diff --git a/.gitignore b/.gitignore index 102e165..ea199c9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/pki-10.12.0.tar.gz +SOURCES/pki-10.14.2.tar.gz diff --git a/.pki-core.metadata b/.pki-core.metadata index 78529e8..0367143 100644 --- a/.pki-core.metadata +++ b/.pki-core.metadata @@ -1 +1 @@ -14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz +8530e93dbd5da8b31a3b97707c7c2e102afa4ebc SOURCES/pki-10.14.2.tar.gz diff --git a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch deleted file mode 100644 index 065a9d9..0000000 --- a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch +++ /dev/null @@ -1,332 +0,0 @@ -From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 25 Jan 2022 16:29:53 -0600 -Subject: [PATCH] Fix pki-healthcheck for clones - -Previously the ClonesConnectivyAndDataCheck.check_kra_clones() -was trying to check KRA clone status by retrieving a key using -the subsystem cert. This operation did not work since the user -associated with the cert did not have access to the keys. The -code has been changed to get the status from GetStatus service -instead. The original code might be moved into IPA later so it -could run with IPA's RA agent credentials which would allow -access to the keys. - -Previously the ClonesPlugin.contact_subsystem_using_sslget() -used sslget to call GetStatus service and returned the entire -output which was then incorrectly processed in XML format. The -method has been renamed to get_status() and changed to use -PKIConnection and process the response in either JSON or XML -format, then only return the subsystem status. All callers -have been updated accordingly. - -The ClonesPlugin.contact_subsystem_using_pki() is no longer -used so it has been removed. ---- - .../clones/connectivity_and_data.py | 130 ++++++++---------- - .../pki/server/healthcheck/clones/plugin.py | 75 ++++------ - base/server/python/pki/server/__init__.py | 8 +- - 3 files changed, 91 insertions(+), 122 deletions(-) - -diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -index ca5d6dae48..d9bb480f7f 100644 ---- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin): - - def check_kra_clones(self): - for host in self.clone_kras: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out and get some keys or requests , to serve as a data and connectivity check -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName') -- -- output = self.contact_subsystem_using_pki( -- host.SecurePort, host.Hostname, client_nick, -- self.passwd, self.db_dir, 'kra-key-show', ['0x01']) -- -- # check to see if we either got a key or a key not found exception -- # of which either will imply a successful connection -- if output is not None: -- key_found = output.find('Key ID:') -- key_not_found = output.find('KeyNotFoundException:') -- if key_found >= 0: -- logger.info('Key material found from kra clone.') -- -- if key_not_found >= 0: -- logger.info('key not found, possibly empty kra') -- -- if key_not_found == -1 and key_found == -1: -- logger.info('Failure to get key material from kra') -- raise BaseException('KRA clone problem detected ' + cur_clone_msg) -- else: -- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/kra/admin/kra/getStatus') - -- except BaseException as e: -- logger.error("Internal error testing KRA clone. %s", e) -- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg) -+ logger.info('KRA at %s is %s', url, status) - -- return -+ if status != 'running': -+ raise Exception('KRA at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach KRA at %s: %s', url, e) -+ raise Exception('Unable to reach KRA at %s: %s' % (url, e)) - - def check_ocsp_clones(self): - for host in self.clone_ocsps: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the ocsp clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('OCSP clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing OCSP clone. %s", e) -- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/ocsp/admin/ocsp/getStatus') - -- return -+ logger.info('OCSP at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('OCSP at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach OCSP at %s: %s', url, e) -+ raise Exception('Unable to reach OCSP at %s: %s' % (url, e)) - - def check_tks_clones(self): - for host in self.clone_tkss: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the tks clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('TKS clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing TKS clone. %s", e) -- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/tks/admin/tks/getStatus') - -- return -+ logger.info('TKS at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('TKS at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach TKS at %s: %s', url, e) -+ raise Exception('Unable to reach TKS at %s: %s' % (url, e)) - - def check_tps_clones(self): - for host in self.clone_tpss: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the tps clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('TPS clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing TPS