diff --git a/.gitignore b/.gitignore
index 102e165..1837221 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.12.0.tar.gz
+SOURCES/pki-10.14.3.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 78529e8..a5e8c43 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz
+0508d8fa638b11f309d958338afc71e4c9f24f8d SOURCES/pki-10.14.3.tar.gz
diff --git a/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch b/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch
deleted file mode 100644
index 75da580..0000000
--- a/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 039b3453d17bb5666d4b7a4eacc6a014703416c7 Mon Sep 17 00:00:00 2001
-From: Chris Kelley <ckelley@redhat.com>
-Date: Fri, 10 Jun 2022 17:25:07 +0100
-Subject: [PATCH] Disable access to external entities when parsing XML
-
-This reduces the vulnerability of XML parsers to XXE (XML external
-entity) injection.
-
-The best way to prevent XXE is to stop using XML altogether, which we do
-plan to do. Until that happens I consider it worthwhile to tighten the
-security here though.
----
- .../cms/servlet/csadmin/SecurityDomainProcessor.java     | 6 +++++-
- .../main/java/com/netscape/cmscore/apps/ServerXml.java   | 1 +
- .../main/java/com/netscape/cmsutil/xml/XMLObject.java    | 9 +++++++++
- .../src/test/java/com/netscape/test/TestListener.java    | 5 ++++-
- 4 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-index bdd485e89a..07fae1ad50 100644
---- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
-@@ -24,6 +24,7 @@ import java.util.Enumeration;
- import java.util.Locale;
- import java.util.Vector;
- 
-+import javax.xml.XMLConstants;
- import javax.xml.parsers.ParserConfigurationException;
- import javax.xml.transform.OutputKeys;
- import javax.xml.transform.Transformer;
-@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
-         XMLObject xmlObject = convertDomainInfoToXMLObject(before);
-         Document document = xmlObject.getDocument();
- 
--        Transformer transformer = TransformerFactory.newInstance().newTransformer();
-+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
-+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-+        Transformer transformer = transformerFactory.newTransformer();
-         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
-         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
- 
-diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
-index 2a02d722a1..d9ac572747 100644
---- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
-+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
-@@ -41,6 +41,7 @@ public class ServerXml {
-         ServerXml serverXml = new ServerXml();
- 
-         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-         DocumentBuilder builder = factory.newDocumentBuilder();
-         Document document = builder.parse(filename);
- 
-diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
-index 81fdbf4b2e..1043bcb477 100644
---- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
-+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
-@@ -25,6 +25,7 @@ import java.io.OutputStream;
- import java.io.StringWriter;
- import java.util.Vector;
- 
-+import javax.xml.XMLConstants;
- import javax.xml.parsers.DocumentBuilder;
- import javax.xml.parsers.DocumentBuilderFactory;
- import javax.xml.parsers.ParserConfigurationException;
-@@ -56,6 +57,7 @@ public class XMLObject {
-     public XMLObject(InputStream s)
-             throws SAXException, IOException, ParserConfigurationException {
-         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-         DocumentBuilder docBuilder = factory.newDocumentBuilder();
-         mDoc = docBuilder.parse(s);
-     }
-@@ -63,6 +65,7 @@ public class XMLObject {
-     public XMLObject(File f)
-             throws SAXException, IOException, ParserConfigurationException {
-         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-         DocumentBuilder docBuilder = factory.newDocumentBuilder();
-         mDoc = docBuilder.parse(f);
-     }
-@@ -159,6 +162,8 @@ public class XMLObject {
-     public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
-         ByteArrayOutputStream bos = new ByteArrayOutputStream();
-         TransformerFactory tranFactory = TransformerFactory.newInstance();
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-         Transformer aTransformer = tranFactory.newTransformer();
-         Source src = new DOMSource(mDoc);
-         Result dest = new StreamResult(bos);
-@@ -169,6 +174,8 @@ public class XMLObject {
-     public void output(OutputStream os)
-             throws TransformerConfigurationException, TransformerException {
-         TransformerFactory tranFactory = TransformerFactory.newInstance();
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-         Transformer aTransformer = tranFactory.newTransformer();
-         Source src = new DOMSource(mDoc);
-         Result dest = new StreamResult(os);
-@@ -177,6 +184,8 @@ public class XMLObject {
- 
-     public String toXMLString() throws TransformerConfigurationException, TransformerException {
-         TransformerFactory tranFactory = TransformerFactory.newInstance();
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-         Transformer transformer = tranFactory.newTransformer();
-         Source src = new DOMSource(mDoc);
-         StreamResult dest = new StreamResult(new StringWriter());
-diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
-index 3181d53dc8..ac5d6e0f42 100644
---- a/base/util/src/test/java/com/netscape/test/TestListener.java
-+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
-@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat;
- import java.util.Date;
- import java.util.TimeZone;
- 
-+import javax.xml.XMLConstants;
- import javax.xml.parsers.DocumentBuilder;
- import javax.xml.parsers.DocumentBuilderFactory;
- import javax.xml.transform.OutputKeys;
-@@ -22,7 +23,6 @@ import org.junit.runner.Description;
- import org.junit.runner.Result;
- import org.junit.runner.notification.Failure;
- import org.junit.runner.notification.RunListener;
--
- import org.w3c.dom.Document;
- import org.w3c.dom.Element;
- import org.w3c.dom.Text;
-@@ -64,9 +64,12 @@ public class TestListener extends RunListener {
-         dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
- 
-         docBuilderFactory = DocumentBuilderFactory.newInstance();
-+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-         docBuilder = docBuilderFactory.newDocumentBuilder();
- 
-         transFactory = TransformerFactory.newInstance();
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-         trans = transFactory.newTransformer();
-         trans.setOutputProperty(OutputKeys.INDENT, "yes");
- 
--- 
-2.35.1
-
diff --git a/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch b/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
deleted file mode 100644
index 1b057a2..0000000
--- a/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From af9d5ee1e57b128603974595e26feb3effe05c87 Mon Sep 17 00:00:00 2001
-From: Chris Kelley <ckelley@redhat.com>
-Date: Thu, 14 Jul 2022 16:49:25 +0100
-Subject: [PATCH] Fix accidental renaming of factories in conflict resolution.
-
----
- base/util/src/test/java/com/netscape/test/TestListener.java | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
-index ac5d6e0f42..56b7793f61 100644
---- a/base/util/src/test/java/com/netscape/test/TestListener.java
-+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
-@@ -64,12 +64,12 @@ public class TestListener extends RunListener {
-         dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
- 
-         docBuilderFactory = DocumentBuilderFactory.newInstance();
--        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-         docBuilder = docBuilderFactory.newDocumentBuilder();
- 
-         transFactory = TransformerFactory.newInstance();
--        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
--        tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-+        transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-         trans = transFactory.newTransformer();
-         trans.setOutputProperty(OutputKeys.INDENT, "yes");
- 
--- 
-2.35.1
-
diff --git a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch
deleted file mode 100644
index 065a9d9..0000000
--- a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 25 Jan 2022 16:29:53 -0600
-Subject: [PATCH] Fix pki-healthcheck for clones
-
-Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
-was trying to check KRA clone status by retrieving a key using
-the subsystem cert. This operation did not work since the user
-associated with the cert did not have access to the keys. The
-code has been changed to get the status from GetStatus service
-instead. The original code might be moved into IPA later so it
-could run with IPA's RA agent credentials which would allow
-access to the keys.
-
-Previously the ClonesPlugin.contact_subsystem_using_sslget()
-used sslget to call GetStatus service and returned the entire
-output which was then incorrectly processed in XML format. The
-method has been renamed to get_status() and changed to use
-PKIConnection and process the response in either JSON or XML
-format, then only return the subsystem status. All callers
-have been updated accordingly.
-
-The ClonesPlugin.contact_subsystem_using_pki() is no longer
-used so it has been removed.
----
- .../clones/connectivity_and_data.py           | 130 ++++++++----------
- .../pki/server/healthcheck/clones/plugin.py   |  75 ++++------
- base/server/python/pki/server/__init__.py     |   8 +-
- 3 files changed, 91 insertions(+), 122 deletions(-)
-
-diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
-index ca5d6dae48..d9bb480f7f 100644
---- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
-+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
-@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
- 
-     def check_kra_clones(self):
-         for host in self.clone_kras:
--            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
--            # Reach out and get some keys or requests , to serve as a data and connectivity check
-+
-+            url = 'https://' + host.Hostname + ':' + host.SecurePort
-+
-             try:
--                client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
--
--                output = self.contact_subsystem_using_pki(
--                    host.SecurePort, host.Hostname, client_nick,
--                    self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
--
--                # check to see if we either got a key or a key not found exception
--                # of which either will imply a successful connection
--                if output is not None:
--                    key_found = output.find('Key ID:')
--                    key_not_found = output.find('KeyNotFoundException:')
--                    if key_found >= 0:
--                        logger.info('Key material found from kra clone.')
--
--                    if key_not_found >= 0:
--                        logger.info('key not found, possibly empty kra')
--
--                    if key_not_found == -1 and key_found == -1:
--                        logger.info('Failure to get key material from kra')
--                        raise BaseException('KRA clone problem detected ' + cur_clone_msg)
--                else:
--                    raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
-+                status = self.get_status(
-+                    host.Hostname,
-+                    host.SecurePort,
-+                    '/kra/admin/kra/getStatus')
- 
--            except BaseException as e:
--                logger.error("Internal error testing KRA clone. %s", e)
--                raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
-+                logger.info('KRA at %s is %s', url, status)
- 
--        return
-+                if status != 'running':
-+                    raise Exception('KRA at %s is %s' % (url, status))
-+
-+            except Exception as e:
-+                logger.error('Unable to reach KRA at %s: %s', url, e)
-+                raise Exception('Unable to reach KRA at %s: %s' % (url, e))
- 
-     def check_ocsp_clones(self):
-         for host in self.clone_ocsps:
--            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
--            # Reach out to the ocsp clones
-+
-+            url = 'https://' + host.Hostname + ':' + host.SecurePort
-+
-             try:
--                output = self.contact_subsystem_using_sslget(
--                    host.SecurePort, host.Hostname, None,
--                    self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
--
--                good_status = output.find('<State>1</State>')
--                if good_status == -1:
--                    raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
--                logger.info('good_status %s ', good_status)
--            except BaseException as e:
--                logger.error("Internal error testing OCSP clone.  %s", e)
--                raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
-+                status = self.get_status(
-+                    host.Hostname,
-+                    host.SecurePort,
-+                    '/ocsp/admin/ocsp/getStatus')
- 
--        return
-+                logger.info('OCSP at %s is %s', url, status)
-+
-+                if status != 'running':
-+                    raise Exception('OCSP at %s is %s' % (url, status))
-+
-+            except Exception as e:
-+                logger.error('Unable to reach OCSP at %s: %s', url, e)
-+                raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
- 
-     def check_tks_clones(self):
-         for host in self.clone_tkss:
--            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
--            # Reach out to the tks clones
-+
-+            url = 'https://' + host.Hostname + ':' + host.SecurePort
-+
-             try:
--                output = self.contact_subsystem_using_sslget(
--                    host.SecurePort, host.Hostname, None,
--                    self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
--
--                good_status = output.find('<State>1</State>')
--                if good_status == -1:
--                    raise BaseException('TKS clone problem detected.' + cur_clone_msg)
--                logger.info('good_status %s ', good_status)
--            except BaseException as e:
--                logger.error("Internal error testing TKS clone. %s", e)
--                raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
-+                status = self.get_status(
-+                    host.Hostname,
-+                    host.SecurePort,
-+                    '/tks/admin/tks/getStatus')
- 
--        return
-+                logger.info('TKS at %s is %s', url, status)
-+
-+                if status != 'running':
-+                    raise Exception('TKS at %s is %s' % (url, status))
-+
-+            except Exception as e:
-+                logger.error('Unable to reach TKS at %s: %s', url, e)
-+                raise Exception('Unable to reach TKS at %s: %s' % (url, e))
- 
-     def check_tps_clones(self):
-         for host in self.clone_tpss:
--            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
--            # Reach out to the tps clones
-+
-+            url = 'https://' + host.Hostname + ':' + host.SecurePort
-+
-             try:
--                output = self.contact_subsystem_using_sslget(
--                    host.SecurePort, host.Hostname, None,
--                    self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
--
--                good_status = output.find('<State>1</State>')
--                if good_status == -1:
--                    raise BaseException('TPS clone problem detected.' + cur_clone_msg)
--                logger.info('good_status  %s ', good_status)
--            except BaseException as e:
--                logger.error("Internal error testing TPS clone. %s", e)
--                raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
--        return
-+                status = self.get_status(
-+                    host.Hostname,
-+                    host.SecurePort,
-+                    '/tps/admin/tps/getStatus')
-+
-+                logger.info('TPS at %s is %s', url, status)
-+
-+                if status != 'running':
-+                    raise Exception('TPS at %s is %s' % (url, status))
-+
-+            except Exception as e:
-+                logger.error('Unable to reach TPS at %s: %s', url, e)
-+                raise Exception('Unable to reach TPS at %s: %s' % (url, e))
- 
-     @duration
-     def check(self):
-diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
-index 2472f35b5b..824c36a1a9 100644
---- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
-+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
-@@ -6,6 +6,10 @@
- # SPDX-License-Identifier: GPL-2.0-or-later
- #
- 
-+import json
-+import logging
-+import xml.etree.ElementTree as ET
-+
- from ipahealthcheck.core.plugin import Plugin, Registry
- from pki.server.instance import PKIInstance
- from pki.client import PKIConnection
-@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
- 
- from pki.server.healthcheck.core.main import merge_dogtag_config
- 
--import logging
--import subprocess
--
- logger = logging.getLogger(__name__)
- 
- # Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
-@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
- 
-         self.instance = PKIInstance(self.config.instance_name)
- 
--    def contact_subsystem_using_pki(
--            self, subport, subhost, subsystemnick,
--            token_pwd, db_path, cmd, exts=None):
--        command = ["/usr/bin/pki",
--                   "-p", str(subport),
--                   "-h", subhost,
--                   "-n", subsystemnick,
--                   "-P", "https",
--                   "-d", db_path,
--                   "-c", token_pwd,
--                   cmd]
--
--        if exts is not None:
--            command.extend(exts)
--
--        output = None
--        try:
--            output = subprocess.check_output(command, stderr=subprocess.STDOUT)
--        except subprocess.CalledProcessError as e:
--            output = e.output.decode('utf-8')
--            return output
-+    def get_status(self, host, port, path):
- 
--        output = output.decode('utf-8')
-+        self.instance.export_ca_cert()
- 
--        return output
-+        connection = PKIConnection(
-+            protocol='https',
-+            hostname=host,
-+            port=port,
-+            cert_paths=self.instance.ca_cert)
- 
--    def contact_subsystem_using_sslget(
--            self, port, host, subsystemnick,
--            token_pwd, db_path, params, url):
-+        response = connection.get(path)
- 
--        command = ["/usr/bin/sslget"]
-+        content_type = response.headers['Content-Type']
-+        content = response.text
-+        logger.info('Content:\n%s', content)
- 
--        if subsystemnick is not None:
--            command.extend(["-n", subsystemnick])
-+        # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
-+        if content_type == 'application/json':
-+            json_response = json.loads(content)
-+            status = json_response['Response']['Status']
- 
--        command.extend(["-p", token_pwd, "-d", db_path])
--
--        if params is not None:
--            command.extend(["-e", params])
--
--        command.extend([
--            "-r", url, host + ":" + port])
--
--        logger.info(' command : %s ', command)
--        output = None
--        try:
--            output = subprocess.check_output(command, stderr=subprocess.STDOUT)
--        except subprocess.CalledProcessError as e:
--            output = e.output.decode('utf-8')
--            return output
-+        elif content_type == 'application/xml':
-+            root = ET.fromstring(content)
-+            status = root.findtext('Status')
- 
--        output = output.decode('utf-8')
-+        else:
-+            raise Exception('Unsupported content-type: %s' % content_type)
- 
--        return output
-+        logger.info('Status: %s', status)
-+        return status
- 
-     def get_security_domain_data(self, host, port):
-         domain_data = None
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index 4fbb74684b..0515bbb197 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -241,6 +241,10 @@ class PKIServer(object):
-     def jss_conf(self):
-         return os.path.join(self.conf_dir, 'jss.conf')
- 
-+    @property
-+    def ca_cert(self):
-+        return os.path.join(self.nssdb_dir, 'ca.crt')
-+
-     def is_valid(self):
-         return self.exists()
- 
-@@ -259,8 +263,6 @@ class PKIServer(object):
- 
-     def export_ca_cert(self):
- 
--        ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
--
-         token = pki.nssdb.INTERNAL_TOKEN_NAME
-         nickname = self.get_sslserver_cert_nickname()
- 
-@@ -272,7 +274,7 @@ class PKIServer(object):
-         nssdb = self.open_nssdb(token=token)
- 
-         try:
--            nssdb.extract_ca_cert(ca_path, nickname)
-+            nssdb.extract_ca_cert(self.ca_cert, nickname)
-         finally:
-             nssdb.close()
- 
--- 
-2.33.1
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index e171a44..a6cacd8 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -12,9 +12,10 @@ License:          GPLv2 and LGPLv2
 
 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
-Version:          10.12.0
-Release:          4%{?_timestamp}%{?_commit_id}%{?dist}
-#global           _phase -alpha1
+%global           release_number 1
+Version:          10.14.3
+Release:          %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist}
+#global           _phase
 
 # To create a tarball from a version tag:
 # $ git archive \
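Review bot: Nothing in this rebase records that the XXE hardening for CVE-2022-2414 is actually present in the `pki-10.14.3` tarball that `Version: 10.14.3` now selects; until now it was carried as Patch1 with its Patch2 follow-up, both dropped further down in this spec. Before merging, confirm that the shipped sources still set `disallow-doctype-decl` on the `DocumentBuilderFactory` instances and clear `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` on the `TransformerFactory` instances in SecurityDomainProcessor.java, ServerXml.java, XMLObject.java and TestListener.java. Then record the result in the changelog, for example `- Drop downstream patches for CVE-2022-2414 and pki-healthcheck clones (included upstream)`, with the wording adjusted once verified. Separately, `Release: %{?release_number}...` uses the conditional form although the macro is defined one line above; plain `%{release_number}` would avoid a Release that silently loses its number if the `%global` line is ever removed.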
@@ -31,10 +32,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 
-Patch0: 0001-Fix-pki-healthcheck-for-clones.patch
-Patch1: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
-Patch2: 0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
-
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
 # md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
@@ -787,9 +784,9 @@ BuildArch:        noarch
 Obsoletes:        pki-console < %{version}-%{release}
 Provides:         pki-console = %{version}-%{release}
 
-BuildRequires:    idm-console-framework >= 1.2.0
+BuildRequires:    idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
 
-Requires:         idm-console-framework >= 1.2.0
+Requires:         idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
 Requires:         %{product_id}-base-java = %{version}-%{release}
 Requires:         %{product_id}-console-theme = %{version}-%{release}
 
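Review bot: The new `< 2.0.0` cap on `idm-console-framework` is added to both `BuildRequires` and `Requires` with no comment or changelog line saying which incompatibility it guards against, so a later maintainer cannot tell when it is safe to lift. A one-line comment above the pair would do, for example `# pki-console 10.x targets the idm-console-framework 1.x API; revisit this cap when moving to 2.x`. That reason is presumed here and should be replaced with the actual one. The package section these lines belong to begins above the hunk.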
@@ -1406,6 +1403,16 @@ fi
 
 ################################################################################
 %changelog
+* Fri Feb 03 2023 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-1
+- Rebase to PKI 10.14.3
+- Bug 1959057 - An error has ocorred (IPA Error 4301:CertificateOperationError)
+- Bug 2016164 - IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied
+- Bug 2022561 - ipa-healthcheck CADogtagCertsConfigCheck fail to process the scenario of renewed IPA CA certificates ( ipa get_cert_from_db() )
+
+* Tue Nov 29 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.2-1
+- Rebase to PKI 10.14.2
+- Bug 2149253 - Rebase to upstream version v2.14.2
+
 * Mon Jul 25 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-4
 - Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE
 - Rename packages to idm-pki