BuildRequires: resteasy-base-client >= 3.0.6-1 BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1 BuildRequires: resteasy-base-jaxrs >= 3.0.6-1 BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1 -BuildRequires: resteasy-base-jettison-provider >= 3.0.6-1 +BuildRequires: resteasy-base-jackson-provider >= 3.0.6-1 +%else +%if 0%{?fedora} >= 22 +# Starting from Fedora 22, resteasy packages were split into +# subpackages. +BuildRequires: resteasy-atom-provider >= 3.0.6-7 +BuildRequires: resteasy-client >= 3.0.6-7 +BuildRequires: resteasy-jaxb-provider >= 3.0.6-7 +BuildRequires: resteasy-core >= 3.0.6-7 +BuildRequires: resteasy-jaxrs-api >= 3.0.6-7 +BuildRequires: resteasy-jackson-provider >= 3.0.6-7 %else -BuildRequires: resteasy >= 3.0.1-3 +BuildRequires: resteasy >= 3.0.6-2 +%endif %endif %if ! 0%{?rhel} BuildRequires: pylint %endif + +BuildRequires: python-nss BuildRequires: python-requests BuildRequires: libselinux-python BuildRequires: policycoreutils-python @@ -53,22 +114,43 @@ BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 BuildRequires: jss >= 4.2.6-35 BuildRequires: systemd-units -BuildRequires: tomcatjss >= 7.1.0-5 -Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz +%if 0%{?rhel} +BuildRequires: tomcatjss >= 7.1.0-6 +%else +BuildRequires: tomcatjss >= 7.1.2 +%endif + -Patch0: %{name}-%{version}-bz790924.patch -Patch1: %{name}-%{version}-bz1151147.patch -Patch2: %{name}-%{version}-bz1155654.patch -Patch3: %{name}-%{version}-bz871171.patch -Patch4: %{name}-%{version}-bz1158410.patch -Patch5: %{name}-%{version}-bz1165351.patch -Patch6: %{name}-%{version}-bz1165351-2.patch +# additional build requirements needed to build native 'tpsclient' +# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app +BuildRequires: apr-devel +BuildRequires: apr-util-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: httpd-devel >= 2.4.2 +BuildRequires: pcre-devel +BuildRequires: python +BuildRequires: systemd +BuildRequires: svrcore-devel +BuildRequires: zlib +BuildRequires: zlib-devel %if 0%{?rhel} -ExcludeArch: ppc ppc64 ppcle ppc64le s390 s390x +# NOTE: In the future, as a part of its path, this URL will contain a release +# directory which consists of the fixed number of the upstream release +# upon which this tarball was originally based. +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/rhel/%{name}-%{version}%{?prerel}.tar.gz +%else +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz %endif +Patch1: pki-core-rhel-7-2.patch +Patch2: pki-core-handle-JSON-decode-error.patch +Patch3: pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch +Patch4: pki-core-added-CLI-to-update-cert-data-and-request-in-CS-cfg.patch +Patch5: pki-core-fixed-pkidbuser-group-memberships.patch +Patch6: pki-core-added-support-for-secure-database-connection-in-CLI.patch + %global saveFileContext() \ if [ -s /etc/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ @@ -105,7 +187,7 @@ PKI Core contains ALL top-level java-based Tomcat PKI components: \ * pki-kra \ * pki-ocsp \ * pki-tks \ - * pki-tps-tomcat \ + * pki-tps \ * pki-javadoc \ \ which comprise the following corresponding PKI subsystems: \ @@ -159,7 +241,7 @@ least one PKI Theme package: \ Summary: Symmetric Key JNI Package Group: System Environment/Libraries -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: nss Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.2.6-35 @@ -196,24 +278,40 @@ Requires: apache-commons-io Requires: apache-commons-lang Requires: apache-commons-logging Requires: jakarta-commons-httpclient -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: javassist -Requires: jettison Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.2.6-35 Requires: ldapjdk Requires: python-ldap Requires: python-lxml Requires: python-requests >= 1.1.0-3 + %if 0%{?rhel} +# 