diff --git a/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch b/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch new file mode 100644 index 0000000..f4efa8e --- /dev/null +++ b/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch @@ -0,0 +1,34 @@ +From 1834a25a1982e2c2c49fde5998efdc7d10d3a29b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 6 Oct 2016 22:08:15 +0200 +Subject: [PATCH] Fixed ConfigurationUtils.importCertChain(). + +The ConfigurationUtils.importCertChain() has been modified to +ignore UNKNOWN_ISSUER error when connecting to a server that +does not have the complete certificate chain. + +https://fedorahosted.org/pki/ticket/2497 +(cherry picked from commit 343a756bb93abf057f2999858ba9e170fa84f143) +(cherry picked from commit 6e0e2afbbeb1bb7acdf402edf5ca426bfc01a433) +--- + .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 34500d0..ecf8157 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -261,8 +261,9 @@ public class ConfigurationUtils { + + IConfigStore cs = CMS.getConfigStore(); + ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback(); +- // Ignore untrusted issuer to get cert chain. ++ // Ignore untrusted/unknown issuer to get cert chain. + certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER); ++ certApprovalCallback.ignoreError(ValidityStatus.UNKNOWN_ISSUER); + String c = get(host, port, true, serverPath, null, certApprovalCallback); + + if (c != null) { +-- +1.8.3.1 + 
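Review bot: The added `certApprovalCallback.ignoreError(ValidityStatus.UNKNOWN_ISSUER);` in ConfigurationUtils.importCertChain() widens the set of TLS validation failures this connection tolerates, and the one-line comment above it does not record why that is acceptable. The connection exists only to fetch the peer's certificate chain, so the comment should state that contract so the relaxed callback is not reused for other requests, e.g. `// Ignore untrusted/unknown issuer: this connection only retrieves the server's cert chain, which the caller must verify before trusting it; do not reuse this callback for other requests.` Whether the fetched chain is verified afterwards is outside the hunk (the `if (c != null) {` branch continues past it), so that should be confirmed against the rest of importCertChain().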
diff --git a/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch b/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch new file mode 100644 index 0000000..7919499 --- /dev/null +++ b/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch 
@@ -0,0 +1,191 @@ +From fdff7d618958162b3a30d63c9c50bd71faace530 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 29 Oct 2016 07:52:36 +0200 +Subject: [PATCH 1/2] Reformatted SecurityDataRecoveryService.serviceRequest(). + +The code in SecurityDataRecoveryService.serviceRequest() has been +reformatted for clarity. + +https://fedorahosted.org/pki/ticket/2500 +(cherry picked from commit 613d8e8281cc336d7e1c8291abedb4b2321f93ec) +(cherry picked from commit ec165a0d6cd805d1b5d4fbd4fff44ff00bfcaee0) +--- + .../netscape/kra/SecurityDataRecoveryService.java | 30 ++++++++++++++++++---- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +index f12222b..478f7a8 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +@@ -24,6 +24,7 @@ import java.math.BigInteger; + import java.security.InvalidAlgorithmParameterException; + import java.security.InvalidKeyException; + import java.security.NoSuchAlgorithmException; ++import java.security.PublicKey; + import java.security.spec.AlgorithmParameterSpec; + import java.util.Arrays; + import java.util.Hashtable; +@@ -31,9 +32,6 @@ import java.util.Random; + + import javax.crypto.spec.RC2ParameterSpec; + +-import netscape.security.util.DerValue; +-import netscape.security.x509.X509Key; +- + import org.dogtagpki.server.kra.rest.KeyRequestService; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.OCTET_STRING; +@@ -73,6 +71,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit; + import com.netscape.cmscore.dbs.KeyRecord; + import com.netscape.cmsutil.util.Utils; + ++import netscape.security.util.DerValue; ++import netscape.security.x509.X509Key; ++ + /** + * This implementation services SecurityData Recovery requests. + *

+@@ -184,6 +185,7 @@ public class SecurityDataRecoveryService implements IService { + } catch (Exception e) { + iv = iv_default; + } ++ + String ivStr = Utils.base64encode(iv); + + KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno); +@@ -200,20 +202,27 @@ public class SecurityDataRecoveryService implements IService { + if (allowEncDecrypt_recovery == true) { + CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true."); + unwrappedSecData = recoverSecurityData(keyRecord); ++ + } else { + symKey = recoverSymKey(keyRecord); + } + + } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { + unwrappedSecData = recoverSecurityData(keyRecord); ++ + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + try { + if (allowEncDecrypt_recovery == true) { + CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true."); + unwrappedSecData = recoverSecurityData(keyRecord); ++ + } else { +- privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(), +- X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData()))); ++ ++ byte[] publicKeyData = keyRecord.getPublicKeyData(); ++ byte[] privateKeyData = keyRecord.getPrivateKeyData(); ++ ++ PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData)); ++ privateKey = mStorageUnit.unwrap(privateKeyData, publicKey); + } + + } catch (IOException e) { +@@ -244,22 +253,29 @@ public class SecurityDataRecoveryService implements IService { + passStr = null; + + if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { ++ + CMS.debug("SecurityDataRecoveryService: wrap or encrypt stored symmetric key with transport passphrase"); + if (allowEncDecrypt_recovery == true) { + CMS.debug("SecurityDataRecoveryServic: allowEncDecyypt_recovery: true, symmetric key: create blob with unwrapped key."); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); ++ + } else { + pbeWrappedData = 
createEncryptedContentInfo(ct, symKey, null, null, + pass); + } ++ + } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { ++ + CMS.debug("SecurityDataRecoveryService: encrypt stored passphrase with transport passphrase"); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, + pass); ++ + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { ++ + if (allowEncDecrypt_recovery == true) { + CMS.debug("SecurityDataRecoveryService: allowEncDecyypt_recovery: true, asymmetric key: create blob with unwrapped key."); + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); ++ + } else { + CMS.debug("SecurityDataRecoveryService: wrap stored private key with transport passphrase"); + pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey, +@@ -294,9 +310,11 @@ public class SecurityDataRecoveryService implements IService { + CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); + unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT); + Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); ++ + if (encryptor != null) { + encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv)); + key_data = encryptor.doFinal(unwrappedSecData); ++ + } else { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, + serialno.toString(), "Failed to create cipher encrypting symmetric key"); +@@ -344,9 +362,11 @@ public class SecurityDataRecoveryService implements IService { + CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); + unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT); + Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); ++ + if (encryptor != null) { + encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv)); + 
key_data = encryptor.doFinal(unwrappedSecData); ++ + } else { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, + serialno.toString(), "Failed to create cipher encrypting asymmetric key"); +-- +1.8.3.1 + + +From 7fe0c22d09017fc45b251fd4fb2dd5f5dd23c603 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 1 Nov 2016 22:49:22 +0100 +Subject: [PATCH 2/2] Fixed KRA key recovery via CLI in FIPS mode. + +Based on investigation and solution provided by cfu and jmagne, +the SecurityDataRecoveryService.serviceRequest() has been modified +to use EncryptionUnit.unwrap_temp() for key recovery via CLI in +FIPS mode. + +https://fedorahosted.org/pki/ticket/2500 +(cherry picked from commit 650b00dc57bb0c51c1e327ec3064531c26f80c43) +(cherry picked from commit 8bef45df5e3d287111df8e0a33519a065e3e7b70) +--- + base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java | 3 +++ + base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +index 23a1f77..575dda7 100644 +--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java ++++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +@@ -142,6 +142,9 @@ public interface IEncryptionUnit extends IToken { + public SymmetricKey unwrap_sym(byte encSymmKey[], + SymmetricKey.Usage usage); + ++ public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey) ++ throws EBaseException; ++ + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. 
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +index 478f7a8..83c1fb1 100644 +--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java ++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +@@ -222,7 +222,7 @@ public class SecurityDataRecoveryService implements IService { + byte[] privateKeyData = keyRecord.getPrivateKeyData(); + + PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData)); +- privateKey = mStorageUnit.unwrap(privateKeyData, publicKey); ++ privateKey = mStorageUnit.unwrap_temp(privateKeyData, publicKey); + } + + } catch (IOException e) { +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch b/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch new file mode 100644 index 0000000..9686063 --- /dev/null +++ b/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch 
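Review bot: The new `unwrap_temp(byte privateKey[], PublicKey pubKey)` declaration in IEncryptionUnit has no Javadoc while the neighbouring `unwrap_sym` and `unwrap` methods are documented, and the name alone does not tell implementers how it differs from `unwrap`. A Javadoc block should state what it returns and how it differs — presumably that the private key is unwrapped as a temporary key object rather than a permanent token key, which the commit message credits for the FIPS fix; confirm against the implementation, which is outside this hunk. Something like `/** Unwraps private key data into a temporary (non-persistent) PrivateKey; unlike unwrap(), the key is not stored on the token. */` plus `@throws EBaseException` would do. The switch in SecurityDataRecoveryService.serviceRequest() from `mStorageUnit.unwrap` to `mStorageUnit.unwrap_temp` also changes the lifetime of the recovered key and deserves a one-line comment at the call site; that method starts and ends outside the hunk.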
@@ -0,0 +1,45 @@ +From bd7606fc9f2f7349ab33c0d9629667533a4fa7cd Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 22 Sep 2016 12:00:35 +1000 +Subject: [PATCH] Compare serialised DNs in host authority check + +CA startup creates an LWCA entry for the host authority if it +determines that one has not already been created. It determines if +an LWCA entry corresponds to the host CA by comparing the DN from +LDAP with the DN from the host authority's certificate. + +If the DN from the host authority's certificate contains values +encoded as PrintableString, it will compare unequal to the DN from +LDAP, which parses to UTF8String AVA values. This causes the +addition of a spurious host authority entry every time the server +starts. + +Serialise DNs before comparing, to avoid these false negatives. + +Fixes: https://fedorahosted.org/pki/ticket/2475 +(cherry picked from commit 84606cc69390187b7f0f11fff41a372fd96f8f93) +--- + base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index a4f1024..ae90d3a 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -3256,7 +3256,12 @@ public class CertificateAuthority + if (descAttr != null) + desc = (String) descAttr.getStringValues().nextElement(); + +- if (dn.equals(mName)) { ++ /* Determine if it is the host authority's entry, by ++ * comparing DNs. DNs must be serialised in case different ++ * encodings are used for AVA values, e.g. PrintableString ++ * from LDAP vs UTF8String in certificate. ++ */ ++ if (dn.toString().equals(mName.toString())) { + CMS.debug("Found host authority"); + foundHostAuthority = true; + this.authorityID = aid; +-- +1.8.3.1 + 
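Review bot: The new comment above `if (dn.toString().equals(mName.toString())) {` in CertificateAuthority inverts the encodings relative to the commit message: the message says PrintableString comes from the certificate and UTF8String from the LDAP parse, while the comment says `PrintableString from LDAP vs UTF8String in certificate`. One of the two is wrong and the comment is what the next reader sees, so it should match the analysis in the message, e.g. ` * encodings are used for AVA values, e.g. PrintableString` / ` * in the certificate vs UTF8String parsed from LDAP.` The comparison now relies on X500Name.toString() producing identical output for both inputs, which covers the encoding difference described but is an assumption for attribute order or case differences; a short note of that reliance would help. The enclosing method continues outside the hunk.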
diff --git a/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch b/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch new file mode 100644 index 0000000..a39457a --- /dev/null +++ b/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch 
@@ -0,0 +1,245 @@ +From 3c6aa16ac1e1350a9700d7a3f9e836a44c9a134e Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 5 Oct 2016 22:58:16 +0200 +Subject: [PATCH] Removed duplicate classes. + +The CMake scripts have been modified to store compiled Java classes +in separate folders for each JAR files to avoid duplicates. + +https://fedorahosted.org/pki/ticket/2505 +(cherry picked from commit 0f9212ee0fee093be5e47afc15629d281984ec09) +(cherry picked from commit 9bfe6101e82319d9f14edc0b0c1c16ca02a0f9a4) +--- + CMakeLists.txt | 1 - + base/ca/src/CMakeLists.txt | 4 ++-- + base/common/src/CMakeLists.txt | 4 ++-- + base/java-tools/src/CMakeLists.txt | 4 ++-- + base/kra/src/CMakeLists.txt | 4 ++-- + base/server/cms/src/CMakeLists.txt | 4 ++-- + base/server/cmscore/src/CMakeLists.txt | 4 ++-- + base/symkey/src/CMakeLists.txt | 4 ++-- + base/symkey/src/com/netscape/symkey/CMakeLists.txt | 2 +- + base/util/src/CMakeLists.txt | 8 ++++---- + 10 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index c746056..457e144 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -54,7 +54,6 @@ macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source buil + include(MacroCopyFile) + include(Java) + +-file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/classes) + file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/dist) + + # required for all PKI components +diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt +index 854ce28..e612d72 100644 +--- a/base/ca/src/CMakeLists.txt ++++ b/base/ca/src/CMakeLists.txt +@@ -96,7 +96,7 @@ javac(pki-ca-classes + ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR} + ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar + ) +@@ -114,7 +114,7 @@ jar(pki-ca-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-ca.mf + INPUT_DIR +- 
${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/ca/*.class + org/dogtagpki/server/ca/*.class +diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt +index ee41b2f..7ce833c 100644 +--- a/base/common/src/CMakeLists.txt ++++ b/base/common/src/CMakeLists.txt +@@ -131,7 +131,7 @@ javac(pki-certsrv-classes + ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR} + ${HTTPCLIENT_JAR} ${HTTPCORE_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + pki-nsutil-jar pki-cmsutil-jar + ) +@@ -149,7 +149,7 @@ jar(pki-certsrv-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-certsrv.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/certsrv/*.class + org/dogtagpki/tps/*.class +diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt +index e7ca5db..6753102 100644 +--- a/base/java-tools/src/CMakeLists.txt ++++ b/base/java-tools/src/CMakeLists.txt +@@ -100,7 +100,7 @@ javac(pki-tools-classes + ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} + ${HTTPCLIENT_JAR} ${HTTPCORE_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar + ) +@@ -118,7 +118,7 @@ jar(pki-tools-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-tools.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/cmstools/*.class + DEPENDS +diff --git a/base/kra/src/CMakeLists.txt b/base/kra/src/CMakeLists.txt +index 400ec01..c04d7fe 100644 +--- a/base/kra/src/CMakeLists.txt ++++ b/base/kra/src/CMakeLists.txt +@@ -118,7 +118,7 @@ javac(pki-kra-classes + ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR} + ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR} ${TOMCAT_CATALINA_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ 
${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar + ) +@@ -136,7 +136,7 @@ jar(pki-kra-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-kra.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/kra/*.class + org/dogtagpki/server/kra/*.class +diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt +index 93f4a8a..447dcb1 100644 +--- a/base/server/cms/src/CMakeLists.txt ++++ b/base/server/cms/src/CMakeLists.txt +@@ -133,7 +133,7 @@ javac(pki-cms-classes + ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} + ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_TOMCAT_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-tomcat-jar + ) +@@ -151,7 +151,7 @@ jar(pki-cms-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-cms.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/cms/*.class + org/dogtagpki/server/*.class +diff --git a/base/server/cmscore/src/CMakeLists.txt b/base/server/cmscore/src/CMakeLists.txt +index 32e4351..fe8dba2 100644 +--- a/base/server/cmscore/src/CMakeLists.txt ++++ b/base/server/cmscore/src/CMakeLists.txt +@@ -133,7 +133,7 @@ javac(pki-cmscore-classes + ${HTTPCLIENT_JAR} ${HTTPCORE_JAR} + ${NUXWDOG_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-tomcat-jar + ) +@@ -151,7 +151,7 @@ jar(pki-cmscore-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-cmscore.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/cmscore/*.class + DEPENDS +diff --git a/base/symkey/src/CMakeLists.txt b/base/symkey/src/CMakeLists.txt +index 9a4e10f..8455d59 100644 +--- 
a/base/symkey/src/CMakeLists.txt ++++ b/base/symkey/src/CMakeLists.txt +@@ -15,14 +15,14 @@ javac(symkey-classes + CLASSPATH + ${JSS_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + ) + + jar(symkey-jar + CREATE + ${CMAKE_BINARY_DIR}/dist/symkey.jar + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/symkey/*.class + DEPENDS +diff --git a/base/symkey/src/com/netscape/symkey/CMakeLists.txt b/base/symkey/src/com/netscape/symkey/CMakeLists.txt +index 590a7d8..6915ee9 100644 +--- a/base/symkey/src/com/netscape/symkey/CMakeLists.txt ++++ b/base/symkey/src/com/netscape/symkey/CMakeLists.txt +@@ -42,7 +42,7 @@ add_custom_command( + ${symkey_library_HDRS} + COMMAND + ${Java_JAVAH_EXECUTABLE} +- -classpath ${CMAKE_BINARY_DIR}/classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar ++ -classpath ${CMAKE_CURRENT_BINARY_DIR}/../../../classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar + -jni -d ${CMAKE_CURRENT_BINARY_DIR} + com.netscape.symkey.SessionKey + ) +diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt +index f374c01..bf531d4 100644 +--- a/base/util/src/CMakeLists.txt ++++ b/base/util/src/CMakeLists.txt +@@ -76,7 +76,7 @@ javac(pki-nsutil-classes + ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} + ${JSS_JAR} ${COMMONS_CODEC_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + ) + + configure_file( +@@ -92,7 +92,7 @@ jar(pki-nsutil-jar + PARAMS + ${CMAKE_CURRENT_BINARY_DIR}/pki-nsutil.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + netscape/*.class + DEPENDS +@@ -118,7 +118,7 @@ javac(pki-cmsutil-classes + ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} + ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR} + OUTPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + DEPENDS + pki-nsutil-jar + ) +@@ -136,7 +136,7 @@ jar(pki-cmsutil-jar + PARAMS + 
${CMAKE_CURRENT_BINARY_DIR}/pki-cmsutil.mf + INPUT_DIR +- ${CMAKE_BINARY_DIR}/classes ++ ${CMAKE_CURRENT_BINARY_DIR}/classes + FILES + com/netscape/cmsutil/*.class + DEPENDS +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-problems-with-FIPS-mode.patch b/SOURCES/pki-core-problems-with-FIPS-mode.patch new file mode 100644 index 0000000..390c0e5 --- /dev/null +++ b/SOURCES/pki-core-problems-with-FIPS-mode.patch 
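Review bot: The javah classpath in base/symkey/src/com/netscape/symkey/CMakeLists.txt now reaches the symkey classes via `${CMAKE_CURRENT_BINARY_DIR}/../../../classes`, a depth-relative path that silently breaks if the directory is moved, while every other file in this change uses `${CMAKE_CURRENT_BINARY_DIR}/classes` directly. Defining the location once in base/symkey/src/CMakeLists.txt, e.g. `set(SYMKEY_CLASSES_DIR ${CMAKE_CURRENT_BINARY_DIR}/classes)` (constructed name), and using `-classpath ${SYMKEY_CLASSES_DIR}:${JAVA_LIB_INSTALL_DIR}/jss4.jar` in the subdirectory keeps the javah classpath in step with the javac OUTPUT_DIR. This assumes the subdirectory is processed via add_subdirectory and inherits the parent's variables; if it is included another way a cache variable would be needed instead.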
@@ -0,0 +1,82 @@ +From 78fa2f5955225cd38f3c5b996396453899017b31 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 12 Oct 2016 03:26:41 +0200 +Subject: [PATCH] Fixed CryptoUtil.getTokenName(). + +The CryptoUtil.getTokenName() has been modified to check both the +short name and full name of the internal token. + +The ConfigurationUtils.deleteCert() has also been modified to call +CryptoUtil.getTokenName(). + +https://fedorahosted.org/pki/ticket/2500 +(cherry picked from commit 5be68e38fd77f171331d27ca52a291f06f7c686c) +(cherry picked from commit 42c52b18467212dde0cdebedca55ab22c4629cb5) +--- + .../cms/servlet/csadmin/ConfigurationUtils.java | 2 +- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 23 +++++++++++++--------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index ecf8157..afd8d28 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -3419,7 +3419,7 @@ public class ConfigurationUtils { + NoSuchTokenException, TokenException { + + CryptoManager cm = CryptoManager.getInstance(); +- CryptoToken tok = cm.getTokenByName(tokenname); ++ CryptoToken tok = CryptoUtil.getTokenByName(tokenname); + CryptoStore store = tok.getCryptoStore(); + String fullnickname = nickname; + if (!tokenname.equals("") && +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index b02c363..b6b5e6a 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -135,6 +135,9 @@ import netscape.security.x509.X509Key; + @SuppressWarnings("serial") + public class CryptoUtil { + ++ public final static String INTERNAL_TOKEN_NAME 
= "internal"; ++ public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token"; ++ + public static final String CERTREQ_BEGIN_HEADING = "-----BEGIN CERTIFICATE REQUEST-----"; + public static final String CERTREQ_END_HEADING = "-----END CERTIFICATE REQUEST-----"; + public static final int LINE_COUNT = 76; +@@ -472,21 +475,23 @@ public class CryptoUtil { + return true; + } + ++ public static boolean isInternalToken(String name) { ++ return name.equalsIgnoreCase(INTERNAL_TOKEN_NAME) || name.equalsIgnoreCase(INTERNAL_TOKEN_FULL_NAME); ++ } ++ + /** + * Retrieves handle to a JSS token. + */ +- public static CryptoToken getTokenByName(String token) +- throws CryptoManager.NotInitializedException, +- NoSuchTokenException { ++ public static CryptoToken getTokenByName(String name) ++ throws NotInitializedException, NoSuchTokenException { ++ + CryptoManager cm = CryptoManager.getInstance(); +- CryptoToken t = null; + +- if (token.equals("internal")) { +- t = cm.getInternalKeyStorageToken(); +- } else { +- t = cm.getTokenByName(token); ++ if (isInternalToken(name)) { ++ return cm.getInternalKeyStorageToken(); + } +- return t; ++ ++ return cm.getTokenByName(name); + } + + /** +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch b/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch new file mode 100644 index 0000000..dba4187 --- /dev/null +++ b/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch 
@@ -0,0 +1,44 @@ +From eb106cb46aaea07ddc3c46db63f99ab41b2cd835 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Thu, 20 Oct 2016 15:18:12 -0700 +Subject: [PATCH] TPS token enrollment fails to setupSecureChannel when TPS and + TKS security db is on fips mode. + +Ticket #2513. + +Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FiPS mode. + +(cherry picked from commit cb2cc3c7fd93e1a0519a0b530cbc2edbab7741cc) +(cherry picked from commit 7fae5790584855ea84b9c6ecf73058b6f0dfc1aa) +--- + .../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +index db42cab..6dfd1d2 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +@@ -31,6 +31,7 @@ import sun.security.pkcs11.wrapper.PKCS11Constants; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.base.EBaseException; ++import com.netscape.cmsutil.crypto.CryptoUtil; + + public class SecureChannelProtocol { + +@@ -688,10 +689,11 @@ public class SecureChannelProtocol { + + public CryptoToken returnTokenByName(String name, CryptoManager manager) throws NoSuchTokenException { + ++ CMS.debug("returnTokenByName: requested name: " + name); + if (name == null || manager == null) + throw new NoSuchTokenException(); + +- if (name.equals("internal") || name.equals("Internal KeyStorage Token")) { ++ if(CryptoUtil.isInternalToken(name)) { + return manager.getInternalKeyStorageToken(); + } else { + return manager.getTokenByName(name); +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-two-step-external-CA-authorityID.patch b/SOURCES/pki-core-two-step-external-CA-authorityID.patch new file mode 100644 index 0000000..41f54be 
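Review bot: The replaced condition in SecureChannelProtocol.returnTokenByName() matched the literal `"Internal KeyStorage Token"` (no space in KeyStorage), while `CryptoUtil.isInternalToken`, which it now delegates to, recognises `"Internal Key Storage Token"`; a caller passing the old spelling now falls through to `manager.getTokenByName(name)` and presumably gets NoSuchTokenException, and the commit message does not mention this. If the old spelling was a typo for the NSS token name, say so in the commit; if it is a legitimate configured value somewhere, the constant needs to cover it. Also `if(CryptoUtil.isInternalToken(name)) {` is missing the space after `if` that the surrounding code uses, and the added `CMS.debug("returnTokenByName: requested name: " + name);` would sit more naturally after the null check it precedes, though logging a null name is harmless.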
--- /dev/null +++ b/SOURCES/pki-core-two-step-external-CA-authorityID.patch @@ -0,0 +1,41 @@ +From 441e69f01d8acddef0659f10084fa07b8bff06e5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 21 Sep 2016 20:18:37 +1000 +Subject: [PATCH] Do not attempt LWCA key retrieval for host authority + +During two-step installation of externally-signed CA, installation +can fail because host authority's private key cannot be located (a +temporary condition), causing LWCA key replication to fire, which +throws NullPointerException because the host authority's AuthorityID +has not been set yet. + +Do not start key retrieval if the CA's AuthorityID is null (a +condition which implies that the CA is the host authority). + +Fixes: https://fedorahosted.org/pki/ticket/2466 +(cherry picked from commit fca5fd053434d112998c814bc6d9424b6a5bac98) +--- + base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index 1f77fd8..a4f1024 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -1569,7 +1569,12 @@ public class CertificateAuthority + CMS.debug("CA signing key and cert not (yet) present in NSSDB"); + signingUnitException = e; + if (retrieveKeys == true) { +- if (!keyRetrieverThreads.containsKey(authorityID)) { ++ if (authorityID == null) { ++ // Only the host authority should ever see a ++ // null authorityID, e.g. during two-step ++ // installation of externally-signed CA. ++ CMS.debug("null authorityID -> host authority; not starting KeyRetriever"); ++ } else if (!keyRetrieverThreads.containsKey(authorityID)) { + CMS.debug("Starting KeyRetrieverRunner thread"); + Thread t = new Thread( + new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts), +-- +1.8.3.1 + 
diff --git a/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch b/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch new file mode 100644 index 0000000..aac26c3 --- /dev/null +++ b/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch @@ -0,0 +1,27 @@ +From 92372f653ca48d1de71de990fe3ef99ba1a83111 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 24 Oct 2016 18:30:55 +0200 +Subject: [PATCH] Fixed typo in UserPwdDirAuthentication. + +https://fedorahosted.org/pki/ticket/2460 +(cherry picked from commit 634da4e7ba6af5e799da300955a4730fa51be8f0) +--- + .../src/com/netscape/cms/authentication/UserPwdDirAuthentication.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java +index a95dd86..ead8650 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java +@@ -108,7 +108,7 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication + } + + /** +- * Initializes the UdnPwdDirAuthentication auth manager. ++ * Initializes the UserPwdDirAuthentication auth manager. + *

+ * + * @param name - The name for this authentication manager instance. +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index c80dc4a..0b2b688 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -65,7 +65,8 @@ Name: pki-core Version: 10.3.3 -Release: 10%{?dist} +Release: 14.el7_3 +#Release: 14%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -221,6 +222,26 @@ Patch5: pki-core-snapshot-2.patch Patch6: pki-core-snapshot-3.patch ## pki-core-10.3.3-10 Patch7: pki-core-snapshot-4.patch +## pki-core-10.3.3-11 +#Patch8: pki-core-rhel-post-snapshot-1.patch +## pki-core-10.3.3-12 +## RHEL 7.3.z Batch Update 1 +Patch9: pki-core-two-step-external-CA-authorityID.patch +Patch10: pki-core-compare-serial-DNs-host-authz-check.patch +Patch11: pki-core-KRA-external-CA-partial-cert-chain.patch +Patch12: pki-core-problems-with-FIPS-mode.patch +Patch13: pki-core-eliminate-duplicate-classes-in-jars.patch +Patch14: pki-core-typo-in-UserPwdDirAuthentication.patch +## RHCS 9.1.z Batch Update 1 +#Patch15: pki-core-token-format-external-reg.patch +#Patch16: pki-core-encryption-cert-auto-recovery-damaged-token.patch +#Patch17: pki-core-pin-reset-policy.patch +Patch18: pki-core-tps-token-setupSecureChannel-fips-mode.patch +## pki-core-10.3.3-13 +## RHCS 9.1.z Batch Update 1 +##Patch19: pki-core-target-agent-approve-list.patch +## RHEL 7.3.z Batch Update 1 +Patch20: pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -528,6 +549,7 @@ Requires: nuxwdog-client-java >= 1.0.3 Requires: policycoreutils Requires: openldap-clients +Requires: openssl Requires: pki-base = %{version}-%{release} Requires: pki-base-java = %{version}-%{release} Requires: pki-tools = %{version}-%{release} 
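Review bot: `Release: 14.el7_3` hardcodes the dist tag with the conventional `Release: 14%{?dist}` left commented out, so any rebuild of this spec against a different dist macro keeps the wrong suffix, and nothing records why the macro was bypassed. If the fixed tag is intentional for this z-stream build, keep the commented line but say so, e.g. `# dist tag pinned to el7_3 for the RHEL 7.3.z batch update; restore %{?dist} afterwards`; otherwise restore the macro form. The `@@ -221` hunk in the same file also adds several commented-out Patch entries for files not in this change, which are harmless but lack a note on whether they are pending or abandoned.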
@@ -841,6 +863,19 @@ This package is a part of the PKI Core used by the Certificate System. %patch5 -p1 %patch6 -p1 %patch7 -p1 +#%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +#%patch15 -p1 +#%patch16 -p1 +#%patch17 -p1 +%patch18 -p1 +##%patch19 -p1 +%patch20 -p1 %clean %{__rm} -rf %{buildroot} 
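Review bot: The commented-out `#%patch8 -p1`, `#%patch15 -p1` through `#%patch17 -p1` and `##%patch19 -p1` lines in %prep leave a `%` macro inside a comment; rpm expands macros in comment lines and rpmlint reports macro-in-comment for exactly this pattern, so the safe form is `#%%patch8 -p1` (and likewise for the others). Whether a given rpm version expands a bare `%patchN` on a commented line or only `%{...}` forms varies, but the doubled percent is harmless either way and removes the risk of a stray patch application or parse error once the referenced Patch lines stay undefined. The corresponding `#Patch8:` and `#Patch15`–`#Patch17` declarations are plain text and need no change.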
@@ -1341,9 +1376,78 @@ systemctl daemon-reload %endif # %{with server} %changelog +* Tue Nov 8 2016 Dogtag Team 10.3.3-14 +- Marked the following RHCS 9.1.z bug: + Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel + when TPS and TKS security db is on fips mode. (jmagne) + as a duplicate of RHEL 7.3.z bug: + Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) + and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug. + +* Thu Nov 3 2016 Dogtag Team 10.3.3-13 +- ## RHEL 7.3.z Batch Update 1 +- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) + (added KRA key recovery via CLI in FIPS mode) +- ## RHCS 9.1.z Batch Update 1 +- Reverted patches associated with + Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (edewata) + +* Mon Oct 31 2016 Dogtag Team 10.3.3-12 +- ## RHEL 7.3.z Batch Update 1 +- Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does + not show proper error message (alee) +- Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service + ("ipa-cacert-manage renew" failed?) 
(edewata) +- Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as + a dependency package (mharmsen) +- Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due + to missing AuthorityID (ftweedal) +- Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal) +- Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA + with partial certificate chain (edewata) +- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) +- Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar + files (edewata) +- Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java + (edewata) +- ## RHCS 9.1.z Batch Update 1 +- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) +- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a + single user on multiple tokens. (jmagne) +- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed + tokens (jmagne) +- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working + when a token is physically damaged and a temporary token is issued (jmagne) +- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial + number and key id on the ldap user mismatches +- Bugzilla Bug #1381635 - Token format with external reg fails when + op.format.externalRegAddToToken.revokeCert=true (cfu) +- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when + set on a token (jmagne) +- Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel + when TPS and TKS security db is on fips mode. (jmagne) +- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI (edewata) + +* Mon Oct 10 2016 Dogtag Team 10.3.3-11 +- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu) +- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single + user on multiple tokens. 
(jmagne) +- PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a + dependency package (mharmsen) +- PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed + tokens (jmagne) +- PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial + number and key id on the ldap user mismatches (cfu) +- PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar + files (edewata) + * Fri Sep 9 2016 Dogtag Team 10.3.3-10 - Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata) +- Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate +- Restores: rhbz #1319557 - pkispawn KRA instance is failing server - Removes from Errata: rhbz #1372041 - Unable to create system certificates in different tokens