diff --git a/.gitignore b/.gitignore
index 0879a7b..db47ce7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.0.5.tar.gz
+SOURCES/pki-core-10.1.2.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 3196f00..cdcdca8 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-249584b957fa8bd4478599b66b19bb8f5b1fd1bb SOURCES/pki-core-10.0.5.tar.gz
+b0d1914fa03a09f341d30e5b1c0a178583174419 SOURCES/pki-core-10.1.2.tar.gz
diff --git a/SOURCES/0000-Storing-authentication-info-in-session.patch b/SOURCES/0000-Storing-authentication-info-in-session.patch
deleted file mode 100644
index 28362b9..0000000
--- a/SOURCES/0000-Storing-authentication-info-in-session.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From 8270ef0b8861bfc6d7a4e5bbe4e6125a221d0680 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 22 Jul 2013 08:50:03 -0400
-Subject: [PATCH 0/6] Storing authentication info in session.
-
-The authenticator configuration has been modified to store the authentication
-info in the session so it can be used by the servlets. An upgrade script has
-been added to update the configuration in existing instances.
-
-The SSLAuthenticatorWithFalback was modified to propagate the configuration
-to the actual authenticator handling the request.
----
- base/ca/shared/webapps/ca/META-INF/context.xml | 4 +-
- .../cms/tomcat/SSLAuthenticatorWithFallback.java | 5 ++
- base/kra/shared/webapps/kra/META-INF/context.xml | 4 +-
- base/ocsp/shared/webapps/ocsp/META-INF/context.xml | 4 +-
- base/server/upgrade/10.0.4/.gitignore | 4 ++
- .../upgrade/10.0.5/01-EnableSessionInAuthenticator | 69 ++++++++++++++++++++++
- base/tks/shared/webapps/tks/META-INF/context.xml | 4 +-
- 7 files changed, 90 insertions(+), 4 deletions(-)
- create mode 100644 base/server/upgrade/10.0.4/.gitignore
- create mode 100755 base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
-
-diff --git a/base/ca/shared/webapps/ca/META-INF/context.xml b/base/ca/shared/webapps/ca/META-INF/context.xml
-index 032fd14..e838503 100644
---- a/base/ca/shared/webapps/ca/META-INF/context.xml
-+++ b/base/ca/shared/webapps/ca/META-INF/context.xml
-@@ -28,7 +28,9 @@
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-
- <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
-- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-+ alwaysUseSession="true"
-+ secureRandomProvider="Mozilla-JSS"
-+ secureRandomAlgorithm="pkcs11prng"/>
-
- <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
-
-diff --git a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
-index d1b3dc3..20bf85d 100644
---- a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
-+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
-@@ -140,8 +140,13 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
- @Override
- protected void initInternal() throws LifecycleException {
- log("Initializing authenticators");
-+
- super.initInternal();
-+
-+ sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
- sslAuthenticator.init();
-+
-+ fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
- fallbackAuthenticator.init();
- }
-
-diff --git a/base/kra/shared/webapps/kra/META-INF/context.xml b/base/kra/shared/webapps/kra/META-INF/context.xml
-index 032fd14..e838503 100644
---- a/base/kra/shared/webapps/kra/META-INF/context.xml
-+++ b/base/kra/shared/webapps/kra/META-INF/context.xml
-@@ -28,7 +28,9 @@
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-
- <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
-- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-+ alwaysUseSession="true"
-+ secureRandomProvider="Mozilla-JSS"
-+ secureRandomAlgorithm="pkcs11prng"/>
-
- <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
-
-diff --git a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
-index 032fd14..e838503 100644
---- a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
-+++ b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml
-@@ -28,7 +28,9 @@
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-
- <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
-- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-+ alwaysUseSession="true"
-+ secureRandomProvider="Mozilla-JSS"
-+ secureRandomAlgorithm="pkcs11prng"/>
-
- <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
-
-diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore
-new file mode 100644
-index 0000000..5e7d273
---- /dev/null
-+++ b/base/server/upgrade/10.0.4/.gitignore
-@@ -0,0 +1,4 @@
-+# Ignore everything in this directory
-+*
-+# Except this file
-+!.gitignore
-diff --git a/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
-new file mode 100755
-index 0000000..7aee780
---- /dev/null
-+++ b/base/server/upgrade/10.0.5/01-EnableSessionInAuthenticator
-@@ -0,0 +1,69 @@
-+#!/usr/bin/python
-+# Authors:
-+# Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; version 2 of the License.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License along
-+# with this program; if not, write to the Free Software Foundation, Inc.,
-+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2013 Red Hat, Inc.
-+# All rights reserved.
-+#
-+
-+import os
-+from lxml import etree
-+
-+import pki.server.upgrade
-+
-+
-+class EnableSessionInAuthenticator(pki.server.upgrade.PKIServerUpgradeScriptlet):
-+
-+ def __init__(self):
-+
-+ self.message = 'Enable session in authenticator'
-+
-+ self.parser = etree.XMLParser(remove_blank_text=True)
-+
-+ def upgrade_subsystem(self, instance, subsystem):
-+
-+ context_xml = os.path.join(
-+ instance.base_dir, 'webapps', subsystem.name, 'META-INF', 'context.xml')
-+ self.backup(context_xml)
-+
-+ document = etree.parse(context_xml, self.parser)
-+
-+ self.enable_session(document)
-+
-+ with open(context_xml, 'w') as f:
-+ f.write(etree.tostring(document, pretty_print=True))
-+
-+ def enable_session(self, document):
-+
-+ context = document.getroot()
-+ valves = context.findall('Valve')
-+ authenticator = None
-+
-+ # Find existing authenticator
-+ for valve in valves:
-+ className = valve.get('className')
-+ if className != 'com.netscape.cms.tomcat.SSLAuthenticatorWithFallback':
-+ continue
-+
-+ # Found existing authenticator
-+ authenticator = valve
-+ break
-+
-+ if authenticator is None:
-+ raise Exception('Missing SSLAuthenticatorWithFallback')
-+
-+ # Update authenticator's attributes
-+ authenticator.set('alwaysUseSession', 'true')
-diff --git a/base/tks/shared/webapps/tks/META-INF/context.xml b/base/tks/shared/webapps/tks/META-INF/context.xml
-index 032fd14..e838503 100644
---- a/base/tks/shared/webapps/tks/META-INF/context.xml
-+++ b/base/tks/shared/webapps/tks/META-INF/context.xml
-@@ -28,7 +28,9 @@
- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-
- <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
-- secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
-+ alwaysUseSession="true"
-+ secureRandomProvider="Mozilla-JSS"
-+ secureRandomAlgorithm="pkcs11prng"/>
-
- <Realm className="com.netscape.cms.tomcat.ProxyRealm" />
-
---
-1.8.3.1
-
diff --git a/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch b/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch
deleted file mode 100644
index f00caae..0000000
--- a/SOURCES/0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 166a4b291a573d2c9f346a1b1051a2e9b45ff375 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 16 Oct 2013 09:41:12 -0400
-Subject: [PATCH 1/6] Fixed error handling in DoUnrevoke servlet.
-
-The DoUnrevoke servlet has been modified to re-throw the EBaseException
-such that the error message can be returned properly to the client.
-
-Ticket #739
----
- base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java
-index cca8381..2b30720 100644
---- a/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java
-+++ b/base/common/src/com/netscape/cms/servlet/cert/DoUnrevoke.java
-@@ -40,7 +40,6 @@ import com.netscape.certsrv.authorization.AuthzToken;
- import com.netscape.certsrv.authorization.EAuthzAccessDenied;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IArgBlock;
--import com.netscape.certsrv.base.PKIException;
- import com.netscape.certsrv.ca.ICRLIssuingPoint;
- import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.dbs.certdb.CertId;
-@@ -274,7 +273,7 @@ public class DoUnrevoke extends CMSServlet {
- processor.log(ILogger.LL_FAILURE, "Error " + e);
- processor.auditChangeRequest(ILogger.FAILURE);
-
-- throw new PKIException(e.getMessage());
-+ throw e;
- }
-
- // change audit processing from "REQUEST" to "REQUEST_PROCESSED"
-@@ -419,6 +418,8 @@ public class DoUnrevoke extends CMSServlet {
- } catch (EBaseException e) {
- processor.log(ILogger.LL_FAILURE, "Error " + e);
- processor.auditChangeRequestProcessed(ILogger.FAILURE);
-+
-+ throw e;
- }
- }
-
---
-1.8.3.1
-
diff --git a/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch b/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch
deleted file mode 100644
index 0bf5ce9..0000000
--- a/SOURCES/0002-Fixed-errors-during-Tomcat-shutdown.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 981fdba088b14f975555b9dceb92db614acf631c Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 25 Oct 2013 09:28:05 -0400
-Subject: [PATCH 2/6] Fixed errors during Tomcat shutdown.
-
-Previously the CMS.shutdown() was called multiple times during Tomcat
-shutdown, one by CMSStarServlet.destroy() and the other by the shutdown
-hook, causing some errors. The shutdown hook should only be used in a
-standalone application, so it has been moved into CMS.main().
-
-Bugzilla #1018628
----
- base/common/src/com/netscape/certsrv/apps/CMS.java | 17 +++++++++++++++++
- .../com/netscape/cms/servlet/base/CMSStartServlet.java | 3 +++
- .../common/src/com/netscape/cmscore/apps/CMSEngine.java | 16 ----------------
- 3 files changed, 20 insertions(+), 16 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
-index 27cddad..fbcf65a 100644
---- a/base/common/src/com/netscape/certsrv/apps/CMS.java
-+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
-@@ -1661,5 +1661,22 @@ public final class CMS {
- start(path);
- } catch (EBaseException e) {
- }
-+
-+ // Use shutdown hook in stand-alone application
-+ // to catch SIGINT, SIGTERM, or SIGHUP.
-+ Runtime.getRuntime().addShutdownHook(new Thread() {
-+ public void run() {
-+ /*LogDoc
-+ *
-+ * @phase watchdog check
-+ */
-+ CMS.getLogger().log(ILogger.EV_SYSTEM,
-+ ILogger.S_OTHER,
-+ ILogger.LL_INFO,
-+ "CMSEngine: Received shutdown signal");
-+
-+ CMS.shutdown();
-+ };
-+ });
- }
- }
-diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
-index e00f2bd..34bbb2e 100644
---- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
-+++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java
-@@ -120,6 +120,9 @@ public class CMSStartServlet extends HttpServlet {
- return "CMS startup servlet";
- }
-
-+ /**
-+ * This method will be called when Tomcat is shutdown.
-+ */
- public void destroy() {
- CMS.shutdown();
- super.destroy();
-diff --git a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
-index 834918a..482b5ea 100644
---- a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
-+++ b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -262,22 +262,6 @@ public class CMSEngine implements ICMSEngine {
- * private constructor.
- */
- public CMSEngine() {
--
-- // Shutdown on SIGINT, SIGTERM, or SIGHUP.
-- Runtime.getRuntime().addShutdownHook(new Thread() {
-- public void run() {
-- /*LogDoc
-- *
-- * @phase watchdog check
-- */
-- getLogger().log(ILogger.EV_SYSTEM,
-- ILogger.S_OTHER,
-- ILogger.LL_INFO,
-- "OS: Received shutdown signal");
--
-- shutdown();
-- };
-- });
- }
-
- /**
---
-1.8.3.1
-
diff --git a/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch b/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch
deleted file mode 100644
index 2b151d1..0000000
--- a/SOURCES/0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From fb9acc2c02ad35443eb8b6ac0f2279dddd9449ab Mon Sep 17 00:00:00 2001
-From: Ade Lee <alee@redhat.com>
-Date: Wed, 30 Oct 2013 15:50:28 -0400
-Subject: [PATCH 3/6] Fixed logic for setting admin cert signing algorithm
-
-Should now be SHA256 by default.
-Bugzilla BZ 1024445
----
- base/ca/shared/conf/CS.cfg.in | 1 +
- base/ca/shared/profiles/ca/caAdminCert.cfg | 2 +-
- .../com/netscape/cms/servlet/csadmin/CertUtil.java | 123 +++++++++++++--------
- 3 files changed, 81 insertions(+), 45 deletions(-)
-
-diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
-index c1acc57..cca5209 100644
---- a/base/ca/shared/conf/CS.cfg.in
-+++ b/base/ca/shared/conf/CS.cfg.in
-@@ -660,6 +660,7 @@ ca.notification.requestInQ.senderEmail=
- ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_ID]
- ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
- ca.ocsp_signing.tokenname=internal
-+ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
- ca.publish.createOwnDNEntry=false
- ca.publish.queue.enable=true
- ca.publish.queue.maxNumberOfThreads=3
-diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
-index c44079a..cd29703 100644
---- a/base/ca/shared/profiles/ca/caAdminCert.cfg
-+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
-@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
- policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
- policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.adminCertSet.8.constraint.name=No Constraint
--policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
-+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
- policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.adminCertSet.8.default.name=Signing Alg
- policyset.adminCertSet.8.default.params.signingAlg=-
-diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-index 789c0aa..1936b2c 100644
---- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-@@ -17,14 +17,15 @@
- // --- END COPYRIGHT BLOCK ---
- package com.netscape.cms.servlet.csadmin;
-
--import java.io.BufferedReader;
- import java.io.ByteArrayInputStream;
--import java.io.DataInputStream;
- import java.io.FileInputStream;
-+import java.io.FileNotFoundException;
- import java.io.IOException;
--import java.io.InputStreamReader;
- import java.math.BigInteger;
- import java.util.Date;
-+import java.util.Iterator;
-+import java.util.Properties;
-+import java.util.Set;
-
- import javax.servlet.http.HttpServletResponse;
-
-@@ -36,6 +37,8 @@ import netscape.security.x509.X509CertImpl;
- import netscape.security.x509.X509CertInfo;
- import netscape.security.x509.X509Key;
-
-+import org.apache.commons.lang.ArrayUtils;
-+import org.apache.commons.lang.StringUtils;
- import org.apache.velocity.context.Context;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.crypto.PrivateKey;
-@@ -271,52 +274,84 @@ public class CertUtil {
- }
-
- /**
-- * reads from the admin cert profile caAdminCert.profile and takes the first
-- * entry in the list of allowed algorithms. Users that wish a different algorithm
-- * can specify it in the profile using default.params.signingAlg
-+ * reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows:
-+ *
-+ * 1. First gets list of allowed algorithms from profile (constraint.params.signingAlgsAllowed)
-+ * If entry does not exist, uses entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg
-+ * If that entry does not exist, uses basic default
-+ *
-+ * 2. Gets default.params.signingAlg from profile.
-+ * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list
-+ * that matches CA signing key type
-+ * Otherwise returns entry if it matches signing CA key type.
-+ *
-+ * @throws EBaseException
-+ * @throws IOException
-+ * @throws FileNotFoundException
- */
-
-- public static String getAdminProfileAlgorithm(IConfigStore config) {
-- String algorithm = "SHA256withRSA";
-- try {
-- String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa");
-- String pfile = config.getString("profile.caAdminCert.config");
-- FileInputStream fis = new FileInputStream(pfile);
-- DataInputStream in = new DataInputStream(fis);
-- BufferedReader br = new BufferedReader(new InputStreamReader(in));
--
-- String strLine;
-- while ((strLine = br.readLine()) != null) {
-- String marker2 = "default.params.signingAlg=";
-- int indx = strLine.indexOf(marker2);
-- if (indx != -1) {
-- String alg = strLine.substring(indx + marker2.length());
-- if ((alg.length() > 0) && (!alg.equals("-"))) {
-- algorithm = alg;
-- break;
-- }
-- ;
-- }
-- ;
--
-- String marker = "signingAlgsAllowed=";
-- indx = strLine.indexOf(marker);
-- if (indx != -1) {
-- String[] algs = strLine.substring(indx + marker.length()).split(",");
-- for (int i = 0; i < algs.length; i++) {
-- if ((caSigningKeyType.equals("rsa") && (algs[i].indexOf("RSA") != -1)) ||
-- (caSigningKeyType.equals("ecc") && (algs[i].indexOf("EC") != -1))) {
-- algorithm = algs[i];
-- break;
-- }
-- }
-+ public static String getAdminProfileAlgorithm(IConfigStore config) throws EBaseException, FileNotFoundException,
-+ IOException {
-+ String caSigningKeyType = config.getString("preop.cert.signing.keytype", "rsa");
-+ String pfile = config.getString("profile.caAdminCert.config");
-+ Properties props = new Properties();
-+ props.load(new FileInputStream(pfile));
-+
-+ Set<String> keys = props.stringPropertyNames();
-+ Iterator<String> iter = keys.iterator();
-+ String defaultAlg = null;
-+ String[] algsAllowed = null;
-+
-+ while (iter.hasNext()) {
-+ String key = iter.next();
-+ if (key.endsWith("default.params.signingAlg")) {
-+ defaultAlg = props.getProperty(key);
-+ }
-+ if (key.endsWith("constraint.params.signingAlgsAllowed")) {
-+ algsAllowed = StringUtils.split(props.getProperty(key), ",");
-+ }
-+ }
-+
-+ if (algsAllowed == null) { //algsAllowed not defined in profile, use a global setting
-+ algsAllowed = StringUtils.split(config.getString("ca.profiles.defaultSigningAlgsAllowed",
-+ "SHA256withRSA,SHA256withEC,SHA1withDSA"), ",");
-+ }
-+
-+ if (ArrayUtils.isEmpty(algsAllowed)) {
-+ throw new EBaseException("No allowed signing algorithms defined.");
-+ }
-+
-+ if (StringUtils.isNotEmpty(defaultAlg) && !defaultAlg.equals("-")) {
-+ // check if the defined default algorithm is valid
-+ if (! isAlgorithmValid(caSigningKeyType, defaultAlg)) {
-+ throw new EBaseException("Administrator cert cannot be signed by specfied algorithm." +
-+ "Algorithm incompatible with signing key");
-+ }
-+
-+ for (String alg : algsAllowed) {
-+ if (defaultAlg.trim().equals(alg.trim())) {
-+ return defaultAlg;
- }
- }
-- in.close();
-- } catch (Exception e) {
-- CMS.debug("getAdminProfleAlgorithm: exception: " + e);
-+ throw new EBaseException(
-+ "Administrator Certificate cannot be signed by the specified algorithm " +
-+ "as it is not one of the allowed signing algorithms. Check the admin cert profile.");
- }
-- return algorithm;
-+
-+ // no algorithm specified. Pick the first allowed algorithm.
