diff --git a/SOURCES/pki-core-10.5.1-batch-4.0.patch b/SOURCES/pki-core-10.5.1-batch-4.0.patch
new file mode 100644
index 0000000..8c32da6
--- /dev/null
+++ b/SOURCES/pki-core-10.5.1-batch-4.0.patch
@@ -0,0 +1,1145 @@
+From a44118f657f570493bbcc7af4ed347f638031905 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 12 Jul 2018 10:24:33 -0700
+Subject: [PATCH 1/9] Bugzilla 1548203 LDAP password from console update in
+ audit
+
+This patch replace ldap passwords with "(sensitive)" in audit log.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203
+
+Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a
+(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)
+---
+ .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 769e8e4..2b8cec7 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {
+ if (name.equals(Constants.OP_TYPE)) continue;
+ if (name.equals(Constants.RS_ID)) continue;
+
+- String value = req.getParameter(name);
++ String value = null;
++ if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
++ value = "(sensitive)";
++ else
++ value = req.getParameter(name);
+ params.put(name, value);
+ }
+
+--
+1.8.3.1
+
+
+From 3210233343ae0d837855ac35884ea0d74450dc01 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@redhat.com>
+Date: Mon, 15 Jan 2018 13:59:33 -0800
+Subject: [PATCH 2/9] Test fix for TPS server side key gen for only identity
+ cert problem.
+
+Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d
+(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)
+(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)
+---
+ .../server/tps/cms/TKSRemoteRequestHandler.java | 26 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+index 65d0ed0..8155f90 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
++++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+ String tokenType)
+ throws EBaseException {
+
+- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");
++ String method = "TKSRemoteRequestHandler: computeSessionKey(): ";
++ CMS.debug(method + " begins.");
+ if (cuid == null || kdd == null || keyInfo == null || card_challenge == null
+ || card_cryptogram == null || host_challenge == null) {
+ throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");
+@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+
+ IConfigStore conf = CMS.getConfigStore();
+
+- boolean serverKeygen =
+- conf.getBoolean("op.enroll." +
+- tokenType + ".keyGen.encryption.serverKeygen.enable",
+- false);
++ boolean serverKeygen = false;
++
++ //Try out all the currently supported cert types to see if we are doing server side keygen here
++ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
++ for (String keygenString : keygenStrings) {
++ boolean enabled = conf.getBoolean("op.enroll." +
++ tokenType + ".keyGen." +
++ keygenString + ".serverKeygen.enable", false);
++
++ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
++ if (enabled) {
++ serverKeygen = true;
++ break;
++ }
++ }
++
++
++
++
+ if (keySet == null)
+ keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
+
+--
+1.8.3.1
+
+
+From 6e4ad81a8f65c015f23cbd3716564c6755bbbdf1 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 30 Jul 2018 17:15:09 -0700
+Subject: [PATCH 4/9] Bug 1601071 Certificate generation happens with partial
+ attributes in CMCRequest file
+
+This patch addresses the issue where when a cmcSelfSisnged profile is used
+in a cmcUserSigned case, the certificate is issued.
+A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
+been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
+A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
+to verify.
+In additional, all profiles that authenticate through CMCUserSignedAuth are
+turned off by default to allow site administrators to make conscious decision
+on their own for these features.
+Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
+
+Change-Id: I275118d31b966494411888beb37032bb022c29ce
+(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
+---
+ base/ca/shared/conf/CS.cfg | 2 +-
+ base/ca/shared/conf/registry.cfg | 9 +-
+ .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +-
+ .../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +-
+ .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +-
+ .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +-
+ .../certsrv/authentication/IAuthToken.java | 7 +-
+ .../com/netscape/cms/authentication/CMCAuth.java | 5 +-
+ .../cms/authentication/CMCUserSignedAuth.java | 16 ++-
+ .../netscape/cms/authentication/SharedSecret.java | 4 +-
+ .../netscape/cms/profile/common/EnrollProfile.java | 18 +++
+ .../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++
+ .../profile/def/AuthTokenSubjectNameDefault.java | 2 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++-
+ base/server/cmsbundle/src/UserMessages.properties | 3 +-
+ 15 files changed, 216 insertions(+), 28 deletions(-)
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 1d65835..fcd85a2 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
+ log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 54e4d95..4fe6e93 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
+@@ -1,5 +1,5 @@
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
+ constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
+ constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
+ constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
+-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
+-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
+ constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
+ constraintPolicy.validityConstraintImpl.desc=Validity Constraint
+ constraintPolicy.validityConstraintImpl.name=Validity Constraint
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+index 144c05c..48e6499 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+-enable=true
++enable=false
+ enableBy=admin
+ name=Self-Signed CMC User Certificate Enrollment
+ visible=false
+@@ -10,10 +10,8 @@ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=cmcUserCertSet
+ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+-policyset.cmcUserCertSet.1.constraint.params.accept=true
+-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
+ policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+ policyset.cmcUserCertSet.1.default.name=Subject Name Default
+ policyset.cmcUserCertSet.1.default.params.name=
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+index d2286de..e7b60ee 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
+-enable=true
++enable=false
+ enableBy=admin
+ name=User-Signed CMC-Authenticated User Certificate Enrollment
+ visible=false
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+index bdcdc24..538b16a 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
+-enable=true
++enable=false
+ enableBy=admin
+ name=Self-Signed CMC User Certificate Enrollment
+ visible=false
+@@ -10,10 +10,8 @@ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=cmcUserCertSet
+ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
+-policyset.cmcUserCertSet.1.constraint.params.accept=true
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
+ policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+ policyset.cmcUserCertSet.1.default.name=Subject Name Default
+ policyset.cmcUserCertSet.1.default.params.name=
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+index 9b5d3e9..b0ff8af 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
+-enable=true
++enable=false
+ enableBy=admin
+ name=User-Signed CMC-Authenticated User Certificate Enrollment
+ visible=false
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+index 59c6af2..d5d03b4 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+@@ -44,9 +44,14 @@ public interface IAuthToken {
+ public static final String GROUP = "group";
+ public static final String GROUPS = "groups";
+
+- /* Subject name of the certificate in the authenticating entry */
++ /* Subject name of the certificate request in the authenticating entry */
+ public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
+
++ /* Subject name of the authenticated cert */
++ public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
++ /* Subject DN of the Shared Token authenticated entry */
++ public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
++
+ /* NotBefore value of the certificate in the authenticating entry */
+ public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 86ffa2f..9b6a819 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+
+ IAuthToken tempToken = agentAuth.authenticate(agentCred);
+ netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+- String ID = tempPrincipal.toString();
++ String ID = tempPrincipal.getName();
+ CMS.debug(method + " Principal name = " + ID);
++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
+
+ BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
+ authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
+@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ public void populate(IAuthToken token, IRequest request)
+ throws EProfileException {
+ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
+- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
++ token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
+ }
+
+ public boolean isSSLClientRequired() {
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index d5f6c34..a9a7ade 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ if (requestCertSubject.equals("")) {
+ requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+-
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
+ auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
+ //authToken.set("uid", uid);
+@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+
+ IAuthToken tempToken = new AuthToken(null);
+ netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+- String ID = tempPrincipal.toString(); //tempToken.get("userid");
++ String ID = tempPrincipal.getName(); //tempToken.get("userid");
+ CMS.debug(method + " Principal name = " + ID);
++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
+
+ BigInteger certSerial = x509Certs[0].getSerialNumber();
+ CMS.debug(method + " verified cert serial=" + certSerial.toString());
+@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+
+ public void populate(IAuthToken token, IRequest request)
+ throws EProfileException {
+- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
+- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
++ String method = "CMCUserSignedAuth: populate: ";
++ String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (authenticatedDN != null) {
++ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
++ authenticatedDN);
++ CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
++ authenticatedDN);
++ } else {
++ CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
++ }
+ }
+
+ public boolean isSSLClientRequired() {
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
+index 5ebc213..2d8679c 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
+@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.pkix.cmc.PKIData;
+
+ import com.netscape.certsrv.apps.CMS;
+-import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.EInvalidCredentials;
+ import com.netscape.certsrv.authentication.IAuthCredentials;
++import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.base.EBaseException;
+@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
+ }
+
+ CMS.debug(method + "found user ldap entry: userdn = " + userdn);
+- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
++ authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
+
+ res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
+ "(objectclass=*)", new String[] { mShrTokAttr }, false);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 929e629..f9903c6 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
+
+ // catch for invalid request
+ cmc_msgs = parseCMC(locale, cert_request, donePOI);
++ SessionContext sessionContext = SessionContext.getContext();
++ String authenticatedSubject =
++ (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++
++ if (authenticatedSubject != null) {
++ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
++ }
++
+ if (cmc_msgs == null) {
+ CMS.debug(method + "parseCMC returns cmc_msgs null");
+ return null;
+@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile
+ auditSubjectID = ident_string;
+ sessionContext.put(SessionContext.USER_ID, auditSubjectID);
+
++ // subjectdn from SharedSecret ldap auth
++ // set in context and authToken to be used by profile
++ // default and constraints plugins
++ authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT,
++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++ sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+ auditSubjectID,
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+new file mode 100644
+index 0000000..d4554ca
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+@@ -0,0 +1,129 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2013 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.cms.profile.constraint;
++
++import java.util.Locale;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IPolicyDefault;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.common.EnrollProfile;
++import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
++
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++
++/**
++ * This class implements the user subject name constraint for self-signed cmc requests.
++ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
++ *
++ * @author cfu
++ * @version $Revision$, $Date$
++ */
++public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
++
++ public CMCSelfSignedSubjectNameConstraint() {
++ }
++
++ public void init(IProfile profile, IConfigStore config)
++ throws EProfileException {
++ super.init(profile, config);
++ }
++
++ public IDescriptor getConfigDescriptor(Locale locale, String name) {
++ return null;
++ }
++
++ public String getDefaultConfig(String name) {
++ return null;
++ }
++
++ /**
++ * Validates the request. The request is not modified
++ * during the validation. User encoded subject name
++ * is copied into the certificate template.
++ */
++ public void validate(IRequest request, X509CertInfo info)
++ throws ERejectException {
++ String method = "CMCSelfSignedSubjectNameConstraint: ";
++ String msg = "";
++
++ CertificateSubjectName infoCertSN = null;
++ String authTokenSharedTokenSN = null;
++
++ try {
++ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
++ if (infoCertSN == null) {
++ msg = method + "infoCertSN null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++ CMS.debug(method + "validate user subject ="+
++ infoCertSN.toString());
++ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
++ if (infoCertName == null) {
++ msg = method + "infoCertName null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++
++ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (authTokenSharedTokenSN == null) {
++ msg = method + "authTokenSharedTokenSN null";
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
++ CMS.debug(method + "names matched");
++ } else {
++ msg = method + "names do not match; authTokenSharedTokenSN =" +
++ authTokenSharedTokenSN;
++ CMS.debug(msg);
++ throw new Exception(msg);
++ }
++
++ } catch (Exception e) {
++ throw new ERejectException(
++ CMS.getUserMessage(getLocale(request),
++ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
++ }
++ }
++
++ public String getText(Locale locale) {
++ return CMS.getUserMessage(locale,
++ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
++ }
++
++ public boolean isApplicable(IPolicyDefault def) {
++ String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
++ if (def instanceof AuthTokenSubjectNameDefault) {
++ CMS.debug(method + "true");
++ return true;
++ }
++ CMS.debug(method + "false");
++ return false;
++ }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
+index e789625..85bf241 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
+@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault {
+ X500Name name = new X500Name(
+ request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+
+- CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
++ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName());
+ info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
+ } catch (Exception e) {
+ // failed to insert subject name
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 12fd294..03e94a8 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ CMS.debug("ProfileSubmitCMCServlet: null it out");
+ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
+ }
++
+ String signingCertSerialS = null;
+ if (authToken != null) {
+ signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
+@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
+ }
+
++ String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (tmpSharedTokenAuthenticatedCertSubject != null) {
++ // unlikely to happen, but do this just in case
++ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
++ CMS.debug("ProfileSubmitCMCServlet: null it out");
++ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
++ }
++
+ String errorCode = null;
+ String errorReason = null;
+ String auditRequesterID = ILogger.UNIDENTIFIED;
+@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+
+ tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
+ if (tmpCertSerialS != null) {
+- // unlikely to happenm, but do this just in case
++ // unlikely to happen, but do this just in case
+ CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
+ CMS.debug("ProfileSubmitCMCServlet: null it out");
+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
+ }
+ // put CMCUserSignedAuth authToken in request
+ if (signingCertSerialS != null) {
++ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
++ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
++ }
++
++ tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (tmpSharedTokenAuthenticatedCertSubject != null) {
++ // unlikely to happen, but do this just in case
++ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
++ CMS.debug("ProfileSubmitCMCServlet: null it out");
++ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
++ }
++ // put Shared Token authToken in request
++ String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++ if (st_sbj != null) {
++ CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth");
++ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj);
++ }
++ if (tmpSharedTokenAuthenticatedCertSubject != null) {
+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
+ }
+diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
+index 208632d..e5e6ecc 100644
+--- a/base/server/cmsbundle/src/UserMessages.properties
++++ b/base/server/cmsbundle/src/UserMessages.properties
+@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
+ CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
+ CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
+ CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
+-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
++CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only
++CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only
+ CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
+ CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
+ CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
+--
+1.8.3.1
+
+
+From cc94db7c4c960e2f752a3d1b8687d075187f4e3d Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 1 Aug 2018 13:35:53 -0700
+Subject: [PATCH 5/9] Bug 1593805 Better understanding of
+ NSS_USE_DECODED_CKA_EC_POINT for ECC
+
+This patch removes the outdated reference to EC environment variable
+NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
+
+More info in the usage are updated as well for correctness and clarity.
+
+Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
+(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
+---
+ .../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+index fcaf210..28934ab 100644
+--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+@@ -251,43 +251,47 @@ public class HttpClient {
+ System.out.println("The configuration file should look like as follows:");
+ System.out.println("");
+ System.out.println("#host: host name for the http server");
+- System.out.println("host=host1.a.com");
++ System.out.println("host=host.example.com");
+ System.out.println("");
+ System.out.println("#port: port number");
+- System.out.println("port=1025");
++ System.out.println("port=8443");
+ System.out.println("");
+ System.out.println("#secure: true for secure connection, false for nonsecure connection");
+- System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
+ System.out.println("secure=false");
+ System.out.println("");
+ System.out.println("#input: full path for the enrollment request, the content must be in binary format");
+- System.out.println("input=/u/doc/cmcReqCRMFBin");
++ System.out.println("input=~/cmcReqCRMFBin");
+ System.out.println("");
+ System.out.println("#output: full path for the response in binary format");
+- System.out.println("output=/u/doc/cmcResp");
++ System.out.println("#output could be parsed by running CMCResponse");
++ System.out.println("output=~/cmcResp");
+ System.out.println("");
+- System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
++ System.out.println("#dbdir: directory for NSS certificate/key databases");
+ System.out.println("#This parameter will be ignored if secure=false");
+- System.out.println("tokenname=hsmname");
++ System.out.println("dbdir=/.dogtag/nssdb");
+ System.out.println("");
+- System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
++ System.out.println("#password: password for NSS database");
++ System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
++ System.out.println("password=");
++ System.out.println("");
++ System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
+ System.out.println("#This parameter will be ignored if secure=false");
+- System.out.println("dbdir=/u/smith/.netscape");
++ System.out.println("tokenname=internal");
+ System.out.println("");
+ System.out.println("#clientmode: true for client authentication, false for no client authentication");
+ System.out.println("#This parameter will be ignored if secure=false");
+ System.out.println("clientmode=false");
+ System.out.println("");
+- System.out.println("#password: password for cert8.db");
+- System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
+- System.out.println("password=");
+- System.out.println("");
+ System.out.println("#nickname: nickname for client certificate");
+ System.out.println("#This parameter will be ignored if clientmode=false");
+ System.out.println("nickname=");
+ System.out.println("");
+ System.out.println("#servlet: target URL");
+- System.out.println("#This parameter may include query parameters");
++ System.out.println("#This parameter may include query parameters;");
++ System.out.println("# - reminder: profileId should be a profile that matches");
++ System.out.println("# the intended certificate; for certificates intended");
++ System.out.println("# for SSL (client or server), profiles should match");
++ System.out.println("# the key type (RSA or EC) of the keys generated for CSR;");
+ System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
+ System.out.println("");
+ System.exit(0);
+--
+1.8.3.1
+
+
+From 70b933bc570ec288037c2b5e853dbe8f9ab83571 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 2 Aug 2018 10:33:08 +0300
+Subject: [PATCH 6/9] ConfigurationUtil: support new format for
+ nsds5replicaLastInitStatus value
+
+pkispawn is reading the attribute nsds5replicaLastInitStatus in
+cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
+tree,cn=config in order to find the replication status. The new format
+(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
+succeeded" but pkispawn is expecting "0 Total update succeeded"
+
+389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629
+(cherry picked from commit 151ecf63106425cada104d141a81722570ba2b28)
+---
+ .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 7f5341a..d8b4965 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -2053,7 +2053,7 @@ public class ConfigurationUtils {
+ }
+
+ String status = replicationStatus(replicadn, masterConn, masterAgreementName);
+- if (!status.startsWith("0 ")) {
++ if (!(status.startsWith("Error (0) ") || status.startsWith("0 "))) {
+ CMS.debug("setupReplication: consumer initialization failed. " + status);
+ throw new IOException("consumer initialization failed. " + status);
+ }
+--
+1.8.3.1
+
+
+From 3ad4c2b779a4bb9f993e6886597812904353d2b0 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 2 Aug 2018 09:31:50 -0700