clone. %s", e) -- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg) -- return -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/tps/admin/tps/getStatus') -+ -+ logger.info('TPS at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('TPS at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach TPS at %s: %s', url, e) -+ raise Exception('Unable to reach TPS at %s: %s' % (url, e)) - - @duration - def check(self): -diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -index 2472f35b5b..824c36a1a9 100644 ---- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -@@ -6,6 +6,10 @@ - # SPDX-License-Identifier: GPL-2.0-or-later - # - -+import json -+import logging -+import xml.etree.ElementTree as ET -+ - from ipahealthcheck.core.plugin import Plugin, Registry - from pki.server.instance import PKIInstance - from pki.client import PKIConnection -@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient - - from pki.server.healthcheck.core.main import merge_dogtag_config - --import logging --import subprocess -- - logger = logging.getLogger(__name__) - - # Temporary workaround to skip VERBOSE data. Fix already pushed to upstream -@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin): - - self.instance = PKIInstance(self.config.instance_name) - -- def contact_subsystem_using_pki( -- self, subport, subhost, subsystemnick, -- token_pwd, db_path, cmd, exts=None): -- command = ["/usr/bin/pki", -- "-p", str(subport), -- "-h", subhost, -- "-n", subsystemnick, -- "-P", "https", -- "-d", db_path, -- "-c", token_pwd, -- cmd] -- -- if exts is not None: -- command.extend(exts) -- -- output = None -- try: -- output = subprocess.check_output(command, stderr=subprocess.STDOUT) -- except subprocess.CalledProcessError as e: -- output = e.output.decode('utf-8') -- return output -+ def get_status(self, host, port, path): - -- output = output.decode('utf-8') -+ self.instance.export_ca_cert() - -- return output -+ connection = PKIConnection( -+ protocol='https', -+ hostname=host, -+ port=port, -+ cert_paths=self.instance.ca_cert) - -- def contact_subsystem_using_sslget( -- self, port, host, subsystemnick, -- token_pwd, db_path, params, url): -+ response = connection.get(path) - -- command = ["/usr/bin/sslget"] -+ content_type = response.headers['Content-Type'] -+ content = response.text -+ logger.info('Content:\n%s', content) - -- if subsystemnick is not None: -- command.extend(["-n", subsystemnick]) -+ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service -+ if content_type == 'application/json': -+ json_response = json.loads(content) -+ status = json_response['Response']['Status'] - -- command.extend(["-p", token_pwd, "-d", db_path]) -- -- if params is not None: -- command.extend(["-e", params]) -- -- command.extend([ -- "-r", url, host + ":" + port]) -- -- logger.info(' command : %s ', command) -- output = None -- try: -- output = subprocess.check_output(command, stderr=subprocess.STDOUT) -- except subprocess.CalledProcessError as e: -- output = e.output.decode('utf-8') -- return output -+ elif content_type == 'application/xml': -+ root = ET.fromstring(content) -+ status = root.findtext('Status') - -- output = output.decode('utf-8') -+ else: -+ raise Exception('Unsupported content-type: %s' % content_type) - -- return output -+ logger.info('Status: %s', status) -+ return status - - def get_security_domain_data(self, host, port): - domain_data = None -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 4fbb74684b..0515bbb197 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -241,6 +241,10 @@ class PKIServer(object): - def jss_conf(self): - return os.path.join(self.conf_dir, 'jss.conf') - -+ @property -+ def ca_cert(self): -+ return os.path.join(self.nssdb_dir, 'ca.crt') -+ - def is_valid(self): - return self.exists() - -@@ -259,8 +263,6 @@ class PKIServer(object): - - def export_ca_cert(self): - -- ca_path = os.path.join(self.nssdb_dir, 'ca.crt') -- - token = pki.nssdb.INTERNAL_TOKEN_NAME - nickname = self.get_sslserver_cert_nickname() - -@@ -272,7 +274,7 @@ class PKIServer(object): - nssdb = self.open_nssdb(token=token) - - try: -- nssdb.extract_ca_cert(ca_path, nickname) -+ nssdb.extract_ca_cert(self.ca_cert, nickname) - finally: - nssdb.close() - --- -2.33.1 - diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 450b985..d008778 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -2,20 +2,20 @@ Name: pki-core ################################################################################ -%global vendor_id redhat -%global brand Red Hat +%global product_name IDM PKI +%global product_id idm-pki -Summary: %{brand} PKI Core Package +Summary: %{product_name} Package URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 10.12.0 -Release: 3%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -alpha1 - +%global release_number 1 +Version: 10.14.2 +Release: %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist} +#global _phase # To create a tarball from a version tag: # $ git archive \ @@ -32,8 +32,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch: 0001-Fix-pki-healthcheck-for-clones.patch - # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) # md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+ @@ -255,13 +253,13 @@ BuildRequires: nss-tools BuildRequires: openssl # description for top-level package (if there is a separate meta package) -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" %description -%{brand} PKI is an enterprise software system designed +%{product_name} is an enterprise software system designed to manage enterprise Public Key Infrastructure deployments. -PKI consists of the following components: +%{product_name} consists of the following components: * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) @@ -273,32 +271,32 @@ PKI consists of the following components: %endif %if %{with meta} -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" ################################################################################ -%package -n %{vendor_id}-pki +%package -n %{product_id} ################################################################################ -Summary: %{brand} PKI Package +Summary: %{product_name} Package %endif # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI theme packages -Requires: %{vendor_id}-pki-server-theme = %{version}-%{release} -Requires: %{vendor_id}-pki-console-theme = %{version}-%{release} +Requires: %{product_id}-server-theme = %{version}-%{release} +Requires: %{product_id}-console-theme = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages -Requires: pki-acme = %{version}-%{release} -Requires: pki-ca = %{version}-%{release} -Requires: pki-kra = %{version}-%{release} -Requires: pki-ocsp = %{version}-%{release} -Requires: pki-tks = %{version}-%{release} -Requires: pki-tps = %{version}-%{release} +Requires: %{product_id}-acme = %{version}-%{release} +Requires: %{product_id}-ca = %{version}-%{release} +Requires: %{product_id}-kra = %{version}-%{release} +Requires: %{product_id}-ocsp = %{version}-%{release} +Requires: %{product_id}-tks = %{version}-%{release} +Requires: %{product_id}-tps = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of PKI console -Requires: pki-console = %{version}-%{release} -Requires: pki-javadoc = %{version}-%{release} +Requires: %{product_id}-console = %{version}-%{release} +Requires: %{product_id}-javadoc = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 'esc' is not built @@ -307,16 +305,16 @@ Requires: esc >= 1.1.1 %endif # description for top-level package (unless there is a separate meta package) -%if "%{name}" == "%{vendor_id}-pki" +%if "%{name}" == "%{product_id}" %description %else -%description -n %{vendor_id}-pki +%description -n %{product_id} %endif -%{brand} PKI is an enterprise software system designed +%{product_name} is an enterprise software system designed to manage enterprise Public Key Infrastructure deployments. -PKI consists of the following components: +%{product_name} consists of the following components: * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) @@ -330,10 +328,13 @@ PKI consists of the following components: %if %{with base} ################################################################################ -%package -n pki-symkey +%package -n %{product_id}-symkey ################################################################################ -Summary: PKI Symmetric Key Package +Summary: %{product_name} Symmetric Key Package + +Obsoletes: pki-symkey < %{version}-%{release} +Provides: pki-symkey = %{version}-%{release} Requires: %{java_headless} Requires: jpackage-utils >= 0:1.7.5-10 @@ -346,15 +347,14 @@ Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-console-theme < %{version} -%description -n pki-symkey -The PKI Symmetric Key Java Package supplies various native -symmetric key operations to Java programs. +%description -n %{product_id}-symkey +This package provides library for symmetric key operations. ################################################################################ -%package -n pki-base +%package -n %{product_id}-base ################################################################################ -Summary: PKI Base Package +Summary: %{product_name} Base Package BuildArch: noarch Obsoletes: pki-base < %{version}-%{release} @@ -371,25 +371,27 @@ Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-console-theme < %{version} -%description -n pki-base -The PKI Base Package contains the common and client libraries and utilities -written in Python. +%description -n %{product_id}-base +This package provides default configuration files for %{product_name} client. ################################################################################ -%package -n python3-pki +%package -n python3-%{product_id} ################################################################################ -Summary: PKI Python 3 Package +Summary: %{product_name} Python 3 Package BuildArch: noarch -Obsoletes: pki-base-python3 < %{version} +Obsoletes: python3-pki < %{version}-%{release} +Provides: python3-pki = %{version}-%{release} + +Obsoletes: pki-base-python3 < %{version}-%{release} Provides: pki-base-python3 = %{version}-%{release} %if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} %endif -Requires: pki-base = %{version}-%{release} +Requires: %{product_id}-base = %{version}-%{release} Requires: python3 >= 3.5 Requires: python3-cryptography Requires: python3-ldap @@ -400,14 +402,14 @@ Requires: python3-six Recommends: python3-nss %endif -%description -n python3-pki -This package contains PKI client library for Python 3. +%description -n python3-%{product_id} +This package provides common and client library for Python 3. ################################################################################ -%package -n pki-base-java +%package -n %{product_id}-base-java ################################################################################ -Summary: PKI Base Java Package +Summary: %{product_name} Base Java Package BuildArch: noarch Obsoletes: pki-base-java < %{version}-%{release} @@ -426,7 +428,7 @@ Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.9.0, jss < 5.0.0 Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0 -Requires: pki-base = %{version}-%{release} +Requires: %{product_id}-base = %{version}-%{release} %if 0%{?rhel} && 0%{?rhel} <= 8 Requires: resteasy >= 3.0.26 @@ -447,38 +449,40 @@ Requires: xerces-j2 Requires: xml-commons-apis Requires: xml-commons-resolver -%description -n pki-base-java -The PKI Base Java Package contains the common and client libraries and utilities -written in Java. +%description -n %{product_id}-base-java +This package provides common and client libraries for Java. ################################################################################ -%package -n pki-tools +%package -n %{product_id}-tools ################################################################################ -Summary: PKI Tools Package +Summary: %{product_name} Tools Package + +Obsoletes: pki-tools < %{version}-%{release} +Provides: pki-tools = %{version}-%{release} Requires: openldap-clients Requires: nss-tools >= 3.36.1 -Requires: pki-base-java = %{version}-%{release} +Requires: %{product_id}-base-java = %{version}-%{release} Requires: p11-kit-trust # PKICertImport depends on certutil and openssl Requires: nss-tools Requires: openssl -%description -n pki-tools -This package contains PKI executables that can be used to help make -Certificate System into a more complete and robust PKI solution. +%description -n %{product_id}-tools +This package provides tools that can be used to help make +%{product_name} into a more complete and robust PKI solution. # with base %endif %if %{with server} ################################################################################ -%package -n pki-server +%package -n %{product_id}-server ################################################################################ -Summary: PKI Server Package +Summary: %{product_name} Server Package BuildArch: noarch Obsoletes: pki-server < %{version}-%{release} @@ -490,8 +494,8 @@ Requires: policycoreutils Requires: procps-ng Requires: openldap-clients Requires: openssl -Requires: pki-symkey = %{version}-%{release} -Requires: pki-tools = %{version}-%{release} +Requires: %{product_id}-symkey = %{version}-%{release} +Requires: %{product_id}-tools = %{version}-%{release} Requires: keyutils @@ -538,25 +542,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7 Provides: bundled(js-patternfly) = 3.59.2 Provides: bundled(js-underscore) = 1.9.2 -%description -n pki-server -The PKI Server Package contains libraries and utilities needed by other -PKI subsystems. +%description -n %{product_id}-server +This package provides libraries and utilities needed by %{product_name} services. # with server %endif %if %{with acme} ################################################################################ -%package -n pki-acme +%package -n %{product_id}-acme ################################################################################ -Summary: PKI ACME Package +Summary: %{product_name} ACME Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-acme < %{version}-%{release} +Provides: pki-acme = %{version}-%{release} -%description -n pki-acme -The PKI ACME responder is a service that provides an automatic certificate +Requires: %{product_id}-server = %{version}-%{release} + +%description -n %{product_id}-acme +%{product_name} ACME responder is a service that provides an automatic certificate management via ACME v2 protocol defined in RFC 8555. # with acme @@ -564,19 +570,22 @@ management via ACME v2 protocol defined in RFC 8555. %if %{with ca} ################################################################################ -%package -n pki-ca +%package -n %{product_id}-ca ################################################################################ -Summary: PKI CA Package +Summary: %{product_name} CA Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-ca < %{version}-%{release} +Provides: pki-ca = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-ca -The Certificate Authority (CA) is a required PKI subsystem which