-+ for (String alg : algsAllowed) {
-+ if (isAlgorithmValid(caSigningKeyType, alg)) return alg;
-+ }
-+
-+ throw new EBaseException(
-+ "Admin certificate cannot be signed by any of the specified possible algorithms." +
-+ "Algorithm is incompatible with the CA signing key type" );
-+ }
-+
-+ private static boolean isAlgorithmValid(String signingKeyType, String algorithm) {
-+ return ((signingKeyType.equals("rsa") && algorithm.contains("RSA")) ||
-+ (signingKeyType.equals("ecc") && algorithm.contains("EC")) ||
-+ (signingKeyType.equals("dsa") && algorithm.contains("DSA")));
- }
-
- public static X509CertImpl createLocalCert(IConfigStore config, X509Key x509key,
---
-1.8.3.1
-
diff --git a/SOURCES/0004-Backup-upgrade-tracker.patch b/SOURCES/0004-Backup-upgrade-tracker.patch
deleted file mode 100644
index 7cbb6ec..0000000
--- a/SOURCES/0004-Backup-upgrade-tracker.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 75bf654f1023e36f67b27d8e47e077400c072b84 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 28 Oct 2013 17:21:59 -0400
-Subject: [PATCH 4/6] Backup upgrade tracker.
-
-The upgrade framework has been modified to backup the files used
-to track the upgrade progress. If the tracker file is also modified
-by the upgrade scriptlet, it will only keep the initial backup
-(before any modifications were made).
-
-Ticket #763
----
- base/common/python/pki/upgrade.py | 8 ++++++--
- base/common/python/pki/util.py | 6 +++++-
- base/server/python/pki/server/upgrade.py | 1 +
- 3 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py
-index bd78ec9..7e48180 100644
---- a/base/common/python/pki/upgrade.py
-+++ b/base/common/python/pki/upgrade.py
-@@ -110,6 +110,7 @@ class PKIUpgradeTracker(object):
- index_key='PKI_UPGRADE_INDEX'):
-
- self.name = name
-+ self.filename = filename
-
- self.version_key = version_key
- self.index_key = index_key
-@@ -267,6 +268,7 @@ class PKIUpgradeScriptlet(object):
- # in this version, update the tracker version.
-
- tracker = self.upgrader.get_tracker()
-+ self.backup(tracker.filename)
-
- if not self.last:
- tracker.set_index(self.index)
-@@ -389,7 +391,8 @@ class PKIUpgradeScriptlet(object):
-
- if os.path.isfile(path):
- if verbose: print 'Saving ' + path
-- pki.util.copyfile(path, dest)
-+ # do not overwrite initial backup
-+ pki.util.copyfile(path, dest, overwrite=False)
-
- else:
- for sourcepath, _, filenames in os.walk(path):
-@@ -405,7 +408,8 @@ class PKIUpgradeScriptlet(object):
- targetfile = os.path.join(destpath, filename)
-
- if verbose: print 'Saving ' + sourcefile
-- pki.util.copyfile(sourcefile, targetfile)
-+ # do not overwrite initial backup
-+ pki.util.copyfile(sourcefile, targetfile, overwrite=False)
-
- else:
-
-diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
-index 4d25390..62aec2c 100644
---- a/base/common/python/pki/util.py
-+++ b/base/common/python/pki/util.py
-@@ -53,11 +53,15 @@ def copy(source, dest):
- targetfile = os.path.join(destpath, filename)
- copyfile(sourcefile, targetfile)
-
--def copyfile(source, dest):
-+def copyfile(source, dest, overwrite=True):
- """
- Copy a file or link while preserving its attributes.
- """
-
-+ # if dest already exists and not overwriting, do nothing
-+ if os.path.exists(dest) and not overwrite:
-+ return
-+
- if os.path.islink(source):
- target = os.readlink(source)
- os.symlink(target, dest)
-diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
-index 940dbe4..ee0dfed 100644
---- a/base/server/python/pki/server/upgrade.py
-+++ b/base/server/python/pki/server/upgrade.py
-@@ -60,6 +60,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
- # in this version, update the tracker version.
-
- tracker = self.upgrader.get_tracker(instance, subsystem)
-+ self.backup(tracker.filename)
-
- if not self.last:
- tracker.set_index(self.index)
---
-1.8.3.1
-
diff --git a/SOURCES/0005-Added-CLI-command-aliases.patch b/SOURCES/0005-Added-CLI-command-aliases.patch
deleted file mode 100644
index 2192344..0000000
--- a/SOURCES/0005-Added-CLI-command-aliases.patch
+++ /dev/null
@@ -1,2554 +0,0 @@
-From 7efc9fbd120885109eb19bfc98d6109a98751b25 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 29 Oct 2013 10:56:15 -0400
-Subject: [PATCH 5/6] Added CLI command aliases.
-
-New aliases for some CLI commands have been added for consistency:
-
-* client-cert-find -> client-find-cert
-* client-cert-import -> client-import-cert
-* client-cert-del -> client-remove-cert
-* group-member-add -> group-add-member
-* group-member-find -> group-find-member
-* group-member-show -> group-show-member
-* group-member-del -> group-remove-member
-* user-cert-add -> user-add-cert
-* user-cert-find -> user-find-cert
-* user-cert-show -> user-show-cert
-* user-cert-del -> user-remove-cert
-* user-membership-add -> user-add-membership
-* user-membership-find -> user-find-membership
-* user-membership-show -> user-show-membership
-* user-membership-del -> user-remove-membership
-
-The original commands will continue to work as before.
----
- base/java-tools/man/man1/pki.1 | 4 +-
- .../src/com/netscape/cmstools/cli/CLI.java | 55 +++++++++
- .../com/netscape/cmstools/client/ClientCLI.java | 24 +---
- .../cmstools/client/ClientCertFindCLI.java | 89 +++++++++++++++
- .../cmstools/client/ClientCertImportCLI.java | 124 +++++++++++++++++++++
- .../cmstools/client/ClientCertRemoveCLI.java | 70 ++++++++++++
- .../cmstools/client/ClientFindCertCLI.java | 60 +---------
- .../cmstools/client/ClientImportCertCLI.java | 95 +---------------
- .../cmstools/client/ClientRemoveCertCLI.java | 41 +------
- .../netscape/cmstools/group/GroupAddMemberCLI.java | 32 +-----
- .../src/com/netscape/cmstools/group/GroupCLI.java | 23 +---
- .../cmstools/group/GroupFindMemberCLI.java | 79 +------------
- .../netscape/cmstools/group/GroupMemberAddCLI.java | 61 ++++++++++
- .../cmstools/group/GroupMemberFindCLI.java | 108 ++++++++++++++++++
- .../cmstools/group/GroupMemberRemoveCLI.java | 58 ++++++++++
- .../cmstools/group/GroupMemberShowCLI.java | 61 ++++++++++
- .../cmstools/group/GroupRemoveMemberCLI.java | 29 +----
- .../cmstools/group/GroupShowMemberCLI.java | 32 +-----
- .../com/netscape/cmstools/user/UserAddCertCLI.java | 72 +-----------
- .../cmstools/user/UserAddMembershipCLI.java | 32 +-----
- .../src/com/netscape/cmstools/user/UserCLI.java | 28 ++---
- .../com/netscape/cmstools/user/UserCertAddCLI.java | 105 +++++++++++++++++
- .../netscape/cmstools/user/UserCertFindCLI.java | 108 ++++++++++++++++++
- .../netscape/cmstools/user/UserCertRemoveCLI.java | 65 +++++++++++
- .../netscape/cmstools/user/UserCertShowCLI.java | 100 +++++++++++++++++
- .../netscape/cmstools/user/UserFindCertCLI.java | 79 +------------
- .../cmstools/user/UserFindMembershipCLI.java | 79 +------------
- .../cmstools/user/UserMembershipAddCLI.java | 61 ++++++++++
- .../cmstools/user/UserMembershipFindCLI.java | 108 ++++++++++++++++++
- .../cmstools/user/UserMembershipRemoveCLI.java | 58 ++++++++++
- .../netscape/cmstools/user/UserRemoveCertCLI.java | 35 +-----
- .../cmstools/user/UserRemoveMembershipCLI.java | 29 +----
- .../netscape/cmstools/user/UserShowCertCLI.java | 71 +-----------
- 33 files changed, 1290 insertions(+), 785 deletions(-)
- create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java
- create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java
-
-diff --git a/base/java-tools/man/man1/pki.1 b/base/java-tools/man/man1/pki.1
-index ec0af7c..b3c5356 100644
---- a/base/java-tools/man/man1/pki.1
-+++ b/base/java-tools/man/man1/pki.1
-@@ -199,11 +199,11 @@ To delete a group:
-
- To add a user to a group:
-
--.B pki <admin authentication> group-add-member <group ID> <Member ID>
-+.B pki <admin authentication> group-member-add <group ID> <Member ID>
-
- To delete a user from a group:
-
--.B pki <admin authentication> group-remove-member <group ID> <Member ID>
-+.B pki <admin authentication> group-member-del <group ID> <Member ID>
-
- .\".SS Key Management Commands
- .\"\fBpki\fP can be used with a KRA to find specific keys and key requests. This will be documented in more detail at a later time.
-diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
-index a1fc4f7..c9c3606 100644
---- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
-@@ -18,6 +18,8 @@
-
- package com.netscape.cmstools.cli;
-
-+import java.util.ArrayList;
-+import java.util.Collection;
- import java.util.LinkedHashMap;
- import java.util.Map;
-
-@@ -25,6 +27,7 @@ import org.apache.commons.cli.CommandLineParser;
- import org.apache.commons.cli.HelpFormatter;
- import org.apache.commons.cli.Options;
- import org.apache.commons.cli.PosixParser;
-+import org.apache.commons.lang.StringUtils;
-
-
- /**
-@@ -64,6 +67,10 @@ public class CLI {
- this.description = description;
- }
-
-+ public boolean isDeprecated() {
-+ return getClass().getAnnotation(Deprecated.class) != null;
-+ }
-+
- public void addModule(CLI module) {
- modules.put(module.getName(), module);
- }
-@@ -75,7 +82,55 @@ public class CLI {
- public void execute(String[] args) throws Exception {
- }
-
-+ public Collection<CLI> getDeprecatedModules() {
-+ Collection<CLI> list = new ArrayList<CLI>();
-+ for (CLI module : modules.values()) {
-+ if (!module.isDeprecated()) continue;
-+ list.add(module);
-+ }
-+ return list;
-+ }
-+
- public void printHelp() {
-+
-+ int leftPadding = 1;
-+ int rightPadding = 25;
-+
-+ System.out.println("Commands:");
-+
-+ for (CLI module : modules.values()) {
-+ if (module.isDeprecated()) continue;
-+
-+ String label = name + "-" + module.getName();
-+
-+ int padding = rightPadding - leftPadding - label.length();
-+ if (padding < 1)
-+ padding = 1;
-+
-+ System.out.print(StringUtils.repeat(" ", leftPadding));
-+ System.out.print(label);
-+ System.out.print(StringUtils.repeat(" ", padding));
-+ System.out.println(module.getDescription());
-+ }
-+
-+ Collection<CLI> deprecatedModules = getDeprecatedModules();
-+
-+ if (!deprecatedModules.isEmpty()) {
-+ System.out.println();
-+ System.out.println("Deprecated:");
-+
-+ for (CLI module : deprecatedModules) {
-+ String label = name+"-"+module.getName();
-+
-+ int padding = rightPadding - leftPadding - label.length();
-+ if (padding < 1) padding = 1;
-+
-+ System.out.print(StringUtils.repeat(" ", leftPadding));
-+ System.out.print(label);
-+ System.out.print(StringUtils.repeat(" ", padding));
-+ System.out.println(module.getDescription());
-+ }
-+ }
- }
-
- public static boolean isVerbose() {
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
-index 34d09f3..147b4d6 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCLI.java
-@@ -20,7 +20,6 @@ package com.netscape.cmstools.client;
-
- import java.util.Arrays;
-
--import org.apache.commons.lang.StringUtils;
- import org.mozilla.jss.crypto.X509Certificate;
-
- import com.netscape.certsrv.dbs.certdb.CertId;
-@@ -41,27 +40,10 @@ public class ClientCLI extends CLI {
- addModule(new ClientFindCertCLI(this));
- addModule(new ClientImportCertCLI(this));
- addModule(new ClientRemoveCertCLI(this));
-- }
--
-- public void printHelp() {
--
-- System.out.println("Commands:");
--
-- int leftPadding = 1;
-- int rightPadding = 25;
-
-- for (CLI module : modules.values()) {
-- String label = name + "-" + module.getName();
--
-- int padding = rightPadding - leftPadding - label.length();
-- if (padding < 1)
-- padding = 1;
--
-- System.out.print(StringUtils.repeat(" ", leftPadding));
-- System.out.print(label);
-- System.out.print(StringUtils.repeat(" ", padding));
-- System.out.println(module.getDescription());
-- }
-+ addModule(new ClientCertFindCLI(this));
-+ addModule(new ClientCertImportCLI(this));
-+ addModule(new ClientCertRemoveCLI(this));
- }
-
- public void execute(String[] args) throws Exception {
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java
-new file mode 100644
-index 0000000..c4e1aca
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertFindCLI.java
-@@ -0,0 +1,89 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.client;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.mozilla.jss.crypto.X509Certificate;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class ClientCertFindCLI extends CLI {
-+
-+ public ClientCLI parent;
-+
-+ public ClientCertFindCLI(String name, ClientCLI parent) {
-+ super(name, "Find certificates in client security database");
-+ this.parent = parent;
-+ }
-+
-+ public ClientCertFindCLI(ClientCLI parent) {
-+ this("cert-find", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ options.addOption(null, "ca", false, "Find CA certificates only");
-+
-+ CommandLine cmd = null;
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ X509Certificate[] certs;
-+ if (cmd.hasOption("ca")) {
-+ certs = parent.parent.client.getCACerts();
-+ } else {
-+ certs = parent.parent.client.getCerts();
-+ }
-+
-+ if (certs == null || certs.length == 0) {
-+ MainCLI.printMessage("No certificates found");
-+ System.exit(0); // valid result
-+ }
-+
-+ MainCLI.printMessage(certs.length + " certificate(s) found");
-+
-+ boolean first = true;
-+
-+ for (X509Certificate cert : certs) {
-+ if (first) {
-+ first = false;
-+ } else {
-+ System.out.println();
-+ }
-+
-+ ClientCLI.printCertInfo(cert);
-+ }
-+
-+ MainCLI.printMessage("Number of entries returned " + certs.length);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
-new file mode 100644
-index 0000000..ffd68d9
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
-@@ -0,0 +1,124 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.client;
-+
-+import java.io.File;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+import org.apache.commons.io.FileUtils;
-+import org.mozilla.jss.crypto.X509Certificate;
-+
-+import com.netscape.certsrv.client.ClientConfig;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class ClientCertImportCLI extends CLI {
-+
-+ public ClientCLI parent;
-+
-+ public ClientCertImportCLI(String name, ClientCLI parent) {
-+ super(name, "Import certificate into client security database");
-+ this.parent = parent;
-+ }
-+
-+ public ClientCertImportCLI(ClientCLI parent) {
-+ this("cert-import", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "cert", true, "Import certificate file");
-+ option.setArgName("path");
-+ options.addOption(option);
-+
-+ option = new Option(null, "ca-cert", true, "Import CA certificate file");
-+ option.setArgName("path");
-+ options.addOption(option);
-+
-+ options.addOption(null, "ca-server", false, "Import CA certificate from CA server");
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ byte[] bytes = null;
-+ X509Certificate cert = null;
-+
-+ String certPath = cmd.getOptionValue("cert");
-+ String caCertPath = cmd.getOptionValue("ca-cert");
-+ boolean importFromCAServer = cmd.hasOption("ca-server");
-+
-+ boolean isCACert = false;
-+
-+ // load the certificate
-+ if (certPath != null) {
-+ if (verbose) System.out.println("Loading certificate from " + certPath + ".");
-+ bytes = FileUtils.readFileToByteArray(new File(certPath));
-+
-+
-+ } else if (caCertPath != null) {
-+ if (verbose) System.out.println("Loading CA certificate from " + caCertPath + ".");
-+ bytes = FileUtils.readFileToByteArray(new File(caCertPath));
-+
-+ isCACert = true;
-+
-+ } else if (importFromCAServer) {
-+ ClientConfig config = parent.parent.config;
-+ String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca";
-+
-+ if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + ".");
-+ bytes = parent.parent.client.downloadCACertChain(caServerURI);
-+
-+ isCACert = true;
-+
-+ } else {
-+ System.err.println("Error: Missing certificate to import");
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ // import the certificate
-+ if (isCACert) {
-+ if (verbose) System.out.println("Importing CA certificate.");
-+ cert = parent.parent.client.importCACertPackage(bytes);
-+
-+ } else {
-+ if (verbose) System.out.println("Importing certificate.");
-+ cert = parent.parent.client.importCertPackage(bytes, parent.parent.client.config.getCertNickname());
-+ }
-+
-+ MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\"");
-+ ClientCLI.printCertInfo(cert);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java
-new file mode 100644
-index 0000000..2c05446
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRemoveCLI.java
-@@ -0,0 +1,70 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.client;
-+
-+import org.apache.commons.cli.CommandLine;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class ClientCertRemoveCLI extends CLI {
-+
-+ public ClientCLI parent;
-+
-+ public ClientCertRemoveCLI(String name, ClientCLI parent) {
-+ super(name, "Remove certificate from client security database");
-+ this.parent = parent;
-+ }
-+
-+ public ClientCertRemoveCLI(ClientCLI parent) {
-+ this("cert-del", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <nickname>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ CommandLine cmd = null;
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 1) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String nickname = cmdArgs[0];
-+ parent.parent.client.removeCert(nickname);
-+
-+ MainCLI.printMessage("Removed certificate \"" + nickname + "\"");
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java
-index 80690b7..379e95a 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientFindCertCLI.java
-@@ -18,68 +18,14 @@
-
- package com.netscape.cmstools.client;
-
--import org.apache.commons.cli.CommandLine;
--import org.mozilla.jss.crypto.X509Certificate;
--
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class ClientFindCertCLI extends CLI {
--
-- public ClientCLI parent;
-+@Deprecated
-+public class ClientFindCertCLI extends ClientCertFindCLI {
-
- public ClientFindCertCLI(ClientCLI parent) {
-- super("find-cert", "Find certificates in client security database");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options);
-+ super("find-cert", parent);
- }
--
-- public void execute(String[] args) throws Exception {
--
-- options.addOption(null, "ca", false, "Find CA certificates only");
--
-- CommandLine cmd = null;
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- X509Certificate[] certs;
-- if (cmd.hasOption("ca")) {
-- certs = parent.parent.client.getCACerts();
-- } else {
-- certs = parent.parent.client.getCerts();
-- }
--
-- if (certs == null || certs.length == 0) {
-- MainCLI.printMessage("No certificates found");
-- System.exit(0); // valid result
-- }
--
-- MainCLI.printMessage(certs.length + " certificate(s) found");
--
-- boolean first = true;
--
-- for (X509Certificate cert : certs) {
-- if (first) {
-- first = false;
-- } else {
-- System.out.println();
-- }
--
-- ClientCLI.printCertInfo(cert);
-- }
--
-- MainCLI.printMessage("Number of entries returned " + certs.length);
-- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java
-index e89f954..db0736d 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientImportCertCLI.java
-@@ -18,103 +18,14 @@
-
- package com.netscape.cmstools.client;
-
--import java.io.File;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--import org.apache.commons.io.FileUtils;
--import org.mozilla.jss.crypto.X509Certificate;
--
--import com.netscape.certsrv.client.ClientConfig;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class ClientImportCertCLI extends CLI {
--
-- public ClientCLI parent;
-+@Deprecated
-+public class ClientImportCertCLI extends ClientCertImportCLI {
-
- public ClientImportCertCLI(ClientCLI parent) {
-- super("import-cert", "Import certificate into client security database");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " [OPTIONS]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "cert", true, "Import certificate file");
-- option.setArgName("path");
-- options.addOption(option);
--
-- option = new Option(null, "ca-cert", true, "Import CA certificate file");
-- option.setArgName("path");
-- options.addOption(option);
--
-- options.addOption(null, "ca-server", false, "Import CA certificate from CA server");
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- byte[] bytes = null;
-- X509Certificate cert = null;
--
-- String certPath = cmd.getOptionValue("cert");
-- String caCertPath = cmd.getOptionValue("ca-cert");
-- boolean importFromCAServer = cmd.hasOption("ca-server");
--
-- boolean isCACert = false;
--
-- // load the certificate
-- if (certPath != null) {
-- if (verbose) System.out.println("Loading certificate from " + certPath + ".");
-- bytes = FileUtils.readFileToByteArray(new File(certPath));
--
--
-- } else if (caCertPath != null) {
-- if (verbose) System.out.println("Loading CA certificate from " + caCertPath + ".");
-- bytes = FileUtils.readFileToByteArray(new File(caCertPath));
--
-- isCACert = true;
--
-- } else if (importFromCAServer) {
-- ClientConfig config = parent.parent.config;
-- String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca";
--
-- if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + ".");
-- bytes = parent.parent.client.downloadCACertChain(caServerURI);
--
-- isCACert = true;
--
-- } else {
-- System.err.println("Error: Missing certificate to import");
-- printHelp();
-- System.exit(1);
-- }
--
-- // import the certificate
-- if (isCACert) {
-- if (verbose) System.out.println("Importing CA certificate.");
-- cert = parent.parent.client.importCACertPackage(bytes);
--
-- } else {
-- if (verbose) System.out.println("Importing certificate.");
-- cert = parent.parent.client.importCertPackage(bytes, parent.parent.client.config.getCertNickname());
-- }
--
-- MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\"");
-- ClientCLI.printCertInfo(cert);
-+ super("import-cert", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java
-index fab4296..2b217ac 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientRemoveCertCLI.java
-@@ -18,49 +18,14 @@
-
- package com.netscape.cmstools.client;
-
--import org.apache.commons.cli.CommandLine;
--
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class ClientRemoveCertCLI extends CLI {
--
-- public ClientCLI parent;
-+@Deprecated
-+public class ClientRemoveCertCLI extends ClientCertRemoveCLI {
-
- public ClientRemoveCertCLI(ClientCLI parent) {
-- super("remove-cert", "Remove certificate from client security database");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <nickname>", options);
-+ super("remove-cert", parent);
- }
--
-- public void execute(String[] args) throws Exception {
--
-- CommandLine cmd = null;
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 1) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String nickname = cmdArgs[0];
-- parent.parent.client.removeCert(nickname);
--
-- MainCLI.printMessage("Removed certificate \"" + nickname + "\"");
-- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java
-index 36d3c06..a761853 100644
---- a/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupAddMemberCLI.java
-@@ -18,40 +18,14 @@
-
- package com.netscape.cmstools.group;
-
--import com.netscape.certsrv.group.GroupMemberData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class GroupAddMemberCLI extends CLI {
--
-- public GroupCLI parent;
-+@Deprecated
-+public class GroupAddMemberCLI extends GroupMemberAddCLI {
-
- public GroupAddMemberCLI(GroupCLI parent) {
-- super("add-member", "Add group member");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String groupID = args[0];
-- String memberID = args[1];
--
-- GroupMemberData groupMemberData = parent.client.addGroupMember(groupID, memberID);
--
-- MainCLI.printMessage("Added group member \""+memberID+"\"");
--
-- GroupCLI.printGroupMember(groupMemberData);
-+ super("add-member", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
-index bd8cec7..bc4d573 100644
---- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
-@@ -51,26 +51,11 @@ public class GroupCLI extends CLI {
- addModule(new GroupShowMemberCLI(this));
- addModule(new GroupAddMemberCLI(this));
- addModule(new GroupRemoveMemberCLI(this));
-- }
--
-- public void printHelp() {
--
-- System.out.println("Commands:");
--
-- int leftPadding = 1;
-- int rightPadding = 25;
-
-- for (CLI module : modules.values()) {
-- String label = name+"-"+module.getName();
--
-- int padding = rightPadding - leftPadding - label.length();
-- if (padding < 1) padding = 1;
--
-- System.out.print(StringUtils.repeat(" ", leftPadding));
-- System.out.print(label);
-- System.out.print(StringUtils.repeat(" ", padding));
-- System.out.println(module.getDescription());
-- }
-+ addModule(new GroupMemberFindCLI(this));
-+ addModule(new GroupMemberShowCLI(this));
-+ addModule(new GroupMemberAddCLI(this));
-+ addModule(new GroupMemberRemoveCLI(this));
- }
-
- public void execute(String[] args) throws Exception {
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java
-index f0498f0..4850910 100644
---- a/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupFindMemberCLI.java
-@@ -18,87 +18,14 @@
-
- package com.netscape.cmstools.group;
-
--import java.util.Collection;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--
--import com.netscape.certsrv.group.GroupMemberCollection;
--import com.netscape.certsrv.group.GroupMemberData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class GroupFindMemberCLI extends CLI {
--
-- public GroupCLI parent;
-+@Deprecated
-+public class GroupFindMemberCLI extends GroupMemberFindCLI {
-
- public GroupFindMemberCLI(GroupCLI parent) {
-- super("find-member", "Find group members");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <Group ID> [OPTIONS...]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "start", true, "Page start");
-- option.setArgName("start");
-- options.addOption(option);
--
-- option = new Option(null, "size", true, "Page size");
-- option.setArgName("size");
-- options.addOption(option);
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 1) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String groupID = cmdArgs[0];
--
-- String s = cmd.getOptionValue("start");
-- Integer start = s == null ? null : Integer.valueOf(s);
--
-- s = cmd.getOptionValue("size");
-- Integer size = s == null ? null : Integer.valueOf(s);
--
-- GroupMemberCollection response = parent.client.findGroupMembers(groupID, start, size);
--
-- Collection<GroupMemberData> entries = response.getMembers();
--
-- MainCLI.printMessage(entries.size()+" group member(s) matched");
--
-- boolean first = true;
--
-- for (GroupMemberData groupMemberData : entries) {
--
-- if (first) {
-- first = false;
-- } else {
-- System.out.println();
-- }
--
-- GroupCLI.printGroupMember(groupMemberData);
-- }
--
-- MainCLI.printMessage("Number of entries returned "+entries.size());
-+ super("find-member", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java
-new file mode 100644
-index 0000000..5945e21
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberAddCLI.java
-@@ -0,0 +1,61 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.group;
-+
-+import com.netscape.certsrv.group.GroupMemberData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class GroupMemberAddCLI extends CLI {
-+
-+ public GroupCLI parent;
-+
-+ public GroupMemberAddCLI(String name, GroupCLI parent) {
-+ super(name, "Add group member");
-+ this.parent = parent;
-+ }
-+
-+ public GroupMemberAddCLI(GroupCLI parent) {
-+ this("member-add", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String groupID = args[0];
-+ String memberID = args[1];
-+
-+ GroupMemberData groupMemberData = parent.client.addGroupMember(groupID, memberID);
-+
-+ MainCLI.printMessage("Added group member \""+memberID+"\"");
-+
-+ GroupCLI.printGroupMember(groupMemberData);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java
-new file mode 100644
-index 0000000..c36d041
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberFindCLI.java
-@@ -0,0 +1,108 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.group;
-+
-+import java.util.Collection;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+
-+import com.netscape.certsrv.group.GroupMemberCollection;
-+import com.netscape.certsrv.group.GroupMemberData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class GroupMemberFindCLI extends CLI {
-+
-+ public GroupCLI parent;
-+
-+ public GroupMemberFindCLI(String name, GroupCLI parent) {
-+ super(name, "Find group members");
-+ this.parent = parent;
-+ }
-+
-+ public GroupMemberFindCLI(GroupCLI parent) {
-+ this("member-find", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <Group ID> [OPTIONS...]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "start", true, "Page start");
-+ option.setArgName("start");
-+ options.addOption(option);
-+
-+ option = new Option(null, "size", true, "Page size");
-+ option.setArgName("size");
-+ options.addOption(option);
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 1) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String groupID = cmdArgs[0];
-+
-+ String s = cmd.getOptionValue("start");
-+ Integer start = s == null ? null : Integer.valueOf(s);
-+
-+ s = cmd.getOptionValue("size");
-+ Integer size = s == null ? null : Integer.valueOf(s);
-+
-+ GroupMemberCollection response = parent.client.findGroupMembers(groupID, start, size);
-+
-+ Collection<GroupMemberData> entries = response.getMembers();
-+
-+ MainCLI.printMessage(entries.size()+" group member(s) matched");
-+
-+ boolean first = true;
-+
-+ for (GroupMemberData groupMemberData : entries) {
-+
-+ if (first) {
-+ first = false;
-+ } else {
-+ System.out.println();
-+ }
-+
-+ GroupCLI.printGroupMember(groupMemberData);
-+ }
-+
-+ MainCLI.printMessage("Number of entries returned "+entries.size());
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java
-new file mode 100644
-index 0000000..db85822
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberRemoveCLI.java
-@@ -0,0 +1,58 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.group;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class GroupMemberRemoveCLI extends CLI {
-+
-+ public GroupCLI parent;
-+
-+ public GroupMemberRemoveCLI(String name, GroupCLI parent) {
-+ super(name, "Remove group member");
-+ this.parent = parent;
-+ }
-+
-+ public GroupMemberRemoveCLI(GroupCLI parent) {
-+ this("member-del", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String groupID = args[0];
-+ String memberID = args[1];
-+
-+ parent.client.removeGroupMember(groupID, memberID);
-+
-+ MainCLI.printMessage("Deleted group member \""+memberID+"\"");
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java
-new file mode 100644
-index 0000000..214f71d
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupMemberShowCLI.java
-@@ -0,0 +1,61 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.group;
-+
-+import com.netscape.certsrv.group.GroupMemberData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class GroupMemberShowCLI extends CLI {
-+
-+ public GroupCLI parent;
-+
-+ public GroupMemberShowCLI(String name, GroupCLI parent) {
-+ super(name, "Show group member");
-+ this.parent = parent;
-+ }
-+
-+ public GroupMemberShowCLI(GroupCLI parent) {
-+ this("member-show", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String groupID = args[0];
-+ String memberID = args[1];
-+
-+ GroupMemberData groupMemberData = parent.client.getGroupMember(groupID, memberID);
-+
-+ MainCLI.printMessage("Group member \""+memberID+"\"");
-+
-+ GroupCLI.printGroupMember(groupMemberData);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java
-index c12cc89..9672488 100644
---- a/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupRemoveMemberCLI.java
-@@ -18,37 +18,14 @@
-
- package com.netscape.cmstools.group;
-
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class GroupRemoveMemberCLI extends CLI {
--
-- public GroupCLI parent;
-+@Deprecated
-+public class GroupRemoveMemberCLI extends GroupMemberRemoveCLI {
-
- public GroupRemoveMemberCLI(GroupCLI parent) {
-- super("remove-member", "Remove group member");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String groupID = args[0];
-- String memberID = args[1];
--
-- parent.client.removeGroupMember(groupID, memberID);
--
-- MainCLI.printMessage("Deleted group member \""+memberID+"\"");
-+ super("remove-member", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java
-index 47ca43c..6e493d3 100644
---- a/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupShowMemberCLI.java
-@@ -18,40 +18,14 @@
-
- package com.netscape.cmstools.group;
-
--import com.netscape.certsrv.group.GroupMemberData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class GroupShowMemberCLI extends CLI {
--
-- public GroupCLI parent;
-+@Deprecated
-+public class GroupShowMemberCLI extends GroupMemberShowCLI {
-
- public GroupShowMemberCLI(GroupCLI parent) {
-- super("show-member", "Show group member");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <Group ID> <Member ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String groupID = args[0];
-- String memberID = args[1];
--
-- GroupMemberData groupMemberData = parent.client.getGroupMember(groupID, memberID);
--
-- MainCLI.printMessage("Group member \""+memberID+"\"");
--
-- GroupCLI.printGroupMember(groupMemberData);
-+ super("show-member", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java
-index 7bec2ff..528d39c 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserAddCertCLI.java
-@@ -18,80 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import java.io.File;
--import java.util.Scanner;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--
--import com.netscape.certsrv.user.UserCertData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserAddCertCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserAddCertCLI extends UserCertAddCLI {
-
- public UserAddCertCLI(UserCLI parent) {
-- super("add-cert", "Add user cert");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "input", true, "Input file");
-- option.setArgName("file");
-- option.setRequired(true);
-- options.addOption(option);
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 1) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userId = cmdArgs[0];
-- String file = cmd.getOptionValue("input");
--
-- // get cert from file
-- if (verbose) {
-- System.out.println("Reading cert from "+file+".");
-- }
-- String encoded = new Scanner(new File(file)).useDelimiter("\\A").next();
-- if (verbose) {
-- System.out.println(encoded);
-- }
--
-- UserCertData userCertData = new UserCertData();
-- userCertData.setEncoded(encoded);
--
-- if (verbose) {
-- System.out.println(userCertData);
-- }
--
-- userCertData = parent.client.addUserCert(userId, userCertData);
--
-- MainCLI.printMessage("Added certificate \"" + userCertData.getID() + "\"");
--
-- UserCLI.printCert(userCertData, false, false);
-+ super("add-cert", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java
-index 224f226..43a55ea 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java
-@@ -18,40 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import com.netscape.certsrv.user.UserMembershipData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserAddMembershipCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserAddMembershipCLI extends UserMembershipAddCLI {
-
- public UserAddMembershipCLI(UserCLI parent) {
-- super("add-membership", "Add user membership");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> <Group ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = args[0];
-- String groupID = args[1];
--
-- UserMembershipData userMembershipData = parent.client.addUserMembership(userID, groupID);
--
-- MainCLI.printMessage("Added membership in \""+groupID+"\"");
--
-- UserCLI.printUserMembership(userMembershipData);
-+ super("add-membership", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
-index 2343d19..be404b8 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
-@@ -53,30 +53,18 @@ public class UserCLI extends CLI {
- addModule(new UserAddCertCLI(this));
- addModule(new UserRemoveCertCLI(this));
-
-+ addModule(new UserCertFindCLI(this));
-+ addModule(new UserCertShowCLI(this));
-+ addModule(new UserCertAddCLI(this));
-+ addModule(new UserCertRemoveCLI(this));
-+
- addModule(new UserFindMembershipCLI(this));
- addModule(new UserAddMembershipCLI(this));
- addModule(new UserRemoveMembershipCLI(this));
-- }
--
-- public void printHelp() {
--
-- System.out.println("Commands:");
-
-- int leftPadding = 1;
-- int rightPadding = 25;
--
-- for (CLI module : modules.values()) {
-- String label = name + "-" + module.getName();
--
-- int padding = rightPadding - leftPadding - label.length();
-- if (padding < 1)
-- padding = 1;
--
-- System.out.print(StringUtils.repeat(" ", leftPadding));
-- System.out.print(label);
-- System.out.print(StringUtils.repeat(" ", padding));
-- System.out.println(module.getDescription());
-- }
-+ addModule(new UserMembershipFindCLI(this));
-+ addModule(new UserMembershipAddCLI(this));
-+ addModule(new UserMembershipRemoveCLI(this));
- }
-
- public void execute(String[] args) throws Exception {
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
-new file mode 100644
-index 0000000..6e2e5cc
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
-@@ -0,0 +1,105 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import java.io.File;
-+import java.util.Scanner;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+
-+import com.netscape.certsrv.user.UserCertData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserCertAddCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserCertAddCLI(String name, UserCLI parent) {
-+ super(name, "Add user cert");
-+ this.parent = parent;
-+ }
-+
-+ public UserCertAddCLI(UserCLI parent) {
-+ this("cert-add", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "input", true, "Input file");
-+ option.setArgName("file");
-+ option.setRequired(true);
-+ options.addOption(option);
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 1) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userId = cmdArgs[0];
-+ String file = cmd.getOptionValue("input");
-+
-+ // get cert from file
-+ if (verbose) {
-+ System.out.println("Reading cert from "+file+".");
-+ }
-+
-+ UserCertData userCertData = new UserCertData();
-+
-+ try (Scanner scanner = new Scanner(new File(file))) {
-+ String encoded = scanner.useDelimiter("\\A").next();
-+ if (verbose) {
-+ System.out.println(encoded);
-+ }
-+
-+ userCertData.setEncoded(encoded);
-+ }
-+
-+ if (verbose) {
-+ System.out.println(userCertData);
-+ }
-+
-+ userCertData = parent.client.addUserCert(userId, userCertData);
-+
-+ MainCLI.printMessage("Added certificate \"" + userCertData.getID() + "\"");
-+
-+ UserCLI.printCert(userCertData, false, false);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java
-new file mode 100644
-index 0000000..c0c85a0
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertFindCLI.java
-@@ -0,0 +1,108 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import java.util.Collection;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+
-+import com.netscape.certsrv.user.UserCertCollection;
-+import com.netscape.certsrv.user.UserCertData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserCertFindCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserCertFindCLI(String name, UserCLI parent) {
-+ super(name, "Find user certs");
-+ this.parent = parent;
-+ }
-+
-+ public UserCertFindCLI(UserCLI parent) {
-+ this("cert-find", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "start", true, "Page start");
-+ option.setArgName("start");
-+ options.addOption(option);
-+
-+ option = new Option(null, "size", true, "Page size");
-+ option.setArgName("size");
-+ options.addOption(option);
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 1) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = cmdArgs[0];
-+
-+ String s = cmd.getOptionValue("start");
-+ Integer start = s == null ? null : Integer.valueOf(s);
-+
-+ s = cmd.getOptionValue("size");
-+ Integer size = s == null ? null : Integer.valueOf(s);
-+
-+ UserCertCollection response = parent.client.findUserCerts(userID, start, size);
-+
-+ Collection<UserCertData> entries = response.getCerts();
-+
-+ MainCLI.printMessage(entries.size() + " user cert(s) matched");
-+
-+ boolean first = true;
-+
-+ for (UserCertData userCertData : entries) {
-+
-+ if (first) {
-+ first = false;
-+ } else {
-+ System.out.println();
-+ }
-+
-+ UserCLI.printCert(userCertData, false, false);
-+ }
-+
-+ MainCLI.printMessage("Number of entries returned " + entries.size());
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java
-new file mode 100644
-index 0000000..503e137
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertRemoveCLI.java
-@@ -0,0 +1,65 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import java.net.URLEncoder;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserCertRemoveCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserCertRemoveCLI(String name, UserCLI parent) {
-+ super(name, "Remove user cert");
-+ this.parent = parent;
-+ }
-+
-+ public UserCertRemoveCLI(UserCLI parent) {
-+ this("cert-del", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> <Cert ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = args[0];
-+ String certID = args[1];
-+
-+ if (verbose) {
-+ System.out.println("Removing cert "+certID+" from user "+userID+".");
-+ }
-+
-+ parent.client.removeUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
-+
-+ MainCLI.printMessage("Deleted certificate \"" + certID + "\"");
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java
-new file mode 100644
-index 0000000..fcf5159
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertShowCLI.java
-@@ -0,0 +1,100 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2012 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import java.io.FileWriter;
-+import java.io.PrintWriter;
-+import java.net.URLEncoder;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+
-+import com.netscape.certsrv.user.UserCertData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserCertShowCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserCertShowCLI(String name, UserCLI parent) {
-+ super(name, "Show user cert");
-+ this.parent = parent;
-+ }
-+
-+ public UserCertShowCLI(UserCLI parent) {
-+ this("cert-show", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> <Cert ID> [OPTIONS...]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "output", true, "Output file");
-+ option.setArgName("file");
-+ options.addOption(option);
-+
-+ options.addOption(null, "pretty", false, "Pretty print");
-+ options.addOption(null, "encoded", false, "Base-64 encoded");
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ boolean showPrettyPrint = cmd.hasOption("pretty");
-+ boolean showEncoded = cmd.hasOption("encoded");
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = cmdArgs[0];
-+ String certID = cmdArgs[1];
-+ String file = cmd.getOptionValue("output");
-+
-+ UserCertData userCertData = parent.client.getUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
-+
-+ String encoded = userCertData.getEncoded();
-+ if (encoded != null && file != null) {
