diff --git a/SOURCES/pki-core-BASE-format-G-and-D-cards.patch b/SOURCES/pki-core-BASE-format-G-and-D-cards.patch new file mode 100644 index 0000000..8a97b0c --- /dev/null +++ b/SOURCES/pki-core-BASE-format-G-and-D-cards.patch 
@@ -0,0 +1,84 @@ +From 618a17ad33363633c6589c4ce7170c34f21bf459 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Tue, 15 Nov 2016 17:37:07 -0800 +Subject: [PATCH] Change lifecycle at end of enrollment if it is not already + set. + +TPS throws "err=6" when attempting to format and enroll G&D Cards. +https://bugzilla.redhat.com/show_bug.cgi?id=1320283 + +This fix addresses this bug , but also: +Fixes this issue: + +Applet upgrade during rekey operation results in formatted token. + + Also, it takes care of a related issue where the new apdu needed for the +lifecycle state causes the testing tool "tpslcient" to seg fault. +The fix here is a minimal fix to have tpsclient return an error when it gets +this apdu it can't handle, instead of crashing. + +(cherry picked from commit 4027d3caa872f2950dae0b3d2208c0c54ceb4a4c) +(cherry picked from commit fbb7cf7d70263aa63274a41ecba235bc87c961f0) +--- + base/common/src/org/dogtagpki/tps/apdu/APDU.java | 3 +- + .../org/dogtagpki/tps/apdu/GetLifecycleAPDU.java | 35 +++++++++++++ + 2 files changed, 37 insertions(+), 1 deletions(-) + create mode 100644 base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java + +diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDU.java b/base/common/src/org/dogtagpki/tps/apdu/APDU.java +index 86f07ee..390252f 100644 +--- a/base/common/src/org/dogtagpki/tps/apdu/APDU.java ++++ b/base/common/src/org/dogtagpki/tps/apdu/APDU.java +@@ -56,7 +56,8 @@ public abstract class APDU { + APDU_IMPORT_KEY_ENC, + APDU_SET_ISSUERINFO, + APDU_GET_ISSUERINFO, +- APDU_GENERATE_KEY_ECC ++ APDU_GENERATE_KEY_ECC, ++ APDU_GET_LIFECYCLE + } + + protected byte cla; +diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java +new file mode 100644 +index 0000000..6f55b01 +--- /dev/null ++++ b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java +@@ -0,0 +1,35 @@ ++package org.dogtagpki.tps.apdu; ++ ++import 
org.dogtagpki.tps.main.TPSBuffer;
++
++
++public class GetLifecycleAPDU extends APDU {
++ public GetLifecycleAPDU() {
++ setCLA((byte) 0xB0);
++ setINS((byte) 0xf2);
++ setP1((byte) 0x0);
++ setP2((byte) 0x0);
++ }
++
++ @Override
++ public Type getType()
++ {
++ return Type.APDU_GET_LIFECYCLE;
++ }
++
++ @Override
++ public TPSBuffer getEncoding()
++ {
++ TPSBuffer encoding = new TPSBuffer();
++
++ encoding.add(cla);
++ encoding.add(ins);
++ encoding.add(p1);
++ encoding.add(p2);
++ encoding.add((byte) 0x01);
++
++ return encoding;
++ } /* Encode */
++
++
++}
+--
+1.8.3.1
diff --git a/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch b/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch
new file mode 100644
index 0000000..be93088
--- /dev/null
+++ b/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch
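Review bot: `getEncoding()` in the new GetLifecycleAPDU appends a bare `(byte) 0x01` after P2 with no explanation; this looks like the Le byte of a case-2 APDU (one lifecycle-state byte expected back), so it should carry a comment such as `encoding.add((byte) 0x01); // Le: expect a single lifecycle state byte` and the class needs a Javadoc naming the APDU (CLA 0xB0, INS 0xF2) and describing the response the caller has to parse. The embedded commit message also promises a tpsclient change so the tool returns an error instead of crashing on this APDU, but the diffstat lists only APDU.java and GetLifecycleAPDU.java, so that part of the backport appears to be missing from this patch and should be confirmed to live elsewhere. Minor style points: hex literal casing differs (`0xB0` vs `0xf2`), `getType()` and `getEncoding()` put the opening brace on its own line while the constructor does not, and the trailing `/* Encode */` comment adds nothing.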
@@ -0,0 +1,35 @@ +From 5332079797f763e9997685eaf188206c4631daa8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 22 Nov 2016 19:29:58 +0100 +Subject: [PATCH] Updated pki-cert man page. + +The pki-cert man page has been updated to clarify that certain +profiles may require authentication and the CLI supports certain +authentication types. + +https://fedorahosted.org/pki/ticket/2289 +(cherry picked from commit 52694cd6acf81446623b6d24947d8d3afdc8536c) +(cherry picked from commit b99469a9805df722a58fe20ca7160de706b69e7c) +--- + base/java-tools/man/man1/pki-cert.1 | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/base/java-tools/man/man1/pki-cert.1 b/base/java-tools/man/man1/pki-cert.1 +index 7ece1ad..146c82b 100644 +--- a/base/java-tools/man/man1/pki-cert.1 ++++ b/base/java-tools/man/man1/pki-cert.1 +@@ -215,7 +215,10 @@ profile, and submit the request using the following command: + + .B pki ca-cert-request-submit + +-Depending on the profile, an agent may need to review the request by running ++Depending on the profile, the command may require authentication (see the profile configuration file). ++The CLI currently supports client certificate authentication and directory-based authentication. ++ ++Also depending on the profile, an agent may need to review and approve the request by running + the following command: + + .B pki ca-cert-request-review --file +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-log-properties-and-man-pages.patch b/SOURCES/pki-core-log-properties-and-man-pages.patch new file mode 100644 index 0000000..15a2473 --- /dev/null +++ b/SOURCES/pki-core-log-properties-and-man-pages.patch 
@@ -0,0 +1,1087 @@ +From c5b7d9c16449f63bcf570772badcb5485cead3f7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 17 Nov 2016 00:10:55 +0100 +Subject: [PATCH 1/8] Removed unused CA and KRA logging.properties. + +The logging.properties files in CA and KRA folders are never +deployed so they have been removed. + +https://fedorahosted.org/pki/ticket/1897 +(cherry picked from commit f6ee4065c0bdb59e22fa92c5f56d49851f4ec6e1) +(cherry picked from commit 038f18ae08e760f96524a73c02f452711601bdb0) +--- + base/ca/shared/conf/logging.properties | 70 --------------------------------- + base/kra/shared/conf/logging.properties | 70 --------------------------------- + 2 files changed, 140 deletions(-) + delete mode 100644 base/ca/shared/conf/logging.properties + delete mode 100644 base/kra/shared/conf/logging.properties + +diff --git a/base/ca/shared/conf/logging.properties b/base/ca/shared/conf/logging.properties +deleted file mode 100644 +index 796cfc0..0000000 +--- a/base/ca/shared/conf/logging.properties ++++ /dev/null +@@ -1,70 +0,0 @@ +-# --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2006-2010 Red Hat, Inc. +-# All rights reserved. +-# Modifications: configuration parameters +-# --- END COPYRIGHT BLOCK --- +- +-# Licensed to the Apache Software Foundation (ASF) under one or more +-# contributor license agreements. See the NOTICE file distributed with +-# this work for additional information regarding copyright ownership. +-# The ASF licenses this file to You under the Apache License, Version 2.0 +-# (the "License"); you may not use this file except in compliance with +-# the License. You may obtain a copy of the License at +-# +-# http://www.apache.org/licenses/LICENSE-2.0 +-# +-# Unless required by applicable law or agreed to in writing, software +-# distributed under the License is distributed on an "AS IS" BASIS, +-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+-# See the License for the specific language governing permissions and +-# limitations under the License. +- +-handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler +- +-.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler +- +-############################################################ +-# Handler specific properties. +-# Describes specific configuration info for Handlers. +-############################################################ +- +-1catalina.org.apache.juli.FileHandler.level = FINE +-1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-1catalina.org.apache.juli.FileHandler.prefix = catalina. +- +-2localhost.org.apache.juli.FileHandler.level = FINE +-2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-2localhost.org.apache.juli.FileHandler.prefix = localhost. +- +-3manager.org.apache.juli.FileHandler.level = FINE +-3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-3manager.org.apache.juli.FileHandler.prefix = manager. +- +-4host-manager.org.apache.juli.FileHandler.level = FINE +-4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-4host-manager.org.apache.juli.FileHandler.prefix = host-manager. +- +-java.util.logging.ConsoleHandler.level = FINE +-java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter +- +- +-############################################################ +-# Facility specific properties. +-# Provides extra control for each logger. 
+-############################################################ +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler +- +-# For example, set the com.xyz.foo logger to only log SEVERE +-# messages: +-#org.apache.catalina.startup.ContextConfig.level = FINE +-#org.apache.catalina.startup.HostConfig.level = FINE +-#org.apache.catalina.session.ManagerBase.level = FINE +-#org.apache.catalina.core.AprLifecycleListener.level=FINE +diff --git a/base/kra/shared/conf/logging.properties b/base/kra/shared/conf/logging.properties +deleted file mode 100644 +index 796cfc0..0000000 +--- a/base/kra/shared/conf/logging.properties ++++ /dev/null +@@ -1,70 +0,0 @@ +-# --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2006-2010 Red Hat, Inc. +-# All rights reserved. +-# Modifications: configuration parameters +-# --- END COPYRIGHT BLOCK --- +- +-# Licensed to the Apache Software Foundation (ASF) under one or more +-# contributor license agreements. See the NOTICE file distributed with +-# this work for additional information regarding copyright ownership. +-# The ASF licenses this file to You under the Apache License, Version 2.0 +-# (the "License"); you may not use this file except in compliance with +-# the License. 
You may obtain a copy of the License at +-# +-# http://www.apache.org/licenses/LICENSE-2.0 +-# +-# Unless required by applicable law or agreed to in writing, software +-# distributed under the License is distributed on an "AS IS" BASIS, +-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-# See the License for the specific language governing permissions and +-# limitations under the License. +- +-handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler +- +-.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler +- +-############################################################ +-# Handler specific properties. +-# Describes specific configuration info for Handlers. +-############################################################ +- +-1catalina.org.apache.juli.FileHandler.level = FINE +-1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-1catalina.org.apache.juli.FileHandler.prefix = catalina. +- +-2localhost.org.apache.juli.FileHandler.level = FINE +-2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-2localhost.org.apache.juli.FileHandler.prefix = localhost. +- +-3manager.org.apache.juli.FileHandler.level = FINE +-3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-3manager.org.apache.juli.FileHandler.prefix = manager. +- +-4host-manager.org.apache.juli.FileHandler.level = FINE +-4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +-4host-manager.org.apache.juli.FileHandler.prefix = host-manager. +- +-java.util.logging.ConsoleHandler.level = FINE +-java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter +- +- +-############################################################ +-# Facility specific properties. +-# Provides extra control for each logger. 
+-############################################################ +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler +- +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO +-org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler +- +-# For example, set the com.xyz.foo logger to only log SEVERE +-# messages: +-#org.apache.catalina.startup.ContextConfig.level = FINE +-#org.apache.catalina.startup.HostConfig.level = FINE +-#org.apache.catalina.session.ManagerBase.level = FINE +-#org.apache.catalina.core.AprLifecycleListener.level=FINE +-- +1.8.3.1 + + +From b64fa73078df0e750a54fd8ee4fb1581f5be0e97 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 17 Nov 2016 00:27:58 +0100 +Subject: [PATCH 3/8] Updated logging.properties. + +To reduce maintenance the logging.properties is no longer copied +into the instance folder during deployment. Instead, a link will +be created in /etc/pki/ pointing to the default file +in /usr/share/pki/server/conf. + +The default logging.properties has been updated to only log +messages with level WARNING or higher on the console. 
+ +https://fedorahosted.org/pki/ticket/1897 +(cherry picked from commit e674bc51b4d23bc362a1312addd0b09625cf5747) +(cherry picked from commit 882ad281c235cbe3a3074d1da00acb8c1b486d6f) +--- + base/common/share/etc/logging.properties | 1 + + .../deployment/scriptlets/instance_layout.py | 16 +++++++++++++-- + base/server/share/conf/logging.properties | 24 +++++----------------- + 3 files changed, 20 insertions(+), 21 deletions(-) + +diff --git a/base/common/share/etc/logging.properties b/base/common/share/etc/logging.properties +index bd5b5b6..fe879c4 100644 +--- a/base/common/share/etc/logging.properties ++++ b/base/common/share/etc/logging.properties +@@ -26,3 +26,4 @@ java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter + java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n + + .level = WARNING ++.handlers = java.util.logging.ConsoleHandler +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index c470c7f..07eecbd 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -55,6 +55,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_instance_configuration_path'], + ignore_cb=file_ignore_callback_src_server) + ++ # Link /etc/pki//logging.properties ++ # to /usr/share/pki/server/conf/logging.properties. 
++ deployer.symlink.create( ++ os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), ++ os.path.join(deployer.mdict['pki_instance_configuration_path'], ++ "logging.properties")) ++ + # create /etc/sysconfig/ + deployer.file.copy_with_slot_substitution( + deployer.mdict['pki_source_tomcat_conf'], +@@ -219,5 +226,10 @@ def file_ignore_callback_src_server(src, names): + config.pki_log.info(log.FILE_EXCLUDE_CALLBACK_2, src, names, + extra=config.PKI_INDENTATION_LEVEL_1) + +- excludes = {'schema.ldif', 'database.ldif', 'manager.ldif', 'pki.xml'} +- return excludes ++ return { ++ 'schema.ldif', ++ 'database.ldif', ++ 'manager.ldif', ++ 'pki.xml', ++ 'logging.properties' ++ } +diff --git a/base/server/share/conf/logging.properties b/base/server/share/conf/logging.properties +index dfdc0a4..7c1ac37 100644 +--- a/base/server/share/conf/logging.properties ++++ b/base/server/share/conf/logging.properties +@@ -21,28 +21,11 @@ + + handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler + +-.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler +- + ############################################################ + # Handler specific properties. + # Describes specific configuration info for Handlers. 
+ ############################################################ + +-# Change the following settings to allow for more granular debugging: +-# +-# * 1catalina.org.apache.juli.FileHandler.level = ALL +-# * 2localhost.org.apache.juli.FileHandler.level = ALL +-# +-# and add the following lines to the end of this file: +-# +-# * org.apache.catalina.loader.level = FINEST +-# * org.apache.catalina.loader.WebappClassLoader.level = FINEST +-# * org.apache.catalina.loader.StandardClassLoader.level = FINEST +-# * com.netscape.cms.servlet.base.level = FINEST +-# * com.netscape.cms.servlet.base.CMSStartServlet.level = FINEST +-# * java.net.URLClassLoader.level = FINEST +-# +- + 1catalina.org.apache.juli.FileHandler.level = FINE + 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs + 1catalina.org.apache.juli.FileHandler.prefix = catalina. +@@ -59,15 +42,18 @@ handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.Fil + 4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs + 4host-manager.org.apache.juli.FileHandler.prefix = host-manager. + +-java.util.logging.ConsoleHandler.level = FINE ++java.util.logging.ConsoleHandler.level = ALL + java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter +- ++java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n + + ############################################################ + # Facility specific properties. + # Provides extra control for each logger. + ############################################################ + ++.level = WARNING ++.handlers = java.util.logging.ConsoleHandler ++ + org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO + org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler + +-- +1.8.3.1 + + +From c7f0585680dbfdd0019da6d2713dc9b1ded42761 Mon Sep 17 00:00:00 2001 +From: "Endi S. 
Dewata" +Date: Thu, 17 Nov 2016 03:41:25 +0100 +Subject: [PATCH 4/8] Updated log4j.properties. + +To reduce maintenance the log4j.properties is no longer copied +into the instance folder during deployment. Instead, a link will +be created in the /var/lib/pki//lib folder pointing to +the default file in /usr/share/pki/server/conf. + +The default log4j.properties has been updated to remove redundant +lines. By default only log messages with level WARN or higher will +be logged on the console. + +https://fedorahosted.org/pki/ticket/1897 +(cherry picked from commit bfd7fc1c9ec665b4affda5bf48c9aca20f8f5775) +(cherry picked from commit 4f381a0832ec069370f9461aabbbd1033371d6b0) +--- + .../deployment/scriptlets/instance_layout.py | 7 +++- + base/server/share/conf/log4j.properties | 45 ++++++++++------------ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 07eecbd..330aa46 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -139,8 +139,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + os.path.join( + deployer.mdict['pki_instance_lib'], + name)) ++ ++ # Link /var/lib/pki//lib/log4j.properties ++ # to /usr/share/pki/server/conf/log4j.properties. 
+ deployer.symlink.create( +- deployer.mdict['pki_instance_conf_log4j_properties'], ++ os.path.join(deployer.mdict['pki_source_server_path'], ++ "log4j.properties"), + deployer.mdict['pki_instance_lib_log4j_properties']) + + # Link /var/lib/pki//common to /usr/share/pki/server/common +@@ -231,5 +235,6 @@ def file_ignore_callback_src_server(src, names): + 'database.ldif', + 'manager.ldif', + 'pki.xml', ++ 'log4j.properties', + 'logging.properties' + } +diff --git a/base/server/share/conf/log4j.properties b/base/server/share/conf/log4j.properties +index dd4bd93..43b6009 100644 +--- a/base/server/share/conf/log4j.properties ++++ b/base/server/share/conf/log4j.properties +@@ -1,30 +1,27 @@ + # --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2012 Red Hat, Inc. ++# Copyright (C) 2016 Red Hat, Inc. + # All rights reserved. + # Modifications: configuration parameters + # --- END COPYRIGHT BLOCK --- + +-log4j.rootLogger=debug, R +-log4j.appender.R=org.apache.log4j.RollingFileAppender +-log4j.appender.R.File=${catalina.base}/logs/catalina.out +-log4j.appender.R.MaxFileSize=10MB +-log4j.appender.R.MaxBackupIndex=10 +-log4j.appender.R.layout=org.apache.log4j.PatternLayout +-log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n +-log4j.logger.org.apache.catalina=DEBUG, R +-log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R +-log4j.logger.org.apache.catalina.core=DEBUG, R +-log4j.logger.org.apache.catalina.session=DEBUG, R ++# Licensed to the Apache Software Foundation (ASF) under one or more ++# contributor license agreements. See the NOTICE file distributed with ++# this work for additional information regarding copyright ownership. ++# The ASF licenses this file to You under the Apache License, Version 2.0 ++# (the "License"); you may not use this file except in compliance with ++# the License. 
You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. + +-#resteasy +-log4j.appender.stdout=org.apache.log4j.ConsoleAppender +-log4j.appender.stdout.Target=System.out +-log4j.appender.stdout.layout=org.apache.log4j.PatternLayout +-log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n +-log4j.rootLogger=warn, stdout +-log4j.rootCategory=debug, stdout +-log4j.category.org.jboss.resteasy.core=debug +-log4j.category.org.jboss.resteasy.plugins.providers=debug +-log4j.category.org.jboss.resteasy.specimpl=debug +-log4j.category.org.jboss.resteasy.plugins.server=debug +-log4j.logger.org.jboss.resteasy.mock=debug ++log4j.appender.console = org.apache.log4j.ConsoleAppender ++log4j.appender.console.Target = System.err ++log4j.appender.console.layout = org.apache.log4j.PatternLayout ++log4j.appender.console.layout.ConversionPattern = %p: %m%n ++ ++log4j.rootLogger = WARN, console +-- +1.8.3.1 + + +From 730880bbd32aca11d5dd075c25aca68a8840b883 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 8 Nov 2016 16:42:01 +0100 +Subject: [PATCH 5/8] Added man pages for logging configuration. + +New man pages have been added for the common and server logging +configurations. 
+ +https://fedorahosted.org/pki/ticket/1897 +(cherry picked from commit dbff34d56615e888823c89a4a4f6d476bb1ccf17) +(cherry picked from commit 751df721c158f98320d6abc37ef4380acf29a42a) +--- + base/common/man/man5/pki-logging.5 | 94 +++++++++++++++ + base/common/share/etc/logging.properties | 2 - + base/server/man/man5/pki-server-logging.5 | 191 ++++++++++++++++++++++++++++++ + 3 files changed, 285 insertions(+), 2 deletions(-) + create mode 100644 base/common/man/man5/pki-logging.5 + create mode 100644 base/server/man/man5/pki-server-logging.5 + +diff --git a/base/common/man/man5/pki-logging.5 b/base/common/man/man5/pki-logging.5 +new file mode 100644 +index 0000000..ab37402 +--- /dev/null ++++ b/base/common/man/man5/pki-logging.5 +@@ -0,0 +1,94 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH pki-logging 5 "November 3, 2016" "version 10.3" "PKI Common Logging Configuration" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++pki-logging \- PKI Common Logging Configuration ++ ++.SH LOCATION ++/usr/share/pki/etc/logging.properties, /etc/pki/logging.properties ++ ++.SH DESCRIPTION ++ ++PKI clients and tools use java.util.logging (JUL) as the logging framework ++(see https://docs.oracle.com/javase/8/docs/api/java/util/logging/package-summary.html). ++ ++The default logging configuration is located at /usr/share/pki/etc/logging.properties. ++ ++By default only log messages with level WARNING or higher will be logged on the console. 
++ ++.IP ++.nf ++java.util.logging.ConsoleHandler.level = ALL ++java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter ++java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n ++ ++\[char46]level = WARNING ++\[char46]handlers = java.util.logging.ConsoleHandler ++.fi ++.PP ++ ++For more information see the following documents: ++ ++.nf ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/ConsoleHandler.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/SimpleFormatter.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/Formatter.html ++.fi ++ ++.SH CUSTOMIZATION ++ ++To customize the logging configuration, copy the default logging configuration into a new location: ++ ++$ cp /usr/share/pki/etc/logging.properties /etc/pki/logging.properties ++ ++Then edit the file as needed. ++For example, to troubleshoot issues with PKI library add the following lines: ++ ++.IP ++.nf ++netscape.level = ALL ++com.netscape.level = ALL ++org.dogtagpki.level = ALL ++.fi ++.PP ++ ++To troubleshoot issues with RESTEasy add the following line: ++ ++.IP ++.nf ++org.jboss.resteasy.level = ALL ++.fi ++.PP ++ ++Then specify the location of the custom logging configuration in the following parameter in /etc/pki/pki.conf: ++ ++.IP ++.nf ++LOGGING_CONFIG=/etc/pki/logging.properties ++.fi ++.PP ++ ++Then restart the application. ++ ++.SH AUTHORS ++Dogtag Team . ++ ++.SH COPYRIGHT ++Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. 
++ ++.SH SEE ALSO ++.BR pki-server-logging(5) +diff --git a/base/common/share/etc/logging.properties b/base/common/share/etc/logging.properties +index fe879c4..2a14c4e 100644 +--- a/base/common/share/etc/logging.properties ++++ b/base/common/share/etc/logging.properties +@@ -19,8 +19,6 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + +-handlers = java.util.logging.ConsoleHandler +- + java.util.logging.ConsoleHandler.level = ALL + java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter + java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n +diff --git a/base/server/man/man5/pki-server-logging.5 b/base/server/man/man5/pki-server-logging.5 +new file mode 100644 +index 0000000..9aed7d8 +--- /dev/null ++++ b/base/server/man/man5/pki-server-logging.5 +@@ -0,0 +1,191 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH pki-server-logging 5 "November 3, 2016" "version 10.3" "PKI Server Logging Configuration" Dogtag Team ++.\" Please adjust this date whenever revising the man page. 
++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++pki-server-logging \- PKI Server Logging Configuration ++ ++.SH LOCATION ++/etc/pki//logging.properties, /var/lib/pki//lib/log4j.properties, /etc/pki///CS.cfg ++ ++.SH DESCRIPTION ++ ++PKI server logging can be configured using the following logging frameworks: ++ ++.nf ++- java.util.logging (JUL) (https://docs.oracle.com/javase/8/docs/api/java/util/logging/package-summary.html) ++- Log4j (http://logging.apache.org/log4j/1.2/) ++- Internal Logging ++.fi ++ ++.SS java.util.logging (JUL) ++ ++Tomcat uses JUL as the default logging framework. ++The configuration is described in http://tomcat.apache.org/tomcat-7.0-doc/logging.html and http://tomcat.apache.org/tomcat-8.0-doc/logging.html. ++ ++The default configuration is located at /usr/share/pki/server/conf/logging.properties. ++During server deployment a link will be created at /etc/pki//logging.properties. ++ ++By default only log messages with level WARNING or higher will be logged on the console (i.e. systemd journal). 
++ ++.IP ++.nf ++java.util.logging.ConsoleHandler.level = ALL ++java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter ++java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n ++ ++\[char46]level = WARNING ++\[char46]handlers = java.util.logging.ConsoleHandler ++.fi ++.PP ++ ++The systemd journal can be viewed with the following command: ++ ++.nf ++$ journalctl -u pki-tomcatd@.service ++.fi ++ ++For more information see the following documents: ++ ++.nf ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/ConsoleHandler.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/logging/SimpleFormatter.html ++- https://docs.oracle.com/javase/8/docs/api/java/util/Formatter.html ++.fi ++ ++.SS Log4j ++ ++The default Tomcat 7 classpath does include Log4j, but the server itself is not configured to use Log4j for logging by default. ++However, since the Log4j is in the classpath the RESTEasy will use Log4j for logging automatically (see https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/Installation_Configuration.html#RESTEasyLogging). ++ ++The default Log4j configuration is located at /usr/share/pki/server/conf/log4j.properties. ++During server deployment a link will be created at /var/lib/pki//lib/log4j.properties. ++ ++By default only log messages with level WARN or higher will be logged on the console (i.e. systemd journal). ++ ++.IP ++.nf ++log4j.appender.console = org.apache.log4j.ConsoleAppender ++log4j.appender.console.Target = System.err ++log4j.appender.console.layout = org.apache.log4j.PatternLayout ++log4j.appender.console.layout.ConversionPattern = %p: %m%n ++ ++log4j.rootLogger = WARN, console ++.fi ++.PP ++ ++The default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL instead. 
++ ++For more information see the following documents: ++ ++.nf ++- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/ConsoleAppender.html ++- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html ++- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayout.html ++.fi ++ ++.SS Internal Logging ++ ++Each PKI subsystem uses an internal logging framework for debugging purposes. ++ ++The logging configuration is stored in /etc/pki///CS.cfg. ++ ++.IP ++.nf ++debug.enabled=true ++debug.level=0 ++debug.filename=/var/lib/pki//logs//debug ++debug.hashkeytypes= ++debug.showcaller=false ++.fi ++.PP ++ ++The \fBdebug.enabled\fP determines whether the debug log is enabled. By default it is enabled. ++ ++The \fBdebug.level\fP determines the amount of details to be logged. The value ranges from 0 (most details) to 10 (least details). The default is 0. ++ ++The \fBdebug.filename\fP determines the debug log file location. By default it is located at /var/lib/pki//logs//debug. ++ ++The \fBdebug.hashkeytypes\fP is a comma-separated list of additional components to log. By default it's empty. ++ ++The \fBdebug.showcaller\fP determines whether to include the caller information in the log message. By default it's disabled. ++ ++.SH CUSTOMIZATION ++ ++.SS java.util.logging (JUL) ++ ++To customize JUL configuration, replace the link with a copy of the default configuration: ++ ++.nf ++$ rm -f /etc/pki//logging.properties ++$ cp /usr/share/pki/server/conf/logging.properties /etc/pki/ ++$ chown pkiuser.pkiuser /etc/pki//logging.properties ++.fi ++ ++Then edit the file as needed. 
++For example, to troubleshoot issues with PKI library add the following lines: ++ ++.IP ++.nf ++netscape.level = ALL ++com.netscape.level = ALL ++org.dogtagpki.level = ALL ++.fi ++.PP ++ ++To troubleshoot issues with RESTEasy add the following line (unless Log4j is installed in Tomcat classpath): ++ ++.IP ++.nf ++org.jboss.resteasy.level = ALL ++.fi ++.PP ++ ++Then restart the server. ++ ++.SS Log4j ++ ++To customize Log4j configuration, replace the link with a copy of the default configuration: ++ ++.nf ++$ rm -f /var/lib/pki//lib/log4j.properties ++$ cp /usr/share/pki/server/conf/log4j.properties /var/lib/pki//lib ++$ chown pkiuser.pkiuser /var/lib/pki//lib/log4j.properties ++.fi ++ ++Then edit the file as needed. ++For example, to troubleshoot issues with RESTEasy add the following line (unless Log4j is not installed in Tomcat classpath): ++ ++.IP ++.nf ++log4j.logger.org.jboss.resteasy = ALL ++.fi ++.PP ++ ++Then restart the server. ++ ++.SS Internal Logging ++ ++To customize the internal logging configuration, edit the CS.cfg as needed, then restart the server. ++ ++.SH AUTHORS ++Dogtag Team . ++ ++.SH COPYRIGHT ++Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. ++ ++.SH SEE ALSO ++.BR pki-logging(5) +-- +1.8.3.1 + + +From f76d73502c7b013f0fe7eb3b5665553a8005ad02 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Sat, 29 Oct 2016 07:53:02 +0200 +Subject: [PATCH 7/8] Added man pages for PKCS #12 utilities. + +New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and +pki-pkcs12-key. 
+ +https://fedorahosted.org/pki/ticket/1920 +(cherry picked from commit e8b2aa675f617efd2d40984651e0b501dc334690) +(cherry picked from commit 580410f5b2a90a46b0a456c2a6c8523e56e55f77) +--- + base/java-tools/man/man1/pki-pkcs12-cert.1 | 122 +++++++++++++++++++++++++++++ + base/java-tools/man/man1/pki-pkcs12-key.1 | 76 ++++++++++++++++++ + base/java-tools/man/man1/pki-pkcs12.1 | 114 +++++++++++++++++++++++++++ + 3 files changed, 312 insertions(+) + create mode 100644 base/java-tools/man/man1/pki-pkcs12-cert.1 + create mode 100644 base/java-tools/man/man1/pki-pkcs12-key.1 + create mode 100644 base/java-tools/man/man1/pki-pkcs12.1 + +diff --git a/base/java-tools/man/man1/pki-pkcs12-cert.1 b/base/java-tools/man/man1/pki-pkcs12-cert.1 +new file mode 100644 +index 0000000..8a94de7 +--- /dev/null ++++ b/base/java-tools/man/man1/pki-pkcs12-cert.1 +@@ -0,0 +1,122 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH pki-pkcs12-cert 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Certificate Management Commands" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++pki-pkcs12-cert \- Command-Line Interface for managing individual certificates in PKCS #12 file. 
++ ++.SH SYNOPSIS ++.nf ++\fBpki\fR [CLI options] \fBpkcs12-cert\fR ++\fBpki\fR [CLI options] \fBpkcs12-cert-find\fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-cert-export \fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-cert-add \fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-cert-mod \fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-cert-del \fR [command options] ++.fi ++ ++.SH DESCRIPTION ++.PP ++The \fBpki pkcs12-cert\fR commands provide command-line interfaces to manage certificates in a PKCS #12 file. ++ ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert-find\fR [command options] ++.RS 4 ++This command is to list certificates in a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert-export \fR [command options] ++.RS 4 ++This command is to export a certificate from a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert-add \fR [command options] ++.RS 4 ++This command is to add a certificate into a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert-mod \fR [command options] ++.RS 4 ++This command is to modify a certificate in a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert-del \fR [command options] ++.RS 4 ++This command is to delete a certificate from a PKCS #12 file. ++.RE ++ ++.SH OPTIONS ++The CLI options are described in \fBpki\fR(1). ++ ++.SH OPERATIONS ++ ++To view available profile commands, type \fBpki pkcs12-cert\fP. To view each command's usage, type \fB pki pkcs12-cert- \-\-help\fP. ++ ++All \fBpkcs12-cert\fP commands require a PKCS #12 file and its password. ++The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter. ++The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter. ++ ++Some \fBpki pkcs12-cert\fP commands require an NSS database and its password. 
++The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb). ++The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter. ++ ++.SS Viewing certificates in a PKCS #12 file ++ ++To list the certificates in a PKCS #12 file: ++ ++.B pki pkcs12-cert-find ++ ++.SS Exporting a certificate from a PKCS #12 file ++ ++To export a certificate from a PKCS #12 file into a file in PEM format: ++ ++.B pki pkcs12-cert-export ++ ++The certificate file can be specified with the \fB--cert-file\fP parameter. ++ ++.SS Adding a certificate from an NSS database into a PKCS #12 file ++ ++To add a certificate including its key and trust flags from an NSS database into a PKCS #12 file: ++ ++.B pki pkcs12-cert-add ++ ++If the PKCS #12 file does not exist, it will be created automatically. ++If the PKCS #12 file already exists, the certificate will be added into the file. ++ ++The trust flags can be overwritten with the \fB--trust-flags\fP parameter. ++If the key is not needed, specify the \fB--no-key\fP parameter. ++ ++.SS Modifying a certificate in a PKCS #12 file ++ ++To modify the trust flags of a certificate in a PKCS #12 file: ++ ++.B pki pkcs12-cert-mod ++ ++The trust flags can be specified with the \fB--trust-flags\fP parameter. ++ ++.SS Deleting a certificate from a PKCS #12 file ++ ++To delete a certificate and its key from a PKCS #12 file: ++ ++.B pki pkcs12-cert-del ++ ++.SH AUTHORS ++Endi S. Dewata . ++ ++.SH COPYRIGHT ++Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. 
++ ++.SH SEE ALSO ++.BR pki-pkcs12(1) +diff --git a/base/java-tools/man/man1/pki-pkcs12-key.1 b/base/java-tools/man/man1/pki-pkcs12-key.1 +new file mode 100644 +index 0000000..884278d +--- /dev/null ++++ b/base/java-tools/man/man1/pki-pkcs12-key.1 +@@ -0,0 +1,76 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH pki-pkcs12-key 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Key Management Commands" Dogtag Team ++.\" Please adjust this date whenever revising the man page. ++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++pki-pkcs12-key \- Command-Line Interface for managing individual keys in PKCS #12 file. ++ ++.SH SYNOPSIS ++.nf ++\fBpki\fR [CLI options] \fBpkcs12-key\fR ++\fBpki\fR [CLI options] \fBpkcs12-key-find\fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-key-del \fR [command options] ++.fi ++ ++.SH DESCRIPTION ++.PP ++The \fBpki pkcs12-key\fR commands provide command-line interfaces to manage keys in a PKCS #12 file. ++ ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-key-find\fR [command options] ++.RS 4 ++This command is to list keys in a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-key-del \fR [command options] ++.RS 4 ++This command is to delete a key from a PKCS #12 file. ++.RE ++ ++.SH OPTIONS ++The CLI options are described in \fBpki\fR(1). ++ ++.SH OPERATIONS ++ ++To view available profile commands, type \fBpki pkcs12-key\fP. To view each command's usage, type \fB pki pkcs12-key- \-\-help\fP. ++ ++All \fBpkcs12-key\fP commands require a PKCS #12 file and its password. 
++The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter. ++The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter. ++ ++All \fBpkcs12-key\fP commands also require an NSS database and its password. ++The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb). ++The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter. ++ ++.SS Viewing keys in a PKCS #12 file ++ ++To list the keys in a PKCS #12 file: ++ ++.B pki pkcs12-key-find ++ ++.SS Deleting a key from a PKCS #12 file ++ ++To delete a key from a PKCS #12 file: ++ ++.B pki pkcs12-key-del ++ ++.SH AUTHORS ++Endi S. Dewata . ++ ++.SH COPYRIGHT ++Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. ++ ++.SH SEE ALSO ++.BR pki-pkcs12(1) +diff --git a/base/java-tools/man/man1/pki-pkcs12.1 b/base/java-tools/man/man1/pki-pkcs12.1 +new file mode 100644 +index 0000000..5056930 +--- /dev/null ++++ b/base/java-tools/man/man1/pki-pkcs12.1 +@@ -0,0 +1,114 @@ ++.\" First parameter, NAME, should be all caps ++.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection ++.\" other parameters are allowed: see man(7), man(1) ++.TH pki-pkcs12 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Management Commands" Dogtag Team ++.\" Please adjust this date whenever revising the man page. 
++.\" ++.\" Some roff macros, for reference: ++.\" .nh disable hyphenation ++.\" .hy enable hyphenation ++.\" .ad l left justify ++.\" .ad b justify to both left and right margins ++.\" .nf disable filling ++.\" .fi enable filling ++.\" .br insert line break ++.\" .sp insert n+1 empty lines ++.\" for man page specific macros, see man(7) ++.SH NAME ++pki-pkcs12 \- Command-Line Interface for managing certificates and keys in PKCS #12 file. ++ ++.SH SYNOPSIS ++.nf ++\fBpki\fR [CLI options] \fBpkcs12\fR ++\fBpki\fR [CLI options] \fBpkcs12-export\fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-import\fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-cert\fR [command options] ++\fBpki\fR [CLI options] \fBpkcs12-key\fR [command options] ++.fi ++ ++.SH DESCRIPTION ++.PP ++The \fBpki pkcs12\fR commands provide command-line interfaces to manage certificate and keys in a PKCS #12 file. ++ ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-export\fR [command options] ++.RS 4 ++This command is to export all certificates and keys from an NSS database into a PKCS #12 file. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-import\fR [command options] ++.RS 4 ++This command is to import all certificates and keys from a PKCS #12 file into an NSS database. ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-cert\fR [command options] ++.RS 4 ++This command is to manage individual certificates in a PKCS #12 file. See \fBpki-pkcs12-cert\fR(1). ++.RE ++.PP ++\fBpki\fR [CLI options] \fBpkcs12-key\fR [command options] ++.RS 4 ++This command is to import individual keys in a PKCS #12 file. See \fBpki-pkcs12-key\fR(1). ++.RE ++ ++.SH OPTIONS ++The CLI options are described in \fBpki\fR(1). ++ ++.SH OPERATIONS ++ ++To view available PKCS #12 commands, type \fBpki pkcs12\fP. To view each command's usage, type \fB pki pkcs12- \-\-help\fP. ++ ++All \fBpki pkcs12\fP commands require a PKCS #12 file and its password. ++The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter. 
++The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter. ++ ++Some \fBpki pkcs12\fP commands require an NSS database and its password. ++The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb). ++The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter. ++ ++.SS Exporting all certificates and keys into a PKCS #12 file ++ ++To export all certificates and keys from an NSS database into a PKCS #12 file: ++ ++.B pki pkcs12-export [nicknames...] ++ ++By default the command will export all certificates in the NSS database. ++To export certain certificates only, specify the certificate nicknames as separate arguments. ++ ++By default the command will always create a new PKCS #12 file. ++To export into an existing PKCS #12 file, specify the \fB--append\fP parameter. ++ ++By default the command will include the certificate chain. ++To export without certificate chain, specify the \fB--no-chain\fP parameter. ++ ++By default the command will include the key of each certificate. ++To export without the key, specify the \fB--no-key\fP parameter. ++ ++By default the command will include the trust flags of each certificate. ++To export without the trust flags, specify the \fB--no-trust-flags\fP parameter. ++ ++.SS Importing certificates and keys from a PKCS #12 file ++ ++To import certificates and keys from a PKCS #12 file into an NSS database: ++ ++.B pki pkcs12-import ++ ++By default the command will include all certificates in the PKCS #12 file. ++To import without the CA certificates (certificates without keys), specify the \fB--no-ca-certs\fP parameter. ++To import without the user certificates (certificates with keys), specify the \fB--no-user-certs\fP parameter. ++ ++By default the command will skip a certificate if it already exists in the NSS database. 
++To overwrite the nickname, the key, and the trust flags of existing certificates, specify the \fB--overwrite\fP parameter.
++
++By default the command will include the trust flags of each certificate.
++To import without the trust flags, specify the \fB--no-trust-flags\fP parameter.
++
++.SH AUTHORS
++Endi S. Dewata .
++
++.SH COPYRIGHT
++Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
++
++.SH SEE ALSO
++.BR pki-pkcs12-cert(1),
++.BR pki-pkcs12-key(1)
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch b/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch
new file mode 100644
index 0000000..356c7e5
--- /dev/null
+++ b/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch
@@ -0,0 +1,53 @@ +From 74b69a5c718b21958cf17287f2fe49d3490dd80e Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Thu, 8 Dec 2016 16:35:20 -0800 +Subject: [PATCH] Resolve: pkispawn does not change default ecc key size from + nistp256 when nistp384 is specified in spawn config + +Ticket #2552. + +This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the +"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense. + +(cherry picked from commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1) +(cherry picked from commit ad986509b8446d8fbe02d68f4ff62cb3d39c3fdd) +--- + .../cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 9d7c176..26c97fe 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -34,6 +34,8 @@ import javax.ws.rs.core.HttpHeaders; + import javax.ws.rs.core.Request; + import javax.ws.rs.core.UriInfo; + ++import netscape.security.x509.X509CertImpl; ++ + import org.apache.commons.lang.StringUtils; + import org.apache.commons.lang.mutable.MutableBoolean; + import org.mozilla.jss.CryptoManager; +@@ -66,8 +68,6 @@ import com.netscape.cms.servlet.csadmin.SystemCertDataFactory; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Utils; + +-import netscape.security.x509.X509CertImpl; +- + /** + * @author alee + * +@@ -457,8 +457,8 @@ public class 
SystemConfigService extends PKIService implements SystemConfigResou + + } else if (!request.getStepTwo()) { + if (keytype.equals("ecc")) { +- String curvename = certData.getKeyCurveName() != null ? +- certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); ++ String curvename = certData.getKeySize() != null ? ++ certData.getKeySize() : cs.getString("keys.ecc.curve.default"); + cs.putString("preop.cert." + tag + ".curvename.name", curvename); + ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch b/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch new file mode 100644 index 0000000..1b3ba6d --- /dev/null +++ b/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch 
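Review bot: The ECC branch now takes the curve name from `certData.getKeySize()`, and nothing in the hunk records that the keySize field is being overloaded to carry a curve name, so the next reader of this line (or of `getKeyCurveName()`, which this branch no longer consults) will read it as a type confusion and be tempted to "fix" it back. A comment above the assignment, `// For ECC the client sends the curve name in the keySize field (ticket #2552); getKeyCurveName() is not populated.`, would pin that contract where the value is read. The value is then written to `preop.cert.<tag>.curvename.name` and handed to `ConfigurationUtils.createECCKeyPair` with no check in this method that it names a supported curve; whether that helper validates it cannot be seen from the hunk. The `X509CertImpl` import move in the first two hunks is cosmetic. The enclosing method starts and ends outside the hunk.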
@@ -0,0 +1,199 @@ +From ea4121886b2f8d9f2de34edcb20b1a9caae9c2c5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 15 Nov 2016 21:32:53 +0100 +Subject: [PATCH 1/2] Fixed problem installing subordinate CA with HSM in FIPS + mode. + +Due to certutil issue (bug #1393668) the installation code has +been modified to import certificates into the NSS database in +two steps. This workaround is needed to install subordinate CA +with HSM in FIPS mode. + +First, the certificate will be imported into the HSM using the +HSM password without the trust attributes. Then, the certificate +will be imported into the internal token using the internal token +password with the trust attributes. + +https://fedorahosted.org/pki/ticket/2543 +(cherry picked from commit 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b) +(cherry picked from commit b058ded6f9708edc601041077339947f0f87c19f) +--- + base/common/python/pki/nssdb.py | 51 ++++++++++++++++++++++++------- + base/server/python/pki/server/__init__.py | 3 +- + 2 files changed, 42 insertions(+), 12 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index 736efca..0a674c0 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -99,7 +99,8 @@ def get_file_type(filename): + + class NSSDatabase(object): + +- def __init__(self, directory=None, token=None, password=None, password_file=None): ++ def __init__(self, directory=None, token=None, password=None, password_file=None, ++ internal_password=None, internal_password_file=None): + + if not directory: + directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb') +@@ -124,25 +125,53 @@ class NSSDatabase(object): + else: + raise Exception('Missing NSS database password') + ++ if internal_password: ++ # Store the specified internal token into password file. 
++ self.internal_password_file = os.path.join(self.tmpdir, 'internal_password.txt') ++ with open(self.internal_password_file, 'w') as f: ++ f.write(internal_password) ++ ++ elif internal_password_file: ++ # Use the specified internal token password file. ++ self.internal_password_file = internal_password_file ++ ++ else: ++ # By default use the same password for both internal token and HSM. ++ self.internal_password_file = self.password_file ++ + def close(self): + shutil.rmtree(self.tmpdir) + + def add_cert(self, nickname, cert_file, trust_attributes=',,'): +- cmd = [ +- 'certutil', +- '-A', +- '-d', self.directory +- ] + ++ # Add cert in two steps due to bug #1393668. ++ ++ # First, import cert into HSM without trust attributes. + if self.token: +- cmd.extend(['-h', self.token]) ++ cmd = [ ++ 'certutil', ++ '-A', ++ '-d', self.directory, ++ '-h', self.token, ++ '-f', self.password_file, ++ '-n', nickname, ++ '-i', cert_file, ++ '-t', '' ++ ] + +- cmd.extend([ +- '-f', self.password_file, ++ # Ignore return code due to bug #1393668. ++ subprocess.call(cmd) ++ ++ # Then, import cert into internal token with trust attributes. 
++ cmd = [ ++ 'certutil', ++ '-A', ++ '-d', self.directory, ++ '-f', self.internal_password_file, + '-n', nickname, + '-i', cert_file, + '-t', trust_attributes +- ]) ++ ] + + subprocess.check_call(cmd) + +@@ -584,7 +613,7 @@ class NSSDatabase(object): + else: + n = '%s #%d' % (nickname, counter) + +- self.add_cert(n, cert_file, trust_attributes) ++ self.add_cert(n, cert_file, trust_attributes=trust_attributes) + nicks.append(n) + + counter += 1 +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 13b3258..d556312 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -654,7 +654,8 @@ class PKIInstance(object): + return pki.nssdb.NSSDatabase( + directory=self.nssdb_dir, + token=token, +- password=self.get_token_password(token)) ++ password=self.get_token_password(token), ++ internal_password=self.get_token_password()) + + def external_cert_exists(self, nickname, token): + for cert in self.external_certs: +-- +1.8.3.1 + + +From de51508e2262cf98de4360c92af69249e2ef0876 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 16 Nov 2016 03:42:49 +0100 +Subject: [PATCH 2/2] Fixed hanging subordinate CA with HSM installation in + FIPS mode. + +When installing subordinate CA with HSM, the installer calls the +pki CLI (which is implemented using JSS) to validate the imported +CA certificate in HSM. Normally, the HSM password is specified as +CLI parameter, but in FIPS mode JSS requires both the HSM and the +internal token passwords. Since the CLI only takes one password, +JSS will prompt for the missing one on the console causing the +installation to hang. + +As a temporary solution, the pki-server subsystem-cert-validate +command has been modified to validate certificates stored in the +internal token only and it will use the internal token password, +so only a single password is required. 
Further investigation in +CLI/JSS/NSS is needed to support validating certificates in HSM +without password prompts. + +https://fedorahosted.org/pki/ticket/2543 +(cherry picked from commit 65013d222a9e612aaaaf49ee03ceed5d6c154f59) +(cherry picked from commit c8553a5308e23b66cee7fc1a357042f99d07b0c7) +--- + base/server/python/pki/server/cli/subsystem.py | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 42da26e..04461f2 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -951,11 +951,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI): + + print(' Token: %s' % token) + +- if token and token.lower() in ['internal', 'internal key storage token']: +- token = None +- +- # get token password and store in temporary file +- passwd = instance.get_token_password(token) ++ # get internal token password and store in temporary file ++ passwd = instance.get_token_password() + + pwfile_handle, pwfile_path = mkstemp() + os.write(pwfile_handle, passwd) +@@ -964,15 +961,13 @@ class SubsystemCertValidateCLI(pki.cli.CLI): + try: + cmd = ['pki', + '-d', instance.nssdb_dir, +- '-C', pwfile_path] +- +- if token: +- cmd.extend(['--token', token]) ++ '-C', pwfile_path, ++ 'client-cert-validate', ++ nickname, ++ '--certusage', usage] + +- cmd.extend(['client-cert-validate', +- nickname, +- '--certusage', usage +- ]) ++ if self.verbose: ++ print('Command: %s' % cmd) + + subprocess.check_output(cmd, stderr=subprocess.STDOUT) + print(' Status: VALID') +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-updated-account-info.patch b/SOURCES/pki-core-updated-account-info.patch new file mode 100644 index 0000000..f4d1a22 --- /dev/null +++ b/SOURCES/pki-core-updated-account-info.patch 
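Review bot: In `NSSDatabase.add_cert` the first certutil invocation (the HSM import with `-t ''`) is run with `subprocess.call(cmd)` and its return code is discarded, so any failure other than the one described in bug #1393668 — wrong HSM password, token not present, unreadable `cert_file` — goes unnoticed, and the following `check_call` then still installs the certificate with trust attributes in the internal token. At minimum capture the code and surface it, `rc = subprocess.call(cmd)` followed by `if rc != 0:` and a warning naming `nickname`, `self.token` and `rc`, and narrow the comment to say what certutil returns in the known-bad case so a real error can be told apart from the tolerated one. In the second patch `SubsystemCertValidateCLI` now always validates against the internal token, yet the `Token:` line printed just above may name an HSM; a comment next to `passwd = instance.get_token_password()` (and ideally the printed output) should state that HSM-resident certificates are not the ones being validated, so `Status: VALID` is not read as covering them. The new `internal_password` is written to `internal_password.txt` under `self.tmpdir`, mirroring how `password_file` appears to be handled, but the directory's creation and mode are outside the hunk, so confirm it is private (0700) before a second secret relies on it. `add_cert` is complete in the hunk; the enclosing `NSSDatabase` class continues outside it.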
@@ -0,0 +1,170 @@ +From ebe79a4db05662091bd15efc860ef6923beff2aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 20 Oct 2016 00:54:47 +0200 +Subject: [PATCH] Updated AccountInfo. + +The AccountInfo has been changed to extend the ResourceMessage +such that it can be used to pass the list of accessible +components as an attribute. + +https://fedorahosted.org/pki/ticket/2523 +(cherry picked from commit 6d5d15edebeb1ba113e4f3d5b2bb1ba93a92ce1d) +(cherry picked from commit 388e443b99999dd2aa0832aaed0cdf43ee260b81) +--- + .../com/netscape/certsrv/account/AccountInfo.java | 8 ++-- + .../com/netscape/certsrv/base/ResourceMessage.java | 11 +++++- + .../org/dogtagpki/server/rest/AccountService.java | 46 ++++++++-------------- + 3 files changed, 31 insertions(+), 34 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/account/AccountInfo.java b/base/common/src/com/netscape/certsrv/account/AccountInfo.java +index 7943d22..3310bf0 100644 +--- a/base/common/src/com/netscape/certsrv/account/AccountInfo.java ++++ b/base/common/src/com/netscape/certsrv/account/AccountInfo.java +@@ -33,11 +33,13 @@ import javax.xml.bind.annotation.XmlRootElement; + import javax.xml.bind.annotation.adapters.XmlAdapter; + import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; + ++import com.netscape.certsrv.base.ResourceMessage; ++ + /** + * @author Endi S. Dewata + */ + @XmlRootElement(name="Account") +-public class AccountInfo { ++public class AccountInfo extends ResourceMessage { + + public static Marshaller marshaller; + public static Unmarshaller unmarshaller; +@@ -98,7 +100,7 @@ public class AccountInfo { + @Override + public int hashCode() { + final int prime = 31; +- int result = 1; ++ int result = super.hashCode(); + result = prime * result + ((email == null) ? 0 : email.hashCode()); + result = prime * result + ((fullName == null) ? 0 : fullName.hashCode()); + result = prime * result + ((id == null) ? 
0 : id.hashCode()); +@@ -110,7 +112,7 @@ public class AccountInfo { + public boolean equals(Object obj) { + if (this == obj) + return true; +- if (obj == null) ++ if (!super.equals(obj)) + return false; + if (getClass() != obj.getClass()) + return false; +diff --git a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java +index 1214b45..85d0d07 100644 +--- a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java ++++ b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java +@@ -26,6 +26,7 @@ import javax.xml.bind.annotation.XmlValue; + import javax.xml.bind.annotation.adapters.XmlAdapter; + import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; + ++import com.netscape.certsrv.account.AccountInfo; + import com.netscape.certsrv.key.AsymKeyGenerationRequest; + import com.netscape.certsrv.key.KeyArchivalRequest; + import com.netscape.certsrv.key.KeyRecoveryRequest; +@@ -35,8 +36,14 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest; + * @author Ade Lee + */ + @XmlRootElement(name = "ResourceMessage") +-@XmlSeeAlso({ KeyArchivalRequest.class, KeyRecoveryRequest.class, SymKeyGenerationRequest.class, +- PKIException.Data.class, AsymKeyGenerationRequest.class }) ++@XmlSeeAlso({ ++ AccountInfo.class, ++ KeyArchivalRequest.class, ++ KeyRecoveryRequest.class, ++ SymKeyGenerationRequest.class, ++ PKIException.Data.class, ++ AsymKeyGenerationRequest.class ++}) + @XmlAccessorType(XmlAccessType.NONE) + public class ResourceMessage { + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java +index 827e99e..673db45 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java +@@ -21,13 +21,8 @@ package org.dogtagpki.server.rest; + import java.security.Principal; + import java.util.Arrays; + 
+-import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpSession; +-import javax.ws.rs.core.Context; +-import javax.ws.rs.core.HttpHeaders; +-import javax.ws.rs.core.Request; + import javax.ws.rs.core.Response; +-import javax.ws.rs.core.UriInfo; + + import org.apache.catalina.realm.GenericPrincipal; + import org.apache.commons.lang.StringUtils; +@@ -43,47 +38,40 @@ import com.netscape.cms.servlet.base.PKIService; + */ + public class AccountService extends PKIService implements AccountResource { + +- @Context +- private UriInfo uriInfo; +- +- @Context +- private HttpHeaders headers; +- +- @Context +- private Request request; +- +- @Context +- private HttpServletRequest servletRequest; +- +- @Override +- public Response login() { +- HttpSession session = servletRequest.getSession(); +- System.out.println("Creating session "+session.getId()); +- ++ protected AccountInfo createAccountInfo() { + Principal principal = servletRequest.getUserPrincipal(); +- System.out.println("Principal: "+principal); ++ System.out.println("Principal: " + principal); + +- AccountInfo response = new AccountInfo(); ++ AccountInfo accountInfo = new AccountInfo(); + String name = principal.getName(); +- response.setID(name); ++ accountInfo.setID(name); + + if (principal instanceof PKIPrincipal) { + PKIPrincipal pkiPrincipal = (PKIPrincipal)principal; + IUser user = pkiPrincipal.getUser(); + + String fullName = user.getFullName(); +- if (!StringUtils.isEmpty(fullName)) response.setFullName(fullName); ++ if (!StringUtils.isEmpty(fullName)) accountInfo.setFullName(fullName); + + String email = user.getEmail(); +- if (!StringUtils.isEmpty(email)) response.setEmail(email); ++ if (!StringUtils.isEmpty(email)) accountInfo.setEmail(email); + } + + if (principal instanceof GenericPrincipal) { + String[] roles = ((GenericPrincipal) principal).getRoles(); +- response.setRoles(Arrays.asList(roles)); ++ accountInfo.setRoles(Arrays.asList(roles)); + } + +- return 
createOKResponse(response); ++ return accountInfo; ++ } ++ ++ @Override ++ public Response login() { ++ HttpSession session = servletRequest.getSession(); ++ System.out.println("Creating session " + session.getId()); ++ ++ AccountInfo accountInfo = createAccountInfo(); ++ return createOKResponse(accountInfo); + } + + @Override +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-user-cert-add-authentication-failure.patch b/SOURCES/pki-core-user-cert-add-authentication-failure.patch new file mode 100644 index 0000000..6f8d4be --- /dev/null +++ b/SOURCES/pki-core-user-cert-add-authentication-failure.patch 
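Review bot: The new `createAccountInfo()` dereferences `servletRequest.getUserPrincipal()` without a null check (`principal.getName()` two lines later), and because it is now a protected hook rather than the body of `login()` it can be reached on a path where the container has not authenticated the request, turning an authorization failure into a NullPointerException. A guard at the top, `if (principal == null) throw new PKIException("Not authenticated");` (or whichever exception `PKIService` uses for that case), keeps the failure explicit and avoids printing `Principal: null` to stdout. The `@Context` fields removed here are presumably inherited from `PKIService`, which is not visible in the hunk. `AccountInfo.equals()` now calls `super.equals(obj)` before its own `getClass()` check, which is only correct if `ResourceMessage.equals()` is itself null- and class-safe — worth confirming since that method is not in the hunk. The `@XmlSeeAlso` addition makes `base.ResourceMessage` import `account.AccountInfo` while `AccountInfo` extends `ResourceMessage`, a package cycle that a one-line comment on the annotation should acknowledge as deliberate for JAXB.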
@@ -0,0 +1,137 @@
+From b408cbc053d02f462b87fc3648b181ce318a5b0a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Wed, 23 Nov 2016 04:30:00 +0100
+Subject: [PATCH 1/2] Refactored PKIConnection.get().
+
+The PKIConnection has been modified to provide two get() methods:
+one returning a generic Response object wnd the other returning an
+object with the specified type. The ConfigurationUtils has been
+modified accordingly.
+
+https://fedorahosted.org/pki/ticket/1517
+(cherry picked from commit 20656a1a0bb3fa402494fb5c1374c2b14dd29f2d)
+---
+ base/common/src/com/netscape/certsrv/client/PKIConnection.java | 8 ++++++--
+ .../src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 2 +-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+index 88a2089..301c4c6 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+@@ -458,13 +458,17 @@ public class PKIConnection {
+ }
+ }
+
+- public String get(String path) throws Exception {
++ public Response get(String path) throws Exception {
++ return get(path, Response.class);
++ }
++
++ public T get(String path, Class responseType) throws Exception {
+ String uri = config.getServerURI().toString();
+ if (path != null) {
+ uri += path;
+ }
+ ResteasyWebTarget target = resteasyClient.target(uri);
+- return target.request().get(String.class);
++ return target.request().get(responseType);
+ }
+
+ public String post(String path, MultivaluedMap content) throws Exception {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index afd8d28..bc6431c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -234,7 +234,7 @@ public class ConfigurationUtils {
+ PKIConnection connection = new PKIConnection(config);
+ if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
+ connection.setCallback(certApprovalCallback);
+- return connection.get(path);
++ return connection.get(path, String.class);
+ }
+
+ public static String post(String hostname, int port, boolean secure,
+--
+1.8.3.1
+
+
+From 222fd9bd489dbf6605c228353ac7c5bbef0eb5f7 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Wed, 23 Nov 2016 05:17:43 +0100
+Subject: [PATCH 2/2] Fixed problem with pki user-cert-add.
+
+Previously the pki user-cert-add fails to check whether the server
+has a CA subsystem when it's invoked over SSL. That is because the
+CLI tries to establish a new but improperly set up SSL connection.
+Now the CLI has been modified to use the existing server
+connection.
+
+https://fedorahosted.org/pki/ticket/1517
+(cherry picked from commit 2cc925cad40b5ec65e4c1c553c25e4165ee955f4)
+---
+ .../netscape/certsrv/client/SubsystemClient.java | 26 +++++----------------
+ 1 file changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
+index 3d44bce..bf329af 100644
+--- a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
++++ b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
+@@ -17,12 +17,9 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.client;
+
+-import java.net.URI;
+ import java.net.URISyntaxException;
+
+-import org.apache.http.HttpResponse;
+-import org.apache.http.client.methods.HttpGet;
+-import org.apache.http.impl.client.DefaultHttpClient;
++import javax.ws.rs.core.Response;
+
+ import com.netscape.certsrv.account.AccountClient;
+
+@@ -51,23 +48,12 @@ public class SubsystemClient extends Client {
+
+ public boolean exists() throws Exception {
+
+- ClientConfig config = client.getConfig();
+- URI serverURI = config.getServerURI();
+
+- URI subsystemURI = new URI(
+- serverURI.getScheme(),
+- null,
+- serverURI.getHost(),
+- serverURI.getPort(),
+- "/" + name,
+- null,
+- null);
++ PKIConnection connection = client.getConnection();
++ Response response = connection.get("/" + name);
+
+- DefaultHttpClient client = new DefaultHttpClient();
+- HttpGet method = new HttpGet(subsystemURI);
+ try {
+- HttpResponse response = client.execute(method);
+- int code = response.getStatusLine().getStatusCode();
++ int code = response.getStatus();
+
+ if (code == 200) {
+ return true;
+@@ -76,11 +62,11 @@ public class SubsystemClient extends Client {
+ return false;
+
+ } else {
+- throw new Exception("Error: " + response.getStatusLine());
++ throw new Exception("Error: " + response.getStatusInfo());
+ }
+
+ } finally {
+- method.releaseConnection();
++ response.close();
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 0b2b688..9fbafa5 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,8 +65,8 @@ Name: pki-core
 Version: 10.3.3
-Release: 14.el7_3
-#Release: 14%{?dist}
+#Release: 16%{?dist}
+Release: 16.el7_3
 Summary: Certificate System - PKI Core Components
 URL: http://pki.fedoraproject.org/
 License: GPLv2
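Review bot: The Response-returning `get(String path)` overload added to PKIConnection hands back an open javax.ws.rs.core.Response whose entity stream and connection are not released until the caller closes it, and the hunk adds no Javadoc saying so; SubsystemClient.exists() does close it in its finally block, but the next caller of the overload has nothing to tell them. Suggested Javadoc on the overload: `/** Returns the raw Response for {@code path}; the caller owns it and must call {@link Response#close()} to release the connection. */`. In exists(), the non-200/404 branch still throws a bare `Exception` whose message carries only `response.getStatusInfo()`; appending the requested path, e.g. `throw new Exception("Error: " + response.getStatusInfo() + " for /" + name);`, makes the failure attributable in client logs without changing the status handling.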
@@ -208,23 +208,41 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
 Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz
 %endif
+#######################
 ## pki-core-10.3.3-2
+#######################
 Patch1: pki-core-Fix-build-on-Fedora-25.patch
+#######################
 ## pki-core-10.3.3-3
+#######################
 Patch2: pki-core-post-re-base.patch
+#######################
 ## pki-core-10.3.3-5
+#######################
 Patch3: pki-core-beta.patch
+#######################
 ## pki-core-10.3.3-7
+#######################
 Patch4: pki-core-snapshot-1.patch
+#######################
 ## pki-core-10.3.3-8
+#######################
 Patch5: pki-core-snapshot-2.patch
+#######################
 ## pki-core-10.3.3-9
+#######################
 Patch6: pki-core-snapshot-3.patch
+#######################
 ## pki-core-10.3.3-10
+#######################
 Patch7: pki-core-snapshot-4.patch
+#######################
 ## pki-core-10.3.3-11
+#######################
 #Patch8: pki-core-rhel-post-snapshot-1.patch
+#######################
 ## pki-core-10.3.3-12
+#######################
 ## RHEL 7.3.z Batch Update 1
 Patch9: pki-core-two-step-external-CA-authorityID.patch
 Patch10: pki-core-compare-serial-DNs-host-authz-check.patch
@@ -236,12 +254,36 @@ Patch14: pki-core-typo-in-UserPwdDirAuthentication.patch
 #Patch15: pki-core-token-format-external-reg.patch
 #Patch16: pki-core-encryption-cert-auto-recovery-damaged-token.patch
 #Patch17: pki-core-pin-reset-policy.patch
+## RHEL 7.3.z Batch Update 1
 Patch18: pki-core-tps-token-setupSecureChannel-fips-mode.patch
+#######################
 ## pki-core-10.3.3-13
+#######################
 ## RHCS 9.1.z Batch Update 1
 ##Patch19: pki-core-target-agent-approve-list.patch
 ## RHEL 7.3.z Batch Update 1
 Patch20: pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
+#######################
+## pki-core-10.3.3-15
+#######################
+## RHEL 7.3.z Batch Update 2
+Patch21: pki-core-user-cert-add-authentication-failure.patch
+Patch22: pki-core-ca-cert-request-submit-missing-authentication.patch
+Patch23: pki-core-updated-account-info.patch
+Patch24: pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch
+Patch25: pki-core-pkispawn-ecc-key-size-change.patch
+Patch26: pki-core-log-properties-and-man-pages.patch
+## RHCS 9.1.z Batch Update 2
+#Patch27: pki-core-TPS-UI-target-agent-approve-list.patch
+#Patch28: pki-core-TPS-tokendb-encryption-cert-automatic-recovery.patch
+#######################
+## pki-core-10.3.3-16
+#######################
+## RHCS 9.1.z Batch Update 2
+#Patch29: pki-core-TPS-format-G-and-D-cards.patch
+#Patch30: pki-core-RHCS-log-properties.patch
+## RHEL 7.3.z Batch Update 2
+Patch31: pki-core-BASE-format-G-and-D-cards.patch
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -876,6 +918,17 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch18 -p1
 ##%patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+#%patch27 -p1
+#%patch28 -p1
+#%patch29 -p1
+#%patch30 -p1
+%patch31 -p1
 %clean
 %{__rm} -rf %{buildroot}
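Review bot: The commented-out `#%patch27 -p1` through `#%patch30 -p1` lines added to %prep depend on rpm leaving `%patch` unexpanded inside a comment, but rpm expands macros on comment lines too, and on newer rpm releases where %patch is a real macro a `#%patchN` line can be expanded against an undefined Patch tag and break the build. The existing `##%patch19 -p1` context line has the same shape, so the new lines follow the file's convention rather than introduce it, but the robust form escapes the percent sign: `#%%patch27 -p1` (and likewise for 28, 29, 30 and 19). The `#Patch27:`…`#Patch30:` tag lines contain no macro and are fine as written.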
@@ -1169,8 +1222,9 @@ systemctl daemon-reload
 %{python2_sitelib}/pki
 %dir %{_localstatedir}/log/pki
 %{_sbindir}/pki-upgrade
-%{_mandir}/man8/pki-upgrade.8.gz
 %{_mandir}/man1/pki-python-client.1.gz
+%{_mandir}/man5/pki-logging.5.gz
+%{_mandir}/man8/pki-upgrade.8.gz
 %endif
 %if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
@@ -1244,6 +1298,9 @@ systemctl daemon-reload
 %{_mandir}/man1/pki-group.1.gz
 %{_mandir}/man1/pki-group-member.1.gz
 %{_mandir}/man1/pki-key.1.gz
+%{_mandir}/man1/pki-pkcs12-cert.1.gz
+%{_mandir}/man1/pki-pkcs12-key.1.gz
+%{_mandir}/man1/pki-pkcs12.1.gz
 %{_mandir}/man1/pki-securitydomain.1.gz
 %{_mandir}/man1/pki-tps-profile.1.gz
 %{_mandir}/man1/pki-user.1.gz
@@ -1284,6 +1341,7 @@ systemctl daemon-reload
 %dir %{_sharedstatedir}/pki
 %{_mandir}/man1/pkidaemon.1.gz
 %{_mandir}/man5/pki_default.cfg.5.gz
+%{_mandir}/man5/pki-server-logging.5.gz
 %{_mandir}/man8/pki-server-upgrade.8.gz
 %{_mandir}/man8/pkidestroy.8.gz
 %{_mandir}/man8/pkispawn.8.gz
@@ -1376,6 +1434,38 @@ systemctl daemon-reload %endif # %{with server} %changelog +* Thu Dec 15 2016 Dogtag Team 10.3.3-16 +- Separate original patches into RHEL and RHCS portions +- ## RHEL 7.3.z Batch Update 2 +- Bugzilla Bug #1404176 - logging properties and man pages (edewata) +- Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) +- ## RHCS 9.1.z Batch Update 2 +- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) +- Bugzilla Bug #1404900 - RHCS logging properties (edewata) + +* Tue Dec 13 2016 Dogtag Team 10.3.3-15 +- ## RHEL 7.3.z Batch Update 2 +- Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port + with remote CA shows authentication failure (edewata) +- Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because + of missing authentication even if it should not require any (edewata) +- Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI [pki-base] (edewata) +- Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS + mode (edewata) +- Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from + nistp256 when nistp384 is specified in spawn config (jmagne) +- Bugzilla Bug #1404176 - logging properties and man pages (edewata) +- ## RHCS 9.1.z Batch Update 2 +- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is + not reflected in the TPS Web UI [pki-tps] (edewata) +- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS + tokendb shows different certificate status (cfu) +- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and + enroll G&D Cards (jmagne) + * Tue Nov 8 2016 Dogtag Team 10.3.3-14 - Marked the following RHCS 9.1.z bug: Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel