diff --git a/.gitignore b/.gitignore
index dc9d439..2e17446 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.4.tar.gz
+SOURCES/pki-10.10.5.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 5d8738e..a910798 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-dd0b6a1732c36077180769ba58ed11e659c0b621 SOURCES/pki-10.9.4.tar.gz
+61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
diff --git a/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
deleted file mode 100644
index 0063437..0000000
--- a/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From 8b3cb80954a932867c2d4d96eb1cced83fa78996 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 13 Jan 2021 18:27:46 +1100 -Subject: [PATCH] Fix renewal profile approval process - -Due to a recent change in PKI CLI, the CLI now passes along user -authentication with submissions to the renewal endpoint. Unlike the EE -pages, the REST API has passed along this authentication for a while. -Due to a bug in the RenewalProcessor, requests with credentials against -profiles with no authentication method and no ACLs result in the -certificiate automatically being approved. This occurs because, when -an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified -the code to allow Light-Weight SubCAs to issue certificates, validation -wasn't done on the passed principal, to see if it was a trusted agent. -Because profiles requring Agent approval have an empty ACL list (as, no -user should be able to submit a certificate request and have it -automatically signed without agent approval), authorize allows any user -to approve this request and thus accepts the AuthToken. - -Critical analysis: the RenewalProcessor code interprets (authToken -!= null) as evidence that the authenticated user is /authorized/ to -immediately issue the certificate. This mismatch of concerns (authn -vs authz) resulted in a misunderstanding of system behaviour. The -"latent" AuthToken (from the HTTP request) was assigned to authToken -without realising that authorization needed to be performed. - -We fix this by splitting the logic on whether the profile defines an -authenticator. If so, we (re)authenticate and authorize the user -according to the profile configuration. 
- -If the profile does not define an authenticator but there is a -principal in the HTTP request, if (and only if) the user has -permission to approve certificate requests *and* the requested -renewal profile is caManualRenewal (which is hardcoded to be used -for LWCA renewal), then we issue the certificate immediately. This -special case ensures that LWCA renewal keeps working. - -Otherwise, if there is no principal in the HTTP request or the -principal does not have permission to approve certificate requests, -we leave the authToken unset. The resulting renewal request will be -created with status PENDING, i.e. enqueued for agent review. - -Signed-off-by: Fraser Tweedale -Signed-off-by: Alexander Scheel ---- - .../com/netscape/ca/CertificateAuthority.java | 10 +++ - .../cms/servlet/cert/RenewalProcessor.java | 75 +++++++++++++++++-- - 2 files changed, 79 insertions(+), 6 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java -index 07f29fead..50292201b 100644 ---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java -+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java -@@ -2962,6 +2962,16 @@ public class CertificateAuthority - } - - ProfileSubsystem ps = engine.getProfileSubsystem(); -+ /* NOTE: hard-coding the profile to use for Lightweight CA renewal -+ * might be OK, but caManualRenewal was not the right one to use. -+ * As a consequence, we have an undesirable special case in -+ * RenewalProcessor.processRenewal(). -+ * -+ * We should introduce a new profile specifically for LWCA renewal, -+ * with an authenticator and ACLs to match the authz requirements -+ * for the renewAuthority REST resource itself. Then we can use -+ * it here, and remove the workaround from RenewalProcessor. 
-+ */ - Profile profile = ps.getProfile("caManualRenewal"); - CertEnrollmentRequest req = CertEnrollmentRequestFactory.create( - new ArgBlock(), profile, httpReq.getLocale()); -diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -index 917c64856..75677b5e4 100644 ---- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java -@@ -31,6 +31,7 @@ import java.util.Map; - import javax.servlet.http.HttpServletRequest; - - import org.apache.commons.lang.StringUtils; -+import org.dogtagpki.server.authorization.AuthzToken; - import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension; - import org.mozilla.jss.netscape.security.x509.X509CertImpl; - -@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor { - - // before creating the request, authenticate the request - IAuthToken authToken = null; -- Principal principal = request.getUserPrincipal(); -- if (principal instanceof PKIPrincipal) -- authToken = ((PKIPrincipal) principal).getAuthToken(); -- if (authToken == null && authenticator != null) { -- authToken = authenticate(request, origReq, authenticator, context, true, credentials); -+ -+ if (authenticator != null) { -+ /* The profile specifies an authenticator. Use it to -+ * authenticate the user. Ignore the "latent" session -+ * principal (if any). -+ */ -+ authToken = authenticate( -+ request, -+ origReq, -+ authenticator, -+ context, -+ true /* isRenewal */, -+ credentials); -+ } else { -+ /* When authenticator is null, we expect manual agent -+ * review (leave authToken as null). -+ * -+ * But as a special case to ensure Lightweight CA (LWCA) -+ * renewal works, if there is a latent user in the HTTP -+ * request, we use that user (i.e. 
set authToken to the -+ * principal's IAuthToken) if and only if: -+ * -+ * - The renewal profile is caManualRenewal (LWCA renewal -+ * is hardcoded to use this profile); AND -+ * -+ * - The latent user is authorized to "execute" -+ * certificate requests (i.e. agent approval) -+ * -+ * See also CertificateAuthority.renewAuthority(). -+ */ -+ -+ Principal principal = request.getUserPrincipal(); -+ if ( -+ renewProfileId.equals("caManualRenewal") -+ && principal instanceof PKIPrincipal -+ ) { -+ IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken(); -+ AuthzToken authzToken = authorize( -+ "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute"); -+ if (authzToken != null) { -+ // Success (no exception); user is authorized to approve -+ // cert requests. Set the authToken. -+ // -+ // NOTE: This authz does not replace or subsume the -+ // profile-specific authz check below. -+ authToken = latentToken; -+ } else { -+ // leave authToken as null to enqueue a pending request. -+ } -+ } else { -+ // not caManualRenewal or no latent principal; -+ // leave authToken as null to enqueue a pending request. -+ } - } - -- // authentication success, now authorize -+ /* Authorize the request. -+ * -+ * If authToken != null, it will be checked against ACLs specified -+ * in the profile (if any). If ACLs are defined and authToken does -+ * not match, throws an authorization exception. -+ * -+ * If authToken == null, no check is performed (even if the profile -+ * defines ACLs). This is fine, because null authToken will cause -+ * the request status to be 'pending' [agent approval]. -+ */ - authorize(profileId, renewProfile, authToken); - -+ /* At this point, the request will be created. If authToken -+ * is non-null, then the certificate will be issued -+ * immediately. Otherwise the request will be pending. 
*/ -+ -+ - /////////////////////////////////////////////// - // create and populate requests - /////////////////////////////////////////////// --- -2.29.2 - diff --git a/SOURCES/0001-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-Fix-renewal-profile-approval-process.patch new file mode 100644 index 0000000..2aa7f35 --- /dev/null +++ b/SOURCES/0001-Fix-renewal-profile-approval-process.patch 
@@ -0,0 +1,170 @@ +From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 13 Jan 2021 18:27:46 +1100 +Subject: [PATCH] Fix renewal profile approval process + +Due to a recent change in PKI CLI, the CLI now passes along user +authentication with submissions to the renewal endpoint. Unlike the EE +pages, the REST API has passed along this authentication for a while. +Due to a bug in the RenewalProcessor, requests with credentials against +profiles with no authentication method and no ACLs result in the +certificiate automatically being approved. This occurs because, when +an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified +the code to allow Light-Weight SubCAs to issue certificates, validation +wasn't done on the passed principal, to see if it was a trusted agent. +Because profiles requring Agent approval have an empty ACL list (as, no +user should be able to submit a certificate request and have it +automatically signed without agent approval), authorize allows any user +to approve this request and thus accepts the AuthToken. + +Critical analysis: the RenewalProcessor code interprets (authToken +!= null) as evidence that the authenticated user is /authorized/ to +immediately issue the certificate. This mismatch of concerns (authn +vs authz) resulted in a misunderstanding of system behaviour. The +"latent" AuthToken (from the HTTP request) was assigned to authToken +without realising that authorization needed to be performed. + +We fix this by splitting the logic on whether the profile defines an +authenticator. If so, we (re)authenticate and authorize the user +according to the profile configuration. 
+ +If the profile does not define an authenticator but there is a +principal in the HTTP request, if (and only if) the user has +permission to approve certificate requests *and* the requested +renewal profile is caManualRenewal (which is hardcoded to be used +for LWCA renewal), then we issue the certificate immediately. This +special case ensures that LWCA renewal keeps working. + +Otherwise, if there is no principal in the HTTP request or the +principal does not have permission to approve certificate requests, +we leave the authToken unset. The resulting renewal request will be +created with status PENDING, i.e. enqueued for agent review. + +Signed-off-by: Fraser Tweedale +Signed-off-by: Alexander Scheel +--- + .../com/netscape/ca/CertificateAuthority.java | 10 +++ + .../cms/servlet/cert/RenewalProcessor.java | 75 +++++++++++++++++-- + 2 files changed, 79 insertions(+), 6 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index 560507168a..431ce9ff78 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -1929,6 +1929,16 @@ public class CertificateAuthority + } + + ProfileSubsystem ps = engine.getProfileSubsystem(); ++ /* NOTE: hard-coding the profile to use for Lightweight CA renewal ++ * might be OK, but caManualRenewal was not the right one to use. ++ * As a consequence, we have an undesirable special case in ++ * RenewalProcessor.processRenewal(). ++ * ++ * We should introduce a new profile specifically for LWCA renewal, ++ * with an authenticator and ACLs to match the authz requirements ++ * for the renewAuthority REST resource itself. Then we can use ++ * it here, and remove the workaround from RenewalProcessor. 
++ */ + Profile profile = ps.getProfile("caManualRenewal"); + CertEnrollmentRequest req = CertEnrollmentRequestFactory.create( + new ArgBlock(), profile, httpReq.getLocale()); +diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +index 4293cdd064..fd20f48267 100644 +--- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java ++++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest; + + import org.apache.commons.lang3.StringUtils; + import org.dogtagpki.server.ca.CAEngine; ++import org.dogtagpki.server.authorization.AuthzToken; + import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension; + import org.mozilla.jss.netscape.security.x509.X509CertImpl; + +@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor { + + // before creating the request, authenticate the request + IAuthToken authToken = null; +- Principal principal = request.getUserPrincipal(); +- if (principal instanceof PKIPrincipal) +- authToken = ((PKIPrincipal) principal).getAuthToken(); +- if (authToken == null && authenticator != null) { +- authToken = authenticate(request, origReq, authenticator, context, true, credentials); ++ ++ if (authenticator != null) { ++ /* The profile specifies an authenticator. Use it to ++ * authenticate the user. Ignore the "latent" session ++ * principal (if any). ++ */ ++ authToken = authenticate( ++ request, ++ origReq, ++ authenticator, ++ context, ++ true /* isRenewal */, ++ credentials); ++ } else { ++ /* When authenticator is null, we expect manual agent ++ * review (leave authToken as null). ++ * ++ * But as a special case to ensure Lightweight CA (LWCA) ++ * renewal works, if there is a latent user in the HTTP ++ * request, we use that user (i.e. 
set authToken to the ++ * principal's IAuthToken) if and only if: ++ * ++ * - The renewal profile is caManualRenewal (LWCA renewal ++ * is hardcoded to use this profile); AND ++ * ++ * - The latent user is authorized to "execute" ++ * certificate requests (i.e. agent approval) ++ * ++ * See also CertificateAuthority.renewAuthority(). ++ */ ++ ++ Principal principal = request.getUserPrincipal(); ++ if ( ++ renewProfileId.equals("caManualRenewal") ++ && principal instanceof PKIPrincipal ++ ) { ++ IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken(); ++ AuthzToken authzToken = authorize( ++ "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute"); ++ if (authzToken != null) { ++ // Success (no exception); user is authorized to approve ++ // cert requests. Set the authToken. ++ // ++ // NOTE: This authz does not replace or subsume the ++ // profile-specific authz check below. ++ authToken = latentToken; ++ } else { ++ // leave authToken as null to enqueue a pending request. ++ } ++ } else { ++ // not caManualRenewal or no latent principal; ++ // leave authToken as null to enqueue a pending request. ++ } + } + +- // authentication success, now authorize ++ /* Authorize the request. ++ * ++ * If authToken != null, it will be checked against ACLs specified ++ * in the profile (if any). If ACLs are defined and authToken does ++ * not match, throws an authorization exception. ++ * ++ * If authToken == null, no check is performed (even if the profile ++ * defines ACLs). This is fine, because null authToken will cause ++ * the request status to be 'pending' [agent approval]. ++ */ + authorize(profileId, renewProfile, authToken); + ++ /* At this point, the request will be created. If authToken ++ * is non-null, then the certificate will be issued ++ * immediately. Otherwise the request will be pending. 
*/ ++ ++ + /////////////////////////////////////////////// + // create and populate requests + /////////////////////////////////////////////// +-- +2.26.2 + diff --git a/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch b/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch deleted file mode 100644 index 0c1dbcf..0000000 --- a/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch +++ /dev/null 
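Review bot: In the RenewalProcessor part of this patch the special case tests `renewProfileId.equals("caManualRenewal")` before anything else, so a null renewProfileId would throw a NullPointerException instead of falling through to the pending-request branch; writing it as `"caManualRenewal".equals(renewProfileId) && principal instanceof PKIPrincipal` keeps the same logic and cannot NPE (whether renewProfileId can be null at this point is not visible in the hunk, so this is a defensive change). The new import `org.dogtagpki.server.authorization.AuthzToken` is placed after `org.dogtagpki.server.ca.CAEngine`, breaking the alphabetical order the surrounding imports follow. The fallback authz check also hard-codes the `"DirAclAuthz"` manager name; if a deployment can be configured with a different authz manager this path would presumably fail closed (request left pending), which is safe but worth a one-line comment stating that intent. processRenewal() begins and ends outside the hunk.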
@@ -1,80 +0,0 @@ -From d17df6f22376753b5cd156f1b7f51837cae1f522 Mon Sep 17 00:00:00 2001 -From: jmagne -Date: Mon, 22 Feb 2021 13:44:20 -0800 -Subject: [PATCH] pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465) - -Add suggested patch from stanislavlevin to solve this issue. -Also add f34 to the ipa tests,this time really add the tests. -Upon further review, back out of f34 tests until the infractructure -supports it. - -Also hardcode tomcat app setting in spec file for the moment to -avoid possible glitches on certain platform. - -Co-authored-by: Jack Magne ---- - .../com/netscape/cmscore/apps/CMSEngine.java | 18 +++++++----------- - 1 file changed, 7 insertions(+), 11 deletions(-) - -diff --git a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java -index 295c4d4cc..f40f99136 100644 ---- a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -156,9 +156,8 @@ public class CMSEngine { - - private static final int PW_OK =0; - //private static final int PW_BAD_SETUP = 1; -- private static final int PW_INVALID_PASSWORD = 2; -+ private static final int PW_INVALID_CREDENTIALS = 2; - private static final int PW_CANNOT_CONNECT = 3; -- private static final int PW_NO_USER = 4; - private static final int PW_MAX_ATTEMPTS = 3; - - -@@ -332,16 +331,16 @@ public class CMSEngine { - } - - int iteration = 0; -- int result = PW_INVALID_PASSWORD; -+ int result = PW_INVALID_CREDENTIALS; - - do { - String passwd = mPasswordStore.getPassword(tag, iteration); - result = testLDAPConnection(tag, connInfo, binddn, passwd); - iteration++; -- } while ((result == PW_INVALID_PASSWORD) && (iteration < PW_MAX_ATTEMPTS)); -+ } while ((result == PW_INVALID_CREDENTIALS) && (iteration < PW_MAX_ATTEMPTS)); - - if (result != PW_OK) { -- if ((result == PW_NO_USER) && (tag.equals("replicationdb"))) { -+ if ((result == PW_INVALID_CREDENTIALS) && 
(tag.equals("replicationdb"))) { - logger.warn( - "CMSEngine: password test execution failed for replicationdb " + - "with NO_SUCH_USER. This may not be a latest instance. Ignoring .."); -@@ -364,7 +363,7 @@ public class CMSEngine { - int ret = PW_OK; - - if (StringUtils.isEmpty(pwd)) { -- return PW_INVALID_PASSWORD; -+ return PW_INVALID_CREDENTIALS; - } - - String host = info.getHost(); -@@ -383,12 +382,9 @@ public class CMSEngine { - - switch (e.getLDAPResultCode()) { - case LDAPException.NO_SUCH_OBJECT: -- logger.debug("CMSEngine: user does not exist: " + binddn); -- ret = PW_NO_USER; -- break; - case LDAPException.INVALID_CREDENTIALS: -- logger.debug("CMSEngine: invalid password"); -- ret = PW_INVALID_PASSWORD; -+ logger.debug("CMSEngine: invalid credentials"); -+ ret = PW_INVALID_CREDENTIALS; - break; - default: - logger.debug("CMSEngine: unable to connect to " + name + ": " + e.getMessage()); --- -2.29.2 - diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 95554a9..05309bb 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -6,15 +6,15 @@ Name: pki-core %global brand Red Hat Summary: %{brand} PKI Core Package -URL: http://www.dogtagpki.org/ +URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 -# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase. -# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase. -Version: 10.9.4 -Release: 3%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -a1 +# For development (i.e. unsupported) releases, use x.y.z-0.n.. +# For official (i.e. supported) releases, use x.y.z-r where r >=1. +Version: 10.10.5 +Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +#global _phase -beta1 # To create a tarball from a version tag: # $ git archive \ 
@@ -36,8 +36,15 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/: # [Errno 111] Connection refused -- Some packages may not be found! Patch1: 0001-Removed-dependency-on-pytest-runner.patch -Patch2: 0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch -Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch +Patch2: 0001-Fix-renewal-profile-approval-process.patch + +# md2man isn't available on i686. Additionally, we aren't generally multi-lib +# compatible (https://fedoraproject.org/wiki/Packaging:Java) +# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems +# safest. +%if ! 0%{?rhel} || 0%{?rhel} > 8 +ExcludeArch: i686 +%endif ################################################################################ # NSS @@ -49,7 +56,7 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch # Python ################################################################################ -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 8 %global python_executable /usr/libexec/platform-python %else %global python_executable /usr/bin/python3 @@ -59,14 +66,15 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch # Java ################################################################################ -%define java_home /usr/lib/jvm/jre-openjdk %define java_devel java-devel %define java_headless java-headless -%if 0%{?fedora} && 0%{?fedora} >= 33 +%if 0%{?fedora} >= 33 || 0%{?rhel} > 8 %define min_java_version 1:11 +%define java_home /usr/lib/jvm/java-11-openjdk %else %define min_java_version 1:1.8.0 +%define java_home /usr/lib/jvm/java-1.8.0-openjdk %endif ################################################################################ 
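Review bot: Patch2 is renamed to `0001-Fix-renewal-profile-approval-process.patch`, dropping the CVE identifier that the old filename carried, so nothing in the spec body now ties this patch to CVE-2021-20179 / Bug 1914396 even though the changelog entry for 10.10.5-2 cites it. Keeping the identifier in the filename, or adding `# CVE-2021-20179 (Bug 1914396): renewal requests were auto-approved without agent authorization` directly above the `Patch2:` line, keeps the security fix traceable when the patch is dropped on a later rebase. The i686 ExcludeArch block right below shows the comment style that works well here.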
@@ -111,6 +119,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch %global with_base 1 # package_option server %global with_server 1 +# package_option acme +%global with_acme 1 # package_option ca %global with_ca 1 # package_option kra @@ -130,6 +140,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch %define debug_package %{nil} %endif +%bcond_without sdnotify + # ignore unpackaged files from native 'tpsclient' # REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app %define _unpackaged_files_terminate_build 0 @@ -181,7 +193,7 @@ BuildRequires: ldapjdk >= 4.22.0 BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io -BuildRequires: apache-commons-lang +BuildRequires: apache-commons-lang3 >= 3.2 BuildRequires: apache-commons-net BuildRequires: jakarta-commons-httpclient BuildRequires: glassfish-jaxb-api @@ -201,7 +213,7 @@ BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 -%if 0%{?rhel} +%if 0%{?rhel} && ! 0%{?eln} BuildRequires: resteasy >= 3.0.26 %else BuildRequires: jboss-annotations-1.2-api @@ -225,19 +237,22 @@ BuildRequires: python3-nss BuildRequires: python3-requests >= 2.6.0 BuildRequires: python3-six -%if 0%{?rhel} -# no python3-pytest-runner -%else +%if 0%{?fedora} || 0%{?rhel} > 8 BuildRequires: python3-pytest-runner %endif BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.7.0 -BuildRequires: tomcatjss >= 7.5.0 +BuildRequires: jss >= 4.8.1 +BuildRequires: tomcatjss >= 7.6.1 + +# JNA is used to bind to libsystemd +%if %{with sdnotify} +BuildRequires: jna +%endif BuildRequires: systemd-units -%if 0%{?rhel} +%if 0%{?rhel} && ! 0%{?eln} BuildRequires: pki-servlet-engine %else BuildRequires: tomcat >= 1:9.0.7 
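Review bot: The BuildRequires guard for resteasy becomes `%if 0%{?rhel} && ! 0%{?eln}`, but the runtime Requires guard for the same library in pki-base-java (later in this spec) becomes `%if 0%{?rhel} && 0%{?rhel} <= 8`; on a RHEL > 8 non-ELN build the package would be built against the monolithic `resteasy` while requiring the split `resteasy-*` packages at runtime. If the two predicates are meant to be equivalent, use the same one in both places, e.g. `%if 0%{?rhel} && 0%{?rhel} <= 8`, or add a comment explaining why build and runtime differ. The pki-servlet-engine dependency uses the `! 0%{?eln}` form consistently in both BuildRequires and Requires, so only resteasy is inconsistent.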
@@ -255,7 +270,7 @@ BuildRequires: zlib BuildRequires: zlib-devel # build dependency to build man pages -%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} +%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8 BuildRequires: go-md2man %else BuildRequires: golang-github-cpuguy83-md2man @@ -281,6 +296,7 @@ to manage enterprise Public Key Infrastructure deployments. PKI consists of the following components: + * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager @@ -305,6 +321,7 @@ Requires: %{vendor_id}-pki-console-theme = %{version} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages +Requires: pki-acme = %{version} Requires: pki-ca = %{version} Requires: pki-kra = %{version} Requires: pki-ocsp = %{version} @@ -317,8 +334,10 @@ Requires: pki-console = %{version} Requires: pki-javadoc = %{version} # Make certain that this 'meta' package requires the latest version(s) -# of ALL PKI clients +# of ALL PKI clients -- except for s390/s390x where 'esc' is not built +%ifnarch s390 s390x Requires: esc >= 1.1.1 +%endif # description for top-level package (unless there is a separate meta package) %if "%{name}" == "%{vendor_id}-pki" @@ -332,6 +351,7 @@ to manage enterprise Public Key Infrastructure deployments. PKI consists of the following components: + * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager @@ -350,7 +370,7 @@ Summary: PKI Symmetric Key Package Requires: %java_headless >= %{min_java_version} Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 4.7.0 +Requires: jss >= 4.8.0 Requires: nss >= 3.38.0 # Ensure we end up with a useful installation 
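Review bot: pki-symkey's runtime floor is raised only to `Requires: jss >= 4.8.0`, while this same spec builds against `BuildRequires: jss >= 4.8.1` and pki-base-java (unchanged context further down) still requires only `jss >= 4.7.0`. JSS is the JNI bridge to NSS on which every signing and TLS operation here depends, so running against a JSS older than the build-time one fails at class-load time (NoSuchMethodError) rather than at install; aligning both runtime floors to `Requires: jss >= 4.8.1` avoids that, unless 10.10.5 is known not to use anything added between 4.8.0 and 4.8.1. The analogous tomcatjss floor was bumped to 7.6.1 consistently in both BuildRequires and Requires, which suggests the jss one was simply missed.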
@@ -394,13 +414,14 @@ BuildArch: noarch Obsoletes: pki-base-python3 < %{version} Provides: pki-base-python3 = %{version} -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} %endif Requires: pki-base = %{version}-%{release} Requires: python3 >= 3.5 Requires: python3-cryptography +Requires: python3-ldap Requires: python3-lxml Requires: python3-nss Requires: python3-requests >= 2.6.0 @@ -420,7 +441,7 @@ Requires: %java_headless >= %{min_java_version} Requires: apache-commons-cli Requires: apache-commons-codec Requires: apache-commons-io -Requires: apache-commons-lang +Requires: apache-commons-lang3 >= 3.2 Requires: apache-commons-logging Requires: apache-commons-net Requires: jakarta-commons-httpclient @@ -432,7 +453,7 @@ Requires: jss >= 4.7.0 Requires: ldapjdk >= 4.22.0 Requires: pki-base = %{version}-%{release} -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 8 Requires: resteasy >= 3.0.26 %else Requires: resteasy-atom-provider >= 3.0.17-1 @@ -442,7 +463,7 @@ Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson2-provider >= 3.0.17-1 %endif -%if 0%{?fedora} && 0%{?fedora} >= 33 +%if 0%{?fedora} >= 33 || 0%{?rhel} > 8 Requires: jaxb-impl >= 2.3.3 Requires: jakarta-activation >= 1.2.2 %endif @@ -487,7 +508,6 @@ Summary: PKI Server Package BuildArch: noarch Requires: hostname -Requires: net-tools Requires: policycoreutils Requires: procps-ng @@ -500,15 +520,14 @@ Requires: keyutils Requires: policycoreutils-python-utils -Requires: python3-ldap Requires: python3-lxml Requires: python3-libselinux Requires: python3-policycoreutils Requires: selinux-policy-targeted >= 3.13.1-159 -%if 0%{?rhel} -Requires: pki-servlet-engine >= 1:9.0.7 +%if 0%{?rhel} && ! 0%{?eln} +Requires: pki-servlet-engine %else Requires: tomcat >= 1:9.0.7 %endif 
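Review bot: The RHEL branch loses its version floor, going from `Requires: pki-servlet-engine >= 1:9.0.7` to an unversioned `Requires: pki-servlet-engine`, while the tomcat branch keeps `>= 1:9.0.7`; an older servlet engine would then satisfy the dependency at install time and fail only when the server starts. If the floor was dropped because pki-servlet-engine's versioning no longer tracks Tomcat's, a one-line comment above the `%if` saying so would stop it being re-added later; otherwise keep the floor. Moving `python3-ldap` from pki-server to python3-pki looks right, as the Python package itself presumably imports it, but that cannot be confirmed from this hunk.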
@@ -520,7 +539,12 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss >= 7.5.0 +Requires: tomcatjss >= 7.6.1 + +# JNA is used to bind to libsystemd +%if %{with sdnotify} +Requires: jna +%endif # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -544,18 +568,29 @@ Provides: bundled(js-patternfly) = 3.59.2 Provides: bundled(js-underscore) = 1.9.2 %description -n pki-server -The PKI Server Package contains libraries and utilities needed by the -following PKI subsystems: - - the Certificate Authority (CA), - the Key Recovery Authority (KRA), - the Online Certificate Status Protocol (OCSP) Manager, - the Token Key Service (TKS), and - the Token Processing Service (TPS). +The PKI Server Package contains libraries and utilities needed by other +PKI subsystems. # with server %endif +%if %{with acme} +################################################################################ +%package -n pki-acme +################################################################################ + +Summary: PKI ACME Package +BuildArch: noarch + +Requires: pki-server = %{version}-%{release} + +%description -n pki-acme +The PKI ACME responder is a service that provides an automatic certificate +management via ACME v2 protocol defined in RFC 8555. + +# with acme +%endif + %if %{with ca} ################################################################################ %package -n pki-ca 
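Review bot: The new pki-acme description reads `provides an automatic certificate management via ACME v2 protocol defined in RFC 8555`, which is ungrammatical; suggest `The PKI ACME responder provides automatic certificate management via the ACME v2 protocol (RFC 8555).` The pki-server description has also been reduced to `needed by other PKI subsystems`, dropping the explicit list; since that list now gains ACME, keeping an updated enumeration (ACME, CA, KRA, OCSP, TKS, TPS) would tell a reader what "other" covers. The `%if %{with sdnotify}` / `Requires: jna` pairing matches the BuildRequires block, which is good.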
@@ -836,16 +871,10 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se # otherwise get version number java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'` -# get Tomcat . version number -tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'` +# assume tomcat app_server +app_server=tomcat-8.5 -if [ $tomcat_version == "9.0" ]; then - app_server=tomcat-8.5 -else - app_server=tomcat-$tomcat_version -fi - -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 8 %{__mkdir_p} build cd build %endif @@ -855,9 +884,9 @@ cd build -DVERSION=%{version}-%{release} \ -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ - -DJAVA_VERSION=%{java_version} \ + -DJAVA_VERSION=${java_version} \ -DJAVA_HOME=%java_home \ - -DPKI_JAVA_PATH=%java \ + -DPKI_JAVA_PATH=%java_home/bin/java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -DAPP_SERVER=$app_server \ 
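Review bot: `app_server=tomcat-8.5` is now hardcoded in place of the `/usr/sbin/tomcat version` probe; given the `tomcat >= 1:9.0.7` BuildRequires the old code resolved to the same value, so this is equivalent today, but it will silently pass a stale layout once a Tomcat 10 package appears, and nothing in the hunk records why. Suggest a comment such as `# Tomcat 9 still uses the tomcat-8.5 webapp layout; revisit when tomcat >= 10 is packaged` above the assignment. Replacing `%{java_version}` with `${java_version}` is a genuine fix, since the former is an rpm macro rather than the shell variable computed just above and is not defined anywhere visible; the pipeline that computes `java_version` starts before this hunk.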
@@ -866,20 +895,27 @@ cd build -DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \ -DBUILD_PKI_CORE:BOOL=ON \ -DPYTHON_EXECUTABLE=%{python_executable} \ - -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -%if ! %{with server} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps} +%if ! %{with server} && ! %{with acme} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps} -DWITH_SERVER:BOOL=OFF \ %endif + -DWITH_CA:BOOL=%{?with_ca:ON}%{!?with_ca:OFF} \ + -DWITH_KRA:BOOL=%{?with_kra:ON}%{!?with_kra:OFF} \ + -DWITH_OCSP:BOOL=%{?with_ocsp:ON}%{!?with_ocsp:OFF} \ + -DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \ + -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \ + -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \ + -DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \ -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ + -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ -DTHEME=%{?with_theme:%{vendor_id}} \ -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 8 .. %else -B %{_vpath_builddir} %endif -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} > 8 cd %{_vpath_builddir} %endif @@ -896,7 +932,7 @@ cd %{_vpath_builddir} %install ################################################################################ -%if 0%{?rhel} +%if 0%{?rhel} && 0%{?rhel} <= 8 cd build %else cd %{_vpath_builddir} @@ -1081,8 +1117,8 @@ fi %files -n pki-tools ################################################################################ -%license base/native-tools/LICENSE -%doc base/native-tools/doc/README +%license base/tools/LICENSE +%doc base/tools/doc/README %{_bindir}/p7tool %{_bindir}/pistool %{_bindir}/pki @@ -1090,7 +1126,6 @@ fi %{_bindir}/setpin %{_bindir}/sslget %{_bindir}/tkstool -%{_datadir}/pki/native-tools/ %{_bindir}/AtoB %{_bindir}/AuditVerify %{_bindir}/BtoA 
@@ -1115,7 +1150,7 @@ fi %{_bindir}/PrettyPrintCrl %{_bindir}/TokenInfo %{_javadir}/pki/pki-tools.jar -%{_datadir}/pki/java-tools/ +%{_datadir}/pki/tools/ %{_datadir}/pki/lib/p11-kit-trust.so %{_mandir}/man1/AtoB.1.gz %{_mandir}/man1/AuditVerify.1.gz @@ -1165,9 +1200,8 @@ fi %{_sbindir}/pkidestroy %{_sbindir}/pki-server %{_sbindir}/pki-server-upgrade -%{python3_sitelib}/pki/server/ %{_sbindir}/pki-healthcheck -%{python3_sitelib}/pki/server/healthcheck/ +%{python3_sitelib}/pki/server/ %{python3_sitelib}/pkihealthcheck-*.egg-info/ %config(noreplace) %{_sysconfdir}/pki/healthcheck.conf @@ -1189,6 +1223,7 @@ fi %dir %{_sharedstatedir}/pki %{_mandir}/man1/pkidaemon.1.gz %{_mandir}/man5/pki_default.cfg.5.gz +%{_mandir}/man5/pki_healthcheck.conf.5.gz %{_mandir}/man5/pki-server-logging.5.gz %{_mandir}/man8/pki-server-upgrade.8.gz %{_mandir}/man8/pkidestroy.8.gz @@ -1208,12 +1243,25 @@ fi %{_mandir}/man8/pki-healthcheck.8.gz %{_datadir}/pki/setup/ %{_datadir}/pki/server/ -%{_datadir}/pki/acme/ -%{_javadir}/pki/pki-acme.jar + +%if %{with sdnotify} +%{_javadir}/pki/pki-systemd.jar +%endif # with server %endif +%if %{with acme} +################################################################################ +%files -n pki-acme +################################################################################ + +%{_javadir}/pki/pki-acme.jar +%{_datadir}/pki/acme/ + +# with acme +%endif + %if %{with ca} ################################################################################ %files -n pki-ca @@ -1221,12 +1269,7 @@ fi %license base/ca/LICENSE %{_javadir}/pki/pki-ca.jar -%dir %{_datadir}/pki/ca -%{_datadir}/pki/ca/conf/ -%{_datadir}/pki/ca/emails/ -%{_datadir}/pki/ca/profiles/ -%{_datadir}/pki/ca/setup/ -%{_datadir}/pki/ca/webapps/ +%{_datadir}/pki/ca/ # with ca %endif 
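Review bot: `%files -n pki-acme` lists only the jar and `%{_datadir}/pki/acme/` with no `%license` entry, whereas every other subsystem package in this spec ships `%license base/<subsystem>/LICENSE`; if the upstream tarball carries `base/acme/LICENSE` (not visible here), add `%license base/acme/LICENSE` for consistency, or note why ACME is covered by pki-server's license file. The pki-server file list now owns `%{python3_sitelib}/pki/server/` as a whole, which subsumes the previously separate `/healthcheck/` entry, so that removal is correct.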
@@ -1238,10 +1281,7 @@ fi
%license base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
-%dir %{_datadir}/pki/kra
-%{_datadir}/pki/kra/conf/
-%{_datadir}/pki/kra/setup/
-%{_datadir}/pki/kra/webapps/
+%{_datadir}/pki/kra/
# with kra
%endif
@@ -1253,10 +1293,7 @@ fi
%license base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
-%dir %{_datadir}/pki/ocsp
-%{_datadir}/pki/ocsp/conf/
-%{_datadir}/pki/ocsp/setup/
-%{_datadir}/pki/ocsp/webapps/
+%{_datadir}/pki/ocsp/
# with ocsp
%endif
@@ -1268,10 +1305,7 @@ fi
%license base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
-%dir %{_datadir}/pki/tks
-%{_datadir}/pki/tks/conf/
-%{_datadir}/pki/tks/setup/
-%{_datadir}/pki/tks/webapps/
+%{_datadir}/pki/tks/
# with tks
%endif
@@ -1283,11 +1317,7 @@ fi
%license base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
-%dir %{_datadir}/pki/tps
-%{_datadir}/pki/tps/applets/
-%{_datadir}/pki/tps/conf/
-%{_datadir}/pki/tps/setup/
-%{_datadir}/pki/tps/webapps/
+%{_datadir}/pki/tps/
%{_mandir}/man5/pki-tps-connector.5.gz
%{_mandir}/man5/pki-tps-profile.5.gz
%{_mandir}/man1/tpsclient.1.gz
@@ -1365,199 +1395,239 @@ fi ################################################################################ %changelog -* Thu Mar 11 2021 Red Hat PKI Team 10.9.4-3 -- Bug # 1933146 - PKI instance creation failed with new 389-ds-base build - -* Thu Feb 11 2021 Red Hat PKI Team 10.9.4-2 -- CVE-2021-20179: Fix unprivileged users can renew any certificate +* Tue Mar 23 2021 Red Hat PKI Team 10.10.5-2 +- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate + +* Tue Feb 23 2021 Red Hat PKI Team 10.10.5-1 +- Rebase to PKI 10.10.5 +- Bug 1929067 - PKI instance creation failed with new 389-ds-base build + +* Mon Feb 08 2021 Red Hat PKI Team 10.10.4-1 +- Rebase to PKI 10.10.4 +- Bug 1664435 - Error instantiating class for challenge_password with SCEP request +- Bug 1912418 - OCSP and TKS cloning failed due to duplicate replica ID +- Bug 1916686 - Memory leak during ACME performance test +- Bug 1919282 - ACME cert enrollment failed with HTTP 500 + +* Thu Jan 14 2021 Red Hat PKI Team 10.10.3-1 +- Rebase to PKI 10.10.3 +- Bug 1584550 - CRMFPopClient: unexpected behavior with -y option when values are specified +- Bug 1590942 - CMCResponse treats -d as optional +- Bug 1890639 - Two-step installation with external certificates fails on HSM configured system +- Bug 1912493 - pkispawn reports incorrect FIPS mode + +* Tue Dec 08 2020 Red Hat PKI Team 10.10.2-1 +- Rebase to PKI 10.10.2 +- Bug 1392616 - KRA key recovery cli kra-key-retrieve generates an invalid p12 file +- Bug 1897120 - pki-server cert-fix command failing +- Bug 1694664 - ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503) + +* Tue Nov 17 2020 Red Hat PKI Team 10.10.1-1 +- Rebase to PKI 10.10.1 +- Bug 1843416 - kra-audit-mod fail with Invalid event configuration +- Bug 1889691 - ACME failed when run with more than 1 thread/connection +- Bug 1891577 - Sub-ordinate installation is failing with NullPointerException + +* Wed Oct 28 2020 
Red Hat PKI Team 10.10.0-1 +- Rebase to PKI 10.10.0 +- Add workaround for missing capture_output in Python 3.6 +- Fix JSS initialization in pki-server -user-cert-add +- Fix NPE in UGSubsystem.findUsersByKeyword() +- Bug 1787115 - Need Method to copy SKI from CSR to Certificate signed +- Bug 1875563 - Add KRA Transport and Storage Certificates profiles, audit for IPA +- Bug 1883996 - Inconsistent folders in pki-tools + +* Tue Oct 20 2020 Red Hat PKI Team 10.10.0-0.2.beta1 +- Rebase to PKI 10.10.0-beta1 +- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples * Fri Sep 11 2020 Red Hat PKI Team 10.9.4-1 -- Rebased to PKI 10.9.4 -- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add +- Rebase to PKI 10.9.4 +- Bug 1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add * Thu Sep 03 2020 Red Hat PKI Team 10.9.3-1 -- Rebased to PKI 10.9.3 -- Bug #1869893 - Common certificates are missing in CS.cfg on shared PKI instance +- Rebase to PKI 10.9.3 +- Bug 1869893 - Common certificates are missing in CS.cfg on shared PKI instance * Tue Aug 18 2020 Red Hat PKI Team 10.9.2-2 -- Bug #1871064 - Replica install failing during pki-ca component configuration +- Bug 1871064 - Replica install failing during pki-ca component configuration * Tue Aug 18 2020 Red Hat PKI Team 10.9.2-1 -- Rebased to PKI 10.9.2 +- Rebase to PKI 10.9.2 * Wed Aug 12 2020 Red Hat PKI Team 10.9.1-2 -- Bug #1857933 - CA Installation is failing with ncipher v12.30 HSM -- Bug #1868233 - Disabling AIA and cert policy extensions in ACME examples +- Bug 1857933 - CA Installation is failing with ncipher v12.30 HSM +- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples * Thu Aug 06 2020 Red Hat PKI Team 10.9.1-1 -- Rebased to PKI 10.9.1 -- Bug #1426572 - Fix Secure connection issue when server is down +- Rebase to PKI 10.9.1 +- Bug 1426572 - Fix Secure connection issue when server is down * Fri Jul 31 2020 Red Hat PKI 
Team 10.9.0-1 -- Rebased to PKI 10.9.0 +- Rebase to PKI 10.9.0 -* Fri Jul 14 2020 Red Hat PKI Team 10.9.0-0.7 -- Fixed pki kra-key-generate failure -- Fixed error handling in PKIRealm +* Tue Jul 14 2020 Red Hat PKI Team 10.9.0-0.7 +- Fix pki kra-key-generate failure +- Fix error handling in PKIRealm * Fri Jul 10 2020 Red Hat PKI Team 10.9.0-0.6 -- Rebased to PKI 10.9.0-b4 +- Rebase to PKI 10.9.0-b4 * Thu Jun 25 2020 Red Hat PKI Team 10.9.0-0.4 -- Rebased to PKI 10.9.0-b2 +- Rebase to PKI 10.9.0-b2 * Mon Jun 22 2020 Red Hat PKI Team 10.9.0-0.3 -- Rebased to PKI 10.9.0-b1 +- Rebase to PKI 10.9.0-b1 * Tue May 26 2020 Red Hat PKI Team 10.9.0-0.1 -- Rebased to PKI 10.9.0-a1 +- Rebase to PKI 10.9.0-a1 * Tue Mar 03 2020 Red Hat PKI Team 10.8.3-1 -- Rebased to PKI 10.8.3 -- Bug #1809210 - TPS installation failure on HSM machine -- Bug #1807421 - Subordinate CA installation failed -- Bug #1806840 - KRA cloning with HSM failed +- Rebase to PKI 10.8.3 +- Bug 1809210 - TPS installation failure on HSM machine +- Bug 1807421 - Subordinate CA installation failed +- Bug 1806840 - KRA cloning with HSM failed * Wed Feb 19 2020 Red Hat PKI Team 10.8.2-2 -- Bug #1795215 - pkispawn interactive installation failed +- Bug 1795215 - pkispawn interactive installation failed * Mon Feb 17 2020 Red Hat PKI Team 10.8.2-1 -- Rebased to PKI 10.8.2 -- Bug #1802006 - KRA installation failed to create ECC admin cert +- Rebase to PKI 10.8.2 +- Bug 1802006 - KRA installation failed to create ECC admin cert * Mon Feb 10 2020 Red Hat PKI Team 10.8.1-1 -- Rebased to PKI 10.8.1 +- Rebase to PKI 10.8.1 * Fri Feb 07 2020 Red Hat PKI Team 10.8.0-1 -- Rebased to PKI 10.8.0 +- Rebase to PKI 10.8.0 * Thu Jan 16 2020 Red Hat PKI Team 10.8.0-0.5 -- Rebased to PKI 10.8.0-b3 +- Rebase to PKI 10.8.0-b3 * Fri Dec 13 2019 Red Hat PKI Team 10.8.0-0.4 -- Rebased to PKI 10.8.0-b2 +- Rebase to PKI 10.8.0-b2 * Wed Dec 11 2019 Red Hat PKI Team 10.8.0-0.3 -- Rebased to PKI 10.8.0-b1 +- Rebase to PKI 10.8.0-b1 * Fri Nov 22 
2019 Red Hat PKI Team 10.8.0-0.2 -- Rebased to PKI 10.8.0-a2 +- Rebase to PKI 10.8.0-a2 * Thu Oct 31 2019 Red Hat PKI Team 10.8.0-0.1 -- Rebased to PKI 10.8.0-a1 +- Rebase to PKI 10.8.0-a1 * Wed Aug 14 2019 Red Hat PKI Team 10.7.3-1 -- Rebased to PKI 10.7.3 -- Bug #1698084 - pkidestroy not working as expected -- Bug #1468050 and Bug #1448235 - Support AES for LWCA key replication +- Rebase to PKI 10.7.3 +- Bug 1698084 - pkidestroy not working as expected +- Bug 1468050 and Bug #1448235 - Support AES for LWCA key replication * Tue Jul 23 2019 Red Hat PKI Team 10.7.2-1 -- Rebased to PKI 10.7.2 -- Bug #1721340 - TPS installation failure -- Bug #1248216 - Incorrect pkidaemon status -- Bug #1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid -- Bug #1698059 - pki-core implements crypto +- Rebase to PKI 10.7.2 +- Bug 1721340 - TPS installation failure +- Bug 1248216 - Incorrect pkidaemon status +- Bug 1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid +- Bug 1698059 - pki-core implements crypto * Thu Jun 13 2019 Red Hat PKI Team 10.7.1-2 -- Fixed cloning issue -- Fixed TPS installation issue +- Fix cloning issue +- Fix TPS installation issue * Wed Jun 12 2019 Red Hat PKI Team 10.7.1-1 -- Rebased to PKI 10.7.1 +- Rebase to PKI 10.7.1 * Wed Apr 24 2019 Red Hat PKI Team 10.7.0-1 -- Rebased to PKI 10.7.0 +- Rebase to PKI 10.7.0 * Mon Jan 28 2019 Red Hat PKI Team 10.6.9-2 -- Bug #1652269 - Replace Nuxwdog +- Bug 1652269 - Replace Nuxwdog * Mon Jan 14 2019 Red Hat PKI Team 10.6.9-1 -- Rebased to PKI 10.6.9 -- Bug #1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding -- Bug #1652269 - Replace Nuxwdog -- Bug #1656856 - Need Method to Include SKI in CA Signing Certificate Request +- Rebase to PKI 10.6.9 +- Bug 1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding +- Bug 1652269 - Replace Nuxwdog +- Bug 1656856 - Need Method to Include SKI in CA Signing Certificate Request * Thu Nov 29 2018 
Red Hat PKI Team 10.6.8-1 -- Rebased to PKI 10.6.8 -- Bug #1602659 - Fix issues found by covscan -- Bug #1566360 - Fix missing serial number from pki-server subsystem-cert-find +- Rebase to PKI 10.6.8 +- Bug 1602659 - Fix issues found by covscan +- Bug 1566360 - Fix missing serial number from pki-server subsystem-cert-find * Fri Oct 26 2018 Red Hat PKI Team 10.6.7-3 -- Bug #1643101 - Fix problems due to token normalization +- Bug 1643101 - Fix problems due to token normalization * Tue Oct 23 2018 Red Hat PKI Team 10.6.7-2 -- Bug #1623444 - Fix Python KeyClient KeyRequestResponse parsing +- Bug 1623444 - Fix Python KeyClient KeyRequestResponse parsing * Fri Oct 05 2018 Red Hat PKI Team 10.6.7-1 -- Rebased to PKI 10.6.7 +- Rebase to PKI 10.6.7 * Fri Aug 24 2018 Alexander Bokovoy 10.6.6-3 - Build on s390x * Wed Aug 22 2018 Alexander Bokovoy 10.6.6-2 - Use platform-python interpreter -- Bug #1620066 - pkispawn crashes as /usr/bin/python3 does not exist +- Bug 1620066 - pkispawn crashes as /usr/bin/python3 does not exist * Mon Aug 13 2018 Red Hat PKI Team 10.6.6-1 -- Rebased to PKI 10.6.6 +- Rebase to PKI 10.6.6 * Wed Aug 08 2018 Red Hat PKI Team 10.6.5-1 -- Rebased to PKI 10.6.5 +- Rebase to PKI 10.6.5 * Tue Aug 07 2018 Red Hat PKI Team 10.6.4-4 -- Bug #1612063 - Do not override system crypto policy (support TLS 1.3) +- Bug 1612063 - Do not override system crypto policy (support TLS 1.3) * Wed Aug 01 2018 Red Hat PKI Team 10.6.4-3 - Patch PKI to use Jackson 2 and avoid Jackson 1 dependency. Add direct dependency on slf4j-jdk14. 
* Tue Jul 31 2018 Red Hat PKI Team 10.6.4-2 -- Updated Jackson and RESTEasy dependencies +- Update Jackson and RESTEasy dependencies * Fri Jul 20 2018 Red Hat PKI Team 10.6.4-1 -- Rebased to PKI 10.6.4 +- Rebase to PKI 10.6.4 * Thu Jul 05 2018 Red Hat PKI Team 10.6.3-1 -- Rebased to PKI 10.6.3 +- Rebase to PKI 10.6.3 * Mon Jul 02 2018 Miro Hrončok 10.6.2-4 -- Rebuilt for Python 3.7 +- Rebuild for Python 3.7 * Thu Jun 28 2018 Red Hat PKI Team 10.6.2-3 -- Fixed macro expressions -- Bug #1566606 - pki-core: Switch to Python 3 -- Bug #1590467 - pki-core: Drop pylint dependency from RHEL 8 +- Fix macro expressions +- Bug 1566606 - pki-core: Switch to Python 3 +- Bug 1590467 - pki-core: Drop pylint dependency from RHEL 8 * Tue Jun 19 2018 Miro Hrončok 10.6.2-2 -- Rebuilt for Python 3.7 +- Rebuild for Python 3.7 * Fri Jun 15 2018 Red Hat PKI Team 10.6.2-1 -- Rebased to PKI 10.6.2 +- Rebase to PKI 10.6.2 * Wed May 30 2018 Red Hat PKI Team 10.6.1-3 -- Updated JSS dependency -- Updated Tomcat dependency -- Fixed rpmlint warnings +- Update JSS dependency +- Update Tomcat dependency +- Fix rpmlint warnings * Fri May 04 2018 Red Hat PKI Team 10.6.1-2 -- Bug #1574711 - pki-tools cannot be installed on current Rawhide -- Fixed rpmlint warnings +- Bug 1574711 - pki-tools cannot be installed on current Rawhide +- Fix rpmlint warnings * Thu May 03 2018 Red Hat PKI Team 10.6.1-1 -- Rebased to PKI 10.6.1 -- Bug #1559047 - pki-core misses a dependency to pki-symkey -- Bug #1573094 - FreeIPA external CA installation fails +- Rebase to PKI 10.6.1 +- Bug 1559047 - pki-core misses a dependency to pki-symkey +- Bug 1573094 - FreeIPA external CA installation fails * Wed Apr 11 2018 Red Hat PKI Team 10.6.0-1 -- Updated project URL and package descriptions -- Cleaned up spec file -- Rebased to PKI 10.6.0 final +- Update project URL and package descriptions +- Clean up spec file +- Rebase to PKI 10.6.0 final * Thu Mar 29 2018 Red Hat PKI Team 10.6.0-0.3 - Iryna Shcherbina : Update Python 2 
dependency declarations to new packaging standards (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) -- Rebased to PKI 10.6.0 beta2 +- Rebase to PKI 10.6.0 beta2 * Thu Mar 15 2018 Red Hat PKI Team 10.6.0-0.2 -- Rebased to PKI 10.6.0 beta +- Rebase to PKI 10.6.0 beta