diff --git a/.gitignore b/.gitignore index e8a5f49..27f5af4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/pki-11.2.1.tar.gz +SOURCES/pki-11.3.0.tar.gz diff --git a/.pki-core.metadata b/.pki-core.metadata index 5922062..0ddb11a 100644 --- a/.pki-core.metadata +++ b/.pki-core.metadata @@ -1 +1 @@ -b38832fe7b4778f70a8622d203e754ff931c85c5 SOURCES/pki-11.2.1.tar.gz +b1c586a9698fa27521222d7c384e2181fddcda80 SOURCES/pki-11.3.0.tar.gz diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 6b7e05a..e11cc40 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -8,8 +8,8 @@ Name: pki-core # Upstream version number: %global major_version 11 -%global minor_version 2 -%global update_version 1 +%global minor_version 3 +%global update_version 0 # Downstream release number: # - development/stabilization (unsupported): 0. where n >= 1 @@ -20,7 +20,7 @@ Name: pki-core # - development (unsupported): alpha where n >= 1 # - stabilization (unsupported): beta where n >= 1 # - GA/update (supported): -%undefine phase +#global phase %undefine timestamp %undefine commit_id @@ -47,14 +47,17 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase} # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -# Java 17 and md2man are not available on i686 +%if 0%{?fedora} && 0%{?fedora} > 35 +ExclusiveArch: %{java_arches} +%else ExcludeArch: i686 +%endif ################################################################################ -# NSS +# PKCS #11 Kit Trust ################################################################################ -%global nss_default_db_type sql +%global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so ################################################################################ # Python @@ -66,9 +69,15 @@ ExcludeArch: i686 # Java ################################################################################ -%define java_devel java-17-openjdk-devel -%define java_headless java-17-openjdk-headless -%define java_home %{_jvmdir}/jre-17-openjdk +%global java_devel java-17-openjdk-devel +%global java_headless java-17-openjdk-headless +%global java_home %{_jvmdir}/jre-17-openjdk + +################################################################################ +# Application Server +################################################################################ + +%global app_server tomcat-9.0 ################################################################################ # PKI @@ -77,44 +86,26 @@ ExcludeArch: i686 # Execute unit tests unless --without test is specified. %bcond_without test -# Don't build console unless --with console is specified. -%bcond_with console - -# By default all packages will be built except the ones specified with -# --without option (exclusion method). +# Build the package unless --without is specified. -# If --with pkgs option is specified, only packages specified with -# --with will be built (inclusion method). +%bcond_without base +%bcond_without server +%bcond_without acme +%bcond_without ca +%bcond_without est +%bcond_without kra -%bcond_with pkgs +# Do not build the following packages for pki-core. -# Define package_option macro to wrap bcond_with or bcond_without macro -# depending on package selection method. - -%if %{with pkgs} -%define package_option() %bcond_with %1 -%else -%define package_option() %bcond_without %1 -%endif - -# Define --with or --without options depending on -# package selection method. - -%package_option base -%package_option server -%package_option acme -%package_option ca -%package_option kra - -# NOTE: Do not build the following packages for pki-core -# package_option ocsp -# package_option tks -# package_option tps -# package_option javadoc -# package_option theme -# package_option meta -# package_option tests -# package_option debug +%bcond_with console +%bcond_with ocsp +%bcond_with tks +%bcond_with tps +%bcond_with javadoc +%bcond_with theme +%bcond_with meta +%bcond_with tests +%bcond_with debug %if ! %{with debug} %define debug_package %{nil} @@ -163,7 +154,7 @@ BuildRequires: gcc-c++ BuildRequires: zip