-+ // store cert to file
-+ PrintWriter out = new PrintWriter(new FileWriter(file));
-+ out.print(encoded);
-+ out.close();
-+ }
-+
-+ MainCLI.printMessage("Certificate \"" + userCertData.getID() + "\"");
-+
-+ UserCLI.printCert(userCertData, showPrettyPrint, showEncoded);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java
-index 08f6879..baf73c9 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserFindCertCLI.java
-@@ -18,87 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import java.util.Collection;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--
--import com.netscape.certsrv.user.UserCertCollection;
--import com.netscape.certsrv.user.UserCertData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserFindCertCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserFindCertCLI extends UserCertFindCLI {
-
- public UserFindCertCLI(UserCLI parent) {
-- super("find-cert", "Find user certs");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "start", true, "Page start");
-- option.setArgName("start");
-- options.addOption(option);
--
-- option = new Option(null, "size", true, "Page size");
-- option.setArgName("size");
-- options.addOption(option);
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 1) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = cmdArgs[0];
--
-- String s = cmd.getOptionValue("start");
-- Integer start = s == null ? null : Integer.valueOf(s);
--
-- s = cmd.getOptionValue("size");
-- Integer size = s == null ? null : Integer.valueOf(s);
--
-- UserCertCollection response = parent.client.findUserCerts(userID, start, size);
--
-- Collection<UserCertData> entries = response.getCerts();
--
-- MainCLI.printMessage(entries.size() + " user cert(s) matched");
--
-- boolean first = true;
--
-- for (UserCertData userCertData : entries) {
--
-- if (first) {
-- first = false;
-- } else {
-- System.out.println();
-- }
--
-- UserCLI.printCert(userCertData, false, false);
-- }
--
-- MainCLI.printMessage("Number of entries returned " + entries.size());
-+ super("find-cert", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java
-index 494c3c3..24fb9ca 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserFindMembershipCLI.java
-@@ -18,87 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import java.util.Collection;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--
--import com.netscape.certsrv.user.UserMembershipCollection;
--import com.netscape.certsrv.user.UserMembershipData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserFindMembershipCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserFindMembershipCLI extends UserMembershipFindCLI {
-
- public UserFindMembershipCLI(UserCLI parent) {
-- super("find-membership", "Find user memberships");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "start", true, "Page start");
-- option.setArgName("start");
-- options.addOption(option);
--
-- option = new Option(null, "size", true, "Page size");
-- option.setArgName("size");
-- options.addOption(option);
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 1) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = cmdArgs[0];
--
-- String s = cmd.getOptionValue("start");
-- Integer start = s == null ? null : Integer.valueOf(s);
--
-- s = cmd.getOptionValue("size");
-- Integer size = s == null ? null : Integer.valueOf(s);
--
-- UserMembershipCollection response = parent.client.findUserMemberships(userID, start, size);
--
-- Collection<UserMembershipData> entries = response.getMemberships();
--
-- MainCLI.printMessage(entries.size()+" membership(s) matched");
--
-- boolean first = true;
--
-- for (UserMembershipData userMembershipData : entries) {
--
-- if (first) {
-- first = false;
-- } else {
-- System.out.println();
-- }
--
-- UserCLI.printUserMembership(userMembershipData);
-- }
--
-- MainCLI.printMessage("Number of entries returned "+entries.size());
-+ super("find-membership", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java
-new file mode 100644
-index 0000000..44cb578
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipAddCLI.java
-@@ -0,0 +1,61 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import com.netscape.certsrv.user.UserMembershipData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserMembershipAddCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserMembershipAddCLI(String name, UserCLI parent) {
-+ super(name, "Add user membership");
-+ this.parent = parent;
-+ }
-+
-+ public UserMembershipAddCLI(UserCLI parent) {
-+ this("membership-add", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> <Group ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = args[0];
-+ String groupID = args[1];
-+
-+ UserMembershipData userMembershipData = parent.client.addUserMembership(userID, groupID);
-+
-+ MainCLI.printMessage("Added membership in \""+groupID+"\"");
-+
-+ UserCLI.printUserMembership(userMembershipData);
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java
-new file mode 100644
-index 0000000..beca5f4
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipFindCLI.java
-@@ -0,0 +1,108 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import java.util.Collection;
-+
-+import org.apache.commons.cli.CommandLine;
-+import org.apache.commons.cli.Option;
-+
-+import com.netscape.certsrv.user.UserMembershipCollection;
-+import com.netscape.certsrv.user.UserMembershipData;
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserMembershipFindCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserMembershipFindCLI(String name, UserCLI parent) {
-+ super(name, "Find user memberships");
-+ this.parent = parent;
-+ }
-+
-+ public UserMembershipFindCLI(UserCLI parent) {
-+ this("membership-find", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> [OPTIONS...]", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ Option option = new Option(null, "start", true, "Page start");
-+ option.setArgName("start");
-+ options.addOption(option);
-+
-+ option = new Option(null, "size", true, "Page size");
-+ option.setArgName("size");
-+ options.addOption(option);
-+
-+ CommandLine cmd = null;
-+
-+ try {
-+ cmd = parser.parse(options, args);
-+
-+ } catch (Exception e) {
-+ System.err.println("Error: " + e.getMessage());
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String[] cmdArgs = cmd.getArgs();
-+
-+ if (cmdArgs.length != 1) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = cmdArgs[0];
-+
-+ String s = cmd.getOptionValue("start");
-+ Integer start = s == null ? null : Integer.valueOf(s);
-+
-+ s = cmd.getOptionValue("size");
-+ Integer size = s == null ? null : Integer.valueOf(s);
-+
-+ UserMembershipCollection response = parent.client.findUserMemberships(userID, start, size);
-+
-+ Collection<UserMembershipData> entries = response.getMemberships();
-+
-+ MainCLI.printMessage(entries.size()+" membership(s) matched");
-+
-+ boolean first = true;
-+
-+ for (UserMembershipData userMembershipData : entries) {
-+
-+ if (first) {
-+ first = false;
-+ } else {
-+ System.out.println();
-+ }
-+
-+ UserCLI.printUserMembership(userMembershipData);
-+ }
-+
-+ MainCLI.printMessage("Number of entries returned "+entries.size());
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java
-new file mode 100644
-index 0000000..ba43b05
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserMembershipRemoveCLI.java
-@@ -0,0 +1,58 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2013 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.user;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+/**
-+ * @author Endi S. Dewata
-+ */
-+public class UserMembershipRemoveCLI extends CLI {
-+
-+ public UserCLI parent;
-+
-+ public UserMembershipRemoveCLI(String name, UserCLI parent) {
-+ super(name, "Remove user membership");
-+ this.parent = parent;
-+ }
-+
-+ public UserMembershipRemoveCLI(UserCLI parent) {
-+ this("membership-del", parent);
-+ }
-+
-+ public void printHelp() {
-+ formatter.printHelp(parent.name + "-" + name + " <User ID> <Group ID>", options);
-+ }
-+
-+ public void execute(String[] args) throws Exception {
-+
-+ if (args.length != 2) {
-+ printHelp();
-+ System.exit(1);
-+ }
-+
-+ String userID = args[0];
-+ String groupID = args[1];
-+
-+ parent.client.removeUserMembership(userID, groupID);
-+
-+ MainCLI.printMessage("Deleted membership in group \""+groupID+"\"");
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java
-index 264458b..58fd57e 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveCertCLI.java
-@@ -18,44 +18,15 @@
-
- package com.netscape.cmstools.user;
-
--import java.net.URLEncoder;
--
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
-
- /**
- * @author Endi S. Dewata
- */
--public class UserRemoveCertCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserRemoveCertCLI extends UserCertRemoveCLI {
-
- public UserRemoveCertCLI(UserCLI parent) {
-- super("remove-cert", "Remove user cert");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> <Cert ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = args[0];
-- String certID = args[1];
--
-- if (verbose) {
-- System.out.println("Removing cert "+certID+" from user "+userID+".");
-- }
--
-- parent.client.removeUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
--
-- MainCLI.printMessage("Deleted certificate \"" + certID + "\"");
-+ super("remove-cert", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java
-index 26a5a6e..4cafcec 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java
-@@ -18,37 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserRemoveMembershipCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserRemoveMembershipCLI extends UserMembershipRemoveCLI {
-
- public UserRemoveMembershipCLI(UserCLI parent) {
-- super("remove-membership", "Remove user membership");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> <Group ID>", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- if (args.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = args[0];
-- String groupID = args[1];
--
-- parent.client.removeUserMembership(userID, groupID);
--
-- MainCLI.printMessage("Deleted membership in group \""+groupID+"\"");
-+ super("remove-membership", parent);
- }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java
-index f30c723..5177281 100644
---- a/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/user/UserShowCertCLI.java
-@@ -18,79 +18,14 @@
-
- package com.netscape.cmstools.user;
-
--import java.io.FileWriter;
--import java.io.PrintWriter;
--import java.net.URLEncoder;
--
--import org.apache.commons.cli.CommandLine;
--import org.apache.commons.cli.Option;
--
--import com.netscape.certsrv.user.UserCertData;
--import com.netscape.cmstools.cli.CLI;
--import com.netscape.cmstools.cli.MainCLI;
-
- /**
- * @author Endi S. Dewata
- */
--public class UserShowCertCLI extends CLI {
--
-- public UserCLI parent;
-+@Deprecated
-+public class UserShowCertCLI extends UserCertShowCLI {
-
- public UserShowCertCLI(UserCLI parent) {
-- super("show-cert", "Show user cert");
-- this.parent = parent;
-- }
--
-- public void printHelp() {
-- formatter.printHelp(parent.name + "-" + name + " <User ID> <Cert ID> [OPTIONS...]", options);
-- }
--
-- public void execute(String[] args) throws Exception {
--
-- Option option = new Option(null, "output", true, "Output file");
-- option.setArgName("file");
-- options.addOption(option);
--
-- options.addOption(null, "pretty", false, "Pretty print");
-- options.addOption(null, "encoded", false, "Base-64 encoded");
--
-- CommandLine cmd = null;
--
-- try {
-- cmd = parser.parse(options, args);
--
-- } catch (Exception e) {
-- System.err.println("Error: " + e.getMessage());
-- printHelp();
-- System.exit(1);
-- }
--
-- boolean showPrettyPrint = cmd.hasOption("pretty");
-- boolean showEncoded = cmd.hasOption("encoded");
--
-- String[] cmdArgs = cmd.getArgs();
--
-- if (cmdArgs.length != 2) {
-- printHelp();
-- System.exit(1);
-- }
--
-- String userID = cmdArgs[0];
-- String certID = cmdArgs[1];
-- String file = cmd.getOptionValue("output");
--
-- UserCertData userCertData = parent.client.getUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
--
-- String encoded = userCertData.getEncoded();
-- if (encoded != null && file != null) {
-- // store cert to file
-- PrintWriter out = new PrintWriter(new FileWriter(file));
-- out.print(encoded);
-- out.close();
-- }
--
-- MainCLI.printMessage("Certificate \"" + userCertData.getID() + "\"");
--
-- UserCLI.printCert(userCertData, showPrettyPrint, showEncoded);
-+ super("show-cert", parent);
- }
- }
---
-1.8.3.1
-
diff --git a/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch b/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch
deleted file mode 100644
index ac0feb9..0000000
--- a/SOURCES/0006-Added-new-link-for-resteasy-dependency.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From cbd26eee9194438627a7f0949bde9fa4f582ca8c Mon Sep 17 00:00:00 2001
-From: Ade Lee <alee@redhat.com>
-Date: Wed, 30 Oct 2013 17:03:15 -0400
-Subject: [PATCH 6/6] Added new link for resteasy dependency
-
- Resteasy 2.3.5 uses apache-commons-io. Not having a link to
- this jar results in IPA replica installs failing.
-
- Resolves: rhbz 1024679
----
- base/common/shared/conf/pki.policy | 4 ++++
- base/java-tools/pki | 1 +
- base/server/etc/default.cfg | 2 ++
- base/server/scripts/operations | 1 +
- base/server/src/scriptlets/instance_layout.py | 2 ++
- 5 files changed, 10 insertions(+)
-
-diff --git a/base/common/shared/conf/pki.policy b/base/common/shared/conf/pki.policy
-index 52e3d7f..df9157e 100644
---- a/base/common/shared/conf/pki.policy
-+++ b/base/common/shared/conf/pki.policy
-@@ -46,6 +46,10 @@ grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
- permission java.security.AllPermission;
- };
-
-+grant codeBase "file:/usr/share/java/apache-commons-io.jar" {
-+ permission java.security.AllPermission;
-+};
-+
- grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
- permission java.security.AllPermission;
- };
-diff --git a/base/java-tools/pki b/base/java-tools/pki
-index b7d9bfe..5821620 100755
---- a/base/java-tools/pki
-+++ b/base/java-tools/pki
-@@ -80,6 +80,7 @@ $ENV{CLASSPATH} = "/usr/share/java/${PRODUCT}/pki-certsrv.jar:"
- . "/usr/share/java/${PRODUCT}/pki-tools.jar:"
- . "/usr/share/java/apache-commons-cli.jar:"
- . "/usr/share/java/apache-commons-codec.jar:"
-+ . "/usr/share/java/apache-commons-io.jar:"
- . "/usr/share/java/apache-commons-lang.jar:"
- . "/usr/share/java/apache-commons-logging.jar:"
- . "/usr/share/java/commons-httpclient.jar:"
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index f4ad2be..8559b42 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -275,6 +275,7 @@ pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.
- pki_jss_jar=%(jni_jar_dir)s/jss4.jar
- pki_symkey_jar=%(jni_jar_dir)s/symkey.jar
- pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar
-+pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar
- pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar
- pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar
- pki_commons_codec_jar=/usr/share/java/commons-codec.jar
-@@ -304,6 +305,7 @@ pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar
- pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar
- pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar
- pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar
-+pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar
- pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar
- pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar
- pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar
-diff --git a/base/server/scripts/operations b/base/server/scripts/operations
-index 8a703d6..df89ea6 100644
---- a/base/server/scripts/operations
-+++ b/base/server/scripts/operations
-@@ -1197,6 +1197,7 @@ verify_symlinks()
- common_jar_symlinks=(
- [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
- [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
-+ [apache-commons-io.jar]=${java_dir}/apache-commons-io.jar
- [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
- [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
- [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
-diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py
-index 07ae03e..1f75de7 100644
---- a/base/server/src/scriptlets/instance_layout.py
-+++ b/base/server/src/scriptlets/instance_layout.py
-@@ -88,6 +88,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- # establish Tomcat instance common lib jar symbolic links
- util.symlink.create(master['pki_apache_commons_collections_jar'],
- master['pki_apache_commons_collections_jar_link'])
-+ util.symlink.create(master['pki_apache_commons_io_jar'],
-+ master['pki_apache_commons_io_jar_link'])
- util.symlink.create(master['pki_apache_commons_lang_jar'],
- master['pki_apache_commons_lang_jar_link'])
- util.symlink.create(master['pki_apache_commons_logging_jar'],
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.1.2-bz1151147.patch b/SOURCES/pki-core-10.1.2-bz1151147.patch
new file mode 100644
index 0000000..0585660
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1151147.patch
@@ -0,0 +1,308 @@
+From a8fe431dc77f03a8237ec0820c02c542762ecb9f Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 15 Oct 2014 10:30:31 -0700
+Subject: [PATCH] Bug1151147 issuerDN encoding correction
+
+---
+ base/ca/src/com/netscape/ca/CAService.java | 13 ++++++--
+ .../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++-
+ .../netscape/certsrv/ca/ICertificateAuthority.java | 5 +++
+ .../netscape/cms/profile/common/EnrollProfile.java | 16 +++++++--
+ .../com/netscape/cms/servlet/csadmin/CertUtil.java | 16 +++++++--
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java | 18 ++++++++--
+ .../src/netscape/security/x509/X509CertImpl.java | 8 +++++
+ .../src/netscape/security/x509/X509CertInfo.java | 8 +++++
+ 8 files changed, 114 insertions(+), 9 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
+index 1977850..6edaf2a 100644
+--- a/base/ca/src/com/netscape/ca/CAService.java
++++ b/base/ca/src/com/netscape/ca/CAService.java
+@@ -821,8 +821,17 @@ public class CAService implements ICAService, IService {
+ }
+
+ try {
+- certi.set(X509CertInfo.ISSUER,
+- new CertificateIssuerName(mCA.getX500Name()));
++ if (mCA.getIssuerObj() != null) {
++ // this ensures the isserDN has the same encoding as the
++ // subjectDN of the CA signing cert
++ CMS.debug("CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding");
++ certi.set(X509CertInfo.ISSUER,
++ mCA.getIssuerObj());
++ } else {
++ CMS.debug("CAService: issueX509Cert: mCA.getIssuerObj() is null, creating new CertificateIssuerName");
++ certi.set(X509CertInfo.ISSUER,
++ new CertificateIssuerName(mCA.getX500Name()));
++ }
+ } catch (CertificateException e) {
+ mCA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SET_ISSUER", e.toString()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_SET_ISSUER_FAILED", rid));
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index 73ce6df..6529611 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -43,6 +43,8 @@ import netscape.security.util.DerOutputStream;
+ import netscape.security.util.DerValue;
+ import netscape.security.x509.AlgorithmId;
+ import netscape.security.x509.CertificateChain;
++import netscape.security.x509.CertificateIssuerName;
++import netscape.security.x509.CertificateSubjectName;
+ import netscape.security.x509.CertificateVersion;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CRLImpl;
+@@ -143,6 +145,8 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
+ protected SigningUnit mOCSPSigningUnit;
+ protected SigningUnit mCRLSigningUnit;
+
++ protected CertificateIssuerName mIssuerObj = null;
++ protected CertificateSubjectName mSubjectObj = null;
+ protected X500Name mName = null;
+ protected X500Name mCRLName = null;
+ protected X500Name mOCSPName = null;
+@@ -888,6 +892,14 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
+ return mName;
+ }
+
++ public CertificateIssuerName getIssuerObj() {
++ return mIssuerObj;
++ }
++
++ public CertificateSubjectName getSubjectObj() {
++ return mSubjectObj;
++ }
++
+ public X500Name getCRLX500Name() {
+ return mCRLName;
+ }
+@@ -1199,6 +1211,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
+ IConfigStore caSigningCfg =
+ mConfig.getSubStore(PROP_SIGNING_SUBSTORE);
+
++ String caSigningCertStr = caSigningCfg.getString("cert", "");
++ if (caSigningCertStr.equals("")) {
++ CMS.debug("CertificateAuthority:initSigUnit: ca.signing.cert not found");
++ } else { //ca cert found
++ CMS.debug("CertificateAuthority:initSigUnit: ca cert found");
++ mCaCert = new X509CertImpl(CMS.AtoB(caSigningCertStr));
++ // this ensures the isserDN and subjectDN have the same encoding
++ // as that of the CA signing cert
++ CMS.debug("CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj");
++ mSubjectObj = mCaCert.getSubjectObj();
++ // this mIssuerObj is the "issuerDN" obj for the certs this CA
++ // issues, NOT necessarily the isserDN obj of the CA signing cert
++ mIssuerObj = new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
++ }
++
+ mSigningUnit.init(this, caSigningCfg);
+ CMS.debug("CA signing unit inited");
+
+@@ -1295,11 +1322,21 @@ public class CertificateAuthority implements ICertificateAuthority, ICertAuthori
+ }
+ mOCSPCertChain = new CertificateChain(ocspImplchain);
+ CMS.debug("in init - got OCSP chain from JSS.");
+- // init issuer name - take name from the cert.