+Subject: [PATCH 7/9] Bug1608375 - CMC Revocations throws exception with same
+ reqIssuer & certissuer
+
+This patch resolves the possible encoding mismatch between the actual CA cert
+and the X500Name gleaned from the CMC revocation request.
+
+Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d
+(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248)
+---
+ .../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index a9a7ade..97971dd 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IExtendedPluginInfo;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ // to CMCOutputTemplate so that we can
+ // have a chance to capture user identification info
+ if (issuerANY != null) {
++ // get CA signing cert
++ ICertificateAuthority ca = null;
++ ca = (ICertificateAuthority) CMS.getSubsystem("ca");
++ X500Name caName = ca.getX500Name();
++
+ try {
+ byte[] issuerBytes = issuerANY.getEncoded();
+- X500Name issuerName = new X500Name(issuerBytes);
+- CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
++ X500Name reqIssuerName = new X500Name(issuerBytes);
++ String reqIssuerNameStr = reqIssuerName.getName();
++ CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr);
++ if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) {
++ // making sure it's identical, even in encoding
++ reqIssuerName = caName;
++ } else {
++ // not this CA; will be bumped off later;
++ // make a note in debug anyway
++ CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;");
++ }
+ // capture issuer principal to be checked against
+ // cert issuer principal later in CMCOutputTemplate
+- auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
++ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName);
+ } catch (Exception e) {
+ CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
+ }
+--
+1.8.3.1
+
+
+From a1130e298048b106fb6febcfe9f88fea0d733e6a Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 8 Aug 2018 18:41:52 -0700
+Subject: [PATCH 8/9] Ticket #3041 Enable all config audit events
+
+This patch enables the audit events concerning role actions (mostly config)
+by default.
+
+Two additional minor issues are also addressed:
+1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
+ (bugzilla #1610718)
+2. removing unrecommended signing algorithms
+
+fixes: https://pagure.io/dogtagpki/issue/3041
+Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
+(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099)
+---
+ base/ca/shared/conf/CS.cfg | 2 +-
+ base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +-
+ base/kra/shared/conf/CS.cfg | 2 +-
+ base/ocsp/shared/conf/CS.cfg | 2 +-
+ .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +-
+ .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +-
+ base/server/cmsbundle/src/LogMessages.properties | 2 +-
+ base/tks/shared/conf/CS.cfg | 2 +-
+ base/tps/shared/conf/CS.cfg | 2 +-
+ base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++----
+ 11 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index fcd85a2..6158d5a 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+ log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
+diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+index f12c7ed..0b7f6b7 100644
+--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyType=RSA
+ policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+index 0663b40..b65999e 100644
+--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=-
++policyset.userCertSet.3.constraint.params.keyType=EC
+ policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index f314234..878e5f8 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+ log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+ log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+ log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
+diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
+index dc993b0..b412e5e 100644
+--- a/base/ocsp/shared/conf/CS.cfg
++++ b/base/ocsp/shared/conf/CS.cfg
+@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+index a1a83a4..2dcf9c1 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
+ defConfig4
+ .putString(
+ "params.signingAlgsAllowed",
+- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
++ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
+index 710a461..9b1eacb 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
+@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile
+ defConfig4
+ .putString(
+ "params.signingAlgsAllowed",
+- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
++ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 7963f6f..d534506 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
+ # and to be approved by an agent
+ # Op must be "approve" or "disapprove"
+ #
+-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
++LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
+ #
+ # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
+ # - used for proof of possession during certificate enrollment processing
+diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
+index d1da996..e9bf03e 100644
+--- a/base/tks/shared/conf/CS.cfg
++++ b/base/tks/shared/conf/CS.cfg
+@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
+index c44bc75..3671100 100644
+--- a/base/tps/shared/conf/CS.cfg
++++ b/base/tps/shared/conf/CS.cfg
+@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
+diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
+index ae5975a..012575c 100644
+--- a/base/util/src/netscape/security/x509/AlgorithmId.java
++++ b/base/util/src/netscape/security/x509/AlgorithmId.java
+@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder {
+ * Supported signing algorithms for a RSA key.
