diff --git a/.gitignore b/.gitignore
index 2f79cc9..e8a5f49 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-11.0.3.tar.gz
+SOURCES/pki-11.2.1.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 3b0a62a..5922062 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-33761e63168feb9cb43eddff4c36d6631eb0d74e SOURCES/pki-11.0.3.tar.gz
+b38832fe7b4778f70a8622d203e754ff931c85c5 SOURCES/pki-11.2.1.tar.gz
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 098dc12..6b7e05a 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -2,22 +2,35 @@ Name: pki-core ################################################################################ -%global product_name PKI -%global product_id pki +%global product_name IDM PKI +%global product_id idm-pki +%undefine theme -# NOTE: Do not specify the theme for pki-core -# global theme dogtag +# Upstream version number: +%global major_version 11 +%global minor_version 2 +%global update_version 1 -Summary: %{product_name} Core Package +# Downstream release number: +# - development/stabilization (unsupported): 0. where n >= 1 +# - GA/update (supported): where n >= 1 +%global release_number 1 + +# Development phase: +# - development (unsupported): alpha where n >= 1 +# - stabilization (unsupported): beta where n >= 1 +# - GA/update (supported): +%undefine phase + +%undefine timestamp +%undefine commit_id + +Summary: %{product_name} Package URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 - -# For development (i.e. unsupported) releases, use x.y.z-0.n.. -# For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 11.0.3 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -alpha1 +Version: %{major_version}.%{minor_version}.%{update_version} +Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist} # To create a tarball from a version tag: # $ git archive \ @@ -25,7 +38,7 @@ Release: 1%{?_timestamp}%{?_commit_id}%{?dist} # --prefix pki-/ \ # -o pki-.tar.gz \ # -Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{version}%{?_phase}.tar.gz +Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase}/pki-%{version}%{?phase:-}%{?phase}.tar.gz # To create a patch for all changes since a version tag: # $ git format-patch \ 
@@ -34,13 +47,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -# md2man isn't available on i686. Additionally, we aren't generally multi-lib -# compatible (https://fedoraproject.org/wiki/Packaging:Java) -# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems -# safest. -%if ! 0%{?rhel} || 0%{?rhel} > 8 +# Java 17 and md2man are not available on i686 ExcludeArch: i686 -%endif ################################################################################ # NSS @@ -52,26 +60,15 @@ ExcludeArch: i686 # Python ################################################################################ -%if 0%{?rhel} && 0%{?rhel} <= 8 -%global python_executable /usr/libexec/platform-python -%else %global python_executable /usr/bin/python3 -%endif ################################################################################ # Java ################################################################################ -%define java_devel java-11-openjdk-devel -%define java_headless java-11-openjdk-headless -%define java_home %{_jvmdir}/jre-11-openjdk - -################################################################################ -# RESTEasy -################################################################################ - -%define jaxrs_api_jar /usr/share/java/jboss-jaxrs-2.0-api.jar -%define resteasy_lib /usr/share/java/resteasy +%define java_devel java-17-openjdk-devel +%define java_headless java-17-openjdk-headless +%define java_home %{_jvmdir}/jre-17-openjdk ################################################################################ # PKI 
@@ -185,12 +182,9 @@ BuildRequires: policycoreutils BuildRequires: python3-lxml BuildRequires: python3-sphinx -BuildRequires: xalan-j2 -BuildRequires: xerces-j2 - BuildRequires: resteasy >= 3.0.26 -BuildRequires: python3 >= 3.5 +BuildRequires: python3 >= 3.9 BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-cryptography @@ -202,16 +196,16 @@ BuildRequires: python3-six BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 5.0.0 -BuildRequires: tomcatjss >= 8.0.0 -BuildRequires: ldapjdk >= 5.0.0 +BuildRequires: jss >= 5.2.0 +BuildRequires: tomcatjss >= 8.2.0 +BuildRequires: ldapjdk >= 5.2.0 BuildRequires: systemd-units %if 0%{?rhel} && ! 0%{?eln} -BuildRequires: pki-servlet-engine +BuildRequires: pki-servlet-engine >= 9.0.31 %else -BuildRequires: tomcat >= 1:9.0.7 +BuildRequires: tomcat >= 1:9.0.31 %endif # additional build requirements needed to build native 'tpsclient' @@ -226,11 +220,7 @@ BuildRequires: zlib BuildRequires: zlib-devel # build dependency to build man pages -%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8 -BuildRequires: go-md2man -%else BuildRequires: golang-github-cpuguy83-md2man -%endif # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -270,13 +260,15 @@ to manage enterprise Public Key Infrastructure deployments. Summary: %{product_name} Package %endif +Obsoletes: pki-symkey < %{version} +Obsoletes: %{product_id}-pki-symkey < %{version} Obsoletes: pki-console < %{version} Obsoletes: pki-console-theme < %{version} Obsoletes: idm-console-framework < 2.0 # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI theme packages -Requires: %{product_id}-server-theme = %{version}-%{release} +Requires: %{product_id}-theme = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages 
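Review bot: In the meta-package hunk (`@@ -270,13 +260,15 @@`) the added `Obsoletes: %{product_id}-pki-symkey < %{version}` expands to `idm-pki-pki-symkey` with the new `product_id`, which does not match the subpackage this commit removes (`%package -n %{product_id}-symkey`, i.e. `idm-pki-symkey` in the renamed beta builds). Unless a package by that doubled name was ever shipped, the line is inert, and an upgrade from the beta packages leaves an orphaned `idm-pki-symkey` installed next to a meta package that no longer requires it. I would change it to `Obsoletes: %{product_id}-symkey < %{version}`; the pre-rename `Obsoletes: pki-symkey < %{version}` line above it is correct as written.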
@@ -319,28 +311,6 @@ to manage enterprise Public Key Infrastructure deployments. %if %{with base} ################################################################################ -%package -n %{product_id}-symkey -################################################################################ - -Summary: %{product_name} Symmetric Key Package - -Obsoletes: pki-symkey < %{version}-%{release} -Provides: pki-symkey = %{version}-%{release} - -Requires: %{java_headless} -Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 5.0.0 -Requires: nss >= 3.38.0 - -# Ensure we end up with a useful installation -Conflicts: pki-symkey < %{version} -Conflicts: pki-javadoc < %{version} -Conflicts: pki-server-theme < %{version} - -%description -n %{product_id}-symkey -This package provides library for symmetric key operations. - -################################################################################ %package -n %{product_id}-base ################################################################################ @@ -356,9 +326,9 @@ Requires: python3-pki = %{version}-%{release} Requires(post): python3-pki = %{version}-%{release} # Ensure we end up with a useful installation -Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} +Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-base This package provides default configuration files for %{product_name} client. @@ -376,12 +346,10 @@ Provides: python3-pki = %{version}-%{release} Obsoletes: pki-base-python3 < %{version}-%{release} Provides: pki-base-python3 = %{version}-%{release} -%if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} -%endif Requires: %{product_id}-base = %{version}-%{release} -Requires: python3 >= 3.5 +Requires: python3 >= 3.9 Requires: python3-cryptography Requires: python3-ldap Requires: python3-lxml 
@@ -392,7 +360,7 @@ Requires: python3-six This package provides common and client library for Python 3. ################################################################################ -%package -n %{product_id}-base-java +%package -n %{product_id}-java ################################################################################ Summary: %{product_name} Base Java Package @@ -401,6 +369,9 @@ BuildArch: noarch Obsoletes: pki-base-java < %{version}-%{release} Provides: pki-base-java = %{version}-%{release} +Obsoletes: %{product_id}-base-java < %{version}-%{release} +Provides: %{product_id}-base-java = %{version}-%{release} + Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec @@ -411,23 +382,14 @@ Requires: apache-commons-net Requires: slf4j Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 5.0.0 -Requires: ldapjdk >= 5.0.0 +Requires: jss >= 5.2.0 +Requires: ldapjdk >= 5.2.0 Requires: %{product_id}-base = %{version}-%{release} - -%if 0%{?rhel} && 0%{?rhel} <= 8 -Requires: resteasy >= 3.0.26 -%else Requires: resteasy-client >= 3.0.17-1 Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson2-provider >= 3.0.17-1 -%endif -Requires: xalan-j2 -Requires: xerces-j2 -Requires: xml-commons-resolver - -%description -n %{product_id}-base-java +%description -n %{product_id}-java This package provides common and client libraries for Java. ################################################################################ @@ -441,7 +403,7 @@ Provides: pki-tools = %{version}-%{release} Requires: openldap-clients Requires: nss-tools >= 3.36.1 -Requires: %{product_id}-base-java = %{version}-%{release} +Requires: %{product_id}-java = %{version}-%{release} Requires: p11-kit-trust # PKICertImport depends on certutil and openssl 
@@ -452,6 +414,9 @@ Requires: openssl This package provides tools that can be used to help make %{product_name} into a more complete and robust PKI solution. +The utility "tpsclient" is a test tool that interacts with TPS. +This tool is useful to test TPS server without risking an actual smart card. + # with base %endif @@ -472,7 +437,6 @@ Requires: policycoreutils Requires: procps-ng Requires: openldap-clients Requires: openssl -Requires: %{product_id}-symkey = %{version}-%{release} Requires: %{product_id}-tools = %{version}-%{release} Requires: keyutils @@ -486,16 +450,16 @@ Requires: python3-policycoreutils Requires: selinux-policy-targeted >= 3.13.1-159 %if 0%{?rhel} && ! 0%{?eln} -Requires: pki-servlet-engine +Requires: pki-servlet-engine >= 9.0.31 %else -Requires: tomcat >= 1:9.0.7 +Requires: tomcat >= 1:9.0.31 %endif Requires: systemd Requires(post): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss >= 8.0.0 +Requires: tomcatjss >= 8.2.0 # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -684,6 +648,7 @@ behind the firewall with restricted access. ################################################################################ Summary: %{product_name} TPS Package +BuildArch: noarch Obsoletes: pki-tps < %{version}-%{release} Provides: pki-tps = %{version}-%{release} @@ -714,10 +679,6 @@ Token Key Service (TKS)) to fulfill the user's requests. TPS also interacts with the token database, an LDAP server that stores information about individual tokens. -The utility "tpsclient" is a test tool that interacts with TPS. This -tool is useful to test TPS server configs without risking an actual -smart card. - # with tps %endif 
@@ -734,8 +695,8 @@ Provides: pki-javadoc = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} -Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} +Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-javadoc This package provides %{product_name} API documentation. @@ -757,7 +718,7 @@ Obsoletes: pki-console < %{version}-%{release} Provides: pki-console = %{version}-%{release} Requires: idm-console-framework >= 2.0 -Requires: %{product_id}-base-java = %{version}-%{release} +Requires: %{product_id}-java = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release} %description -n %{product_id}-console @@ -768,7 +729,7 @@ Requires: %{product_id}-console-theme = %{version}-%{release} %if %{with theme} ################################################################################ -%package -n %{product_id}-server-theme +%package -n %{product_id}-theme ################################################################################ Summary: %{product_name} Server Theme Package @@ -777,13 +738,15 @@ BuildArch: noarch Obsoletes: pki-server-theme < %{version}-%{release} Provides: pki-server-theme = %{version}-%{release} +Obsoletes: %{product_id}-server-theme < %{version}-%{release} +Provides: %{product_id}-server-theme = %{version}-%{release} + # Ensure we end up with a useful installation Conflicts: pki-base < %{version} -Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} -%description -n %{product_id}-server-theme -This package provides theme files for %{product_name} Server. +%description -n %{product_id}-theme +This package provides theme files for %{product_name}. %if %{with console} ################################################################################ 
@@ -798,9 +761,9 @@ Provides: pki-console-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} -Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-javadoc < %{version} +Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-console-theme This package provides theme files for %{product_name} Console. 
@@ -835,46 +798,28 @@ This package provides test suite for %{product_name}. %prep ################################################################################ -%autosetup -n pki-%{version}%{?_phase} -p 1 +%autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1 ################################################################################ %build ################################################################################ -# get Java . version number -java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | sed -n 's/ *java.version *= *\([0-9]\+\.[0-9]\+\).*/\1/p'` - -# if == 1, get version number -# otherwise get version number -java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'` - # assume tomcat app_server app_server=tomcat-9.0 -%if 0%{?rhel} && 0%{?rhel} <= 8 -%{__mkdir_p} build -cd build -%endif - %cmake \ --no-warn-unused-cli \ + -DPRODUCT_NAME="%{product_name}" \ -DVERSION=%{version}-%{release} \ -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ - -DJAVA_VERSION=${java_version} \ -DJAVA_HOME=%{java_home} \ - -DPKI_JAVA_PATH=%{java_home}/bin/java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -DAPP_SERVER=$app_server \ - -DJAXRS_API_JAR=%{jaxrs_api_jar} \ - -DRESTEASY_LIB=%{resteasy_lib} \ -DNSS_DEFAULT_DB_TYPE=%{nss_default_db_type} \ - -DBUILD_PKI_CORE:BOOL=ON \ -DPYTHON_EXECUTABLE=%{python_executable} \ -%if ! %{with server} && ! %{with acme} && ! %{with ca} && ! %{with kra} && ! %{with ocsp} && ! %{with tks} && ! %{with tps} - -DWITH_SERVER:BOOL=OFF \ -%endif + -DWITH_SERVER:BOOL=%{?with_server:ON}%{!?with_server:OFF} \ -DWITH_CA:BOOL=%{?with_ca:ON}%{!?with_ca:OFF} \ -DWITH_KRA:BOOL=%{?with_kra:ON}%{!?with_kra:OFF} \ -DWITH_OCSP:BOOL=%{?with_ocsp:ON}%{!?with_ocsp:OFF} \ 
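Review bot: The replacement `-DWITH_SERVER:BOOL=%{?with_server:ON}%{!?with_server:OFF}` changes semantics: the removed `%if` only forced `WITH_SERVER` OFF when server, acme, ca, kra, ocsp, tks and tps were all disabled, whereas now `--without server --with ca` passes `WITH_SERVER=OFF` together with `WITH_CA=ON`. If the CMake side does not make the subsystem switches imply `WITH_SERVER`, such a build configures subsystems without the server tree they deploy into; either document above the `%cmake` line that `server` is now the master switch, or derive the subsystem flags from `with_server` as well. The `%cmake` invocation started here continues into the next hunk.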
@@ -882,18 +827,14 @@ cd build -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \ -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \ -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ - -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ - -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ + -DWITH_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ + -DWITH_TESTS:BOOL=%{?with_tests:ON}%{!?with_tests:OFF} \ + -DWITH_META:BOOL=%{?with_meta:ON}%{!?with_meta:OFF} \ -DTHEME=%{?with_theme:%{theme}} \ -%if 0%{?rhel} && 0%{?rhel} <= 8 - .. -%else + -DRUN_TESTS:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -B %{_vpath_builddir} -%endif -%if 0%{?fedora} || 0%{?rhel} > 8 cd %{_vpath_builddir} -%endif # Do not use _smp_mflags to preserve build order %{__make} \ @@ -908,11 +849,7 @@ cd %{_vpath_builddir} %install ################################################################################ -%if 0%{?rhel} && 0%{?rhel} <= 8 -cd build -%else cd %{_vpath_builddir} -%endif %{__make} \ VERBOSE=%{?_verbose} \ 
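Review bot: The new `-DRUN_TESTS:BOOL=%{?with_test:ON}%{!?with_test:OFF}` keys on `with_test` (singular), while the line just above it, `-DWITH_TESTS:BOOL=%{?with_tests:ON}%{!?with_tests:OFF}`, and the `%install` guard changed later in this diff (`%if %{with tests}`) key on `with_tests`. The bcond declarations are outside the visible hunks, so I cannot tell whether both exist; if `test` was renamed to `tests`, as the `%install` change suggests, `RUN_TESTS` is silently always OFF and the unit tests that were configured to build never run. Either keep both bconds deliberately or change the line to `-DRUN_TESTS:BOOL=%{?with_tests:ON}%{!?with_tests:OFF}`. The `%cmake` invocation this line belongs to begins in the previous hunk.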
@@ -922,43 +859,10 @@ cd %{_vpath_builddir} --no-print-directory \ install -%if %{with test} +%if %{with tests} ctest --output-on-failure %endif -%if %{with meta} -%{__mkdir_p} %{buildroot}%{_datadir}/doc/pki - -cat > %{buildroot}%{_datadir}/doc/pki/README << EOF -This package is a "meta-package" whose dependencies pull in all of the -packages comprising the %{product_name} Suite. -EOF - -# with meta -%endif - -# Customize client library links in /usr/share/pki/lib -ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar -%if 0%{?fedora} && 0%{?fedora} <= 34 -ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar -%else -ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/lib/jakarta.annotation-api.jar -%endif - -%if %{with server} - -# Customize server common library links in /usr/share/pki/server/common/lib -ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar -ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar -%if 0%{?fedora} && 0%{?fedora} <= 34 -ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar -%else -ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jakarta.annotation-api.jar -%endif - -# with server -%endif - %if %{with server} %pre -n %{product_id}-server 
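Review bot: The `%install` hunk drops the `ln -sf` links that placed `jboss-logging.jar` and `jakarta.annotation-api.jar` under `%{_datadir}/pki/lib` and `%{_datadir}/pki/server/common/lib`, and nothing in this diff adds a replacement. If the 11.2.1 CMake install does not create those links itself, the client and server classpaths lose those jars at runtime; please confirm against the upstream install targets, or re-add the links, and leave a one-line comment such as `# jboss-logging/jakarta-annotations links are created by the CMake install` so the next rebase does not have to re-derive this. The `%install` section continues beyond this hunk.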
@@ -1030,14 +934,6 @@ fi %if %{with base} ################################################################################ -%files -n %{product_id}-symkey -################################################################################ - -%license base/symkey/LICENSE -%{_jnidir}/symkey.jar -%{_libdir}/symkey/ - -################################################################################ %files -n %{product_id}-base ################################################################################ @@ -1064,7 +960,7 @@ fi %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ -%files -n %{product_id}-base-java +%files -n %{product_id}-java ################################################################################ %license base/common/LICENSE @@ -1092,14 +988,15 @@ fi %license base/tools/LICENSE %doc base/tools/doc/README -%{_bindir}/p7tool %{_bindir}/p12tool +%{_bindir}/p7tool %{_bindir}/pistool %{_bindir}/pki %{_bindir}/revoker %{_bindir}/setpin %{_bindir}/sslget %{_bindir}/tkstool +%{_bindir}/tpsclient %{_bindir}/AtoB %{_bindir}/AuditVerify %{_bindir}/BtoA @@ -1126,6 +1023,7 @@ fi %{_javadir}/pki/pki-tools.jar %{_datadir}/pki/tools/ %{_datadir}/pki/lib/p11-kit-trust.so +%{_libdir}/tps/libtps.so %{_mandir}/man1/AtoB.1.gz %{_mandir}/man1/AuditVerify.1.gz %{_mandir}/man1/BtoA.1.gz @@ -1156,6 +1054,7 @@ fi %{_mandir}/man1/pki-user-membership.1.gz %{_mandir}/man1/PKCS10Client.1.gz %{_mandir}/man1/PKICertImport.1.gz +%{_mandir}/man1/tpsclient.1.gz # with base %endif @@ -1290,14 +1189,6 @@ fi %{_datadir}/pki/tps/ %{_mandir}/man5/pki-tps-connector.5.gz %{_mandir}/man5/pki-tps-profile.5.gz -%{_mandir}/man1/tpsclient.1.gz - -# files for native 'tpsclient' -# REMINDER: Remove this comment once 'tpsclient' is rewritten as a Java app - -%{_bindir}/tpsclient -%{_libdir}/tps/libtps.so -%{_libdir}/tps/libtokendb.so # with tps %endif 
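Review bot: In the last hunk here (`@@ -1290,14 +1189,6 @@`), `%{_libdir}/tps/libtokendb.so` is removed from the `%{product_id}-tps` file list while `%{_libdir}/tps/libtps.so` and `%{_bindir}/tpsclient` move to `%{product_id}-tools`, and no other `%files` section in this diff picks `libtokendb.so` up. If the 11.2.1 build still produces that library, rpmbuild fails with an unpackaged-files error; if it was dropped upstream, a short note next to the new `libtps.so` entry, `# libtokendb.so is no longer built; libtps.so moved here with tpsclient`, would record why the tools package now owns a native TPS library.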
@@ -1326,7 +1217,7 @@ fi %if %{with theme} ################################################################################ -%files -n %{product_id}-server-theme +%files -n %{product_id}-theme ################################################################################ %license themes/%{theme}/common-ui/LICENSE @@ -1369,6 +1260,27 @@ fi ################################################################################ %changelog +* Thu Aug 04 2022 Red Hat PKI Team - 11.2.1-1 +- Rebase to PKI 11.2.1 +- Bug #2107336 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE [rhel-9.1.0] + +* Fri Jul 01 2022 Red Hat PKI Team - 11.2.0-1 +- Rebase to PKI 11.2.0 +- Bug #2084639 ipa cert-request ssl error +- Bug #2099312 SKI field is not reflected back in generated CSR +- Bug #2095197 PKI cert-fix operation failing + +* Fri May 06 2022 Red Hat PKI Team - 11.2.0-0.4.beta3 +- Rebase to PKI 11.2.0-beta3 +- Bug #2062808 Drop SHA-1 use from authentication challenges [rhel-9.1.0] + +* Mon May 02 2022 Red Hat PKI Team - 11.2.0-0.3.beta2 +- Rebase to PKI 11.2.0-beta2 +- Rename packages to idm-pki + +* Mon Apr 18 2022 Red Hat PKI Team - 11.2.0-0.2.beta1 +- Rebase to PKI 11.2.0-beta1 + * Wed Jan 19 2022 Red Hat PKI Team - 11.0.3-1 - Bug #2033109 Invalid certificates with creation of subCA (pkispawn single step)[rhel-9.0.0] - Bug #2013141 kra-key-retrieve failed to accept xml input format to generate .p12 key through cli