diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-23.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-23.patch
new file mode 100644
index 0000000..a1d6cdc
--- /dev/null
+++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-23.patch
@@ -0,0 +1,224 @@ +From 1e6afa85e7d129c09bd922108201a2b12aec34b2 Mon Sep 17 00:00:00 2001 +From: Chris Kelley +Date: Fri, 17 Mar 2023 11:21:01 +0000 +Subject: [PATCH 1/4] Fix token filtering in TPS UI + +Only the filter created from input in the search bar was being +used to compose the ldapsearch query. The attributes were passed +across from the client and into the processing method but were not +then passed on to the database. + +Resolves #2179305 + +(cherry picked from commit a4d8c4bde3c76b169745b495aa5f9f037727bbc9) +--- + base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +index 5256a66..68b49c2 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +@@ -25,7 +25,6 @@ import java.util.ArrayList; + import java.util.Collection; + import java.util.Date; + import java.util.HashMap; +-import java.util.Iterator; + import java.util.List; + import java.util.Map; + import java.util.MissingResourceException; +@@ -39,9 +38,7 @@ import org.dogtagpki.server.tps.dbs.ActivityDatabase; + import org.dogtagpki.server.tps.dbs.TokenDatabase; + import org.dogtagpki.server.tps.dbs.TokenRecord; + import org.dogtagpki.server.tps.engine.TPSEngine; +-import org.jboss.resteasy.plugins.providers.atom.Link; + +-import com.netscape.cms.realm.PKIPrincipal; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.IConfigStore; +@@ -57,8 +54,8 @@ import com.netscape.certsrv.tps.token.TokenData.TokenStatusData; + import com.netscape.certsrv.tps.token.TokenResource; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.certsrv.user.UserResource; +-import com.netscape.certsrv.usrgrp.IUGSubsystem; + import 
com.netscape.certsrv.usrgrp.IUser; ++import com.netscape.cms.realm.PKIPrincipal; + import com.netscape.cms.servlet.base.SubsystemService; + + import netscape.ldap.LDAPException; +@@ -411,7 +408,7 @@ public class TokenService extends SubsystemService implements TokenResource { + + String method = "TokenService.retrieveTokensWithoutVLV: "; + +- List tokens = (List) database.findRecords(filter); ++ List tokens = (List) database.findRecords(filter, attributes); + int total = tokens.size(); + CMS.debug(method + "total: " + total); + +-- +1.8.3.1 + + +From 1ad110d0c3a5d4fe452353bdc33b04d23f869584 Mon Sep 17 00:00:00 2001 +From: Chris Kelley +Date: Fri, 17 Mar 2023 11:24:32 +0000 +Subject: [PATCH 2/4] Fix token filtering in TPS UI + +Only the filter created from input in the search bar was being +used to compose the ldapsearch query. The attributes were passed +across from the client and into the processing method but were not +then passed on to the database. + +Resolves #2179305 + +(cherry picked from commit a6a412ed3a0f6b42656814c798151a0572c80c91) +--- + base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +index 68b49c2..e21953f 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java ++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +@@ -25,6 +25,7 @@ import java.util.ArrayList; + import java.util.Collection; + import java.util.Date; + import java.util.HashMap; ++import java.util.Iterator; + import java.util.List; + import java.util.Map; + import java.util.MissingResourceException; +@@ -38,7 +39,9 @@ import org.dogtagpki.server.tps.dbs.ActivityDatabase; + import org.dogtagpki.server.tps.dbs.TokenDatabase; + import org.dogtagpki.server.tps.dbs.TokenRecord; + import org.dogtagpki.server.tps.engine.TPSEngine; ++import 
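Review bot: `attributes` comes from the client (per the commit message) and now reaches the LDAP search through `database.findRecords(filter, attributes)` in `retrieveTokensWithoutVLV`, so attribute names and values both become part of the query. `findRecords` is not visible in this patch; confirm that it escapes values for LDAP filter syntax and accepts attribute names only from a fixed set, otherwise a crafted filter field could widen the search beyond what the UI intends. A short comment above the call would record that expectation, e.g. `// attributes are client-supplied; findRecords must escape values and reject unknown attribute names`. The method body starts and ends outside the hunk.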
org.jboss.resteasy.plugins.providers.atom.Link; + ++import com.netscape.cms.realm.PKIPrincipal; + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.BadRequestException; + import com.netscape.certsrv.base.IConfigStore; +@@ -54,8 +57,8 @@ import com.netscape.certsrv.tps.token.TokenData.TokenStatusData; + import com.netscape.certsrv.tps.token.TokenResource; + import com.netscape.certsrv.tps.token.TokenStatus; + import com.netscape.certsrv.user.UserResource; ++import com.netscape.certsrv.usrgrp.IUGSubsystem; + import com.netscape.certsrv.usrgrp.IUser; +-import com.netscape.cms.realm.PKIPrincipal; + import com.netscape.cms.servlet.base.SubsystemService; + + import netscape.ldap.LDAPException; +-- +1.8.3.1 + + +From e1f0f4d62d2de51a7c655f56896be07aca0c4c8d Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 24 Jan 2023 17:47:01 -0800 +Subject: [PATCH 3/4] Bug2092522_StatusChange per config for revokeCert and + revokeExpiredCert + +This patch fixes "part 1" and "part 3" of Bug 2092522 where it is reported that + 1. if op.enroll.xxx.revokeCert=false, an error message is received at attempt to change token status. e.g. +"certificate revocation (serial 0x100024e) not enabled for tokenType: KeyGR, keyType: encryption, state: terminated" + 2. It also should addresses the request in comment#6 regarding expired cert. + For that to work, one needs to enable: +"op.enroll." + tokenType + ".keyGen." + keyType + ".recovery." 
+ tokenReason + ".revokeExpiredCerts" + +fixes part 1&3 of https://bugzilla.redhat.com/show_bug.cgi?id=2092522 + +(cherry picked from commit 5560fe03f02a113583ba6b7f93e191d602b75876) +--- + base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +index 147f346..c57a6f4 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java ++++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +@@ -671,9 +671,14 @@ public class TPSTokendb { + tdbActivity(ActivityDatabase.OP_CERT_REVOCATION, tokenRecord, + ipAddress, logMsg, "success", remoteUser); + +- } catch (Exception e) { ++ } catch (TPSException e) { + logMsg = "certificate not revoked: " + cert.getSerialNumber() + ": " + e; + CMS.debug(method + ": " + logMsg); ++ if (e.getStatus() == TPSStatus.STATUS_NO_ERROR) { ++ tdbActivity(ActivityDatabase.OP_TOKEN_MODIFY, tokenRecord, ++ ipAddress, e.getMessage(), "success", remoteUser); ++ return; ++ } + + tdbActivity(ActivityDatabase.OP_CERT_REVOCATION, tokenRecord, + ipAddress, e.getMessage(), "failure", remoteUser); +@@ -787,7 +792,8 @@ public class TPSTokendb { + "certificate revocation (serial " + cert.getSerialNumber() + + ") not enabled for tokenType: " + tokenType + + ", keyType: " + keyType + +- ", state: " + tokenReason); ++ ", state: " + tokenReason, ++ TPSStatus.STATUS_NO_ERROR); + } + + // check if expired certificates should be revoked. 
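Review bot: Narrowing the handler to `catch (TPSException e)` means any other exception raised inside the try block no longer reaches the `tdbActivity(ActivityDatabase.OP_CERT_REVOCATION, ..., "failure", remoteUser)` record, so a failed revocation could leave no activity entry. The try body starts outside the hunk, so whether this can happen depends on what it throws; if non-TPS failures are possible, keep a trailing `catch (Exception e)` that logs and records the failure as before. Separately, the new `STATUS_NO_ERROR` branch records a skipped revocation as `OP_TOKEN_MODIFY` with result "success" and only the exception text, which makes it hard for someone reading the activity log to see that a certificate on this token was deliberately left unrevoked. Consider keeping the operation as `ActivityDatabase.OP_CERT_REVOCATION` and prefixing the message, e.g. `"revocation skipped by configuration: " + e.getMessage()`.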
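Review bot: The `TPSStatus.STATUS_NO_ERROR` argument added to this `throw new TPSException(...)` turns the exception into a "skipped, not failed" signal, but nothing at the throw site says so. The same pattern repeats in the expired and not-yet-valid throws of the following hunk and in the `holdRevocationUntilLastCredential` throw of PATCH 4/4. Any other code that catches `TPSException` from this check without testing `getStatus()` will still treat these cases as errors, so it is worth confirming that the catch changed in the -671 hunk is the only consumer. I would add a comment at each site such as `// STATUS_NO_ERROR: revocation is disabled by configuration; the caller logs this and lets the status change proceed`. The enclosing method starts and ends outside the hunk.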
+@@ -801,11 +807,11 @@ public class TPSTokendb { + Date now = new Date(); + if (now.after(notAfter)) { + throw new TPSException( +- "revocation not enabled for expired cert: " + cert.getSerialNumber()); ++ "revocation not enabled for expired cert: " + cert.getSerialNumber(), TPSStatus.STATUS_NO_ERROR); + } + if (now.before(notBefore)) { + throw new TPSException( +- "revocation not enabled for cert that is not yet valid: " + cert.getSerialNumber()); ++ "revocation not enabled for cert that is not yet valid: " + cert.getSerialNumber(), TPSStatus.STATUS_NO_ERROR); + } + } + +-- +1.8.3.1 + + +From 2e8d3dfa75370d1e8d64da458ebd1dde6b370204 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 20 Mar 2023 16:13:42 -0700 +Subject: [PATCH 4/4] + Bug2176233_part2_StatusChange_holdRevocationUntilLastCredential + +This patch requires the previous commit that addresses part 1&3 of the + bug. This previous commit for bug 2092522 must be applied first. + + This patch addresses "part 2" of the original Bug 2092522 + ("part 2" has been cloned to bug 2176233). + The issue reported regards holdRevocationUntilLastCredential + when if set, and if there are shared tokens existing, an error + Exception is thrown. 
+ + fixes part 2 of https://bugzilla.redhat.com/show_bug.cgi?id=2176233 + +(cherry picked from commit f3e34a63b7d016920c1aa9792fdbc42d3b9a9b14) +--- + base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +index c57a6f4..e27512a 100644 +--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java ++++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +@@ -824,8 +824,9 @@ public class TPSTokendb { + if (!isLastActiveSharedCert(cert.getSerialNumber(), cert.getIssuedBy(), tokenRecord.getId())) { + msg = "revocation not permitted as certificate " + cert.getSerialNumber() + + " is shared by another active token"; +- CMS.debug(method + " holdRevocation true; " + msg); +- throw new TPSException(msg); ++ CMS.debug(method + " holdRevocationUntilLastCredential true; " + msg); ++ throw new TPSException(msg, ++ TPSStatus.STATUS_NO_ERROR); + } + } + CMS.debug(method + "revocation allowed."); +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index d1f47c3..f78ddfa 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -65,13 +65,13 @@ Name: pki-core %if 0%{?rhel} Version: 10.5.18 -%define redhat_release 25 +%define redhat_release 27 %define redhat_stage 0 #%define default_release %{redhat_release}.%{redhat_stage} %define default_release %{redhat_release} %else Version: 10.5.18 -%define fedora_release 25 +%define fedora_release 27 %define fedora_stage 0 #%define default_release %{fedora_release}.%{fedora_stage} %define default_release %{fedora_release} 
@@ -229,6 +229,8 @@ Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch Patch22: pki-core-rhel-7-9-rhcs-9-7-bu-19.patch Patch23: pki-core-rhel-7-9-rhcs-9-7-bu-21.patch +#Patch24: pki-core-rhel-7-9-rhcs-9-7-bu-22.patch +Patch25: pki-core-rhel-7-9-rhcs-9-7-bu-23.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -852,6 +854,8 @@ This package is a part of the PKI Core used by the Certificate System. %patch21 -p1 %patch22 -p1 %patch23 -p1 +#%patch24 -p1 +%patch25 -p1 %clean %{__rm} -rf %{buildroot} 
@@ -1388,6 +1392,34 @@ fi %endif # %{with server} %changelog +* Mon May 1 2023 Dogtag Team 10.5.18-27 +- ########################################################################## +- # RHEL 7.9 (Batch Update 23): +- ########################################################################## +- ########################################################################## +- # RHCS 9.7 (Batch Update 23): +- ########################################################################## +- Bugzilla Bug #2179305 - Unable to use the TPS UI "Token Filter" to filter + a list of tokens [RHCS 9.7] (ckelley) +- Bugzilla Bug #2092522 - TPS Not allowing Token Status Change based on + Revoke True/False and Hold till last True/False [RHCS 9.7.z] (cfu) +- Bugzilla Bug #2176233 - TPS Not allowing Token Status Change based on + Revoke True/False and Hold till last True/False (part 2) [RHCS 9.7.z] (cfu) + +* Fri Mar 24 2023 Dogtag Team 10.5.18-26 +- ########################################################################## +- # RHEL 7.9 (Batch Update 22): +- ########################################################################## +- ########################################################################## +- # RHCS 9.7 (Batch Update 22): +- ########################################################################## +- Bugzilla Bug #2179305 - Unable to use the TPS UI "Token Filter" to filter + a list of tokens [RHCS 9.7] (ckelley) +- Bugzilla Bug #2092522 - TPS Not allowing Token Status Change based on + Revoke True/False and Hold till last True/False [RHCS 9.7.z] (cfu) +- Bugzilla Bug #2176233 - TPS Not allowing Token Status Change based on + Revoke True/False and Hold till last True/False (part 2) [RHCS 9.7.z] (cfu) + * Fri Feb 10 2023 Dogtag Team 10.5.18-25 - ########################################################################## - # RHEL 7.9 (Batch Update 21):