+
+ mCaX509Cert = mSigningUnit.getCert();
+ mCaCert = new X509CertImpl(mCaX509Cert.getEncoded());
+ getCASigningAlgorithms();
++ mSubjectObj = mCaCert.getSubjectObj();
++ if (mSubjectObj != null) {
++ // this ensures the isserDN and subjectDN have the same encoding
++ // as that of the CA signing cert
++ CMS.debug("CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj");
++ // this mIssuerObj is the "issuerDN" obj for the certs this CA
++ // issues, NOT necessarily the isserDN obj of the CA signing cert
++ // unless the CA is self-signed
++ mIssuerObj =
++ new CertificateIssuerName((X500Name)mSubjectObj.get(CertificateIssuerName.DN_NAME));
++ }
+ mName = (X500Name) mCaCert.getSubjectDN();
+
+ mCRLX509Cert = mCRLSigningUnit.getCert();
+diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+index 39f336b..f87f154 100644
+--- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
++++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
+@@ -23,6 +23,8 @@ import java.util.Map;
+ import javax.servlet.http.HttpServletRequest;
+
+ import netscape.security.x509.CertificateChain;
++import netscape.security.x509.CertificateIssuerName;
++import netscape.security.x509.CertificateSubjectName;
+ import netscape.security.x509.CertificateVersion;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CRLImpl;
+@@ -510,4 +512,7 @@ public interface ICertificateAuthority extends ISubsystem {
+ * @return processed times for OCSP requests
+ */
+ public long getOCSPTotalData();
++
++ public CertificateIssuerName getIssuerObj();
++ public CertificateSubjectName getSubjectObj();
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index ca665ba..9e89e69 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -88,6 +88,7 @@ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -220,8 +221,19 @@ public abstract class EnrollProfile extends BasicProfile
+ new CertificateVersion(CertificateVersion.V3));
+ info.set(X509CertInfo.SERIAL_NUMBER,
+ new CertificateSerialNumber(new BigInteger("0")));
+- info.set(X509CertInfo.ISSUER,
+- new CertificateIssuerName(issuerName));
++ ICertificateAuthority authority =
++ (ICertificateAuthority) getAuthority();
++ if (authority.getIssuerObj() != null) {
++ // this ensures the isserDN has the same encoding as the
++ // subjectDN of the CA signing cert
++ CMS.debug("EnrollProfile: setDefaultCertInfo: setting issuerDN using exact CA signing cert subjectDN encoding");
++ info.set(X509CertInfo.ISSUER,
++ authority.getIssuerObj());
++ } else {
++ CMS.debug("EnrollProfile: setDefaultCertInfo: authority.getIssuerObj() is null, creating new CertificateIssuerName");
++ info.set(X509CertInfo.ISSUER,
++ new CertificateIssuerName(issuerName));
++ }
+ info.set(X509CertInfo.KEY,
+ new CertificateX509Key(X509Key.parse(new DerValue(dummykey))));
+ info.set(X509CertInfo.SUBJECT,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+index ede632e..22f0929 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+@@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse;
+
+ import netscape.security.pkcs.PKCS10;
+ import netscape.security.x509.CertificateExtensions;
++import netscape.security.x509.CertificateIssuerName;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CertImpl;
+ import netscape.security.x509.X509CertInfo;
+@@ -390,6 +391,7 @@ public class CertUtil {
+ cr = ca.getCertificateRepository();
+ BigInteger serialNo = cr.getNextSerialNumber();
+ if (type.equals("selfsign")) {
++ CMS.debug("Creating local certificate... selfsign cert");
+ CMS.debug("Creating local certificate... issuerdn=" + dn);
+ CMS.debug("Creating local certificate... dn=" + dn);
+ info = CryptoUtil.createX509CertInfo(x509key, serialNo, dn, dn, date, date, keyAlgorithm);
+@@ -397,8 +399,18 @@ public class CertUtil {
+ String issuerdn = config.getString("preop.cert.signing.dn", "");
+ CMS.debug("Creating local certificate... issuerdn=" + issuerdn);
+ CMS.debug("Creating local certificate... dn=" + dn);
+-
+- info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm);
++ if (ca.getIssuerObj() != null) {
++ // this ensures the isserDN has the same encoding as the
++ // subjectDN of the CA signing cert
++ CMS.debug("Creating local certificate... setting issuerDN using exact CA signing cert subjectDN encoding");
++ CertificateIssuerName issuerdnObj =
++ ca.getIssuerObj();
++
++ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdnObj, dn, date, date, keyAlgorithm);
++ } else {
++ CMS.debug("Creating local certificate... ca.getIssuerObj() is null, creating new CertificateIssuerName");
++ info = CryptoUtil.createX509CertInfo(x509key, serialNo, issuerdn, dn, date, date, keyAlgorithm);
++ }
+ }
+ CMS.debug("Cert Template: " + info.toString());
+
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 5e8e323..c87ebb1 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -1050,14 +1050,28 @@ public class CryptoUtil {
+ CertificateException,
+ InvalidKeyException,
+ NoSuchAlgorithmException {
++ CertificateIssuerName issuernameObj =
++ new CertificateIssuerName(new X500Name(issuername));
++ return createX509CertInfo(x509key, serialno, issuernameObj, subjname, notBefore, notAfter, alg);
++ }
++
++ public static X509CertInfo createX509CertInfo(X509Key x509key,
++ BigInteger serialno, CertificateIssuerName issuernameObj, String subjname,
++ Date notBefore, Date notAfter, String alg)
++ throws IOException,
++ CertificateException,
++ InvalidKeyException,
++ NoSuchAlgorithmException {
+ X509CertInfo info = new X509CertInfo();
+
+ info.set(X509CertInfo.VERSION, new
+ CertificateVersion(CertificateVersion.V3));
+ info.set(X509CertInfo.SERIAL_NUMBER, new
+ CertificateSerialNumber(serialno));
+- info.set(X509CertInfo.ISSUER, new
+- CertificateIssuerName(new X500Name(issuername)));
++ if (issuernameObj != null) {
++ info.set(X509CertInfo.ISSUER,
++ issuernameObj);
++ }
+ info.set(X509CertInfo.SUBJECT, new
+ CertificateSubjectName(new X500Name(subjname)));
+ info.set(X509CertInfo.VALIDITY, new
+diff --git a/base/util/src/netscape/security/x509/X509CertImpl.java b/base/util/src/netscape/security/x509/X509CertImpl.java
+index 111cd3b..a021ee1 100755
+--- a/base/util/src/netscape/security/x509/X509CertImpl.java
++++ b/base/util/src/netscape/security/x509/X509CertImpl.java
+@@ -725,6 +725,10 @@ public class X509CertImpl extends X509Certificate
+ }
+ }
+
++ public CertificateSubjectName getSubjectObj() {
++ return info.getSubjectObj();
++ }
++
+ /**
+ * Gets the issuer distinguished name from the certificate.
+ *
+@@ -743,6 +747,10 @@ public class X509CertImpl extends X509Certificate
+ }
+ }
+
++ public CertificateIssuerName getIssuerObj() {
++ return info.getIssuerObj();
++ }
++
+ /**
+ * Gets the notBefore date from the validity period of the certificate.
+ *
+diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java
+index 2ad17eb..29757ec 100644
+--- a/base/util/src/netscape/security/x509/X509CertInfo.java
++++ b/base/util/src/netscape/security/x509/X509CertInfo.java
+@@ -873,6 +873,10 @@ public class X509CertInfo implements CertAttrSet, Serializable {
+ issuer = (CertificateIssuerName) val;
+ }
+
++ public CertificateIssuerName getIssuerObj() {
++ return issuer;
++ }
++
+ /**
+ * Set the validity interval of the certificate.
+ *
+@@ -901,6 +905,10 @@ public class X509CertInfo implements CertAttrSet, Serializable {
+ subject = (CertificateSubjectName) val;
+ }
+
++ public CertificateSubjectName getSubjectObj() {
++ return subject;
++ }
++
+ /**
+ * Set the public key in the certificate.
+ *
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.1.2-bz1155654.patch b/SOURCES/pki-core-10.1.2-bz1155654.patch
new file mode 100644
index 0000000..df7bfed
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1155654.patch
@@ -0,0 +1,44 @@
+From 43de35ee65f5097abafb898210e7921a4a7d7665 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Thu, 13 Nov 2014 14:14:56 -0700
+Subject: [PATCH] Check for null values in GetConfigEntries
+
+* Bugzilla Bug #1155654 - Replica install fails when using --setup-ca option
+ (AKA - PKI TRAC Ticket #1142 - NPE in getconfigEntries when internaldb
+ password is removed from master)
+---
+ .../com/netscape/cms/servlet/csadmin/GetConfigEntries.java | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
+index ee013ef..dcb8bdf 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
+@@ -180,9 +180,11 @@ public class GetConfigEntries extends CMSServlet {
+ continue;
+ }
+
+- Node container = xmlObj.createContainer(root, "Config");
+- xmlObj.addItemToContainer(container, "name", name);
+- xmlObj.addItemToContainer(container, "value", value);
++ if (value != null) {
++ Node container = xmlObj.createContainer(root, "Config");
++ xmlObj.addItemToContainer(container, "name", name);
++ xmlObj.addItemToContainer(container, "value", value);
++ }
+ }
+ }
+
+@@ -192,7 +194,8 @@ public class GetConfigEntries extends CMSServlet {
+
+ outputResult(httpResp, "application/xml", cb);
+ } catch (Exception e) {
+- CMS.debug("Failed to send the XML output");
++ CMS.debug("Failed to send the XML output: " + e);
++ e.printStackTrace();
+ }
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.1.2-bz1158410.patch b/SOURCES/pki-core-10.1.2-bz1158410.patch
new file mode 100644
index 0000000..9251af1
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1158410.patch
@@ -0,0 +1,240 @@
+From 02eb00b312539f455d13b8a282cc523e11f2715e Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 12 Nov 2014 15:29:04 -0800
+Subject: [PATCH] Bug 1158410 add TLS range support to server.xml by default
+ and upgrade
+
+---
+ base/server/config/pkislots.cfg | 3 +
+ .../python/pki/server/deployment/pkiparser.py | 43 ++++++++-
+ base/server/share/conf/server.xml | 8 +-
+ base/server/upgrade/10.1.2/.gitignore | 4 -
+ base/server/upgrade/10.1.2/01-AddTLSRangeSupport | 102 +++++++++++++++++++++
+ 5 files changed, 153 insertions(+), 7 deletions(-)
+ delete mode 100644 base/server/upgrade/10.1.2/.gitignore
+ create mode 100755 base/server/upgrade/10.1.2/01-AddTLSRangeSupport
+
+diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
+index ce1ac78..ffcef2d 100644
+--- a/base/server/config/pkislots.cfg
++++ b/base/server/config/pkislots.cfg
+@@ -101,4 +101,7 @@ TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS]
+ TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS]
+ TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS]
+ TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS]
++TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM]
++TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]
++TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS]
+ TPS_DIR_SLOT=[TPS_DIR]
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index df636d4..2d7fadc 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -899,6 +899,45 @@ class PKIConfigParser:
+ "/var/run/pki/tomcat/" + self.pki_master_dict['pki_instance_name'] + ".pid"
+ self.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] = \
+ self.pki_master_dict['pki_tomcat_server_port']
++ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
++ "tls1_0:tls1_2"
++ self.pki_master_dict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
++ "tls1_1:tls1_2"
++ self.pki_master_dict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
++ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
++ "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
++ "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
++ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
++ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
++ "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
++ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
++ "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
++ "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
++ "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
++ "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
++ "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
++ "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
++ "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
++ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
++ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
++ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
++ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
++ "+TLS_RSA_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
++ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
++ "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
++ "+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
+ self.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] = \
+ "-SSL2_RC4_128_WITH_MD5," + \
+ "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \
+@@ -922,8 +961,8 @@ class PKIConfigParser:
+ "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
+ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ self.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] = \
+- "ssl2=true," + \
+- "ssl3=true," + \
++ "ssl2=false," + \
++ "ssl3=false," + \
+ "tls=true"
+ self.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] = \
+ "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
+diff --git a/base/server/share/conf/server.xml b/base/server/share/conf/server.xml
+index 8fbdf0f..306ebf2 100644
+--- a/base/server/share/conf/server.xml
++++ b/base/server/share/conf/server.xml
+@@ -142,6 +142,9 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+ 'ssl2Ciphers'
+ 'ssl3Ciphers'
+ 'tlsCiphers'
++ 'sslVersionRangeStream'
++ 'sslVersionRangeDatagram'
++ 'sslRangeCiphers'
+ 'serverCertNickFile'
+ 'passwordFile'
+ 'passwordClass'
+@@ -184,12 +187,15 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+- strictCiphers="false"
++ strictCiphers="true"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslOptions="[TOMCAT_SSL_OPTIONS]"
+ ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
+ ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
+ tlsCiphers="[TOMCAT_TLS_CIPHERS]"
++ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
++ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
++ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore
+deleted file mode 100644
+index 5e7d273..0000000
+--- a/base/server/upgrade/10.1.2/.gitignore
++++ /dev/null
+@@ -1,4 +0,0 @@
+-# Ignore everything in this directory
+-*
+-# Except this file
+-!.gitignore
+diff --git a/base/server/upgrade/10.1.2/01-AddTLSRangeSupport b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport
+new file mode 100755
+index 0000000..b5b83f4
+--- /dev/null
++++ b/base/server/upgrade/10.1.2/01-AddTLSRangeSupport
+@@ -0,0 +1,102 @@
++#!/usr/bin/python
++# Authors:
++# Christina Fu <cfu@redhat.com>
++# Endi S. Dewata <edewata@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2014 Red Hat, Inc.
++# All rights reserved.
