diff --git a/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch b/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch new file mode 100644 index 0000000..615721b --- /dev/null +++ b/SOURCES/pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch @@ -0,0 +1,151 @@ +From cf8ba1882bd5349f53d3171824d1eb4c56bc7348 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 28 Aug 2017 23:50:33 +0200 +Subject: [PATCH] Displaying tokenType and tokenOrigin in TPS UI and CLI. + +The TPSCertService has been modified to include tokenType and +tokenOrigin fields in the returned token certificate data. The +TPS UI and CLI have been modified to display the fields. + +https://pagure.io/dogtagpki/issue/2793 + +Change-Id: I740fa69b81de3033e186f8d99c335814275b7218 +(cherry picked from commit 062c99a9012b2d7b00fabc2d2b565415800ce6a7) +--- + .../com/netscape/certsrv/tps/cert/TPSCertData.java | 52 +++++++++++++++++----- + .../com/netscape/cmstools/tps/cert/TPSCertCLI.java | 4 +- + 2 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java +index 7cefc791d..63ea26667 100644 +--- a/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java ++++ b/base/common/src/com/netscape/certsrv/tps/cert/TPSCertData.java +@@ -53,10 +53,12 @@ public class TPSCertData { + String id; + String serialNumber; + String subject; ++ String userID; + String tokenID; ++ String origin; ++ String type; + String keyType; + String status; +- String userID; + Date createTime; + Date modifyTime; + +@@ -89,6 +91,15 @@ public class TPSCertData { + this.subject = subject; + } + ++ @XmlElement(name="UserID") ++ public String getUserID() { ++ return userID; ++ } ++ ++ public void setUserID(String userID) { ++ this.userID = userID; ++ } ++ + @XmlElement(name="TokenID") + public String getTokenID() { + return tokenID; +@@ -98,6 +109,24 @@ public class TPSCertData { + this.tokenID = tokenID; + } + ++ @XmlElement(name="Origin") ++ public String getOrigin() { ++ return origin; ++ } ++ ++ public void setOrigin(String origin) { ++ this.origin = origin; ++ } ++ ++ @XmlElement(name="Type") ++ public String getType() { ++ return type; ++ } ++ ++ public void setType(String type) { ++ this.type = type; ++ } ++ + @XmlElement(name="KeyType") + public String getKeyType() { + return keyType; +@@ -116,15 +145,6 @@ public class TPSCertData { + this.status = status; + } + +- @XmlElement(name="UserID") +- public String getUserID() { +- return userID; +- } +- +- public void setUserID(String userID) { +- this.userID = userID; +- } +- + @XmlElement(name="CreateTime") + public Date getCreateTime() { + return createTime; +@@ -161,10 +181,12 @@ public class TPSCertData { + result = prime * result + ((keyType == null) ? 0 : keyType.hashCode()); + result = prime * result + ((link == null) ? 0 : link.hashCode()); + result = prime * result + ((modifyTime == null) ? 0 : modifyTime.hashCode()); ++ result = prime * result + ((origin == null) ? 0 : origin.hashCode()); + result = prime * result + ((serialNumber == null) ? 0 : serialNumber.hashCode()); + result = prime * result + ((status == null) ? 0 : status.hashCode()); + result = prime * result + ((subject == null) ? 0 : subject.hashCode()); + result = prime * result + ((tokenID == null) ? 0 : tokenID.hashCode()); ++ result = prime * result + ((type == null) ? 0 : type.hashCode()); + result = prime * result + ((userID == null) ? 0 : userID.hashCode()); + return result; + } +@@ -203,6 +225,11 @@ public class TPSCertData { + return false; + } else if (!modifyTime.equals(other.modifyTime)) + return false; ++ if (origin == null) { ++ if (other.origin != null) ++ return false; ++ } else if (!origin.equals(other.origin)) ++ return false; + if (serialNumber == null) { + if (other.serialNumber != null) + return false; +@@ -223,6 +250,11 @@ public class TPSCertData { + return false; + } else if (!tokenID.equals(other.tokenID)) + return false; ++ if (type == null) { ++ if (other.type != null) ++ return false; ++ } else if (!type.equals(other.type)) ++ return false; + if (userID == null) { + if (other.userID != null) + return false; +diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java +index 835a522e1..db6867b2d 100644 +--- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertCLI.java +@@ -53,10 +53,12 @@ public class TPSCertCLI extends CLI { + System.out.println(" Cert ID: " + cert.getID()); + if (cert.getSerialNumber() != null) System.out.println(" Serial Number: " + cert.getSerialNumber()); + if (cert.getSubject() != null) System.out.println(" Subject: " + cert.getSubject()); ++ if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID()); + if (cert.getTokenID() != null) System.out.println(" Token ID: " + cert.getTokenID()); ++ if (cert.getOrigin() != null) System.out.println(" Origin: " + cert.getOrigin()); ++ if (cert.getType() != null) System.out.println(" Type: " + cert.getType()); + if (cert.getKeyType() != null) System.out.println(" Key Type: " + cert.getKeyType()); + if (cert.getStatus() != null) System.out.println(" Status: " + cert.getStatus()); +- if (cert.getUserID() != null) System.out.println(" User ID: " + cert.getUserID()); + if (cert.getCreateTime() != null) System.out.println(" Create Time: " + cert.getCreateTime()); + if (cert.getModifyTime() != null) System.out.println(" Modify Time: " + cert.getModifyTime()); + +-- +2.13.5 + diff --git a/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch b/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch new file mode 100644 index 0000000..8ae52e9 --- /dev/null +++ b/SOURCES/pki-core-Fix-JSON-encoding-in-Python-3.patch @@ -0,0 +1,59 @@ +From 4e76af1fe276a3b9b1392c97ef427a1ecfa42759 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 28 Aug 2017 14:43:55 +1000 +Subject: [PATCH] KeyClient: fix json encoding in Python 3 + +Fixes: https://pagure.io/dogtagpki/issue/2746 +Change-Id: Iec2912bb90192fec403ac94006ff5927d3526533 +(cherry picked from commit b654e60f20b9e83833313ab89006db8f063bff1f) +--- + base/common/python/pki/key.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py +index d2b82970e..a5fc7928c 100644 +--- a/base/common/python/pki/key.py ++++ b/base/common/python/pki/key.py +@@ -668,7 +668,7 @@ class KeyClient(object): + raise TypeError("Must specify Client Key ID") + + if trans_wrapped_session_key is not None: +- twsk = base64.b64encode(trans_wrapped_session_key) ++ twsk = base64.b64encode(trans_wrapped_session_key).decode('ascii') + # noinspection PyUnusedLocal + request = SymKeyGenerationRequest( + client_key_id=client_key_id, +@@ -861,9 +861,9 @@ class KeyClient(object): + if not nonce_iv: + raise TypeError('Missing nonce IV') + +- data = base64.b64encode(encrypted_data) +- twsk = base64.b64encode(wrapped_session_key) +- symkey_params = base64.b64encode(nonce_iv) ++ data = base64.b64encode(encrypted_data).decode('ascii') ++ twsk = base64.b64encode(wrapped_session_key).decode('ascii') ++ symkey_params = base64.b64encode(nonce_iv).decode('ascii') + + request = KeyArchivalRequest(client_key_id=client_key_id, + data_type=data_type, +@@ -904,7 +904,7 @@ class KeyClient(object): + if pki_archive_options is None: + raise TypeError("No data provided to be archived") + +- data = base64.b64encode(pki_archive_options) ++ data = base64.b64encode(pki_archive_options).decode('ascii') + request = KeyArchivalRequest(client_key_id=client_key_id, + data_type=data_type, + pki_archive_options=data, +@@ -1022,7 +1022,7 @@ class KeyClient(object): + key_id=key_id, + request_id=request_id, + trans_wrapped_session_key=base64.b64encode( +- trans_wrapped_session_key), ++ trans_wrapped_session_key).decode('ascii'), + payload_encryption_oid=self.encrypt_alg_oid, + payload_wrapping_name=self.wrap_name + ) +-- +2.13.5 + diff --git a/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch b/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch new file mode 100644 index 0000000..374da35 --- /dev/null +++ b/SOURCES/pki-core-Fix-lightweight-CA-replication-NPE-failure.patch @@ -0,0 +1,30 @@ +From 606027b188fee6d20c17323d7c464d6630024a20 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 23 Aug 2017 20:53:25 +1000 +Subject: [PATCH] Fix regression in lightweight CA replication + +Fixes: https://pagure.io/dogtagpki/issue/2796 +Change-Id: Ic5e42b80156f777299f4e487932305160c2d48f6 +--- + base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index eca8dddb6..2daf0d797 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -2307,8 +2307,9 @@ public class CryptoUtil { + BIT_STRING encSymKey = encVal.getEncSymmKey(); + BIT_STRING encPrivKey = encVal.getEncValue(); + +- SymmetricKey sk = unwrap(token, SymmetricKey.Type.DES3, 0, null, unwrappingKey, encSymKey.getBits(), +- KeyWrapAlgorithm.RSA); ++ SymmetricKey sk = unwrap( ++ token, SymmetricKey.Type.DES3, 0, SymmetricKey.Usage.UNWRAP, ++ unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA); + + ASN1Value v = algId.getParameters(); + v = ((ANY) v).decodeWith(new OCTET_STRING.Template()); +-- +2.13.5 + diff --git a/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch b/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch new file mode 100644 index 0000000..9d0628e --- /dev/null +++ b/SOURCES/pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch @@ -0,0 +1,71 @@ +From ab0cb37875648abfc07e7d781fa91c368f67d313 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 25 Jul 2017 18:02:02 -0700 +Subject: [PATCH] Ticket #2788 Missing CN in user signing cert would cause + error in cmc user-signed This patch takes care of the issue that + CMCUserSignedAuth cannot handle cases when CN is not in the subjectDN + +Change-Id: Ieac0712d051dcb993498d9680f005c04158b5549 +(cherry picked from commit 507a8888b6eccfe716ca7bc4647f71cee973afcf) +--- + .../netscape/cms/authentication/CMCUserSignedAuth.java | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index e11a34427..7f872c83d 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -371,9 +371,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + } else { + CMS.debug(method + "signed with user cert"); + userid = userToken.getInString("userid"); +- uid = userToken.getInString("cn"); ++ uid = userToken.getInString("id"); + if (userid == null && uid == null) { +- msg = " verifySignerInfo failure... missing userid and cn"; ++ msg = " verifySignerInfo failure... missing id"; + CMS.debug(method + msg); + throw new EBaseException(msg); + } +@@ -1069,7 +1069,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // cert subject principal later in CMCOutputTemplate + // in case of user signed revocation + auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal); +- auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName()); ++ auditContext.put(SessionContext.CMC_SIGNER_INFO, ++ cmcPrincipal.toString()); + + // check ssl client cert against cmc signer + if (!clientPrincipal.equals(cmcPrincipal)) { +@@ -1160,13 +1161,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + IAuthToken tempToken = new AuthToken(null); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); +- String CN = tempPrincipal.getCommonName(); //tempToken.get("userid"); +- CMS.debug(method + " Principal name = " + CN); ++ String ID = tempPrincipal.toString(); //tempToken.get("userid"); ++ CMS.debug(method + " Principal name = " + ID); + + BigInteger certSerial = x509Certs[0].getSerialNumber(); + CMS.debug(method + " verified cert serial=" + certSerial.toString()); + authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString()); +- tempToken.set("cn", CN); ++ tempToken.set("id", ID); + + s.close(); + return tempToken; +@@ -1221,9 +1222,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + netscape.security.x509.X500Name principal = + (X500Name) cert.getSubjectDN(); + +- String CN = principal.getCommonName(); +- CMS.debug(method + " Principal name = " + CN); +- auditContext.put(SessionContext.USER_ID, CN); ++ CMS.debug(method + " Principal name = " + principal.toString()); ++ auditContext.put(SessionContext.USER_ID, principal.toString()); + } + + public String[] getExtendedPluginInfo(Locale locale) { +-- +2.13.5 + diff --git a/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch b/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch new file mode 100644 index 0000000..38d1c4e --- /dev/null +++ b/SOURCES/pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch @@ -0,0 +1,34 @@ +From 09b673f3f4bbc5e9b70722bbe240e0347e3dd3fc Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 11 Aug 2017 15:17:09 +1000 +Subject: [PATCH] Fix FixDeploymentDescriptor upgrade script if source file is + missing + +On RHEL, the pki#admin.xml file may be absent, causing the +FixDeploymentDescriptor to break (and subsequent upgrade scriptlets +to not be executed). Add a check that the source file exists. + +Fixes: https://pagure.io/dogtagpki/issue/2789 +Change-Id: I686e8fae534f8044cb1ce40b31e2462c4f0ac988 +(cherry picked from commit d0a861923a27672d8633c87e21fb8596080e84af) +--- + base/server/upgrade/10.3.5/02-FixDeploymentDescriptor | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor +index 27c895980..858dbed43 100644 +--- a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor ++++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor +@@ -46,6 +46,9 @@ class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet): + source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml + target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml + ++ if not os.path.exists(source_xml): ++ return ++ + # if deployment descriptor doesn't exist, install the default + if not os.path.exists(target_xml): + self.copy_file(instance, source_xml, target_xml) +-- +2.13.5 + diff --git a/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch b/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch new file mode 100644 index 0000000..6a28873 --- /dev/null +++ b/SOURCES/pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch @@ -0,0 +1,77 @@ +From b16956b856e9bb8ffa8d2cd356f4120b36ebe6e9 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 6 Apr 2017 13:27:56 +1000 +Subject: [PATCH] KRA: use AES in PKCS #12 recovery for encrypted keys + +The KRA has two private key recovery code paths: one dealing with +keys wrapped to the storage key, and one dealing with symmetrically +encrypted keys. Each has a separate function for constructing a +PKCS #12 file for the recovered key. + +This commit updates the PKCS #12 generation for encrypted keys to +use AES encryption. From the KRA recovery process we start with a +byte[] of PrivateKeyInfo. The previous procedure used +EncryptedPrivateKeyInfo.createPBE(), the encryption algorithm being +PBEAlgorithm.PBE_SHA1_DES3_CBC. This commit changes the procedure +to use AES, using the new EncryptedPrivateKeyInfo.createPBES2() JSS +method and AES_128_CBC_PAD. + +The old codepath is retained and selected by the kra.legacyPKCS12 +CMS config. It is needed if the token/HSM does not support the +CKM_PKCS5_PBKD2 PKCS #11 mechanism. + +Fixes: https://pagure.io/dogtagpki/issue/2664 + +Change-Id: Ie292147caab357679b2be5cf3b6cd739e5bed8e0 +(cherry picked from commit ae97f21bf8d2ec83a410127872dd196a46f9dbbd) +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 