diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..94c16a4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/pki-10.6.9.tar.gz diff --git a/.pki-core.metadata b/.pki-core.metadata new file mode 100644 index 0000000..973de1c --- /dev/null +++ b/.pki-core.metadata @@ -0,0 +1 @@ +7328a1d3e1a8f743b3663ed8191bb481354bee4f SOURCES/pki-10.6.9.tar.gz diff --git a/SOURCES/0001-Bug-fix-for-Nuxwdog-150.patch b/SOURCES/0001-Bug-fix-for-Nuxwdog-150.patch new file mode 100644 index 0000000..bdf9bfc --- /dev/null +++ b/SOURCES/0001-Bug-fix-for-Nuxwdog-150.patch @@ -0,0 +1,47 @@ +From bb759551b1177fb6795405b26067c9a369fb6b52 Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Fri, 25 Jan 2019 12:23:10 -0500 +Subject: [PATCH] Bug fix for Nuxwdog (#150) + +- systemd doesn't keep the keys pinned between ExecStartPre and ExecStart. + As a result, PKI server sees an empty keyring when it starts. (Bug #1668954) + +- This PR includes a fix to keep a fd open until the PKI server starts. This will + keep a process running for `User=` and so the keyring won't be dropped. + +Backport of #149 + +Signed-off-by: Dinesh Prasanth M K +--- + base/server/scripts/pki-server-nuxwdog | 4 ++++ + pki.spec | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/base/server/scripts/pki-server-nuxwdog b/base/server/scripts/pki-server-nuxwdog +index ab504ae3e..4f11f6de2 100755 +--- a/base/server/scripts/pki-server-nuxwdog ++++ b/base/server/scripts/pki-server-nuxwdog +@@ -122,3 +122,7 @@ for tag in sorted(iter(tags)): + key_name = instance_name + '/' + tag + + keyring.put_password(key_name=key_name, password=entered_pass) ++ ++# 4. Put this script to sleep in background to keep the keyring fd open until main program starts ++# due to systemd bug #1668954 ++subprocess.Popen(['/usr/bin/sleep', '10']) +diff --git a/pki.spec b/pki.spec +index 80cd74a94..358a8a758 100644 +--- a/pki.spec ++++ b/pki.spec +@@ -609,6 +609,8 @@ Requires: pki-symkey >= %{version}-%{release} + Requires: pki-base-java >= %{version}-%{release} + Requires: pki-tools >= %{version}-%{release} + ++Requires: keyutils ++ + %if 0%{?rhel} && 0%{?rhel} <= 7 + # no policycoreutils-python-utils + %else +-- +2.20.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec new file mode 100644 index 0000000..039311e --- /dev/null +++ b/SPECS/pki-core.spec @@ -0,0 +1,1693 @@ +################################################################################ +Name: pki-core +################################################################################ + +Summary: PKI Core Package +URL: http://www.dogtagpki.org/ +# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 +License: GPLv2 and LGPLv2 + +Version: 10.6.9 +Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +# global _phase -a1 + +# To create a tarball from a version tag: +# $ git archive \ +# --format=tar.gz \ +# --prefix pki-/ \ +# -o pki-.tar.gz \ +# +Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{version}%{?_phase}.tar.gz + +# To create a patch for all changes since a version tag: +# $ git format-patch \ +# --stdout \ +# \ +# > pki-VERSION-RELEASE.patch +# Patch: pki-VERSION-RELEASE.patch + +Patch: 0001-Bug-fix-for-Nuxwdog-150.patch + +################################################################################ +# NSS +################################################################################ + +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +%global nss_default_db_type dbm +%else +%global nss_default_db_type sql +%endif + +################################################################################ +# Python +################################################################################ + +# Python 2 packages +%if 0%{!?with_python2:1} +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 28 +%global with_python2 1 +%else +# no python2 +%endif +%endif + +# Python 3 packages +%if 0%{!?with_python3:1} +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no python3 +%else +%global with_python3 1 +%endif +%endif + +# Use Python 3 for all commands? +%if 0%{!?with_python3_default:1} +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +%global with_python3_default 0 +%else +%global with_python3_default 1 +%endif +%endif + +################################################################################ +# Java +################################################################################ + +%define java_home %{_usr}/lib/jvm/jre-1.8.0-openjdk + +################################################################################ +# RESTEasy +################################################################################ + +%if 0%{?rhel} && 0%{?rhel} <= 7 +%define jaxrs_api_jar /usr/share/java/resteasy-base/jaxrs-api.jar +%define resteasy_lib /usr/share/java/resteasy-base +%else +%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar +%define resteasy_lib /usr/share/java/resteasy +%endif + +################################################################################ +# PKI +################################################################################ + +# By default the build will execute unit tests unless --without test +# option is specified. + +# bcond_without test +%global with_test 1 + +# By default all packages will be built except the ones specified with +# --without option (exclusion method). + +# If --with pkgs option is specified, only packages specified with +# --with will be built (inclusion method). + +# bcond_with pkgs +%global with_pkgs 1 + +# Define package_option macro to wrap bcond_with or bcond_without macro +# depending on package selection method. + +%if %{with pkgs} +%define package_option() %bcond_with %1 +%else +%define package_option() %bcond_without %1 +%endif # with pkgs + +# Define --with or --without options depending on +# package selection method. + +# package_option base +%global with_base 1 +# package_option server +%global with_server 1 +# package_option ca +%global with_ca 1 +# package_option kra +%global with_kra 1 +# package_option ocsp +# package_option tks +# package_option tps +# package_option javadoc +# package_option console +# package_option theme +# package_option meta +# package_option debug +%global with_debug 1 + +%if ! %{with debug} +%define debug_package %{nil} +%endif # with debug + +# ignore unpackaged files from native 'tpsclient' +# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app +%define _unpackaged_files_terminate_build 0 + +# pkiuser and group. The uid and gid are preallocated +# see /usr/share/doc/setup/uidgid +%define pki_username pkiuser +%define pki_uid 17 +%define pki_groupname pkiuser +%define pki_gid 17 +%define pki_homedir /usr/share/pki + +%global brand redhat + +%global saveFileContext() \ +if [ -s /etc/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ + cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ + fi \ +fi; + +%global relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ + fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ + rm -f ${FILE_CONTEXT}.