diff --git a/.gitignore b/.gitignore
index 0879a7b..db47ce7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.0.5.tar.gz
+SOURCES/pki-core-10.1.2.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 3196f00..cdcdca8 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-249584b957fa8bd4478599b66b19bb8f5b1fd1bb SOURCES/pki-core-10.0.5.tar.gz
+b0d1914fa03a09f341d30e5b1c0a178583174419 SOURCES/pki-core-10.1.2.tar.gz
diff --git a/SOURCES/0000-Storing-authentication-info-in-session.patch b/SOURCES/0000-Storing-authentication-info-in-session.patch
deleted file mode 100644
index 28362b9..0000000
--- a/SOURCES/0000-Storing-authentication-info-in-session.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From 8270ef0b8861bfc6d7a4e5bbe4e6125a221d0680 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 22 Jul 2013 08:50:03 -0400 -Subject: [PATCH 0/6] Storing authentication info in session. - -The authenticator configuration has been modified to store the authentication -info in the session so it can be used by the servlets. An upgrade script has -been added to update the configuration in existing instances. - -The SSLAuthenticatorWithFalback was modified to propagate the configuration -to the actual authenticator handling the request. ---- - base/ca/shared/webapps/ca/META-INF/context.xml | 4 +- - .../cms/tomcat/SSLAuthenticatorWithFallback.java | 5 ++ - base/kra/shared/webapps/kra/META-INF/context.xml | 4 +- - base/ocsp/shared/webapps/ocsp/META-INF/context.xml | 4 +- - base/server/upgrade/10.0.4/.gitignore | 4 ++ - .../upgrade/10.0.5/01-EnableSessionInAuthenticator | 69 ++++++++++++++++++++++ - base/tks/shared/webapps/tks/META-INF/context.xml | 4 +- - 7 files changed, 90 insertions(+), 4 deletions(-) - create mode 100644 base/server/upgrade/10.0.4/.gitignore - create mode 100755 base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator - -diff --git a/base/ca/shared/webapps/ca/META-INF/context.xml b/base/ca/shared/webapps/ca/META-INF/context.xml -index 032fd14..e838503 100644 ---- a/base/ca/shared/webapps/ca/META-INF/context.xml -+++ b/base/ca/shared/webapps/ca/META-INF/context.xml -@@ -28,7 +28,9 @@ - secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/> - - -+ alwaysUseSession="true" -+ secureRandomProvider="Mozilla-JSS" -+ secureRandomAlgorithm="pkcs11prng"/> - - - -diff --git a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java -index d1b3dc3..20bf85d 100644 ---- a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java -+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java 
-@@ -140,8 +140,13 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase { - @Override - protected void initInternal() throws LifecycleException { - log("Initializing authenticators"); -+ - super.initInternal(); -+ -+ sslAuthenticator.setAlwaysUseSession(alwaysUseSession); - sslAuthenticator.init(); -+ -+ fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession); - fallbackAuthenticator.init(); - } - -diff --git a/base/kra/shared/webapps/kra/META-INF/context.xml b/base/kra/shared/webapps/kra/META-INF/context.xml -index 032fd14..e838503 100644 ---- a/base/kra/shared/webapps/kra/META-INF/context.xml -+++ b/base/kra/shared/webapps/kra/META-INF/context.xml -@@ -28,7 +28,9 @@ - secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/> - - -+ alwaysUseSession="true" -+ secureRandomProvider="Mozilla-JSS" -+ secureRandomAlgorithm="pkcs11prng"/> - - - -diff --git a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml -index 032fd14..e838503 100644 ---- a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml -+++ b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml -@@ -28,7 +28,9 @@ - secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/> - - -+ alwaysUseSession="true" -+ secureRandomProvider="Mozilla-JSS" -+ secureRandomAlgorithm="pkcs11prng"/> - - - -diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.0.4/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator -new file mode 100755 -index 0000000..7aee780 ---- /dev/null -+++ b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator -@@ -0,0 +1,69 @@ -+#!/usr/bin/python -+# Authors: -+# Endi S. 
Dewata -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not, write to the Free Software Foundation, Inc., -+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Copyright (C) 2013 Red Hat, Inc. -+# All rights reserved. -+# -+ -+import os -+from lxml import etree -+ -+import pki.server.upgrade -+ -+ -+class EnableSessionInAuthenticator(pki.server.upgrade.PKIServerUpgradeScriptlet): -+ -+ def __init__(self): -+ -+ self.message = 'Enable session in authenticator' -+ -+ self.parser = etree.XMLParser(remove_blank_text=True) -+ -+ def upgrade_subsystem(self, instance, subsystem): -+ -+ context_xml = os.path.join( -+ instance.base_dir, 'webapps', subsystem.name, 'META-INF', 'context.xml') -+ self.backup(context_xml) -+ -+ document = etree.parse(context_xml, self.parser) -+ -+ self.enable_session(document) -+ -+ with open(context_xml, 'w') as f: -+ f.write(etree.tostring(document, pretty_print=True)) -+ -+ def enable_session(self, document): -+ -+ context = document.getroot() -+ valves = context.findall('Valve') -+ authenticator = None -+ -+ # Find existing authenticator -+ for valve in valves: -+ className = valve.get('className') -+ if className != 'com.netscape.cms.tomcat.SSLAuthenticatorWithFallback': -+ continue -+ -+ # Found existing authenticator -+ authenticator = valve -+ break -+ -+ if authenticator is None: -+ raise Exception('Missing SSLAuthenticatorWithFallback') -+ -+ # Update authenticator's attributes -+ 
authenticator.set('alwaysUseSession', 'true') -diff --git a/base/tks/shared/webapps/tks/META-INF/context.xml b/base/tks/shared/webapps/tks/META-INF/context.xml -index 032fd14..e838503 100644 ---- a/base/tks/shared/webapps/tks/META-INF/context.xml -+++ b/base/tks/shared/webapps/tks/META-INF/context.xml -@@ -28,7 +28,9 @@ - secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/> - - -+ alwaysUseSession="true" -+ secureRandomProvider="Mozilla-JSS" -+ secureRandomAlgorithm="pkcs11prng"/> - - - --- -1.8.3.1 - diff --git a/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch b/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch deleted file mode 100644 index f00caae..0000000 --- a/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 166a4b291a573d2c9f346a1b1051a2e9b45ff375 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 16 Oct 2013 09:41:12 -0400 -Subject: [PATCH 1/6] Fixed error handling in DoUnrevoke servlet. - -The DoUnrevoke servlet has been modified to re-throw the EBaseException -such that the error message can be returned properly to the client. - -Ticket #739 ---- - base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java -index cca8381..2b30720 100644 ---- a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java -+++ b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java -@@ -40,7 +40,6 @@ import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.authorization.EAuthzAccessDenied; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IArgBlock; --import com.netscape.certsrv.base.PKIException; - import com.netscape.certsrv.ca.ICRLIssuingPoint; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.dbs.certdb.CertId; -@@ -274,7 +273,7 @@ public class DoUnrevoke extends CMSServlet { - processor.log(ILogger.LL_FAILURE, "Error " + e); - processor.auditChangeRequest(ILogger.FAILURE); - -- throw new PKIException(e.getMessage()); -+ throw e; - } - - // change audit processing from "REQUEST" to "REQUEST_PROCESSED" -@@ -419,6 +418,8 @@ public class DoUnrevoke extends CMSServlet { - } catch (EBaseException e) { - processor.log(ILogger.LL_FAILURE, "Error " + e); - processor.auditChangeRequestProcessed(ILogger.FAILURE); -+ -+ throw e; - } - } - --- -1.8.3.1 - diff --git a/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch b/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch deleted file mode 100644 index 0bf5ce9..0000000 
--- a/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 981fdba088b14f975555b9dceb92db614acf631c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 25 Oct 2013 09:28:05 -0400 -Subject: [PATCH 2/6] Fixed errors during Tomcat shutdown. - -Previously the CMS.shutdown() was called multiple times during Tomcat -shutdown, one by CMSStarServlet.destroy() and the other by the shutdown -hook, causing some errors. The shutdown hook should only be used in a -standalone application, so it has been moved into CMS.main(). - -Bugzilla #1018628 ---- - base/common/src/com/netscape/certsrv/apps/CMS.java | 17 +++++++++++++++++ - .../com/netscape/cms/servlet/base/CMSStartServlet.java | 3 +++ - .../common/src/com/netscape/cmscore/apps/CMSEngine.java | 16 ---------------- - 3 files changed, 20 insertions(+), 16 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java -index 27cddad..fbcf65a 100644 ---- a/base/common/src/com/netscape/certsrv/apps/CMS.java -+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java -@@ -1661,5 +1661,22 @@ public final class CMS { - start(path); - } catch (EBaseException e) { - } -+ -+ // Use shutdown hook in stand-alone application -+ // to catch SIGINT, SIGTERM, or SIGHUP. 
-+ Runtime.getRuntime().addShutdownHook(new Thread() { -+ public void run() { -+ /*LogDoc -+ * -+ * @phase watchdog check -+ */ -+ CMS.getLogger().log(ILogger.EV_SYSTEM, -+ ILogger.S_OTHER, -+ ILogger.LL_INFO, -+ "CMSEngine: Received shutdown signal"); -+ -+ CMS.shutdown(); -+ }; -+ }); - } - } -diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java -index e00f2bd..34bbb2e 100644 ---- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java -+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java -@@ -120,6 +120,9 @@ public class CMSStartServlet extends HttpServlet { - return "CMS startup servlet"; - } - -+ /** -+ * This method will be called when Tomcat is shutdown. -+ */ - public void destroy() { - CMS.shutdown(); - super.destroy(); -diff --git a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java -index 834918a..482b5ea 100644 ---- a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -262,22 +262,6 @@ public class CMSEngine implements ICMSEngine { - * private constructor. - */ - public CMSEngine() { -- -- // Shutdown on SIGINT, SIGTERM, or SIGHUP. -- Runtime.getRuntime().addShutdownHook(new Thread() { -- public void run() { -- /*LogDoc -- * -- * @phase watchdog check -- */ -- getLogger().log(ILogger.EV_SYSTEM, -- ILogger.S_OTHER, -- ILogger.LL_INFO, -- "OS: Received shutdown signal"); -- -- shutdown(); -- }; -- }); - } - - /** --- -1.8.3.1 - diff --git a/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch b/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch deleted file mode 100644 index 2b151d1..0000000 --- a/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch +++ /dev/null 
@@ -1,199 +0,0 @@ -From fb9acc2c02ad35443eb8b6ac0f2279dddd9449ab Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 30 Oct 2013 15:50:28 -0400 -Subject: [PATCH 3/6] Fixed logic for setting admin cert signing algorithm - -Should now be SHA256 by default. -Bugzilla BZ 1024445 ---- - base/ca/shared/conf/CS.cfg.in | 1 + - base/ca/shared/profiles/ca/caAdminCert.cfg | 2 +- - .../com/netscape/cms/servlet/csadmin/CertUtil.java | 123 +++++++++++++-------- - 3 files changed, 81 insertions(+), 45 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in -index c1acc57..cca5209 100644 ---- a/base/ca/shared/conf/CS.cfg.in -+++ b/base/ca/shared/conf/CS.cfg.in -@@ -660,6 +660,7 @@ ca.notification.requestInQ.senderEmail= - ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID] - ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA - ca.ocsp_signing.tokenname=internal -+ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC - ca.publish.createOwnDNEntry=false - ca.publish.queue.enable=true - ca.publish.queue.maxNumberOfThreads=3 -diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg -index c44079a..cd29703 100644 ---- a/base/ca/shared/profiles/ca/caAdminCert.cfg -+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg -@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false - policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.adminCertSet.8.constraint.name=No Constraint --policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC 
-+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC - policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.adminCertSet.8.default.name=Signing Alg - policyset.adminCertSet.8.default.params.signingAlg=- -diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java -index 789c0aa..1936b2c 100644 ---- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java -+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java -@@ -17,14 +17,15 @@ - // --- END COPYRIGHT BLOCK --- - package com.netscape.cms.servlet.csadmin; - --import java.io.BufferedReader; - import java.io.ByteArrayInputStream; --import java.io.DataInputStream; - import java.io.FileInputStream; -+import java.io.FileNotFoundException; - import java.io.IOException; --import java.io.InputStreamReader; - import java.math.BigInteger; - import java.util.Date; -+import java.util.Iterator; -+import java.util.Properties; -+import java.util.Set; - - import javax.servlet.http.HttpServletResponse; - -@@ -36,6 +37,8 @@ import netscape.security.x509.X509CertImpl; - import netscape.security.x509.X509CertInfo; - import netscape.security.x509.X509Key; - -+import org.apache.commons.lang.ArrayUtils; -+import org.apache.commons.lang.StringUtils; - import org.apache.velocity.context.Context; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.PrivateKey; -@@ -271,52 +274,84 @@ public class CertUtil { - } - - /** -- * reads from the admin cert profile caAdminCert.profile and takes the first -- * entry in the list of allowed algorithms. Users that wish a different algorithm -- * can specify it in the profile using default.params.signingAlg -+ * reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows: -+ * -+ * 1. 
First gets list of allowed algorithms from profile (constraint.params.signingAlgsAllowed) -+ * If entry does not exist, uses entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg -+ * If that entry does not exist, uses basic default -+ * -+ * 2. Gets default.params.signingAlg from profile. -+ * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list -+ * that matches CA signing key type -+ * Otherwise returns entry if it matches signing CA key type. -+ * -+ * @throws EBaseException -+ * @throws IOException -+ * @throws FileNotFoundException - */ - -- public static String getAdminProfileAlgorithm(IConfigStore config) { -- String algorithm = "SHA256withRSA"; -- try { -- String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa"); -- String pfile = config.getString("profile.caAdminCert.config"); -- FileInputStream fis = new FileInputStream(pfile); -- DataInputStream in = new DataInputStream(fis); -- BufferedReader br = new BufferedReader(new InputStreamReader(in)); -- -- String strLine; -- while ((strLine = br.readLine()) != null) { -- String marker2 = "default.params.signingAlg="; -- int indx = strLine.indexOf(marker2); -- if (indx != -1) { -- String alg = strLine.substring(indx + marker2.length()); -- if ((alg.length() > 0) && (!alg.equals("-"))) { -- algorithm = alg; -- break; -- } -- ; -- } -- ; -- -- String marker = "signingAlgsAllowed="; -- indx = strLine.indexOf(marker); -- if (indx != -1) { -- String[] algs = strLine.substring(indx + marker.length()).split(","); -- for (int i = 0; i < algs.length; i++) { -- if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) || -- (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC") != -1))) { -- algorithm = algs[i]; -- break; -- } -- } -+ public static String getAdminProfileAlgorithm(IConfigStore config) throws EBaseException, FileNotFoundException, -+ IOException { -+ String caSigningKeyType = config.getString("preop.cert.signing.keytype", 
"rsa"); -+ String pfile = config.getString("profile.caAdminCert.config"); -+ Properties props = new Properties(); -+ props.load(new FileInputStream(pfile)); -+ -+ Set keys = props.stringPropertyNames(); -+ Iterator iter = keys.iterator(); -+ String defaultAlg = null; -+ String[] algsAllowed = null; -+ -+ while (iter.hasNext()) { -+ String key = iter.next(); -+ if (key.endsWith("default.params.signingAlg")) { -+ defaultAlg = props.getProperty(key); -+ } -+ if (key.endsWith("constraint.params.signingAlgsAllowed")) { -+ algsAllowed = StringUtils.split(props.getProperty(key), ","); -+ } -+ } -+ -+ if (algsAllowed == null) { //algsAllowed not defined in profile, use a global setting -+ algsAllowed = StringUtils.split(config.getString("ca.profiles.defaultSigningAlgsAllowed", -+ "SHA256withRSA,SHA256withEC,SHA1withDSA"), ","); -+ } -+ -+ if (ArrayUtils.isEmpty(algsAllowed)) { -+ throw new EBaseException("No allowed signing algorithms defined."); -+ } -+ -+ if (StringUtils.isNotEmpty(defaultAlg) && !defaultAlg.equals("-")) { -+ // check if the defined default algorithm is valid -+ if (! isAlgorithmValid(caSigningKeyType, defaultAlg)) { -+ throw new EBaseException("Administrator cert cannot be signed by specfied algorithm." + -+ "Algorithm incompatible with signing key"); -+ } -+ -+ for (String alg : algsAllowed) { -+ if (defaultAlg.trim().equals(alg.trim())) { -+ return defaultAlg; - } - } -- in.close(); -- } catch (Exception e) { -- CMS.debug("getAdminProfleAlgorithm: exception: " + e); -+ throw new EBaseException( -+ "Administrator Certificate cannot be signed by the specified algorithm " + -+ "as it is not one of the allowed signing algorithms. Check the admin cert profile."); - } -- return algorithm; -+ -+ // no algorithm specified. Pick the first allowed algorithm. 
-+ for (String alg : algsAllowed) { -+ if (isAlgorithmValid(caSigningKeyType, alg)) return alg; -+ } -+ -+ throw new EBaseException( -+ "Admin certificate cannot be signed by any of the specified possible algorithms." + -+ "Algorithm is incompatible with the CA signing key type" ); -+ } -+ -+ private static boolean isAlgorithmValid(String signingKeyType, String algorithm) { -+ return ((signingKeyType.equals("rsa") && algorithm.contains("RSA")) || -+ (signingKeyType.equals("ecc") && algorithm.contains("EC")) || -+ (signingKeyType.equals("dsa") && algorithm.contains("DSA"))); - } - - public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key, --- -1.8.3.1 - diff --git a/SOURCES/0004-Backup-upgrade-tracker.patch b/SOURCES/0004-Backup-upgrade-tracker.patch deleted file mode 100644 index 7cbb6ec..0000000 --- a/SOURCES/0004-Backup-upgrade-tracker.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 75bf654f1023e36f67b27d8e47e077400c072b84 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 28 Oct 2013 17:21:59 -0400 -Subject: [PATCH 4/6] Backup upgrade tracker. - -The upgrade framework has been modified to backup the files used -to track the upgrade progress. If the tracker file is also modified -by the upgrade scriptlet, it will only keep the initial backup -(before any modifications were made). - -Ticket #763 ---- - base/common/python/pki/upgrade.py | 8 ++++++-- - base/common/python/pki/util.py | 6 +++++- - base/server/python/pki/server/upgrade.py | 1 + - 3 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py -index bd78ec9..7e48180 100644 ---- a/base/common/python/pki/upgrade.py -+++ b/base/common/python/pki/upgrade.py -@@ -110,6 +110,7 @@ class PKIUpgradeTracker(object): - index_key='PKI_UPGRADE_INDEX'): - - self.name = name -+ self.filename = filename - - self.version_key = version_key - self.index_key = index_key -@@ -267,6 +268,7 @@ class PKIUpgradeScriptlet(object): - # in this version, update the tracker version. 
- - tracker = self.upgrader.get_tracker() -+ self.backup(tracker.filename) - - if not self.last: - tracker.set_index(self.index) -@@ -389,7 +391,8 @@ class PKIUpgradeScriptlet(object): - - if os.path.isfile(path): - if verbose: print 'Saving ' + path -- pki.util.copyfile(path, dest) -+ # do not overwrite initial backup -+ pki.util.copyfile(path, dest, overwrite=False) - - else: - for sourcepath, _, filenames in os.walk(path): -@@ -405,7 +408,8 @@ class PKIUpgradeScriptlet(object): - targetfile = os.path.join(destpath, filename) - - if verbose: print 'Saving ' + sourcefile -- pki.util.copyfile(sourcefile, targetfile) -+ # do not overwrite initial backup -+ pki.util.copyfile(sourcefile, targetfile, overwrite=False) - - else: - -diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py -index 4d25390..62aec2c 100644 ---- a/base/common/python/pki/util.py -+++ b/base/common/python/pki/util.py -@@ -53,11 +53,15 @@ def copy(source, dest): - targetfile = os.path.join(destpath, filename) - copyfile(sourcefile, targetfile) - --def copyfile(source, dest): -+def copyfile(source, dest, overwrite=True): - """ - Copy a file or link while preserving its attributes. - """ - -+ # if dest already exists and not overwriting, do nothing -+ if os.path.exists(dest) and not overwrite: -+ return -+ - if os.path.islink(source): - target = os.readlink(source) - os.symlink(target, dest) -diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py -index 940dbe4..ee0dfed 100644 ---- a/base/server/python/pki/server/upgrade.py -+++ b/base/server/python/pki/server/upgrade.py -@@ -60,6 +60,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet): - # in this version, update the tracker version. - - tracker = self.upgrader.get_tracker(instance, subsystem) -+ self.backup(tracker.filename) - - if not self.last: - tracker.set_index(self.index) --- -1.8.3.1 - 
diff --git a/SOURCES/0005-Added-CLI-command-aliases.patch b/SOURCES/0005-Added-CLI-command-aliases.patch
deleted file mode 100644
index 2192344..0000000
--- a/SOURCES/0005-Added-CLI-command-aliases.patch
+++ /dev/null
@@ -1,2554 +0,0 @@ -From 7efc9fbd120885109eb19bfc98d6109a98751b25 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 29 Oct 2013 10:56:15 -0400 -Subject: [PATCH 5/6] Added CLI command aliases. - -New aliases for some CLI commands have been added for consistency: - -* client-cert-find -> client-find-cert -* client-cert-import -> client-import-cert -* client-cert-del -> client-remove-cert -* group-member-add -> group-add-member -* group-member-find -> group-find-member -* group-member-show -> group-show-member -* group-member-del -> group-remove-member -* user-cert-add -> user-add-cert -* user-cert-find -> user-find-cert -* user-cert-show -> user-show-cert -* user-cert-del -> user-remove-cert -* user-membership-add -> user-add-membership -* user-membership-find -> user-find-membership -* user-membership-show -> user-show-membership -* user-membership-del -> user-remove-membership - -The original commands will continue to work as before. ---- - base/java-tools/man/man1/pki.1 | 4 +- - .../src/com/netscape/cmstools/cli/CLI.java | 55 +++++++++ - .../com/netscape/cmstools/client/ClientCLI.java | 24 +--- - .../cmstools/client/ClientCertFindCLI.java | 89 +++++++++++++++ - .../cmstools/client/ClientCertImportCLI.java | 124 +++++++++++++++++++++ - .../cmstools/client/ClientCertRemoveCLI.java | 70 ++++++++++++ - .../cmstools/client/ClientFindCertCLI.java | 60 +--------- - .../cmstools/client/ClientImportCertCLI.java | 95 +--------------- - .../cmstools/client/ClientRemoveCertCLI.java | 41 +------ - .../netscape/cmstools/group/GroupAddMemberCLI.java | 32 +----- - .../src/com/netscape/cmstools/group/GroupCLI.java | 23 +--- - .../cmstools/group/GroupFindMemberCLI.java | 79 +------------ - .../netscape/cmstools/group/GroupMemberAddCLI.java | 61 ++++++++++ - .../cmstools/group/GroupMemberFindCLI.java | 108 ++++++++++++++++++ - .../cmstools/group/GroupMemberRemoveCLI.java | 58 ++++++++++ - .../cmstools/group/GroupMemberShowCLI.java | 61 ++++++++++ - 
.../cmstools/group/GroupRemoveMemberCLI.java | 29 +---- - .../cmstools/group/GroupShowMemberCLI.java | 32 +----- - .../com/netscape/cmstools/user/UserAddCertCLI.java | 72 +----------- - .../cmstools/user/UserAddMembershipCLI.java | 32 +----- - .../src/com/netscape/cmstools/user/UserCLI.java | 28 ++--- - .../com/netscape/cmstools/user/UserCertAddCLI.java | 105 +++++++++++++++++ - .../netscape/cmstools/user/UserCertFindCLI.java | 108 ++++++++++++++++++ - .../netscape/cmstools/user/UserCertRemoveCLI.java | 65 +++++++++++ - .../netscape/cmstools/user/UserCertShowCLI.java | 100 +++++++++++++++++ - .../netscape/cmstools/user/UserFindCertCLI.java | 79 +------------ - .../cmstools/user/UserFindMembershipCLI.java | 79 +------------ - .../cmstools/user/UserMembershipAddCLI.java | 61 ++++++++++ - .../cmstools/user/UserMembershipFindCLI.java | 108 ++++++++++++++++++ - .../cmstools/user/UserMembershipRemoveCLI.java | 58 ++++++++++ - .../netscape/cmstools/user/UserRemoveCertCLI.java | 35 +----- - .../cmstools/user/UserRemoveMembershipCLI.java | 29 +---- - .../netscape/cmstools/user/UserShowCertCLI.java | 71 +----------- - 33 files changed, 1290 insertions(+), 785 deletions(-) - create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java - create mode 100644 
base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java - -diff --git a/base/java-tools/man/man1/pki.1 b/base/java-tools/man/man1/pki.1 -index ec0af7c..b3c5356 100644 ---- a/base/java-tools/man/man1/pki.1 -+++ b/base/java-tools/man/man1/pki.1 -@@ -199,11 +199,11 @@ To delete a group: - - To add a user to a group: - --.B pki group-add-member -+.B pki group-member-add - - To delete a user from a group: - --.B pki group-remove-member -+.B pki group-member-del - - .\".SS Key Management Commands - .\"\fBpki\fP can be used with a KRA to find specific keys and key requests. This will be documented in more detail at a later time. 
-diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -index a1fc4f7..c9c3606 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java -@@ -18,6 +18,8 @@ - - package com.netscape.cmstools.cli; - -+import java.util.ArrayList; -+import java.util.Collection; - import java.util.LinkedHashMap; - import java.util.Map; - -@@ -25,6 +27,7 @@ import org.apache.commons.cli.CommandLineParser; - import org.apache.commons.cli.HelpFormatter; - import org.apache.commons.cli.Options; - import org.apache.commons.cli.PosixParser; -+import org.apache.commons.lang.StringUtils; - - - /** -@@ -64,6 +67,10 @@ public class CLI { - this.description = description; - } - -+ public boolean isDeprecated() { -+ return getClass().getAnnotation(Deprecated.class) != null; -+ } -+ - public void addModule(CLI module) { - modules.put(module.getName(), module); - } -@@ -75,7 +82,55 @@ public class CLI { - public void execute(String[] args) throws Exception { - } - -+ public Collection getDeprecatedModules() { -+ Collection list = new ArrayList(); -+ for (CLI module : modules.values()) { -+ if (!module.isDeprecated()) continue; -+ list.add(module); -+ } -+ return list; -+ } -+ - public void printHelp() { -+ -+ int leftPadding = 1; -+ int rightPadding = 25; -+ -+ System.out.println("Commands:"); -+ -+ for (CLI module : modules.values()) { -+ if (module.isDeprecated()) continue; -+ -+ String label = name + "-" + module.getName(); -+ -+ int padding = rightPadding - leftPadding - label.length(); -+ if (padding < 1) -+ padding = 1; -+ -+ System.out.print(StringUtils.repeat(" ", leftPadding)); -+ System.out.print(label); -+ System.out.print(StringUtils.repeat(" ", padding)); -+ System.out.println(module.getDescription()); -+ } -+ -+ Collection deprecatedModules = getDeprecatedModules(); -+ -+ if (!deprecatedModules.isEmpty()) { -+ System.out.println(); -+ 
System.out.println("Deprecated:"); -+ -+ for (CLI module : deprecatedModules) { -+ String label = name+"-"+module.getName(); -+ -+ int padding = rightPadding - leftPadding - label.length(); -+ if (padding < 1) padding = 1; -+ -+ System.out.print(StringUtils.repeat(" ", leftPadding)); -+ System.out.print(label); -+ System.out.print(StringUtils.repeat(" ", padding)); -+ System.out.println(module.getDescription()); -+ } -+ } - } - - public static boolean isVerbose() { -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java -index 34d09f3..147b4d6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java -@@ -20,7 +20,6 @@ package com.netscape.cmstools.client; - - import java.util.Arrays; - --import org.apache.commons.lang.StringUtils; - import org.mozilla.jss.crypto.X509Certificate; - - import com.netscape.certsrv.dbs.certdb.CertId; -@@ -41,27 +40,10 @@ public class ClientCLI extends CLI { - addModule(new ClientFindCertCLI(this)); - addModule(new ClientImportCertCLI(this)); - addModule(new ClientRemoveCertCLI(this)); -- } -- -- public void printHelp() { -- -- System.out.println("Commands:"); -- -- int leftPadding = 1; -- int rightPadding = 25; - -- for (CLI module : modules.values()) { -- String label = name + "-" + module.getName(); -- -- int padding = rightPadding - leftPadding - label.length(); -- if (padding < 1) -- padding = 1; -- -- System.out.print(StringUtils.repeat(" ", leftPadding)); -- System.out.print(label); -- System.out.print(StringUtils.repeat(" ", padding)); -- System.out.println(module.getDescription()); -- } -+ addModule(new ClientCertFindCLI(this)); -+ addModule(new ClientCertImportCLI(this)); -+ addModule(new ClientCertRemoveCLI(this)); - } - - public void execute(String[] args) throws Exception { -diff --git 
a/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java -new file mode 100644 -index 0000000..c4e1aca ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java -@@ -0,0 +1,89 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.client; -+ -+import org.apache.commons.cli.CommandLine; -+import org.mozilla.jss.crypto.X509Certificate; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class ClientCertFindCLI extends CLI { -+ -+ public ClientCLI parent; -+ -+ public ClientCertFindCLI(String name, ClientCLI parent) { -+ super(name, "Find certificates in client security database"); -+ this.parent = parent; -+ } -+ -+ public ClientCertFindCLI(ClientCLI parent) { -+ this("cert-find", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ options.addOption(null, "ca", false, "Find CA certificates only"); -+ -+ CommandLine cmd = null; -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ X509Certificate[] certs; -+ if (cmd.hasOption("ca")) { -+ certs = parent.parent.client.getCACerts(); -+ } else { -+ certs = parent.parent.client.getCerts(); -+ } -+ -+ if (certs == null || certs.length == 0) { -+ MainCLI.printMessage("No certificates found"); -+ System.exit(0); // valid result -+ } -+ -+ MainCLI.printMessage(certs.length + " certificate(s) found"); -+ -+ boolean first = true; -+ -+ for (X509Certificate cert : certs) { -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ ClientCLI.printCertInfo(cert); -+ } -+ -+ MainCLI.printMessage("Number of entries returned " + certs.length); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -new file mode 100644 -index 0000000..ffd68d9 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -0,0 +1,124 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. 
-+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.client; -+ -+import java.io.File; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+import org.apache.commons.io.FileUtils; -+import org.mozilla.jss.crypto.X509Certificate; -+ -+import com.netscape.certsrv.client.ClientConfig; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class ClientCertImportCLI extends CLI { -+ -+ public ClientCLI parent; -+ -+ public ClientCertImportCLI(String name, ClientCLI parent) { -+ super(name, "Import certificate into client security database"); -+ this.parent = parent; -+ } -+ -+ public ClientCertImportCLI(ClientCLI parent) { -+ this("cert-import", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "cert", true, "Import certificate file"); -+ option.setArgName("path"); -+ options.addOption(option); -+ -+ option = new Option(null, "ca-cert", true, "Import CA certificate file"); -+ option.setArgName("path"); -+ options.addOption(option); -+ -+ options.addOption(null, "ca-server", false, "Import CA certificate from CA server"); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ 
System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ byte[] bytes = null; -+ X509Certificate cert = null; -+ -+ String certPath = cmd.getOptionValue("cert"); -+ String caCertPath = cmd.getOptionValue("ca-cert"); -+ boolean importFromCAServer = cmd.hasOption("ca-server"); -+ -+ boolean isCACert = false; -+ -+ // load the certificate -+ if (certPath != null) { -+ if (verbose) System.out.println("Loading certificate from " + certPath + "."); -+ bytes = FileUtils.readFileToByteArray(new File(certPath)); -+ -+ -+ } else if (caCertPath != null) { -+ if (verbose) System.out.println("Loading CA certificate from " + caCertPath + "."); -+ bytes = FileUtils.readFileToByteArray(new File(caCertPath)); -+ -+ isCACert = true; -+ -+ } else if (importFromCAServer) { -+ ClientConfig config = parent.parent.config; -+ String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca"; -+ -+ if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + "."); -+ bytes = parent.parent.client.downloadCACertChain(caServerURI); -+ -+ isCACert = true; -+ -+ } else { -+ System.err.println("Error: Missing certificate to import"); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ // import the certificate -+ if (isCACert) { -+ if (verbose) System.out.println("Importing CA certificate."); -+ cert = parent.parent.client.importCACertPackage(bytes); -+ -+ } else { -+ if (verbose) System.out.println("Importing certificate."); -+ cert = parent.parent.client.importCertPackage(bytes, parent.parent.client.config.getCertNickname()); -+ } -+ -+ MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); -+ ClientCLI.printCertInfo(cert); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java -new file mode 100644 -index 0000000..2c05446 ---- /dev/null -+++ 
b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java -@@ -0,0 +1,70 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.client; -+ -+import org.apache.commons.cli.CommandLine; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class ClientCertRemoveCLI extends CLI { -+ -+ public ClientCLI parent; -+ -+ public ClientCertRemoveCLI(String name, ClientCLI parent) { -+ super(name, "Remove certificate from client security database"); -+ this.parent = parent; -+ } -+ -+ public ClientCertRemoveCLI(ClientCLI parent) { -+ this("cert-del", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ CommandLine cmd = null; -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 1) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String nickname = cmdArgs[0]; -+ parent.parent.client.removeCert(nickname); -+ -+ MainCLI.printMessage("Removed certificate \"" + nickname + "\""); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java -index 80690b7..379e95a 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java -@@ -18,68 +18,14 @@ - - package com.netscape.cmstools.client; - --import org.apache.commons.cli.CommandLine; --import org.mozilla.jss.crypto.X509Certificate; -- --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class ClientFindCertCLI extends CLI { -- -- public ClientCLI parent; -+@Deprecated -+public class ClientFindCertCLI extends ClientCertFindCLI { - - public ClientFindCertCLI(ClientCLI parent) { -- super("find-cert", "Find certificates in client security database"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options); -+ super("find-cert", parent); - } -- -- public void execute(String[] args) throws Exception { -- -- options.addOption(null, "ca", false, "Find CA certificates only"); -- -- CommandLine cmd = null; -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- X509Certificate[] certs; -- if (cmd.hasOption("ca")) { -- certs = parent.parent.client.getCACerts(); -- } else { -- certs = parent.parent.client.getCerts(); -- } -- -- if (certs == null || certs.length == 0) { -- MainCLI.printMessage("No certificates found"); -- System.exit(0); // valid result -- } -- -- MainCLI.printMessage(certs.length + " certificate(s) found"); -- -- boolean first = true; -- -- for (X509Certificate cert : certs) { -- if (first) { -- first = false; -- } else { -- System.out.println(); -- } -- -- ClientCLI.printCertInfo(cert); -- } -- -- MainCLI.printMessage("Number of entries returned " + certs.length); -- } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java -index e89f954..db0736d 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java -@@ -18,103 +18,14 @@ - - package com.netscape.cmstools.client; - --import java.io.File; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; --import 
org.apache.commons.io.FileUtils; --import org.mozilla.jss.crypto.X509Certificate; -- --import com.netscape.certsrv.client.ClientConfig; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. Dewata - */ --public class ClientImportCertCLI extends CLI { -- -- public ClientCLI parent; -+@Deprecated -+public class ClientImportCertCLI extends ClientCertImportCLI { - - public ClientImportCertCLI(ClientCLI parent) { -- super("import-cert", "Import certificate into client security database"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "cert", true, "Import certificate file"); -- option.setArgName("path"); -- options.addOption(option); -- -- option = new Option(null, "ca-cert", true, "Import CA certificate file"); -- option.setArgName("path"); -- options.addOption(option); -- -- options.addOption(null, "ca-server", false, "Import CA certificate from CA server"); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- byte[] bytes = null; -- X509Certificate cert = null; -- -- String certPath = cmd.getOptionValue("cert"); -- String caCertPath = cmd.getOptionValue("ca-cert"); -- boolean importFromCAServer = cmd.hasOption("ca-server"); -- -- boolean isCACert = false; -- -- // load the certificate -- if (certPath != null) { -- if (verbose) System.out.println("Loading certificate from " + certPath + "."); -- bytes = FileUtils.readFileToByteArray(new File(certPath)); -- -- -- } else if (caCertPath != null) { -- if (verbose) System.out.println("Loading CA certificate from " + caCertPath + "."); -- bytes = FileUtils.readFileToByteArray(new File(caCertPath)); -- -- isCACert = true; -- 
-- } else if (importFromCAServer) { -- ClientConfig config = parent.parent.config; -- String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca"; -- -- if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + "."); -- bytes = parent.parent.client.downloadCACertChain(caServerURI); -- -- isCACert = true; -- -- } else { -- System.err.println("Error: Missing certificate to import"); -- printHelp(); -- System.exit(1); -- } -- -- // import the certificate -- if (isCACert) { -- if (verbose) System.out.println("Importing CA certificate."); -- cert = parent.parent.client.importCACertPackage(bytes); -- -- } else { -- if (verbose) System.out.println("Importing certificate."); -- cert = parent.parent.client.importCertPackage(bytes, parent.parent.client.config.getCertNickname()); -- } -- -- MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); -- ClientCLI.printCertInfo(cert); -+ super("import-cert", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java -index fab4296..2b217ac 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java -@@ -18,49 +18,14 @@ - - package com.netscape.cmstools.client; - --import org.apache.commons.cli.CommandLine; -- --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class ClientRemoveCertCLI extends CLI { -- -- public ClientCLI parent; -+@Deprecated -+public class ClientRemoveCertCLI extends ClientCertRemoveCLI { - - public ClientRemoveCertCLI(ClientCLI parent) { -- super("remove-cert", "Remove certificate from client security database"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -+ super("remove-cert", parent); - } -- -- public void execute(String[] args) throws Exception { -- -- CommandLine cmd = null; -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 1) { -- printHelp(); -- System.exit(1); -- } -- -- String nickname = cmdArgs[0]; -- parent.parent.client.removeCert(nickname); -- -- MainCLI.printMessage("Removed certificate \"" + nickname + "\""); -- } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java -index 36d3c06..a761853 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java -@@ -18,40 +18,14 @@ - - package com.netscape.cmstools.group; - --import com.netscape.certsrv.group.GroupMemberData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class GroupAddMemberCLI extends CLI { -- -- public GroupCLI parent; -+@Deprecated -+public class GroupAddMemberCLI extends GroupMemberAddCLI { - - public GroupAddMemberCLI(GroupCLI parent) { -- super("add-member", "Add group member"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String groupID = args[0]; -- String memberID = args[1]; -- -- GroupMemberData groupMemberData = parent.client.addGroupMember(groupID, memberID); -- -- MainCLI.printMessage("Added group member \""+memberID+"\""); -- -- GroupCLI.printGroupMember(groupMemberData); -+ super("add-member", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -index bd8cec7..bc4d573 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java -@@ -51,26 +51,11 @@ public class GroupCLI extends CLI { - addModule(new GroupShowMemberCLI(this)); - addModule(new GroupAddMemberCLI(this)); - addModule(new GroupRemoveMemberCLI(this)); -- } -- -- public void printHelp() { -- -- System.out.println("Commands:"); -- -- int leftPadding = 1; -- int rightPadding = 25; - -- for (CLI module : modules.values()) { -- String label = name+"-"+module.getName(); -- -- int padding = rightPadding - leftPadding - label.length(); -- if (padding < 1) padding = 1; -- -- System.out.print(StringUtils.repeat(" ", leftPadding)); -- System.out.print(label); -- System.out.print(StringUtils.repeat(" ", padding)); -- System.out.println(module.getDescription()); -- } -+ addModule(new GroupMemberFindCLI(this)); -+ addModule(new GroupMemberShowCLI(this)); -+ addModule(new GroupMemberAddCLI(this)); -+ addModule(new 
GroupMemberRemoveCLI(this)); - } - - public void execute(String[] args) throws Exception { -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java -index f0498f0..4850910 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java -@@ -18,87 +18,14 @@ - - package com.netscape.cmstools.group; - --import java.util.Collection; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; -- --import com.netscape.certsrv.group.GroupMemberCollection; --import com.netscape.certsrv.group.GroupMemberData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. Dewata - */ --public class GroupFindMemberCLI extends CLI { -- -- public GroupCLI parent; -+@Deprecated -+public class GroupFindMemberCLI extends GroupMemberFindCLI { - - public GroupFindMemberCLI(GroupCLI parent) { -- super("find-member", "Find group members"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "start", true, "Page start"); -- option.setArgName("start"); -- options.addOption(option); -- -- option = new Option(null, "size", true, "Page size"); -- option.setArgName("size"); -- options.addOption(option); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 1) { -- printHelp(); -- System.exit(1); -- } -- -- String groupID = cmdArgs[0]; -- -- String s = cmd.getOptionValue("start"); -- Integer start = s == null ? 
null : Integer.valueOf(s); -- -- s = cmd.getOptionValue("size"); -- Integer size = s == null ? null : Integer.valueOf(s); -- -- GroupMemberCollection response = parent.client.findGroupMembers(groupID, start, size); -- -- Collection entries = response.getMembers(); -- -- MainCLI.printMessage(entries.size()+" group member(s) matched"); -- -- boolean first = true; -- -- for (GroupMemberData groupMemberData : entries) { -- -- if (first) { -- first = false; -- } else { -- System.out.println(); -- } -- -- GroupCLI.printGroupMember(groupMemberData); -- } -- -- MainCLI.printMessage("Number of entries returned "+entries.size()); -+ super("find-member", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java -new file mode 100644 -index 0000000..5945e21 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java -@@ -0,0 +1,61 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.group; -+ -+import com.netscape.certsrv.group.GroupMemberData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class GroupMemberAddCLI extends CLI { -+ -+ public GroupCLI parent; -+ -+ public GroupMemberAddCLI(String name, GroupCLI parent) { -+ super(name, "Add group member"); -+ this.parent = parent; -+ } -+ -+ public GroupMemberAddCLI(GroupCLI parent) { -+ this("member-add", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String groupID = args[0]; -+ String memberID = args[1]; -+ -+ GroupMemberData groupMemberData = parent.client.addGroupMember(groupID, memberID); -+ -+ MainCLI.printMessage("Added group member \""+memberID+"\""); -+ -+ GroupCLI.printGroupMember(groupMemberData); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java -new file mode 100644 -index 0000000..c36d041 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java -@@ -0,0 +1,108 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. 
-+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.group; -+ -+import java.util.Collection; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.group.GroupMemberCollection; -+import com.netscape.certsrv.group.GroupMemberData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class GroupMemberFindCLI extends CLI { -+ -+ public GroupCLI parent; -+ -+ public GroupMemberFindCLI(String name, GroupCLI parent) { -+ super(name, "Find group members"); -+ this.parent = parent; -+ } -+ -+ public GroupMemberFindCLI(GroupCLI parent) { -+ this("member-find", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "start", true, "Page start"); -+ option.setArgName("start"); -+ options.addOption(option); -+ -+ option = new Option(null, "size", true, "Page size"); -+ option.setArgName("size"); -+ options.addOption(option); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 1) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String groupID = cmdArgs[0]; -+ -+ String s = cmd.getOptionValue("start"); -+ Integer start = s == null ? null : Integer.valueOf(s); -+ -+ s = cmd.getOptionValue("size"); -+ Integer size = s == null ? 
null : Integer.valueOf(s); -+ -+ GroupMemberCollection response = parent.client.findGroupMembers(groupID, start, size); -+ -+ Collection entries = response.getMembers(); -+ -+ MainCLI.printMessage(entries.size()+" group member(s) matched"); -+ -+ boolean first = true; -+ -+ for (GroupMemberData groupMemberData : entries) { -+ -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ GroupCLI.printGroupMember(groupMemberData); -+ } -+ -+ MainCLI.printMessage("Number of entries returned "+entries.size()); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java -new file mode 100644 -index 0000000..db85822 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java -@@ -0,0 +1,58 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.group; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class GroupMemberRemoveCLI extends CLI { -+ -+ public GroupCLI parent; -+ -+ public GroupMemberRemoveCLI(String name, GroupCLI parent) { -+ super(name, "Remove group member"); -+ this.parent = parent; -+ } -+ -+ public GroupMemberRemoveCLI(GroupCLI parent) { -+ this("member-del", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String groupID = args[0]; -+ String memberID = args[1]; -+ -+ parent.client.removeGroupMember(groupID, memberID); -+ -+ MainCLI.printMessage("Deleted group member \""+memberID+"\""); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java -new file mode 100644 -index 0000000..214f71d ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java -@@ -0,0 +1,61 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.group; -+ -+import com.netscape.certsrv.group.GroupMemberData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class GroupMemberShowCLI extends CLI { -+ -+ public GroupCLI parent; -+ -+ public GroupMemberShowCLI(String name, GroupCLI parent) { -+ super(name, "Show group member"); -+ this.parent = parent; -+ } -+ -+ public GroupMemberShowCLI(GroupCLI parent) { -+ this("member-show", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String groupID = args[0]; -+ String memberID = args[1]; -+ -+ GroupMemberData groupMemberData = parent.client.getGroupMember(groupID, memberID); -+ -+ MainCLI.printMessage("Group member \""+memberID+"\""); -+ -+ GroupCLI.printGroupMember(groupMemberData); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java -index c12cc89..9672488 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java -@@ -18,37 +18,14 @@ - - package com.netscape.cmstools.group; - --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class GroupRemoveMemberCLI extends CLI { -- -- public GroupCLI parent; -+@Deprecated -+public class GroupRemoveMemberCLI extends GroupMemberRemoveCLI { - - public GroupRemoveMemberCLI(GroupCLI parent) { -- super("remove-member", "Remove group member"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String groupID = args[0]; -- String memberID = args[1]; -- -- parent.client.removeGroupMember(groupID, memberID); -- -- MainCLI.printMessage("Deleted group member \""+memberID+"\""); -+ super("remove-member", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java -index 47ca43c..6e493d3 100644 ---- a/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java -@@ -18,40 +18,14 @@ - - package com.netscape.cmstools.group; - --import com.netscape.certsrv.group.GroupMemberData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class GroupShowMemberCLI extends CLI { -- -- public GroupCLI parent; -+@Deprecated -+public class GroupShowMemberCLI extends GroupMemberShowCLI { - - public GroupShowMemberCLI(GroupCLI parent) { -- super("show-member", "Show group member"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String groupID = args[0]; -- String memberID = args[1]; -- -- GroupMemberData groupMemberData = parent.client.getGroupMember(groupID, memberID); -- -- MainCLI.printMessage("Group member \""+memberID+"\""); -- -- GroupCLI.printGroupMember(groupMemberData); -+ super("show-member", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java -index 7bec2ff..528d39c 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java -@@ -18,80 +18,14 @@ - - package com.netscape.cmstools.user; - --import java.io.File; --import java.util.Scanner; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; -- --import com.netscape.certsrv.user.UserCertData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class UserAddCertCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserAddCertCLI extends UserCertAddCLI { - - public UserAddCertCLI(UserCLI parent) { -- super("add-cert", "Add user cert"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "input", true, "Input file"); -- option.setArgName("file"); -- option.setRequired(true); -- options.addOption(option); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 1) { -- printHelp(); -- System.exit(1); -- } -- -- String userId = cmdArgs[0]; -- String file = cmd.getOptionValue("input"); -- -- // get cert from file -- if (verbose) { -- System.out.println("Reading cert from "+file+"."); -- } -- String encoded = new Scanner(new File(file)).useDelimiter("\\A").next(); -- if (verbose) { -- System.out.println(encoded); -- } -- -- UserCertData userCertData = new UserCertData(); -- userCertData.setEncoded(encoded); -- -- if (verbose) { -- System.out.println(userCertData); -- } -- -- userCertData = parent.client.addUserCert(userId, userCertData); -- -- MainCLI.printMessage("Added certificate \"" + userCertData.getID() + "\""); -- -- UserCLI.printCert(userCertData, false, false); -+ super("add-cert", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java -index 224f226..43a55ea 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java -@@ -18,40 +18,14 @@ 
- - package com.netscape.cmstools.user; - --import com.netscape.certsrv.user.UserMembershipData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. Dewata - */ --public class UserAddMembershipCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserAddMembershipCLI extends UserMembershipAddCLI { - - public UserAddMembershipCLI(UserCLI parent) { -- super("add-membership", "Add user membership"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = args[0]; -- String groupID = args[1]; -- -- UserMembershipData userMembershipData = parent.client.addUserMembership(userID, groupID); -- -- MainCLI.printMessage("Added membership in \""+groupID+"\""); -- -- UserCLI.printUserMembership(userMembershipData); -+ super("add-membership", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -index 2343d19..be404b8 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java -@@ -53,30 +53,18 @@ public class UserCLI extends CLI { - addModule(new UserAddCertCLI(this)); - addModule(new UserRemoveCertCLI(this)); - -+ addModule(new UserCertFindCLI(this)); -+ addModule(new UserCertShowCLI(this)); -+ addModule(new UserCertAddCLI(this)); -+ addModule(new UserCertRemoveCLI(this)); -+ - addModule(new UserFindMembershipCLI(this)); - addModule(new UserAddMembershipCLI(this)); - addModule(new UserRemoveMembershipCLI(this)); -- } -- -- public void printHelp() { -- -- System.out.println("Commands:"); - -- int leftPadding = 1; -- int rightPadding = 25; -- -- for (CLI module : modules.values()) { -- String 
label = name + "-" + module.getName(); -- -- int padding = rightPadding - leftPadding - label.length(); -- if (padding < 1) -- padding = 1; -- -- System.out.print(StringUtils.repeat(" ", leftPadding)); -- System.out.print(label); -- System.out.print(StringUtils.repeat(" ", padding)); -- System.out.println(module.getDescription()); -- } -+ addModule(new UserMembershipFindCLI(this)); -+ addModule(new UserMembershipAddCLI(this)); -+ addModule(new UserMembershipRemoveCLI(this)); - } - - public void execute(String[] args) throws Exception { -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java -new file mode 100644 -index 0000000..6e2e5cc ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java -@@ -0,0 +1,105 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import java.io.File; -+import java.util.Scanner; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.user.UserCertData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class UserCertAddCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserCertAddCLI(String name, UserCLI parent) { -+ super(name, "Add user cert"); -+ this.parent = parent; -+ } -+ -+ public UserCertAddCLI(UserCLI parent) { -+ this("cert-add", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "input", true, "Input file"); -+ option.setArgName("file"); -+ option.setRequired(true); -+ options.addOption(option); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 1) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userId = cmdArgs[0]; -+ String file = cmd.getOptionValue("input"); -+ -+ // get cert from file -+ if (verbose) { -+ System.out.println("Reading cert from "+file+"."); -+ } -+ -+ UserCertData userCertData = new UserCertData(); -+ -+ try (Scanner scanner = new Scanner(new File(file))) { -+ String encoded = scanner.useDelimiter("\\A").next(); -+ if (verbose) { -+ System.out.println(encoded); -+ } -+ -+ userCertData.setEncoded(encoded); -+ } -+ -+ if (verbose) { -+ System.out.println(userCertData); -+ } -+ -+ userCertData = parent.client.addUserCert(userId, userCertData); -+ -+ MainCLI.printMessage("Added certificate \"" + userCertData.getID() + "\""); -+ -+ 
UserCLI.printCert(userCertData, false, false); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java -new file mode 100644 -index 0000000..c0c85a0 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java -@@ -0,0 +1,108 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import java.util.Collection; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.user.UserCertCollection; -+import com.netscape.certsrv.user.UserCertData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class UserCertFindCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserCertFindCLI(String name, UserCLI parent) { -+ super(name, "Find user certs"); -+ this.parent = parent; -+ } -+ -+ public UserCertFindCLI(UserCLI parent) { -+ this("cert-find", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "start", true, "Page start"); -+ option.setArgName("start"); -+ options.addOption(option); -+ -+ option = new Option(null, "size", true, "Page size"); -+ option.setArgName("size"); -+ options.addOption(option); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 1) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = cmdArgs[0]; -+ -+ String s = cmd.getOptionValue("start"); -+ Integer start = s == null ? null : Integer.valueOf(s); -+ -+ s = cmd.getOptionValue("size"); -+ Integer size = s == null ? 
null : Integer.valueOf(s); -+ -+ UserCertCollection response = parent.client.findUserCerts(userID, start, size); -+ -+ Collection entries = response.getCerts(); -+ -+ MainCLI.printMessage(entries.size() + " user cert(s) matched"); -+ -+ boolean first = true; -+ -+ for (UserCertData userCertData : entries) { -+ -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ UserCLI.printCert(userCertData, false, false); -+ } -+ -+ MainCLI.printMessage("Number of entries returned " + entries.size()); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java -new file mode 100644 -index 0000000..503e137 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java -@@ -0,0 +1,65 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import java.net.URLEncoder; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class UserCertRemoveCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserCertRemoveCLI(String name, UserCLI parent) { -+ super(name, "Remove user cert"); -+ this.parent = parent; -+ } -+ -+ public UserCertRemoveCLI(UserCLI parent) { -+ this("cert-del", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = args[0]; -+ String certID = args[1]; -+ -+ if (verbose) { -+ System.out.println("Removing cert "+certID+" from user "+userID+"."); -+ } -+ -+ parent.client.removeUserCert(userID, URLEncoder.encode(certID, "UTF-8")); -+ -+ MainCLI.printMessage("Deleted certificate \"" + certID + "\""); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java -new file mode 100644 -index 0000000..fcf5159 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java -@@ -0,0 +1,100 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2012 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import java.io.FileWriter; -+import java.io.PrintWriter; -+import java.net.URLEncoder; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.user.UserCertData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class UserCertShowCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserCertShowCLI(String name, UserCLI parent) { -+ super(name, "Show user cert"); -+ this.parent = parent; -+ } -+ -+ public UserCertShowCLI(UserCLI parent) { -+ this("cert-show", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "output", true, "Output file"); -+ option.setArgName("file"); -+ options.addOption(option); -+ -+ options.addOption(null, "pretty", false, "Pretty print"); -+ options.addOption(null, "encoded", false, "Base-64 encoded"); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ boolean showPrettyPrint = cmd.hasOption("pretty"); -+ boolean showEncoded = cmd.hasOption("encoded"); -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = cmdArgs[0]; -+ String certID = cmdArgs[1]; -+ String file = cmd.getOptionValue("output"); -+ -+ UserCertData userCertData = parent.client.getUserCert(userID, URLEncoder.encode(certID, "UTF-8")); -+ -+ String encoded = userCertData.getEncoded(); -+ if (encoded != null && file != null) { -+ // store cert to file -+ PrintWriter out = new PrintWriter(new FileWriter(file)); -+ out.print(encoded); -+ 
out.close(); -+ } -+ -+ MainCLI.printMessage("Certificate \"" + userCertData.getID() + "\""); -+ -+ UserCLI.printCert(userCertData, showPrettyPrint, showEncoded); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java -index 08f6879..baf73c9 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java -@@ -18,87 +18,14 @@ - - package com.netscape.cmstools.user; - --import java.util.Collection; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; -- --import com.netscape.certsrv.user.UserCertCollection; --import com.netscape.certsrv.user.UserCertData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. Dewata - */ --public class UserFindCertCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserFindCertCLI extends UserCertFindCLI { - - public UserFindCertCLI(UserCLI parent) { -- super("find-cert", "Find user certs"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "start", true, "Page start"); -- option.setArgName("start"); -- options.addOption(option); -- -- option = new Option(null, "size", true, "Page size"); -- option.setArgName("size"); -- options.addOption(option); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 1) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = cmdArgs[0]; -- -- String s = cmd.getOptionValue("start"); 
-- Integer start = s == null ? null : Integer.valueOf(s); -- -- s = cmd.getOptionValue("size"); -- Integer size = s == null ? null : Integer.valueOf(s); -- -- UserCertCollection response = parent.client.findUserCerts(userID, start, size); -- -- Collection entries = response.getCerts(); -- -- MainCLI.printMessage(entries.size() + " user cert(s) matched"); -- -- boolean first = true; -- -- for (UserCertData userCertData : entries) { -- -- if (first) { -- first = false; -- } else { -- System.out.println(); -- } -- -- UserCLI.printCert(userCertData, false, false); -- } -- -- MainCLI.printMessage("Number of entries returned " + entries.size()); -+ super("find-cert", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java -index 494c3c3..24fb9ca 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java -@@ -18,87 +18,14 @@ - - package com.netscape.cmstools.user; - --import java.util.Collection; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; -- --import com.netscape.certsrv.user.UserMembershipCollection; --import com.netscape.certsrv.user.UserMembershipData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class UserFindMembershipCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserFindMembershipCLI extends UserMembershipFindCLI { - - public UserFindMembershipCLI(UserCLI parent) { -- super("find-membership", "Find user memberships"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "start", true, "Page start"); -- option.setArgName("start"); -- options.addOption(option); -- -- option = new Option(null, "size", true, "Page size"); -- option.setArgName("size"); -- options.addOption(option); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 1) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = cmdArgs[0]; -- -- String s = cmd.getOptionValue("start"); -- Integer start = s == null ? null : Integer.valueOf(s); -- -- s = cmd.getOptionValue("size"); -- Integer size = s == null ? 
null : Integer.valueOf(s); -- -- UserMembershipCollection response = parent.client.findUserMemberships(userID, start, size); -- -- Collection entries = response.getMemberships(); -- -- MainCLI.printMessage(entries.size()+" membership(s) matched"); -- -- boolean first = true; -- -- for (UserMembershipData userMembershipData : entries) { -- -- if (first) { -- first = false; -- } else { -- System.out.println(); -- } -- -- UserCLI.printUserMembership(userMembershipData); -- } -- -- MainCLI.printMessage("Number of entries returned "+entries.size()); -+ super("find-membership", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java -new file mode 100644 -index 0000000..44cb578 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java -@@ -0,0 +1,61 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import com.netscape.certsrv.user.UserMembershipData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class UserMembershipAddCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserMembershipAddCLI(String name, UserCLI parent) { -+ super(name, "Add user membership"); -+ this.parent = parent; -+ } -+ -+ public UserMembershipAddCLI(UserCLI parent) { -+ this("membership-add", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = args[0]; -+ String groupID = args[1]; -+ -+ UserMembershipData userMembershipData = parent.client.addUserMembership(userID, groupID); -+ -+ MainCLI.printMessage("Added membership in \""+groupID+"\""); -+ -+ UserCLI.printUserMembership(userMembershipData); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java -new file mode 100644 -index 0000000..beca5f4 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java -@@ -0,0 +1,108 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import java.util.Collection; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.certsrv.user.UserMembershipCollection; -+import com.netscape.certsrv.user.UserMembershipData; -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. Dewata -+ */ -+public class UserMembershipFindCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserMembershipFindCLI(String name, UserCLI parent) { -+ super(name, "Find user memberships"); -+ this.parent = parent; -+ } -+ -+ public UserMembershipFindCLI(UserCLI parent) { -+ this("membership-find", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ Option option = new Option(null, "start", true, "Page start"); -+ option.setArgName("start"); -+ options.addOption(option); -+ -+ option = new Option(null, "size", true, "Page size"); -+ option.setArgName("size"); -+ options.addOption(option); -+ -+ CommandLine cmd = null; -+ -+ try { -+ cmd = parser.parse(options, args); -+ -+ } catch (Exception e) { -+ System.err.println("Error: " + e.getMessage()); -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String[] cmdArgs = cmd.getArgs(); -+ -+ if (cmdArgs.length != 1) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = cmdArgs[0]; -+ -+ String s = cmd.getOptionValue("start"); -+ Integer start = s == null ? null : Integer.valueOf(s); -+ -+ s = cmd.getOptionValue("size"); -+ Integer size = s == null ? 
null : Integer.valueOf(s); -+ -+ UserMembershipCollection response = parent.client.findUserMemberships(userID, start, size); -+ -+ Collection entries = response.getMemberships(); -+ -+ MainCLI.printMessage(entries.size()+" membership(s) matched"); -+ -+ boolean first = true; -+ -+ for (UserMembershipData userMembershipData : entries) { -+ -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ UserCLI.printUserMembership(userMembershipData); -+ } -+ -+ MainCLI.printMessage("Number of entries returned "+entries.size()); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java -new file mode 100644 -index 0000000..ba43b05 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java -@@ -0,0 +1,58 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.user; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmstools.cli.MainCLI; -+ -+/** -+ * @author Endi S. 
Dewata -+ */ -+public class UserMembershipRemoveCLI extends CLI { -+ -+ public UserCLI parent; -+ -+ public UserMembershipRemoveCLI(String name, UserCLI parent) { -+ super(name, "Remove user membership"); -+ this.parent = parent; -+ } -+ -+ public UserMembershipRemoveCLI(UserCLI parent) { -+ this("membership-del", parent); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(parent.name + "-" + name + " ", options); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ if (args.length != 2) { -+ printHelp(); -+ System.exit(1); -+ } -+ -+ String userID = args[0]; -+ String groupID = args[1]; -+ -+ parent.client.removeUserMembership(userID, groupID); -+ -+ MainCLI.printMessage("Deleted membership in group \""+groupID+"\""); -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java -index 264458b..58fd57e 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java -@@ -18,44 +18,15 @@ - - package com.netscape.cmstools.user; - --import java.net.URLEncoder; -- --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - - /** - * @author Endi S. 
Dewata - */ --public class UserRemoveCertCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserRemoveCertCLI extends UserCertRemoveCLI { - - public UserRemoveCertCLI(UserCLI parent) { -- super("remove-cert", "Remove user cert"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = args[0]; -- String certID = args[1]; -- -- if (verbose) { -- System.out.println("Removing cert "+certID+" from user "+userID+"."); -- } -- -- parent.client.removeUserCert(userID, URLEncoder.encode(certID, "UTF-8")); -- -- MainCLI.printMessage("Deleted certificate \"" + certID + "\""); -+ super("remove-cert", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java -index 26a5a6e..4cafcec 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java -@@ -18,37 +18,14 @@ - - package com.netscape.cmstools.user; - --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class UserRemoveMembershipCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserRemoveMembershipCLI extends UserMembershipRemoveCLI { - - public UserRemoveMembershipCLI(UserCLI parent) { -- super("remove-membership", "Remove user membership"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " ", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- if (args.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = args[0]; -- String groupID = args[1]; -- -- parent.client.removeUserMembership(userID, groupID); -- -- MainCLI.printMessage("Deleted membership in group \""+groupID+"\""); -+ super("remove-membership", parent); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java -index f30c723..5177281 100644 ---- a/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java -@@ -18,79 +18,14 @@ - - package com.netscape.cmstools.user; - --import java.io.FileWriter; --import java.io.PrintWriter; --import java.net.URLEncoder; -- --import org.apache.commons.cli.CommandLine; --import org.apache.commons.cli.Option; -- --import com.netscape.certsrv.user.UserCertData; --import com.netscape.cmstools.cli.CLI; --import com.netscape.cmstools.cli.MainCLI; - - /** - * @author Endi S. 
Dewata - */ --public class UserShowCertCLI extends CLI { -- -- public UserCLI parent; -+@Deprecated -+public class UserShowCertCLI extends UserCertShowCLI { - - public UserShowCertCLI(UserCLI parent) { -- super("show-cert", "Show user cert"); -- this.parent = parent; -- } -- -- public void printHelp() { -- formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); -- } -- -- public void execute(String[] args) throws Exception { -- -- Option option = new Option(null, "output", true, "Output file"); -- option.setArgName("file"); -- options.addOption(option); -- -- options.addOption(null, "pretty", false, "Pretty print"); -- options.addOption(null, "encoded", false, "Base-64 encoded"); -- -- CommandLine cmd = null; -- -- try { -- cmd = parser.parse(options, args); -- -- } catch (Exception e) { -- System.err.println("Error: " + e.getMessage()); -- printHelp(); -- System.exit(1); -- } -- -- boolean showPrettyPrint = cmd.hasOption("pretty"); -- boolean showEncoded = cmd.hasOption("encoded"); -- -- String[] cmdArgs = cmd.getArgs(); -- -- if (cmdArgs.length != 2) { -- printHelp(); -- System.exit(1); -- } -- -- String userID = cmdArgs[0]; -- String certID = cmdArgs[1]; -- String file = cmd.getOptionValue("output"); -- -- UserCertData userCertData = parent.client.getUserCert(userID, URLEncoder.encode(certID, "UTF-8")); -- -- String encoded = userCertData.getEncoded(); -- if (encoded != null && file != null) { -- // store cert to file -- PrintWriter out = new PrintWriter(new FileWriter(file)); -- out.print(encoded); -- out.close(); -- } -- -- MainCLI.printMessage("Certificate \"" + userCertData.getID() + "\""); -- -- UserCLI.printCert(userCertData, showPrettyPrint, showEncoded); -+ super("show-cert", parent); - } - } --- -1.8.3.1 - diff --git a/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch b/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch deleted file mode 100644 index ac0feb9..0000000 
--- a/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From cbd26eee9194438627a7f0949bde9fa4f582ca8c Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 30 Oct 2013 17:03:15 -0400 -Subject: [PATCH 6/6] Added new link for resteasy dependency - - Resteasy 2.3.5 uses apache-commons-io. Not having a link to - this jar results in IPA replica installs failing. - - Resolves: rhbz 1024679 ---- - base/common/shared/conf/pki.policy | 4 ++++ - base/java-tools/pki | 1 + - base/server/etc/default.cfg | 2 ++ - base/server/scripts/operations | 1 + - base/server/src/scriptlets/instance_layout.py | 2 ++ - 5 files changed, 10 insertions(+) - -diff --git a/base/common/shared/conf/pki.policy b/base/common/shared/conf/pki.policy -index 52e3d7f..df9157e 100644 ---- a/base/common/shared/conf/pki.policy -+++ b/base/common/shared/conf/pki.policy -@@ -46,6 +46,10 @@ grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { - permission java.security.AllPermission; - }; - -+grant codeBase "file:/usr/share/java/apache-commons-io.jar" { -+ permission java.security.AllPermission; -+}; -+ - grant codeBase "file:/usr/share/java/apache-commons-lang.jar" { - permission java.security.AllPermission; - }; -diff --git a/base/java-tools/pki b/base/java-tools/pki -index b7d9bfe..5821620 100755 ---- a/base/java-tools/pki -+++ b/base/java-tools/pki -@@ -80,6 +80,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:" - . "/usr/share/java/${PRODUCT}/pki-tools.jar:" - . "/usr/share/java/apache-commons-cli.jar:" - . "/usr/share/java/apache-commons-codec.jar:" -+ . "/usr/share/java/apache-commons-io.jar:" - . "/usr/share/java/apache-commons-lang.jar:" - . "/usr/share/java/apache-commons-logging.jar:" - . "/usr/share/java/commons-httpclient.jar:" -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index f4ad2be..8559b42 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -275,6 +275,7 @@ pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil. 
- pki_jss_jar=%(jni_jar_dir)s/jss4.jar - pki_symkey_jar=%(jni_jar_dir)s/symkey.jar - pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar -+pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar - pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar - pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar - pki_commons_codec_jar=/usr/share/java/commons-codec.jar -@@ -304,6 +305,7 @@ pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar - pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar - pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar - pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar -+pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar - pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar - pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar - pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar -diff --git a/base/server/scripts/operations b/base/server/scripts/operations -index 8a703d6..df89ea6 100644 ---- a/base/server/scripts/operations -+++ b/base/server/scripts/operations -@@ -1197,6 +1197,7 @@ verify_symlinks() - common_jar_symlinks=( - [apache-commons-codec.jar]=${java_dir}/commons-codec.jar - [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar -+ [apache-commons-io.jar]=${java_dir}/apache-commons-io.jar - [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar - [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar - [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar -diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py -index 07ae03e..1f75de7 100644 ---- a/base/server/src/scriptlets/instance_layout.py -+++ b/base/server/src/scriptlets/instance_layout.py 
-@@ -88,6 +88,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # establish Tomcat instance common lib jar symbolic links - util.symlink.create(master['pki_apache_commons_collections_jar'], - master['pki_apache_commons_collections_jar_link']) -+ util.symlink.create(master['pki_apache_commons_io_jar'], -+ master['pki_apache_commons_io_jar_link']) - util.symlink.create(master['pki_apache_commons_lang_jar'], - master['pki_apache_commons_lang_jar_link']) - util.symlink.create(master['pki_apache_commons_logging_jar'], --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.1.2-bz1151147.patch b/SOURCES/pki-core-10.1.2-bz1151147.patch new file mode 100644 index 0000000..0585660 --- /dev/null +++ b/SOURCES/pki-core-10.1.2-bz1151147.patch 
@@ -0,0 +1,308 @@ +From a8fe431dc77f03a8237ec0820c02c542762ecb9f Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 15 Oct 2014 10:30:31 -0700 +Subject: [PATCH] Bug1151147 issuerDN encoding correction + +--- + base/ca/src/com/netscape/ca/CAService.java | 13 ++++++-- + .../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++- + .../netscape/certsrv/ca/ICertificateAuthority.java | 5 +++ + .../netscape/cms/profile/common/EnrollProfile.java | 16 +++++++-- + .../com/netscape/cms/servlet/csadmin/CertUtil.java | 16 +++++++-- + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 18 ++++++++-- + .../src/netscape/security/x509/X509CertImpl.java | 8 +++++ + .../src/netscape/security/x509/X509CertInfo.java | 8 +++++ + 8 files changed, 114 insertions(+), 9 deletions(-) + +diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java +index 1977850..6edaf2a 100644 +--- a/base/ca/src/com/netscape/ca/CAService.java ++++ b/base/ca/src/com/netscape/ca/CAService.java +@@ -821,8 +821,17 @@ public class CAService implements ICAService, IService { + } + + try { +- certi.set(X509CertInfo.ISSUER, +- new CertificateIssuerName(mCA.getX500Name())); ++ if (mCA.getIssuerObj() != null) { ++ // this ensures the isserDN has the same encoding as the ++ // subjectDN of the CA signing cert ++ CMS.debug("CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding"); ++ certi.set(X509CertInfo.ISSUER, ++ mCA.getIssuerObj()); ++ } else { ++ CMS.debug("CAService: issueX509Cert: mCA.getIssuerObj() is null, creating new CertificateIssuerName"); ++ certi.set(X509CertInfo.ISSUER, ++ new CertificateIssuerName(mCA.getX500Name())); ++ } + } catch (CertificateException e) { + mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid)); +diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java +index 73ce6df..6529611 100644 +--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java ++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java +@@ -43,6 +43,8 @@ import netscape.security.util.DerOutputStream; + import netscape.security.util.DerValue; + import netscape.security.x509.AlgorithmId; + import netscape.security.x509.CertificateChain; ++import netscape.security.x509.CertificateIssuerName; ++import netscape.security.x509.CertificateSubjectName; + import netscape.security.x509.CertificateVersion; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CRLImpl; +@@ -143,6 +145,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori + protected SigningUnit mOCSPSigningUnit; + protected SigningUnit mCRLSigningUnit; + ++ protected CertificateIssuerName mIssuerObj = null; ++ protected CertificateSubjectName mSubjectObj = null; + protected X500Name mName = null; + protected X500Name mCRLName = null; + protected X500Name mOCSPName = null; +@@ -888,6 +892,14 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori + return mName; + } + ++ public CertificateIssuerName getIssuerObj() { ++ return mIssuerObj; ++ } ++ ++ public CertificateSubjectName getSubjectObj() { ++ return mSubjectObj; ++ } ++ + public X500Name getCRLX500Name() { + return mCRLName; + } +@@ -1199,6 +1211,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori + IConfigStore caSigningCfg = + mConfig.getSubStore(PROP_SIGNING_SUBSTORE); + ++ String caSigningCertStr = caSigningCfg.getString("cert", ""); ++ if (caSigningCertStr.equals("")) { ++ CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found"); ++ } else { //ca cert found ++ CMS.debug("CertificateAuthority:initSigUnit: ca cert found"); ++ mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr)); ++ // this ensures the isserDN and subjectDN have the same encoding 
++ // as that of the CA signing cert ++ CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj"); ++ mSubjectObj = mCaCert.getSubjectObj(); ++ // this mIssuerObj is the "issuerDN" obj for the certs this CA ++ // issues, NOT necessarily the isserDN obj of the CA signing cert ++ mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); ++ } ++ + mSigningUnit.init(this, caSigningCfg); + CMS.debug("CA signing unit inited"); + +@@ -1295,11 +1322,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori + } + mOCSPCertChain = new CertificateChain(ocspImplchain); + CMS.debug("in init - got OCSP chain from JSS."); +- // init issuer name - take name from the cert. + + mCaX509Cert = mSigningUnit.getCert(); + mCaCert = new X509CertImpl(mCaX509Cert.getEncoded()); + getCASigningAlgorithms(); ++ mSubjectObj = mCaCert.getSubjectObj(); ++ if (mSubjectObj != null) { ++ // this ensures the isserDN and subjectDN have the same encoding ++ // as that of the CA signing cert ++ CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj"); ++ // this mIssuerObj is the "issuerDN" obj for the certs this CA ++ // issues, NOT necessarily the isserDN obj of the CA signing cert ++ // unless the CA is self-signed ++ mIssuerObj = ++ new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME)); ++ } + mName = (X500Name) mCaCert.getSubjectDN(); + + mCRLX509Cert = mCRLSigningUnit.getCert(); +diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +index 39f336b..f87f154 100644 +--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java ++++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +@@ -23,6 +23,8 @@ import java.util.Map; + import javax.servlet.http.HttpServletRequest; + + import netscape.security.x509.CertificateChain; 
++import netscape.security.x509.CertificateIssuerName; ++import netscape.security.x509.CertificateSubjectName; + import netscape.security.x509.CertificateVersion; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CRLImpl; +@@ -510,4 +512,7 @@ public interface ICertificateAuthority extends ISubsystem { + * @return processed times for OCSP requests + */ + public long getOCSPTotalData(); ++ ++ public CertificateIssuerName getIssuerObj(); ++ public CertificateSubjectName getSubjectObj(); + } +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index ca665ba..9e89e69 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -88,6 +88,7 @@ import com.netscape.certsrv.authority.IAuthority; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.EPropertyNotFound; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.EDeferException; + import com.netscape.certsrv.profile.EProfileException; +@@ -220,8 +221,19 @@ public abstract class EnrollProfile extends BasicProfile + new CertificateVersion(CertificateVersion.V3)); + info.set(X509CertInfo.SERIAL_NUMBER, + new CertificateSerialNumber(new BigInteger("0"))); +- info.set(X509CertInfo.ISSUER, +- new CertificateIssuerName(issuerName)); ++ ICertificateAuthority authority = ++ (ICertificateAuthority) getAuthority(); ++ if (authority.getIssuerObj() != null) { ++ // this ensures the isserDN has the same encoding as the ++ // subjectDN of the CA signing cert ++ CMS.debug("EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding"); ++ info.set(X509CertInfo.ISSUER, ++ 
authority.getIssuerObj()); ++ } else { ++ CMS.debug("EnrollProfile: setDefaultCertInfo: authority.getIssuerObj() is null, creating new CertificateIssuerName"); ++ info.set(X509CertInfo.ISSUER, ++ new CertificateIssuerName(issuerName)); ++ } + info.set(X509CertInfo.KEY, + new CertificateX509Key(X509Key.parse(new DerValue(dummykey)))); + info.set(X509CertInfo.SUBJECT, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +index ede632e..22f0929 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse; + + import netscape.security.pkcs.PKCS10; + import netscape.security.x509.CertificateExtensions; ++import netscape.security.x509.CertificateIssuerName; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509CertInfo; +@@ -390,6 +391,7 @@ public class CertUtil { + cr = ca.getCertificateRepository(); + BigInteger serialNo = cr.getNextSerialNumber(); + if (type.equals("selfsign")) { ++ CMS.debug("Creating local certificate... selfsign cert"); + CMS.debug("Creating local certificate... issuerdn=" + dn); + CMS.debug("Creating local certificate... dn=" + dn); + info = CryptoUtil.createX509CertInfo(x509key, serialNo, dn, dn, date, date, keyAlgorithm); +@@ -397,8 +399,18 @@ public class CertUtil { + String issuerdn = config.getString("preop.cert.signing.dn", ""); + CMS.debug("Creating local certificate... issuerdn=" + issuerdn); + CMS.debug("Creating local certificate... 
dn=" + dn); +- +- info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); ++ if (ca.getIssuerObj() != null) { ++ // this ensures the isserDN has the same encoding as the ++ // subjectDN of the CA signing cert ++ CMS.debug("Creating local certificate... setting issuerDN using exact CA signing cert subjectDN encoding"); ++ CertificateIssuerName issuerdnObj = ++ ca.getIssuerObj(); ++ ++ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdnObj, dn, date, date, keyAlgorithm); ++ } else { ++ CMS.debug("Creating local certificate... ca.getIssuerObj() is null, creating new CertificateIssuerName"); ++ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm); ++ } + } + CMS.debug("Cert Template: " + info.toString()); + +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 5e8e323..c87ebb1 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -1050,14 +1050,28 @@ public class CryptoUtil { + CertificateException, + InvalidKeyException, + NoSuchAlgorithmException { ++ CertificateIssuerName issuernameObj = ++ new CertificateIssuerName(new X500Name(issuername)); ++ return createX509CertInfo(x509key, serialno, issuernameObj, subjname, notBefore, notAfter, alg); ++ } ++ ++ public static X509CertInfo createX509CertInfo(X509Key x509key, ++ BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, ++ Date notBefore, Date notAfter, String alg) ++ throws IOException, ++ CertificateException, ++ InvalidKeyException, ++ NoSuchAlgorithmException { + X509CertInfo info = new X509CertInfo(); + + info.set(X509CertInfo.VERSION, new + CertificateVersion(CertificateVersion.V3)); + info.set(X509CertInfo.SERIAL_NUMBER, new + CertificateSerialNumber(serialno)); +- info.set(X509CertInfo.ISSUER, new +- 
CertificateIssuerName(new X500Name(issuername))); ++ if (issuernameObj != null) { ++ info.set(X509CertInfo.ISSUER, ++ issuernameObj); ++ } + info.set(X509CertInfo.SUBJECT, new + CertificateSubjectName(new X500Name(subjname))); + info.set(X509CertInfo.VALIDITY, new +diff --git a/base/util/src/netscape/security/x509/X509CertImpl.java b/base/util/src/netscape/security/x509/X509CertImpl.java +index 111cd3b..a021ee1 100755 +--- a/base/util/src/netscape/security/x509/X509CertImpl.java ++++ b/base/util/src/netscape/security/x509/X509CertImpl.java +@@ -725,6 +725,10 @@ public class X509CertImpl extends X509Certificate + } + } + ++ public CertificateSubjectName getSubjectObj() { ++ return info.getSubjectObj(); ++ } ++ + /** + * Gets the issuer distinguished name from the certificate. + * +@@ -743,6 +747,10 @@ public class X509CertImpl extends X509Certificate + } + } + ++ public CertificateIssuerName getIssuerObj() { ++ return info.getIssuerObj(); ++ } ++ + /** + * Gets the notBefore date from the validity period of the certificate. + * +diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java +index 2ad17eb..29757ec 100644 +--- a/base/util/src/netscape/security/x509/X509CertInfo.java ++++ b/base/util/src/netscape/security/x509/X509CertInfo.java +@@ -873,6 +873,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { + issuer = (CertificateIssuerName) val; + } + ++ public CertificateIssuerName getIssuerObj() { ++ return issuer; ++ } ++ + /** + * Set the validity interval of the certificate. + * +@@ -901,6 +905,10 @@ public class X509CertInfo implements CertAttrSet, Serializable { + subject = (CertificateSubjectName) val; + } + ++ public CertificateSubjectName getSubjectObj() { ++ return subject; ++ } ++ + /** + * Set the public key in the certificate. + * +-- +1.8.3.1 + 
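Review bot: The new `createX509CertInfo(X509Key, BigInteger, CertificateIssuerName, ...)` overload in CryptoUtil silently leaves ISSUER unset when `issuernameObj` is null, whereas the String overload it replaces always set it; a template with no issuer will presumably only fail later, at encoding or signing time, with a less useful error. The one caller of the new overload shown (CertUtil) already checks `ca.getIssuerObj() != null` before reaching it, so the null branch is dead for it and the method would be clearer failing fast: `if (issuernameObj == null) { throw new CertificateException("issuer name is required"); }` (CertificateException is already in the throws clause). Separately, `initSigUnit` in CertificateAuthority now derives `mIssuerObj`/`mSubjectObj` twice, first from `ca.signing.cert` in the config and again from `mSigningUnit.getCert()` a few lines later with the second assignment overriding the first, so the first block looks redundant unless the config cert is needed before the signing unit is initialized; that method's body continues outside the hunk. The added comments also misspell "issuerDN" as "isserDN" in several places.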
diff --git a/SOURCES/pki-core-10.1.2-bz1155654.patch b/SOURCES/pki-core-10.1.2-bz1155654.patch
new file mode 100644
index 0000000..df7bfed
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1155654.patch
@@ -0,0 +1,44 @@
+From 43de35ee65f5097abafb898210e7921a4a7d7665 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Date: Thu, 13 Nov 2014 14:14:56 -0700
+Subject: [PATCH] Check for null values in GetConfigEntries
+
+* Bugzilla Bug #1155654 - Replica install fails when using --setup-ca option
+ (AKA - PKI TRAC Ticket #1142 - NPE in getconfigEntries when internaldb
+ password is removed from master)
+---
+ .../com/netscape/cms/servlet/csadmin/GetConfigEntries.java | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
+index ee013ef..dcb8bdf 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
+@@ -180,9 +180,11 @@ public class GetConfigEntries extends CMSServlet {
+ continue;
+ }
+ 
+- Node container = xmlObj.createContainer(root, "Config");
+- xmlObj.addItemToContainer(container, "name", name);
+- xmlObj.addItemToContainer(container, "value", value);
++ if (value != null) {
++ Node container = xmlObj.createContainer(root, "Config");
++ xmlObj.addItemToContainer(container, "name", name);
++ xmlObj.addItemToContainer(container, "value", value);
++ }
+ }
+ }
+ 
+@@ -192,7 +194,8 @@ public class GetConfigEntries extends CMSServlet {
+ 
+ outputResult(httpResp, "application/xml", cb);
+ } catch (Exception e) {
+- CMS.debug("Failed to send the XML output");
++ CMS.debug("Failed to send the XML output: " + e);
++ e.printStackTrace();
+ }
+ }
+
+-- 
+1.8.3.1
+
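Review bot: Entries whose value is null are now dropped from the response without any trace, so a replica install that later fails because it never received that entry has nothing in the master's log pointing at the missing value (the referenced bug is exactly the internaldb password being absent on the master). An `else` branch naming the skipped entry would keep the omission auditable: `} else { CMS.debug("GetConfigEntries: skipping " + name + ", no value configured"); }`. In the second hunk, `e.printStackTrace()` writes to the process's stderr rather than the subsystem debug log used on the line above; if the CMS facade has a Throwable overload, `CMS.debug(e)` would keep the trace in one place, otherwise a short comment on why stderr is intended would help. The enclosing loop and method start outside the hunk.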
diff --git a/SOURCES/pki-core-10.1.2-bz1158410.patch b/SOURCES/pki-core-10.1.2-bz1158410.patch
new file mode 100644
index 0000000..9251af1
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1158410.patch
@@ -0,0 +1,240 @@ +From 02eb00b312539f455d13b8a282cc523e11f2715e Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 12 Nov 2014 15:29:04 -0800 +Subject: [PATCH] Bug 1158410 add TLS range support to server.xml by default + and upgrade + +--- + base/server/config/pkislots.cfg | 3 + + .../python/pki/server/deployment/pkiparser.py | 43 ++++++++- + base/server/share/conf/server.xml | 8 +- + base/server/upgrade/10.1.2/.gitignore | 4 - + base/server/upgrade/10.1.2/01-AddTLSRangeSupport | 102 +++++++++++++++++++++ + 5 files changed, 153 insertions(+), 7 deletions(-) + delete mode 100644 base/server/upgrade/10.1.2/.gitignore + create mode 100755 base/server/upgrade/10.1.2/01-AddTLSRangeSupport + +diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg +index ce1ac78..ffcef2d 100644 +--- a/base/server/config/pkislots.cfg ++++ b/base/server/config/pkislots.cfg +@@ -101,4 +101,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS] + TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS] + TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS] + TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS] ++TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM] ++TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM] ++TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS] + TPS_DIR_SLOT=[TPS_DIR] +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index df636d4..2d7fadc 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -899,6 +899,45 @@ class PKIConfigParser: + "/var/run/pki/tomcat/" + self.pki_master_dict['pki_instance_name'] + ".pid" + self.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] = \ + self.pki_master_dict['pki_tomcat_server_port'] ++ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \ ++ "tls1_0:tls1_2" ++ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \ ++ 
"tls1_1:tls1_2" ++ self.pki_master_dict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ ++ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" + self.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ + "-SSL2_RC4_128_WITH_MD5," + \ + "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ +@@ -922,8 +961,8 @@ class PKIConfigParser: + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + self.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] = \ +- "ssl2=true," + \ +- "ssl3=true," + \ ++ 
"ssl2=false," + \ ++ "ssl3=false," + \ + "tls=true" + self.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] = \ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ +diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml +index 8fbdf0f..306ebf2 100644 +--- a/base/server/share/conf/server.xml ++++ b/base/server/share/conf/server.xml +@@ -142,6 +142,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + 'ssl2Ciphers' + 'ssl3Ciphers' + 'tlsCiphers' ++ 'sslVersionRangeStream' ++ 'sslVersionRangeDatagram' ++ 'sslRangeCiphers' + 'serverCertNickFile' + 'passwordFile' + 'passwordClass' +@@ -184,12 +187,15 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" +- strictCiphers="false" ++ strictCiphers="true" + clientAuth="[PKI_AGENT_CLIENTAUTH]" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tlsCiphers="[TOMCAT_TLS_CIPHERS]" ++ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" ++ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" ++ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" +diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore +deleted file mode 100644 +index 5e7d273..0000000 +--- a/base/server/upgrade/10.1.2/.gitignore ++++ /dev/null +@@ -1,4 +0,0 @@ +-# Ignore everything in this directory +-* +-# Except this file +-!.gitignore +diff --git a/base/server/upgrade/10.1.2/01-AddTLSRangeSupport b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport +new file mode 100755 +index 0000000..b5b83f4 +--- /dev/null ++++ b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport +@@ -0,0 +1,102 @@ ++#!/usr/bin/python ++# Authors: ++# Christina Fu ++# Endi S. 
Dewata ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 of the License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License along ++# with this program; if not, write to the Free Software Foundation, Inc., ++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Copyright (C) 2014 Red Hat, Inc. ++# All rights reserved. ++# ++ ++import os ++from lxml import etree ++ ++import pki.server.upgrade ++ ++ ++class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet): ++ ++ def __init__(self): ++ ++ self.message = 'Add TLS Range Support' ++ ++ self.parser = etree.XMLParser(remove_blank_text=True) ++ ++ ++ def upgrade_instance(self, instance): ++ ++ server_xml = os.path.join(instance.conf_dir, 'server.xml') ++ #Backup the file before modify ++ self.backup(server_xml) ++ #Parse the server.xml into an XML object ++ document = etree.parse(server_xml, self.parser) ++ #perform the upgrade in memory ++ self.add_tls_range(document) ++ #Once all changes are made, write the XML back into the same server.xml ++ #This way we're preserving any other customization that has been done ++ # to the server.xml ++ with open(server_xml, 'w') as f: ++ f.write(etree.tostring(document, pretty_print=True)) ++ ++ def add_tls_range(self, document): ++ ++ # Find existing Connector ++ server = document.getroot() ++ connectors = server.findall('.//Connector') ++ ++ for connector in connectors: ++ ++ secure = connector.get('secure') ++ if secure == 'true': ++ # Update Connector's attributes ++ connector.set('strictCiphers', 'true') ++ 
connector.set('sslVersionRangeStream', 'tls1_0:tls1_2') ++ connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2') ++ connector.set('sslRangeCiphers', ++ '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \ ++ '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \ ++ '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \ ++ '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_RSA_WITH_AES_128_CBC_SHA,' \ ++ '+TLS_RSA_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \ ++ '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \ ++ '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \ ++ '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \ ++ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \ ++ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \ ++ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \ ++ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \ ++ '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \ ++ '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \ ++ '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \ ++ '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \ ++ '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \ ++ '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256') ++ + + diff --git a/SOURCES/pki-core-10.1.2-bz1165351-2.patch b/SOURCES/pki-core-10.1.2-bz1165351-2.patch new file mode 100644 index 0000000..6fda15e --- /dev/null +++ b/SOURCES/pki-core-10.1.2-bz1165351-2.patch 
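Review bot: The upgrade scriptlet's `add_tls_range` sets the new range attributes and `strictCiphers` on each secure Connector but leaves `sslOptions` untouched, so an upgraded instance keeps whatever the old default wrote there — `ssl2=true,ssl3=true,tls=true` per the lines removed from pkiparser.py — while a fresh 10.1.2 deployment now gets `ssl2=false,ssl3=false`; unless the tomcatjss connector ignores `sslOptions` once `sslVersionRangeStream` is present, which the patch does not show, existing instances would still offer SSLv3 after the upgrade. Adding `connector.set('sslOptions', 'ssl2=false,ssl3=false,tls=true')` next to the `strictCiphers` line would align the upgrade path with the new-install default. The script also overwrites any existing `sslRangeCiphers`/`sslVersionRange*` values unconditionally, which sits oddly with the comment about preserving customizations, and `etree.tostring(document, pretty_print=True)` presumably emits no XML declaration, so the rewritten server.xml loses its `<?xml ...?>` header if it had one — `xml_declaration=True, encoding='UTF-8'` would keep it. The 33-entry cipher list is duplicated verbatim between pkiparser.py and the scriptlet and would be easier to keep in sync as one shared constant.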
@@ -0,0 +1,77 @@
+From b88754da750bc87fe9ae99d0571fc4432d87f8d3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Date: Wed, 26 Nov 2014 11:19:41 -0700
+Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic (revised)
+
+* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages
+ not found - fixed shell tests
+---
+ base/java-tools/templates/pki_java_command_wrapper.in | 4 +---
+ base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 +---
+ base/java-tools/templates/pretty_print_crl_command_wrapper.in | 4 +---
+ base/server/scripts/operations | 4 +---
+ 4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in
+index e9bea58..2c13d66 100644
+--- a/base/java-tools/templates/pki_java_command_wrapper.in
++++ b/base/java-tools/templates/pki_java_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files. ##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+index 0c15184..cd4888a 100644
+--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files.
##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+index 02e223c..3596fae 100644
+--- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files. ##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+
+ CP=/usr/share/java/commons-codec.jar:${CP}
+diff --git a/base/server/scripts/operations b/base/server/scripts/operations
+index e89f1f6..92d01c3 100644
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -1059,9 +1059,7 @@ verify_symlinks()
+ declare -A systemd_symlinks
+
+ # Dogtag 10 Conditional Variables
+- jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+- # Override jni_jar_dir using a user-defined value if one exists
+- jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++ jni_jar_dir=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+
+ # Dogtag 10 Symbolic Link Target Variables
+
java_dir="/usr/share/java"
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.1.2-bz1165351.patch b/SOURCES/pki-core-10.1.2-bz1165351.patch
new file mode 100644
index 0000000..ee8270f
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1165351.patch
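Review bot: The new single-line assignment in pki_java_command_wrapper.in that chains `source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR` leaves JNI_JAR_DIR empty whenever /etc/pki/pki.conf is missing or unreadable, because the `&&` chain stops before the `echo`; `CP=${JNI_JAR_DIR}/jss4.jar` then resolves to `/jss4.jar` instead of the packaged default, and the same line is repeated in pretty_print_cert_command_wrapper.in, pretty_print_crl_command_wrapper.in and base/server/scripts/operations. Keeping the default when the override file is absent needs only `JNI_JAR_DIR=$(source /usr/share/pki/etc/pki.conf; [ -r /etc/pki/pki.conf ] && source /etc/pki/pki.conf; echo $JNI_JAR_DIR)`. Both files are executed with `source` rather than parsed, so a comment above the line should say so, e.g. `# pki.conf files are sourced as shell: keep them root-owned and limited to plain assignments`. The companion pki-core-10.1.2-bz1165351.patch has the same chain in pkiparser.py.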
@@ -0,0 +1,91 @@
+From d3b2f55279c540f70d468cd969a4ae16d0f2fbb3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen
+Date: Wed, 19 Nov 2014 14:57:43 -0700
+Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic
+
+* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not
+ found
+---
+ base/common/share/etc/pki.conf | 2 +-
+ base/java-tools/templates/pki_java_command_wrapper.in | 2 ++
+ .../templates/pretty_print_cert_command_wrapper.in | 2 ++
+ .../templates/pretty_print_crl_command_wrapper.in | 2 ++
+ base/server/python/pki/server/deployment/pkiparser.py | 3 ++-
+ base/server/scripts/operations | 2 ++
+ 6 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
+index f352344..a43d1d6 100644
+--- a/base/common/share/etc/pki.conf
++++ b/base/common/share/etc/pki.conf
+@@ -1,2 +1,2 @@
+ # JNI jar file location
+-JNI_JAR_DIR=${JNI_JAR_DIR}
++JNI_JAR_DIR=/usr/lib/java
+diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in
+index e9ff005..e9bea58 100644
+--- a/base/java-tools/templates/pki_java_command_wrapper.in
++++ b/base/java-tools/templates/pki_java_command_wrapper.in
+@@ -126,6 +126,8 @@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+index 811935e..0c15184 100644
+--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+@@ -126,6 +126,8
@@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+index e70b9ab..02e223c 100644
+--- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+@@ -126,6 +126,8 @@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+
+ CP=/usr/share/java/commons-codec.jar:${CP}
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index df636d4..971cb45 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -170,7 +170,8 @@ class PKIConfigParser:
+
+ # JNI jar location
+ jni_jar_dir = subprocess.check_output(
+- 'source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR',
++ '. /usr/share/pki/etc/pki.conf && .
/etc/pki/pki.conf '
++ '&& echo $JNI_JAR_DIR',
+ shell=True)
+ # workaround for pylint error E1103
+ jni_jar_dir = str(jni_jar_dir).strip()
+diff --git a/base/server/scripts/operations b/base/server/scripts/operations
+index 7d026fe..e89f1f6 100644
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -1060,6 +1060,8 @@ verify_symlinks()
+
+ # Dogtag 10 Conditional Variables
+ jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++ # Override jni_jar_dir using a user-defined value if one exists
++ jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+
+ # Dogtag 10 Symbolic Link Target Variables
+ java_dir="/usr/share/java"
+
diff --git a/SOURCES/pki-core-10.1.2-bz790924.patch b/SOURCES/pki-core-10.1.2-bz790924.patch
new file mode 100644
index 0000000..d4b197d
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz790924.patch
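Review bot: pkiparser.py runs `'. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $JNI_JAR_DIR'` through `subprocess.check_output(..., shell=True)` and the follow-up pki-core-10.1.2-bz1165351-2.patch in this commit revises only the shell wrappers, so here a missing /etc/pki/pki.conf still yields an empty string that `str(jni_jar_dir).strip()` hands on as a path without any error. A guard after the strip, `if not jni_jar_dir: raise ValueError('JNI_JAR_DIR is not set in /usr/share/pki/etc/pki.conf or /etc/pki/pki.conf')` (or whichever error type the parser uses elsewhere), turns the silent empty path into a clear failure at deployment time. Sourcing the two files also means the deployment tool executes them rather than reads them, which the `# JNI jar location` comment should state, e.g. `# both pki.conf files are executed as shell fragments, not parsed; keep them root-owned`. The enclosing method of PKIConfigParser starts outside the hunk.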
@@ -0,0 +1,406 @@ +From 7da4d9802f058f2f78777928c7e259578ad6daef Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Thu, 25 Sep 2014 14:26:11 -0700 +Subject: [PATCH] ticket #1110 pkispawn (configuration) does not provide CA + extensions in subordinate certificate signing requests (CSR) + +--- + .../netscape/certsrv/system/SystemCertData.java | 40 ++++++++++++ + .../cms/servlet/csadmin/ConfigurationUtils.java | 76 +++++++++++++++++++++- + .../cms/servlet/csadmin/SystemConfigService.java | 10 +++ + base/server/etc/default.cfg | 5 ++ + .../python/pki/server/deployment/pkihelper.py | 25 +++++++ + .../python/pki/server/deployment/pkiparser.py | 3 + + .../com/netscape/cmsutil/crypto/CryptoUtil.java | 53 ++++++++++++++- + 7 files changed, 208 insertions(+), 4 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/system/SystemCertData.java b/base/common/src/com/netscape/certsrv/system/SystemCertData.java +index a509e3f..064d8e1 100644 +--- a/base/common/src/com/netscape/certsrv/system/SystemCertData.java ++++ b/base/common/src/com/netscape/certsrv/system/SystemCertData.java +@@ -43,6 +43,9 @@ public class SystemCertData { + public static final String SUBJECT_DN = "subjectDN"; + public static final String CERT = "cert"; + public static final String CERT_CHAIN = "certChain"; ++ public static final String REQUEST_EXT_OID = "req_ext_oid"; ++ public static final String REQUEST_EXT_CRITICAL = "req_ext_critial"; ++ public static final String REQUEST_EXT_DATA = "req_ext_data"; + + @XmlElement + protected String tag; +@@ -80,6 +83,15 @@ public class SystemCertData { + @XmlElement + protected String certChain; + ++ @XmlElement ++ protected String req_ext_oid; ++ ++ @XmlElement ++ protected String req_ext_critical; ++ ++ @XmlElement ++ protected String req_ext_data; ++ + public SystemCertData() { + // required for JAXB + } +@@ -97,6 +109,10 @@ public class SystemCertData { + subjectDN = form.getFirst(SUBJECT_DN); + cert = form.getFirst(CERT); + certChain = 
form.getFirst(CERT_CHAIN); ++ //support extension in CSR ++ req_ext_oid = form.getFirst(REQUEST_EXT_OID); ++ req_ext_critical = form.getFirst(REQUEST_EXT_CRITICAL); ++ req_ext_data = form.getFirst(REQUEST_EXT_DATA); + } + + /** +@@ -267,4 +283,28 @@ public class SystemCertData { + this.certChain = certChain; + } + ++ /** ++ * @return the req_ext_oid ++ */ ++ public String getReqExtOID() { ++ return req_ext_oid; ++ } ++ ++ /** ++ * @return the req_ext_data ++ */ ++ public String getReqExtData() { ++ return req_ext_data; ++ } ++ ++ /** ++ * @return the req_ext_critical ++ */ ++ public boolean getReqExtCritical() { ++ if (req_ext_critical.equals("true")) ++ return true; ++ else ++ return false; ++ } ++ + } +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 9f112ea..2ac2344 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -71,8 +71,14 @@ import netscape.security.pkcs.ContentInfo; + import netscape.security.pkcs.PKCS10; + import netscape.security.pkcs.PKCS7; + import netscape.security.pkcs.SignerInfo; ++import netscape.security.util.DerOutputStream; ++import netscape.security.util.ObjectIdentifier; + import netscape.security.x509.AlgorithmId; ++import netscape.security.x509.BasicConstraintsExtension; + import netscape.security.x509.CertificateChain; ++import netscape.security.x509.Extension; ++import netscape.security.x509.Extensions; ++import netscape.security.x509.KeyUsageExtension; + import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509Key; +@@ -2598,6 +2604,7 @@ public class ConfigurationUtils { + EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, + NoSuchProviderException, CertificateException, 
SignatureException, IOException { + ++ CMS.debug("ConfigurationUtils: handleCertRequest() begins"); + // get public key + String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); + String algorithm = config.getString(PCERT_PREFIX + certTag + ".keyalgorithm"); +@@ -2631,7 +2638,12 @@ public class ConfigurationUtils { + String caDN = config.getString(PCERT_PREFIX + certTag + ".dn"); + + cert.setDN(caDN); +- PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm); ++ Extensions exts = null; ++ if (certTag.equals("signing")) { ++ CMS.debug("handleCertRequest: certTag is siging -- about to call createBasicCAExtensions()"); ++ exts = createBasicCAExtensions(config); ++ } ++ PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm, exts); + + CMS.debug("handleCertRequest: created cert request"); + byte[] certReqb = certReq.toByteArray(); +@@ -2645,6 +2657,68 @@ public class ConfigurationUtils { + + } + ++ /* ++ * createBasicCAExtensions creates the basic Extensions needed for a CSR to a ++ * CA signing certificate ++ */ ++ private static Extensions createBasicCAExtensions(IConfigStore config) throws IOException { ++ Extensions exts = new Extensions(); ++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: begins"); ++ ++ // create BasicConstraintsExtension ++ BasicConstraintsExtension bcExt = new BasicConstraintsExtension(true, -1); ++ exts.add(bcExt); ++ ++ // create KeyUsageExtension ++ boolean[] kuBits = new boolean[KeyUsageExtension.NBITS]; ++ for (int i = 0; i < kuBits.length; i++) { ++ kuBits[i] = false; ++ } ++ kuBits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = true; ++ kuBits[KeyUsageExtension.NON_REPUDIATION_BIT] = true; ++ kuBits[KeyUsageExtension.KEY_CERTSIGN_BIT] = true; ++ kuBits[KeyUsageExtension.CRL_SIGN_BIT] = true; ++ KeyUsageExtension kuExt = new KeyUsageExtension(true, kuBits); ++ exts.add(kuExt); ++ /* save this for later when we want to allow more selection for pkispawn 
configuration ++ // create NSCertTypeExtension ++ boolean[] nsBits = new boolean[NSCertTypeExtension.NBITS]; ++ for (int i = 0; i < nsBits.length; i++) { ++ nsBits[i] = false; ++ } ++ nsBits[NSCertTypeExtension.SSL_CA_BIT] = true; ++ NSCertTypeExtension nsctExt = new NSCertTypeExtension(false, nsBits); ++ exts.add(nsctExt); ++ */ ++ ++ // add a generic extension ++ Extension genExt = null; ++ try { ++ String oidString = config.getString(PCERT_PREFIX + "signing.ext.oid"); ++ String dataString = config.getString(PCERT_PREFIX + "signing.ext.data"); ++ boolean critical = false; ++ if (oidString != null && dataString != null) { ++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: processing generic extension"); ++ critical = config.getBoolean("preop.cert.signing.ext.critical"); ++ ObjectIdentifier oid = new ObjectIdentifier(oidString); ++ ++ byte data[] = CryptoUtil.hexString2Bytes(dataString); ++ DerOutputStream out = new DerOutputStream(); ++ out.putOctetString(data); ++ genExt = new Extension(oid, critical, out.toByteArray()); ++ out.close(); ++ ++ exts.add(genExt); ++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension added: " + oidString); ++ } ++ } catch (EBaseException e) { ++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension not processed:" + e); ++ } ++ ++ return exts; ++ } ++ ++ + public static X509Key getECCX509Key(IConfigStore config, String certTag) throws EPropertyNotFound, EBaseException, + InvalidKeyException { + X509Key pubk = null; +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java +index 252a584..b44cdf9 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java +@@ -275,6 +275,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + 
if (cdata.getTag().equals(ct)) { + cdata_found = true; + CMS.debug("Found data for '" + ct + "'"); ++ if (ct.equals("signing") && ++ cdata.getReqExtOID() != null && ++ cdata.getReqExtData() != null) { ++ CMS.debug("SystemConfigService:processCerts: adding request extension to config"); ++ cs.putString("preop.cert.signing.ext.oid", cdata.getReqExtOID()); ++ cs.putString("preop.cert.signing.ext.data", cdata.getReqExtData()); ++ cs.putBoolean("preop.cert.signing.ext.critical", cdata.getReqExtCritical()); ++ } ++ + break; + } + } +@@ -342,6 +351,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + cs.putString("preop.cert." + ct + ".signingalgorithm", signingalgorithm); + cs.putString("preop.cert." + ct + ".nickname", nickname); + cs.putString("preop.cert." + ct + ".dn", dn); ++ cs.commit(false); + + if (!data.getStepTwo()) { + if (keytype.equals("ecc")) { +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 94d34b2..ba1f466 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -369,6 +369,11 @@ pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr + pki_external_step_two=False + pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert + pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert ++pki_req_ext_add=False ++# MS subca request ext data ++pki_req_ext_oid=1.3.6.1.4.1.311.20.2 ++pki_req_ext_critical=False ++pki_req_ext_data=1E0A00530075006200430041 + pki_import_admin_cert=False + pki_ocsp_signing_key_algorithm=SHA256withRSA + pki_ocsp_signing_key_size=2048 +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 3d34edc..091c4de 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -432,7 +432,16 @@ class ConfigurationFile: + self.master_dict = 
deployer.master_dict + # set useful 'boolean' object variables for this class + self.clone = config.str2bool(self.master_dict['pki_clone']) ++ # generic extension support in CSR - for external CA ++ self.add_req_ext = config.str2bool( ++ self.master_dict['pki_req_ext_add']) + self.external = config.str2bool(self.master_dict['pki_external']) ++ if self.external: ++ # generic extension support in CSR - for external CA ++ if self.add_req_ext: ++ self.req_ext_oid = self.master_dict['pki_req_ext_oid'] ++ self.req_ext_critical = self.master_dict['pki_req_ext_critical'] ++ self.req_ext_data = self.master_dict['pki_req_ext_data'] + self.external_step_two = config.str2bool( + self.master_dict['pki_external_step_two']) + self.skip_configuration = config.str2bool( +@@ -657,6 +666,11 @@ class ConfigurationFile: + # External CA (Step 1) + self.confirm_data_exists("pki_external_csr_path") + self.confirm_missing_file("pki_external_csr_path") ++ # generic extension support in CSR - for external CA ++ if self.add_req_ext: ++ self.confirm_data_exists("pki_req_ext_oid") ++ self.confirm_data_exists("pki_req_ext_critical") ++ self.confirm_data_exists("pki_req_ext_data") + else: + # External CA (Step 2) + self.confirm_data_exists("pki_external_ca_cert_chain_path") +@@ -3178,6 +3192,9 @@ class ConfigClient: + self.subordinate = config.str2bool(self.master_dict['pki_subordinate']) + # set useful 'string' object variables for this class + self.subsystem = self.master_dict['pki_subsystem'] ++ # generic extension support in CSR - for external CA ++ self.add_req_ext = config.str2bool( ++ self.master_dict['pki_req_ext_add']) + + def configure_pki_data(self, data): + config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, +@@ -3486,6 +3503,14 @@ class ConfigClient: + cert1 = self.create_system_cert("ca_signing") + cert1.signingAlgorithm = \ + self.master_dict['pki_ca_signing_signing_algorithm'] ++ # generic extension support in CSR - for external CA ++ if self.add_req_ext: ++ cert1.req_ext_oid 
= \ ++ self.master_dict['pki_req_ext_oid'] ++ cert1.req_ext_critical = \ ++ self.master_dict['pki_req_ext_critical'] ++ cert1.req_ext_data = \ ++ self.master_dict['pki_req_ext_data'] + if self.external_step_two: + # External CA (Step 2) or Stand-alone PKI (Step 2) + if not self.subsystem == "CA": +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index b7cece7..df636d4 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -542,6 +542,9 @@ class PKIConfigParser: + if not self.pki_master_dict.has_key('pki_external') or\ + not len(self.pki_master_dict['pki_external']): + self.pki_master_dict['pki_external'] = "false" ++ if not self.pki_master_dict.has_key('pki_req_ext_add') or\ ++ not len(self.pki_master_dict['pki_req_ext_add']): ++ self.pki_master_dict['pki_req_ext_add'] = "false" + if not self.pki_master_dict.has_key('pki_external_step_two') or\ + not len(self.pki_master_dict['pki_external_step_two']): + self.pki_master_dict['pki_external_step_two'] = "false" +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index 5e8e323..bcdb404 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -45,7 +45,10 @@ import java.util.Vector; + import javax.crypto.SecretKey; + + import netscape.security.pkcs.PKCS10; ++import netscape.security.pkcs.PKCS10Attribute; ++import netscape.security.pkcs.PKCS10Attributes; + import netscape.security.pkcs.PKCS7; ++import netscape.security.pkcs.PKCS9Attribute; + import netscape.security.util.BigInt; + import netscape.security.util.DerInputStream; + import netscape.security.util.DerOutputStream; +@@ -61,6 +64,7 @@ import netscape.security.x509.CertificateSubjectName; + import netscape.security.x509.CertificateValidity; + import 
netscape.security.x509.CertificateVersion; + import netscape.security.x509.CertificateX509Key; ++import netscape.security.x509.Extensions; + import netscape.security.x509.X500Name; + import netscape.security.x509.X500Signer; + import netscape.security.x509.X509CertImpl; +@@ -1176,14 +1180,38 @@ public class CryptoUtil { + public static PKCS10 createCertificationRequest(String subjectName, + X509Key pubk, PrivateKey prik, String alg) + throws NoSuchAlgorithmException, NoSuchProviderException, +- InvalidKeyException, IOException, CertificateException, +- SignatureException { ++ InvalidKeyException, IOException, CertificateException, ++ SignatureException { ++ return createCertificationRequest(subjectName, pubk, prik, alg, null); ++ } ++ ++ /* ++ * This createCertificationRequest() allows extensions to be added to the CSR ++ */ ++ public static PKCS10 createCertificationRequest(String subjectName, ++ X509Key pubk, PrivateKey prik, String alg, Extensions exts) ++ throws NoSuchAlgorithmException, NoSuchProviderException, ++ InvalidKeyException, IOException, CertificateException, ++ SignatureException { + X509Key key = pubk; + java.security.Signature sig = java.security.Signature.getInstance(alg, + "Mozilla-JSS"); + + sig.initSign(prik); +- PKCS10 pkcs10 = new PKCS10(key); ++ PKCS10 pkcs10 = null; ++ ++ if (exts != null) { ++ PKCS10Attribute attr = new ++ PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ++ exts); ++ PKCS10Attributes attrs = new PKCS10Attributes(); ++ ++ attrs.setAttribute(attr.getAttributeValue().getName(), attr); ++ ++ pkcs10 = new PKCS10(key, attrs); ++ } else { ++ pkcs10 = new PKCS10(key); ++ } + X500Name name = new X500Name(subjectName); + X500Signer signer = new X500Signer(sig, name); + +@@ -1345,6 +1373,25 @@ public class CryptoUtil { + } + + /** ++ * Converts string containing pairs of characters in the range of '0' ++ * to '9', 'a' to 'f' to an array of bytes such that each pair of ++ * characters in the string represents an individual byte 
++ */ ++ public static byte[] hexString2Bytes(String string) { ++ if (string == null) ++ return null; ++ int stringLength = string.length(); ++ if ((stringLength == 0) || ((stringLength % 2) != 0)) ++ return null; ++ byte[] bytes = new byte[(stringLength / 2)]; ++ for (int i = 0, b = 0; i < stringLength; i += 2, ++b) { ++ String nextByte = string.substring(i, (i + 2)); ++ bytes[b] = (byte) Integer.parseInt(nextByte, 0x10); ++ } ++ return bytes; ++ } ++ ++ /** + * Retrieves a private key from a unique key ID. + */ + public static PrivateKey findPrivateKeyFromID(byte id[]) +-- +1.8.4.2 + diff --git a/SOURCES/pki-core-10.1.2-bz871171.patch b/SOURCES/pki-core-10.1.2-bz871171.patch new file mode 100644 index 0000000..f35e120 --- /dev/null +++ b/SOURCES/pki-core-10.1.2-bz871171.patch 
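Review bot: `getReqExtCritical()` in SystemCertData.java dereferences `req_ext_critical` unconditionally, while its caller in SystemConfigService.processCerts only checks `getReqExtOID()` and `getReqExtData()` for null before calling it, so a request that carries an OID and data but no critical flag ends in a NullPointerException; `return "true".equals(req_ext_critical);` gives the same answer for "true" and false otherwise. The form key `REQUEST_EXT_CRITICAL = "req_ext_critial"` is also misspelled relative to the `req_ext_critical` element, so form-encoded clients can never set the flag and always reach that path. In ConfigurationUtils.createBasicCAExtensions, `CryptoUtil.hexString2Bytes` returns null for an empty or odd-length `signing.ext.data` (feeding `out.putOctetString(null)`) and `Integer.parseInt(nextByte, 0x10)` throws NumberFormatException on non-hex characters; neither is an EBaseException, so a malformed value from default.cfg or from the REST client that sets these keys aborts configuration with an unexplained exception rather than a message naming the bad field. Validating the OID string and the hex string where SystemConfigService stores them into `preop.cert.signing.ext.*`, and rejecting with a clear error, keeps the failure at the input boundary.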
@@ -0,0 +1,235 @@ +From 53134a2d0ba5a497ad789ee0412ba92c2d4ef11c Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 18 Nov 2014 18:28:53 -0800 +Subject: [PATCH] bugzilla 871171 (client-side code) Provide Tomcat support + for TLS v1.1 and TLS v1.2 + +--- + .../com/netscape/certsrv/client/PKIConnection.java | 19 +++++++ + .../src/com/netscape/cmstools/HttpClient.java | 59 +++++++------------- + .../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 7 ++- + .../netscape/cmsutil/http/JssSSLSocketFactory.java | 62 ++-------------------- + 4 files changed, 44 insertions(+), 103 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +index cf103a9..4d298a7 100644 +--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java ++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java +@@ -472,6 +472,23 @@ public class PKIConnection { + localAddr = localAddress.getAddress(); + } + ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range = ++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); ++ ++ SSLSocket.setSSLVersionRangeDefault( ++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, ++ stream_range); ++ ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range = ++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1, ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); ++ ++ SSLSocket.setSSLVersionRangeDefault( ++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, ++ datagram_range); + SSLSocket socket; + if (sock == null) { + socket = new SSLSocket(InetAddress.getByName(hostName), +@@ -484,6 +501,8 @@ public class PKIConnection { + } else { + socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null); + } ++// setSSLVersionRange needs to 
be exposed in jss ++// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); + + String certNickname = config.getCertNickname(); + if (certNickname != null) { +diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java +index cd6a6ea..1323752 100644 +--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java +@@ -55,27 +55,6 @@ public class HttpClient { + private boolean _secure = false; + + public static final int ARGC = 1; +- static final int cipherSuites[] = { +- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, +- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, +- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, +- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, +- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, +- SSLSocket.SSL3_RSA_WITH_NULL_MD5, +- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, +- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, +- 0 +- }; + + public HttpClient(String host, int port, String secure) + throws Exception { +@@ -148,27 +127,27 @@ public class HttpClient { + + int i; + +- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(i, false); +- } catch (SocketException e) { +- } +- } +- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5 +- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= 
SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(i, false); +- } catch (SocketException e) { +- } +- } +- for (i = 0; cipherSuites[i] != 0; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); +- } catch (SocketException e) { +- } +- } + SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this); ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range = ++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); ++ ++ SSLSocket.setSSLVersionRangeDefault( ++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, ++ stream_range); ++ ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range = ++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1, ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); ++ ++ SSLSocket.setSSLVersionRangeDefault( ++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, ++ datagram_range); + sslSocket = new SSLSocket(_host, _port); ++ // setSSLVersionRange needs to be exposed in jss ++ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2); + sslSocket.addHandshakeCompletedListener(listener); + + CryptoToken tt = cm.getThreadToken(); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java +index 4d9e602..720882a 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java +@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt { + SSLSocket s = null; + + try { +- SSLSocket.enableSSL2Default(false); ++ 
/* ++ * let inherit TLS range and cipher settings ++ */ + s = new SSLSocket(host, port); + s.setUseClientMode(true); +- s.enableSSL2(false); +- //TODO Do we really want to set the default each time? +- SSLSocket.enableSSL2Default(false); + s.enableV2CompatibleHello(false); + + SSLHandshakeCompletedListener listener = null; +diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +index fcf5fc1..2f8a40c 100644 +--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java ++++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java +@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory { + mClientAuthCertNickname = certNickname; + } + +- // XXX remove these static SSL cipher suite initializations later on. +- static final int cipherSuites[] = { +- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5, +- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA, +- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA, +- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5, +- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5, +- SSLSocket.SSL3_RSA_WITH_NULL_MD5, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, +- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +- //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA, +- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, +- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA, +- 0 +- }; +- +- static { +- int i; +- +- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(i, false); +- } catch (SocketException e) { +- } +- } +- +- //skip 
SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5 +- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(i, false); +- } catch (SocketException e) { +- } +- } +- for (i = 0; cipherSuites[i] != 0; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); +- } catch (SocketException e) { +- } +- } +- } +- + public Socket makeSocket(String host, int port) + throws IOException, UnknownHostException { + return makeSocket(host, port, null, null); +@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory { + throws IOException, UnknownHostException { + + try { ++ /* ++ * let inherit tls range and cipher settings ++ */ + s = new SSLSocket(host, port, null, 0, certApprovalCallback, + clientCertCallback); +- for (int i = 0; cipherSuites[i] != 0; ++i) { +- try { +- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true); +- } catch (SocketException e) { +- } +- } +- + s.setUseClientMode(true); +- s.enableSSL2(false); +- //TODO Do we rally want to set the default each time? +- SSLSocket.enableSSL2Default(false); +- s.enableV2CompatibleHello(false); + + SSLHandshakeCompletedListener listener = null; + +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 56699ea..c3bc788 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -4,8 +4,8 @@ distutils.sysconfig import get_python_lib; print(get_python_lib())")} distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: pki-core -Version: 10.0.5 -Release: 3%{?dist} +Version: 10.1.2 +Release: 7%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 
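Review bot: Only PKIConnection and HttpClient set the process-wide range with `SSLSocket.setSSLVersionRangeDefault(...)` (STREAM tls1_0–tls1_2, DATA_GRAM tls1_1–tls1_2); JssSSLSocketFactory.makeSocket and LdapJssSSLSocketFactory now say `let inherit tls range and cipher settings`, but nothing in this patch sets that default on the paths that use the two factories, so they get whatever JSS/NSS default is in effect unless another component configures it first. The factories also diverge: LdapJssSSLSocketFactory keeps `s.enableV2CompatibleHello(false)` while JssSSLSocketFactory drops it together with the SSL2 calls, so either keep the call in both or state in the comment why the range default makes it unnecessary. The new comment should also record that the removed static cipher preferences enabled export-grade and NULL suites (`SSL3_RSA_EXPORT_WITH_RC4_40_MD5`, `SSL3_RSA_WITH_NULL_MD5`), since dropping them is a deliberate behaviour change for clients and not only cleanup. The commented-out `socket.setSSLVersionRange(...)` lines read as dead code; `// TODO(jss): call setSSLVersionRange() on the socket once JSS exposes it` makes the intent explicit. The bodies of makeSocket in both factories extend outside the hunks.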
@@ -15,12 +15,13 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: cmake >= 2.8.9-1 BuildRequires: zip -BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: java-devel >= 1:1.7.0 BuildRequires: redhat-rpm-config BuildRequires: ldapjdk BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io +BuildRequires: jakarta-commons-httpclient BuildRequires: nspr-devel BuildRequires: nss-devel BuildRequires: openldap-devel 
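Review bot: The new `BuildRequires: jakarta-commons-httpclient` (mirrored as a runtime requirement in a later hunk) pulls in the legacy Apache HttpClient 3.x line, which is end-of-life and whose TLS behaviour — in particular whether server hostname verification is enforced — depends entirely on how the calling code configures it; the spec gives no hint which component needs it or why. A one-line comment above the requirement, e.g. `# legacy HttpClient 3.x; needed by <component> until ported to the 4.x API`, would make the dependency auditable for anyone reviewing the TLS-hardening work in this same update. This is inferred from the package name alone; the Java code that consumes it is not part of this diff.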
@@ -30,47 +31,42 @@ BuildRequires: velocity BuildRequires: xalan-j2 BuildRequires: xerces-j2 -%if 0%{?rhel} -BuildRequires: resteasy-base-atom-provider -BuildRequires: resteasy-base-jaxb-provider -BuildRequires: resteasy-base-jaxrs -BuildRequires: resteasy-base-jaxrs-api -BuildRequires: resteasy-base-jettison-provider +%if 0%{?rhel} +BuildRequires: resteasy-base-atom-provider >= 3.0.6-1 +BuildRequires: resteasy-base-client >= 3.0.6-1 +BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs >= 3.0.6-1 +BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1 +BuildRequires: resteasy-base-jettison-provider >= 3.0.6-1 %else -BuildRequires: resteasy >= 2.3.2-1 +BuildRequires: resteasy >= 3.0.1-3 %endif +%if ! 0%{?rhel} +BuildRequires: pylint +%endif +BuildRequires: python-requests +BuildRequires: libselinux-python +BuildRequires: policycoreutils-python +BuildRequires: python-ldap BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} || 0%{?fedora} >= 19 -BuildRequires: jss >= 4.2.6-28 -%else -BuildRequires: jss >= 4.2.6-24 -%endif +BuildRequires: jss >= 4.2.6-35 BuildRequires: systemd-units -%if 0%{?rhel} || 0%{?fedora} >= 19 -BuildRequires: tomcatjss >= 7.1.0 -%endif -%if 0%{?fedora} == 18 -BuildRequires: tomcatjss >= 7.0.0-4 -%endif -%if ! 
0%{?rhel} && 0%{?fedora} <= 17 -BuildRequires: tomcatjss >= 6.0.2 -BuildRequires: selinux-policy-devel >= 3.10.0-151 -%endif +BuildRequires: tomcatjss >= 7.1.0-5 Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz -Patch0: 0000-Storing-authentication-info-in-session.patch -Patch1: 0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch -Patch2: 0002-Fixed-errors-during-Tomcat-shutdown.patch -Patch3: 0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch -Patch4: 0004-Backup-upgrade-tracker.patch -Patch5: 0005-Added-CLI-command-aliases.patch -Patch6: 0006-Added-new-link-for-resteasy-dependency.patch +Patch0: %{name}-%{version}-bz790924.patch +Patch1: %{name}-%{version}-bz1151147.patch +Patch2: %{name}-%{version}-bz1155654.patch +Patch3: %{name}-%{version}-bz871171.patch +Patch4: %{name}-%{version}-bz1158410.patch +Patch5: %{name}-%{version}-bz1165351.patch +Patch6: %{name}-%{version}-bz1165351-2.patch %if 0%{?rhel} -ExcludeArch: ppc ppc64 s390 s390x +ExcludeArch: ppc ppc64 ppcle ppc64le s390 s390x %endif %global saveFileContext() \ 
@@ -104,27 +100,27 @@ PKI Core contains ALL top-level java-based Tomcat PKI components: \ * pki-symkey \ * pki-base \ * pki-tools \ - * pki-selinux (f17 only) \ * pki-server \ * pki-ca \ - * pki-kra (fedora only) \ - * pki-ocsp (fedora only) \ - * pki-tks (fedora only) \ + * pki-kra \ + * pki-ocsp \ + * pki-tks \ + * pki-tps-tomcat \ * pki-javadoc \ \ which comprise the following corresponding PKI subsystems: \ \ * Certificate Authority (CA) \ - * Data Recovery Manager (DRM) (fedora only) \ - * Online Certificate Status Protocol (OCSP) Manager (fedora only) \ - * Token Key Service (TKS) (fedora only) \ + * Data Recovery Manager (DRM) \ + * Online Certificate Status Protocol (OCSP) Manager \ + * Token Key Service (TKS) \ + * Token Processing Service (TPS) \ \ For deployment purposes, PKI Core contains fundamental packages \ required by BOTH native-based Apache AND java-based Tomcat \ Certificate System instances consisting of the following components: \ \ * pki-tools \ - * pki-selinux (f17 only) \ \ Additionally, PKI Core contains the following fundamental packages \ required ONLY by ALL java-based Tomcat Certificate System instances: \ @@ -163,14 +159,10 @@ least one PKI Theme package: \ Summary: Symmetric Key JNI Package Group: System Environment/Libraries -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: nss Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} || 0%{?fedora} >= 19 -Requires: jss >= 4.2.6-28 -%else -Requires: jss >= 4.2.6-24 -%endif +Requires: jss >= 4.2.6-35 Provides: symkey = %{version}-%{release} 
@@ -203,27 +195,24 @@ Requires: apache-commons-codec Requires: apache-commons-io Requires: apache-commons-lang Requires: apache-commons-logging -Requires: java >= 1:1.6.0 +Requires: jakarta-commons-httpclient +Requires: java >= 1:1.7.0 Requires: javassist Requires: jettison Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} || 0%{?fedora} >= 19 -Requires: jss >= 4.2.6-28 -%else -Requires: jss >= 4.2.6-24 -%endif +Requires: jss >= 4.2.6-35 Requires: ldapjdk Requires: python-ldap Requires: python-lxml Requires: python-requests >= 1.1.0-3 -%if 0%{?rhel} -Requires: resteasy-base-atom-provider -Requires: resteasy-base-jaxb-provider -Requires: resteasy-base-jaxrs -Requires: resteasy-base-jaxrs-api -Requires: resteasy-base-jettison-provider +%if 0%{?rhel} +Requires: resteasy-base-atom-provider >= 3.0.6-1 +Requires: resteasy-base-jaxb-provider >= 3.0.6-1 +Requires: resteasy-base-jaxrs >= 3.0.6-1 +Requires: resteasy-base-jaxrs-api >= 3.0.6-1 +Requires: resteasy-base-jettison-provider >= 3.0.6-1 %else -Requires: resteasy >= 2.3.2-1 +Requires: resteasy >= 3.0.1-3 %endif Requires: xalan-j2 Requires: xerces-j2 @@ -250,7 +239,7 @@ Obsoletes: pki-java-tools < %{version}-%{release} Requires: openldap-clients Requires: nss Requires: nss-tools -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: pki-base = %{version}-%{release} Requires: jpackage-utils >= 0:1.7.5-10 @@ -277,7 +266,7 @@ Obsoletes: pki-deploy < %{version}-%{release} Obsoletes: pki-setup < %{version}-%{release} Obsoletes: pki-silent < %{version}-%{release} -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: java-atk-wrapper Requires: net-tools Requires: perl(File::Slurp) 
@@ -286,72 +275,46 @@ Requires: perl-Crypt-SSLeay Requires: policycoreutils Requires: openldap-clients Requires: pki-base = %{version}-%{release} -Requires: pki-symkey = %{version}-%{release} Requires: pki-tools = %{version}-%{release} +Requires: policycoreutils-python -%if ! 0%{?rhel} && 0%{?fedora} <= 17 -Requires: pki-selinux = %{version}-%{release} -%else Requires: selinux-policy-base >= 3.11.1-43 Obsoletes: pki-selinux -Requires: tomcat >= 7.0.27 + +%if 0%{?rhel} +Requires: tomcat >= 7.0.54 +%else +Requires: tomcat >= 7.0.47 %endif Requires: velocity Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -Requires: tomcat >= 7.0.27 -%if 0%{?rhel} || 0%{?fedora} >= 19 -Requires: tomcatjss >= 7.1.0 -%endif -%if 0%{?fedora} == 18 -Requires: tomcatjss >= 7.0.0-4 -%endif -%if ! 0%{?rhel} && 0%{?fedora} <= 17 -Requires: tomcatjss >= 6.0.2 -%endif + +Requires: tomcatjss >= 7.1.0-5 %description -n pki-server The PKI Server Framework is required by the following four PKI subsystems: the Certificate Authority (CA), the Data Recovery Manager (DRM), - the Online Certificate Status Protocol (OCSP) Manager, and - the Token Key Service (TKS). + the Online Certificate Status Protocol (OCSP) Manager, + the Token Key Service (TKS), and + the Token Processing Service (TPS). This package is a part of the PKI Core used by the Certificate System. The package contains scripts to create and remove PKI subsystems. %{overview} -%if ! 0%{?rhel} && 0%{?fedora} <= 17 -%package -n pki-selinux -Summary: Certificate System - PKI Selinux Policies -Group: System Environment/Base - -BuildArch: noarch - -Requires: policycoreutils -Requires: selinux-policy-targeted -Conflicts: selinux-policy-base >= 3.11.1-43 -Requires: selinux-policy >= 3.10.0-151 - -%description -n pki-selinux -Selinux policies for the PKI components. - -This package is a part of the PKI Core used by the Certificate System. 
- -%{overview} -%endif - %package -n pki-ca Summary: Certificate System - Certificate Authority Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -372,14 +335,13 @@ provided by the PKI Core used by the Certificate System. %{overview} -%if ! 0%{?rhel} %package -n pki-kra Summary: Certificate System - Data Recovery Manager Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -404,17 +366,15 @@ This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. %{overview} -%endif -%if ! 0%{?rhel} %package -n pki-ocsp Summary: Certificate System - Online Certificate Status Protocol Manager Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: pki-server = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units @@ -446,18 +406,17 @@ This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. %{overview} -%endif -%if ! 0%{?rhel} %package -n pki-tks Summary: Certificate System - Token Key Service Group: System Environment/Daemons BuildArch: noarch -Requires: java >= 1:1.6.0 +Requires: java >= 1:1.7.0 Requires: pki-server = %{version}-%{release} +Requires: pki-symkey = %{version}-%{release} Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units 
@@ -482,7 +441,38 @@ This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. %{overview} -%endif + + +%package -n pki-tps-tomcat +Summary: Certificate System - Token Processing Service +Group: System Environment/Daemons + +BuildArch: noarch + +Provides: pki-tps +Requires: java >= 1:1.7.0 +Requires: pki-server = %{version}-%{release} +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description -n pki-tps-tomcat +The Token Processing System (TPS) is an optional PKI subsystem that acts +as a Registration Authority (RA) for authenticating and processing +enrollment requests, PIN reset requests, and formatting requests from +the Enterprise Security Client (ESC). + +TPS is designed to communicate with tokens that conform to +Global Platform's Open Platform Specification. + +TPS communicates over SSL with various PKI backend subsystems (including +the Certificate Authority (CA), the Data Recovery Manager (DRM), and the +Token Key Service (TKS)) to fulfill the user's requests. + +TPS also interacts with the token database, an LDAP server that stores +information about individual tokens. + +%{overview} %package -n pki-javadoc @@ -536,14 +526,6 @@ cd build -DRESTEASY_LIB=/usr/share/java/resteasy \ %endif %{?_without_javadoc:-DWITH_JAVADOC:BOOL=OFF} \ -%if ! 0%{?rhel} && 0%{?fedora} <= 17 - -DBUILD_PKI_SELINUX:BOOL=ON \ -%endif -%if 0%{?rhel} - -DBUILD_PKI_KRA:BOOL=OFF \ - -DBUILD_PKI_OCSP:BOOL=OFF \ - -DBUILD_PKI_TKS:BOOL=OFF \ -%endif .. %{__make} VERBOSE=1 %{?_smp_mflags} all # %{__make} VERBOSE=1 %{?_smp_mflags} test 
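Review bot: `Provides: pki-tps` in the new pki-tps-tomcat package is unversioned, so a versioned dependency such as `pki-tps >= 10.1` elsewhere would not be satisfied and the package manager cannot distinguish this build from any earlier provider; `Provides: pki-tps = %{version}-%{release}` would follow the pattern already used for `Provides: symkey = %{version}-%{release}` in the pki-symkey stanza. If a legacy Apache-based pki-tps package is still shipped on any target, a matching `Conflicts:` or `Obsoletes:` would keep both from being installed side by side — I cannot tell from this diff whether that package still exists. The description also says TPS talks to the CA, DRM and TKS "over SSL"; "over TLS" would be consistent with the TLS-range changes recorded in this same changelog.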
@@ -554,61 +536,20 @@ cd build cd build %{__make} install DESTDIR=%{buildroot} INSTALL="install -p" -# Fedora 18 and 17: Substitute 'tomcat7jss.jar' for 'tomcatjss.jar' -%if ! 0%{?rhel} && 0%{?fedora} <= 18 - sed -i -e 's/grant codeBase "file:\/usr\/share\/java\/tomcatjss.jar" {/grant codeBase "file:\/usr\/share\/java\/tomcat7jss.jar" {/' %{buildroot}%{_datadir}/pki/server/conf/pki.policy - sed -i -e 's/pki_tomcatjss_jar=\/usr\/share\/java\/tomcatjss.jar/pki_tomcatjss_jar=\/usr\/share\/java\/tomcat7jss.jar/' %{buildroot}%{_sysconfdir}/pki/default.cfg - sed -i -e 's/ \[tomcatjss.jar\]=\${java_dir}\/tomcatjss.jar/ \[tomcatjss.jar\]=\${java_dir}\/tomcat7jss.jar/' %{buildroot}%{_datadir}/pki/scripts/operations -%endif - -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d -# generate 'pki-ca.conf' under the 'tmpfiles.d' directory -echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf -echo "D /run/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf -echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf -echo "D /run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf -%if ! 0%{?rhel} -# generate 'pki-kra.conf' under the 'tmpfiles.d' directory -echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf -echo "D /run/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf -echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf -echo "D /run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf -%endif -%if ! 
0%{?rhel} -# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory -echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /run/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -echo "D /run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -%endif -# generate 'pki-tomcat.conf' under the 'tmpfiles.d' directory -echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf -echo "D /run/lock/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf -echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf -echo "D /run/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf %if ! 0%{?rhel} -# generate 'pki-tks.conf' under the 'tmpfiles.d' directory -echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /run/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf -echo "D /run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf +# Scanning the python code with pylint. A return value of 0 represents there are no +# errors or warnings reported by pylint. +sh ../pylint-build-scan.sh %{buildroot} `pwd` +if [ $? -eq 1 ]; then + exit 1 +fi %endif %{__rm} %{buildroot}%{_initrddir}/pki-cad -%if ! 0%{?rhel} %{__rm} %{buildroot}%{_initrddir}/pki-krad -%endif -%if ! 0%{?rhel} %{__rm} %{buildroot}%{_initrddir}/pki-ocspd -%endif -%if ! 0%{?rhel} %{__rm} %{buildroot}%{_initrddir}/pki-tksd -%endif +%{__rm} %{buildroot}%{_initrddir}/pki-tpsd %{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib 
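Review bot: The new pylint gate in %install only aborts when `$?` is exactly 1, but pylint's exit status is a bitmask (fatal, error, warning and usage failures combine to values other than 1) and a missing or unreadable `pylint-build-scan.sh` returns 127, so most failure modes pass the gate even though the adjacent comment says only 0 means clean. `if [ $? -ne 0 ]; then exit 1; fi` matches the stated intent, or more simply `sh ../pylint-build-scan.sh %{buildroot} "$(pwd)" || exit 1`, which also quotes the directory. The script's own exit handling is not visible here, so confirm it propagates pylint's status rather than collapsing it to 0/1. The check sits under `%if ! 0%{?rhel}`, so RHEL builds are not scanned at all, which the changelog records as deliberate ("Suppress pylint on RHEL platforms").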
@@ -628,7 +569,7 @@ fi \ %{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki %{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki -%if ! 0%{?rhel} && 0%{?fedora} >= 19 +%if ! 0%{?rhel} %pretrans -n pki-base -p function test(a) if posix.stat(a) then @@ -645,9 +586,9 @@ if (test("/etc/sysconfig/pki/ca") or test("/etc/sysconfig/pki/kra") or test("/etc/sysconfig/pki/ocsp") or test("/etc/sysconfig/pki/tks")) then - msg = "Unable to upgrade to Fedora 19. There are Dogtag 9 instances\n" .. + msg = "Unable to upgrade to Fedora 20. There are Dogtag 9 instances\n" .. "that will no longer work since they require Tomcat 6, and \n" .. - "Tomcat 6 is no longer available in Fedora 19.\n\n" .. + "Tomcat 6 is no longer available in Fedora 20.\n\n" .. "Please follow these instructions to migrate the instances to \n" .. "Dogtag 10:\n\n" .. "http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10" @@ -657,17 +598,6 @@ end %post -n pki-base -%if ! 0%{?rhel} && 0%{?fedora} <= 18 -if [ "`uname -i`" == "x86_64" ] -then - sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib64\/java/' %{_datadir}/pki/etc/pki.conf -else - sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf -fi -%else - sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf -%endif - if [ $1 -eq 1 ] then # On RPM installation create system upgrade tracker @@ -688,26 +618,6 @@ then rm -f %{_sysconfdir}/pki/pki.version fi -%if ! 0%{?rhel} && 0%{?fedora} <= 17 -%pre -n pki-selinux -%saveFileContext targeted - -%post -n pki-selinux -semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp -%relabel targeted - -%preun -n pki-selinux -if [ $1 = 0 ]; then - %saveFileContext targeted -fi - -%postun -n pki-selinux -if [ $1 = 0 ]; then - semodule -s targeted -r pki - %relabel targeted -fi -%endif - %post -n pki-ca # Attempt to update ALL old "CA" instances to "systemd" if [ -d /etc/sysconfig/pki/ca ]; then 
@@ -739,7 +649,6 @@ fi %fix_tomcat_log ca -%if ! 0%{?rhel} %post -n pki-kra # Attempt to update ALL old "KRA" instances to "systemd" if [ -d /etc/sysconfig/pki/kra ]; then @@ -769,10 +678,8 @@ if [ -d /etc/sysconfig/pki/kra ]; then fi /bin/systemctl daemon-reload >/dev/null 2>&1 || : %fix_tomcat_log kra -%endif -%if ! 0%{?rhel} %post -n pki-ocsp # Attempt to update ALL old "OCSP" instances to "systemd" if [ -d /etc/sysconfig/pki/ocsp ]; then @@ -802,10 +709,8 @@ if [ -d /etc/sysconfig/pki/ocsp ]; then fi /bin/systemctl daemon-reload >/dev/null 2>&1 || : %fix_tomcat_log ocsp -%endif -%if ! 0%{?rhel} %post -n pki-tks # Attempt to update ALL old "TKS" instances to "systemd" if [ -d /etc/sysconfig/pki/tks ]; then @@ -835,7 +740,6 @@ if [ -d /etc/sysconfig/pki/tks ]; then fi /bin/systemctl daemon-reload >/dev/null 2>&1 || : %fix_tomcat_log tks -%endif %post -n pki-server @@ -855,31 +759,25 @@ if [ $1 = 0 ] ; then fi -%if ! 0%{?rhel} %preun -n pki-kra if [ $1 = 0 ] ; then /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || : /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || : fi -%endif -%if ! 0%{?rhel} %preun -n pki-ocsp if [ $1 = 0 ] ; then /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || : /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || : fi -%endif -%if ! 0%{?rhel} %preun -n pki-tks if [ $1 = 0 ] ; then /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || : /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || : fi -%endif ## %preun -n pki-server 
@@ -895,31 +793,25 @@ if [ "$1" -ge "1" ] ; then fi -%if ! 0%{?rhel} %postun -n pki-kra /bin/systemctl daemon-reload >/dev/null 2>&1 || : if [ "$1" -ge "1" ] ; then /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || : fi -%endif -%if ! 0%{?rhel} %postun -n pki-ocsp /bin/systemctl daemon-reload >/dev/null 2>&1 || : if [ "$1" -ge "1" ] ; then /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || : fi -%endif -%if ! 0%{?rhel} %postun -n pki-tks /bin/systemctl daemon-reload >/dev/null 2>&1 || : if [ "$1" -ge "1" ] ; then /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || : fi -%endif ## %postun -n pki-server @@ -999,7 +891,6 @@ fi %{_sbindir}/pkidestroy %{_sbindir}/pki-server-upgrade #%{_bindir}/pki-setup-proxy -%{python_sitelib}/pki/deployment/ %{python_sitelib}/pki/server/ %dir %{_datadir}/pki/deployment %{_datadir}/pki/deployment/config/ @@ -1008,8 +899,6 @@ fi %{_datadir}/pki/scripts/pkicommon.pm %{_datadir}/pki/scripts/functions %{_datadir}/pki/scripts/pki_apache_initscript -%dir %{_localstatedir}/lock/pki -%dir %{_localstatedir}/run/pki %{_bindir}/pkidaemon %dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants %{_unitdir}/pki-tomcatd@.service @@ -1019,8 +908,6 @@ fi %{_javadir}/pki/pki-cmscore.jar %{_javadir}/pki/pki-silent.jar %{_javadir}/pki/pki-tomcat.jar -%dir %{_localstatedir}/lock/pki/tomcat -%dir %{_localstatedir}/run/pki/tomcat %dir %{_sharedstatedir}/pki %{_bindir}/pkicreate %{_bindir}/pkiremove 
@@ -1033,23 +920,9 @@ fi %{_mandir}/man8/pkidestroy.8.gz %{_mandir}/man8/pkispawn.8.gz -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tomcat.conf - %{_datadir}/pki/setup/ %{_datadir}/pki/server/ -%if ! 0%{?rhel} && 0%{?fedora} <= 17 -%files -n pki-selinux -%defattr(-,root,root,-) -%doc base/selinux/LICENSE -%{_datadir}/selinux/modules/pki.pp -%endif - %files -n pki-ca %defattr(-,root,root,-) %doc base/ca/LICENSE @@ -1064,17 +937,7 @@ fi %{_datadir}/pki/ca/profiles/ca/ %{_datadir}/pki/ca/setup/ %{_datadir}/pki/ca/webapps/ -%dir %{_localstatedir}/lock/pki/ca -%dir %{_localstatedir}/run/pki/ca -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf - -%if ! 0%{?rhel} %files -n pki-kra %defattr(-,root,root,-) %doc base/kra/LICENSE @@ -1086,18 +949,7 @@ fi %{_datadir}/pki/kra/conf/ %{_datadir}/pki/kra/setup/ %{_datadir}/pki/kra/webapps/ -%dir %{_localstatedir}/lock/pki/kra -%dir %{_localstatedir}/run/pki/kra -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf -%endif - -%if ! 0%{?rhel} %files -n pki-ocsp %defattr(-,root,root,-) %doc base/ocsp/LICENSE @@ -1109,18 +961,7 @@ fi %{_datadir}/pki/ocsp/conf/ %{_datadir}/pki/ocsp/setup/ %{_datadir}/pki/ocsp/webapps/ -%dir %{_localstatedir}/lock/pki/ocsp -%dir %{_localstatedir}/run/pki/ocsp -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf -%endif - -%if ! 0%{?rhel} %files -n pki-tks %defattr(-,root,root,-) %doc base/tks/LICENSE 
@@ -1132,16 +973,18 @@ fi %{_datadir}/pki/tks/conf/ %{_datadir}/pki/tks/setup/ %{_datadir}/pki/tks/webapps/ -%dir %{_localstatedir}/lock/pki/tks -%dir %{_localstatedir}/run/pki/tks -# Details: -# -# * https://fedoraproject.org/wiki/Features/var-run-tmpfs -# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft -# -%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf -%endif +%files -n pki-tps-tomcat +%defattr(-,root,root,-) +%doc base/tps/LICENSE +%dir %{_sysconfdir}/systemd/system/pki-tpsd.target.wants +%{_unitdir}/pki-tpsd@.service +%{_unitdir}/pki-tpsd.target +%{_javadir}/pki/pki-tps.jar +%dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/conf/ +%{_datadir}/pki/tps/setup/ +%{_datadir}/pki/tps/webapps/ %if %{?_without_javadoc:0}%{!?_without_javadoc:1} %files -n pki-javadoc 
@@ -1151,57 +994,119 @@ fi %changelog -* Fri Dec 27 2013 Daniel Mach - 10.0.5-3 -- Mass rebuild 2013-12-27 - -* Sat Nov 2 2013 Ade Lee 10.0.5-2 -- Trac #739, BZ#999722 - Fixed error handling in DoUnrevoke servlet. -- Trac #775, BZ#1018628 - Fixed errors during Tomcat shutdown. -- Trac #776, BZ#1024679 - Added missing link for apache-commons-io -- Trac #781, BZ#1024445 - Admin cert signed with SHA1, should be SHA256 -- Trac #780 - Store authentication info in session. -- Trac #763 - Backup upgrade tracker. -- Trac #779 - Renamed some CLI commands. -- Trac #743 - Fixed references to /var/run and /var/lock in tmpfiles. - -* Fri Sep 6 2013 Ade Lee 10.0.5-1 -- Roll release to next version - -* Fri Aug 2 2013 Ade Lee 10.0.4-2 -- Trac Ticket 699 - on upgrade to F19, CA fails to start. - -* Thu Jul 25 2013 Ade Lee 10.0.4-1 -- Change release number for official release - -* Wed Jul 24 2013 Matthew Harmsen 10.0.4-0.4 -- Bugzilla Bug #986506 - Need to determine RPM packages to be excluded - from compose . . . (exclude pki-kra, pki-ocsp, and pki-tks from rhel 7) - -* Wed Jul 17 2013 Endi S. 
Dewata 10.0.4-0.3 +* Wed Nov 26 2014 Matthew Harmsen 10.1.2-7 +- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent + packages not found - fixed shell tests + +* Wed Nov 19 2014 Matthew Harmsen 10.1.2-6 +- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent + packages not found + +* Thu Nov 13 2014 Christina Fu 10.1.2-5 +- Bugzilla Bug #1155654 - Check for null values in GetConfigEntries (alee) +- Bugzilla Bug #1158410 - Add TLS Range in server.xml (cfu) +- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and TLS v1.2 + (client-side code) (cfu) +- Updated JSS from "4.2.6-28" to "4.2.6-35" (TLS) +- Require tomcatjss "7.1.0-5" (TLS) + +* Tue Oct 28 2014 Christina Fu 10.1.2-4 +- Bugzilla Bug #1151147 - External CA install does not work + with CA certificates signed by Microsoft Certificate Services + +* Fri Sep 26 2014 Christina Fu 10.1.2-3 +- Bugzilla Bug #790924 - pkispawn (configuration) does not provide CA + extensions in subordinate certificate signing requests (CSR) + +* Fri Sep 19 2014 Matthew Harmsen 10.1.2-2 +- Bugzilla Bug #1108303 - Rebase pki-core to 10.1 (RHEL) +- Bugzilla Bug #1117073 - pki-core ppc64le is missing from ExcludeArch line + of spec file (RHEL) +- Bumped required runtime version of tomcat >= 7.0.54 (RHEL) +- Changed buildtime requirement from 'resteasy-base-jackson-provider >= 3.0.6-1' + to 'resteasy-base-jettison-provider >= 3.0.6-1' (RHEL) +- Added version number of '>= 3.0.6-1' to runtime requirements for all + 'resteasy-base' packages (RHEL) + +* Thu Sep 18 2014 Ade Lee 10.1.2-1 +- Backport fix for ticket 499 +- Bump version to ensure migration scripts are run + +* Thu Sep 11 2014 Matthew Harmsen 10.1.1-2 +- Add missing 'jakarta-commons-httpclient' build and runtime requirement +- Exclude the 'ppcle' and 'ppc64le' platforms from being built on RHEL platforms +- Update 'resteasy-base' requirements on RHEL platforms +- Suppress pylint on RHEL platforms + +* Fri Mar 21 2014 Matthew Harmsen 10.1.1-1 +- PKI 
TRAC Ticket #840 - pkispawn requires policycoreutils-python (mharmsen) +- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python (mharmsen) +- PKI TRAC Ticket #868 - REST API get certs links missing segment + (alee, mharmsen) +- PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys + install - systemctl start pki-tomcatd.target fails + (mharmsen) +- PKI TRAC Ticket #816 - pki-tomcat cannot be started after installation of + ipa replica with ca + (alee, cfu, edewata, mharmsen) +- Updated version number. + +* Wed Jan 29 2014 Matthew Harmsen 10.1.0-2 +- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python +- TRAC Ticket #840 - pkispawn requires policycoreutils-python + +* Fri Nov 15 2013 Ade Lee 10.1.0-1 +- Trac Ticket 788 - Clean up spec files +- Update release number for release build +- Updated requirements for resteasy + +* Sun Nov 10 2013 Ade Lee 10.1.0-0.14 +- Change release number for beta build + +* Thu Nov 7 2013 Ade Lee 10.1.0-0.13 +- Updated requirements for tomcat + +* Fri Oct 4 2013 Ade Lee 10.1.0-0.12 +- Removed additional /var/run, /var/lock references. + +* Fri Oct 4 2013 Ade Lee 10.1.0-0.11 +- Removed delivery of /var/lock and /var/run directories for fedora 20. + +* Wed Aug 14 2013 Endi S. Dewata 10.1.0-0.10 +- Moved Tomcat-based TPS into pki-core. + +* Wed Aug 14 2013 Abhishek Koneru 10.1.0.0.9 +- Listed new packages required during build, due to issues reported + by pylint. +- Packages added: python-requests, python-ldap, libselinux-python, + policycoreutils-python + +* Fri Aug 09 2013 Abhishek Koneru 10.1.0.0.8 +- Added pylint scan to the build process. + +* Mon Jul 22 2013 Endi S. Dewata 10.1.0-0.7 - Added man pages for upgrade tools. + +* Wed Jul 17 2013 Endi S. Dewata 10.1.0-0.6 - Cleaned up the code to install man pages. -* Tue Jul 9 2013 Ade Lee 10.0.4-0.2 +* Tue Jul 16 2013 Endi S. Dewata 10.1.0-0.5 +- Reorganized deployment tools. 
+ +* Tue Jul 9 2013 Ade Lee 10.1.0-0.4 - Bugzilla Bug 973224 - resteasy-base must be split into subpackages to simplify dependencies -* Wed Jun 26 2013 Ade Lee 10.0.4-0.1 -- Roll release to next version - -* Mon Jun 10 2013 Ade Lee 10.0.3-2 -- TRAC Ticket 646 - PKCS12Export fails on F19 -- Bugzilla Bug 961522 - allows key to be exported - -* Thu Jun 6 2013 Ade Lee 10.0.3-1 -- Change release number for official release. +* Fri Jun 14 2013 Endi S. Dewata 10.1.0-0.3 +- Updated dependencies to Java 1.7. -* Wed Jun 5 2013 Matthew Harmsen 10.0.3-0.2 +* Wed Jun 5 2013 Matthew Harmsen 10.1.0-0.2 - TRAC Ticket 606 - add restart / start at boot info to pkispawn man page - TRAC Ticket 610 - Document limitation in using GUI install - TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory -* Tue May 7 2013 Ade Lee 10.0.3-0.1 -- Roll release to next version. +* Tue May 7 2013 Ade Lee 10.1.0-0.1 +- Change release number for 10.1 development * Mon May 6 2013 Endi S. Dewata 10.0.2-5 - Fixed incorrect JNI_JAR_DIR.