24 +++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index 023eb8093..a7d639208 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -648,18 +648,36 @@ public class RecoveryService implements IService { + SEQUENCE safeContents = new SEQUENCE(); + PasswordConverter passConverter = new + PasswordConverter(); +- byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + PrivateKeyInfo pki = (PrivateKeyInfo) + ASN1Util.decode(PrivateKeyInfo.getTemplate(), + priData); +- ASN1Value key = EncryptedPrivateKeyInfo.createPBE( ++ EncryptedPrivateKeyInfo epki = null; ++ ++ boolean legacyP12 = ++ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true); ++ ++ if (legacyP12) { ++ /* legacy mode may be required e.g. when token/HSM ++ * does not support CKM_PKCS5_PBKD2 mechanism */ ++ byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; ++ epki = EncryptedPrivateKeyInfo.createPBE( + PBEAlgorithm.PBE_SHA1_DES3_CBC, + pass, salt, 1, passConverter, pki); ++ } else { ++ epki = EncryptedPrivateKeyInfo.createPBES2( ++ 16, // saltLen ++ 2000, // kdfIterations ++ EncryptionAlgorithm.AES_128_CBC_PAD, ++ pass, ++ passConverter, ++ pki); ++ } ++ + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), + localKeyId); + SafeBag keyBag = new SafeBag( +- SafeBag.PKCS8_SHROUDED_KEY_BAG, key, ++ SafeBag.PKCS8_SHROUDED_KEY_BAG, epki, + keyAttrs); // ?? + + safeContents.addElement(keyBag); +-- +2.13.5 + diff --git a/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch b/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch new file mode 100644 index 0000000..e0b175d --- /dev/null +++ b/SOURCES/pki-core-Make-PKCS12-files-compatible-with-PBES2.patch @@ -0,0 +1,162 @@ +From 137832b2892dfc596ed067a86242d341f2c325e7 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 14 Sep 2017 12:22:47 +1000 +Subject: [PATCH] Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31 + +For compatibility with OpenSSL and NSS >= 3.31, the passphrase must +not be BMPString-encoded when non-PKCS #12 PBE schemes such as +PBES2. + +Fixes: https://pagure.io/dogtagpki/issue/2809 + +Change-Id: Ic78ad337ac0b9b2f5d2e75581cc0ee55e6d82782 +(cherry picked from commit ed5cccefebf98e588a5385191e43f727349b54a9) +--- + base/kra/src/com/netscape/kra/RecoveryService.java | 26 +++++++++++++++---- + .../cms/servlet/csadmin/ConfigurationUtils.java | 15 ++++++++--- + .../src/netscape/security/pkcs/PKCS12Util.java | 29 ++++++++++++++++++---- + 3 files changed, 57 insertions(+), 13 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java +index a7d639208..0d293e411 100644 +--- a/base/kra/src/com/netscape/kra/RecoveryService.java ++++ b/base/kra/src/com/netscape/kra/RecoveryService.java +@@ -508,10 +508,21 @@ public class RecoveryService implements IService { + } + } else { + byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo( ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. ++ */ ++ null /* passConverter */, ++ pass, + /* NSS has a bug that causes any AES CBC encryption + * to use AES-256, but AlgorithmID contains chosen + * alg. To avoid mismatch, use AES_256_CBC. */ +- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey); ++ EncryptionAlgorithm.AES_256_CBC, ++ 0 /* iterations (use default) */, ++ priKey); + CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned"); + if (epkiBytes == null) { + CMS.debug("RecoverService: createPFX() epkiBytes null"); +@@ -646,8 +657,6 @@ public class RecoveryService implements IService { + pwd.toCharArray()); + + SEQUENCE safeContents = new SEQUENCE(); +- PasswordConverter passConverter = new +- PasswordConverter(); + PrivateKeyInfo pki = (PrivateKeyInfo) + ASN1Util.decode(PrivateKeyInfo.getTemplate(), + priData); +@@ -662,14 +671,21 @@ public class RecoveryService implements IService { + byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + epki = EncryptedPrivateKeyInfo.createPBE( + PBEAlgorithm.PBE_SHA1_DES3_CBC, +- pass, salt, 1, passConverter, pki); ++ pass, salt, 1, new PasswordConverter(), pki); + } else { + epki = EncryptedPrivateKeyInfo.createPBES2( + 16, // saltLen + 2000, // kdfIterations + EncryptionAlgorithm.AES_128_CBC_PAD, + pass, +- passConverter, ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. ++ */ ++ null /* passConverter */, + pki); + } + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index ebade36bc..df3b4672d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -1058,9 +1058,18 @@ public class ConfigurationUtils { + // this is OK + } + +- // import private key into database +- store.importEncryptedPrivateKeyInfo( +- new PasswordConverter(), password, nickname, publicKey, epki); ++ try { ++ // first true without BMPString-encoding the passphrase. ++ store.importEncryptedPrivateKeyInfo( ++ null, password, nickname, publicKey, epki); ++ } catch (Exception e) { ++ // if that failed, try again with BMPString-encoded ++ // passphrase. This is required for PKCS #12 PBE ++ // schemes and for PKCS #12 files using PBES2 generated ++ // by NSS < 3.31 ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epki); ++ } + } + + CMS.debug("Importing new certificates:"); +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 1bc1baee5..1018b21f6 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -134,16 +134,25 @@ public class PKCS12Util { + } + logger.debug("Encrypting private key for " + keyInfo.subjectDN); + +- PasswordConverter passConverter = new PasswordConverter(); + epkiBytes = CryptoManager.getInstance() + .getInternalKeyStorageToken() + .getCryptoStore() + .getEncryptedPrivateKeyInfo( ++ /* For compatibility with OpenSSL and NSS >= 3.31, ++ * do not BMPString-encode the passphrase when using ++ * non-PKCS #12 PBE scheme such as PKCS #5 PBES2. ++ * ++ * The resulting PKCS #12 is not compatible with ++ * NSS < 3.31. ++ */ ++ null /* passConverter */, ++ password, + /* NSS has a bug that causes any AES CBC encryption + * to use AES-256, but AlgorithmID contains chosen + * alg. To avoid mismatch, use AES_256_CBC. */ +- passConverter, password, +- EncryptionAlgorithm.AES_256_CBC, 0, k); ++ EncryptionAlgorithm.AES_256_CBC, ++ 0 /* iterations (default) */, ++ k); + } + + SET keyAttrs = createKeyBagAttrs(keyInfo); +@@ -616,8 +625,18 @@ public class PKCS12Util { + "No EncryptedPrivateKeyInfo for key '" + + keyInfo.subjectDN + "'; skipping key"); + } +- store.importEncryptedPrivateKeyInfo( +- new PasswordConverter(), password, nickname, publicKey, epkiBytes); ++ try { ++ // first true without BMPString-encoding the passphrase. ++ store.importEncryptedPrivateKeyInfo( ++ null, password, nickname, publicKey, epkiBytes); ++ } catch (Exception e) { ++ // if that failed, try again with BMPString-encoded ++ // passphrase. This is required for PKCS #12 PBE ++ // schemes and for PKCS #12 files using PBES2 generated ++ // by NSS < 3.31 ++ store.importEncryptedPrivateKeyInfo( ++ new PasswordConverter(), password, nickname, publicKey, epkiBytes); ++ } + + // delete the cert again (it will be imported again later + // with the correct nickname) +-- +2.13.5 + diff --git a/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch b/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch new file mode 100644 index 0000000..721c49f --- /dev/null +++ b/SOURCES/pki-core-fix-ipa-replica-install-timing-issue.patch @@ -0,0 +1,278 @@ +From 609b98cccc77fa8b8e8d307c2f84651429068ec6 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 9 Oct 2017 16:26:21 +1100 +Subject: [PATCH 1/5] CMSServlet.renderFinalError: log exception + +renderFinalError is a "last resort" error handler that writes an +error message back to the client. If the exception was not already +logged, the call stack will be discarded after renderFinalError is +finished with the exception. + +Log the exception so that the call stack information is not lost. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: I2fd608adf205e3f72b67d822b1966fdb1b8bc60f +(cherry picked from commit 386357c347f8433e14ccd8637576f4c4a4e42492) +(cherry picked from commit 3af42c306446ddc931fc0d44505cd237aa2267d7) +--- + base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index 65dc06a..fe18ee1 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -763,6 +763,8 @@ public abstract class CMSServlet extends HttpServlet { + + public void renderFinalError(CMSRequest cmsReq, Exception ex) + throws IOException { ++ CMS.debug("Caught exception in renderFinalError:"); ++ CMS.debug(ex); + // this template is the last resort for all other unexpected + // errors in other templates so we can only output text. + HttpServletResponse httpResp = cmsReq.getHttpResp(); +-- +1.8.3.1 + + +From c160d49e0b61d650a14eae9be38e5f381aeb0b24 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 9 Oct 2017 16:45:51 +1100 +Subject: [PATCH 2/5] TokenAuthenticate: avoid NPE on null session table + +If the security domain session table is null for some reason, detect +this condition, log it, and return cleanly instead of throwing a +NullPointerException. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: Ie487492ed6eec913f0271221fd12842fe7128ceb +(cherry picked from commit bc329a0162ae9af382c81e75742b282ea8c5df0d) +(cherry picked from commit 76d85a648bc6be0f690d36341e6a11d64a3ff6b6) +--- + .../cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java +index 27f4782..1d98693 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/TokenAuthenticate.java +@@ -81,7 +81,11 @@ public class TokenAuthenticate extends CMSServlet { + String uid = ""; + String gid = ""; + CMS.debug("TokenAuthentication: checking session in the session table"); +- if (table.sessionExists(sessionId)) { ++ if (table == null) { ++ CMS.debug("TokenAuthentication: session table is null"); ++ outputError(httpResp, "Error: session table is null"); ++ return; ++ } else if (table.sessionExists(sessionId)) { + CMS.debug("TokenAuthentication: found session"); + if (checkIP) { + String hostname = table.getIP(sessionId); +-- +1.8.3.1 + + +From 275d3b1ad88721e1a5a5bfd8b5013a14d3db2263 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 10 Oct 2017 00:21:57 +1100 +Subject: [PATCH 3/5] TokenAuthentication: log error message on error + +If a TokenAuthenticate response indicates failure (state != 0), log +the error string in addition to the status code. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: I22ba44be109a06f33ae6015e62393a2ef575b6b2 +(cherry picked from commit 9eb354883c9d965bb271223bf870839bb756db26) +(cherry picked from commit c9908785df9f22b1ca4f507c9f51bf904193a143) +--- + .../cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java +index ebda0b6..2aa32d4 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java +@@ -183,6 +183,7 @@ public class TokenAuthentication implements IAuthManager, + CMS.debug("TokenAuthentication: status=" + status); + if (!status.equals("0")) { + String error = parser.getValue("Error"); ++ CMS.debug("TokenAuthentication: error: " + error); + throw new EBaseException(error); + } + +-- +1.8.3.1 + + +From 2a8f26e1169f8840a59f1707964d98b47619ca1c Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 11 Oct 2017 15:41:15 +1100 +Subject: [PATCH 4/5] Sleep after security domain login during configuration + +Clone installation can fail due to security domain token +authentication failure that arises because: + +1. The security domain session gets created on the replica's CA + instance. + +2. The "updateNumberRange" is performed against the subsystem being + cloned, and results in a token authentication request to the CA + subsystem on the same host. + +3. LDAP replication lag means that the master does not yet see + the security domain session that was created on the replica. + +To avoid this problem, introduce a small delay after logging into +the security domain, to allow for replication to occur. The delay +is configurable and defaults to 5 seconds. + +Fixes: https://pagure.io/dogtagpki/issue/2557 +Change-Id: Ib11c077518c40b3b16699c9170b61085f55a1913 +(cherry picked from commit fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3) +(cherry picked from commit 5fae20defb5e938a621fc40f92954eb7daba1c7b) +--- + .../netscape/certsrv/system/ConfigurationRequest.java | 14 ++++++++++++++ + .../org/dogtagpki/server/rest/SystemConfigService.java | 17 ++++++++++++++++- + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +index 26f45f0..03dbfa6 100644 +--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java ++++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +@@ -244,6 +244,11 @@ public class ConfigurationRequest { + @XmlElement + protected String signingCertSerialNumber; + ++ /** Seconds to sleep after logging into the Security Domain, ++ * so that replication of the session data may complete. */ ++ @XmlElement ++ protected Long securityDomainPostLoginSleepSeconds; ++ + public ConfigurationRequest() { + // required for JAXB + } +@@ -974,6 +979,14 @@ public class ConfigurationRequest { + this.signingCertSerialNumber = signingCertSerialNumber; + } + ++ public Long getSecurityDomainPostLoginSleepSeconds() { ++ return securityDomainPostLoginSleepSeconds; ++ } ++ ++ public void setSecurityDomainPostLoginSleepSeconds(Long d) { ++ securityDomainPostLoginSleepSeconds = d; ++ } ++ + @Override + public String toString() { + return "ConfigurationRequest [pin=XXXX" + +@@ -983,6 +996,7 @@ public class ConfigurationRequest { + ", securityDomainName=" + securityDomainName + + ", securityDomainUser=" + securityDomainUser + + ", securityDomainPassword=XXXX" + ++ ", securityDomainPostLoginSleepSeconds=" + securityDomainPostLoginSleepSeconds + + ", isClone=" + isClone + + ", cloneUri=" + cloneUri + + ", subsystemName=" + subsystemName + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index afbb24a..9ffb6e3 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -950,7 +950,22 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + + getInstallToken(data, host, port); + +- return getDomainXML(host, port); ++ String domainXML = getDomainXML(host, port); ++ ++ /* Sleep for a bit to allow security domain session to replicate ++ * to other clones. In the future we can use signed tokens ++ * (ticket https://pagure.io/dogtagpki/issue/2831) but we need to ++ * be mindful of working with older versions, too. ++ * ++ * The default sleep time is 5s. ++ */ ++ Long d = data.getSecurityDomainPostLoginSleepSeconds(); ++ if (null == d || d <= 0) ++ d = new Long(5); ++ CMS.debug("Logged into security domain; sleeping for " + d + "s"); ++ Thread.sleep(d * 1000); ++ ++ return domainXML; + } + + private String getDomainXML(String host, int port) { +-- +1.8.3.1 + + +From 2cf5ab35f9fda67405b209ae46891232c38eb4f0 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 11 Oct 2017 18:12:04 +1100 +Subject: [PATCH 5/5] pkispawn: make security domain login sleep duration + configurable + +Add the pki_security_domain_post_login_sleep_seconds pkispawn +config, so that the administrator may set a duration other than the +default. + +Part of: https://pagure.io/dogtagpki/issue/2557 + +Change-Id: I74f16ea15621773e0742f709adc87df559cb530a +(cherry picked from commit 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b) +(cherry