%name; \ +fi; + +################################################################################ +# Build Dependencies +################################################################################ + +# autosetup +BuildRequires: git +BuildRequires: make + +BuildRequires: cmake >= 2.8.9-1 +BuildRequires: gcc-c++ +BuildRequires: zip +BuildRequires: java-1.8.0-openjdk-devel +BuildRequires: redhat-rpm-config +BuildRequires: ldapjdk >= 4.20 +BuildRequires: apache-commons-cli +BuildRequires: apache-commons-codec +BuildRequires: apache-commons-io +BuildRequires: apache-commons-lang +BuildRequires: jakarta-commons-httpclient +BuildRequires: glassfish-jaxb-api +BuildRequires: slf4j +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no slf4j-jdk14 +%else +BuildRequires: slf4j-jdk14 +%endif +BuildRequires: nspr-devel +BuildRequires: nss-devel >= 3.36.1 + +BuildRequires: openldap-devel +BuildRequires: pkgconfig +BuildRequires: policycoreutils + +%if 0%{?rhel} && 0%{?rhel} <= 7 +BuildRequires: python-lxml +BuildRequires: python-sphinx +%else +%if 0%{?fedora} && 0%{?fedora} <= 28 +BuildRequires: python2-lxml +BuildRequires: python2-sphinx +%else +BuildRequires: python3-lxml +BuildRequires: python3-sphinx +%endif +%endif + +BuildRequires: velocity +BuildRequires: xalan-j2 +BuildRequires: xerces-j2 + +%if 0%{?rhel} +%if 0%{?rhel} <= 7 +# 'resteasy-base' is a subset of the complete set of +# 'resteasy' packages and consists of what is needed to +# support the PKI Restful interface on certain RHEL platforms +BuildRequires: resteasy-base-atom-provider >= 3.0.6-1 +BuildRequires: resteasy-base-client >= 3.0.6-1 +BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1 +BuildRequires: resteasy-base-jackson-provider >= 3.0.6-1 +%else +BuildRequires: resteasy >= 3.0.26 +%endif +%else +BuildRequires: jboss-annotations-1.2-api +BuildRequires: jboss-jaxrs-2.0-api +BuildRequires: jboss-logging +BuildRequires: resteasy-atom-provider >= 3.0.17-1 +BuildRequires: resteasy-client >= 3.0.17-1 +BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 +BuildRequires: resteasy-core >= 3.0.17-1 +BuildRequires: resteasy-jackson2-provider >= 3.0.17-1 +%endif + +%if 0%{?with_python2} +%if 0%{?rhel} +# no pylint +%else +BuildRequires: pylint +%if 0%{?fedora} && 0%{?fedora} <= 27 +BuildRequires: python-flake8 >= 2.5.4 +BuildRequires: pyflakes >= 1.2.3 +%else +BuildRequires: python2-flake8 >= 2.5.4 +BuildRequires: python2-pyflakes >= 1.2.3 +%endif +%endif +%endif # with_python2 + +%if 0%{?with_python3} +%if 0%{?rhel} +# no pylint +%else +BuildRequires: python3-pylint +BuildRequires: python3-flake8 >= 2.5.4 +BuildRequires: python3-pyflakes >= 1.2.3 +%endif +%endif # with_python3 + +%if 0%{?with_python2} +BuildRequires: python2 +BuildRequires: python2-devel +BuildRequires: python2-cryptography +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +BuildRequires: python-nss +BuildRequires: python-requests >= 2.6.0 +BuildRequires: python-six +BuildRequires: libselinux-python +BuildRequires: policycoreutils-python +BuildRequires: python-ldap +%else +BuildRequires: python2-nss +BuildRequires: python2-requests >= 2.6.0 +BuildRequires: python2-six +BuildRequires: python2-libselinux +BuildRequires: python2-policycoreutils +BuildRequires: python2-ldap +%endif +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no policycoreutils-python-utils +%else +BuildRequires: policycoreutils-python-utils +%endif +%endif # with_python2 + +%if 0%{?with_python3} +BuildRequires: python3 +BuildRequires: python3-devel +BuildRequires: python3-cryptography +BuildRequires: python3-lxml +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +BuildRequires: python3-pyldap +# no python3-libselinux +%else +BuildRequires: python3-ldap +BuildRequires: python3-libselinux +%endif +BuildRequires: python3-nss +BuildRequires: python3-requests >= 2.6.0 +BuildRequires: python3-six +%endif # with_python3 + +BuildRequires: junit +BuildRequires: jpackage-utils >= 0:1.7.5-10 +%if 0%{?rhel} && 0%{?rhel} <= 7 +BuildRequires: jss >= 4.4.0-11 +BuildRequires: tomcatjss >= 7.2.1-4 +%else +BuildRequires: jss >= 4.5.0-1 +BuildRequires: tomcatjss >= 7.3.6 +%endif +BuildRequires: systemd-units + +%if 0%{?rhel} && 0%{?rhel} <= 7 +BuildRequires: tomcat >= 7.0.69 +%else +%if 0%{?fedora} && 0%{?fedora} <= 27 +BuildRequires: tomcat >= 8.0.49 +%else +%if 0%{?fedora} && 0%{?fedora} <= 28 +BuildRequires: tomcat >= 1:8.5.23 +%else +%if 0%{?rhel} +BuildRequires: pki-servlet-container +%else +BuildRequires: tomcat >= 1:9.0.7 +%endif +%endif +%endif +%endif + +# additional build requirements needed to build native 'tpsclient' +# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app +BuildRequires: apr-devel +BuildRequires: apr-util-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: httpd-devel >= 2.4.2 +BuildRequires: pcre-devel +BuildRequires: systemd +BuildRequires: zlib +BuildRequires: zlib-devel + +# description for top-level package (if there is a separate meta package) +%if "%{name}" != "%{brand}-pki" +%description + +Red Hat PKI is an enterprise software system designed +to manage enterprise Public Key Infrastructure deployments. + +PKI consists of the following components: + + * Certificate Authority (CA) + * Key Recovery Authority (KRA) + * Online Certificate Status Protocol (OCSP) Manager + * Token Key Service (TKS) + * Token Processing Service (TPS) + +%endif + +%if %{with meta} +%if "%{name}" != "%{brand}-pki" +################################################################################ +%package -n %{brand}-pki +################################################################################ + +Summary: Red Hat PKI Package +%endif + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL PKI theme packages +Requires: %{brand}-pki-server-theme >= %{version} +Requires: %{brand}-pki-console-theme >= %{version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL PKI core packages +Requires: pki-base-java >= %{version} +%if 0%{?with_python3} +Requires: pki-base-python3 >= %{version} +%endif +Requires: pki-tools >= %{version} +Requires: pki-server >= %{version} +Requires: pki-ca >= %{version} +Requires: pki-kra >= %{version} +Requires: pki-ocsp >= %{version} +Requires: pki-tks >= %{version} +Requires: pki-tps >= %{version} + +# Make certain that this 'meta' package requires the latest version(s) +# of PKI console +Requires: pki-console >= %{version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL PKI clients +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: esc >= 1.1.0 +%else +Requires: esc >= 1.1.1 +%endif + +# description for top-level package (unless there is a separate meta package) +%if "%{name}" == "%{brand}-pki" +%description +%else +%description -n %{brand}-pki +%endif + +Red Hat PKI is an enterprise software system designed +to manage enterprise Public Key Infrastructure deployments. + +PKI consists of the following components: + + * Certificate Authority (CA) + * Key Recovery Authority (KRA) + * Online Certificate Status Protocol (OCSP) Manager + * Token Key Service (TKS) + * Token Processing Service (TPS) + +%endif # with meta + +%if %{with base} +################################################################################ +%package -n pki-symkey +################################################################################ + +Summary: PKI Symmetric Key Package + +Requires: java-1.8.0-openjdk-headless +Requires: jpackage-utils >= 0:1.7.5-10 +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: jss >= 4.4.0-11 +%else +Requires: jss >= 4.5.0-1 +%endif +Requires: nss >= 3.38.0 + +%description -n pki-symkey +The PKI Symmetric Key Java Package supplies various native +symmetric key operations to Java programs. + +################################################################################ +%package -n pki-base +################################################################################ + +Summary: PKI Base Package +BuildArch: noarch + +Requires: nss >= 3.36.1 +%if 0%{?with_python3_default} +Requires: python3-pki = %{version}-%{release} +Requires(post): python3-pki = %{version}-%{release} +%else +Requires: python2-pki = %{version}-%{release} +Requires(post): python2-pki = %{version}-%{release} +%endif # with_python3_default + +%description -n pki-base +The PKI Base Package contains the common and client libraries and utilities +written in Python. + +%if 0%{?with_python2} +################################################################################ +%package -n python2-pki +################################################################################ + +Summary: PKI Python 2 Package +BuildArch: noarch + +Obsoletes: pki-base-python2 < %{version} +Provides: pki-base-python2 = %{version}-%{release} +%if 0%{?fedora} +%{?python_provide:%python_provide python2-pki} +%endif + +Requires: pki-base >= %{version}-%{release} +Requires: python2-cryptography +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +Requires: python-nss +Requires: python-requests >= 2.6.0 +Requires: python-six +%else +Requires: python2-nss +Requires: python2-requests >= 2.6.0 +Requires: python2-six +%endif + +%description -n python2-pki +This package contains PKI client library for Python 2. + +%endif # with_python2 + +%if 0%{?with_python3} +################################################################################ +%package -n python3-pki +################################################################################ + +Summary: PKI Python 3 Package +BuildArch: noarch + +Obsoletes: pki-base-python3 < %{version} +Provides: pki-base-python3 = %{version}-%{release} +%if 0%{?fedora} +%{?python_provide:%python_provide python3-pki} +%endif + +Requires: pki-base >= %{version}-%{release} +Requires: python3-cryptography +Requires: python3-lxml +Requires: python3-nss +Requires: python3-requests >= 2.6.0 +Requires: python3-six + +%description -n python3-pki +This package contains PKI client library for Python 3. + +%endif # with_python3 for python3-pki + +################################################################################ +%package -n pki-base-java +################################################################################ + +Summary: PKI Base Java Package +BuildArch: noarch + +Requires: java-1.8.0-openjdk-headless +Requires: apache-commons-cli +Requires: apache-commons-codec +Requires: apache-commons-io +Requires: apache-commons-lang +Requires: apache-commons-logging +Requires: jakarta-commons-httpclient +Requires: glassfish-jaxb-api +Requires: slf4j +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no slf4j-jdk14 +%else +Requires: slf4j-jdk14 +%endif +Requires: javassist +Requires: jpackage-utils >= 0:1.7.5-10 +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: jss >= 4.4.0-11 +%else +Requires: jss >= 4.5.0-1 +%endif +Requires: ldapjdk >= 4.20 +Requires: pki-base >= %{version}-%{release} + +%if 0%{?rhel} +%if 0%{?rhel} <= 7 +# 'resteasy-base' is a subset of the complete set of +# 'resteasy' packages and consists of what is needed to +# support the PKI Restful interface on certain RHEL platforms +Requires: resteasy-base-atom-provider >= 3.0.6-1 +Requires: resteasy-base-client >= 3.0.6-1 +Requires: resteasy-base-jaxb-provider >= 3.0.6-1 +Requires: resteasy-base-jaxrs >= 3.0.6-1 +Requires: resteasy-base-jaxrs-api >= 3.0.6-1 +Requires: resteasy-base-jackson-provider >= 3.0.6-1 +%else +Requires: resteasy >= 3.0.26 +%endif +%else +Requires: resteasy-atom-provider >= 3.0.17-1 +Requires: resteasy-client >= 3.0.17-1 +Requires: resteasy-jaxb-provider >= 3.0.17-1 +Requires: resteasy-core >= 3.0.17-1 +Requires: resteasy-jackson2-provider >= 3.0.17-1 +%endif + +Requires: xalan-j2 +Requires: xerces-j2 +Requires: xml-commons-apis +Requires: xml-commons-resolver + +%description -n pki-base-java +The PKI Base Java Package contains the common and client libraries and utilities +written in Java. + +################################################################################ +%package -n pki-tools +################################################################################ + +Summary: PKI Tools Package + +Requires: openldap-clients +Requires: nss-tools >= 3.36.1 +Requires: pki-base-java >= %{version}-%{release} + +%description -n pki-tools +This package contains PKI executables that can be used to help make +Certificate System into a more complete and robust PKI solution. + +%endif # with base + +%if %{with server} +################################################################################ +%package -n pki-server +################################################################################ + +Summary: PKI Server Package +BuildArch: noarch + +Requires: hostname +Requires: net-tools + +Requires: policycoreutils +Requires: procps-ng +Requires: openldap-clients +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: openssl >= 1.0.2k-11 +%else +Requires: openssl +%endif +Requires: pki-symkey >= %{version}-%{release} +Requires: pki-base-java >= %{version}-%{release} +Requires: pki-tools >= %{version}-%{release} + +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no policycoreutils-python-utils +%else +Requires: policycoreutils-python-utils +%endif + +%if 0%{?with_python3_default} +%if 0%{?fedora} && 0%{?fedora} <= 27 +Requires: python3-pyldap +%else +Requires: python3-ldap +%endif +Requires: python3-lxml +Requires: python3-libselinux +Requires: python3-policycoreutils +%else +%if 0%{?rhel} && 0%{?rhel} <= 7 || 0%{?fedora} && 0%{?fedora} <= 27 +Requires: python-ldap +Requires: python-lxml +Requires: libselinux-python +Requires: policycoreutils-python +%else +Requires: python2-ldap +Requires: python2-lxml +Requires: python2-libselinux +Requires: python2-policycoreutils +%endif +%endif # with_python3_default + +Requires: selinux-policy-targeted >= 3.13.1-159 + +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: tomcat >= 7.0.69 +%else +%if 0%{?fedora} && 0%{?fedora} <= 27 +Requires: tomcat >= 8.0.49 +%else +%if 0%{?fedora} && 0%{?fedora} <= 28 +Requires: tomcat >= 1:8.5.23 +%else +%if 0%{?rhel} +Requires: pki-servlet-container >= 1:9.0.7 +%else +Requires: tomcat >= 1:9.0.7 +%endif +%endif +%endif +%endif + +Requires: velocity +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires(pre): shadow-utils +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: tomcatjss >= 7.2.1-4 +%else +Requires: tomcatjss >= 7.3.6 +%endif + +# https://pagure.io/freeipa/issue/7742 +%if 0%{?rhel} +Conflicts: ipa-server < 4.7.1 +%else +Conflicts: freeipa-server < 4.7.1 +%endif + +%description -n pki-server +The PKI Server Package contains libraries and utilities needed by the +following PKI subsystems: + + the Certificate Authority (CA), + the Key Recovery Authority (KRA), + the Online Certificate Status Protocol (OCSP) Manager, + the Token Key Service (TKS), and + the Token Processing Service (TPS). + +%endif # with server + +%if %{with ca} +################################################################################ +%package -n pki-ca +################################################################################ + +Summary: PKI CA Package +BuildArch: noarch + +Requires: pki-server >= %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description -n pki-ca +The Certificate Authority (CA) is a required PKI subsystem which issues, +renews, revokes, and publishes certificates as well as compiling and +publishing Certificate Revocation Lists (CRLs). + +The Certificate Authority can be configured as a self-signing Certificate +Authority, where it is the root CA, or it can act as a subordinate CA, +where it obtains its own signing certificate from a public CA. + +%endif # with ca + +%if %{with kra} +################################################################################ +%package -n pki-kra +################################################################################ + +Summary: PKI KRA Package +BuildArch: noarch + +Requires: pki-server >= %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description -n pki-kra +The Key Recovery Authority (KRA) is an optional PKI subsystem that can act +as a key archival facility. When configured in conjunction with the +Certificate Authority (CA), the KRA stores private encryption keys as part of +the certificate enrollment process. The key archival mechanism is triggered +when a user enrolls in the PKI and creates the certificate request. Using the +Certificate Request Message Format (CRMF) request format, a request is +generated for the user's private encryption key. This key is then stored in +the KRA which is configured to store keys in an encrypted format that can only +be decrypted by several agents requesting the key at one time, providing for +protection of the public encryption keys for the users in the PKI deployment. + +Note that the KRA archives encryption keys; it does NOT archive signing keys, +since such archival would undermine non-repudiation properties of signing keys. + +%endif # with kra + +%if %{with ocsp} +################################################################################ +%package -n pki-ocsp +################################################################################ + +Summary: PKI OCSP Package +BuildArch: noarch + +Requires: pki-server >= %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description -n pki-ocsp +The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +subsystem that can act as a stand-alone OCSP service. The OCSP Manager +performs the task of an online certificate validation authority by enabling +OCSP-compliant clients to do real-time verification of certificates. Note +that an online certificate-validation authority is often referred to as an +OCSP Responder. + +Although the Certificate Authority (CA) is already configured with an +internal OCSP service. An external OCSP Responder is offered as a separate +subsystem in case the user wants the OCSP service provided outside of a +firewall while the CA resides inside of a firewall, or to take the load of +requests off of the CA. + +The OCSP Manager can receive Certificate Revocation Lists (CRLs) from +multiple CA servers, and clients can query the OCSP Manager for the +revocation status of certificates issued by all of these CA servers. + +When an instance of OCSP Manager is set up with an instance of CA, and +publishing is set up to this OCSP Manager, CRLs are published to it +whenever they are issued or updated. + +%endif # with ocsp + +%if %{with tks} +################################################################################ +%package -n pki-tks +################################################################################ + +Summary: PKI TKS Package +BuildArch: noarch + +Requires: pki-server >= %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description -n pki-tks +The Token Key Service (TKS) is an optional PKI subsystem that manages the +master key(s) and the transport key(s) required to generate and distribute +keys for hardware tokens. TKS provides the security between tokens and an +instance of Token Processing System (TPS), where the security relies upon the +relationship between the master key and the token keys. A TPS communicates +with a TKS over SSL using client authentication. + +TKS helps establish a secure channel (signed and encrypted) between the token +and the TPS, provides proof of presence of the security token during +enrollment, and supports key changeover when the master key changes on the +TKS. Tokens with older keys will get new token keys. + +Because of the sensitivity of the data that TKS manages, TKS should be set up +behind the firewall with restricted access. + +%endif # with tks + +%if %{with tps} +################################################################################ +%package -n pki-tps +################################################################################ + +Summary: PKI TPS Package + +Requires: pki-server >= %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +# additional runtime requirements needed to run native 'tpsclient' +# REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app + +Requires: nss-tools >= 3.36.1 +Requires: openldap-clients + +%description -n pki-tps +The Token Processing System (TPS) is an optional PKI subsystem that acts +as a Registration Authority (RA) for authenticating and processing +enrollment requests, PIN reset requests, and formatting requests from +the Enterprise Security Client (ESC). + +TPS is designed to communicate with tokens that conform to +Global Platform's Open Platform Specification. + +TPS communicates over SSL with various PKI backend subsystems (including +the Certificate Authority (CA), the Key Recovery Authority (KRA), and the +Token Key Service (TKS)) to fulfill the user's requests. + +TPS also interacts with the token database, an LDAP server that stores +information about individual tokens. + +The utility "tpsclient" is a test tool that interacts with TPS. This +tool is useful to test TPS server configs without risking an actual +smart card. + +%endif # with tps + +%if %{with javadoc} +################################################################################ +%package -n pki-javadoc +################################################################################ + +Summary: PKI Javadoc Package +BuildArch: noarch + +%description -n pki-javadoc +This package contains PKI API documentation. + +%endif # with javadoc + +%if %{with console} +################################################################################ +%package -n pki-console +################################################################################ + +Summary: PKI Console Package +BuildArch: noarch + +BuildRequires: idm-console-framework >= 1.2.0 + +Requires: idm-console-framework >= 1.2.0 +Requires: pki-base-java >= %{version} +Requires: pki-console-theme >= %{version} + +%description -n pki-console +The PKI Console is a Java application used to administer PKI server. + +%endif # with console + +%if %{with theme} +################################################################################ +%package -n %{brand}-pki-server-theme +################################################################################ + +Summary: Red Hat PKI Server Theme Package +BuildArch: noarch + +Provides: pki-server-theme = %{version}-%{release} + +%description -n %{brand}-pki-server-theme +This PKI Server Theme Package contains +Red Hat textual and graphical user interface for PKI Server. + +################################################################################ +%package -n %{brand}-pki-console-theme +################################################################################ + +Summary: Red Hat PKI Console Theme Package +BuildArch: noarch + +Provides: pki-console-theme = %{version}-%{release} + +%description -n %{brand}-pki-console-theme +This PKI Console Theme Package contains +Red Hat textual and graphical user interface for PKI Console. + +%endif # with theme + +################################################################################ +%prep +################################################################################ + +%autosetup -n pki-%{version}%{?_phase} -p 1 -S git + +################################################################################ +%build +################################################################################ + +# get Tomcat . version number +tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'` + +if [ $tomcat_version == "9.0" ]; then + app_server=tomcat-8.5 +else + app_server=tomcat-$tomcat_version +fi + +%{__mkdir_p} build +cd build +%cmake \ + --no-warn-unused-cli \ + -DVERSION=%{version}-%{release} \ + -DVAR_INSTALL_DIR:PATH=/var \ + -DJAVA_HOME=%{java_home} \ + -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ + -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ + -DAPP_SERVER=$app_server \ + -DJAXRS_API_JAR=%{jaxrs_api_jar} \ + -DRESTEASY_LIB=%{resteasy_lib} \ + -DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \ + -DBUILD_PKI_CORE:BOOL=ON \ + -DWITH_PYTHON2:BOOL=%{?with_python2:ON}%{!?with_python2:OFF} \ + -DWITH_PYTHON3:BOOL=%{?with_python3:ON}%{!?with_python3:OFF} \ +%if 0%{?with_python3_default} + -DWITH_PYTHON3_DEFAULT:BOOL=ON \ +%endif + -DPYTHON_EXECUTABLE=%{__python3} \ + -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ +%if ! %{with server} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps} + -DWITH_SERVER:BOOL=OFF \ +%endif + -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ + -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ + -DTHEME=%{?with_theme:%{brand}} \ + .. + +################################################################################ +%install +################################################################################ + +cd build + +# Do not use _smp_mflags to preserve build order +%{__make} \ + VERBOSE=%{?_verbose} \ + CMAKE_NO_VERBOSE=1 \ + DESTDIR=%{buildroot} \ + INSTALL="install -p" \ + --no-print-directory \ + all install + +%if %{with meta} +%{__mkdir_p} %{buildroot}%{_datadir}/doc/pki + +cat > %{buildroot}%{_datadir}/doc/pki/README << EOF +This package is a "meta-package" whose dependencies pull in all of the +packages comprising the Red Hat Public Key Infrastructure (PKI) Suite. +EOF +%endif # with meta + +# Customize system upgrade scripts in /usr/share/pki/upgrade +%if 0%{?rhel} && 0%{?rhel} <= 7 + +# merge newer upgrade scripts into 10.3.3 for RHEL +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.4 +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.5 + +# merge newer upgrade scripts into 10.4.1 for RHEL +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.2 +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.3 +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.4 +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.5 +/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.6 +%endif + +# Customize client library links in /usr/share/pki/lib +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no link customization +%else + rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar + ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar + ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar +%endif + +%if %{with server} + +# Customize server upgrade scripts in /usr/share/pki/server/upgrade +%if 0%{?rhel} && 0%{?rhel} <= 7 + +# merge newer upgrade scripts into 10.3.3 for RHEL +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixDeploymentDescriptor \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixDeploymentDescriptor +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.4 +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5 + +# merge newer upgrade scripts into 10.4.1 for RHEL +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/01-AddSessionAuthenticationPlugin +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/02-AddKRAWrappingParams \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/02-AddKRAWrappingParams +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/03-UpdateKeepAliveTimeout +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2 +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.3 +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.4 +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.5 +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6 + +# merge newer upgrade script into 10.5.1 for RHEL +mv %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams \ + %{buildroot}%{_datadir}/pki/server/upgrade/10.5.1/01-AddTPSExternalRegISEtokenParams + +/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.5.5 + +%endif + +# Customize server common library links in /usr/share/pki/server/common/lib +%if 0%{?fedora} || 0%{?rhel} > 7 + rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar + rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar + ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar + ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar + ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar + +%else + +if [ -f /etc/debian_version ]; then + ln -sf /usr/share/java/commons-collections3.jar %{buildroot}%{_datadir}/pki/server/common/lib/commons-collections.jar + ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpclient.jar + ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpcore.jar + ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-core-asl.jar + ln -sf /usr/share/java/jackson-jaxrs.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-jaxrs.jar + ln -sf /usr/share/java/jackson-mapper-asl.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mapper-asl.jar + ln -sf /usr/share/java/jackson-mrbean.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-mrbean.jar + ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-smile.jar + ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-xc.jar + ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/server/common/lib/jss4.jar + ln -sf /usr/share/java/symkey.jar %{buildroot}%{_datadir}/pki/server/common/lib/symkey.jar + ln -sf /usr/share/java/xercesImpl.jar %{buildroot}%{_datadir}/pki/server/common/lib/xerces-j2.jar + ln -sf /usr/share/java/xml-apis.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-apis.jar + ln -sf /usr/share/java/xml-resolver.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-resolver.jar +fi + +%endif + +# Customize server library links in /usr/share/pki/server/lib +%if 0%{?rhel} && 0%{?rhel} <= 7 + rm -f %{buildroot}%{_datadir}/pki/server/lib/slf4j-jdk14.jar +%endif + +%if 0%{?rhel} +# no pylint +%else + +################################################################################ +echo "Scanning Python code with pylint" +################################################################################ + +%if 0%{?with_python3_default} +%{__python3} ../tools/pylint-build-scan.py rpm --prefix %{buildroot} +if [ $? -ne 0 ]; then + echo "pylint for Python 3 failed. RC: $?" + exit 1 +fi +%else +%{__python2} ../tools/pylint-build-scan.py rpm --prefix %{buildroot} +if [ $? -ne 0 ]; then + echo "pylint for Python 2 failed. RC: $?" + exit 1 +fi + +%{__python2} ../tools/pylint-build-scan.py rpm --prefix %{buildroot} -- --py3k +if [ $? -ne 0 ]; then + echo "pylint for Python 2 with --py3k failed. RC: $?" + exit 1 +fi +%endif # with_python3_default + +################################################################################ +echo "Scanning Python code with flake8" +################################################################################ + +%if 0%{?with_python2} +flake8 --config ../tox.ini %{buildroot} +if [ $? -ne 0 ]; then + echo "flake8 for Python 2 failed. RC: $?" + exit 1 +fi +%endif # with_python2 + +%if 0%{?with_python3} +python3-flake8 --config ../tox.ini %{buildroot} +if [ $? -ne 0 ]; then + echo "flake8 for Python 3 failed. RC: $?" + exit 1 +fi +%endif # with_python3 + +%endif + +%endif # with server + +%if %{with base} + +%if 0%{?rhel} && 0%{?rhel} <= 7 +# no upgrade check +%else +%pretrans -n pki-base -p +function test(a) + if posix.stat(a) then + for f in posix.files(a) do + if f~=".." and f~="." then + return true + end + end + end + return false +end + +if (test("/etc/sysconfig/pki/ca") or + test("/etc/sysconfig/pki/kra") or + test("/etc/sysconfig/pki/ocsp") or + test("/etc/sysconfig/pki/tks")) then + msg = "Unable to upgrade to Fedora 20. There are PKI 9 instances\n" .. + "that will no longer work since they require Tomcat 6, and \n" .. + "Tomcat 6 is no longer available in Fedora 20.\n\n" .. + "Please follow these instructions to migrate the instances to \n" .. + "PKI 10:\n\n" .. + "http://www.dogtagpki.org/wiki/Migrating_PKI_9_Instances_to_PKI_10" + error(msg) +end +%endif + +%endif # with base + +%if %{with server} + +%pre -n pki-server +getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} +if ! getent passwd %{pki_username} >/dev/null ; then + if ! getent passwd %{pki_uid} >/dev/null ; then + useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + else + useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} + fi +fi +exit 0 + +%endif # with server + +%if %{with base} + +%post -n pki-base + +if [ $1 -eq 1 ] +then + # On RPM installation create system upgrade tracker + echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version + +else + # On RPM upgrade run system upgrade + echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 + /sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 + echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1 +fi + +%postun -n pki-base + +if [ $1 -eq 0 ] +then + # On RPM uninstallation remove system upgrade tracker + rm -f %{_sysconfdir}/pki/pki.version +fi + +%endif # with base + +%if %{with server} + +%post -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + +echo "Upgrading PKI server configuration at `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 +/sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 +echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1 + +# Reload systemd daemons on upgrade only +if [ "$1" == "2" ] +then + systemctl daemon-reload +fi + +## preun -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + + +## postun -n pki-server +## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem +## from EITHER 'sysVinit' OR previous 'systemd' processes to the new +## PKI deployment process + +%endif # with server + +%if %{with meta} +%if "%{name}" != "%{brand}-pki" +################################################################################ +%files -n %{brand}-pki +################################################################################ +%else +%files +%endif + +%doc %{_datadir}/doc/pki/README + +%endif # with meta + +%if %{with base} +################################################################################ +%files -n pki-symkey +################################################################################ + +%doc base/symkey/LICENSE +%{_jnidir}/symkey.jar +%{_libdir}/symkey/ + +################################################################################ +%files -n pki-base +################################################################################ + +%doc base/common/LICENSE +%doc base/common/LICENSE.LESSER +%doc %{_datadir}/doc/pki-base/html +%dir %{_datadir}/pki +%{_datadir}/pki/VERSION +%dir %{_datadir}/pki/etc +%{_datadir}/pki/etc/pki.conf +%{_datadir}/pki/etc/logging.properties +%dir %{_datadir}/pki/scripts +%{_datadir}/pki/scripts/config +%{_datadir}/pki/upgrade/ +%{_datadir}/pki/key/templates +%dir %{_sysconfdir}/pki +%config(noreplace) %{_sysconfdir}/pki/pki.conf +%dir %{_localstatedir}/log/pki +%{_sbindir}/pki-upgrade +%{_mandir}/man1/pki-python-client.1.gz +%{_mandir}/man5/pki-logging.5.gz +%{_mandir}/man8/pki-upgrade.8.gz + +%if 0%{?with_python2} +################################################################################ +%files -n python2-pki +################################################################################ + +%doc base/common/LICENSE +%doc base/common/LICENSE.LESSER +%if %{with server} && ! %{?with_python3_default} +%exclude %{python2_sitelib}/pki/server +%endif +%{python2_sitelib}/pki +%endif # with_python2 + +################################################################################ +%files -n pki-base-java +################################################################################ + +%doc base/common/LICENSE +%doc base/common/LICENSE.LESSER +%{_datadir}/pki/examples/java/ +%{_datadir}/pki/lib/ +%dir %{_javadir}/pki +%{_javadir}/pki/pki-cmsutil.jar +%{_javadir}/pki/pki-nsutil.jar +%{_javadir}/pki/pki-certsrv.jar + +%if 0%{?with_python3} +################################################################################ +%files -n python3-pki +################################################################################ + +%doc base/common/LICENSE +%doc base/common/LICENSE.LESSER +%if %{with server} && %{?with_python3_default} +%exclude %{python3_sitelib}/pki/server +%endif +%{python3_sitelib}/pki +%endif # with_python3 + +################################################################################ +%files -n pki-tools +################################################################################ + +%doc base/native-tools/LICENSE base/native-tools/doc/README +%{_bindir}/pki +%{_bindir}/p7tool +%{_bindir}/revoker +%{_bindir}/setpin +%{_bindir}/sslget +%{_bindir}/tkstool +%{_datadir}/pki/native-tools/ +%{_bindir}/AtoB +%{_bindir}/AuditVerify +%{_bindir}/BtoA +%{_bindir}/CMCEnroll +%{_bindir}/CMCRequest +%{_bindir}/CMCResponse +%{_bindir}/CMCRevoke +%{_bindir}/CMCSharedToken +%{_bindir}/CRMFPopClient +%{_bindir}/DRMTool +%{_bindir}/ExtJoiner +%{_bindir}/GenExtKeyUsage +%{_bindir}/GenIssuerAltNameExt +%{_bindir}/GenSubjectAltNameExt +%{_bindir}/HttpClient +%{_bindir}/KRATool +%{_bindir}/OCSPClient +%{_bindir}/PKCS10Client +%{_bindir}/PKCS12Export +%{_bindir}/PrettyPrintCert +%{_bindir}/PrettyPrintCrl +%{_bindir}/TokenInfo +%{_javadir}/pki/pki-tools.jar +%{_datadir}/pki/java-tools/ +%{_mandir}/man1/AtoB.1.gz +%{_mandir}/man1/AuditVerify.1.gz +%{_mandir}/man1/BtoA.1.gz +%{_mandir}/man1/CMCEnroll.1.gz +%{_mandir}/man1/CMCRequest.1.gz +%{_mandir}/man1/CMCSharedToken.1.gz +%{_mandir}/man1/CMCResponse.1.gz +%{_mandir}/man1/DRMTool.1.gz +%{_mandir}/man1/KRATool.1.gz +%{_mandir}/man1/PrettyPrintCert.1.gz +%{_mandir}/man1/PrettyPrintCrl.1.gz +%{_mandir}/man1/pki.1.gz +%{_mandir}/man1/pki-audit.1.gz +%{_mandir}/man1/pki-ca-kraconnector.1.gz +%{_mandir}/man1/pki-ca-profile.1.gz +%{_mandir}/man1/pki-cert.1.gz +%{_mandir}/man1/pki-client.1.gz +%{_mandir}/man1/pki-group.1.gz +%{_mandir}/man1/pki-group-member.1.gz +%{_mandir}/man1/pki-key.1.gz +%{_mandir}/man1/pki-pkcs12-cert.1.gz +%{_mandir}/man1/pki-pkcs12-key.1.gz +%{_mandir}/man1/pki-pkcs12.1.gz +%{_mandir}/man1/pki-securitydomain.1.gz +%{_mandir}/man1/pki-tps-profile.1.gz +%{_mandir}/man1/pki-user.1.gz +%{_mandir}/man1/pki-user-cert.1.gz +%{_mandir}/man1/pki-user-membership.1.gz +%{_mandir}/man1/PKCS10Client.1.gz + +%endif # with base + +%if %{with server} +################################################################################ +%files -n pki-server +################################################################################ + +%doc base/common/THIRD_PARTY_LICENSES +%doc base/server/LICENSE +%doc base/server/README +%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki +%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat +%{_sbindir}/pkispawn +%{_sbindir}/pkidestroy +%{_sbindir}/pki-server +%{_sbindir}/pki-server-upgrade +%if 0%{?with_python3_default} +%{python3_sitelib}/pki/server/ +%else +%{python2_sitelib}/pki/server/ +%endif # with_python3_default + +%{_datadir}/pki/etc/tomcat.conf +%dir %{_datadir}/pki/deployment +%{_datadir}/pki/deployment/config/ +%{_datadir}/pki/scripts/operations +%{_bindir}/pkidaemon +%{_bindir}/pki-server-nuxwdog +%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants +%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service +%attr(644,-,-) %{_unitdir}/pki-tomcatd.target +%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants +%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service +%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target +%{_javadir}/pki/pki-cms.jar +%{_javadir}/pki/pki-cmsbundle.jar +%{_javadir}/pki/pki-cmscore.jar +%{_javadir}/pki/pki-tomcat.jar +%dir %{_sharedstatedir}/pki +%{_mandir}/man1/pkidaemon.1.gz +%{_mandir}/man5/pki_default.cfg.5.gz +%{_mandir}/man5/pki-server-logging.5.gz +%{_mandir}/man8/pki-server-upgrade.8.gz +%{_mandir}/man8/pkidestroy.8.gz +%{_mandir}/man8/pkispawn.8.gz +%{_mandir}/man8/pki-server.8.gz +%{_mandir}/man8/pki-server-instance.8.gz +%{_mandir}/man8/pki-server-subsystem.8.gz +%{_mandir}/man8/pki-server-nuxwdog.8.gz +%{_mandir}/man8/pki-server-migrate.8.gz +%{_mandir}/man8/pki-server-cert.8.gz +%{_mandir}/man8/pki-server-ca.8.gz +%{_mandir}/man8/pki-server-kra.8.gz +%{_mandir}/man8/pki-server-ocsp.8.gz +%{_mandir}/man8/pki-server-tks.8.gz +%{_mandir}/man8/pki-server-tps.8.gz +%{_datadir}/pki/setup/ +%{_datadir}/pki/server/ + +%endif # with server + +%if %{with ca} +################################################################################ +%files -n pki-ca +################################################################################ + +%doc base/ca/LICENSE +%{_javadir}/pki/pki-ca.jar +%dir %{_datadir}/pki/ca +%{_datadir}/pki/ca/conf/ +%{_datadir}/pki/ca/emails/ +%dir %{_datadir}/pki/ca/profiles +%{_datadir}/pki/ca/profiles/ca/ +%{_datadir}/pki/ca/setup/ +%{_datadir}/pki/ca/webapps/ + +%endif # with ca + +%if %{with kra} +################################################################################ +%files -n pki-kra +################################################################################ + +%doc base/kra/LICENSE +%{_javadir}/pki/pki-kra.jar +%dir %{_datadir}/pki/kra +%{_datadir}/pki/kra/conf/ +%{_datadir}/pki/kra/setup/ +%{_datadir}/pki/kra/webapps/ + +%endif # with kra + +%if %{with ocsp} +################################################################################ +%files -n pki-ocsp +################################################################################ + +%doc base/ocsp/LICENSE +%{_javadir}/pki/pki-ocsp.jar +%dir %{_datadir}/pki/ocsp +%{_datadir}/pki/ocsp/conf/ +%{_datadir}/pki/ocsp/setup/ +%{_datadir}/pki/ocsp/webapps/ + +%endif # with ocsp + +%if %{with tks} +################################################################################ +%files -n pki-tks +################################################################################ + +%doc base/tks/LICENSE +%{_javadir}/pki/pki-tks.jar +%dir %{_datadir}/pki/tks +%{_datadir}/pki/tks/conf/ +%{_datadir}/pki/tks/setup/ +%{_datadir}/pki/tks/webapps/ + +%endif # with tks + +%if %{with tps} +################################################################################ +%files -n pki-tps +################################################################################ + +%doc base/tps/LICENSE +%{_javadir}/pki/pki-tps.jar +%dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/applets/ +%{_datadir}/pki/tps/conf/ +%{_datadir}/pki/tps/setup/ +%{_datadir}/pki/tps/webapps/ +%{_mandir}/man5/pki-tps-connector.5.gz +%{_mandir}/man5/pki-tps-profile.5.gz +%{_mandir}/man1/tpsclient.1.gz + +# files for native 'tpsclient' +# REMINDER: Remove this comment once 'tpsclient' is rewritten as a Java app + +%{_bindir}/tpsclient +%{_libdir}/tps/libtps.so +%{_libdir}/tps/libtokendb.so + +%endif # with tps + +%if %{with javadoc} +################################################################################ +%files -n pki-javadoc +################################################################################ + +%{_javadocdir}/pki-%{version}/ + +%endif # with javadoc + +%if %{with console} +################################################################################ +%files -n pki-console +################################################################################ + +%doc base/console/LICENSE +%{_bindir}/pkiconsole +%{_javadir}/pki/pki-console.jar + +%endif # with console + +%if %{with theme} +################################################################################ +%files -n %{brand}-pki-server-theme +################################################################################ + +%doc themes/%{brand}/common-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/CS_SERVER_VERSION +%{_datadir}/pki/common-ui/ +%{_datadir}/pki/server/webapps/pki/ca +%{_datadir}/pki/server/webapps/pki/css +%{_datadir}/pki/server/webapps/pki/esc +%{_datadir}/pki/server/webapps/pki/fonts +%{_datadir}/pki/server/webapps/pki/images +%{_datadir}/pki/server/webapps/pki/kra +%{_datadir}/pki/server/webapps/pki/ocsp +%{_datadir}/pki/server/webapps/pki/pki.properties +%{_datadir}/pki/server/webapps/pki/tks + +################################################################################ +%files -n %{brand}-pki-console-theme +################################################################################ + +%doc themes/%{brand}/console-ui/LICENSE +%{_javadir}/pki/pki-console-theme.jar + +%endif # with theme + +################################################################################ +%changelog +* Mon Jan 28 2019 Red Hat PKI Team - 10.6.9-2 +- Bug #1652269 - Replace Nuxwdog + +* Mon Jan 14 2019 Red Hat PKI Team - 10.6.9-1 +- Rebased to PKI 10.6.9 +- Bug #1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding +- Bug #1652269 - Replace Nuxwdog +- Bug #1656856 - Need Method to Include SKI in CA Signing Certificate Request + +* Thu Nov 29 2018 Red Hat PKI Team - 10.6.8-1 +- Rebased to PKI 10.6.8 +- Bug #1602659 - Fix issues found by covscan +- Bug #1566360 - Fix missing serial number from pki-server subsystem-cert-find + +* Fri Oct 26 2018 Red Hat PKI Team - 10.6.7-3 +- Bug #1643101 - Fix problems due to token normalization + +* Tue Oct 23 2018 Red Hat PKI Team - 10.6.7-2 +- Bug #1623444 - Fix Python KeyClient KeyRequestResponse parsing + +* Fri Oct 05 2018 Red Hat PKI Team - 10.6.7-1 +- Rebased to PKI 10.6.7 + +* Fri Aug 24 2018 Alexander Bokovoy - 10.6.6-3 +- Build on s390x + +* Wed Aug 22 2018 Alexander Bokovoy - 10.6.6-2 +- Use platform-python interpreter +- Bug #1620066 - pkispawn crashes as /usr/bin/python3 does not exist + +* Mon Aug 13 2018 Red Hat PKI Team - 10.6.6-1 +- Rebased to PKI 10.6.6 + +* Wed Aug 08 2018 Red Hat PKI Team - 10.6.5-1 +- Rebased to PKI 10.6.5 + +* Tue Aug 07 2018 Red Hat PKI Team 10.6.4-4 +- Bug #1612063 - Do not override system crypto policy (support TLS 1.3) + +* Wed Aug 01 2018 Red Hat PKI Team - 10.6.4-3 +- Patch PKI to use Jackson 2 and avoid Jackson 1 dependency. + Add direct dependency on slf4j-jdk14. + +* Tue Jul 31 2018 Red Hat PKI Team - 10.6.4-2 +- Updated Jackson and RESTEasy dependencies + +* Fri Jul 20 2018 Red Hat PKI Team - 10.6.4-1 +- Rebased to PKI 10.6.4 + +* Thu Jul 05 2018 Red Hat PKI Team - 10.6.3-1 +- Rebased to PKI 10.6.3 + +* Mon Jul 02 2018 Miro Hrončok - 10.6.2-4 +- Rebuilt for Python 3.7 + +* Thu Jun 28 2018 Red Hat PKI Team - 10.6.2-3 +- Fixed macro expressions +- Bug #1566606 - pki-core: Switch to Python 3 +- Bug #1590467 - pki-core: Drop pylint dependency from RHEL 8 + +* Tue Jun 19 2018 Miro Hrončok - 10.6.2-2 +- Rebuilt for Python 3.7 + +* Fri Jun 15 2018 Red Hat PKI Team - 10.6.2-1 +- Rebased to PKI 10.6.2 + +* Wed May 30 2018 Red Hat PKI Team - 10.6.1-3 +- Updated JSS dependency +- Updated Tomcat dependency +- Fixed rpmlint warnings + +* Fri May 04 2018 Red Hat PKI Team - 10.6.1-2 +- Bug #1574711 - pki-tools cannot be installed on current Rawhide +- Fixed rpmlint warnings + +* Thu May 03 2018 Red Hat PKI Team - 10.6.1-1 +- Rebased to PKI 10.6.1 +- Bug #1559047 - pki-core misses a dependency to pki-symkey +- Bug #1573094 - FreeIPA external CA installation fails + +* Wed Apr 11 2018 Red Hat PKI Team - 10.6.0-1 +- Updated project URL and package descriptions +- Cleaned up spec file +- Rebased to PKI 10.6.0 final + +* Thu Mar 29 2018 Red Hat PKI Team - 10.6.0-0.3 +- Iryna Shcherbina : Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) +- Rebased to PKI 10.6.0 beta2 + +* Thu Mar 15 2018 Red Hat PKI Team - 10.6.0-0.2 +- Rebased to PKI 10.6.0 beta +