+ */
+ public static final String[] RSA_SIGNING_ALGORITHMS = new String[]
+- { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" };
++ { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" };
+
+ public static final String[] EC_SIGNING_ALGORITHMS = new String[]
+- { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" };
++ { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
+
+ /**
+ * All supported signing algorithms.
+ */
+ public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
+ {
+- "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC",
+- "SHA256withEC", "SHA384withEC", "SHA512withEC" };
++ "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA",
++ "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
+
+ }
+--
+1.8.3.1
+
+
+From a7df5434dd8b32d549abff80173653350fd9a7c4 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 10 Aug 2018 14:04:14 -0700
+Subject: [PATCH 9/9] Ticket #2481 ECC keys not supported for signing audit
+ logs
+
+This patch addes support for ECC audit log signing key.
+All enrollment profiles for audit signing certificate are updated to allow that.
+
+fixes https://pagure.io/dogtagpki/issue/2481
+
+Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f
+(cherry picked from commit 435ede04d525d8816345271a887753a620795d56)
+---
+ base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++----
+ base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++---
+ base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++-----
+ 5 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+index ff4856c..642e67b 100644
+--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720
+ policyset.auditSigningCertSet.2.default.params.startTime=0
+ policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
+-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.auditSigningCertSet.3.constraint.params.keyType=-
++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.auditSigningCertSet.3.default.name=Key Default
+ policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+index b850f1c..4acaab7 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+@@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
+ policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+ policyset.auditSigningCertSet.3.constraint.params.keyType=-
+-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.auditSigningCertSet.3.default.name=Key Default
+ policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.auditSigningCertSet.9.constraint.name=No Constraint
+-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.auditSigningCertSet.9.default.name=Signing Alg
+ policyset.auditSigningCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
+index 6fdb8b5..c568572 100644
+--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
++++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
+@@ -3,7 +3,7 @@ visible=true
+ enable=true
+ enableBy=admin
+ auth.class_id=
+-name=Manual Log Signing Certificate Enrollment
++name=Manual Audit Log Signing Certificate Enrollment
+ input.list=i1,i2
+ input.i1.class_id=certReqInputImpl
+ input.i2.class_id=submitterInfoInputImpl
+@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720
+ policyset.caLogSigningSet.2.default.params.startTime=0
+ policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
+ policyset.caLogSigningSet.3.constraint.name=Key Constraint
+-policyset.caLogSigningSet.3.constraint.params.keyType=RSA
+-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.caLogSigningSet.3.constraint.params.keyType=-
++policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
+ policyset.caLogSigningSet.3.default.name=Key Default
+ policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
+@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul
+ policyset.caLogSigningSet.8.default.params.critical=false
+ policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caLogSigningSet.9.constraint.name=No Constraint
+-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caLogSigningSet.9.default.name=Signing Alg
+ policyset.caLogSigningSet.9.default.params.signingAlg=-
+diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+index 7693ba3..be9c0ed 100644
+--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
++++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+@@ -25,7 +25,6 @@ import java.io.FilenameFilter;
+ import java.io.IOException;
+ import java.security.PublicKey;