'resteasy-base' is a subset of the complete set of +# 'resteasy' packages and consists of what is needed to +# support the PKI Restful interface on RHEL platforms Requires: resteasy-base-atom-provider >= 3.0.6-1 +Requires: resteasy-base-client >= 3.0.6-1 Requires: resteasy-base-jaxb-provider >= 3.0.6-1 Requires: resteasy-base-jaxrs >= 3.0.6-1 Requires: resteasy-base-jaxrs-api >= 3.0.6-1 -Requires: resteasy-base-jettison-provider >= 3.0.6-1 +Requires: resteasy-base-jackson-provider >= 3.0.6-1 +%else +%if 0%{?fedora} >= 22 +# Starting from Fedora 22, resteasy packages were split into +# subpackages. +Requires: resteasy-atom-provider >= 3.0.6-7 +Requires: resteasy-client >= 3.0.6-7 +Requires: resteasy-jaxb-provider >= 3.0.6-7 +Requires: resteasy-core >= 3.0.6-7 +Requires: resteasy-jaxrs-api >= 3.0.6-7 +Requires: resteasy-jackson-provider >= 3.0.6-7 %else -Requires: resteasy >= 3.0.1-3 +Requires: resteasy >= 3.0.6-2 %endif +%endif + Requires: xalan-j2 Requires: xerces-j2 Requires: xml-commons-apis @@ -239,7 +337,7 @@ Obsoletes: pki-java-tools < %{version}-%{release} Requires: openldap-clients Requires: nss Requires: nss-tools -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-base = %{version}-%{release} Requires: jpackage-utils >= 0:1.7.5-10 @@ -252,6 +350,8 @@ This package is a part of the PKI Core used by the Certificate System. %{overview} +%if %{with server} + %package -n pki-server Summary: Certificate System - PKI Server Framework Group: System Environment/Base @@ -266,33 +366,56 @@ Obsoletes: pki-deploy < %{version}-%{release} Obsoletes: pki-setup < %{version}-%{release} Obsoletes: pki-silent < %{version}-%{release} -Requires: java >= 1:1.7.0 -Requires: java-atk-wrapper +Requires: java-headless >= 1:1.7.0 Requires: net-tools + +%if 0%{?rhel} +Requires: nuxwdog-client-java >= 1.0.1-11 +%else +Requires: nuxwdog-client-java >= 1.0.3 +%endif + Requires: perl(File::Slurp) -Requires: perl(XML::LibXML) -Requires: perl-Crypt-SSLeay Requires: policycoreutils Requires: openldap-clients Requires: pki-base = %{version}-%{release} Requires: pki-tools = %{version}-%{release} Requires: policycoreutils-python -Requires: selinux-policy-base >= 3.11.1-43 +%if 0%{?fedora} >= 21 +Requires: selinux-policy-targeted >= 3.13.1-9 +%else +# 0%{?rhel} || 0%{?fedora} < 21 +Requires: selinux-policy-targeted >= 3.12.1-153 +%endif Obsoletes: pki-selinux %if 0%{?rhel} Requires: tomcat >= 7.0.54 %else Requires: tomcat >= 7.0.47 +%if 0%{?fedora} >= 23 +Requires: tomcat-el-3.0-api +Requires: tomcat-jsp-2.3-api +Requires: tomcat-servlet-3.1-api +%else +Requires: tomcat-el-2.2-api +Requires: tomcat-jsp-2.2-api +Requires: tomcat-servlet-3.0-api +%endif %endif Requires: velocity Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Requires(pre): shadow-utils -Requires: tomcatjss >= 7.1.0-5 +%if 0%{?rhel} +Requires: tomcatjss >= 7.1.0-6 +%else +Requires: tomcatjss >= 7.1.2 +%endif %description -n pki-server The PKI Server Framework is required by the following four PKI subsystems: @@ -314,7 +437,7 @@ Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -341,7 +464,7 @@ Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -374,7 +497,7 @@ Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -414,7 +537,7 @@ Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires: pki-symkey = %{version}-%{release} Requires(post): systemd-units @@ -443,20 +566,32 @@ provided by the PKI Core used by the Certificate System. %{overview} -%package -n pki-tps-tomcat +%package -n pki-tps Summary: Certificate System - Token Processing Service Group: System Environment/Daemons -BuildArch: noarch +Provides: pki-tps-tomcat +Provides: pki-tps-client + +Obsoletes: pki-tps-tomcat +Obsoletes: pki-tps-client -Provides: pki-tps -Requires: java >= 1:1.7.0 +Requires: java-headless >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-tps-tomcat +# additional runtime requirements needed to run native 'tpsclient' +# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app +Requires: mod_nss +Requires: mod_revocator +Requires: nss >= 3.14.3 +Requires: nss-tools >= 3.14.3 +Requires: openldap-clients +Requires: pki-symkey = %{version}-%{release} + +%description -n pki-tps The Token Processing System (TPS) is an optional PKI subsystem that acts as a Registration Authority (RA) for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from @@ -472,6 +607,10 @@ Token Key Service (TKS)) to fulfill the user's requests. TPS also interacts with the token database, an LDAP server that stores information about individual tokens. +The utility "tpsclient" is a test tool that interacts with TPS. This +tool is useful to test TPS server configs without risking an actual +smart card. + %{overview} @@ -497,11 +636,11 @@ This package is a part of the PKI Core used by the Certificate System. %{overview} +%endif # %{with server} + %prep %setup -q -n %{name}-%{version}%{?prerel} - -%patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -520,15 +659,25 @@ cd build -DBUILD_PKI_CORE:BOOL=ON \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -%if 0%{?rhel} - -DRESTEASY_LIB=/usr/share/java/resteasy-base \ -%else - -DRESTEASY_LIB=/usr/share/java/resteasy \ +%if ! %{with_tomcat7} + -DWITH_TOMCAT7:BOOL=OFF \ +%endif +%if ! %{with_tomcat8} + -DWITH_TOMCAT8:BOOL=OFF \ +%endif + -DRESTEASY_LIB=%{resteasy_lib} \ +%if ! %{with server} + -DWITH_SERVER:BOOL=OFF \ +%endif +%if ! %{with server} + -DWITH_SERVER:BOOL=OFF \ +%endif +%if ! %{with javadoc} + -DWITH_JAVADOC:BOOL=OFF \ %endif - %{?_without_javadoc:-DWITH_JAVADOC:BOOL=OFF} \ .. %{__make} VERBOSE=1 %{?_smp_mflags} all -# %{__make} VERBOSE=1 %{?_smp_mflags} test +# %{__make} VERBOSE=1 %{?_smp_mflags} unit-test %install @@ -536,36 +685,39 @@ cd build cd build %{__make} install DESTDIR=%{buildroot} INSTALL="install -p" +# Create symlinks for admin console (TPS does not use admin console) +for subsystem in ca kra ocsp tks; do + %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin + ln -s %{_datadir}/pki/server/webapps/pki/admin/console %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin +done + +# Create symlinks for subsystem libraries +for subsystem in ca kra ocsp tks tps; do + %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-nsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-cmsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-certsrv.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-cms.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-cmscore.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-cmsbundle.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib + ln -s %{_javadir}/pki/pki-$subsystem.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib +done + +%if %{with server} + %if ! 0%{?rhel} -# Scanning the python code with pylint. A return value of 0 represents there are no -# errors or warnings reported by pylint. +# Scanning the python code with pylint. sh ../pylint-build-scan.sh %{buildroot} `pwd` -if [ $? -eq 1 ]; then +if [ $? -ne 0 ]; then + echo "pylint failed. RC: $?" exit 1 fi %endif -%{__rm} %{buildroot}%{_initrddir}/pki-cad -%{__rm} %{buildroot}%{_initrddir}/pki-krad -%{__rm} %{buildroot}%{_initrddir}/pki-ocspd -%{__rm} %{buildroot}%{_initrddir}/pki-tksd -%{__rm} %{buildroot}%{_initrddir}/pki-tpsd - %{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib -# tomcat6 has changed how TOMCAT_LOG is used. -# Need to adjust accordingly -# This macro will be executed in the postinstall scripts -%define fix_tomcat_log() ( \ -if [ -d /etc/sysconfig/pki/%i ]; then \ - for F in `find /etc/sysconfig/pki/%1 -type f`; do \ - instance=`basename $F` \ - if [ -f /etc/sysconfig/$instance ]; then \ - sed -i -e 's/catalina.out/tomcat-initd.log/' /etc/sysconfig/$instance \ - fi \ - done \ -fi \ -) +%endif # %{with server} + %{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki %{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki @@ -596,6 +748,17 @@ if (test("/etc/sysconfig/pki/ca") or end %endif +%pre -n pki-server +getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} +if ! getent passwd %{pki_username} >/dev/null ; then + if ! getent passwd %{pki_uid} >/dev/null ; then + useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + else + useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + fi +fi +exit 0 + %post -n pki-base if [ $1 -eq 1 ] @@ -618,129 +781,7 @@ then rm -f %{_sysconfdir}/pki/pki.version fi -%post -n pki-ca -# Attempt to update ALL old "CA" instances to "systemd" -if [ -d /etc/sysconfig/pki/ca ]; then - for inst in `ls /etc/sysconfig/pki/ca`; do - if [ ! -e "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-cad@.service" \ - "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-cad@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - else - # Conditionally restart this Dogtag 9 instance - /bin/systemctl condrestart pki-cad@${inst}.service - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -%fix_tomcat_log ca - - -%post -n pki-kra -# Attempt to update ALL old "KRA" instances to "systemd" -if [ -d /etc/sysconfig/pki/kra ]; then - for inst in `ls /etc/sysconfig/pki/kra`; do - if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-krad@.service" \ - "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-krad@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - else - # Conditionally restart this Dogtag 9 instance - /bin/systemctl condrestart pki-krad@${inst}.service - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -%fix_tomcat_log kra - - -%post -n pki-ocsp -# Attempt to update ALL old "OCSP" instances to "systemd" -if [ -d /etc/sysconfig/pki/ocsp ]; then - for inst in `ls /etc/sysconfig/pki/ocsp`; do - if [ ! -e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-ocspd@.service" \ - "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-ocspd@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - else - # Conditionally restart this Dogtag 9 instance - /bin/systemctl condrestart pki-ocspd@${inst}.service - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -%fix_tomcat_log ocsp - - -%post -n pki-tks -# Attempt to update ALL old "TKS" instances to "systemd" -if [ -d /etc/sysconfig/pki/tks ]; then - for inst in `ls /etc/sysconfig/pki/tks`; do - if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then - ln -s "/lib/systemd/system/pki-tksd@.service" \ - "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" - [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst} - ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst} - - if [ -e /var/run/${inst}.pid ]; then - kill -9 `cat /var/run/${inst}.pid` || : - rm -f /var/run/${inst}.pid - echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - /bin/systemctl restart pki-tksd@${inst}.service || : - else - echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \ - /var/lib/${inst}/conf/CS.cfg || : - fi - else - # Conditionally restart this Dogtag 9 instance - /bin/systemctl condrestart pki-tksd@${inst}.service - fi - done -fi -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -%fix_tomcat_log tks - +%if %{with server} %post -n pki-server ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem @@ -751,34 +792,7 @@ echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{ver /sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 - -%preun -n pki-ca -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-cad.target > /dev/null 2>&1 || : -fi - - -%preun -n pki-kra -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || : -fi - - -%preun -n pki-ocsp -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || : -fi - - -%preun -n pki-tks -if [ $1 = 0 ] ; then - /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || : - /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || : -fi - +systemctl daemon-reload ## %preun -n pki-server ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem @@ -786,39 +800,14 @@ fi ## PKI deployment process -%postun -n pki-ca -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-cad.target >/dev/null 2>&1 || : -fi - - -%postun -n pki-kra -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || : -fi - - -%postun -n pki-ocsp -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || : -fi - - -%postun -n pki-tks -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ "$1" -ge "1" ] ; then - /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || : -fi - - ## %postun -n pki-server ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new ## PKI deployment process +%endif # %{with server} + + %files -n pki-symkey %defattr(-,root,root,-) %doc base/symkey/LICENSE @@ -829,10 +818,12 @@ fi %files -n pki-base %defattr(-,root,root,-) %doc base/common/LICENSE +%doc %{_datadir}/doc/pki-base/html %dir %{_datadir}/pki %{_datadir}/pki/VERSION %{_datadir}/pki/etc/ %{_datadir}/pki/upgrade/ +%{_datadir}/pki/key/templates %dir %{_sysconfdir}/pki %config(noreplace) %{_sysconfdir}/pki/pki.conf %dir %{_javadir}/pki @@ -846,6 +837,7 @@ fi %dir %{_localstatedir}/log/pki %{_sbindir}/pki-upgrade %{_mandir}/man8/pki-upgrade.8.gz +%{_mandir}/man1/pki-python-client.1.gz %files -n pki-tools %defattr(-,root,root,-) @@ -880,15 +872,29 @@ fi %{_javadir}/pki/pki-tools.jar %{_datadir}/pki/java-tools/ %{_mandir}/man1/pki.1.gz +%{_mandir}/man1/pki-cert.1.gz +%{_mandir}/man1/pki-client.1.gz +%{_mandir}/man1/pki-group.1.gz +%{_mandir}/man1/pki-group-member.1.gz +%{_mandir}/man1/pki-key.1.gz +%{_mandir}/man1/pki-securitydomain.1.gz +%{_mandir}/man1/pki-user.1.gz +%{_mandir}/man1/pki-user-cert.1.gz +%{_mandir}/man1/pki-ca-profile.1.gz + +%if %{with server} %files -n pki-server %defattr(-,root,root,-) %doc base/common/THIRD_PARTY_LICENSES %doc base/server/LICENSE +%doc base/server/README %{_sysconfdir}/pki/default.cfg %{_sbindir}/pkispawn %{_sbindir}/pkidestroy +%{_sbindir}/pki-server +%{_sbindir}/pki-server-nuxwdog %{_sbindir}/pki-server-upgrade #%{_bindir}/pki-setup-proxy %{python_sitelib}/pki/server/ @@ -897,24 +903,19 @@ fi %dir %{_datadir}/pki/scripts %{_datadir}/pki/scripts/operations %{_datadir}/pki/scripts/pkicommon.pm -%{_datadir}/pki/scripts/functions -%{_datadir}/pki/scripts/pki_apache_initscript %{_bindir}/pkidaemon %dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants %{_unitdir}/pki-tomcatd@.service %{_unitdir}/pki-tomcatd.target +%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants +%{_unitdir}/pki-tomcatd-nuxwdog@.service +%{_unitdir}/pki-tomcatd-nuxwdog.target %{_javadir}/pki/pki-cms.jar %{_javadir}/pki/pki-cmsbundle.jar %{_javadir}/pki/pki-cmscore.jar -%{_javadir}/pki/pki-silent.jar %{_javadir}/pki/pki-tomcat.jar %dir %{_sharedstatedir}/pki -%{_bindir}/pkicreate -%{_bindir}/pkiremove %{_bindir}/pki-setup-proxy -%{_bindir}/pkisilent -%{_datadir}/pki/silent/ -%{_bindir}/pkicontrol %{_mandir}/man5/pki_default.cfg.5.gz %{_mandir}/man8/pki-server-upgrade.8.gz %{_mandir}/man8/pkidestroy.8.gz @@ -923,12 +924,10 @@ fi %{_datadir}/pki/setup/ %{_datadir}/pki/server/ + %files -n pki-ca %defattr(-,root,root,-) %doc base/ca/LICENSE -%dir %{_sysconfdir}/systemd/system/pki-cad.target.wants -%{_unitdir}/pki-cad@.service -%{_unitdir}/pki-cad.target %{_javadir}/pki/pki-ca.jar %dir %{_datadir}/pki/ca %{_datadir}/pki/ca/conf/ @@ -941,9 +940,6 @@ fi %files -n pki-kra %defattr(-,root,root,-) %doc base/kra/LICENSE -%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants -%{_unitdir}/pki-krad@.service -%{_unitdir}/pki-krad.target %{_javadir}/pki/pki-kra.jar %dir %{_datadir}/pki/kra %{_datadir}/pki/kra/conf/ @@ -953,9 +949,6 @@ fi %files -n pki-ocsp %defattr(-,root,root,-) %doc base/ocsp/LICENSE -%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants -%{_unitdir}/pki-ocspd@.service -%{_unitdir}/pki-ocspd.target %{_javadir}/pki/pki-ocsp.jar %dir %{_datadir}/pki/ocsp %{_datadir}/pki/ocsp/conf/ @@ -965,95 +958,214 @@ fi %files -n pki-tks %defattr(-,root,root,-) %doc base/tks/LICENSE -%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants -%{_unitdir}/pki-tksd@.service -%{_unitdir}/pki-tksd.target %{_javadir}/pki/pki-tks.jar %dir %{_datadir}/pki/tks %{_datadir}/pki/tks/conf/ %{_datadir}/pki/tks/setup/ %{_datadir}/pki/tks/webapps/ -%files -n pki-tps-tomcat +%files -n pki-tps %defattr(-,root,root,-) %doc base/tps/LICENSE -%dir %{_sysconfdir}/systemd/system/pki-tpsd.target.wants -%{_unitdir}/pki-tpsd@.service -%{_unitdir}/pki-tpsd.target %{_javadir}/pki/pki-tps.jar %dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/applets/ %{_datadir}/pki/tps/conf/ %{_datadir}/pki/tps/setup/ %{_datadir}/pki/tps/webapps/ - -%if %{?_without_javadoc:0}%{!?_without_javadoc:1} +%{_mandir}/man5/pki-tps-connector.5.gz +%{_mandir}/man5/pki-tps-profile.5.gz +# files for native 'tpsclient' +# REMINDER: Remove this comment once 'tpsclient' is rewritten as a Java app +%{_bindir}/tpsclient +%{_libdir}/tps/libtps.so +%{_libdir}/tps/libtokendb.so + +%if %{with javadoc} %files -n pki-javadoc %defattr(-,root,root,-) %{_javadocdir}/pki-%{version}/ %endif +%endif # %{with server} %changelog -* Wed Nov 26 2014 Matthew Harmsen 10.1.2-7 -- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent - packages not found - fixed shell tests - -* Wed Nov 19 2014 Matthew Harmsen 10.1.2-6 -- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent - packages not found - -* Thu Nov 13 2014 Christina Fu 10.1.2-5 -- Bugzilla Bug #1155654 - Check for null values in GetConfigEntries (alee) -- Bugzilla Bug #1158410 - Add TLS Range in server.xml (cfu) -- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and TLS v1.2 - (client-side code) (cfu) -- Updated JSS from "4.2.6-28" to "4.2.6-35" (TLS) -- Require tomcatjss "7.1.0-5" (TLS) - -* Tue Oct 28 2014 Christina Fu 10.1.2-4 -- Bugzilla Bug #1151147 - External CA install does not work - with CA certificates signed by Microsoft Certificate Services - -* Fri Sep 26 2014 Christina Fu 10.1.2-3 -- Bugzilla Bug #790924 - pkispawn (configuration) does not provide CA - extensions in subordinate certificate signing requests (CSR) - -* Fri Sep 19 2014 Matthew Harmsen 10.1.2-2 -- Bugzilla Bug #1108303 - Rebase pki-core to 10.1 (RHEL) -- Bugzilla Bug #1117073 - pki-core ppc64le is missing from ExcludeArch line - of spec file (RHEL) -- Bumped required runtime version of tomcat >= 7.0.54 (RHEL) -- Changed buildtime requirement from 'resteasy-base-jackson-provider >= 3.0.6-1' - to 'resteasy-base-jettison-provider >= 3.0.6-1' (RHEL) -- Added version number of '>= 3.0.6-1' to runtime requirements for all - 'resteasy-base' packages (RHEL) - -* Thu Sep 18 2014 Ade Lee 10.1.2-1 -- Backport fix for ticket 499 -- Bump version to ensure migration scripts are run - -* Thu Sep 11 2014 Matthew Harmsen 10.1.1-2 -- Add missing 'jakarta-commons-httpclient' build and runtime requirement -- Exclude the 'ppcle' and 'ppc64le' platforms from being built on RHEL platforms -- Update 'resteasy-base' requirements on RHEL platforms -- Suppress pylint on RHEL platforms - -* Fri Mar 21 2014 Matthew Harmsen 10.1.1-1 -- PKI TRAC Ticket #840 - pkispawn requires policycoreutils-python (mharmsen) -- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python (mharmsen) -- PKI TRAC Ticket #868 - REST API get certs links missing segment - (alee, mharmsen) -- PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys - install - systemctl start pki-tomcatd.target fails - (mharmsen) -- PKI TRAC Ticket #816 - pki-tomcat cannot be started after installation of - ipa replica with ca - (alee, cfu, edewata, mharmsen) -- Updated version number. - -* Wed Jan 29 2014 Matthew Harmsen 10.1.0-2 +* Mon Sep 21 2015 Dogtag Team 10.2.5-6 +- Bugzilla Bug #1258630 - Upgraded CA lacks ca.sslserver.certreq + in CS.cfg [edewata] +- Bugzilla Bug #1258634 - CA fails to authenticate to KRA for + archival [edewata] + +* Wed Aug 12 2015 Dogtag Team 10.2.5-5 +- Bugzilla Bug #1253045 - handle_exceptions() raises JSONDecodeError [cheimes] + 'pki-core-handle-JSON-decode-error.patch' +- modified for RHEL 7.2 by removing changes to '.gitignore', + 'tests/python/test_pki.py', and 'tox.ini' [mharmsen] +- Bugzilla Bug #1253047 - issues in cloning from dogtag 9 to 10 [alee] + 'pki-core-fix-exception-when-talking-to-Dogtag-9-systems.patch' + +* Wed Jul 15 2015 Dogtag Team 10.2.5-4 +- Bugzilla Bug #1143067 - The pkiuser user/group should be created in + rpm %%pre, and ideally with fixed uid/gid [cheimes] + +* Mon Jul 6 2015 Dogtag Team 10.2.5-3 +- Dogtag 10.2.5-3 patch for RHEL 7.2 Re-base +- git format-patch cc97f8628b23f8ea75308bb97a31307cb4f162b9^.. + ac5447a8e0bac5112882be700a17a9274e322adc --stdout > pki-core-rhel-7-2.patch +- remove e5c4e87ac5ce881efa160352ce87ad81026f3446 (QE test) +- Contents of 'pki-core-rhel-7-2.patch': +- PKI TRAC Ticket #1249 - Misleading self test log message [edewata] +- PKI TRAC Ticket #1444 - pkispawn: installation aborts when HSM contains + empty slots [edewata] +- PKI TRAC Ticket #995 - Provide more info on how to use --input with pki + cert-find in the man page [edewata] +- PKI TRAC Ticket #1122 - Need to describe paging options in 'pki' man page + [edewata] +- Cleaned up SystemConfigService.validateRequest() [edewata] +- Cleaned up SystemConfigService.configureClone() [edewata] +- PKI TRAC Ticket #1438 - pkispawn: SSL_ForceHandshake issue for non-CA on + HSM on both shared and nonshared tomcat instances [cfu] +- PKI TRAC Ticket #1442 - Ability to toggle profile usablity in Web vs CLI + tools [jmagne] +- PKI TRAC Ticket #1441 - Lack of Interactive Installation Support + (Cloning, Subordinates, Externals, HSMs, ECC) [mharmsen] +- PKI TRAC Ticket #1446 - Unable to select ECC Curves from EE [jmagne] +- Fixed pki help CLI [edewata] +- Fixed NPE in key-archive CLI [edewata] +- PKI TRAC Ticket #891 - Missing fail-over code in HttpConnection [edewata] +- PKI TRAC Ticket #1447 - pkispawn: findCertByNickname fails to find cert in + creating shared tomcat subsystems on HSM [cfu] +- PKI TRAC Ticket #1425 - pkispawn CA with HSM - if the config file has + pki_client related params the dir is not created and the admin cert p12 + file is stored nowhere [mharmsen] +- PKI TRAC Ticket #1358 - Retrying failed OCSP clone results duplicate + replecation id and a failure [jmagne] +- PKI TRAC Ticket #1462 - profile update in raw format accepts bad config + [ftweedal] +- PKI TRAC Ticket #1449 - pki cert-find could be time consuming: add VLV + index for new installations [edewata] + +* Sat Jun 20 2015 Dogtag Team 10.2.5-2 +- Remove ExcludeArch directive + +* Fri Jun 19 2015 Dogtag Team 10.2.5-1 +- Update release number for release build + +* Fri May 29 2015 Dogtag Team 10.2.4-2 +- Fixed issues found during testing previous build +- Update release number for release build + +* Tue May 26 2015 Dogtag Team 10.2.4-1 +- Update release number for release build + +* Tue May 12 2015 Dogtag Team 10.2.4-0.2 +- Updated nuxwdog and tomcatjss requirements (alee) + +* Thu Apr 23 2015 Dogtag Team 10.2.4-0.1 +- Updated version number to 10.2.4-0.1 +- Added nuxwdog systemd files + +* Thu Apr 23 2015 Dogtag Team 10.2.3-1 +- Update release number for release build + +* Thu Apr 9 2015 Dogtag Team 10.2.3-0.1 +- Reverted version number back to 10.2.3-0.1 +- Added support for Tomcat 8. + +* Mon Apr 6 2015 Dogtag Team 10.3.0-0.1 +- Updated version number to 10.3.0-0.1 + +* Wed Mar 18 2015 Dogtag Team 10.2.3-0.1 +- Updated version number to 10.2.3-0.1 + +* Tue Mar 17 2015 Dogtag Team 10.2.2-1 +- Update release number for release build + +* Mon Jan 19 2015 Dogtag Team 10.2.1-1 +- Change resteasy dependencies for F22+ +- Added CLIs to simplify generating user certificates +- Added enhancements to KRA Python API +- Added a man page for pki ca-profile commands. +- Added python api docs +- Update release number for release build +- Updated Resteasy and Jackson dependencies. + +* Tue Dec 16 2014 Matthew Harmsen - 10.2.0-6 +- Bugzilla Bug #1160435 - Remove obsolete packages from CS 9.0 +- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2 +- PKI TRAC Ticket #1205 - Outdated selinux-policy dependency. +- Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime + dependencies + +* Tue Dec 2 2014 Matthew Harmsen - 10.2.0-5 +- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not + found (mharmsen) +- PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen) +- Bugzilla Bug #1151147 - issuerDN encoding correction (cfu) + +* Mon Nov 24 2014 Christina Fu 10.2.0-4 +- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade +- up the release number to 4 + +* Wed Oct 1 2014 Ade Lee 10.2.0-3 +- Disable pylint dependency for RHEL builds +- Added jakarta-commons-httpclient requirements +- Added tomcat version for RHEL build +- Added resteasy-base-client for RHEL build + +* Wed Sep 24 2014 Matthew Harmsen - 10.2.0-2 +- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec + +* Wed Sep 3 2014 Dogtag Team 10.2.0-1 +- Update release number for release build + +* Wed Sep 3 2014 Matthew Harmsen - 10.2.0-0.10 +- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps + +* Fri Aug 29 2014 Matthew Harmsen - 10.2.0-0.9 +- Merged jmagne@redhat.com's spec file changes from the stand-alone + 'pki-tps-client' package needed to build/run the native 'tpsclient' + command line utility into this 'pki-core' spec file under the 'tps' package. +- Original tps libararies must be built to support this native utility. +- Modifies tps package from 'noarch' into 'architecture-specific' package + +* Wed Aug 27 2014 Matthew Harmsen - 10.2.0-0.8 +- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' + packages . . . + +* Sun Aug 17 2014 Fedora Release Engineering - 10.2.0-0.5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Jack Magne - 10.2.0-0.7 +- Respin to include the applet files with the rpm install. No change + to spec file needed. + +* Tue Jul 15 2014 Matthew Harmsen - 10.2.0-0.6 +- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires -- + drop dependency on java-atk-wrapper +- Removed 'java-atk-wrapper' dependency from 'pki-server' + +* Wed Jul 2 2014 Matthew Harmsen - 10.2.0-0.5 +- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . . + +* Tue Jul 1 2014 Ade Lee - 10.2.0-0.4 +- Update rawhide build + +* Sat Jun 07 2014 Fedora Release Engineering - 10.2.0-0.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Mar 28 2014 Michael Simacek - 10.2.0-0.2 +- Use Requires: java-headless rebuild (#1067528) + +* Fri Nov 22 2013 Dogtag Team 10.2.0-0.1 +- Added option to build without server packages. +- Replaced Jettison with Jackson. +- Added python-nss build requirement - Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python - TRAC Ticket #840 - pkispawn requires policycoreutils-python +- Updated requirements for resteasy +- Added template files for archive, retrieve and generate key + requests to the client package. * Fri Nov 15 2013 Ade Lee 10.1.0-1 - Trac Ticket 788 - Clean up spec files