++#
++
++import os
++from lxml import etree
++
++import pki.server.upgrade
++
++
++class AddTLSRangeSupport(pki.server.upgrade.PKIServerUpgradeScriptlet):
++
++ def __init__(self):
++
++ self.message = 'Add TLS Range Support'
++
++ self.parser = etree.XMLParser(remove_blank_text=True)
++
++
++ def upgrade_instance(self, instance):
++
++ server_xml = os.path.join(instance.conf_dir, 'server.xml')
++ #Backup the file before modify
++ self.backup(server_xml)
++ #Parse the server.xml into an XML object
++ document = etree.parse(server_xml, self.parser)
++ #perform the upgrade in memory
++ self.add_tls_range(document)
++ #Once all changes are made, write the XML back into the same server.xml
++ #This way we're preserving any other customization that has been done
++ # to the server.xml
++ with open(server_xml, 'w') as f:
++ f.write(etree.tostring(document, pretty_print=True))
++
++ def add_tls_range(self, document):
++
++ # Find existing Connector
++ server = document.getroot()
++ connectors = server.findall('.//Connector')
++
++ for connector in connectors:
++
++ secure = connector.get('secure')
++ if secure == 'true':
++ # Update Connector's attributes
++ connector.set('strictCiphers', 'true')
++ connector.set('sslVersionRangeStream', 'tls1_0:tls1_2')
++ connector.set('sslVersionRangeDatagram', 'tls1_1:tls1_2')
++ connector.set('sslRangeCiphers',
++ '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,' \
++ '-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,' \
++ '+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,' \
++ '-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,' \
++ '+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' \
++ '+TLS_RSA_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_RSA_WITH_AES_128_CBC_SHA,' \
++ '+TLS_RSA_WITH_AES_256_CBC_SHA,' \
++ '+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,' \
++ '-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
++ '-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,' \
++ '-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,' \
++ '+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,' \
++ '+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,' \
++ '+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,' \
++ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,' \
++ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,' \
++ '+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,' \
++ '+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,' \
++ '+TLS_RSA_WITH_AES_128_CBC_SHA256,' \
++ '+TLS_RSA_WITH_AES_256_CBC_SHA256,' \
++ '+TLS_RSA_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' \
++ '+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,' \
++ '+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' \
++ '+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256')
++
+
+
diff --git a/SOURCES/pki-core-10.1.2-bz1165351-2.patch b/SOURCES/pki-core-10.1.2-bz1165351-2.patch
new file mode 100644
index 0000000..6fda15e
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1165351-2.patch
@@ -0,0 +1,77 @@
+From b88754da750bc87fe9ae99d0571fc4432d87f8d3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Wed, 26 Nov 2014 11:19:41 -0700
+Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic (revised)
+
+* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages
+ not found - fixed shell tests
+---
+ base/java-tools/templates/pki_java_command_wrapper.in | 4 +---
+ base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 +---
+ base/java-tools/templates/pretty_print_crl_command_wrapper.in | 4 +---
+ base/server/scripts/operations | 4 +---
+ 4 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in
+index e9bea58..2c13d66 100644
+--- a/base/java-tools/templates/pki_java_command_wrapper.in
++++ b/base/java-tools/templates/pki_java_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files. ##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+index 0c15184..cd4888a 100644
+--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files. ##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+index 02e223c..3596fae 100644
+--- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+@@ -125,9 +125,7 @@ fi
+ ## order this command wrapper uses to find jar files. ##
+ ###############################################################################
+
+-JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+-# Override JNI_JAR_DIR using a user-defined value if one exists
+-JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+
+ CP=/usr/share/java/commons-codec.jar:${CP}
+diff --git a/base/server/scripts/operations b/base/server/scripts/operations
+index e89f1f6..92d01c3 100644
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -1059,9 +1059,7 @@ verify_symlinks()
+ declare -A systemd_symlinks
+
+ # Dogtag 10 Conditional Variables
+- jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
+- # Override jni_jar_dir using a user-defined value if one exists
+- jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
++ jni_jar_dir=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+
+ # Dogtag 10 Symbolic Link Target Variables
+ java_dir="/usr/share/java"
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.1.2-bz1165351.patch b/SOURCES/pki-core-10.1.2-bz1165351.patch
new file mode 100644
index 0000000..ee8270f
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz1165351.patch
@@ -0,0 +1,91 @@
+From d3b2f55279c540f70d468cd969a4ae16d0f2fbb3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Wed, 19 Nov 2014 14:57:43 -0700
+Subject: [PATCH] Remove legacy multilib JNI_JAR_DIR logic
+
+* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not
+ found
+---
+ base/common/share/etc/pki.conf | 2 +-
+ base/java-tools/templates/pki_java_command_wrapper.in | 2 ++
+ .../templates/pretty_print_cert_command_wrapper.in | 2 ++
+ .../templates/pretty_print_crl_command_wrapper.in | 2 ++
+ base/server/python/pki/server/deployment/pkiparser.py | 3 ++-
+ base/server/scripts/operations | 2 ++
+ 6 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
+index f352344..a43d1d6 100644
+--- a/base/common/share/etc/pki.conf
++++ b/base/common/share/etc/pki.conf
+@@ -1,2 +1,2 @@
+ # JNI jar file location
+-JNI_JAR_DIR=${JNI_JAR_DIR}
++JNI_JAR_DIR=/usr/lib/java
+diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in
+index e9ff005..e9bea58 100644
+--- a/base/java-tools/templates/pki_java_command_wrapper.in
++++ b/base/java-tools/templates/pki_java_command_wrapper.in
+@@ -126,6 +126,8 @@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+index 811935e..0c15184 100644
+--- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
+@@ -126,6 +126,8 @@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+ CP=/usr/share/java/commons-codec.jar:${CP}
+ CP=/usr/share/java/ldapjdk.jar:${CP}
+diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+index e70b9ab..02e223c 100644
+--- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in
++++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in
+@@ -126,6 +126,8 @@ fi
+ ###############################################################################
+
+ JNI_JAR_DIR=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++# Override JNI_JAR_DIR using a user-defined value if one exists
++JNI_JAR_DIR=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+ CP=${JNI_JAR_DIR}/jss4.jar
+
+ CP=/usr/share/java/commons-codec.jar:${CP}
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index df636d4..971cb45 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -170,7 +170,8 @@ class PKIConfigParser:
+
+ # JNI jar location
+ jni_jar_dir = subprocess.check_output(
+- 'source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR',
++ '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf '
++ '&& echo $JNI_JAR_DIR',
+ shell=True)
+ # workaround for pylint error E1103
+ jni_jar_dir = str(jni_jar_dir).strip()
+diff --git a/base/server/scripts/operations b/base/server/scripts/operations
+index 7d026fe..e89f1f6 100644
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -1060,6 +1060,8 @@ verify_symlinks()
+
+ # Dogtag 10 Conditional Variables
+ jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
++ # Override jni_jar_dir using a user-defined value if one exists
++ jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
+
+ # Dogtag 10 Symbolic Link Target Variables
+ java_dir="/usr/share/java"
+
diff --git a/SOURCES/pki-core-10.1.2-bz790924.patch b/SOURCES/pki-core-10.1.2-bz790924.patch
new file mode 100644
index 0000000..d4b197d
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz790924.patch
@@ -0,0 +1,406 @@
+From 7da4d9802f058f2f78777928c7e259578ad6daef Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 25 Sep 2014 14:26:11 -0700
+Subject: [PATCH] ticket #1110 pkispawn (configuration) does not provide CA
+ extensions in subordinate certificate signing requests (CSR)
+
+---
+ .../netscape/certsrv/system/SystemCertData.java | 40 ++++++++++++
+ .../cms/servlet/csadmin/ConfigurationUtils.java | 76 +++++++++++++++++++++-
+ .../cms/servlet/csadmin/SystemConfigService.java | 10 +++
+ base/server/etc/default.cfg | 5 ++
+ .../python/pki/server/deployment/pkihelper.py | 25 +++++++
+ .../python/pki/server/deployment/pkiparser.py | 3 +
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java | 53 ++++++++++++++-
+ 7 files changed, 208 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/system/SystemCertData.java b/base/common/src/com/netscape/certsrv/system/SystemCertData.java
+index a509e3f..064d8e1 100644
+--- a/base/common/src/com/netscape/certsrv/system/SystemCertData.java
++++ b/base/common/src/com/netscape/certsrv/system/SystemCertData.java
+@@ -43,6 +43,9 @@ public class SystemCertData {
+ public static final String SUBJECT_DN = "subjectDN";
+ public static final String CERT = "cert";
+ public static final String CERT_CHAIN = "certChain";
++ public static final String REQUEST_EXT_OID = "req_ext_oid";
++ public static final String REQUEST_EXT_CRITICAL = "req_ext_critial";
++ public static final String REQUEST_EXT_DATA = "req_ext_data";
+
+ @XmlElement
+ protected String tag;
+@@ -80,6 +83,15 @@ public class SystemCertData {
+ @XmlElement
+ protected String certChain;
+
++ @XmlElement
++ protected String req_ext_oid;
++
++ @XmlElement
++ protected String req_ext_critical;
++
++ @XmlElement
++ protected String req_ext_data;
++
+ public SystemCertData() {
+ // required for JAXB
+ }
+@@ -97,6 +109,10 @@ public class SystemCertData {
+ subjectDN = form.getFirst(SUBJECT_DN);
+ cert = form.getFirst(CERT);
+ certChain = form.getFirst(CERT_CHAIN);
++ //support extension in CSR
++ req_ext_oid = form.getFirst(REQUEST_EXT_OID);
++ req_ext_critical = form.getFirst(REQUEST_EXT_CRITICAL);
++ req_ext_data = form.getFirst(REQUEST_EXT_DATA);
+ }
+
+ /**
+@@ -267,4 +283,28 @@ public class SystemCertData {
+ this.certChain = certChain;
+ }
+
++ /**
++ * @return the req_ext_oid
++ */
++ public String getReqExtOID() {
++ return req_ext_oid;
++ }
++
++ /**
++ * @return the req_ext_data
++ */
++ public String getReqExtData() {
++ return req_ext_data;
++ }
++
++ /**
++ * @return the req_ext_critical
++ */
++ public boolean getReqExtCritical() {
++ if (req_ext_critical.equals("true"))
++ return true;
++ else
++ return false;
++ }
++
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 9f112ea..2ac2344 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -71,8 +71,14 @@ import netscape.security.pkcs.ContentInfo;
+ import netscape.security.pkcs.PKCS10;
+ import netscape.security.pkcs.PKCS7;
+ import netscape.security.pkcs.SignerInfo;
++import netscape.security.util.DerOutputStream;
++import netscape.security.util.ObjectIdentifier;
+ import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.BasicConstraintsExtension;
+ import netscape.security.x509.CertificateChain;
++import netscape.security.x509.Extension;
++import netscape.security.x509.Extensions;
++import netscape.security.x509.KeyUsageExtension;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CertImpl;
+ import netscape.security.x509.X509Key;
+@@ -2598,6 +2604,7 @@ public class ConfigurationUtils {
+ EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException,
+ NoSuchProviderException, CertificateException, SignatureException, IOException {
+
++ CMS.debug("ConfigurationUtils: handleCertRequest() begins");
+ // get public key
+ String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype");
+ String algorithm = config.getString(PCERT_PREFIX + certTag + ".keyalgorithm");
+@@ -2631,7 +2638,12 @@ public class ConfigurationUtils {
+ String caDN = config.getString(PCERT_PREFIX + certTag + ".dn");
+
+ cert.setDN(caDN);
+- PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm);
++ Extensions exts = null;
++ if (certTag.equals("signing")) {
++ CMS.debug("handleCertRequest: certTag is siging -- about to call createBasicCAExtensions()");
++ exts = createBasicCAExtensions(config);
++ }
++ PKCS10 certReq = CryptoUtil.createCertificationRequest(caDN, pubk, privk, algorithm, exts);
+
+ CMS.debug("handleCertRequest: created cert request");
+ byte[] certReqb = certReq.toByteArray();
+@@ -2645,6 +2657,68 @@ public class ConfigurationUtils {
+
+ }
+
++ /*
++ * createBasicCAExtensions creates the basic Extensions needed for a CSR to a
++ * CA signing certificate
++ */
++ private static Extensions createBasicCAExtensions(IConfigStore config) throws IOException {
++ Extensions exts = new Extensions();
++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: begins");
++
++ // create BasicConstraintsExtension
++ BasicConstraintsExtension bcExt = new BasicConstraintsExtension(true, -1);
++ exts.add(bcExt);
++
++ // create KeyUsageExtension
++ boolean[] kuBits = new boolean[KeyUsageExtension.NBITS];
++ for (int i = 0; i < kuBits.length; i++) {
++ kuBits[i] = false;
++ }
++ kuBits[KeyUsageExtension.DIGITAL_SIGNATURE_BIT] = true;
++ kuBits[KeyUsageExtension.NON_REPUDIATION_BIT] = true;
++ kuBits[KeyUsageExtension.KEY_CERTSIGN_BIT] = true;
++ kuBits[KeyUsageExtension.CRL_SIGN_BIT] = true;
++ KeyUsageExtension kuExt = new KeyUsageExtension(true, kuBits);
++ exts.add(kuExt);
++ /* save this for later when we want to allow more selection for pkispawn configuration
++ // create NSCertTypeExtension
++ boolean[] nsBits = new boolean[NSCertTypeExtension.NBITS];
++ for (int i = 0; i < nsBits.length; i++) {
++ nsBits[i] = false;
++ }
++ nsBits[NSCertTypeExtension.SSL_CA_BIT] = true;
++ NSCertTypeExtension nsctExt = new NSCertTypeExtension(false, nsBits);
++ exts.add(nsctExt);
++ */
++
++ // add a generic extension
++ Extension genExt = null;
++ try {
++ String oidString = config.getString(PCERT_PREFIX + "signing.ext.oid");
++ String dataString = config.getString(PCERT_PREFIX + "signing.ext.data");
++ boolean critical = false;
++ if (oidString != null && dataString != null) {
++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: processing generic extension");
++ critical = config.getBoolean("preop.cert.signing.ext.critical");
++ ObjectIdentifier oid = new ObjectIdentifier(oidString);
++
++ byte data[] = CryptoUtil.hexString2Bytes(dataString);
++ DerOutputStream out = new DerOutputStream();
++ out.putOctetString(data);
++ genExt = new Extension(oid, critical, out.toByteArray());
++ out.close();
++
++ exts.add(genExt);
++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension added: " + oidString);
++ }
++ } catch (EBaseException e) {
++ CMS.debug("ConfigurationUtils: createBasicCAExtensions: generic extension not processed:" + e);
++ }
++
++ return exts;
++ }
++
++
+ public static X509Key getECCX509Key(IConfigStore config, String certTag) throws EPropertyNotFound, EBaseException,
+ InvalidKeyException {
+ X509Key pubk = null;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+index 252a584..b44cdf9 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+@@ -275,6 +275,15 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+ if (cdata.getTag().equals(ct)) {
+ cdata_found = true;
+ CMS.debug("Found data for '" + ct + "'");
++ if (ct.equals("signing") &&
++ cdata.getReqExtOID() != null &&
++ cdata.getReqExtData() != null) {
++ CMS.debug("SystemConfigService:processCerts: adding request extension to config");
++ cs.putString("preop.cert.signing.ext.oid", cdata.getReqExtOID());
++ cs.putString("preop.cert.signing.ext.data", cdata.getReqExtData());
++ cs.putBoolean("preop.cert.signing.ext.critical", cdata.getReqExtCritical());
++ }
++
+ break;
+ }
+ }
+@@ -342,6 +351,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+ cs.putString("preop.cert." + ct + ".signingalgorithm", signingalgorithm);
+ cs.putString("preop.cert." + ct + ".nickname", nickname);
+ cs.putString("preop.cert." + ct + ".dn", dn);
++ cs.commit(false);
+
+ if (!data.getStepTwo()) {
+ if (keytype.equals("ecc")) {
+diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
+index 94d34b2..ba1f466 100644
+--- a/base/server/etc/default.cfg
++++ b/base/server/etc/default.cfg
+@@ -369,6 +369,11 @@ pki_external_csr_path=%(pki_instance_configuration_path)s/ca_signing.csr
+ pki_external_step_two=False
+ pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
+ pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
++pki_req_ext_add=False
++# MS subca request ext data
++pki_req_ext_oid=1.3.6.1.4.1.311.20.2
++pki_req_ext_critical=False
++pki_req_ext_data=1E0A00530075006200430041
+ pki_import_admin_cert=False
+ pki_ocsp_signing_key_algorithm=SHA256withRSA
+ pki_ocsp_signing_key_size=2048
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index 3d34edc..091c4de 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -432,7 +432,16 @@ class ConfigurationFile:
+ self.master_dict = deployer.master_dict
+ # set useful 'boolean' object variables for this class
+ self.clone = config.str2bool(self.master_dict['pki_clone'])
++ # generic extension support in CSR - for external CA
++ self.add_req_ext = config.str2bool(
++ self.master_dict['pki_req_ext_add'])
+ self.external = config.str2bool(self.master_dict['pki_external'])
++ if self.external:
++ # generic extension support in CSR - for external CA
++ if self.add_req_ext:
++ self.req_ext_oid = self.master_dict['pki_req_ext_oid']
++ self.req_ext_critical = self.master_dict['pki_req_ext_critical']
++ self.req_ext_data = self.master_dict['pki_req_ext_data']
+ self.external_step_two = config.str2bool(
+ self.master_dict['pki_external_step_two'])
+ self.skip_configuration = config.str2bool(
+@@ -657,6 +666,11 @@ class ConfigurationFile:
+ # External CA (Step 1)
+ self.confirm_data_exists("pki_external_csr_path")
+ self.confirm_missing_file("pki_external_csr_path")
++ # generic extension support in CSR - for external CA
++ if self.add_req_ext:
++ self.confirm_data_exists("pki_req_ext_oid")
++ self.confirm_data_exists("pki_req_ext_critical")
++ self.confirm_data_exists("pki_req_ext_data")
+ else:
+ # External CA (Step 2)
+ self.confirm_data_exists("pki_external_ca_cert_chain_path")
+@@ -3178,6 +3192,9 @@ class ConfigClient:
+ self.subordinate = config.str2bool(self.master_dict['pki_subordinate'])
+ # set useful 'string' object variables for this class
+ self.subsystem = self.master_dict['pki_subsystem']
++ # generic extension support in CSR - for external CA
++ self.add_req_ext = config.str2bool(
++ self.master_dict['pki_req_ext_add'])
+
+ def configure_pki_data(self, data):
+ config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA,
+@@ -3486,6 +3503,14 @@ class ConfigClient:
+ cert1 = self.create_system_cert("ca_signing")
+ cert1.signingAlgorithm = \
+ self.master_dict['pki_ca_signing_signing_algorithm']
++ # generic extension support in CSR - for external CA
++ if self.add_req_ext:
++ cert1.req_ext_oid = \
++ self.master_dict['pki_req_ext_oid']
++ cert1.req_ext_critical = \
++ self.master_dict['pki_req_ext_critical']
++ cert1.req_ext_data = \
++ self.master_dict['pki_req_ext_data']
+ if self.external_step_two:
+ # External CA (Step 2) or Stand-alone PKI (Step 2)
+ if not self.subsystem == "CA":
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index b7cece7..df636d4 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -542,6 +542,9 @@ class PKIConfigParser:
+ if not self.pki_master_dict.has_key('pki_external') or\
+ not len(self.pki_master_dict['pki_external']):
+ self.pki_master_dict['pki_external'] = "false"
++ if not self.pki_master_dict.has_key('pki_req_ext_add') or\
++ not len(self.pki_master_dict['pki_req_ext_add']):
++ self.pki_master_dict['pki_req_ext_add'] = "false"
+ if not self.pki_master_dict.has_key('pki_external_step_two') or\
+ not len(self.pki_master_dict['pki_external_step_two']):
+ self.pki_master_dict['pki_external_step_two'] = "false"
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 5e8e323..bcdb404 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -45,7 +45,10 @@ import java.util.Vector;
+ import javax.crypto.SecretKey;
+
+ import netscape.security.pkcs.PKCS10;
++import netscape.security.pkcs.PKCS10Attribute;
++import netscape.security.pkcs.PKCS10Attributes;
+ import netscape.security.pkcs.PKCS7;
++import netscape.security.pkcs.PKCS9Attribute;
+ import netscape.security.util.BigInt;
+ import netscape.security.util.DerInputStream;
+ import netscape.security.util.DerOutputStream;
+@@ -61,6 +64,7 @@ import netscape.security.x509.CertificateSubjectName;
+ import netscape.security.x509.CertificateValidity;
+ import netscape.security.x509.CertificateVersion;
+ import netscape.security.x509.CertificateX509Key;
++import netscape.security.x509.Extensions;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X500Signer;
+ import netscape.security.x509.X509CertImpl;
+@@ -1176,14 +1180,38 @@ public class CryptoUtil {
+ public static PKCS10 createCertificationRequest(String subjectName,
+ X509Key pubk, PrivateKey prik, String alg)
+ throws NoSuchAlgorithmException, NoSuchProviderException,
+- InvalidKeyException, IOException, CertificateException,
+- SignatureException {
++ InvalidKeyException, IOException, CertificateException,
++ SignatureException {
++ return createCertificationRequest(subjectName, pubk, prik, alg, null);
++ }
++
++ /*
++ * This createCertificationRequest() allows extensions to be added to the CSR
++ */
++ public static PKCS10 createCertificationRequest(String subjectName,
++ X509Key pubk, PrivateKey prik, String alg, Extensions exts)
++ throws NoSuchAlgorithmException, NoSuchProviderException,
++ InvalidKeyException, IOException, CertificateException,
++ SignatureException {
+ X509Key key = pubk;
+ java.security.Signature sig = java.security.Signature.getInstance(alg,
+ "Mozilla-JSS");
+
+ sig.initSign(prik);
+- PKCS10 pkcs10 = new PKCS10(key);
++ PKCS10 pkcs10 = null;
++
++ if (exts != null) {
++ PKCS10Attribute attr = new
++ PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID,
++ exts);
++ PKCS10Attributes attrs = new PKCS10Attributes();
++
++ attrs.setAttribute(attr.getAttributeValue().getName(), attr);
++
++ pkcs10 = new PKCS10(key, attrs);
++ } else {
++ pkcs10 = new PKCS10(key);
++ }
+ X500Name name = new X500Name(subjectName);
+ X500Signer signer = new X500Signer(sig, name);
+
+@@ -1345,6 +1373,25 @@ public class CryptoUtil {
+ }
+
+ /**
++ * Converts string containing pairs of characters in the range of '0'
++ * to '9', 'a' to 'f' to an array of bytes such that each pair of
++ * characters in the string represents an individual byte
++ */
++ public static byte[] hexString2Bytes(String string) {
++ if (string == null)
++ return null;
++ int stringLength = string.length();
++ if ((stringLength == 0) || ((stringLength % 2) != 0))
++ return null;
++ byte[] bytes = new byte[(stringLength / 2)];
++ for (int i = 0, b = 0; i < stringLength; i += 2, ++b) {
++ String nextByte = string.substring(i, (i + 2));
++ bytes[b] = (byte) Integer.parseInt(nextByte, 0x10);
++ }
++ return bytes;
++ }
++
++ /**
+ * Retrieves a private key from a unique key ID.