picked from commit 32ec33f8e49d1085ac1b28657a8321547a6bf910) +--- + base/server/man/man8/pkispawn.8 | 7 +++++++ + base/server/python/pki/server/deployment/pkihelper.py | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 +index 002520a..1d4ae24 100644 +--- a/base/server/man/man8/pkispawn.8 ++++ b/base/server/man/man8/pkispawn.8 +@@ -956,6 +956,7 @@ pki_security_domain_password=\fISecret123\fP + pki_security_domain_hostname= + pki_security_domain_https_port= + pki_security_domain_user=caadmin ++pki_security_domain_post_login_sleep_seconds=\fI5\fP + + [Tomcat] + pki_clone=True +@@ -997,6 +998,12 @@ and the \fBpki_backup_password\fP is set. The PKCS#12 file is then found under + be generated at any time post-installation using \fBPKCS12Export\fP. + + .PP ++The \fBpki_security_domain_post_login_sleep_seconds\fP config specifies sleep ++duration after logging into a security domain, to allow the security domain ++session data to be replicated to subsystems on other hosts. It is optional and ++defaults to 5 seconds. ++ ++.PP + An example invocation showing the export of the system certificates and keys, + copying the keys to the replica subsystem, and setting the relevant SELinux and + file permissions is shown below. \fBpwfile\fP is a text file containing the +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index cf2a748..9bb0dfc 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -4045,6 +4045,13 @@ class ConfigClient: + if self.subordinate: + self.set_subca_security_domain(data) + ++ try: ++ d = int(self.mdict['pki_security_domain_post_login_sleep_seconds']) ++ if d > 0: ++ data.securityDomainPostLoginSleepSeconds = d ++ except (KeyError, ValueError): ++ pass ++ + # database + if self.subsystem != "RA": + self.set_database_parameters(data) +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch b/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch new file mode 100644 index 0000000..4514c7b --- /dev/null +++ b/SOURCES/pki-core-fix-issuance-sans-subject-key-ID-ext.patch @@ -0,0 +1,38 @@ +From 5f62e2db4a1a9040758a806095e1b4da5d0a0d1d Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 6 Oct 2017 11:21:48 +1100 +Subject: [PATCH] Fix issuance when CA cert lacks Subject Key ID ext + +If the CA signing cert does not have the Subject Key Identifier +extension, issuance of certificates fails. Although such a CA +certificate is not compliant with RFC 5280, this does happen in the +wild, and we previously handled this case by computing the SHA-1 +digest of the signing key as a last resort. This behaviour was +removed by 3c43b1119ca978c296a38a9fe404e1c0cdcdab63, breaking cert +issuance in installations with CA certs that lack the SKI extention. + +Restore this behaviour. + +Fixes: https://pagure.io/dogtagpki/issue/2829 +Change-Id: I2f590abe258c0f9405549945b89e3c25c32c2a00 +(cherry picked from commit 8ec0cbd1bef372ed50e19f6c5b6332b75209beb0) +(cherry picked from commit 119f4ee0288c1e6e6996847a66f617f04dd42ae6) +--- + base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java +index 635c044..8d5361e 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java +@@ -95,6 +95,6 @@ public abstract class CAEnrollDefault extends EnrollDefault { + "CryptoUtil.generateKeyIdentifier returns null"); + return null; + } +- return null; ++ return new KeyIdentifier(hash); + } + } +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-tps-externalReg-regression.patch b/SOURCES/pki-core-tps-externalReg-regression.patch new file mode 100644 index 0000000..1b727ba --- /dev/null +++ b/SOURCES/pki-core-tps-externalReg-regression.patch @@ -0,0 +1,55 @@ +From 47fccfaa32bf327c56c5789f373e4d18c714556f Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 10 Nov 2017 15:55:36 -0800 +Subject: [PATCH] ReFix for #2824 TPS new configuration to allow the protocol + of the to determine applet loaded. + +The problem discovered was that in only the external registration case, there was a problem obtaining the protocol +information for the token being enrolled. This simple fix makes sure the protocol info is obtained correctly for external +reg and non external reg enrollment cases. + +Change-Id: Iccd40adbdafd5e94e04cbb8c391bd2706e483a1f +(cherry picked from commit e48374cd8a744fad5a03f64e8685ec3b3c465553) +(cherry picked from commit 3718b369598c3ecfdb6733c25b08e4b51042423f) +--- + .../src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +index 4ec277e..03d6532 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java ++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +@@ -33,8 +33,6 @@ import java.util.List; + import java.util.Map; + import java.util.Set; + +-import netscape.security.x509.RevocationReason; +- + import org.dogtagpki.server.tps.TPSSession; + import org.dogtagpki.server.tps.TPSSubsystem; + import org.dogtagpki.server.tps.authentication.AuthUIParameter; +@@ -102,6 +100,8 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.symkey.SessionKey; + ++import netscape.security.x509.RevocationReason; ++ + public class TPSProcessor { + + public static final int RESULT_NO_ERROR = 0; +@@ -556,8 +556,10 @@ public class TPSProcessor { + CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData"); + } + +- // We already do this when checking for applet upgrade earlier. +- //acquireChannelPlatformAndProtocolInfo(); ++ // Do this on behalf of external reg, which needs it ++ // If already called, the routine will return anyway. ++ ++ acquireChannelPlatformAndProtocolInfo(); + + TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData); + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch b/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch new file mode 100644 index 0000000..accac88 --- /dev/null +++ b/SOURCES/pki-core-update-RHEL-cert-revocation-reasons.patch @@ -0,0 +1,429 @@ +From d3f50c6a77b164cc876192ab95639ad913f33deb Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 20 Jul 2017 17:50:38 -0700 +Subject: [PATCH] Ticket #1665 (code realignment) Certificate Revocation + Reasons not being updated in some cases This patch makes sure that when a + token is temporarily lost (certs on_hold), its certs are properly revoked + when moving to other revocation reasons when marked damaged or permanently + lost. In addition, on the CA side, this patch to some degree mimics the + original request for transitions from SUPERSEDED to KEY_COMPROMISED, although + in the current TPS that is prohibited. Also, the original requested code + skipped over informing CRLIssuingPoints, while in this patch, that is not + skipped as the revocation reason has changed it should be updated; Time + stamp in the cert record is also updated, which is different from the + original requested code. Development tests were conducted on currently + allowed TPS token state transitions only. + +Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168 +(cherry picked from commit 36213c8b614775feadfebef54db034e1155d33c7) +(cherry picked from commit 34aabcc5fb21f35d96f76fc5b822959f26aacf42) +--- + base/ca/src/com/netscape/ca/CAService.java | 58 +++++++++++++++++-- + .../netscape/certsrv/dbs/certdb/ICertRecord.java | 9 +++ + .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 51 +++++++++++++---- + base/server/cmsbundle/src/LogMessages.properties | 2 + + base/server/cmsbundle/src/UserMessages.properties | 1 + + .../src/com/netscape/cmscore/dbs/CertRecord.java | 65 +++++++++++++++------- + .../cmscore/dbs/CertificateRepository.java | 32 ++++++----- + 7 files changed, 166 insertions(+), 52 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index c9eacfe..7cc6a31 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -980,8 +980,28 @@ public class CAService implements ICAService, IService { + BigInteger serialno = crlentry.getSerialNumber(); + Date revdate = crlentry.getRevocationDate(); + CRLExtensions crlentryexts = crlentry.getExtensions(); ++ String msg = ""; + + CMS.debug("CAService.revokeCert: revokeCert begins"); ++ ++ // Get the revocation reason ++ Enumeration enum1 = crlentryexts.getElements(); ++ RevocationReason revReason = null; ++ while (enum1.hasMoreElements()) { ++ Extension ext = (Extension) enum1.nextElement(); ++ if (ext instanceof CRLReasonExtension) { ++ revReason = ((CRLReasonExtension) ext).getReason(); ++ break; ++ } ++ } ++ if (revReason == null) { ++ CMS.debug("CAService.revokeCert: missing revocation reason"); ++ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_MISSING_REV_REASON=", serialno.toString(16))); ++ throw new ECAException( ++ CMS.getUserMessage("CMS_CA_MISSING_REV_REASON", ++ "0x" + serialno.toString(16))); ++ } ++ + CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno); + + if (certRec == null) { +@@ -995,24 +1015,52 @@ public class CAService implements ICAService, IService { + // allow revoking certs that are on hold. + String certStatus = certRec.getStatus(); + +- if ((certStatus.equals(ICertRecord.STATUS_REVOKED) && +- !certRec.isCertOnHold()) || ++ RevocationReason recRevReason = null; ++ if (certStatus.equals(ICertRecord.STATUS_REVOKED)) { ++ try { ++ recRevReason = certRec.getRevReason(); ++ } catch (Exception e) { ++ throw new EBaseException(e); ++ } ++ if (recRevReason == null) { ++ msg = "existing revoked cert missing revocation reason"; ++ CMS.debug("CAService.revokeCert: " + msg); ++ throw new EBaseException(msg); ++ } ++ } ++ ++ // for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE ++ if (((certStatus.equals(ICertRecord.STATUS_REVOKED) && ++ !certRec.isCertOnHold()) && ++ ((recRevReason != RevocationReason.SUPERSEDED) || ++ revReason != RevocationReason.KEY_COMPROMISE)) ++ || + certStatus.equals(ICertRecord.STATUS_REVOKED_EXPIRED)) { + CMS.debug("CAService.revokeCert: cert already revoked:" + + serialno.toString()); + throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_ALREADY_REVOKED", + "0x" + Long.toHexString(serialno.longValue()))); + } ++ + try { ++ // if cert has already revoked, update the revocation info only + CMS.debug("CAService.revokeCert: about to call markAsRevoked"); +- if (certRec.isCertOnHold()) { ++ if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) { + mCA.getCertificateRepository().markAsRevoked(serialno, +- new RevocationInfo(revdate, crlentryexts), true /*isAlreadyOnHold*/); ++ new RevocationInfo(revdate, crlentryexts), ++ true /*isAlreadyRevoked*/); ++ CMS.debug("CAService.revokeCert: on_hold cert marked revoked"); ++ mCA.log(ILogger.LL_INFO, ++ CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE", ++ recRevReason.toString(), ++ revReason.toString(), ++ serialno.toString(16))); + } else { + mCA.getCertificateRepository().markAsRevoked(serialno, + new RevocationInfo(revdate, crlentryexts)); + } +- CMS.debug("CAService.revokeCert: cert revoked"); ++ ++ CMS.debug("CAService.revokeCert: cert now revoked"); + mCA.log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_CERT_REVOKED", + serialno.toString(16))); + // inform all CRLIssuingPoints about revoked certificate +diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java +index 3a0c955..65db57e 100644 +--- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java ++++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertRecord.java +@@ -20,6 +20,9 @@ package com.netscape.certsrv.dbs.certdb; + import java.math.BigInteger; + import java.util.Date; + ++import com.netscape.certsrv.base.EBaseException; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.X509ExtensionException; + import netscape.security.x509.X509CertImpl; + + import com.netscape.certsrv.base.MetaInfo; +@@ -181,4 +184,10 @@ public interface ICertRecord extends IDBObj { + * is this cert on hold? + */ + public boolean isCertOnHold(); ++ ++ /** ++ * returns the revocation reason ++ */ ++ public RevocationReason getRevReason() ++ throws EBaseException, X509ExtensionException; + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +index a9a6238..47062f2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +@@ -1,4 +1,4 @@ +-// --- BEGIN COPYRIGHT BLOCK --- ++ + // This program is free software; you can redistribute it and/or modify + // it under the terms of the GNU General Public License as published by + // the Free Software Foundation; version 2 of the License. +@@ -330,8 +330,10 @@ public class DoRevokeTPS extends CMSServlet { + String auditRequestType = auditRequestType(reason); + RequestStatus auditApprovalStatus = null; + String auditReasonNum = String.valueOf(reason); +- String method = "DoRevokeTPS.process"; ++ String method = "DoRevokeTPS.process:"; ++ String msg = ""; + ++ CMS.debug(method + "begins"); + if (revokeAll != null) { + CMS.debug("DoRevokeTPS.process revokeAll" + revokeAll); + +@@ -357,6 +359,8 @@ public class DoRevokeTPS extends CMSServlet { + Vector revCertImplsV = new Vector(); + + // Construct a CRL reason code extension. ++ ++ CMS.debug(method + "reason code = " + reason); + RevocationReason revReason = RevocationReason.fromInt(reason); + CRLReasonExtension crlReasonExtn = new CRLReasonExtension(revReason); + +@@ -401,22 +405,47 @@ public class DoRevokeTPS extends CMSServlet { + } + + if (xcert != null) { ++ RevocationReason recRevReason = null; ++ if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) { ++ try { ++ recRevReason = rec.getRevReason(); ++ } catch (Exception ex) { ++ CMS.debug(method + ex.toString()); ++ throw new EBaseException(ex); ++ } ++ if (recRevReason == null) { ++ msg = "existing revoked cert missing revocation reason"; ++ CMS.debug(method + msg); ++ throw new EBaseException(msg); ++ } ++ } ++ + rarg.addStringValue("serialNumber", + xcert.getSerialNumber().toString(16)); + +- if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED) +- && !rec.isCertOnHold()) { +- alreadyRevokedCertFound = true; +- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " has already been revoked."); +- } else { ++ boolean updateRevocation = true; ++ if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED) && ++ revReason == RevocationReason.KEY_COMPROMISE)) { ++ updateRevocation = false; ++ if ((recRevReason == RevocationReason.SUPERSEDED) || ++ (rec.isCertOnHold())) { ++ updateRevocation = true; ++ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) ++ + " has been revoked, but reason is changed"); ++ } else { ++ alreadyRevokedCertFound = true; ++ CMS.debug("Certificate 0x" + xcert.getSerialNumber().toString(16) + " has been revoked."); ++ } ++ } ++ if (updateRevocation) { + oldCertsV.addElement(xcert); + +- RevokedCertImpl revCertImpl = +- new RevokedCertImpl(xcert.getSerialNumber(), +- CMS.getCurrentDate(), entryExtn); ++ RevokedCertImpl revCertImpl = new RevokedCertImpl(xcert.getSerialNumber(), ++ CMS.getCurrentDate(), entryExtn); + + revCertImplsV.addElement(revCertImpl); +- CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) + " is going to be revoked."); ++ CMS.debug(method + "Certificate 0x" + xcert.getSerialNumber().toString(16) ++ + " is going to be revoked."); + count++; + } + } else { +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 5e51440..ff432b6 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -119,7 +119,9 @@ CMSCORE_CA_STORE_SERIAL=CA