BuildRequires: %{java_devel} BuildRequires: javapackages-tools -BuildRequires: redhat-rpm-config + BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io @@ -196,9 +187,9 @@ BuildRequires: python3-six BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 5.2.0 -BuildRequires: tomcatjss >= 8.2.0 -BuildRequires: ldapjdk >= 5.2.0 +BuildRequires: jss = 5.3 +BuildRequires: tomcatjss = 8.3 +BuildRequires: ldapjdk = 5.3 BuildRequires: systemd-units @@ -214,7 +205,6 @@ BuildRequires: apr-devel BuildRequires: apr-util-devel BuildRequires: cyrus-sasl-devel BuildRequires: httpd-devel >= 2.4.2 -BuildRequires: pcre-devel BuildRequires: systemd BuildRequires: zlib BuildRequires: zlib-devel @@ -261,7 +251,7 @@ Summary: %{product_name} Package %endif Obsoletes: pki-symkey < %{version} -Obsoletes: %{product_id}-pki-symkey < %{version} +Obsoletes: %{product_id}-symkey < %{version} Obsoletes: pki-console < %{version} Obsoletes: pki-console-theme < %{version} Obsoletes: idm-console-framework < 2.0 @@ -274,6 +264,7 @@ Requires: %{product_id}-theme = %{version}-%{release} # of ALL PKI core packages Requires: %{product_id}-acme = %{version}-%{release} Requires: %{product_id}-ca = %{version}-%{release} +Requires: %{product_id}-est = %{version}-%{release} Requires: %{product_id}-kra = %{version}-%{release} Requires: %{product_id}-ocsp = %{version}-%{release} Requires: %{product_id}-tks = %{version}-%{release} @@ -382,8 +373,8 @@ Requires: apache-commons-net Requires: slf4j Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 5.2.0 -Requires: ldapjdk >= 5.2.0 +Requires: jss = 5.3 +Requires: ldapjdk = 5.3 Requires: %{product_id}-base = %{version}-%{release} Requires: resteasy-client >= 3.0.17-1 Requires: resteasy-core >= 3.0.17-1 @@ -459,7 +450,7 @@ Requires: systemd Requires(post): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss >= 8.2.0 +Requires: tomcatjss = 8.3 # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -535,6 +526,26 @@ where it obtains its own signing certificate from a public CA. # with ca %endif +%if %{with est} +################################################################################ +%package -n %{product_id}-est +################################################################################ + +Summary: %{product_name} EST Package +BuildArch: noarch + +Obsoletes: pki-est < %{version}-%{release} +Provides: pki-est = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} + +%description -n %{product_id}-est +%{product_name} EST subsystem provides an Enrollment over +Secure Transport (RFC 7030) service. + +# with est +%endif + %if %{with kra} ################################################################################ %package -n %{product_id}-kra @@ -804,65 +815,58 @@ This package provides test suite for %{product_name}. %build ################################################################################ -# assume tomcat app_server -app_server=tomcat-9.0 - -%cmake \ - --no-warn-unused-cli \ - -DPRODUCT_NAME="%{product_name}" \ - -DVERSION=%{version}-%{release} \ - -DVAR_INSTALL_DIR:PATH=/var \ - -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ - -DJAVA_HOME=%{java_home} \ - -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ - -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ - -DAPP_SERVER=$app_server \ - -DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \ - -DPYTHON_EXECUTABLE=%{python_executable} \ - -DWITH_SERVER:BOOL=%{?with_server:ON}%{!?with_server:OFF} \ - -DWITH_CA:BOOL=%{?with_ca:ON}%{!?with_ca:OFF} \ - -DWITH_KRA:BOOL=%{?with_kra:ON}%{!?with_kra:OFF} \ - -DWITH_OCSP:BOOL=%{?with_ocsp:ON}%{!?with_ocsp:OFF} \ - -DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \ - -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \ - -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \ - -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ - -DWITH_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ - -DWITH_TESTS:BOOL=%{?with_tests:ON}%{!?with_tests:OFF} \ - -DWITH_META:BOOL=%{?with_meta:ON}%{!?with_meta:OFF} \ - -DTHEME=%{?with_theme:%{theme}} \ - -DRUN_TESTS:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ - -B %{_vpath_builddir} - -cd %{_vpath_builddir} - -# Do not use _smp_mflags to preserve build order -%{__make} \ - VERBOSE=%{?