diff --git a/.gitignore b/.gitignore
index 2e17446..87aa2ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.10.5.tar.gz
+SOURCES/pki-10.11.0-alpha3.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index a910798..21eb60c 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
+a0707cfdb0ae99679e4d101261d8e2a59a90b6d7 SOURCES/pki-10.11.0-alpha3.tar.gz
diff --git a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch b/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch
deleted file mode 100644
index d6b5032..0000000
--- a/SOURCES/0001-Fix-permission-for-existing-installation-logs.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 17 May 2021 17:39:50 -0500
-Subject: [PATCH] Fix permission for existing installation logs
-
-The spec file has been updated to remove world access
-from existing installation logs in /var/log/pki.
-
-Resolves: CVE-2021-3551
----
- pki.spec | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/pki.spec b/pki.spec
-index a9ea345d8f..64bfd4fe7d 100644
---- a/pki.spec
-+++ b/pki.spec
-@@ -991,6 +991,10 @@ fi
- ##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
- ##        PKI deployment process
- 
-+# CVE-2021-3551
-+# Remove world access from existing installation logs
-+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
-+
- # Reload systemd daemons on upgrade only
- if [ "$1" == "2" ]
- then
--- 
-2.30.2
-
diff --git a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch b/SOURCES/0001-Fix-permission-for-new-installation-logs.patch
deleted file mode 100644
index 5f97ff3..0000000
--- a/SOURCES/0001-Fix-permission-for-new-installation-logs.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 17 May 2021 15:39:44 -0500
-Subject: [PATCH] Fix permission for new installation logs
-
-The enable_pki_logger() has been updated to disable
-world access for new installation logs to be created
-in /var/log/pki.
-
-Resolves: CVE-2021-3551
----
- .../python/pki/server/deployment/pkilogging.py       | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
-index 089a292559..0926173700 100644
---- a/base/server/python/pki/server/deployment/pkilogging.py
-+++ b/base/server/python/pki/server/deployment/pkilogging.py
-@@ -21,8 +21,12 @@
- # System Imports
- from __future__ import absolute_import
- import logging
-+import os
-+import pathlib
- import pprint
- 
-+import pki
-+
- sensitive_parameters = []
- 
- # Initialize 'pretty print' for objects
-@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
-     console_format = logging.Formatter('%(levelname)s: %(message)s')
-     console.setFormatter(console_format)
- 
--    # Configure file handler
--    log_file = logging.FileHandler(filename, 'w')
-+    # Create an empty file with the proper permission
-+    pathlib.Path(filename).touch()
-+    os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
-+
-+    # Configure file handler with append mode to preserve the permission
-+    log_file = logging.FileHandler(filename)
-     file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
-                                     '%Y-%m-%d %H:%M:%S')
-     log_file.setFormatter(file_format)
--- 
-2.30.2
-
diff --git a/SOURCES/0001-Fix-renewal-profile-approval-process.patch b/SOURCES/0001-Fix-renewal-profile-approval-process.patch
deleted file mode 100644
index 2aa7f35..0000000
--- a/SOURCES/0001-Fix-renewal-profile-approval-process.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 13 Jan 2021 18:27:46 +1100
-Subject: [PATCH] Fix renewal profile approval process
-
-Due to a recent change in PKI CLI, the CLI now passes along user
-authentication with submissions to the renewal endpoint. Unlike the EE
-pages, the REST API has passed along this authentication for a while.
-Due to a bug in the RenewalProcessor, requests with credentials against
-profiles with no authentication method and no ACLs result in the
-certificiate automatically being approved. This occurs because, when
-an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
-the code to allow Light-Weight SubCAs to issue certificates, validation
-wasn't done on the passed principal, to see if it was a trusted agent.
-Because profiles requring Agent approval have an empty ACL list (as, no
-user should be able to submit a certificate request and have it
-automatically signed without agent approval), authorize allows any user
-to approve this request and thus accepts the AuthToken.
-
-Critical analysis: the RenewalProcessor code interprets (authToken
-!= null) as evidence that the authenticated user is /authorized/ to
-immediately issue the certificate.  This mismatch of concerns (authn
-vs authz) resulted in a misunderstanding of system behaviour.  The
-"latent" AuthToken (from the HTTP request) was assigned to authToken
-without realising that authorization needed to be performed.
-
-We fix this by splitting the logic on whether the profile defines an
-authenticator.  If so, we (re)authenticate and authorize the user
-according to the profile configuration.
-
-If the profile does not define an authenticator but there is a
-principal in the HTTP request, if (and only if) the user has
-permission to approve certificate requests *and* the requested
-renewal profile is caManualRenewal (which is hardcoded to be used
-for LWCA renewal), then we issue the certificate immediately.  This
-special case ensures that LWCA renewal keeps working.
-
-Otherwise, if there is no principal in the HTTP request or the
-principal does not have permission to approve certificate requests,
-we leave the authToken unset.  The resulting renewal request will be
-created with status PENDING, i.e. enqueued for agent review.
-
-Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- .../com/netscape/ca/CertificateAuthority.java | 10 +++
- .../cms/servlet/cert/RenewalProcessor.java    | 75 +++++++++++++++++--
- 2 files changed, 79 insertions(+), 6 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index 560507168a..431ce9ff78 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -1929,6 +1929,16 @@ public class CertificateAuthority
-         }
- 
-         ProfileSubsystem ps = engine.getProfileSubsystem();
-+        /* NOTE: hard-coding the profile to use for Lightweight CA renewal
-+         * might be OK, but caManualRenewal was not the right one to use.
-+         * As a consequence, we have an undesirable special case in
-+         * RenewalProcessor.processRenewal().
-+         *
-+         * We should introduce a new profile specifically for LWCA renewal,
-+         * with an authenticator and ACLs to match the authz requirements
-+         * for the renewAuthority REST resource itself.  Then we can use
-+         * it here, and remove the workaround from RenewalProcessor.
-+         */
-         Profile profile = ps.getProfile("caManualRenewal");
-         CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
-             new ArgBlock(), profile, httpReq.getLocale());
-diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-index 4293cdd064..fd20f48267 100644
---- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
-@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
- 
- import org.apache.commons.lang3.StringUtils;
- import org.dogtagpki.server.ca.CAEngine;
-+import org.dogtagpki.server.authorization.AuthzToken;
- import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
- import org.mozilla.jss.netscape.security.x509.X509CertImpl;
- 
-@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor {
- 
-             // before creating the request, authenticate the request
-             IAuthToken authToken = null;
--            Principal principal = request.getUserPrincipal();
--            if (principal instanceof PKIPrincipal)
--                authToken = ((PKIPrincipal) principal).getAuthToken();
--            if (authToken == null && authenticator != null) {
--                authToken = authenticate(request, origReq, authenticator, context, true, credentials);
-+
-+            if (authenticator != null) {
-+                /* The profile specifies an authenticator.  Use it to
-+                 * authenticate the user.  Ignore the "latent" session
-+                 * principal (if any).
-+                 */
-+                authToken = authenticate(
-+                    request,
-+                    origReq,
-+                    authenticator,
-+                    context,
-+                    true /* isRenewal */,
-+                    credentials);
-+            } else {
-+                /* When authenticator is null, we expect manual agent
-+                 * review (leave authToken as null).
-+                 *
-+                 * But as a special case to ensure Lightweight CA (LWCA)
-+                 * renewal works, if there is a latent user in the HTTP
-+                 * request, we use that user (i.e. set authToken to the
-+                 * principal's IAuthToken) if and only if:
-+                 *
-+                 * - The renewal profile is caManualRenewal (LWCA renewal
-+                 *   is hardcoded to use this profile); AND
-+                 *
-+                 * - The latent user is authorized to "execute"
-+                 *   certificate requests (i.e. agent approval)
-+                 *
-+                 * See also CertificateAuthority.renewAuthority().
-+                 */
-+
-+                Principal principal = request.getUserPrincipal();
-+                if (
-+                    renewProfileId.equals("caManualRenewal")
-+                    && principal instanceof PKIPrincipal
-+                ) {
-+                    IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken();
-+                    AuthzToken authzToken = authorize(
-+                        "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute");
-+                    if (authzToken != null) {
-+                        // Success (no exception); user is authorized to approve
-+                        // cert requests.  Set the authToken.
-+                        //
-+                        // NOTE: This authz does not replace or subsume the
-+                        // profile-specific authz check below.
-+                        authToken = latentToken;
-+                    } else {
-+                        // leave authToken as null to enqueue a pending request.
-+                    }
-+                } else {
-+                    // not caManualRenewal or no latent principal;
-+                    // leave authToken as null to enqueue a pending request.
-+                }
-             }
- 
--            // authentication success, now authorize
-+            /* Authorize the request.
-+             *
-+             * If authToken != null, it will be checked against ACLs specified
-+             * in the profile (if any).  If ACLs are defined and authToken does
-+             * not match, throws an authorization exception.
-+             *
-+             * If authToken == null, no check is performed (even if the profile
-+             * defines ACLs).  This is fine, because null authToken will cause
-+             * the request status to be 'pending' [agent approval].
-+             */
-             authorize(profileId, renewProfile, authToken);
- 
-+            /* At this point, the request will be created.  If authToken
-+             * is non-null, then the certificate will be issued
-+             * immediately.  Otherwise the request will be pending. */
-+
-+
-             ///////////////////////////////////////////////
-             // create and populate requests
-             ///////////////////////////////////////////////
--- 
-2.26.2
-
diff --git a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch b/SOURCES/0001-Removed-dependency-on-pytest-runner.patch
deleted file mode 100644
index 5d5c1b1..0000000
--- a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From ab8b87af09b26c3c7ec257e0fb8e5ae931153120 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 8 Feb 2020 21:56:41 -0600
-Subject: [PATCH] Removed dependency on pytest-runner
-
----
- base/server/healthcheck/setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/base/server/healthcheck/setup.py b/base/server/healthcheck/setup.py
-index 22db8bd0f..c629e34c0 100644
---- a/base/server/healthcheck/setup.py
-+++ b/base/server/healthcheck/setup.py
-@@ -32,6 +32,5 @@ setup(
-         'Programming Language :: Python :: 3.6',
-     ],
-     python_requires='!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*',
--    setup_requires=['pytest-runner'],
-     tests_require=['pytest'],
- )
--- 
-2.21.0
-
diff --git a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch b/SOURCES/0001-Use-password-file-when-creating-admin-user.patch
deleted file mode 100644
index f873dd3..0000000
--- a/SOURCES/0001-Use-password-file-when-creating-admin-user.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 17 May 2021 18:17:26 -0500
-Subject: [PATCH] Use password file when creating admin user
-
-The pki-server <subsystem>-user-add has been updated to
-provide a --password-file option. The deployment tool
-has been modified to use this option when creating the
-admin user to avoid the password from getting logged in
-the debug mode.
-
-Resolves: CVE-2021-3551
----
- base/server/python/pki/server/cli/user.py     |  9 ++-
- .../python/pki/server/deployment/__init__.py  |  5 +-
- base/server/python/pki/server/subsystem.py    | 74 +++++++++++--------
- .../server/cli/SubsystemUserAddCLI.java       | 11 +++
- 4 files changed, 66 insertions(+), 33 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
-index c00a1acb50..c5c8d52956 100644
---- a/base/server/python/pki/server/cli/user.py
-+++ b/base/server/python/pki/server/cli/user.py
-@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
-         print('      --full-name <full name>        Full name')
-         print('      --email <email>                Email')
-         print('      --password <password>          Password')
-+        print('      --password-file <path>         Password file')
-         print('      --phone <phone>                Phone')
-         print('      --type <type>                  Type')
-         print('      --state <state>                State')
-@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
-     def execute(self, argv):
-         try:
-             opts, args = getopt.gnu_getopt(argv, 'i:v', [
--                'instance=', 'full-name=', 'email=', 'password=',
-+                'instance=', 'full-name=', 'email=',
-+                'password=', 'password-file=',
-                 'phone=', 'type=', 'state=', 'tps-profiles=',
-                 'verbose', 'debug', 'help'])
- 
-@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
-         full_name = None
-         email = None
-         password = None
-+        password_file = None
-         phone = None
-         user_type = None
-         state = None
-@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
-             elif o == '--password':
-                 password = a
- 
-+            elif o == '--password-file':
-+                password_file = a
-+
-             elif o == '--phone':
-                 phone = a
- 
-@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
-             full_name=full_name,
-             email=email,
-             password=password,
-+            password_file=password_file,
-             phone=phone,
-             user_type=user_type,
-             tps_profiles=tps_profiles,
-diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
-index 347ab1acdd..6d5f083b47 100644
---- a/base/server/python/pki/server/deployment/__init__.py
-+++ b/base/server/python/pki/server/deployment/__init__.py
-@@ -373,6 +373,8 @@ class PKIDeployer:
- 
-         response = client.setupAdmin(request)
- 
-+        # Run the command as current user such that
-+        # it can read the temporary password file.
-         subsystem.add_user(
-             uid,
-             full_name=full_name,
-@@ -380,7 +382,8 @@ class PKIDeployer:
-             password=password,
-             user_type='adminType',
-             state='1',
--            tps_profiles=tps_profiles)
-+            tps_profiles=tps_profiles,
-+            as_current_user=True)
- 
-         admin_groups = subsystem.config['preop.admin.group']
-         groups = [x.strip() for x in admin_groups.split(',')]
-diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
-index a3ed0c7f3a..41d8d67c2e 100644
---- a/base/server/python/pki/server/subsystem.py
-+++ b/base/server/python/pki/server/subsystem.py
-@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
-                  full_name=None,
-                  email=None,
-                  password=None,
-+                 password_file=None,
-                  phone=None,
-                  user_type=None,
-                  state=None,
-                  tps_profiles=None,
-                  as_current_user=False):
- 
--        cmd = [self.name + '-user-add']
-+        tmpdir = tempfile.mkdtemp()
- 
--        if full_name:
--            cmd.append('--full-name')
--            cmd.append(full_name)
-+        try:
-+            if password and not password_file:
-+                password_file = os.path.join(tmpdir, 'password.txt')
-+                with open(password_file, 'w') as f:
-+                    f.write(password)
- 
--        if email:
--            cmd.append('--email')
--            cmd.append(email)
-+            cmd = [self.name + '-user-add']
- 
--        if password:
--            cmd.append('--password')
--            cmd.append(password)
-+            if full_name:
-+                cmd.append('--full-name')
-+                cmd.append(full_name)
- 
--        if phone:
--            cmd.append('--phone')
--            cmd.append(phone)
-+            if email:
-+                cmd.append('--email')
-+                cmd.append(email)
- 
--        if user_type:
--            cmd.append('--type')
--            cmd.append(user_type)
-+            if password_file:
-+                cmd.append('--password-file')
-+                cmd.append(password_file)
- 
--        if state:
--            cmd.append('--state')
--            cmd.append(state)
-+            if phone:
-+                cmd.append('--phone')
-+                cmd.append(phone)
- 
--        if tps_profiles:
--            cmd.append('--tps-profiles')
--            cmd.append(','.join(tps_profiles))
-+            if user_type:
-+                cmd.append('--type')
-+                cmd.append(user_type)
- 
--        if logger.isEnabledFor(logging.DEBUG):
--            cmd.append('--debug')
-+            if state:
-+                cmd.append('--state')
-+                cmd.append(state)
- 
--        elif logger.isEnabledFor(logging.INFO):
--            cmd.append('--verbose')
-+            if tps_profiles:
-+                cmd.append('--tps-profiles')
-+                cmd.append(','.join(tps_profiles))
- 
--        cmd.append(user_id)
-+            if logger.isEnabledFor(logging.DEBUG):
-+                cmd.append('--debug')
- 
--        self.run(
--            cmd,
--            as_current_user=as_current_user,
--            capture_output=True)
-+            elif logger.isEnabledFor(logging.INFO):
-+                cmd.append('--verbose')
-+
-+            cmd.append(user_id)
-+
-+            self.run(
-+                cmd,
-+                as_current_user=as_current_user,
-+                capture_output=True)
-+
-+        finally:
-+            shutil.rmtree(tmpdir)
- 
-     def modify_user(self, user_id, add_see_also=None, del_see_also=None,
-                     as_current_user=False):
-diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
-index 5a385c359f..04d68de758 100644
---- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
-+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
-@@ -6,6 +6,8 @@
- package org.dogtagpki.server.cli;
- 
- import java.io.File;
-+import java.nio.file.Files;
-+import java.nio.file.Paths;
- import java.util.Arrays;
- import java.util.List;
- 
-@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
-         option.setArgName("password");
-         options.addOption(option);
- 
-+        option = new Option(null, "password-file", true, "Password file");
-+        option.setArgName("path");
-+        options.addOption(option);
-+
-         option = new Option(null, "phone", true, "Phone");
-         option.setArgName("phone");
-         options.addOption(option);
-@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
- 
-         String email = cmd.getOptionValue("email");
-         String password = cmd.getOptionValue("password");
-+        String passwordFile = cmd.getOptionValue("password-file");
-         String phone = cmd.getOptionValue("phone");
-         String type = cmd.getOptionValue("type");
-         String state = cmd.getOptionValue("state");
-         String tpsProfiles = cmd.getOptionValue("tps-profiles");
- 
-+        if (passwordFile != null) {
-+            password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
-+        }
-+
-         String catalinaBase = System.getProperty("catalina.base");
- 
-         TomcatJSS tomcatjss = TomcatJSS.getInstance();
--- 
-2.30.2
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 7ff4063..0ada9fe 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -12,9 +12,9 @@ License:          GPLv2 and LGPLv2
 
 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
-Version:          10.10.5
-Release:          3%{?_timestamp}%{?_commit_id}%{?dist}
-#global           _phase -beta1
+Version:          10.11.0
+Release:          0.3.alpha3%{?_timestamp}%{?_commit_id}%{?dist}
+%global           _phase -alpha3
 
 # To create a tarball from a version tag:
 # $ git archive \
@@ -31,16 +31,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 
-# Do not remove this!! pytest-runner isn't available on RHEL. Removing this
-# patch will break RHEL builds. The error message is:
-# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
-#   [Errno 111] Connection refused -- Some packages may not be found!
-Patch1: 0001-Removed-dependency-on-pytest-runner.patch
-Patch2: 0001-Fix-renewal-profile-approval-process.patch
-Patch3: 0001-Use-password-file-when-creating-admin-user.patch
-Patch4: 0001-Fix-permission-for-new-installation-logs.patch
-Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
-
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
 # so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
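Review bot: The `Patch2`–`Patch5` lines removed in this hunk are the downstream fixes for the renewal-approval flaw and for CVE-2021-3551, and nothing visible in this diff confirms that the `pki-10.11.0-alpha3` tarball already contains them. Before this lands, check that the upstream commits named in the deleted patch headers (608e9bbe, 5764a80e, 7da63502, 82eaf721), or their equivalents, are in the tag being packaged, and record the result in the spec, for example `# CVE-2021-3551 and CVE-2021-20179 fixes are upstream as of 10.11.0; downstream patches dropped`. The `%changelog` hunk at the end of the file also deletes the 10.10.5-2 and 10.10.5-3 entries that name CVE-2021-20179 and CVE-2021-3551; keeping them below the new 10.11.0 entries preserves the record that changelog-based CVE audits look for. `Patch1` carried a "Do not remove this!!" warning about RHEL builds, so the same check applies to whether the new tarball's `base/server/healthcheck/setup.py` still lists `pytest-runner`.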
@@ -69,15 +59,14 @@ ExcludeArch: i686
 # Java
 ################################################################################
 
-%define java_devel java-devel
-%define java_headless java-headless
-
-%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
-%define min_java_version 1:11
-%define java_home /usr/lib/jvm/java-11-openjdk
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
 %else
-%define min_java_version 1:1.8.0
-%define java_home /usr/lib/jvm/java-1.8.0-openjdk
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
 %endif
 
 ################################################################################
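Review bot: The new `%if` condition mixes `&&` and `||` without parentheses, so its meaning depends on how rpm's expression parser groups the two operators, which a reader cannot tell from the line. Writing it as `%if (0%{?fedora} && 0%{?fedora} <= 32) || (0%{?rhel} && 0%{?rhel} <= 8)` makes the intended grouping explicit. It also protects the Java 8 / Java 11 selection from being silently flipped if another term is appended later.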
@@ -94,8 +83,7 @@ ExcludeArch: i686
 # By default the build will execute unit tests unless --without test
 # option is specified.
 
-# bcond_without test
-%global with_test 1
+%bcond_without test
 
 # By default all packages will be built except the ones specified with
 # --without <package> option (exclusion method).
@@ -143,8 +131,6 @@ ExcludeArch: i686
 %define debug_package %{nil}
 %endif
 
-%bcond_without sdnotify
-
 # ignore unpackaged files from native 'tpsclient'
 # REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app
 %define _unpackaged_files_terminate_build 0
@@ -182,14 +168,11 @@ fi;
 # Build Dependencies
 ################################################################################
 
-# autosetup
-BuildRequires:    git
 BuildRequires:    make
-
 BuildRequires:    cmake >= 3.0.2
 BuildRequires:    gcc-c++
 BuildRequires:    zip
-BuildRequires:    %java_devel >= %{min_java_version}
+BuildRequires:    %{java_devel}
 BuildRequires:    javapackages-tools
 BuildRequires:    redhat-rpm-config
 BuildRequires:    ldapjdk >= 4.22.0
@@ -197,8 +180,8 @@ BuildRequires:    apache-commons-cli
 BuildRequires:    apache-commons-codec
 BuildRequires:    apache-commons-io
 BuildRequires:    apache-commons-lang3 >= 3.2
+BuildRequires:    apache-commons-logging
 BuildRequires:    apache-commons-net
-BuildRequires:    jakarta-commons-httpclient
 BuildRequires:    glassfish-jaxb-api
 BuildRequires:    slf4j
 BuildRequires:    slf4j-jdk14
@@ -212,7 +195,6 @@ BuildRequires:    policycoreutils
 BuildRequires:    python3-lxml
 BuildRequires:    python3-sphinx
 
-BuildRequires:    velocity
 BuildRequires:    xalan-j2
 BuildRequires:    xerces-j2
 
@@ -222,7 +204,6 @@ BuildRequires:    resteasy >= 3.0.26
 BuildRequires:    jboss-annotations-1.2-api
 BuildRequires:    jboss-jaxrs-2.0-api
 BuildRequires:    jboss-logging
-BuildRequires:    resteasy-atom-provider >= 3.0.17-1
 BuildRequires:    resteasy-client >= 3.0.17-1
 BuildRequires:    resteasy-jaxb-provider >= 3.0.17-1
 BuildRequires:    resteasy-core >= 3.0.17-1
@@ -236,23 +217,14 @@ BuildRequires:    python3-cryptography
 BuildRequires:    python3-lxml
 BuildRequires:    python3-ldap
 BuildRequires:    python3-libselinux
-BuildRequires:    python3-nss
 BuildRequires:    python3-requests >= 2.6.0
 BuildRequires:    python3-six
 
-%if 0%{?fedora} || 0%{?rhel} > 8
-BuildRequires:    python3-pytest-runner
-%endif
-
 BuildRequires:    junit
 BuildRequires:    jpackage-utils >= 0:1.7.5-10
-BuildRequires:    jss >= 4.8.1
+BuildRequires:    jss >= 4.9.0
 BuildRequires:    tomcatjss >= 7.6.1
 
-# JNA is used to bind to libsystemd
-%if %{with sdnotify}
-BuildRequires:    jna
-%endif
 BuildRequires:    systemd-units
 
 %if 0%{?rhel} && ! 0%{?eln}
@@ -371,9 +343,9 @@ PKI consists of the following components:
 
 Summary:          PKI Symmetric Key Package
 
-Requires:         %java_headless >= %{min_java_version}
+Requires:         %{java_headless}
 Requires:         jpackage-utils >= 0:1.7.5-10
-Requires:         jss >= 4.8.0
+Requires:         jss >= 4.9.0
 Requires:         nss >= 3.38.0
 
 # Ensure we end up with a useful installation
@@ -426,7 +398,6 @@ Requires:         python3 >= 3.5
 Requires:         python3-cryptography
 Requires:         python3-ldap
 Requires:         python3-lxml
-Requires:         python3-nss
 Requires:         python3-requests >= 2.6.0
 Requires:         python3-six
 
@@ -440,26 +411,24 @@ This package contains PKI client library for Python 3.
 Summary:          PKI Base Java Package
 BuildArch:        noarch
 
-Requires:         %java_headless >= %{min_java_version}
+Requires:         %{java_headless}
 Requires:         apache-commons-cli
 Requires:         apache-commons-codec
 Requires:         apache-commons-io
 Requires:         apache-commons-lang3 >= 3.2
 Requires:         apache-commons-logging
 Requires:         apache-commons-net
-Requires:         jakarta-commons-httpclient
 Requires:         glassfish-jaxb-api
 Requires:         slf4j
 Requires:         slf4j-jdk14
 Requires:         jpackage-utils >= 0:1.7.5-10
-Requires:         jss >= 4.7.0
+Requires:         jss >= 4.9.0
 Requires:         ldapjdk >= 4.22.0
 Requires:         pki-base = %{version}-%{release}
 
 %if 0%{?rhel} && 0%{?rhel} <= 8
 Requires:         resteasy >= 3.0.26
 %else
-Requires:         resteasy-atom-provider >= 3.0.17-1
 Requires:         resteasy-client >= 3.0.17-1
 Requires:         resteasy-jaxb-provider >= 3.0.17-1
 Requires:         resteasy-core >= 3.0.17-1
@@ -535,7 +504,6 @@ Requires:         pki-servlet-engine
 Requires:         tomcat >= 1:9.0.7
 %endif
 
-Requires:         velocity
 Requires:         sudo
 Requires:         systemd
 Requires(post):   systemd-units
@@ -544,11 +512,6 @@ Requires(postun): systemd-units
 Requires(pre):    shadow-utils
 Requires:         tomcatjss >= 7.6.1
 
-# JNA is used to bind to libsystemd
-%if %{with sdnotify}
-Requires:         jna
-%endif
-
 # pki-healthcheck depends on the following library
 %if 0%{?rhel}
 Requires:         ipa-healthcheck-core
@@ -861,7 +824,7 @@ This package contains PKI test suite.
 %prep
 ################################################################################
 
-%autosetup -n pki-%{version}%{?_phase} -p 1 -S git
+%autosetup -n pki-%{version}%{?_phase} -p 1
 
 ################################################################################
 %build
@@ -875,7 +838,7 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
 java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
 
 # assume tomcat app_server
-app_server=tomcat-8.5
+app_server=tomcat-9.0
 
 %if 0%{?rhel} && 0%{?rhel} <= 8
 %{__mkdir_p} build
@@ -888,8 +851,8 @@ cd build
     -DVAR_INSTALL_DIR:PATH=/var \
     -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
     -DJAVA_VERSION=${java_version} \
-    -DJAVA_HOME=%java_home \
-    -DPKI_JAVA_PATH=%java_home/bin/java \
+    -DJAVA_HOME=%{java_home} \
+    -DPKI_JAVA_PATH=%{java_home}/bin/java \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
     -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
     -DAPP_SERVER=$app_server \
@@ -907,7 +870,6 @@ cd build
     -DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
     -DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
     -DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
-    -DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
     -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
     -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
     -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
@@ -949,7 +911,7 @@ cd %{_vpath_builddir}
     --no-print-directory \
     install
 
-%if %{with_test}
+%if %{with test}
 ctest --output-on-failure
 %endif
 
@@ -1251,10 +1213,6 @@ fi
 %{_datadir}/pki/setup/
 %{_datadir}/pki/server/
 
-%if %{with sdnotify}
-%{_javadir}/pki/pki-systemd.jar
-%endif
-
 # with server
 %endif
 
@@ -1402,15 +1360,14 @@ fi
 
 ################################################################################
 %changelog
-* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
-- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
+* Mon Jun 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.3
+- Rebase to PKI 10.11.0-alpha3
 
-* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
-- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
+* Thu Jun 03 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.2
+- Fix JAVA_HOME
 
-* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
-- Rebase to PKI 10.10.5
-- Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.1
+- Rebase to PKI 10.11.0-alpha2
 
 * Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
 - Rebase to PKI 10.10.4