stored signed certificate serial number 0x{0} + CMSCORE_CA_MARK_SERIAL=CA marked certificate serial number 0x{0} as renewed with serial number 0x{1} + CMSCORE_CA_NO_STORE_SERIAL=Could not store certificate serial number 0x{0} + CMSCORE_CA_CERT_NOT_FOUND=Cannot find certificate serial number 0x{0} ++CMSCORE_CA_MISSING_REV_REASON=Missing revocation reason for revocation request on serial number 0x{0} + CMSCORE_CA_CERT_REVOKED=Revoked certificate serial number 0x{0} ++CMSCORE_CA_CERT_REVO_INFO_UPDATE=Revocation reason changed from {0} to {1} Certificate serial number 0x{2} + CMSCORE_CA_ERROR_REVOCATION=Error revoking certificate {0}. Error {1} + CMSCORE_CA_CERT_ON_HOLD=Certificate {0} has to be on-hold. + CMSCORE_CA_CERT_UNREVOKED=Unrevoked certificate serial number 0x{0} +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index ed2a620..4d1b755 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -397,6 +397,7 @@ CMS_CA_CERT4CRL_FAILED=One or more revoked certificates could not be recorded by + CMS_CA_UNCERT4CRL_FAILED=One or more revoked certificates could not be removed by the CLA + CMS_CA_RENEW_FAILED=One or more certificates could not be renewed + CMS_CA_CANT_FIND_CERT_SERIAL=Cannot find certificate with serial number {0} ++CMS_CA_MISSING_REV_REASON=Missing revocation reason for revocatoin request on serial number {0} + CMS_CA_TOKEN_NOT_FOUND=Token {0} not found + CMS_CA_CERT_OBJECT_NOT_FOUND=Certificate object not found + CMS_CA_TOKEN_ERROR=Token Error +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java +index a79f7a3..d4f3c03 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertRecord.java +@@ -23,12 +23,6 @@ import java.util.Date; + import java.util.Enumeration; + import java.util.Vector; + +-import netscape.security.x509.CRLExtensions; +-import netscape.security.x509.CRLReasonExtension; +-import netscape.security.x509.RevocationReason; +-import netscape.security.x509.X509CertImpl; +-import netscape.security.x509.X509ExtensionException; +- + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.MetaInfo; +@@ -37,6 +31,12 @@ import com.netscape.certsrv.dbs.IDBObj; + import com.netscape.certsrv.dbs.certdb.ICertRecord; + import com.netscape.certsrv.dbs.certdb.IRevocationInfo; + ++import netscape.security.x509.CRLExtensions; ++import netscape.security.x509.CRLReasonExtension; ++import netscape.security.x509.RevocationReason; ++import netscape.security.x509.X509CertImpl; ++import netscape.security.x509.X509ExtensionException; ++ + /** + * A class represents a serializable certificate record. + *

+@@ -274,27 +274,50 @@ public class CertRecord implements IDBObj, ICertRecord { + return mModifyTime; + } + ++ /* ++ * getRevReason - ++ * @returns RevocationReason if cert is revoked; null if not ++ * it throws exceptions if anything failed ++ */ ++ public RevocationReason getRevReason() ++ throws EBaseException, X509ExtensionException { ++ String method = "CertRecord.getRevReason:"; ++ String msg = ""; ++ //CMS.debug(method + " checking for cert serial: " ++ // + getSerialNumber().toString()); ++ IRevocationInfo revInfo = getRevocationInfo(); ++ if (revInfo == null) { ++ msg = "revInfo null for" + getSerialNumber().toString(); ++ CMS.debug(method + msg); ++ return null; ++ } ++ ++ CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); ++ if (crlExts == null) ++ throw new X509ExtensionException("crlExts null"); ++ ++ CRLReasonExtension reasonExt = null; ++ reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); ++ if (reasonExt == null) ++ throw new EBaseException("reasonExt null"); ++ ++ return reasonExt.getReason(); ++ } ++ + public boolean isCertOnHold() { + String method = "CertRecord.isCertOnHold:"; + CMS.debug(method + " checking for cert serial: " +- + getSerialNumber().toString()); +- IRevocationInfo revInfo = getRevocationInfo(); +- if (revInfo != null) { +- CRLExtensions crlExts = revInfo.getCRLEntryExtensions(); +- if (crlExts == null) return false; +- CRLReasonExtension reasonExt = null; +- try { +- reasonExt = (CRLReasonExtension) crlExts.get(CRLReasonExtension.NAME); +- } catch (X509ExtensionException e) { +- CMS.debug(method + " returning false:" + e.toString()); +- return false; +- } +- if (reasonExt.getReason() == RevocationReason.CERTIFICATE_HOLD) { +- CMS.debug(method + " returning true"); ++ + getSerialNumber().toString()); ++ try { ++ RevocationReason revReason = getRevReason(); ++ if (revReason == RevocationReason.CERTIFICATE_HOLD) { ++ CMS.debug(method + "for " + getSerialNumber().toString() + " returning true"); + return true; + } ++ } catch (Exception e) { ++ CMS.debug(method + e); + } +- CMS.debug(method + " returning false"); ++ CMS.debug(method + "for " + getSerialNumber().toString() + " returning false"); + return false; + } + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +index 9a333fe..367917f 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java +@@ -1110,19 +1110,21 @@ public class CertificateRepository extends Repository + + /** + * Marks certificate as revoked. +- * isAlreadyOnHold - boolean to indicate that the cert was revoked onHold +- * When a cert was originally onHold, some of the ldap attributes +- * already exist, so "MOD_REPLACE" is needed instead of "MOD_ADD" ++ * isAlreadyRevoked - boolean to indicate that the cert was revoked ++ * ( possibly onHold ) ++ * When a cert was originally revoked (possibly onHold), ++ * some of the ldap attributes already exist, ++ * so "MOD_REPLACE" is needed instead of "MOD_ADD" + */ + public void markAsRevoked(BigInteger id, IRevocationInfo info) + throws EBaseException { + markAsRevoked(id, info, false); + } +- public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyOnHold) ++ ++ public void markAsRevoked(BigInteger id, IRevocationInfo info, boolean isAlreadyRevoked) + throws EBaseException { +- String method = "CertificateRepository.markAsRevoked:"; + ModificationSet mods = new ModificationSet(); +- if (isAlreadyOnHold) { ++ if (isAlreadyRevoked) { + mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info); + } else { + mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info); +@@ -1134,30 +1136,30 @@ public class CertificateRepository extends Repository + * When already revoked onHold, the fields already existing in record + * can only be replaced instead of added + */ +- if (isAlreadyOnHold) { ++ if (isAlreadyRevoked) { + if (uid == null) { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, +- "system"); ++ "system"); + } else { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_REPLACE, +- uid); ++ uid); + } + mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_REPLACE, +- CMS.getCurrentDate()); ++ CMS.getCurrentDate()); + } else { + if (uid == null) { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, +- "system"); ++ "system"); + } else { + mods.add(CertRecord.ATTR_REVOKED_BY, Modification.MOD_ADD, +- uid); ++ uid); + } + mods.add(CertRecord.ATTR_REVOKED_ON, Modification.MOD_ADD, +- CMS.getCurrentDate()); ++ CMS.getCurrentDate()); ++ mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, ++ CertRecord.STATUS_REVOKED); + } + +- mods.add(CertRecord.ATTR_CERT_STATUS, Modification.MOD_REPLACE, +- CertRecord.STATUS_REVOKED); + modifyCertificateRecord(id, mods); + } + +-- +1.8.3.1 diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index dc582cc..142b6f1 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -66,11 +66,11 @@ Name: pki-core %if 0%{?rhel} Version: 10.4.1 -#Release: 13%{?dist} -Release: 13.el7_4 +#Release: 17%{?dist} +Release: 17.el7_4 %else Version: 10.4.8 -Release: 1%{?dist} +Release: 8%{?dist} %endif Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ @@ -184,10 +184,10 @@ BuildRequires: python-ldap BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 %if 0%{?rhel} -BuildRequires: jss >= 4.4.0-7 +BuildRequires: jss >= 4.4.0-8 %else %if 0%{?fedora} >= 25 -BuildRequires: jss >= 4.4.2-2 +BuildRequires: jss >= 4.4.2-5 %else BuildRequires: jss >= 4.2.6-44 %endif @@ -206,6 +206,7 @@ BuildRequires: tomcatjss >= 7.1.3 %if 0%{?with_python3} BuildRequires: python3-cryptography BuildRequires: python3-devel +BuildRequires: python3-lxml BuildRequires: python3-nss BuildRequires: python3-pyldap BuildRequires: python3-requests >= 2.6.0 @@ -278,11 +279,13 @@ Patch11: pki-core-CMC-check-HTTPS-client-authentication-cert.patch Patch12: pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch ####################### ## pki-core-10.4.1-11 +## (pki-core 0-day patch) ####################### Patch13: pki-core-cmc-plugin-default-change.patch ####################### ## pki-core-10.4.1-12 ####################### +## RHEL 7.4 Batch Update 1 Patch14: pki-core-server-access-banner-validation.patch Patch15: pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch Patch16: pki-core-platform-dependent-python-import.patch @@ -293,7 +296,41 @@ Patch20: pki-core-system-cert-CMC-enroll-profile.patch ####################### ## pki-core-10.4.1-13 ####################### +## RHEL 7.4 Batch Update 1 Patch21: pki-core-server-access-banner-retrieval-validation.patch +####################### +## pki-core-10.4.1-14 +####################### +## RHEL 7.4 Batch Update 2 +Patch22: pki-core-Fix-lightweight-CA-replication-NPE-failure.patch +Patch23: pki-core-Fix-missing-CN-error-in-CMC-user-signed.patch +Patch24: pki-core-FixDeploymentDescriptor-upgrade-scriptlet.patch +Patch25: pki-core-KRA-use-AES-in-PKCS12-encrypted-key-recovery.patch +Patch26: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI-Server.patch +Patch27: pki-core-Fix-JSON-encoding-in-Python-3.patch +## RHCS 9.2 Batch Update 2 +#Patch28: pki-core-Fix-tokenOrigin-and-tokenType-attrs-in-recovered-certs.patch +#Patch29: pki-core-Display-tokenType-and-tokenOrigin-in-TPS-UI-and-CLI.patch +####################### +## pki-core-10.4.1-15 +####################### +Patch30: pki-core-Make-PKCS12-files-compatible-with-PBES2.patch +####################### +## pki-core-10.4.1-16 +####################### +## RHCS 9.2 Batch Update 3 +#Patch31: pki-core-externalRegRecover-multiple-KRA.patch +#Patch32: pki-core-TPS-applet-protocol-determination.patch +#Patch33: pki-core-update-RHCS-cert-revocation-reasons.patch +## RHEL 7.4 Batch Update 3 +Patch34: pki-core-update-RHEL-cert-revocation-reasons.patch +Patch35: pki-core-fix-issuance-sans-subject-key-ID-ext.patch +Patch36: pki-core-fix-ipa-replica-install-timing-issue.patch +####################### +## pki-core-10.4.1-17 +####################### +## RHCS 9.2 Batch Update 3 +Patch37: pki-core-tps-externalReg-regression.patch @@ -405,10 +442,10 @@ Requires: nss >= 3.27.0 %endif Requires: jpackage-utils >= 0:1.7.5-10 %if 0%{?rhel} -Requires: jss >= 4.4.0-7 +Requires: jss >= 4.4.0-8 %else %if 0%{?fedora} >= 25 -Requires: jss >= 4.4.2-2 +Requires: jss >= 4.4.2-5 %else Requires: jss >= 4.2.6-44 %endif @@ -499,10 +536,10 @@ Requires: slf4j-jdk14 Requires: javassist Requires: jpackage-utils >= 0:1.7.5-10 %if 0%{?rhel} -Requires: jss >= 4.4.0-7 +Requires: jss >= 4.4.0-8 %else %if 0%{?fedora} >= 25 -Requires: jss >= 4.4.2-2 +Requires: jss >= 4.4.2-5 %else Requires: jss >= 4.2.6-44 %endif @@ -568,6 +605,7 @@ BuildArch: noarch Requires: pki-base = %{version}-%{release} Requires: python3-cryptography +Requires: python3-lxml Requires: python3-nss Requires: python3-requests >= 2.6.0 Requires: python3-six @@ -982,6 +1020,22 @@ This package is a part of the PKI Core used by the Certificate System. %patch19 -p1 %patch20 -p1 %patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +#%patch28 -p1 +#%patch29 -p1 +%patch30 -p1 +#%patch31 -p1 +#%patch32 -p1 +#%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +#%patch37 -p1 %clean %{__rm} -rf %{buildroot} @@ -1507,6 +1561,67 @@ fi %endif # %{with server} %changelog +* Fri Nov 10 2017 Dogtag Team 10.4.1-17 +- ########################################################################### +- ## RHCS 9.2 +- ########################################################################### +- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of + #the to determine applet loaded (jmagne) + +* Fri Oct 13 2017 Dogtag Team 10.4.1-16 +- ########################################################################### +- ## RHCS 9.2 +- ########################################################################### +- #Bugzilla Bug #1439228 - externalRegRecover does not support multiple + #KRA instances (cfu) +- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of + #the to determine applet loaded (jmagne) +- #Bugzilla Bug #1471996 - Certificate Revocation Reasons not being updated + #in some cases [RHCS 9] (cfu) +- ########################################################################### +- ## RHEL 7.4 +- ########################################################################### +- Bugzilla Bug #1500499 - Certificate Revocation Reasons not being updated + in some cases [rhel-7.4.z] (cfu) +- Bugzilla Bug #1502527 - CA cert without Subject Key Identifier causes + issuance failure [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 + [rhel-7.4.z] (ftweedal) + NOTE: Check-ins for #1492560 all reference the dogtagpki Pagure Issue + associated with Bugzilla Bug #1402280 - CA Cloning: Failed to + update number range in few cases (which is not yet fully resolved) + +* Mon Sep 18 2017 Dogtag Team 10.4.1-15 +- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0 + [rhel-7.4.z] (ftweedal) + +* Tue Sep 12 2017 Dogtag Team 10.4.1-14 +- Require "jss >= 4.4.0-8" as a build and runtime requirement +- ########################################################################## +- RHEL 7.4: +- ########################################################################## +- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332 +- Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions) + [RHEL 7.4.z] (ftweedal) +- Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error + in cmc user-signed [rhel-7.4.z] (cfu) +- Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from + RHEL 7.1 [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS) + [rhel-7.4.z] (ftweedal) +- Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin + for token certificates on TPS UI Server [rhel-7.4.z] (edewata) +- dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data: + TypeError: ... is not JSON serializable (ftweedal) +- ########################################################################## +- RHCS 9.2: +- ########################################################################## +- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271 +- Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and + "tokenType" certificate attribute for recovered certificates. (cfu) +- Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin + for token certificates on TPS UI (edewata) + * Mon Aug 21 2017 Dogtag Team 10.4.1-13 - Resolves: rhbz #1463350 - ########################################################################## @@ -2825,7 +2940,7 @@ fi to be open in the FW (alee) - 'pki-silent' -* Wed Aug 10 2011 Matthew Harmsen 9.0.11-1 +* Wed Aug 10 2011 Matthew Harmsen 9.0.12 - 'pki-setup' - Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)