+ import java.security.Signature;
+-import java.security.interfaces.DSAPublicKey;
+ import java.security.interfaces.RSAPublicKey;
+ import java.util.List;
+ import java.util.StringTokenizer;
+@@ -34,6 +33,7 @@ import java.util.Vector;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+ import org.mozilla.jss.crypto.X509Certificate;
++import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+
+ import com.netscape.cmsutil.util.Utils;
+
+@@ -159,8 +159,8 @@ public class AuditVerify {
+ String sigAlgorithm = null;
+ if (pubk instanceof RSAPublicKey) {
+ sigAlgorithm = "SHA-256/RSA";
+- } else if (pubk instanceof DSAPublicKey) {
+- sigAlgorithm = "SHA-256/DSA";
++ } else if (pubk instanceof PK11ECPublicKey) {
++ sigAlgorithm = "SHA-256/EC";
+ } else {
+ throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+index 74a8ada..b04f70d 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+@@ -41,8 +41,6 @@ import java.security.PrivateKey;
+ import java.security.Provider;
+ import java.security.Signature;
+ import java.security.SignatureException;
+-import java.security.interfaces.DSAPrivateKey;
+-import java.security.interfaces.RSAPrivateKey;
+ import java.text.ParseException;
+ import java.text.SimpleDateFormat;
+ import java.util.Date;
+@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+ mSigningKey = cm.findPrivKeyByCert(cert);
+
+ String sigAlgorithm;
+- if (mSigningKey instanceof RSAPrivateKey) {
++ if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) {
+ sigAlgorithm = "SHA-256/RSA";
+- } else if (mSigningKey instanceof DSAPrivateKey) {
+- sigAlgorithm = "SHA-256/DSA";
++ } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
++ sigAlgorithm = "SHA-256/EC";
+ } else {
+ throw new NoSuchAlgorithmException("Unknown private key type");
+ }
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index f41db06..adf53aa 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -66,12 +66,12 @@
Name: pki-core
%if 0%{?rhel}
Version: 10.5.1
-%define redhat_release 14
+%define redhat_release 15
%define redhat_stage 0
#%define default_release %{redhat_release}.%{redhat_stage}
%define default_release %{redhat_release}
%else
-Version: 10.5.9
+Version: 10.5.12
%define fedora_release 1
%define fedora_stage 0
#%define default_release %{fedora_release}.%{fedora_stage}
@@ -220,6 +220,7 @@ Patch8: pki-core-10.5.1-batch-1.1.patch
Patch9: pki-core-10.5.1-batch-2.0.patch
Patch10: pki-core-10.5.1-batch-2.1.patch
Patch11: pki-core-10.5.1-batch-3.0.patch
+Patch12: pki-core-10.5.1-batch-4.0.patch
# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
#
@@ -832,6 +833,7 @@ This package is a part of the PKI Core used by the Certificate System.
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
%clean
%{__rm} -rf %{buildroot}
@@ -1370,6 +1372,31 @@ fi
%endif # %{with server}
%changelog
+* Mon Aug 13 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-15
+- ##########################################################################
+- # RHEL 7.5:
+- ##########################################################################
+- Bugzilla Bug #1600905 - pki console configurations that involves ldap
+ passwords leave the plain text password in signed audit logs
+ [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1611245 - Certificate generation happens with partial
+ attributes in CMCRequest file [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1611250 - Better understanding of
+ NSS_USE_DECODED_CKA_EC_POINT for ECC [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1612880 - CMC Revocations throws exception with
+ same reqIssuer & certissuer [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1614837 - ipa-replica-install --setup-kra broken on
+ DL0 with latest version [rhel-7.5.z] (abokovoy)
+- Bugzilla Bug #1614839 - CC: Enable all config audit events
+ [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1615266 - ECC keys not supported for signing audit
+ logs [rhel-7.5.z] (cfu)
+- ##########################################################################
+- # RHCS 9.3:
+- ##########################################################################
+- # Bugzilla Bug #1539933 - keyGen fails when only Identity
+ # certificate exists. [rhcs-9.3.z] (jmagne)
+
* Mon Jul 2 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-14
- Updated "jss" build and runtime requirements (mharmsen)
- Updated "tomcatjss" build and runtime requirements (mharmsen)