diff --git a/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch b/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
new file mode 100644
index 0000000..d274eb5
--- /dev/null
+++ b/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
@@ -0,0 +1,100 @@
+From 833c060b26756a17d0b85a19846888d71e4bdd5d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Wed, 24 Jul 2019 17:46:30 -0500
+Subject: [PATCH] Fixed missing SAN extension for CA clone
+
+The CertUtil.buildSANSSLserverURLExtension() has been modified
+to include SAN parameters in the request to generate the SSL
+server certificate for CA clone.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1732637
+---
+ .../src/com/netscape/cms/servlet/csadmin/CertUtil.java | 16 +++++++---------
+ .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 16 ++++++++--------
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+index 12d4ac1..e77be32 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+@@ -228,34 +228,32 @@ public class CertUtil {
+ // embed a certificate extension into
+ // a PKCS #10 certificate request.
+ //
+- public static String buildSANSSLserverURLExtension(IConfigStore config)
++ public static void buildSANSSLserverURLExtension(IConfigStore config, MultivaluedMap content)
+ throws Exception {
+- String url = "";
+- String entries = "";
+
+ CMS.debug("CertUtil: buildSANSSLserverURLExtension() " +
+ "building SAN SSL Server Certificate URL extension . . .");
+- int i = 0;
++
+ if (config == null) {
+ throw new EBaseException("injectSANextensionIntoRequest: parameter config cannot be null");
+ }
++
+ String sanHostnames = config.getString("service.sslserver.san");
+ String sans[] = StringUtils.split(sanHostnames, ",");
++
++ int i = 0;
+ for (String san : sans) {
+ CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " +
+ "SAN hostname: " + san);
+ // Add the DNSName for all SANs
+- entries = entries +
+- "&req_san_pattern_" + i + "=" + san;
++ content.putSingle("req_san_pattern_" + i, san);
+ i++;
+ }
+
+- url = "&req_san_entries=" + i + entries;
++ content.putSingle("req_san_entries", "" + i);
+
+ CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " +
+ i + " SAN entries into SSL Server Certificate URL.");
+-
+- return url;
+ }
+
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index cc65c78..5395b06 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -2685,16 +2685,9 @@ public class ConfigurationUtils {
+ } catch (Exception ee) {
+ }
+
+- String sslserver_extension = "";
+- Boolean injectSAN = config.getBoolean("service.injectSAN", false);
+- CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
+-
+- if (certTag.equals("sslserver") && injectSAN == true) {
+- sslserver_extension = CertUtil.buildSANSSLserverURLExtension(config);
+- }
+-
+ MultivaluedMap content = new MultivaluedHashMap();
+ content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
++
+ //Get the correct profile id to send in case it's sslserver type:
+ CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId);
+ String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
+@@ -2706,6 +2699,13 @@ public class ConfigurationUtils {
+ content.putSingle("xmlOutput", "true");
+ content.putSingle("sessionID", session_id);
+
++ Boolean injectSAN = config.getBoolean("service.injectSAN", false);
++ CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
++
++ if (certTag.equals("sslserver") && injectSAN) {
++ CertUtil.buildSANSSLserverURLExtension(config, content);
++ }
++
+ cert = CertUtil.createRemoteCert(ca_hostname, ca_port, content, response);
+
+ if (cert == null) {
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch b/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
new file mode 100644
index 0000000..24280bf
--- /dev/null
+++ b/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
@@ -0,0 +1,65 @@
+From b5655c1f309893919435766e0e17f8d811680abb Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Fri, 6 Sep 2019 16:49:00 -0400
+Subject: [PATCH] Bug 1523330 - CC: missing audit event for CS acting as TLS
+ client
+
+This patch adds failed CLIENT_ACCESS_SESSION_ESTABLISH audit event for the case
+when internal ldap server goes down
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523330
+
+(cherry picked from commit 10d52dd0d6b562edc9e32c543017c67c1c0212a8)
+---
+ .../netscape/cmscore/ldapconn/PKISocketFactory.java | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+index e9f28c9..e992016 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+@@ -31,6 +31,9 @@ import org.mozilla.jss.ssl.SSLSocket;
+
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
++import com.netscape.certsrv.logging.SignedAuditEvent;
++import com.netscape.cms.logging.SignedAuditLogger;
+
+ import netscape.ldap.LDAPException;
+ import netscape.ldap.LDAPSSLSocketFactoryExt;
+@@ -44,6 +47,8 @@ import org.dogtagpki.server.PKIClientSocketListener;
+ */
+ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
+
++ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
++
+ private boolean secure;
+ private String mClientAuthCertNickname;
+ private boolean mClientAuth;
+@@ -140,6 +145,22 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
+ s.setKeepAlive(keepAlive);
+
+ } catch (Exception e) {
++ // for auditing
++ String localIP = "localhost";
++ try {
++ localIP = InetAddress.getLocalHost().getHostAddress();
++ } catch (UnknownHostException e2) {
++ // default to "localhost";
++ }
++ SignedAuditEvent auditEvent;
++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
++ localIP,
++ host,
++ Integer.toString(port),
++ "SYSTEM",
++ "connect:" +e.toString());
++ signedAuditLogger.log(auditEvent);
++
+ CMS.debug(e);
+ if (s != null) {
+ try {
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 5151a22..23f7248 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,22 +65,24 @@ Name: pki-core
 %if 0%{?rhel}
 Version: 10.5.16
-%define redhat_release 3
+%define redhat_release 5
 %define redhat_stage 0
 #%define default_release %{redhat_release}.%{redhat_stage}
 %define default_release %{redhat_release}
 %else
 Version: 10.5.16
-%define fedora_release 4
+%define fedora_release 5
 %define fedora_stage 0
 #%define default_release %{fedora_release}.%{fedora_stage}
 %define default_release %{fedora_release}
 %endif
 %if 0%{?use_pki_release}
-Release: %{pki_release}%{?dist}
+#Release: %{pki_release}%{?dist}
+Release: %{pki_release}.el7_7
 %else
-Release: %{default_release}%{?dist}
+#Release: %{default_release}%{?dist}
+Release: %{default_release}.el7_7
 %endif
 Summary: Certificate System - PKI Core Components
@@ -208,6 +210,8 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
 Patch0: pki-core-Add-Subject-Key-ID-to-CSR.patch
 Patch1: pki-core-PKI-startup-init-LDAP-operation-attr-independence.patch
+Patch2: pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
+Patch3: pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -803,6 +807,8 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %clean
 %{__rm} -rf %{buildroot}
@@ -1339,6 +1345,30 @@ fi
 %endif # %{with server}
 %changelog
+* Mon Sep 9 2019 Dogtag Team 10.5.16-5
+- ##########################################################################
+- # RHEL 7.7:
+- ##########################################################################
+- Bugzilla Bug #1750277 - CC: missing audit event for CS acting as TLS client
+ [rhel-7.7.z] (cfu)
+- ##########################################################################
+- # RHCS 9.5:
+- ##########################################################################
+- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+ # pki-console to 10.5.16 in RHCS 9.5
+
+* Mon Aug 19 2019 Dogtag Team 10.5.16-4
+- ##########################################################################
+- # RHEL 7.7:
+- ##########################################################################
+- Bugzilla Bug #1743122 - RHCS-9 CA clone SSL server cert not issued with its
+ custom SAN extension, RHEL-7.6 and HSM [rhel-7.7.z] (edewata)
+- ##########################################################################
+- # RHCS 9.5:
+- ##########################################################################
+- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+ # pki-console to 10.5.16 in RHCS 9.5
+
 * Thu Jun 20 2019 Dogtag Team 10.5.16-3
 - ##########################################################################
 - # RHEL 7.7:
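Review bot: The loop in buildSANSSLserverURLExtension() forwards each comma-separated token of `service.sslserver.san` to the CA untouched, so a value written as `ca1.example.com, ca2.example.com` sends ` ca2.example.com` (leading space) as `req_san_pattern_1`, and that string ends up as a dNSName in the clone's SSL server certificate — the CA side has no way to tell a stray space from an intended value, and a SAN that does not match the clone's hostname is exactly the failure this patch is meant to fix. If `StringUtils` here is commons-lang, `split` already drops empty tokens but keeps whitespace, so normalising inside the loop with `san = san.trim(); if (san.isEmpty()) continue;` ahead of the `putSingle` keeps `req_san_entries` consistent with what was actually sent (`i` is only incremented after the put, so skipped tokens must not be counted). The trailing debug message still says the entries were "placed … into SSL Server Certificate URL" although they now go into the request map; updating it to "into SSL Server Certificate request" avoids misleading anyone tracing clone setup. `content` is a raw `MultivaluedMap`; `MultivaluedMap<String, String>` would match the String arguments `putSingle` receives. The two hunks in ConfigurationUtils.java sit inside configRemoteCert(), whose body starts and ends outside the hunk.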
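Review bot: `InetAddress.getLocalHost().getHostAddress()` is a name-resolution call made inside the connection-failure path, and it reports the host's configured address, not the address the failed socket was bound to; the `if (s != null)` check immediately below shows the socket may already exist at this point, so `s.getLocalAddress().getHostAddress()` is the accurate ClientHost for the audit record when `s` is non-null, with the `getLocalHost()` lookup as fallback only — a reverse-DNS stall here would delay every failed LDAP connect attempt. The hunk adds no import for `InetAddress` or `UnknownHostException`; if `java.net.*` is not already imported above the visible `@@ -31` hunk the file will not compile, so please confirm. `signedAuditLogger` is never reassigned and should be `private static final`, and the comment `// default to "localhost";` would read better as `// no resolvable local address; "localhost" is the documented fallback value`. The enclosing method begins before and ends after the hunk.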