_verbose} \ - CMAKE_NO_VERBOSE=1 \ - DESTDIR=%{buildroot} \ - INSTALL="install -p" \ - --no-print-directory \ - all +# Set build flags for CMake +# (see /usr/lib/rpm/macros.d/macros.cmake) +%set_build_flags + +pkgs=base\ +%{?with_server:,server}\ +%{?with_ca:,ca}\ +%{?with_est:,est}\ +%{?with_kra:,kra}\ +%{?with_ocsp:,ocsp}\ +%{?with_tks:,tks}\ +%{?with_tps:,tps}\ +%{?with_acme:,acme}\ +%{?with_javadoc:,javadoc}\ +%{?with_theme:,theme}\ +%{?with_meta:,meta}\ +%{?with_tests:,tests}\ +%{?with_debug:,debug} + +./build.sh \ + %{?_verbose:-v} \ + --product-name="%{product_name}" \ + --product-id=%{product_id} \ +%if %{with theme} + --theme=%{theme} \ +%endif + --work-dir=%{_vpath_builddir} \ + --prefix-dir=%{_prefix} \ + --include-dir=%{_includedir} \ + --lib-dir=%{_libdir} \ + --sysconf-dir=%{_sysconfdir} \ + --share-dir=%{_datadir} \ + --cmake=%{__cmake} \ + --java-home=%{java_home} \ + --jni-dir=%{_jnidir} \ + --unit-dir=%{_unitdir} \ + --python=%{python_executable} \ + --with-pkgs=$pkgs \ + %{?with_console:--with-console} \ + %{!?with_test:--without-test} \ + dist ################################################################################ %install ################################################################################ -cd %{_vpath_builddir} - -%{__make} \ - VERBOSE=%{?_verbose} \ - CMAKE_NO_VERBOSE=1 \ - DESTDIR=%{buildroot} \ - INSTALL="install -p" \ - --no-print-directory \ +./build.sh \ + %{?_verbose:-v} \ + --work-dir=%{_vpath_builddir} \ + --install-dir=%{buildroot} \ install -%if %{with tests} -ctest --output-on-failure -%endif - %if %{with server} %pre -n %{product_id}-server @@ -968,7 +972,6 @@ fi %{_datadir}/pki/examples/java/ %{_datadir}/pki/lib/*.jar %dir %{_javadir}/pki -%{_javadir}/pki/pki-cmsutil.jar %{_javadir}/pki/pki-certsrv.jar ################################################################################ @@ -1091,7 +1094,6 @@ fi %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target %{_javadir}/pki/pki-cms.jar -%{_javadir}/pki/pki-cmsbundle.jar %{_javadir}/pki/pki-tomcat.jar %dir %{_sharedstatedir}/pki %{_mandir}/man1/pkidaemon.1.gz @@ -1103,6 +1105,7 @@ fi %{_mandir}/man8/pkispawn.8.gz %{_mandir}/man8/pki-server.8.gz %{_mandir}/man8/pki-server-acme.8.gz +%{_mandir}/man8/pki-server-est.8.gz %{_mandir}/man8/pki-server-instance.8.gz %{_mandir}/man8/pki-server-subsystem.8.gz %{_mandir}/man8/pki-server-nuxwdog.8.gz @@ -1143,6 +1146,17 @@ fi # with ca %endif +%if %{with est} +################################################################################ +%files -n %{product_id}-est +################################################################################ + +%{_javadir}/pki/pki-est.jar +%{_datadir}/pki/est/ + +# with est +%endif + %if %{with kra} ################################################################################ %files -n %{product_id}-kra @@ -1260,6 +1274,19 @@ fi ################################################################################ %changelog +* Mon Jan 30 2023 Red Hat PKI Team - 11.3.0-1 +- Rebase to PKI 11.3.0 +- Bug #2091993 - IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied +- Bug #2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled + +* Wed Nov 30 2022 Red Hat PKI Team - 11.3.0-0.2.beta1 +- Rebase to PKI 11.3.0-beta1 +- Bug #1849834 - [RFE] Provide EST Responder (RFC 7030) +- Bug #1883477 - [RFE] Automatic expired certificate purging +- Bug #2091999 - Error displayed should be user friendly in case RSNv3 certificate serial number collision +- Bug #2106452 - softhsm2: Unable to create cert: Private key not found +- Bug #2106459 - CVE-2022-2393 pki-core: Improper authentication/authorization with caServerKeygen_DirUserCert profile + * Thu Aug 04 2022 Red Hat PKI Team - 11.2.1-1 - Rebase to PKI 11.2.1 - Bug #2107336 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE [rhel-9.1.0]