issues, +%description -n %{product_id}-ca +%{product_name} Certificate Authority (CA) is a required subsystem which issues, renews, revokes, and publishes certificates as well as compiling and publishing Certificate Revocation Lists (CRLs). @@ -589,19 +598,22 @@ where it obtains its own signing certificate from a public CA. %if %{with kra} ################################################################################ -%package -n pki-kra +%package -n %{product_id}-kra ################################################################################ -Summary: PKI KRA Package +Summary: %{product_name} KRA Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-kra < %{version}-%{release} +Provides: pki-kra = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-kra -The Key Recovery Authority (KRA) is an optional PKI subsystem that can act +%description -n %{product_id}-kra +%{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered @@ -620,19 +632,22 @@ since such archival would undermine non-repudiation properties of signing keys. %if %{with ocsp} ################################################################################ -%package -n pki-ocsp +%package -n %{product_id}-ocsp ################################################################################ -Summary: PKI OCSP Package +Summary: %{product_name} OCSP Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-ocsp < %{version}-%{release} +Provides: pki-ocsp = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-ocsp -The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +%description -n %{product_id}-ocsp +%{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional subsystem that can act as a stand-alone OCSP service. The OCSP Manager performs the task of an online certificate validation authority by enabling OCSP-compliant clients to do real-time verification of certificates. Note @@ -658,19 +673,22 @@ whenever they are issued or updated. %if %{with tks} ################################################################################ -%package -n pki-tks +%package -n %{product_id}-tks ################################################################################ -Summary: PKI TKS Package +Summary: %{product_name} TKS Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-tks < %{version}-%{release} +Provides: pki-tks = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-tks -The Token Key Service (TKS) is an optional PKI subsystem that manages the +%description -n %{product_id}-tks +%{product_name} Token Key Service (TKS) is an optional subsystem that manages the master key(s) and the transport key(s) required to generate and distribute keys for hardware tokens. TKS provides the security between tokens and an instance of Token Processing System (TPS), where the security relies upon the @@ -690,12 +708,15 @@ behind the firewall with restricted access. %if %{with tps} ################################################################################ -%package -n pki-tps +%package -n %{product_id}-tps ################################################################################ -Summary: PKI TPS Package +Summary: %{product_name} TPS Package -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-tps < %{version}-%{release} +Provides: pki-tps = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -706,8 +727,8 @@ Requires(postun): systemd-units Requires: nss-tools >= 3.36.1 Requires: openldap-clients -%description -n pki-tps -The Token Processing System (TPS) is an optional PKI subsystem that acts +%description -n %{product_id}-tps +%{product_name} Token Processing System (TPS) is an optional subsystem that acts as a Registration Authority (RA) for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client (ESC). @@ -731,10 +752,10 @@ smart card. %if %{with javadoc} ################################################################################ -%package -n pki-javadoc +%package -n %{product_id}-javadoc ################################################################################ -Summary: PKI Javadoc Package +Summary: %{product_name} Javadoc Package BuildArch: noarch Obsoletes: pki-javadoc < %{version}-%{release} @@ -746,18 +767,18 @@ Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-console-theme < %{version} -%description -n pki-javadoc -This package contains PKI API documentation. +%description -n %{product_id}-javadoc +This package provides %{product_name} API documentation. # with javadoc %endif %if %{with console} ################################################################################ -%package -n pki-console +%package -n %{product_id}-console ################################################################################ -Summary: PKI Console Package +Summary: %{product_name} Console Package BuildArch: noarch Obsoletes: pki-console < %{version}-%{release} @@ -766,21 +787,21 @@ Provides: pki-console = %{version}-%{release} BuildRequires: idm-console-framework >= 1.2.0 Requires: idm-console-framework >= 1.2.0 -Requires: pki-base-java = %{version}-%{release} -Requires: pki-console-theme = %{version}-%{release} +Requires: %{product_id}-base-java = %{version}-%{release} +Requires: %{product_id}-console-theme = %{version}-%{release} -%description -n pki-console -The PKI Console is a Java application used to administer PKI server. +%description -n %{product_id}-console +%{product_name} Console is a Java application used to administer %{product_name} Server. # with console %endif %if %{with theme} ################################################################################ -%package -n %{vendor_id}-pki-server-theme +%package -n %{product_id}-server-theme ################################################################################ -Summary: %{brand} PKI Server Theme Package +Summary: %{product_name} Server Theme Package BuildArch: noarch Obsoletes: pki-server-theme < %{version}-%{release} @@ -792,15 +813,14 @@ Conflicts: pki-symkey < %{version} Conflicts: pki-console-theme < %{version} Conflicts: pki-javadoc < %{version} -%description -n %{vendor_id}-pki-server-theme -This PKI Server Theme Package contains -%{brand} textual and graphical user interface for PKI Server. +%description -n %{product_id}-server-theme +This package provides theme files for %{product_name} Server. ################################################################################ -%package -n %{vendor_id}-pki-console-theme +%package -n %{product_id}-console-theme ################################################################################ -Summary: %{brand} PKI Console Theme Package +Summary: %{product_name} Console Theme Package BuildArch: noarch Obsoletes: pki-console-theme < %{version}-%{release} @@ -812,23 +832,28 @@ Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-javadoc < %{version} -%description -n %{vendor_id}-pki-console-theme -This PKI Console Theme Package contains -%{brand} textual and graphical user interface for PKI Console. +%description -n %{product_id}-console-theme +This package provides theme files for %{product_name} Console. # with theme %endif %if %{with tests} ################################################################################ -%package -n pki-tests +%package -n %{product_id}-tests ################################################################################ -Summary: PKI Tests +Summary: %{product_name} Tests BuildArch: noarch -%description -n pki-tests -This package contains PKI test suite. +Obsoletes: pki-tests < %{version}-%{release} +Provides: pki-tests = %{version}-%{release} + +Requires: python3-pylint +Requires: python3-flake8 + +%description -n %{product_id}-tests +This package provides test suite for %{product_name}. # with tests %endif @@ -886,7 +911,7 @@ cd build -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ - -DTHEME=%{?with_theme:%{vendor_id}} \ + -DTHEME=%{?with_theme:%{theme}} \ %if 0%{?rhel} && 0%{?rhel} <= 8 .. %else @@ -933,7 +958,7 @@ ctest --output-on-failure cat > %{buildroot}%{_datadir}/doc/pki/README << EOF This package is a "meta-package" whose dependencies pull in all of the -packages comprising the %{brand} Public Key Infrastructure (PKI) Suite. +packages comprising the %{product_name} Suite. EOF # with meta @@ -963,7 +988,7 @@ ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroo %if %{with server} -%pre -n pki-server +%pre -n %{product_id}-server getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} if ! getent passwd %{pki_username} >/dev/null ; then useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} @@ -975,7 +1000,7 @@ exit 0 %if %{with base} -%post -n pki-base +%post -n %{product_id}-base if [ $1 -eq 1 ] then @@ -989,7 +1014,7 @@ else echo >> /var/log/pki/pki-upgrade-%{version}.log fi -%postun -n pki-base +%postun -n %{product_id}-base if [ $1 -eq 0 ] then @@ -1002,11 +1027,7 @@ fi %if %{with server} -%post -n pki-server -## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem -## from EITHER 'sysVinit' OR previous 'systemd' processes to the new -## PKI deployment process - +%post -n %{product_id}-server # CVE-2021-3551 # Remove world access from existing installation logs find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; @@ -1032,9 +1053,9 @@ fi %endif %if %{with meta} -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" ################################################################################ -%files -n %{vendor_id}-pki +%files -n %{product_id} ################################################################################ %else %files @@ -1047,7 +1068,7 @@ fi %if %{with base} ################################################################################ -%files -n pki-symkey +%files -n %{product_id}-symkey ################################################################################ %license base/symkey/LICENSE @@ -1055,7 +1076,7 @@ fi %{_libdir}/symkey/ ################################################################################ -%files -n pki-base +%files -n %{product_id}-base ################################################################################ %license base/common/LICENSE @@ -1081,7 +1102,7 @@ fi %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ -%files -n pki-base-java +%files -n %{product_id}-base-java ################################################################################ %license base/common/LICENSE @@ -1093,7 +1114,7 @@ fi %{_javadir}/pki/pki-certsrv.jar ################################################################################ -%files -n python3-pki +%files -n python3-%{product_id} ################################################################################ %license base/common/LICENSE @@ -1104,7 +1125,7 @@ fi %{python3_sitelib}/pki ################################################################################ -%files -n pki-tools +%files -n %{product_id}-tools ################################################################################ %license base/tools/LICENSE @@ -1179,7 +1200,7 @@ fi %if %{with server} ################################################################################ -%files -n pki-server +%files -n %{product_id}-server ################################################################################ %license base/common/THIRD_PARTY_LICENSES @@ -1240,7 +1261,7 @@ fi %if %{with acme} ################################################################################ -%files -n pki-acme +%files -n %{product_id}-acme ################################################################################ %{_javadir}/pki/pki-acme.jar @@ -1251,7 +1272,7 @@ fi %if %{with ca} ################################################################################ -%files -n pki-ca +%files -n %{product_id}-ca ################################################################################ %license base/ca/LICENSE @@ -1263,7 +1284,7 @@ fi %if %{with kra} ################################################################################ -%files -n pki-kra +%files -n %{product_id}-kra ################################################################################ %license base/kra/LICENSE @@ -1275,7 +1296,7 @@ fi %if %{with ocsp} ################################################################################ -%files -n pki-ocsp +%files -n %{product_id}-ocsp ################################################################################ %license base/ocsp/LICENSE @@ -1287,7 +1308,7 @@ fi %if %{with tks} ################################################################################ -%files -n pki-tks +%files -n %{product_id}-tks ################################################################################ %license base/tks/LICENSE @@ -1299,7 +1320,7 @@ fi %if %{with tps} ################################################################################ -%files -n pki-tps +%files -n %{product_id}-tps ################################################################################ %license base/tps/LICENSE @@ -1321,7 +1342,7 @@ fi %if %{with javadoc} ################################################################################ -%files -n pki-javadoc +%files -n %{product_id}-javadoc ################################################################################ %{_javadocdir}/pki-%{version}/ @@ -1331,7 +1352,7 @@ fi %if %{with console} ################################################################################ -%files -n pki-console +%files -n %{product_id}-console ################################################################################ %license base/console/LICENSE @@ -1343,10 +1364,10 @@ fi %if %{with theme} ################################################################################ -%files -n %{vendor_id}-pki-server-theme +%files -n %{product_id}-server-theme ################################################################################ -%license themes/%{vendor_id}/common-ui/LICENSE +%license themes/%{theme}/common-ui/LICENSE %dir %{_datadir}/pki %{_datadir}/pki/CS_SERVER_VERSION %{_datadir}/pki/common-ui/ @@ -1361,10 +1382,10 @@ fi %{_datadir}/pki/server/webapps/pki/tks ################################################################################ -%files -n %{vendor_id}-pki-console-theme +%files -n %{product_id}-console-theme ################################################################################ -%license themes/%{vendor_id}/console-ui/LICENSE +%license themes/%{theme}/console-ui/LICENSE %{_javadir}/pki/pki-console-theme.jar # with theme @@ -1372,7 +1393,7 @@ fi %if %{with tests} ################################################################################ -%files -n pki-tests +%files -n %{product_id}-tests ################################################################################ %{_datadir}/pki/tests/ @@ -1382,6 +1403,14 @@ fi ################################################################################ %changelog +* Tue Nov 29 2022 Red Hat PKI Team 10.14.2-1 +- Rebase to PKI 10.14.2 +- Bug 2149253 - Rebase to upstream version v2.14.2 + +* Mon Jul 25 2022 Red Hat PKI Team 10.12.0-4 +- Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE +- Rename packages to idm-pki + * Wed Jun 01 2022 Red Hat PKI Team 10.12.0-3 - ExcludeArch i686 as md2man not available in RHEL 8.7