+ */
+ public static PrivateKey findPrivateKeyFromID(byte id[])
+--
+1.8.4.2
+
diff --git a/SOURCES/pki-core-10.1.2-bz871171.patch b/SOURCES/pki-core-10.1.2-bz871171.patch
new file mode 100644
index 0000000..f35e120
--- /dev/null
+++ b/SOURCES/pki-core-10.1.2-bz871171.patch
@@ -0,0 +1,235 @@
+From 53134a2d0ba5a497ad789ee0412ba92c2d4ef11c Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Tue, 18 Nov 2014 18:28:53 -0800
+Subject: [PATCH] bugzilla 871171 (client-side code) Provide Tomcat support
+ for TLS v1.1 and TLS v1.2
+
+---
+ .../com/netscape/certsrv/client/PKIConnection.java | 19 +++++++
+ .../src/com/netscape/cmstools/HttpClient.java | 59 +++++++-------------
+ .../cmscore/ldapconn/LdapJssSSLSocketFactory.java | 7 ++-
+ .../netscape/cmsutil/http/JssSSLSocketFactory.java | 62 ++--------------------
+ 4 files changed, 44 insertions(+), 103 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+index cf103a9..4d298a7 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+@@ -472,6 +472,23 @@ public class PKIConnection {
+ localAddr = localAddress.getAddress();
+ }
+
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
++
++ SSLSocket.setSSLVersionRangeDefault(
++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
++ stream_range);
++
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
++
++ SSLSocket.setSSLVersionRangeDefault(
++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
++ datagram_range);
+ SSLSocket socket;
+ if (sock == null) {
+ socket = new SSLSocket(InetAddress.getByName(hostName),
+@@ -484,6 +501,8 @@ public class PKIConnection {
+ } else {
+ socket = new SSLSocket(sock, hostName, new ServerCertApprovalCB(), null);
+ }
++// setSSLVersionRange needs to be exposed in jss
++// socket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+
+ String certNickname = config.getCertNickname();
+ if (certNickname != null) {
+diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+index cd6a6ea..1323752 100644
+--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+@@ -55,27 +55,6 @@ public class HttpClient {
+ private boolean _secure = false;
+
+ public static final int ARGC = 1;
+- static final int cipherSuites[] = {
+- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
+- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
+- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
+- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
+- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
+- SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+- SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+- 0
+- };
+
+ public HttpClient(String host, int port, String secure)
+ throws Exception {
+@@ -148,27 +127,27 @@ public class HttpClient {
+
+ int i;
+
+- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(i, false);
+- } catch (SocketException e) {
+- }
+- }
+- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
+- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(i, false);
+- } catch (SocketException e) {
+- }
+- }
+- for (i = 0; cipherSuites[i] != 0; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
+- } catch (SocketException e) {
+- }
+- }
+ SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
++
++ SSLSocket.setSSLVersionRangeDefault(
++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
++ stream_range);
++
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
++
++ SSLSocket.setSSLVersionRangeDefault(
++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
++ datagram_range);
+ sslSocket = new SSLSocket(_host, _port);
++ // setSSLVersionRange needs to be exposed in jss
++ // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+ sslSocket.addHandshakeCompletedListener(listener);
+
+ CryptoToken tt = cm.getThreadToken();
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+index 4d9e602..720882a 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
+@@ -51,12 +51,11 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
+ SSLSocket s = null;
+
+ try {
+- SSLSocket.enableSSL2Default(false);
++ /*
++ * let inherit TLS range and cipher settings
++ */
+ s = new SSLSocket(host, port);
+ s.setUseClientMode(true);
+- s.enableSSL2(false);
+- //TODO Do we really want to set the default each time?
+- SSLSocket.enableSSL2Default(false);
+ s.enableV2CompatibleHello(false);
+
+ SSLHandshakeCompletedListener listener = null;
+diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+index fcf5fc1..2f8a40c 100644
+--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
++++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+@@ -47,54 +47,6 @@ public class JssSSLSocketFactory implements ISocketFactory {
+ mClientAuthCertNickname = certNickname;
+ }
+
+- // XXX remove these static SSL cipher suite initializations later on.
+- static final int cipherSuites[] = {
+- SSLSocket.SSL3_RSA_WITH_RC4_128_MD5,
+- SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
+- SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA,
+- SSLSocket.SSL3_RSA_EXPORT_WITH_RC4_40_MD5,
+- SSLSocket.SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+- SSLSocket.SSL3_RSA_WITH_NULL_MD5,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+- SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- //SSLSocket.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+- //SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+- SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+- SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+- 0
+- };
+-
+- static {
+- int i;
+-
+- for (i = SSLSocket.SSL2_RC4_128_WITH_MD5; i <= SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(i, false);
+- } catch (SocketException e) {
+- }
+- }
+-
+- //skip SSL_EN_IDEA_128_EDE3_CBC_WITH_MD5
+- for (i = SSLSocket.SSL2_DES_64_CBC_WITH_MD5; i <= SSLSocket.SSL2_DES_192_EDE3_CBC_WITH_MD5; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(i, false);
+- } catch (SocketException e) {
+- }
+- }
+- for (i = 0; cipherSuites[i] != 0; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
+- } catch (SocketException e) {
+- }
+- }
+- }
+-
+ public Socket makeSocket(String host, int port)
+ throws IOException, UnknownHostException {
+ return makeSocket(host, port, null, null);
+@@ -106,20 +58,12 @@ public class JssSSLSocketFactory implements ISocketFactory {
+ throws IOException, UnknownHostException {
+
+ try {
++ /*
++ * let inherit tls range and cipher settings
++ */
+ s = new SSLSocket(host, port, null, 0, certApprovalCallback,
+ clientCertCallback);
+- for (int i = 0; cipherSuites[i] != 0; ++i) {
+- try {
+- SSLSocket.setCipherPreferenceDefault(cipherSuites[i], true);
+- } catch (SocketException e) {
+- }
+- }
+-
+ s.setUseClientMode(true);
+- s.enableSSL2(false);
+- //TODO Do we rally want to set the default each time?
+- SSLSocket.enableSSL2Default(false);
+- s.enableV2CompatibleHello(false);
+
+ SSLHandshakeCompletedListener listener = null;
+
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 56699ea..c3bc788 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -4,8 +4,8 @@ distutils.sysconfig import get_python_lib; print(get_python_lib())")}
distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
-Version: 10.0.5
-Release: 3%{?dist}
+Version: 10.1.2
+Release: 7%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -15,12 +15,13 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: cmake >= 2.8.9-1
BuildRequires: zip
-BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: java-devel >= 1:1.7.0
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
+BuildRequires: jakarta-commons-httpclient
BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: openldap-devel
@@ -30,47 +31,42 @@ BuildRequires: velocity
BuildRequires: xalan-j2
BuildRequires: xerces-j2
-%if 0%{?rhel}
-BuildRequires: resteasy-base-atom-provider
-BuildRequires: resteasy-base-jaxb-provider
-BuildRequires: resteasy-base-jaxrs
-BuildRequires: resteasy-base-jaxrs-api
-BuildRequires: resteasy-base-jettison-provider
+%if 0%{?rhel}
+BuildRequires: resteasy-base-atom-provider >= 3.0.6-1
+BuildRequires: resteasy-base-client >= 3.0.6-1
+BuildRequires: resteasy-base-jaxb-provider >= 3.0.6-1
+BuildRequires: resteasy-base-jaxrs >= 3.0.6-1
+BuildRequires: resteasy-base-jaxrs-api >= 3.0.6-1
+BuildRequires: resteasy-base-jettison-provider >= 3.0.6-1
%else
-BuildRequires: resteasy >= 2.3.2-1
+BuildRequires: resteasy >= 3.0.1-3
%endif
+%if ! 0%{?rhel}
+BuildRequires: pylint
+%endif
+BuildRequires: python-requests
+BuildRequires: libselinux-python
+BuildRequires: policycoreutils-python
+BuildRequires: python-ldap
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
-%if 0%{?rhel} || 0%{?fedora} >= 19
-BuildRequires: jss >= 4.2.6-28
-%else
-BuildRequires: jss >= 4.2.6-24
-%endif
+BuildRequires: jss >= 4.2.6-35
BuildRequires: systemd-units
-%if 0%{?rhel} || 0%{?fedora} >= 19
-BuildRequires: tomcatjss >= 7.1.0
-%endif
-%if 0%{?fedora} == 18
-BuildRequires: tomcatjss >= 7.0.0-4
-%endif
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-BuildRequires: tomcatjss >= 6.0.2
-BuildRequires: selinux-policy-devel >= 3.10.0-151
-%endif
+BuildRequires: tomcatjss >= 7.1.0-5
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
-Patch0: 0000-Storing-authentication-info-in-session.patch
-Patch1: 0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch
-Patch2: 0002-Fixed-errors-during-Tomcat-shutdown.patch
-Patch3: 0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch
-Patch4: 0004-Backup-upgrade-tracker.patch
-Patch5: 0005-Added-CLI-command-aliases.patch
-Patch6: 0006-Added-new-link-for-resteasy-dependency.patch
+Patch0: %{name}-%{version}-bz790924.patch
+Patch1: %{name}-%{version}-bz1151147.patch
+Patch2: %{name}-%{version}-bz1155654.patch
+Patch3: %{name}-%{version}-bz871171.patch
+Patch4: %{name}-%{version}-bz1158410.patch
+Patch5: %{name}-%{version}-bz1165351.patch
+Patch6: %{name}-%{version}-bz1165351-2.patch
%if 0%{?rhel}
-ExcludeArch: ppc ppc64 s390 s390x
+ExcludeArch: ppc ppc64 ppcle ppc64le s390 s390x
%endif
%global saveFileContext() \
@@ -104,27 +100,27 @@ PKI Core contains ALL top-level java-based Tomcat PKI components: \
* pki-symkey \
* pki-base \
* pki-tools \
- * pki-selinux (f17 only) \
* pki-server \
* pki-ca \
- * pki-kra (fedora only) \
- * pki-ocsp (fedora only) \
- * pki-tks (fedora only) \
+ * pki-kra \
+ * pki-ocsp \
+ * pki-tks \
+ * pki-tps-tomcat \
* pki-javadoc \
\
which comprise the following corresponding PKI subsystems: \
\
* Certificate Authority (CA) \
- * Data Recovery Manager (DRM) (fedora only) \
- * Online Certificate Status Protocol (OCSP) Manager (fedora only) \
- * Token Key Service (TKS) (fedora only) \
+ * Data Recovery Manager (DRM) \
+ * Online Certificate Status Protocol (OCSP) Manager \
+ * Token Key Service (TKS) \
+ * Token Processing Service (TPS) \
\
For deployment purposes, PKI Core contains fundamental packages \
required by BOTH native-based Apache AND java-based Tomcat \
Certificate System instances consisting of the following components: \
\
* pki-tools \
- * pki-selinux (f17 only) \
\
Additionally, PKI Core contains the following fundamental packages \
required ONLY by ALL java-based Tomcat Certificate System instances: \
@@ -163,14 +159,10 @@ least one PKI Theme package: \
Summary: Symmetric Key JNI Package
Group: System Environment/Libraries
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: nss
Requires: jpackage-utils >= 0:1.7.5-10
-%if 0%{?rhel} || 0%{?fedora} >= 19
-Requires: jss >= 4.2.6-28
-%else
-Requires: jss >= 4.2.6-24
-%endif
+Requires: jss >= 4.2.6-35
Provides: symkey = %{version}-%{release}
@@ -203,27 +195,24 @@ Requires: apache-commons-codec
Requires: apache-commons-io
Requires: apache-commons-lang
Requires: apache-commons-logging
-Requires: java >= 1:1.6.0
+Requires: jakarta-commons-httpclient
+Requires: java >= 1:1.7.0
Requires: javassist
Requires: jettison
Requires: jpackage-utils >= 0:1.7.5-10
-%if 0%{?rhel} || 0%{?fedora} >= 19
-Requires: jss >= 4.2.6-28
-%else
-Requires: jss >= 4.2.6-24
-%endif
+Requires: jss >= 4.2.6-35
Requires: ldapjdk
Requires: python-ldap
Requires: python-lxml
Requires: python-requests >= 1.1.0-3
-%if 0%{?rhel}
-Requires: resteasy-base-atom-provider
-Requires: resteasy-base-jaxb-provider
-Requires: resteasy-base-jaxrs
-Requires: resteasy-base-jaxrs-api
-Requires: resteasy-base-jettison-provider
+%if 0%{?rhel}
+Requires: resteasy-base-atom-provider >= 3.0.6-1
+Requires: resteasy-base-jaxb-provider >= 3.0.6-1
+Requires: resteasy-base-jaxrs >= 3.0.6-1
+Requires: resteasy-base-jaxrs-api >= 3.0.6-1
+Requires: resteasy-base-jettison-provider >= 3.0.6-1
%else
-Requires: resteasy >= 2.3.2-1
+Requires: resteasy >= 3.0.1-3
%endif
Requires: xalan-j2
Requires: xerces-j2
@@ -250,7 +239,7 @@ Obsoletes: pki-java-tools < %{version}-%{release}
Requires: openldap-clients
Requires: nss
Requires: nss-tools
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: pki-base = %{version}-%{release}
Requires: jpackage-utils >= 0:1.7.5-10
@@ -277,7 +266,7 @@ Obsoletes: pki-deploy < %{version}-%{release}
Obsoletes: pki-setup < %{version}-%{release}
Obsoletes: pki-silent < %{version}-%{release}
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: java-atk-wrapper
Requires: net-tools
Requires: perl(File::Slurp)
@@ -286,72 +275,46 @@ Requires: perl-Crypt-SSLeay
Requires: policycoreutils
Requires: openldap-clients
Requires: pki-base = %{version}-%{release}
-Requires: pki-symkey = %{version}-%{release}
Requires: pki-tools = %{version}-%{release}
+Requires: policycoreutils-python
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-Requires: pki-selinux = %{version}-%{release}
-%else
Requires: selinux-policy-base >= 3.11.1-43
Obsoletes: pki-selinux
-Requires: tomcat >= 7.0.27
+
+%if 0%{?rhel}
+Requires: tomcat >= 7.0.54
+%else
+Requires: tomcat >= 7.0.47
%endif
Requires: velocity
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
-Requires: tomcat >= 7.0.27
-%if 0%{?rhel} || 0%{?fedora} >= 19
-Requires: tomcatjss >= 7.1.0
-%endif
-%if 0%{?fedora} == 18
-Requires: tomcatjss >= 7.0.0-4
-%endif
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-Requires: tomcatjss >= 6.0.2
-%endif
+
+Requires: tomcatjss >= 7.1.0-5
%description -n pki-server
The PKI Server Framework is required by the following four PKI subsystems:
the Certificate Authority (CA),
the Data Recovery Manager (DRM),
- the Online Certificate Status Protocol (OCSP) Manager, and
- the Token Key Service (TKS).
+ the Online Certificate Status Protocol (OCSP) Manager,
+ the Token Key Service (TKS), and
+ the Token Processing Service (TPS).
This package is a part of the PKI Core used by the Certificate System.
The package contains scripts to create and remove PKI subsystems.
%{overview}
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-%package -n pki-selinux
-Summary: Certificate System - PKI Selinux Policies
-Group: System Environment/Base
-
-BuildArch: noarch
-
-Requires: policycoreutils
-Requires: selinux-policy-targeted
-Conflicts: selinux-policy-base >= 3.11.1-43
-Requires: selinux-policy >= 3.10.0-151
-
-%description -n pki-selinux
-Selinux policies for the PKI components.
-
-This package is a part of the PKI Core used by the Certificate System.
-
-%{overview}
-%endif
-
%package -n pki-ca
Summary: Certificate System - Certificate Authority
Group: System Environment/Daemons
BuildArch: noarch
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -372,14 +335,13 @@ provided by the PKI Core used by the Certificate System.
%{overview}
-%if ! 0%{?rhel}
%package -n pki-kra
Summary: Certificate System - Data Recovery Manager
Group: System Environment/Daemons
BuildArch: noarch
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -404,17 +366,15 @@ This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
%{overview}
-%endif
-%if ! 0%{?rhel}
%package -n pki-ocsp
Summary: Certificate System - Online Certificate Status Protocol Manager
Group: System Environment/Daemons
BuildArch: noarch
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -446,18 +406,17 @@ This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
%{overview}
-%endif
-%if ! 0%{?rhel}
%package -n pki-tks
Summary: Certificate System - Token Key Service
Group: System Environment/Daemons
BuildArch: noarch
-Requires: java >= 1:1.6.0
+Requires: java >= 1:1.7.0
Requires: pki-server = %{version}-%{release}
+Requires: pki-symkey = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -482,7 +441,38 @@ This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
%{overview}
-%endif
+
+
+%package -n pki-tps-tomcat
+Summary: Certificate System - Token Processing Service
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+Provides: pki-tps
+Requires: java >= 1:1.7.0
+Requires: pki-server = %{version}-%{release}
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n pki-tps-tomcat
+The Token Processing System (TPS) is an optional PKI subsystem that acts
+as a Registration Authority (RA) for authenticating and processing
+enrollment requests, PIN reset requests, and formatting requests from
+the Enterprise Security Client (ESC).
+
+TPS is designed to communicate with tokens that conform to
+Global Platform's Open Platform Specification.
+
+TPS communicates over SSL with various PKI backend subsystems (including
+the Certificate Authority (CA), the Data Recovery Manager (DRM), and the
+Token Key Service (TKS)) to fulfill the user's requests.
+
+TPS also interacts with the token database, an LDAP server that stores
+information about individual tokens.
+
+%{overview}
%package -n pki-javadoc
@@ -536,14 +526,6 @@ cd build
-DRESTEASY_LIB=/usr/share/java/resteasy \
%endif
%{?_without_javadoc:-DWITH_JAVADOC:BOOL=OFF} \
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
- -DBUILD_PKI_SELINUX:BOOL=ON \
-%endif
-%if 0%{?rhel}
- -DBUILD_PKI_KRA:BOOL=OFF \
- -DBUILD_PKI_OCSP:BOOL=OFF \
- -DBUILD_PKI_TKS:BOOL=OFF \
-%endif
..
