diff --git a/.gitignore b/.gitignore
index dc9d439..2e17446 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.4.tar.gz
+SOURCES/pki-10.10.5.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 5d8738e..a910798 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-dd0b6a1732c36077180769ba58ed11e659c0b621 SOURCES/pki-10.9.4.tar.gz
+61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
diff --git a/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
deleted file mode 100644
index 0063437..0000000
--- a/SOURCES/0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From 8b3cb80954a932867c2d4d96eb1cced83fa78996 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 13 Jan 2021 18:27:46 +1100
-Subject: [PATCH] Fix renewal profile approval process
-
-Due to a recent change in PKI CLI, the CLI now passes along user
-authentication with submissions to the renewal endpoint. Unlike the EE
-pages, the REST API has passed along this authentication for a while.
-Due to a bug in the RenewalProcessor, requests with credentials against
-profiles with no authentication method and no ACLs result in the
-certificiate automatically being approved. This occurs because, when
-an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
-the code to allow Light-Weight SubCAs to issue certificates, validation
-wasn't done on the passed principal, to see if it was a trusted agent.
-Because profiles requring Agent approval have an empty ACL list (as, no
-user should be able to submit a certificate request and have it
-automatically signed without agent approval), authorize allows any user
-to approve this request and thus accepts the AuthToken.
-
-Critical analysis: the RenewalProcessor code interprets (authToken
-!= null) as evidence that the authenticated user is /authorized/ to
-immediately issue the certificate.  This mismatch of concerns (authn
-vs authz) resulted in a misunderstanding of system behaviour.  The
-"latent" AuthToken (from the HTTP request) was assigned to authToken
-without realising that authorization needed to be performed.
-
-We fix this by splitting the logic on whether the profile defines an
-authenticator.  If so, we (re)authenticate and authorize the user
-according to the profile configuration.
-
-If the profile does not define an authenticator but there is a
-principal in the HTTP request, if (and only if) the user has
-permission to approve certificate requests *and* the requested
-renewal profile is caManualRenewal (which is hardcoded to be used
-for LWCA renewal), then we issue the certificate immediately.  This
-special case ensures that LWCA renewal keeps working.
-
-Otherwise, if there is no principal in the HTTP request or the
-principal does not have permission to approve certificate requests,
-we leave the authToken unset.  The resulting renewal request will be
-created with status PENDING, i.e. enqueued for agent review.
-
-Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- .../com/netscape/ca/CertificateAuthority.java | 10 +++
- .../cms/servlet/cert/RenewalProcessor.java    | 75 +++++++++++++++++--
- 2 files changed, 79 insertions(+), 6 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index 07f29fead..50292201b 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -2962,6 +2962,16 @@ public class CertificateAuthority
-         }
- 
-         ProfileSubsystem ps = engine.getProfileSubsystem();
-+        /* NOTE: hard-coding the profile to use for Lightweight CA renewal
-+         * might be OK, but caManualRenewal was not the right one to use.
-+         * As a consequence, we have an undesirable special case in
-+         * RenewalProcessor.processRenewal().
-+         *
-+         * We should introduce a new profile specifically for LWCA renewal,
-+         * with an authenticator and ACLs to match the authz requirements
-+         * for the renewAuthority REST resource itself.  Then we can use
-+         * it here, and remove the workaround from RenewalProcessor.
-+         */
-         Profile profile = ps.getProfile("caManualRenewal");
-         CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
-             new ArgBlock(), profile, httpReq.getLocale());
-diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-index 917c64856..75677b5e4 100644
---- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-@@ -31,6 +31,7 @@ import java.util.Map;
- import javax.servlet.http.HttpServletRequest;
- 
- import org.apache.commons.lang.StringUtils;
-+import org.dogtagpki.server.authorization.AuthzToken;
- import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
- import org.mozilla.jss.netscape.security.x509.X509CertImpl;
- 
-@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor {
- 
-             // before creating the request, authenticate the request
-             IAuthToken authToken = null;
--            Principal principal = request.getUserPrincipal();
--            if (principal instanceof PKIPrincipal)
--                authToken = ((PKIPrincipal) principal).getAuthToken();
--            if (authToken == null && authenticator != null) {
--                authToken = authenticate(request, origReq, authenticator, context, true, credentials);
-+
-+            if (authenticator != null) {
-+                /* The profile specifies an authenticator.  Use it to
-+                 * authenticate the user.  Ignore the "latent" session
-+                 * principal (if any).
-+                 */
-+                authToken = authenticate(
-+                    request,
-+                    origReq,
-+                    authenticator,
-+                    context,
-+                    true /* isRenewal */,
-+                    credentials);
-+            } else {
-+                /* When authenticator is null, we expect manual agent
-+                 * review (leave authToken as null).
-+                 *
-+                 * But as a special case to ensure Lightweight CA (LWCA)
-+                 * renewal works, if there is a latent user in the HTTP
-+                 * request, we use that user (i.e. set authToken to the
-+                 * principal's IAuthToken) if and only if:
-+                 *
-+                 * - The renewal profile is caManualRenewal (LWCA renewal
-+                 *   is hardcoded to use this profile); AND
-+                 *
-+                 * - The latent user is authorized to "execute"
-+                 *   certificate requests (i.e. agent approval)
-+                 *
-+                 * See also CertificateAuthority.renewAuthority().
-+                 */
-+
-+                Principal principal = request.getUserPrincipal();
-+                if (
-+                    renewProfileId.equals("caManualRenewal")
-+                    && principal instanceof PKIPrincipal
-+                ) {
-+                    IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken();
-+                    AuthzToken authzToken = authorize(
-+                        "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute");
-+                    if (authzToken != null) {
-+                        // Success (no exception); user is authorized to approve
-+                        // cert requests.  Set the authToken.
-+                        //
-+                        // NOTE: This authz does not replace or subsume the
-+                        // profile-specific authz check below.
-+                        authToken = latentToken;
-+                    } else {
-+                        // leave authToken as null to enqueue a pending request.
-+                    }
-+                } else {
-+                    // not caManualRenewal or no latent principal;
-+                    // leave authToken as null to enqueue a pending request.
-+                }
-             }
- 
--            // authentication success, now authorize
-+            /* Authorize the request.
-+             *
-+             * If authToken != null, it will be checked against ACLs specified
-+             * in the profile (if any).  If ACLs are defined and authToken does
-+             * not match, throws an authorization exception.
-+             *
-+             * If authToken == null, no check is performed (even if the profile
-+             * defines ACLs).  This is fine, because null authToken will cause
-+             * the request status to be 'pending' [agent approval].
-+             */
-             authorize(profileId, renewProfile, authToken);
- 
-+            /* At this point, the request will be created.  If authToken
-+             * is non-null, then the certificate will be issued
-+             * immediately.  Otherwise the request will be pending. */
-+
-+
-             ///////////////////////////////////////////////
-             // create and populate requests
-             ///////////////////////////////////////////////
--- 
-2.29.2
-
diff --git a/SOURCES/0001-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-Fix-renewal-profile-approval-process.patch
new file mode 100644
index 0000000..2aa7f35
--- /dev/null
+++ b/SOURCES/0001-Fix-renewal-profile-approval-process.patch
@@ -0,0 +1,170 @@
+From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 13 Jan 2021 18:27:46 +1100
+Subject: [PATCH] Fix renewal profile approval process
+
+Due to a recent change in PKI CLI, the CLI now passes along user
+authentication with submissions to the renewal endpoint. Unlike the EE
+pages, the REST API has passed along this authentication for a while.
+Due to a bug in the RenewalProcessor, requests with credentials against
+profiles with no authentication method and no ACLs result in the
+certificiate automatically being approved. This occurs because, when
+an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
+the code to allow Light-Weight SubCAs to issue certificates, validation
+wasn't done on the passed principal, to see if it was a trusted agent.
+Because profiles requring Agent approval have an empty ACL list (as, no
+user should be able to submit a certificate request and have it
+automatically signed without agent approval), authorize allows any user
+to approve this request and thus accepts the AuthToken.
+
+Critical analysis: the RenewalProcessor code interprets (authToken
+!= null) as evidence that the authenticated user is /authorized/ to
+immediately issue the certificate.  This mismatch of concerns (authn
+vs authz) resulted in a misunderstanding of system behaviour.  The
+"latent" AuthToken (from the HTTP request) was assigned to authToken
+without realising that authorization needed to be performed.
+
+We fix this by splitting the logic on whether the profile defines an
+authenticator.  If so, we (re)authenticate and authorize the user
+according to the profile configuration.
+
+If the profile does not define an authenticator but there is a
+principal in the HTTP request, if (and only if) the user has
+permission to approve certificate requests *and* the requested
+renewal profile is caManualRenewal (which is hardcoded to be used
+for LWCA renewal), then we issue the certificate immediately.  This
+special case ensures that LWCA renewal keeps working.
+
+Otherwise, if there is no principal in the HTTP request or the
+principal does not have permission to approve certificate requests,
+we leave the authToken unset.  The resulting renewal request will be
+created with status PENDING, i.e. enqueued for agent review.
+
+Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ .../com/netscape/ca/CertificateAuthority.java | 10 +++
+ .../cms/servlet/cert/RenewalProcessor.java    | 75 +++++++++++++++++--
+ 2 files changed, 79 insertions(+), 6 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index 560507168a..431ce9ff78 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -1929,6 +1929,16 @@ public class CertificateAuthority
+         }
+ 
+         ProfileSubsystem ps = engine.getProfileSubsystem();
++        /* NOTE: hard-coding the profile to use for Lightweight CA renewal
++         * might be OK, but caManualRenewal was not the right one to use.
++         * As a consequence, we have an undesirable special case in
++         * RenewalProcessor.processRenewal().
++         *
++         * We should introduce a new profile specifically for LWCA renewal,
++         * with an authenticator and ACLs to match the authz requirements
++         * for the renewAuthority REST resource itself.  Then we can use
++         * it here, and remove the workaround from RenewalProcessor.
++         */
+         Profile profile = ps.getProfile("caManualRenewal");
+         CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
+             new ArgBlock(), profile, httpReq.getLocale());
+diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+index 4293cdd064..fd20f48267 100644
+--- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
++++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
+ 
+ import org.apache.commons.lang3.StringUtils;
+ import org.dogtagpki.server.ca.CAEngine;
++import org.dogtagpki.server.authorization.AuthzToken;
+ import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
+ import org.mozilla.jss.netscape.security.x509.X509CertImpl;
+ 
+@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor {
+ 
+             // before creating the request, authenticate the request
+             IAuthToken authToken = null;
+-            Principal principal = request.getUserPrincipal();
+-            if (principal instanceof PKIPrincipal)
+-                authToken = ((PKIPrincipal) principal).getAuthToken();
+-            if (authToken == null && authenticator != null) {
+-                authToken = authenticate(request, origReq, authenticator, context, true, credentials);
++
++            if (authenticator != null) {
++                /* The profile specifies an authenticator.  Use it to
++                 * authenticate the user.  Ignore the "latent" session
++                 * principal (if any).
++                 */
++                authToken = authenticate(
++                    request,
++                    origReq,
++                    authenticator,
++                    context,
++                    true /* isRenewal */,
++                    credentials);
++            } else {
++                /* When authenticator is null, we expect manual agent
++                 * review (leave authToken as null).
++                 *
++                 * But as a special case to ensure Lightweight CA (LWCA)
++                 * renewal works, if there is a latent user in the HTTP
++                 * request, we use that user (i.e. set authToken to the
++                 * principal's IAuthToken) if and only if:
++                 *
++                 * - The renewal profile is caManualRenewal (LWCA renewal
++                 *   is hardcoded to use this profile); AND
++                 *
++                 * - The latent user is authorized to "execute"
++                 *   certificate requests (i.e. agent approval)
++                 *
++                 * See also CertificateAuthority.renewAuthority().
++                 */
++
++                Principal principal = request.getUserPrincipal();
++                if (
++                    renewProfileId.equals("caManualRenewal")
++                    && principal instanceof PKIPrincipal
++                ) {
++                    IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken();
++                    AuthzToken authzToken = authorize(
++                        "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute");
++                    if (authzToken != null) {
++                        // Success (no exception); user is authorized to approve
++                        // cert requests.  Set the authToken.
++                        //
++                        // NOTE: This authz does not replace or subsume the
++                        // profile-specific authz check below.
++                        authToken = latentToken;
++                    } else {
++                        // leave authToken as null to enqueue a pending request.
++                    }
++                } else {
++                    // not caManualRenewal or no latent principal;
++                    // leave authToken as null to enqueue a pending request.
++                }
+             }
+ 
+-            // authentication success, now authorize
++            /* Authorize the request.
++             *
++             * If authToken != null, it will be checked against ACLs specified
++             * in the profile (if any).  If ACLs are defined and authToken does
++             * not match, throws an authorization exception.
++             *
++             * If authToken == null, no check is performed (even if the profile
++             * defines ACLs).  This is fine, because null authToken will cause
++             * the request status to be 'pending' [agent approval].
++             */
+             authorize(profileId, renewProfile, authToken);
+ 
++            /* At this point, the request will be created.  If authToken
++             * is non-null, then the certificate will be issued
++             * immediately.  Otherwise the request will be pending. */
++
++
+             ///////////////////////////////////////////////
+             // create and populate requests
+             ///////////////////////////////////////////////
+-- 
+2.26.2
+
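Review bot: In the added RenewalProcessor hunk, the result of `((PKIPrincipal) principal).getAuthToken()` is passed straight to `authorize("DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute")` with no null check, and the inline comment "Success (no exception)" implies a denied check may throw rather than return null. If `authorize` does throw (its body is not visible here), a logged-in non-agent submitting against caManualRenewal would get an error instead of the PENDING request the commit message promises, and the `else` branch that "leaves authToken as null" would be dead code. Worth confirming which it is, then either guarding with `if (latentToken != null)` and catching the authorization exception so `authToken` stays null, or rewording the comment to state the intended outcome. processRenewal starts and ends outside the hunk.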
diff --git a/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch b/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
deleted file mode 100644
index 0c1dbcf..0000000
--- a/SOURCES/0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From d17df6f22376753b5cd156f1b7f51837cae1f522 Mon Sep 17 00:00:00 2001
-From: jmagne <jmagne@redhat.com>
-Date: Mon, 22 Feb 2021 13:44:20 -0800
-Subject: [PATCH] pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465)
-
-Add suggested patch from stanislavlevin to solve this issue.
-Also add f34 to the ipa tests,this time really add the tests.
-Upon further review, back out of f34 tests until the infractructure
-supports it.
-
-Also hardcode tomcat app setting in spec file for the moment to
-avoid possible glitches on certain platform.
-
-Co-authored-by: Jack Magne <jmagne@localhost.localdomain>
----
- .../com/netscape/cmscore/apps/CMSEngine.java   | 18 +++++++-----------
- 1 file changed, 7 insertions(+), 11 deletions(-)
-
-diff --git a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
-index 295c4d4cc..f40f99136 100644
---- a/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
-+++ b/base/server/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -156,9 +156,8 @@ public class CMSEngine {
- 
-     private static final int PW_OK =0;
-     //private static final int PW_BAD_SETUP = 1;
--    private static final int PW_INVALID_PASSWORD = 2;
-+    private static final int PW_INVALID_CREDENTIALS = 2;
-     private static final int PW_CANNOT_CONNECT = 3;
--    private static final int PW_NO_USER = 4;
-     private static final int PW_MAX_ATTEMPTS = 3;
- 
- 
-@@ -332,16 +331,16 @@ public class CMSEngine {
-             }
- 
-             int iteration = 0;
--            int result = PW_INVALID_PASSWORD;
-+            int result = PW_INVALID_CREDENTIALS;
- 
-             do {
-                 String passwd = mPasswordStore.getPassword(tag, iteration);
-                 result = testLDAPConnection(tag, connInfo, binddn, passwd);
-                 iteration++;
--            } while ((result == PW_INVALID_PASSWORD) && (iteration < PW_MAX_ATTEMPTS));
-+            } while ((result == PW_INVALID_CREDENTIALS) && (iteration < PW_MAX_ATTEMPTS));
- 
-             if (result != PW_OK) {
--                if ((result == PW_NO_USER) && (tag.equals("replicationdb"))) {
-+                if ((result == PW_INVALID_CREDENTIALS) && (tag.equals("replicationdb"))) {
-                     logger.warn(
-                         "CMSEngine: password test execution failed for replicationdb " +
-                         "with NO_SUCH_USER. This may not be a latest instance. Ignoring ..");
-@@ -364,7 +363,7 @@ public class CMSEngine {
-         int ret = PW_OK;
- 
-         if (StringUtils.isEmpty(pwd)) {
--            return PW_INVALID_PASSWORD;
-+            return PW_INVALID_CREDENTIALS;
-         }
- 
-         String host = info.getHost();
-@@ -383,12 +382,9 @@ public class CMSEngine {
- 
-             switch (e.getLDAPResultCode()) {
-             case LDAPException.NO_SUCH_OBJECT:
--                logger.debug("CMSEngine: user does not exist: " + binddn);
--                ret = PW_NO_USER;
--                break;
-             case LDAPException.INVALID_CREDENTIALS:
--                logger.debug("CMSEngine: invalid password");
--                ret = PW_INVALID_PASSWORD;
-+                logger.debug("CMSEngine: invalid credentials");
-+                ret = PW_INVALID_CREDENTIALS;
-                 break;
-             default:
-                 logger.debug("CMSEngine: unable to connect to " + name + ": " + e.getMessage());
--- 
-2.29.2
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 95554a9..05309bb 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -6,15 +6,15 @@ Name:             pki-core
 %global           brand Red Hat
 
 Summary:          %{brand} PKI Core Package
-URL:              http://www.dogtagpki.org/
+URL:              https://www.dogtagpki.org
 # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
 License:          GPLv2 and LGPLv2
 
-# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
-# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
-Version:          10.9.4
-Release:          3%{?_timestamp}%{?_commit_id}%{?dist}
-#global           _phase -a1
+# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
+# For official (i.e. supported) releases, use x.y.z-r where r >=1.
+Version:          10.10.5
+Release:          2%{?_timestamp}%{?_commit_id}%{?dist}
+#global           _phase -beta1
 
 # To create a tarball from a version tag:
 # $ git archive \
@@ -36,8 +36,15 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 # BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
 #   [Errno 111] Connection refused -- Some packages may not be found!
 Patch1: 0001-Removed-dependency-on-pytest-runner.patch
-Patch2: 0001-CVE-2021-20179-Fix-renewal-profile-approval-process.patch
-Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
+Patch2: 0001-Fix-renewal-profile-approval-process.patch
+
+# md2man isn't available on i686. Additionally, we aren't generally multi-lib
+# compatible (https://fedoraproject.org/wiki/Packaging:Java)
+# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
+# safest.
+%if ! 0%{?rhel} || 0%{?rhel} > 8
+ExcludeArch: i686
+%endif
 
 ################################################################################
 # NSS
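Review bot: Renaming Patch2 to `0001-Fix-renewal-profile-approval-process.patch` removes the only reference to CVE-2021-20179 visible in this spec, so an audit that greps patch names or the spec for the CVE id would no longer see that the fix is carried. A comment above the line, such as `# CVE-2021-20179: renewal must not auto-approve from a latent session principal`, would keep it traceable. The old Patch3 (pkispawn against 389-ds 1.4.3.19) is dropped without a note; presumably 10.10.5 already contains it upstream, which is worth stating in the changelog if it does not already.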
@@ -49,7 +56,7 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
 # Python
 ################################################################################
 
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
 %global python_executable /usr/libexec/platform-python
 %else
 %global python_executable /usr/bin/python3
@@ -59,14 +66,15 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
 # Java
 ################################################################################
 
-%define java_home /usr/lib/jvm/jre-openjdk
 %define java_devel java-devel
 %define java_headless java-headless
 
-%if 0%{?fedora} && 0%{?fedora} >= 33
+%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
 %define min_java_version 1:11
+%define java_home /usr/lib/jvm/java-11-openjdk
 %else
 %define min_java_version 1:1.8.0
+%define java_home /usr/lib/jvm/java-1.8.0-openjdk
 %endif
 
 ################################################################################
@@ -111,6 +119,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
 %global with_base 1
 # package_option server
 %global with_server 1
+# package_option acme
+%global with_acme 1
 # package_option ca
 %global with_ca 1
 # package_option kra
@@ -130,6 +140,8 @@ Patch3: 0004-pkispawn-fails-against-389-ds-1.4.3.19-3458-3465.patch
 %define debug_package %{nil}
 %endif
 
+%bcond_without sdnotify
+
 # ignore unpackaged files from native 'tpsclient'
 # REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app
 %define _unpackaged_files_terminate_build 0
@@ -181,7 +193,7 @@ BuildRequires:    ldapjdk >= 4.22.0
 BuildRequires:    apache-commons-cli
 BuildRequires:    apache-commons-codec
 BuildRequires:    apache-commons-io
-BuildRequires:    apache-commons-lang
+BuildRequires:    apache-commons-lang3 >= 3.2
 BuildRequires:    apache-commons-net
 BuildRequires:    jakarta-commons-httpclient
 BuildRequires:    glassfish-jaxb-api
@@ -201,7 +213,7 @@ BuildRequires:    velocity
 BuildRequires:    xalan-j2
 BuildRequires:    xerces-j2
 
-%if 0%{?rhel}
+%if 0%{?rhel} && ! 0%{?eln}
 BuildRequires:    resteasy >= 3.0.26
 %else
 BuildRequires:    jboss-annotations-1.2-api
@@ -225,19 +237,22 @@ BuildRequires:    python3-nss
 BuildRequires:    python3-requests >= 2.6.0
 BuildRequires:    python3-six
 
-%if 0%{?rhel}
-# no python3-pytest-runner
-%else
+%if 0%{?fedora} || 0%{?rhel} > 8
 BuildRequires:    python3-pytest-runner
 %endif
 
 BuildRequires:    junit
 BuildRequires:    jpackage-utils >= 0:1.7.5-10
-BuildRequires:    jss >= 4.7.0
-BuildRequires:    tomcatjss >= 7.5.0
+BuildRequires:    jss >= 4.8.1
+BuildRequires:    tomcatjss >= 7.6.1
+
+# JNA is used to bind to libsystemd
+%if %{with sdnotify}
+BuildRequires:    jna
+%endif
 BuildRequires:    systemd-units
 
-%if 0%{?rhel}
+%if 0%{?rhel} && ! 0%{?eln}
 BuildRequires:    pki-servlet-engine
 %else
 BuildRequires:    tomcat >= 1:9.0.7
@@ -255,7 +270,7 @@ BuildRequires:    zlib
 BuildRequires:    zlib-devel
 
 # build dependency to build man pages
-%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel}
+%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8
 BuildRequires:    go-md2man
 %else
 BuildRequires:    golang-github-cpuguy83-md2man
@@ -281,6 +296,7 @@ to manage enterprise Public Key Infrastructure deployments.
 
 PKI consists of the following components:
 
+  * Automatic Certificate Management Environment (ACME) Responder
   * Certificate Authority (CA)
   * Key Recovery Authority (KRA)
   * Online Certificate Status Protocol (OCSP) Manager
@@ -305,6 +321,7 @@ Requires:         %{vendor_id}-pki-console-theme = %{version}
 
 # Make certain that this 'meta' package requires the latest version(s)
 # of ALL PKI core packages
+Requires:         pki-acme = %{version}
 Requires:         pki-ca = %{version}
 Requires:         pki-kra = %{version}
 Requires:         pki-ocsp = %{version}
@@ -317,8 +334,10 @@ Requires:         pki-console = %{version}
 Requires:         pki-javadoc = %{version}
 
 # Make certain that this 'meta' package requires the latest version(s)
-# of ALL PKI clients
+# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
+%ifnarch s390 s390x
 Requires:         esc >= 1.1.1
+%endif
 
 # description for top-level package (unless there is a separate meta package)
 %if "%{name}" == "%{vendor_id}-pki"
@@ -332,6 +351,7 @@ to manage enterprise Public Key Infrastructure deployments.
 
 PKI consists of the following components:
 
+  * Automatic Certificate Management Environment (ACME) Responder
   * Certificate Authority (CA)
   * Key Recovery Authority (KRA)
   * Online Certificate Status Protocol (OCSP) Manager
@@ -350,7 +370,7 @@ Summary:          PKI Symmetric Key Package
 
 Requires:         %java_headless >= %{min_java_version}
 Requires:         jpackage-utils >= 0:1.7.5-10
-Requires:         jss >= 4.7.0
+Requires:         jss >= 4.8.0
 Requires:         nss >= 3.38.0
 
 # Ensure we end up with a useful installation
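Review bot: The runtime floor set here, `Requires: jss >= 4.8.0`, is lower than the build-time `BuildRequires: jss >= 4.8.1` introduced earlier in this diff. The context in a later hunk header suggests the pki-base-java section still carries `Requires: jss >= 4.7.0`. JSS is the crypto provider, so a package built against 4.8.1 could be installed next to an older JSS that lacks whatever the bump was for. Unless the lower floors are deliberate, align them, e.g. `Requires: jss >= 4.8.1` in both runtime sections.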
@@ -394,13 +414,14 @@ BuildArch:        noarch
 
 Obsoletes:        pki-base-python3 < %{version}
 Provides:         pki-base-python3 = %{version}
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 8
 %{?python_provide:%python_provide python3-pki}
 %endif
 
 Requires:         pki-base = %{version}-%{release}
 Requires:         python3 >= 3.5
 Requires:         python3-cryptography
+Requires:         python3-ldap
 Requires:         python3-lxml
 Requires:         python3-nss
 Requires:         python3-requests >= 2.6.0
@@ -420,7 +441,7 @@ Requires:         %java_headless >= %{min_java_version}
 Requires:         apache-commons-cli
 Requires:         apache-commons-codec
 Requires:         apache-commons-io
-Requires:         apache-commons-lang
+Requires:         apache-commons-lang3 >= 3.2
 Requires:         apache-commons-logging
 Requires:         apache-commons-net
 Requires:         jakarta-commons-httpclient
@@ -432,7 +453,7 @@ Requires:         jss >= 4.7.0
 Requires:         ldapjdk >= 4.22.0
 Requires:         pki-base = %{version}-%{release}
 
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
 Requires:         resteasy >= 3.0.26
 %else
 Requires:         resteasy-atom-provider >= 3.0.17-1
@@ -442,7 +463,7 @@ Requires:         resteasy-core >= 3.0.17-1
 Requires:         resteasy-jackson2-provider >= 3.0.17-1
 %endif
 
-%if 0%{?fedora} && 0%{?fedora} >= 33
+%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
 Requires:         jaxb-impl >= 2.3.3
 Requires:         jakarta-activation >= 1.2.2
 %endif
@@ -487,7 +508,6 @@ Summary:          PKI Server Package
 BuildArch:        noarch
 
 Requires:         hostname
-Requires:         net-tools
 
 Requires:         policycoreutils
 Requires:         procps-ng
@@ -500,15 +520,14 @@ Requires:         keyutils
 
 Requires:         policycoreutils-python-utils
 
-Requires:         python3-ldap
 Requires:         python3-lxml
 Requires:         python3-libselinux
 Requires:         python3-policycoreutils
 
 Requires:         selinux-policy-targeted >= 3.13.1-159
 
-%if 0%{?rhel}
-Requires:         pki-servlet-engine >= 1:9.0.7
+%if 0%{?rhel} && ! 0%{?eln}
+Requires:         pki-servlet-engine
 %else
 Requires:         tomcat >= 1:9.0.7
 %endif
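Review bot: The RHEL branch now has `Requires: pki-servlet-engine` with no version, while the non-RHEL branch keeps `tomcat >= 1:9.0.7`, so on RHEL the server package can be installed with any older servlet engine build. If the floor was dropped because pki-servlet-engine uses a different epoch or version scheme, a one-line comment saying so would help the next maintainer. Otherwise keep a minimum, e.g. `Requires: pki-servlet-engine >= 1:9.0.7`. The matching BuildRequires earlier in the diff is also unversioned, so the two are at least consistent.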
@@ -520,7 +539,12 @@ Requires(post):   systemd-units
 Requires(preun):  systemd-units
 Requires(postun): systemd-units
 Requires(pre):    shadow-utils
-Requires:         tomcatjss >= 7.5.0
+Requires:         tomcatjss >= 7.6.1
+
+# JNA is used to bind to libsystemd
+%if %{with sdnotify}
+Requires:         jna
+%endif
 
 # pki-healthcheck depends on the following library
 %if 0%{?rhel}
@@ -544,18 +568,29 @@ Provides:         bundled(js-patternfly) = 3.59.2
 Provides:         bundled(js-underscore) = 1.9.2
 
 %description -n   pki-server
-The PKI Server Package contains libraries and utilities needed by the
-following PKI subsystems:
-
-    the Certificate Authority (CA),
-    the Key Recovery Authority (KRA),
-    the Online Certificate Status Protocol (OCSP) Manager,
-    the Token Key Service (TKS), and
-    the Token Processing Service (TPS).
+The PKI Server Package contains libraries and utilities needed by other
+PKI subsystems.
 
 # with server
 %endif
 
+%if %{with acme}
+################################################################################
+%package -n       pki-acme
+################################################################################
+
+Summary:          PKI ACME Package
+BuildArch:        noarch
+
+Requires:         pki-server = %{version}-%{release}
+
+%description -n   pki-acme
+The PKI ACME responder is a service that provides an automatic certificate
+management via ACME v2 protocol defined in RFC 8555.
+
+# with acme
+%endif
+
 %if %{with ca}
 ################################################################################
 %package -n       pki-ca
@@ -836,16 +871,10 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
 # otherwise get <major> version number
 java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
 
-# get Tomcat <major>.<minor> version number
-tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
+# assume tomcat app_server
+app_server=tomcat-8.5
 
-if [ $tomcat_version == "9.0" ]; then
-    app_server=tomcat-8.5
-else
-    app_server=tomcat-$tomcat_version
-fi
-
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
 %{__mkdir_p} build
 cd build
 %endif
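Review bot: `app_server=tomcat-8.5` is now set unconditionally, and the comment `# assume tomcat app_server` does not explain why 8.5 is correct when the spec elsewhere requires `tomcat >= 1:9.0.7`. The removed lines mapped a detected Tomcat 9.0 to `tomcat-8.5`, so the comment should keep that reasoning, for example `# Tomcat 9.0 is built with the tomcat-8.5 target; no other Tomcat version is handled here`. Removing the `/usr/sbin/tomcat version` probe also means a different Tomcat major version in the build root is no longer noticed at build time. If that matters, a version bound on the build dependency (outside this hunk) would be the place to enforce it.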
@@ -855,9 +884,9 @@ cd build
     -DVERSION=%{version}-%{release} \
     -DVAR_INSTALL_DIR:PATH=/var \
     -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
-    -DJAVA_VERSION=%{java_version} \
+    -DJAVA_VERSION=${java_version} \
     -DJAVA_HOME=%java_home \
-    -DPKI_JAVA_PATH=%java \
+    -DPKI_JAVA_PATH=%java_home/bin/java \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
     -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
     -DAPP_SERVER=$app_server \
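Review bot: `-DJAVA_VERSION=${java_version}` now expands the shell variable that the sed pipeline above this hunk derives from `java -version` output, but nothing checks that the pipeline produced a value. An unexpected version banner would hand cmake an empty `JAVA_VERSION` and fail later in a less obvious place. A guard before the cmake call would stop the build with a clear message: `[ -n "$java_version" ] || { echo "cannot determine Java version" >&2; exit 1; }`. The cmake invocation itself starts and ends outside this hunk.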
@@ -866,20 +895,27 @@ cd build
     -DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \
     -DBUILD_PKI_CORE:BOOL=ON \
     -DPYTHON_EXECUTABLE=%{python_executable} \
-    -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-%if ! %{with server} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps}
+%if ! %{with server} && ! %{with acme} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps}
     -DWITH_SERVER:BOOL=OFF \
 %endif
+    -DWITH_CA:BOOL=%{?with_ca:ON}%{!?with_ca:OFF} \
+    -DWITH_KRA:BOOL=%{?with_kra:ON}%{!?with_kra:OFF} \
+    -DWITH_OCSP:BOOL=%{?with_ocsp:ON}%{!?with_ocsp:OFF} \
+    -DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
+    -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
+    -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
+    -DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
     -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
+    -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
     -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
     -DTHEME=%{?with_theme:%{vendor_id}} \
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
     ..
 %else
     -B %{_vpath_builddir}
 %endif
 
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 8
 cd %{_vpath_builddir}
 %endif
 
@@ -896,7 +932,7 @@ cd %{_vpath_builddir}
 %install
 ################################################################################
 
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
 cd build
 %else
 cd %{_vpath_builddir}
@@ -1081,8 +1117,8 @@ fi
 %files -n pki-tools
 ################################################################################
 
-%license base/native-tools/LICENSE
-%doc base/native-tools/doc/README
+%license base/tools/LICENSE
+%doc base/tools/doc/README
 %{_bindir}/p7tool
 %{_bindir}/pistool
 %{_bindir}/pki
@@ -1090,7 +1126,6 @@ fi
 %{_bindir}/setpin
 %{_bindir}/sslget
 %{_bindir}/tkstool
-%{_datadir}/pki/native-tools/
 %{_bindir}/AtoB
 %{_bindir}/AuditVerify
 %{_bindir}/BtoA
@@ -1115,7 +1150,7 @@ fi
 %{_bindir}/PrettyPrintCrl
 %{_bindir}/TokenInfo
 %{_javadir}/pki/pki-tools.jar
-%{_datadir}/pki/java-tools/
+%{_datadir}/pki/tools/
 %{_datadir}/pki/lib/p11-kit-trust.so
 %{_mandir}/man1/AtoB.1.gz
 %{_mandir}/man1/AuditVerify.1.gz
@@ -1165,9 +1200,8 @@ fi
 %{_sbindir}/pkidestroy
 %{_sbindir}/pki-server
 %{_sbindir}/pki-server-upgrade
-%{python3_sitelib}/pki/server/
 %{_sbindir}/pki-healthcheck
-%{python3_sitelib}/pki/server/healthcheck/
+%{python3_sitelib}/pki/server/
 %{python3_sitelib}/pkihealthcheck-*.egg-info/
 %config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
 
@@ -1189,6 +1223,7 @@ fi
 %dir %{_sharedstatedir}/pki
 %{_mandir}/man1/pkidaemon.1.gz
 %{_mandir}/man5/pki_default.cfg.5.gz
+%{_mandir}/man5/pki_healthcheck.conf.5.gz
 %{_mandir}/man5/pki-server-logging.5.gz
 %{_mandir}/man8/pki-server-upgrade.8.gz
 %{_mandir}/man8/pkidestroy.8.gz
@@ -1208,12 +1243,25 @@ fi
 %{_mandir}/man8/pki-healthcheck.8.gz
 %{_datadir}/pki/setup/
 %{_datadir}/pki/server/
-%{_datadir}/pki/acme/
-%{_javadir}/pki/pki-acme.jar
+
+%if %{with sdnotify}
+%{_javadir}/pki/pki-systemd.jar
+%endif
 
 # with server
 %endif
 
+%if %{with acme}
+################################################################################
+%files -n pki-acme
+################################################################################
+
+%{_javadir}/pki/pki-acme.jar
+%{_datadir}/pki/acme/
+
+# with acme
+%endif
+
 %if %{with ca}
 ################################################################################
 %files -n pki-ca
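Review bot: `pki-acme.jar` and `%{_datadir}/pki/acme/` move from the pki-server file list into the new pki-acme subpackage, but nothing visible in this diff makes an updated pki-server pull pki-acme in. A host that already runs the ACME responder from pki-server would lose those files on update unless pki-acme is installed explicitly or required by a meta-package outside this hunk. If existing deployments should keep working, a weak dependency in the pki-server preamble inside `%if %{with acme}` would cover it, e.g. `Recommends:       pki-acme = %{version}-%{release}`. Otherwise the split deserves a line in the changelog.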
@@ -1221,12 +1269,7 @@ fi
 
 %license base/ca/LICENSE
 %{_javadir}/pki/pki-ca.jar
-%dir %{_datadir}/pki/ca
-%{_datadir}/pki/ca/conf/
-%{_datadir}/pki/ca/emails/
-%{_datadir}/pki/ca/profiles/
-%{_datadir}/pki/ca/setup/
-%{_datadir}/pki/ca/webapps/
+%{_datadir}/pki/ca/
 
 # with ca
 %endif
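Review bot: Replacing the `%dir` entry and the explicit subdirectories with `%{_datadir}/pki/ca/` packages everything the build installs under that directory without naming it. A stray or unintended file there no longer produces an unpackaged-file error and no longer shows up when the spec is reviewed. The KRA, OCSP, TKS and TPS `%files` hunks that follow make the same change. If the broad match is deliberate, a short comment above the entry would record that, e.g. `# whole tree is owned by pki-ca; contents come from the CMake install rules`.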
@@ -1238,10 +1281,7 @@ fi
 
 %license base/kra/LICENSE
 %{_javadir}/pki/pki-kra.jar
-%dir %{_datadir}/pki/kra
-%{_datadir}/pki/kra/conf/
-%{_datadir}/pki/kra/setup/
-%{_datadir}/pki/kra/webapps/
+%{_datadir}/pki/kra/
 
 # with kra
 %endif
@@ -1253,10 +1293,7 @@ fi
 
 %license base/ocsp/LICENSE
 %{_javadir}/pki/pki-ocsp.jar
-%dir %{_datadir}/pki/ocsp
-%{_datadir}/pki/ocsp/conf/
-%{_datadir}/pki/ocsp/setup/
-%{_datadir}/pki/ocsp/webapps/
+%{_datadir}/pki/ocsp/
 
 # with ocsp
 %endif
@@ -1268,10 +1305,7 @@ fi
 
 %license base/tks/LICENSE
 %{_javadir}/pki/pki-tks.jar
-%dir %{_datadir}/pki/tks
-%{_datadir}/pki/tks/conf/
-%{_datadir}/pki/tks/setup/
-%{_datadir}/pki/tks/webapps/
+%{_datadir}/pki/tks/
 
 # with tks
 %endif
@@ -1283,11 +1317,7 @@ fi
 
 %license base/tps/LICENSE
 %{_javadir}/pki/pki-tps.jar
-%dir %{_datadir}/pki/tps
-%{_datadir}/pki/tps/applets/
-%{_datadir}/pki/tps/conf/
-%{_datadir}/pki/tps/setup/
-%{_datadir}/pki/tps/webapps/
+%{_datadir}/pki/tps/
 %{_mandir}/man5/pki-tps-connector.5.gz
 %{_mandir}/man5/pki-tps-profile.5.gz
 %{_mandir}/man1/tpsclient.1.gz
@@ -1365,199 +1395,239 @@ fi
 
 ################################################################################
 %changelog
-* Thu Mar 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-3
-- Bug # 1933146 - PKI instance creation failed with new 389-ds-base build
-
-* Thu Feb 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-2
-- CVE-2021-20179: Fix unprivileged users can renew any certificate
+* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
+- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate
+
+* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
+- Rebase to PKI 10.10.5
+- Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+
+* Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
+- Rebase to PKI 10.10.4
+- Bug 1664435 - Error instantiating class for challenge_password with SCEP request
+- Bug 1912418 - OCSP and TKS cloning failed due to duplicate replica ID
+- Bug 1916686 - Memory leak during ACME performance test
+- Bug 1919282 - ACME cert enrollment failed with HTTP 500
+
+* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.3-1
+- Rebase to PKI 10.10.3
+- Bug 1584550 - CRMFPopClient: unexpected behavior with -y option when values are specified
+- Bug 1590942 - CMCResponse treats -d as optional
+- Bug 1890639 - Two-step installation with external certificates fails on HSM configured system
+- Bug 1912493 - pkispawn reports incorrect FIPS mode
+
+* Tue Dec 08 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.2-1
+- Rebase to PKI 10.10.2
+- Bug 1392616 - KRA key recovery cli kra-key-retrieve generates an invalid p12 file
+- Bug 1897120 - pki-server cert-fix command failing
+- Bug 1694664 - ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (503)
+
+* Tue Nov 17 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.1-1
+- Rebase to PKI 10.10.1
+- Bug 1843416 - kra-audit-mod fail with Invalid event configuration
+- Bug 1889691 - ACME failed when run with more than 1 thread/connection
+- Bug 1891577 - Sub-ordinate installation is failing with NullPointerException
+
+* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.0-1
+- Rebase to PKI 10.10.0
+- Add workaround for missing capture_output in Python 3.6
+- Fix JSS initialization in pki-server <subsystem>-user-cert-add
+- Fix NPE in UGSubsystem.findUsersByKeyword()
+- Bug 1787115 - Need Method to copy SKI from CSR to Certificate signed
+- Bug 1875563 - Add KRA Transport and Storage Certificates profiles, audit for IPA
+- Bug 1883996 - Inconsistent folders in pki-tools
+
+* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.0-0.2.beta1
+- Rebase to PKI 10.10.0-beta1
+- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples
 
 * Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.4-1
-- Rebased to PKI 10.9.4
-- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+- Rebase to PKI 10.9.4
+- Bug 1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
 
 * Thu Sep 03 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.3-1
-- Rebased to PKI 10.9.3
-- Bug #1869893 - Common certificates are missing in CS.cfg on shared PKI instance
+- Rebase to PKI 10.9.3
+- Bug 1869893 - Common certificates are missing in CS.cfg on shared PKI instance
 
 * Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-2
-- Bug #1871064 - Replica install failing during pki-ca component configuration
+- Bug 1871064 - Replica install failing during pki-ca component configuration
 
 * Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-1
-- Rebased to PKI 10.9.2
+- Rebase to PKI 10.9.2
 
 * Wed Aug 12 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-2
-- Bug #1857933 - CA Installation is failing with ncipher v12.30 HSM
-- Bug #1868233 - Disabling AIA and cert policy extensions in ACME examples
+- Bug 1857933 - CA Installation is failing with ncipher v12.30 HSM
+- Bug 1868233 - Disabling AIA and cert policy extensions in ACME examples
 
 * Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.1-1
-- Rebased to PKI 10.9.1
-- Bug #1426572 - Fix Secure connection issue when server is down
+- Rebase to PKI 10.9.1
+- Bug 1426572 - Fix Secure connection issue when server is down
 
 * Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-1
-- Rebased to PKI 10.9.0
+- Rebase to PKI 10.9.0
 
-* Fri Jul 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.7
-- Fixed pki kra-key-generate failure
-- Fixed error handling in PKIRealm
+* Tue Jul 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.7
+- Fix pki kra-key-generate failure
+- Fix error handling in PKIRealm
 
 * Fri Jul 10 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.6
-- Rebased to PKI 10.9.0-b4
+- Rebase to PKI 10.9.0-b4
 
 * Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.4
-- Rebased to PKI 10.9.0-b2
+- Rebase to PKI 10.9.0-b2
 
 * Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.3
-- Rebased to PKI 10.9.0-b1
+- Rebase to PKI 10.9.0-b1
 
 * Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.0-0.1
-- Rebased to PKI 10.9.0-a1
+- Rebase to PKI 10.9.0-a1
 
 * Tue Mar 03 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.3-1
-- Rebased to PKI 10.8.3
-- Bug #1809210 - TPS installation failure on HSM machine
-- Bug #1807421 - Subordinate CA installation failed
-- Bug #1806840 - KRA cloning with HSM failed
+- Rebase to PKI 10.8.3
+- Bug 1809210 - TPS installation failure on HSM machine
+- Bug 1807421 - Subordinate CA installation failed
+- Bug 1806840 - KRA cloning with HSM failed
 
 * Wed Feb 19 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.2-2
-- Bug #1795215 - pkispawn interactive installation failed
+- Bug 1795215 - pkispawn interactive installation failed
 
 * Mon Feb 17 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.2-1
-- Rebased to PKI 10.8.2
-- Bug #1802006 - KRA installation failed to create ECC admin cert
+- Rebase to PKI 10.8.2
+- Bug 1802006 - KRA installation failed to create ECC admin cert
 
 * Mon Feb 10 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.1-1
-- Rebased to PKI 10.8.1
+- Rebase to PKI 10.8.1
 
 * Fri Feb 07 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-1
-- Rebased to PKI 10.8.0
+- Rebase to PKI 10.8.0
 
 * Thu Jan 16 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.5
-- Rebased to PKI 10.8.0-b3
+- Rebase to PKI 10.8.0-b3
 
 * Fri Dec 13 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.4
-- Rebased to PKI 10.8.0-b2
+- Rebase to PKI 10.8.0-b2
 
 * Wed Dec 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.3
-- Rebased to PKI 10.8.0-b1
+- Rebase to PKI 10.8.0-b1
 
 * Fri Nov 22 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.2
-- Rebased to PKI 10.8.0-a2
+- Rebase to PKI 10.8.0-a2
 
 * Thu Oct 31 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.8.0-0.1
-- Rebased to PKI 10.8.0-a1
+- Rebase to PKI 10.8.0-a1
 
 * Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.3-1
-- Rebased to PKI 10.7.3
-- Bug #1698084 - pkidestroy not working as expected
-- Bug #1468050 and Bug #1448235 - Support AES for LWCA key replication
+- Rebase to PKI 10.7.3
+- Bug 1698084 - pkidestroy not working as expected
+- Bug 1468050 and Bug #1448235 - Support AES for LWCA key replication
 
 * Tue Jul 23 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.2-1
-- Rebased to PKI 10.7.2
-- Bug #1721340 - TPS installation failure
-- Bug #1248216 - Incorrect pkidaemon status
-- Bug #1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid
-- Bug #1698059 - pki-core implements crypto
+- Rebase to PKI 10.7.2
+- Bug 1721340 - TPS installation failure
+- Bug 1248216 - Incorrect pkidaemon status
+- Bug 1729215 - cert-fix: detect and prevent pkidbuser being used as --agent-uid
+- Bug 1698059 - pki-core implements crypto
 
 * Thu Jun 13 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.1-2
-- Fixed cloning issue
-- Fixed TPS installation issue
+- Fix cloning issue
+- Fix TPS installation issue
 
 * Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.1-1
-- Rebased to PKI 10.7.1
+- Rebase to PKI 10.7.1
 
 * Wed Apr 24 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.7.0-1
-- Rebased to PKI 10.7.0
+- Rebase to PKI 10.7.0
 
 * Mon Jan 28 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.9-2
-- Bug #1652269 - Replace Nuxwdog
+- Bug 1652269 - Replace Nuxwdog
 
 * Mon Jan 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.9-1
-- Rebased to PKI 10.6.9
-- Bug #1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding
-- Bug #1652269 - Replace Nuxwdog
-- Bug #1656856 - Need Method to Include SKI in CA Signing Certificate Request
+- Rebase to PKI 10.6.9
+- Bug 1629048 - X500Name.directoryStringEncodingOrder overridden by CSR encoding
+- Bug 1652269 - Replace Nuxwdog
+- Bug 1656856 - Need Method to Include SKI in CA Signing Certificate Request
 
 * Thu Nov 29 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.8-1
-- Rebased to PKI 10.6.8
-- Bug #1602659 - Fix issues found by covscan
-- Bug #1566360 - Fix missing serial number from pki-server subsystem-cert-find
+- Rebase to PKI 10.6.8
+- Bug 1602659 - Fix issues found by covscan
+- Bug 1566360 - Fix missing serial number from pki-server subsystem-cert-find
 
 * Fri Oct 26 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-3
-- Bug #1643101 - Fix problems due to token normalization
+- Bug 1643101 - Fix problems due to token normalization
 
 * Tue Oct 23 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-2
-- Bug #1623444 - Fix Python KeyClient KeyRequestResponse parsing
+- Bug 1623444 - Fix Python KeyClient KeyRequestResponse parsing
 
 * Fri Oct 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.7-1
-- Rebased to PKI 10.6.7
+- Rebase to PKI 10.6.7
 
 * Fri Aug 24 2018 Alexander Bokovoy <abokovoy@redhat.com> 10.6.6-3
 - Build on s390x
 
 * Wed Aug 22 2018 Alexander Bokovoy <abokovoy@redhat.com> 10.6.6-2
 - Use platform-python interpreter
-- Bug #1620066 - pkispawn crashes as /usr/bin/python3 does not exist
+- Bug 1620066 - pkispawn crashes as /usr/bin/python3 does not exist
 
 * Mon Aug 13 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.6-1
-- Rebased to PKI 10.6.6
+- Rebase to PKI 10.6.6
 
 * Wed Aug 08 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.5-1
-- Rebased to PKI 10.6.5
+- Rebase to PKI 10.6.5
 
 * Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-4
-- Bug #1612063 - Do not override system crypto policy (support TLS 1.3)
+- Bug 1612063 - Do not override system crypto policy (support TLS 1.3)
 
 * Wed Aug 01 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-3
 - Patch PKI to use Jackson 2 and avoid Jackson 1 dependency.
   Add direct dependency on slf4j-jdk14.
 
 * Tue Jul 31 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-2
-- Updated Jackson and RESTEasy dependencies
+- Update Jackson and RESTEasy dependencies
 
 * Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.4-1
-- Rebased to PKI 10.6.4
+- Rebase to PKI 10.6.4
 
 * Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.3-1
-- Rebased to PKI 10.6.3
+- Rebase to PKI 10.6.3
 
 * Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> 10.6.2-4
-- Rebuilt for Python 3.7
+- Rebuild for Python 3.7
 
 * Thu Jun 28 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.2-3
-- Fixed macro expressions
-- Bug #1566606 - pki-core: Switch to Python 3
-- Bug #1590467 - pki-core: Drop pylint dependency from RHEL 8
+- Fix macro expressions
+- Bug 1566606 - pki-core: Switch to Python 3
+- Bug 1590467 - pki-core: Drop pylint dependency from RHEL 8
 
 * Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> 10.6.2-2
-- Rebuilt for Python 3.7
+- Rebuild for Python 3.7
 
 * Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.2-1
-- Rebased to PKI 10.6.2
+- Rebase to PKI 10.6.2
 
 * Wed May 30 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-3
-- Updated JSS dependency
-- Updated Tomcat dependency
-- Fixed rpmlint warnings
+- Update JSS dependency
+- Update Tomcat dependency
+- Fix rpmlint warnings
 
 * Fri May 04 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-2
-- Bug #1574711 - pki-tools cannot be installed on current Rawhide
-- Fixed rpmlint warnings
+- Bug 1574711 - pki-tools cannot be installed on current Rawhide
+- Fix rpmlint warnings
 
 * Thu May 03 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.1-1
-- Rebased to PKI 10.6.1
-- Bug #1559047 - pki-core misses a dependency to pki-symkey
-- Bug #1573094 - FreeIPA external CA installation fails
+- Rebase to PKI 10.6.1
+- Bug 1559047 - pki-core misses a dependency to pki-symkey
+- Bug 1573094 - FreeIPA external CA installation fails
 
 * Wed Apr 11 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-1
-- Updated project URL and package descriptions
-- Cleaned up spec file
-- Rebased to PKI 10.6.0 final
+- Update project URL and package descriptions
+- Clean up spec file
+- Rebase to PKI 10.6.0 final
 
 * Thu Mar 29 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-0.3
 - Iryna Shcherbina <ishcherb@redhat.com>: Update Python 2 dependency declarations to new packaging standards
   (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-- Rebased to PKI 10.6.0 beta2
+- Rebase to PKI 10.6.0 beta2
 
 * Thu Mar 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-0.2
-- Rebased to PKI 10.6.0 beta
+- Rebase to PKI 10.6.0 beta