%{__make} VERBOSE=1 %{?_smp_mflags} all
# %{__make} VERBOSE=1 %{?_smp_mflags} test
@@ -554,61 +536,20 @@ cd build
cd build
%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
-# Fedora 18 and 17: Substitute 'tomcat7jss.jar' for 'tomcatjss.jar'
-%if ! 0%{?rhel} && 0%{?fedora} <= 18
- sed -i -e 's/grant codeBase "file:\/usr\/share\/java\/tomcatjss.jar" {/grant codeBase "file:\/usr\/share\/java\/tomcat7jss.jar" {/' %{buildroot}%{_datadir}/pki/server/conf/pki.policy
- sed -i -e 's/pki_tomcatjss_jar=\/usr\/share\/java\/tomcatjss.jar/pki_tomcatjss_jar=\/usr\/share\/java\/tomcat7jss.jar/' %{buildroot}%{_sysconfdir}/pki/default.cfg
- sed -i -e 's/ \[tomcatjss.jar\]=\${java_dir}\/tomcatjss.jar/ \[tomcatjss.jar\]=\${java_dir}\/tomcat7jss.jar/' %{buildroot}%{_datadir}/pki/scripts/operations
-%endif
-
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
-# generate 'pki-ca.conf' under the 'tmpfiles.d' directory
-echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
-echo "D /run/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
-echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
-echo "D /run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
-%if ! 0%{?rhel}
-# generate 'pki-kra.conf' under the 'tmpfiles.d' directory
-echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /run/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-echo "D /run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
-%endif
-%if ! 0%{?rhel}
-# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory
-echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
-echo "D /run/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
-echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
-echo "D /run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
-%endif
-# generate 'pki-tomcat.conf' under the 'tmpfiles.d' directory
-echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
-echo "D /run/lock/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
-echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
-echo "D /run/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
%if ! 0%{?rhel}
-# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
-echo "D /run/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
-echo "D /run/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
-echo "D /run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
-echo "D /run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+# Scanning the python code with pylint. A return value of 0 represents there are no
+# errors or warnings reported by pylint.
+sh ../pylint-build-scan.sh %{buildroot} `pwd`
+if [ $? -eq 1 ]; then
+ exit 1
+fi
%endif
%{__rm} %{buildroot}%{_initrddir}/pki-cad
-%if ! 0%{?rhel}
%{__rm} %{buildroot}%{_initrddir}/pki-krad
-%endif
-%if ! 0%{?rhel}
%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
-%endif
-%if ! 0%{?rhel}
%{__rm} %{buildroot}%{_initrddir}/pki-tksd
-%endif
+%{__rm} %{buildroot}%{_initrddir}/pki-tpsd
%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib
@@ -628,7 +569,7 @@ fi \
%{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki
%{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki
-%if ! 0%{?rhel} && 0%{?fedora} >= 19
+%if ! 0%{?rhel}
%pretrans -n pki-base -p <lua>
function test(a)
if posix.stat(a) then
@@ -645,9 +586,9 @@ if (test("/etc/sysconfig/pki/ca") or
test("/etc/sysconfig/pki/kra") or
test("/etc/sysconfig/pki/ocsp") or
test("/etc/sysconfig/pki/tks")) then
- msg = "Unable to upgrade to Fedora 19. There are Dogtag 9 instances\n" ..
+ msg = "Unable to upgrade to Fedora 20. There are Dogtag 9 instances\n" ..
"that will no longer work since they require Tomcat 6, and \n" ..
- "Tomcat 6 is no longer available in Fedora 19.\n\n" ..
+ "Tomcat 6 is no longer available in Fedora 20.\n\n" ..
"Please follow these instructions to migrate the instances to \n" ..
"Dogtag 10:\n\n" ..
"http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10"
@@ -657,17 +598,6 @@ end
%post -n pki-base
-%if ! 0%{?rhel} && 0%{?fedora} <= 18
-if [ "`uname -i`" == "x86_64" ]
-then
- sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib64\/java/' %{_datadir}/pki/etc/pki.conf
-else
- sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf
-fi
-%else
- sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf
-%endif
-
if [ $1 -eq 1 ]
then
# On RPM installation create system upgrade tracker
@@ -688,26 +618,6 @@ then
rm -f %{_sysconfdir}/pki/pki.version
fi
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-%pre -n pki-selinux
-%saveFileContext targeted
-
-%post -n pki-selinux
-semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp
-%relabel targeted
-
-%preun -n pki-selinux
-if [ $1 = 0 ]; then
- %saveFileContext targeted
-fi
-
-%postun -n pki-selinux
-if [ $1 = 0 ]; then
- semodule -s targeted -r pki
- %relabel targeted
-fi
-%endif
-
%post -n pki-ca
# Attempt to update ALL old "CA" instances to "systemd"
if [ -d /etc/sysconfig/pki/ca ]; then
@@ -739,7 +649,6 @@ fi
%fix_tomcat_log ca
-%if ! 0%{?rhel}
%post -n pki-kra
# Attempt to update ALL old "KRA" instances to "systemd"
if [ -d /etc/sysconfig/pki/kra ]; then
@@ -769,10 +678,8 @@ if [ -d /etc/sysconfig/pki/kra ]; then
fi
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%fix_tomcat_log kra
-%endif
-%if ! 0%{?rhel}
%post -n pki-ocsp
# Attempt to update ALL old "OCSP" instances to "systemd"
if [ -d /etc/sysconfig/pki/ocsp ]; then
@@ -802,10 +709,8 @@ if [ -d /etc/sysconfig/pki/ocsp ]; then
fi
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%fix_tomcat_log ocsp
-%endif
-%if ! 0%{?rhel}
%post -n pki-tks
# Attempt to update ALL old "TKS" instances to "systemd"
if [ -d /etc/sysconfig/pki/tks ]; then
@@ -835,7 +740,6 @@ if [ -d /etc/sysconfig/pki/tks ]; then
fi
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%fix_tomcat_log tks
-%endif
%post -n pki-server
@@ -855,31 +759,25 @@ if [ $1 = 0 ] ; then
fi
-%if ! 0%{?rhel}
%preun -n pki-kra
if [ $1 = 0 ] ; then
/bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
/bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
fi
-%endif
-%if ! 0%{?rhel}
%preun -n pki-ocsp
if [ $1 = 0 ] ; then
/bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || :
/bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || :
fi
-%endif
-%if ! 0%{?rhel}
%preun -n pki-tks
if [ $1 = 0 ] ; then
/bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || :
/bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || :
fi
-%endif
## %preun -n pki-server
@@ -895,31 +793,25 @@ if [ "$1" -ge "1" ] ; then
fi
-%if ! 0%{?rhel}
%postun -n pki-kra
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" ] ; then
/bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
fi
-%endif
-%if ! 0%{?rhel}
%postun -n pki-ocsp
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" ] ; then
/bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || :
fi
-%endif
-%if ! 0%{?rhel}
%postun -n pki-tks
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" ] ; then
/bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
fi
-%endif
## %postun -n pki-server
@@ -999,7 +891,6 @@ fi
%{_sbindir}/pkidestroy
%{_sbindir}/pki-server-upgrade
#%{_bindir}/pki-setup-proxy
-%{python_sitelib}/pki/deployment/
%{python_sitelib}/pki/server/
%dir %{_datadir}/pki/deployment
%{_datadir}/pki/deployment/config/
@@ -1008,8 +899,6 @@ fi
%{_datadir}/pki/scripts/pkicommon.pm
%{_datadir}/pki/scripts/functions
%{_datadir}/pki/scripts/pki_apache_initscript
-%dir %{_localstatedir}/lock/pki
-%dir %{_localstatedir}/run/pki
%{_bindir}/pkidaemon
%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
%{_unitdir}/pki-tomcatd@.service
@@ -1019,8 +908,6 @@ fi
%{_javadir}/pki/pki-cmscore.jar
%{_javadir}/pki/pki-silent.jar
%{_javadir}/pki/pki-tomcat.jar
-%dir %{_localstatedir}/lock/pki/tomcat
-%dir %{_localstatedir}/run/pki/tomcat
%dir %{_sharedstatedir}/pki
%{_bindir}/pkicreate
%{_bindir}/pkiremove
@@ -1033,23 +920,9 @@ fi
%{_mandir}/man8/pkidestroy.8.gz
%{_mandir}/man8/pkispawn.8.gz
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tomcat.conf
-
%{_datadir}/pki/setup/
%{_datadir}/pki/server/
-%if ! 0%{?rhel} && 0%{?fedora} <= 17
-%files -n pki-selinux
-%defattr(-,root,root,-)
-%doc base/selinux/LICENSE
-%{_datadir}/selinux/modules/pki.pp
-%endif
-
%files -n pki-ca
%defattr(-,root,root,-)
%doc base/ca/LICENSE
@@ -1064,17 +937,7 @@ fi
%{_datadir}/pki/ca/profiles/ca/
%{_datadir}/pki/ca/setup/
%{_datadir}/pki/ca/webapps/
-%dir %{_localstatedir}/lock/pki/ca
-%dir %{_localstatedir}/run/pki/ca
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf
-
-%if ! 0%{?rhel}
%files -n pki-kra
%defattr(-,root,root,-)
%doc base/kra/LICENSE
@@ -1086,18 +949,7 @@ fi
%{_datadir}/pki/kra/conf/
%{_datadir}/pki/kra/setup/
%{_datadir}/pki/kra/webapps/
-%dir %{_localstatedir}/lock/pki/kra
-%dir %{_localstatedir}/run/pki/kra
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf
-%endif
-
-%if ! 0%{?rhel}
%files -n pki-ocsp
%defattr(-,root,root,-)
%doc base/ocsp/LICENSE
@@ -1109,18 +961,7 @@ fi
%{_datadir}/pki/ocsp/conf/
%{_datadir}/pki/ocsp/setup/
%{_datadir}/pki/ocsp/webapps/
-%dir %{_localstatedir}/lock/pki/ocsp
-%dir %{_localstatedir}/run/pki/ocsp
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
-%endif
-
-%if ! 0%{?rhel}
%files -n pki-tks
%defattr(-,root,root,-)
%doc base/tks/LICENSE
@@ -1132,16 +973,18 @@ fi
%{_datadir}/pki/tks/conf/
%{_datadir}/pki/tks/setup/
%{_datadir}/pki/tks/webapps/
-%dir %{_localstatedir}/lock/pki/tks
-%dir %{_localstatedir}/run/pki/tks
-# Details:
-#
-# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
-# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
-#
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
-%endif
+%files -n pki-tps-tomcat
+%defattr(-,root,root,-)
+%doc base/tps/LICENSE
+%dir %{_sysconfdir}/systemd/system/pki-tpsd.target.wants
+%{_unitdir}/pki-tpsd@.service
+%{_unitdir}/pki-tpsd.target
+%{_javadir}/pki/pki-tps.jar
+%dir %{_datadir}/pki/tps
+%{_datadir}/pki/tps/conf/
+%{_datadir}/pki/tps/setup/
+%{_datadir}/pki/tps/webapps/
%if %{?_without_javadoc:0}%{!?_without_javadoc:1}
%files -n pki-javadoc
@@ -1151,57 +994,119 @@ fi
%changelog
-* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 10.0.5-3
-- Mass rebuild 2013-12-27
-
-* Sat Nov 2 2013 Ade Lee <alee@redhat.com> 10.0.5-2
-- Trac #739, BZ#999722 - Fixed error handling in DoUnrevoke servlet.
-- Trac #775, BZ#1018628 - Fixed errors during Tomcat shutdown.
-- Trac #776, BZ#1024679 - Added missing link for apache-commons-io
-- Trac #781, BZ#1024445 - Admin cert signed with SHA1, should be SHA256
-- Trac #780 - Store authentication info in session.
-- Trac #763 - Backup upgrade tracker.
-- Trac #779 - Renamed some CLI commands.
-- Trac #743 - Fixed references to /var/run and /var/lock in tmpfiles.
-
-* Fri Sep 6 2013 Ade Lee <alee@redhat.com> 10.0.5-1
-- Roll release to next version
-
-* Fri Aug 2 2013 Ade Lee <alee@redhat.com> 10.0.4-2
-- Trac Ticket 699 - on upgrade to F19, CA fails to start.
-
-* Thu Jul 25 2013 Ade Lee <alee@redhat.com> 10.0.4-1
-- Change release number for official release
-
-* Wed Jul 24 2013 Matthew Harmsen <mharmsen@redhat.com> 10.0.4-0.4
-- Bugzilla Bug #986506 - Need to determine RPM packages to be excluded
- from compose . . . (exclude pki-kra, pki-ocsp, and pki-tks from rhel 7)
-
-* Wed Jul 17 2013 Endi S. Dewata <edewata@redhat.com> 10.0.4-0.3
+* Wed Nov 26 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.2-7
+- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent
+ packages not found - fixed shell tests
+
+* Wed Nov 19 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.2-6
+- Bugzilla Bug #1165351 - Errata TPS test fails due to dependent
+ packages not found
+
+* Thu Nov 13 2014 Christina Fu <cfu@redhat.com> 10.1.2-5
+- Bugzilla Bug #1155654 - Check for null values in GetConfigEntries (alee)
+- Bugzilla Bug #1158410 - Add TLS Range in server.xml (cfu)
+- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and TLS v1.2
+ (client-side code) (cfu)
+- Updated JSS from "4.2.6-28" to "4.2.6-35" (TLS)
+- Require tomcatjss "7.1.0-5" (TLS)
+
+* Tue Oct 28 2014 Christina Fu <cfu@redhat.com> 10.1.2-4
+- Bugzilla Bug #1151147 - External CA install does not work
+ with CA certificates signed by Microsoft Certificate Services
+
+* Fri Sep 26 2014 Christina Fu <cfu@redhat.com> 10.1.2-3
+- Bugzilla Bug #790924 - pkispawn (configuration) does not provide CA
+ extensions in subordinate certificate signing requests (CSR)
+
+* Fri Sep 19 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.2-2
+- Bugzilla Bug #1108303 - Rebase pki-core to 10.1 (RHEL)
+- Bugzilla Bug #1117073 - pki-core ppc64le is missing from ExcludeArch line
+ of spec file (RHEL)
+- Bumped required runtime version of tomcat >= 7.0.54 (RHEL)
+- Changed buildtime requirement from 'resteasy-base-jackson-provider >= 3.0.6-1'
+ to 'resteasy-base-jettison-provider >= 3.0.6-1' (RHEL)
+- Added version number of '>= 3.0.6-1' to runtime requirements for all
+ 'resteasy-base' packages (RHEL)
+
+* Thu Sep 18 2014 Ade Lee <alee@redhat.com> 10.1.2-1
+- Backport fix for ticket 499
+- Bump version to ensure migration scripts are run
+
+* Thu Sep 11 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.1-2
+- Add missing 'jakarta-commons-httpclient' build and runtime requirement
+- Exclude the 'ppcle' and 'ppc64le' platforms from being built on RHEL platforms
+- Update 'resteasy-base' requirements on RHEL platforms
+- Suppress pylint on RHEL platforms
+
+* Fri Mar 21 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.1-1
+- PKI TRAC Ticket #840 - pkispawn requires policycoreutils-python (mharmsen)
+- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python (mharmsen)
+- PKI TRAC Ticket #868 - REST API get certs links missing segment
+ (alee, mharmsen)
+- PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys
+ install - systemctl start pki-tomcatd.target fails
+ (mharmsen)
+- PKI TRAC Ticket #816 - pki-tomcat cannot be started after installation of
+ ipa replica with ca
+ (alee, cfu, edewata, mharmsen)
+- Updated version number.
+
+* Wed Jan 29 2014 Matthew Harmsen <mharmsen@redhat.com> 10.1.0-2
+- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python
+- TRAC Ticket #840 - pkispawn requires policycoreutils-python
+
+* Fri Nov 15 2013 Ade Lee <alee@redhat.com> 10.1.0-1
+- Trac Ticket 788 - Clean up spec files
+- Update release number for release build
+- Updated requirements for resteasy
+
+* Sun Nov 10 2013 Ade Lee <alee@redhat.com> 10.1.0-0.14
+- Change release number for beta build
+
+* Thu Nov 7 2013 Ade Lee <alee@redhat.com> 10.1.0-0.13
+- Updated requirements for tomcat
+
+* Fri Oct 4 2013 Ade Lee <alee@redhat.com> 10.1.0-0.12
+- Removed additional /var/run, /var/lock references.
+
+* Fri Oct 4 2013 Ade Lee <alee@redhat.com> 10.1.0-0.11
+- Removed delivery of /var/lock and /var/run directories for fedora 20.
+
+* Wed Aug 14 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.10
+- Moved Tomcat-based TPS into pki-core.
+
+* Wed Aug 14 2013 Abhishek Koneru <akoneru@redhat.com> 10.1.0.0.9
+- Listed new packages required during build, due to issues reported
+ by pylint.
+- Packages added: python-requests, python-ldap, libselinux-python,
+ policycoreutils-python
+
+* Fri Aug 09 2013 Abhishek Koneru <akoneru@redhat.com> 10.1.0.0.8
+- Added pylint scan to the build process.
+
+* Mon Jul 22 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.7
- Added man pages for upgrade tools.
+
+* Wed Jul 17 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.6
- Cleaned up the code to install man pages.
-* Tue Jul 9 2013 Ade Lee <alee@redhat.com> 10.0.4-0.2
+* Tue Jul 16 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.5
+- Reorganized deployment tools.
+
+* Tue Jul 9 2013 Ade Lee <alee@redhat.com> 10.1.0-0.4
- Bugzilla Bug 973224 - resteasy-base must be split into subpackages
to simplify dependencies
-* Wed Jun 26 2013 Ade Lee <alee@redhat.com> 10.0.4-0.1
-- Roll release to next version
-
-* Mon Jun 10 2013 Ade Lee <alee@redhat.com> 10.0.3-2
-- TRAC Ticket 646 - PKCS12Export fails on F19
-- Bugzilla Bug 961522 - allows key to be exported
-
-* Thu Jun 6 2013 Ade Lee <alee@redhat.com> 10.0.3-1
-- Change release number for official release.
+* Fri Jun 14 2013 Endi S. Dewata <edewata@redhat.com> 10.1.0-0.3
+- Updated dependencies to Java 1.7.
-* Wed Jun 5 2013 Matthew Harmsen <mharmsen@redhat.com> 10.0.3-0.2
+* Wed Jun 5 2013 Matthew Harmsen <mharmsen@redhat.com> 10.1.0-0.2
- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page
- TRAC Ticket 610 - Document limitation in using GUI install
- TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory
-* Tue May 7 2013 Ade Lee <alee@redhat.com> 10.0.3-0.1
-- Roll release to next version.
+* Tue May 7 2013 Ade Lee <alee@redhat.com> 10.1.0-0.1
+- Change release number for 10.1 development
* Mon May 6 2013 Endi S. Dewata <edewata@redhat.com> 10.0.2-5
- Fixed incorrect JNI_JAR_DIR.