[Pkg-freeipa-devel] dogtag-pki: Changes to 'upstream'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Apr 5 16:45:49 UTC 2016
CMakeLists.txt | 3
base/ca/shared/conf/CS.cfg.in | 9
base/ca/shared/conf/indextasks.ldif | 31
base/ca/shared/profiles/ca/AdminCert.cfg | 4
base/ca/shared/profiles/ca/caAdminCert.cfg | 4
base/ca/shared/webapps/ca/agent/ca/displayBySerial.template | 8
base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template | 4
base/ca/shared/webapps/ca/agent/ca/queryCert.template | 4
base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template | 56
base/ca/shared/webapps/ca/ee/ca/displayBySerial.template | 8
base/ca/shared/webapps/ca/ee/ca/displayBySerial2.template | 4
base/ca/shared/webapps/ca/ee/ca/displayCaCert.template | 8
base/ca/shared/webapps/ca/ee/ca/queryCert.template | 4
base/ca/shared/webapps/ca/services.template | 6
base/ca/src/com/netscape/ca/CertificateAuthority.java | 5
base/ca/src/com/netscape/ca/SigningUnit.java | 13
base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java | 16
base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 11
base/common/python/pki/cli.py | 7
base/common/python/pki/client.py | 24
base/common/python/pki/nssdb.py | 533 ++++++
base/common/src/com/netscape/certsrv/apps/CMS.java | 39
base/common/src/com/netscape/certsrv/apps/ICMSEngine.java | 7
base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java | 20
base/common/src/com/netscape/certsrv/cert/CertRequestResource.java | 10
base/common/src/com/netscape/certsrv/client/PKIConnection.java | 20
base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java | 2
base/common/src/com/netscape/certsrv/profile/IProfileSubsystem.java | 5
base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java | 31
base/java-tools/man/man1/pki-cert.1 | 23
base/java-tools/man/man1/pki-client.1 | 17
base/java-tools/man/man1/pki-user-cert.1 | 8
base/java-tools/man/man1/pki-user-membership.1 | 84 +
base/java-tools/man/man1/pki.1 | 6
base/java-tools/src/com/netscape/cmstools/PKCS12Export.java | 12
base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java | 184 ++
base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 94 -
base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java | 168 +-
base/javadoc/CMakeLists.txt | 61
base/kra/shared/conf/CS.cfg.in | 2
base/kra/shared/conf/indextasks.ldif | 31
base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template | 4
base/kra/src/com/netscape/kra/RecoveryService.java | 2
base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java | 107 +
base/kra/src/com/netscape/kra/SecurityDataService.java | 61
base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 2
base/native-tools/src/setpin/setpin.c | 59
base/native-tools/src/setpin/setpin_options.c | 7
base/native-tools/src/sslget/sslget.c | 23
base/ocsp/shared/conf/CS.cfg.in | 7
base/ocsp/shared/conf/indextasks.ldif | 31
base/ocsp/src/com/netscape/ocsp/SigningUnit.java | 2
base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java | 54
base/server/cms/src/com/netscape/cms/authentication/TokenAuthentication.java | 38
base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java | 12
base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java | 12
base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java | 17
base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java | 12
base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java | 79 -
base/server/cms/src/com/netscape/cms/realm/PKIRealm.java | 33
base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java | 14
base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java | 67
base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java | 15
base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 45
base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java | 60
base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 36
base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java | 2
base/server/cms/src/com/netscape/cms/servlet/csadmin/AdminPanel.java | 332 ----
base/server/cms/src/com/netscape/cms/servlet/csadmin/AuthDBPanel.java | 125 -
base/server/cms/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java | 192 --
base/server/cms/src/com/netscape/cms/servlet/csadmin/BackupKeyCertPanel.java | 215 --
base/server/cms/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java | 375 ----
base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 115 -
base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigHSMLoginPanel.java | 296 ---
base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 771 ++++++----
base/server/cms/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java | 279 ---
base/server/cms/src/com/netscape/cms/servlet/csadmin/DatabasePanel.java | 532 ------
base/server/cms/src/com/netscape/cms/servlet/csadmin/DisplayCertChainPanel.java | 226 --
base/server/cms/src/com/netscape/cms/servlet/csadmin/DonePanel.java | 313 ----
base/server/cms/src/com/netscape/cms/servlet/csadmin/HierarchyPanel.java | 194 --
base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java | 340 ----
base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java | 145 -
base/server/cms/src/com/netscape/cms/servlet/csadmin/ModulePanel.java | 338 ----
base/server/cms/src/com/netscape/cms/servlet/csadmin/NamePanel.java | 622 --------
base/server/cms/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java | 235 ---
base/server/cms/src/com/netscape/cms/servlet/csadmin/SavePKCS12Panel.java | 144 -
base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainPanel.java | 482 ------
base/server/cms/src/com/netscape/cms/servlet/csadmin/SizePanel.java | 491 ------
base/server/cms/src/com/netscape/cms/servlet/csadmin/WelcomePanel.java | 128 -
base/server/cms/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java | 306 ---
base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java | 85 -
base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java | 3
base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java | 66
base/server/cms/src/com/netscape/cms/servlet/wizard/IWizardPanel.java | 111 -
base/server/cms/src/com/netscape/cms/servlet/wizard/WizardServlet.java | 489 ------
base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java | 10
base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 90 -
base/server/cmsbundle/src/UserMessages.properties | 2
base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 230 ++
base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java | 4
base/server/cmscore/src/com/netscape/cmscore/authentication/PasswdUserDBAuthentication.java | 80 -
base/server/cmscore/src/com/netscape/cmscore/base/LDAPConfigStore.java | 57
base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java | 80 -
base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java | 53
base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java | 202 ++
base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java | 2
base/server/etc/default.cfg | 12
base/server/man/man1/pkidaemon.1 | 14
base/server/man/man5/pki_default.cfg.5 | 10
base/server/man/man8/pki-server-subsystem.8 | 26
base/server/man/man8/pkispawn.8 | 4
base/server/python/pki/server/__init__.py | 225 ++
base/server/python/pki/server/ca.py | 92 +
base/server/python/pki/server/cli/ca.py | 206 ++
base/server/python/pki/server/cli/instance.py | 28
base/server/python/pki/server/cli/migrate.py | 14
base/server/python/pki/server/cli/nuxwdog.py | 4
base/server/python/pki/server/cli/subsystem.py | 519 +++++-
base/server/python/pki/server/deployment/pkihelper.py | 179 +-
base/server/python/pki/server/deployment/pkimessages.py | 8
base/server/python/pki/server/deployment/pkiparser.py | 66
base/server/python/pki/server/deployment/scriptlets/configuration.py | 132 +
base/server/python/pki/server/deployment/scriptlets/finalization.py | 12
base/server/python/pki/server/deployment/scriptlets/security_databases.py | 12
base/server/python/pki/server/upgrade.py | 3
base/server/sbin/pki-server | 2
base/server/sbin/pkidestroy | 2
base/server/sbin/pkispawn | 41
base/server/share/conf/ciphers.info | 74
base/server/share/webapps/ROOT/index.jsp | 9
base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 6
base/server/tomcat7/conf/server.xml | 9
base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java | 5
base/server/tomcat8/conf/server.xml | 9
base/server/tomcat8/src/CMakeLists.txt | 10
base/server/upgrade/10.2.6/01-RemoveInaccessableURLsFromServerXML | 2
base/tks/shared/conf/CS.cfg.in | 2
base/tks/shared/conf/indextasks.ldif | 31
base/tps/shared/conf/CS.cfg.in | 26
base/tps/shared/conf/indextasks.ldif | 14
base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java | 2
base/tps/src/org/dogtagpki/server/tps/installer/CAInfoPanel.java | 171 --
base/tps/src/org/dogtagpki/server/tps/installer/DRMInfoPanel.java | 154 -
base/tps/src/org/dogtagpki/server/tps/installer/TKSInfoPanel.java | 150 -
base/tps/src/org/dogtagpki/server/tps/mapping/FilterMappingResolver.java | 17
base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java | 15
base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 12
base/util/src/com/netscape/cmsutil/ldap/LDAPPostReadControl.java | 106 +
base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java | 18
specs/pki-core.spec | 297 +++
150 files changed, 5146 insertions(+), 8751 deletions(-)
New commits:
commit e8daf1a7476682ad19bd736d81a5142a78560663
Author: Matthew Harmsen <mharmsen at pki.usersys.redhat.com>
Date: Thu Mar 17 15:37:51 2016 -0600
Inserted Fedora 22 specific dependencies into 'pki-core.spec' (Dogtag 10.2.6)
to be in sync with Fedora 22 in Koji.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 51416f9..565b4b5 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -122,9 +122,13 @@ BuildRequires: tomcatjss >= 7.1.0-6
%if 0%{?fedora} >= 23
BuildRequires: tomcatjss >= 7.1.3
%else
+%if 0%{?fedora} == 22
+BuildRequires: tomcatjss >= 7.1.2-2
+%else
BuildRequires: tomcatjss >= 7.1.2
%endif
%endif
+%endif
# additional build requirements needed to build native 'tpsclient'
@@ -406,7 +410,9 @@ Requires: jpackage-utils >= 0:1.7.5-10
%if 0%{?fedora} >= 23
Requires: tomcat-servlet-3.1-api >= 8.0.32
%else
-%if 0%{?fedora} >= 22
+%if 0%{?fedora} == 22
+Requires: tomcat-servlet-3.0-api >= 7.0.68
+%else
Requires: tomcat-servlet-3.0-api
%endif
%endif
@@ -471,12 +477,19 @@ Requires: tomcat-el-3.0-api >= 8.0.32
Requires: tomcat-jsp-2.3-api >= 8.0.32
Requires: tomcat-servlet-3.1-api >= 8.0.32
%else
+%if 0%{?fedora} == 22
+Requires: tomcat >= 7.0.68
+Requires: tomcat-el-2.2-api >= 7.0.68
+Requires: tomcat-jsp-2.2-api >= 7.0.68
+Requires: tomcat-servlet-3.0-api >= 7.0.68
+%else
Requires: tomcat >= 7.0.47
Requires: tomcat-el-2.2-api
Requires: tomcat-jsp-2.2-api
Requires: tomcat-servlet-3.0-api
%endif
%endif
+%endif
Requires: velocity
Requires(post): systemd-units
@@ -490,9 +503,13 @@ Requires: tomcatjss >= 7.1.0-6
%if 0%{?fedora} >= 23
Requires: tomcatjss >= 7.1.3
%else
+%if 0%{?fedora} == 22
+Requires: tomcatjss >= 7.1.2-2
+%else
Requires: tomcatjss >= 7.1.2
%endif
%endif
+%endif
%description -n pki-server
The PKI Server Framework is required by the following four PKI subsystems:
commit d388b08bc354e456e0571dcfae6ecd67e097ec26
Author: Matthew Harmsen <mharmsen at pki.usersys.redhat.com>
Date: Thu Mar 17 15:26:14 2016 -0600
Changed 'pki-core.spec' (Dogtag 10.2.6) to be in sync with Fedora 23 in Koji.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 61a01e2..51416f9 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -9,7 +9,6 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%define with_tomcat7 0
%define with_tomcat8 1
%else
-# 0%{?rhel} || 0%{?fedora} <= 22
%define with_tomcat7 1
%define with_tomcat8 0
%endif
@@ -18,7 +17,6 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%if 0%{?rhel}
%define resteasy_lib /usr/share/java/resteasy-base
%else
-# 0%{?fedora}
%define resteasy_lib /usr/share/java/resteasy
%endif
@@ -40,7 +38,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.2.6
-Release: 13%{?dist}
+Release: 16%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -202,6 +200,18 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
#Patch39: pki-core-Replaced-legacy-HttpClient.patch
## pki-core-10.2.6-12
#Patch40: pki-core-Added-automatic-Tomcat-migration.patch
+## pki-core-10.2.6-13
+#Patch41: pki-core-sslget-must-set-host-HTTP-header.patch
+## pki-core-10.2.6-14
+#Patch42: pki-core-Profile-creation-LDAPProfileSubsystem-can-fail-due-to-race-condition.patch
+#Patch43: pki-core-Block-startup-until-initial-profile-load-completed.patch
+## pki-core-10.2.6-15
+#Patch44: pki-core-Added-support-for-existing-CA-case-CS9.patch
+#Patch45: pki-core-Fixed-mismatching-certificate-validity-calculation.patch
+#Patch46: pki-core-Fix-to-determine-supported-javadoc-options.patch
+## pki-core-10.2.6-16
+#Patch47: pki-core-Modify-dnsdomainname-test-in-pkispawn.patch
+#Patch48: pki-core-Build-with-Tomcat-8.0.32.patch
%global saveFileContext() \
if [ -s /etc/selinux/config ]; then \
@@ -394,7 +404,7 @@ Requires: java-headless >= 1:1.7.0
Requires: pki-base = %{version}-%{release}
Requires: jpackage-utils >= 0:1.7.5-10
%if 0%{?fedora} >= 23
-Requires: tomcat-servlet-3.1-api
+Requires: tomcat-servlet-3.1-api >= 8.0.32
%else
%if 0%{?fedora} >= 22
Requires: tomcat-servlet-3.0-api
@@ -455,12 +465,13 @@ Obsoletes: pki-selinux
%if 0%{?rhel}
Requires: tomcat >= 7.0.54
%else
-Requires: tomcat >= 7.0.47
%if 0%{?fedora} >= 23
-Requires: tomcat-el-3.0-api
-Requires: tomcat-jsp-2.3-api
-Requires: tomcat-servlet-3.1-api
+Requires: tomcat >= 8.0.32
+Requires: tomcat-el-3.0-api >= 8.0.32
+Requires: tomcat-jsp-2.3-api >= 8.0.32
+Requires: tomcat-servlet-3.1-api >= 8.0.32
%else
+Requires: tomcat >= 7.0.47
Requires: tomcat-el-2.2-api
Requires: tomcat-jsp-2.2-api
Requires: tomcat-servlet-3.0-api
@@ -745,6 +756,14 @@ This package is a part of the PKI Core used by the Certificate System.
#%patch38 -p1
#%patch39 -p1
#%patch40 -p1
+#%patch41 -p1
+#%patch42 -p1
+#%patch43 -p1
+#%patch44 -p1
+#%patch45 -p1
+#%patch46 -p1
+#%patch47 -p1
+#%patch48 -p1
%clean
%{__rm} -rf %{buildroot}
@@ -1098,12 +1117,33 @@ systemctl daemon-reload
%endif # %{with server}
%changelog
-* Thu Feb 4 2016 Dogtag Team <pki-devel at redhat.com> 10.2.6-13
+* Mon Mar 14 2016 Dogtag Team <pki-devel at redhat.com> 10.2.6-16
+- Modify dnsdomainname test in pkispawn
+- PKI TRAC Ticket #2222 - Add missing tomcat-api.jar to javac classpath
+- Updated tomcat dependencies to >= 8.0.32 on F23 and later
+
+* Tue Feb 23 2016 Dogtag Team <pki-devel at redhat.com> 10.2.6-15
- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps
- should be removed
+ should be removed [mharmsen]
+- PKI TRAC Ticket #456 - The user have a chance to import own CA certificate
+ with private key [edewata]
+- PKI TRAC Ticket #1681 - pkispawn: External CA option: allow shutdown and
+ restart between phase 1 and 2 [edewata]
+- PKI TRAC Ticket #1682 - Mismatching certificate validity calculation
+ [edewata]
+- PKI TRAC Ticket #2040 - Determine supported javadoc options [mharmsen]
+
+* Thu Jan 21 2016 Dogtag Team <pki-devel at redhat.com> 10.2.6-14
+- PKI TRAC Ticket #1700 - Profile creation (LDAPProfileSubsystem) can fail
+ due to race condition [ftweedal]
+- PKI TRAC Ticket #1702 - getStatus reports ready before LDAPProfileSubsystem
+ has loaded all profiles [ftweedal]
+
+* Tue Dec 15 2015 Dogtag Team <pki-devel at redhat.com> 10.2.6-13
+- PKI TRAC Ticket #1704 - sslget must set host HTTP header [cheimes]
* Fri Oct 30 2015 Dogtag Team <pki-devel at redhat.com> 10.2.6-12
-- PKI TRAC Ticket #1310 - Auto migration to Tomcat 8
+- PKI TRAC Ticket #1310 - Auto migration to Tomcat 8 [edewata]
* Fri Oct 23 2015 Dogtag Team <pki-devel at redhat.com> 10.2.6-11
- PKI TRAC Ticket #1120 - Removed unused WizardServlet [edewata]
commit 7638c5af03e50c4a59a2f7a2c96483bfae27045c
Author: Matthew Harmsen <mharmsen at pki.usersys.redhat.com>
Date: Tue Mar 15 17:43:10 2016 -0600
Build using tomcat 7.0.68 on F22
diff --git a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
index 094c056..c5e845b 100644
--- a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
@@ -60,6 +60,11 @@ public class ProxyRealm implements Realm {
}
@Override
+ public Principal authenticate(String username) {
+ return realm.authenticate(username);
+ }
+
+ @Override
public Principal authenticate(String username, String password) {
return realm.authenticate(username, password);
}
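Review bot: The new `authenticate(String username)` overload hands back a Principal from a username alone, with no password or certificate involved, and nothing in the hunk says this is deliberate; a short comment would stop a later reader from treating it as an ordinary login path, e.g. `// Credential-less overload, apparently required by the Tomcat 7.0.68 Realm interface; the backing realm decides whether a Principal is issued for it.` Whether `realm` ever answers such a call with a non-null Principal is not visible here and depends entirely on the delegate. Like the two-argument overload below it, the call is unguarded against a null `realm`, which matches the existing style of the class. The enclosing ProxyRealm class starts and ends outside the hunk.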
commit a7055d92466463d444da83db94c7b775a33e6aa0
Author: Christian Heimes <cheimes at redhat.com>
Date: Thu Feb 25 12:33:34 2016 +0100
pki-tomcat8 needs tomcat-api.jar to compile
Tomcat 8.0.32 has moved org.apache.tomcat.ContextBind into
tomcat-api.jar. Add tomcat-api.jar to javac classpath to compile pki
with latest Tomcat.
https://fedorahosted.org/pki/attachment/ticket/2222
(cherry picked from commit 263dc2152640a95c8ca9b2829e74cce3a877f077)
diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt
index a2badac..74d789b 100644
--- a/base/server/tomcat8/src/CMakeLists.txt
+++ b/base/server/tomcat8/src/CMakeLists.txt
@@ -44,6 +44,13 @@ find_file(TOMCAT_CATALINA_JAR
/usr/share/java/tomcat
)
+find_file(TOMCAT_API_JAR
+ NAMES
+ tomcat-api.jar
+ PATHS
+ /usr/share/java/tomcat
+)
+
find_file(TOMCAT_UTIL_SCAN_JAR
NAMES
tomcat-util-scan.jar
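Review bot: The added `find_file(TOMCAT_API_JAR ...)` has no not-found check, so when tomcat-api.jar is absent the variable becomes `TOMCAT_API_JAR-NOTFOUND`, is spliced into the javac CLASSPATH in the next hunk, and the build fails later with an unresolved `org.apache.tomcat.ContextBind` symbol rather than a message naming the missing jar. Adding `if(NOT TOMCAT_API_JAR)`, `message(FATAL_ERROR "tomcat-api.jar not found")`, `endif()` directly after the find_file would surface the real cause. The neighbouring TOMCAT_CATALINA_JAR and TOMCAT_UTIL_SCAN_JAR lookups appear to follow the same unchecked pattern, so this is consistent with the file, but the new entry is the one the commit message singles out as required.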
@@ -123,7 +130,8 @@ javac(pki-tomcat8-classes
SOURCES
com/netscape/cms/tomcat/*.java
CLASSPATH
- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
+ ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${TOMCAT_API_JAR}
+ ${CMAKE_BINARY_DIR}/../../tomcat
OUTPUT_DIR
${CMAKE_BINARY_DIR}/../../tomcat
)
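Review bot: The CLASSPATH gains `${CMAKE_BINARY_DIR}/../../tomcat` alongside `${TOMCAT_API_JAR}`, and that directory is also the OUTPUT_DIR two lines below, yet the commit message only mentions tomcat-api.jar. A one-line comment above the CLASSPATH entry stating why the output directory must also be on the compile classpath would keep the next maintainer from removing it as redundant; the reason is not visible in the hunk. The `javac(pki-tomcat8-classes` call begins outside the hunk.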
commit 795465f8620a0a10092435dce46e4cff93dbc20a
Author: Ade Lee <alee at redhat.com>
Date: Mon Mar 14 16:52:48 2016 -0400
Modify dnsdomainname test in pkispawn
We do a check for the dnsdomainname, which fails in Openstack
CI because this is not set. Instead of exiting, default to
the hostname.
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index cc91021..c68a40d 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -70,7 +70,7 @@ PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = \
PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = \
"Directory '%s' is either missing or is NOT a directory!"
PKI_DNS_DOMAIN_NOT_SET = \
- "A valid DNS domain name MUST be established to use PKI services!"
+ "DNS domain name has not been set - using the hostname instead."
PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!"
PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = \
"File '%s' already exists BUT it is NOT a file!"
diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy
index abc11dc..459b755 100755
--- a/base/server/sbin/pkidestroy
+++ b/base/server/sbin/pkidestroy
@@ -91,7 +91,7 @@ def main(argv):
config.pki_dns_domainname = str(dnsdomainname).rstrip('\n')
if not len(config.pki_dns_domainname):
print log.PKI_DNS_DOMAIN_NOT_SET
- sys.exit(1)
+ config.pki_dns_domainname = config.pki_hostname
except subprocess.CalledProcessError as exc:
print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
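Review bot: The fallback `config.pki_dns_domainname = config.pki_hostname` stores a hostname in a field named for a DNS domain, so any consumer that forms a fully qualified name by joining `pki_hostname` with this field would now repeat the hostname; whether such a consumer exists is not visible here and is worth confirming before a CA or KRA is deployed on the default. The preceding condition `if not len(config.pki_dns_domainname):` reads more naturally as `if not config.pki_dns_domainname:` with no change in behaviour. The identical change in the pkispawn hunk below carries both points. The enclosing `main` continues outside the hunk in both files.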
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 7ab11a5..f362b9e 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -92,7 +92,7 @@ def main(argv):
config.pki_dns_domainname = str(dnsdomainname).rstrip('\n')
if not len(config.pki_dns_domainname):
print log.PKI_DNS_DOMAIN_NOT_SET
- sys.exit(1)
+ config.pki_dns_domainname = config.pki_hostname
except subprocess.CalledProcessError as exc:
print log.PKI_SUBPROCESS_ERROR_1 % exc
sys.exit(1)
commit 7f2e9f9d2619bf1b57642abc23d84a745617c499
Author: Endi S. Dewata <edewata at redhat.com>
Date: Tue Feb 2 03:32:50 2016 +0100
Fixed KRA installation.
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit d42f39334ce4b4f5fa89707bfb6145039ff04579)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 07a5ce4..e859139 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -492,7 +492,6 @@ class ConfigurationFile:
self.external = config.str2bool(self.mdict['pki_external'])
self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two'])
self.external_step_two = not self.external_step_one
- self.external_csr_path = self.mdict['pki_external_csr_path']
if self.external:
# generic extension support in CSR - for external CA
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 54f1c6e..e7b257f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -96,7 +96,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
external = deployer.configuration_file.external
step_one = deployer.configuration_file.external_step_one
step_two = deployer.configuration_file.external_step_two
- external_csr_path = deployer.configuration_file.external_csr_path
try:
if external and step_one: # external/existing CA step 1
@@ -128,6 +127,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# If filename specified, generate CA cert request and
# import it into CS.cfg.
+ external_csr_path = deployer.mdict['pki_external_csr_path']
if external_csr_path:
nssdb.create_request(
subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
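Review bot: The added `external_csr_path = deployer.mdict['pki_external_csr_path']` raises a bare KeyError when the key is absent from the deployment config, even though the `if external_csr_path:` guard right after it already treats an empty value as "no CSR file"; `external_csr_path = deployer.mdict.get('pki_external_csr_path')` would make a missing key behave like an empty one instead of aborting with an unexplained traceback. If the parser always populates this key in the external-CA case, which is not visible here, the indexing form is fine. The same lookup is repeated in the next hunk (step two) and in the pkispawn hunk of this commit. The enclosing `PkiScriptlet` method starts and ends outside the hunk.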
@@ -150,6 +150,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
elif external and step_two: # external/existing CA step 2
# If specified, import existing CA cert request into CS.cfg.
+ external_csr_path = deployer.mdict['pki_external_csr_path']
if external_csr_path:
with open(external_csr_path) as f:
signing_csr = f.read()
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 967d5f5..7ab11a5 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -613,9 +613,9 @@ def main(argv):
external = deployer.configuration_file.external
step_one = deployer.configuration_file.external_step_one
- external_csr_path = deployer.configuration_file.external_csr_path
if external and step_one:
+ external_csr_path = deployer.mdict['pki_external_csr_path']
if external_csr_path:
print_external_ca_step_one_information(parser.mdict)
else:
commit 8ace5536715238ac91ac77d5c84873ee3caaec4f
Author: Endi S. Dewata <edewata at redhat.com>
Date: Fri Jan 22 17:34:19 2016 +0100
Renamed pki.nss into pki.nssdb.
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 9609f4e6035d3cdff19a0f78caee2d08b095c8ba)
diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nss.py
deleted file mode 100644
index 67fd90b..0000000
--- a/base/common/python/pki/nss.py
+++ /dev/null
@@ -1,533 +0,0 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata at redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2015 Red Hat, Inc.
-# All rights reserved.
-#
-
-import base64
-import os
-import shutil
-import subprocess
-import tempfile
-
-
-CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
-CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
-
-CERT_HEADER = '-----BEGIN CERTIFICATE-----'
-CERT_FOOTER = '-----END CERTIFICATE-----'
-
-PKCS7_HEADER = '-----BEGIN PKCS7-----'
-PKCS7_FOOTER = '-----END PKCS7-----'
-
-
-def convert_data(data, input_format, output_format, header=None, footer=None):
-
- if input_format == output_format:
- return data
-
- if input_format == 'base64' and output_format == 'pem':
-
- # join base-64 data into a single line
- data = data.replace('\r', '').replace('\n', '')
-
- # re-split the line into fixed-length lines
- lines = [data[i:i+64] for i in range(0, len(data), 64)]
-
- # add header and footer
- return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer)
-
- if input_format == 'pem' and output_format == 'base64':
-
- # join multiple lines into a single line
- lines = []
- for line in data.splitlines():
- line = line.rstrip('\r\n')
- if line == header:
- continue
- if line == footer:
- continue
- lines.append(line)
-
- return ''.join(lines)
-
- raise Exception('Unable to convert data from %s to %s' % (input_format, output_format))
-
-def convert_csr(csr_data, input_format, output_format):
-
- return convert_data(csr_data, input_format, output_format, CSR_HEADER, CSR_FOOTER)
-
-def convert_cert(cert_data, input_format, output_format):
-
- return convert_data(cert_data, input_format, output_format, CERT_HEADER, CERT_FOOTER)
-
-def convert_pkcs7(pkcs7_data, input_format, output_format):
-
- return convert_data(pkcs7_data, input_format, output_format, PKCS7_HEADER, PKCS7_FOOTER)
-
-def get_file_type(filename):
-
- with open(filename, 'r') as f:
- data = f.read()
-
- if data.startswith(CSR_HEADER):
- return 'csr'
-
- if data.startswith(CERT_HEADER):
- return 'cert'
-
- if data.startswith(PKCS7_HEADER):
- return 'pkcs7'
-
- return None
-
-
-class NSSDatabase(object):
-
- def __init__(self, directory, token='internal', password=None, password_file=None):
- self.directory = directory
- self.token = token
-
- self.tmpdir = tempfile.mkdtemp()
-
- if password:
- self.password_file = os.path.join(self.tmpdir, 'password.txt')
- with open(self.password_file, 'w') as f:
- f.write(password)
-
- elif password_file:
- self.password_file = password_file
-
- else:
- raise Exception('Missing NSS database password')
-
- def close(self):
- shutil.rmtree(self.tmpdir)
-
- def add_cert(self,
- nickname,
- cert_file,
- trust_attributes=',,'):
-
- cmd = [
- 'certutil',
- '-A',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-n', nickname,
- '-i', cert_file,
- '-t', trust_attributes
- ]
-
- subprocess.check_call(cmd)
-
- def modify_cert(self,
- nickname,
- trust_attributes):
-
- cmd = [
- 'certutil',
- '-M',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-n', nickname,
- '-t', trust_attributes
- ]
-
- subprocess.check_call(cmd)
-
- def create_noise(self, noise_file, size=2048):
-
- subprocess.check_call([
- 'openssl',
- 'rand',
- '-out', noise_file,
- str(size)
- ])
-
- def create_request(self,
- subject_dn,
- request_file,
- noise_file=None,
- key_type=None,
- key_size=None,
- curve=None,
- hash_alg=None):
-
- tmpdir = tempfile.mkdtemp()
-
- try:
- if not noise_file:
- noise_file = os.path.join(tmpdir, 'noise.bin')
- if key_size:
- size = key_size
- else:
- size = 2048
- self.create_noise(
- noise_file=noise_file,
- size=size)
-
- binary_request_file = os.path.join(tmpdir, 'request.bin')
-
- cmd = [
- 'certutil',
- '-R',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-s', subject_dn,
- '-o', binary_request_file,
- '-z', noise_file
- ]
-
- if key_type:
- cmd.extend(['-k', key_type])
-
- if key_size:
- cmd.extend(['-g', str(key_size)])
-
- if curve:
- cmd.extend(['-q', curve])
-
- if hash_alg:
- cmd.extend(['-Z', hash_alg])
-
- # generate binary request
- subprocess.check_call(cmd)
-
- # encode binary request in base-64
- b64_request_file = os.path.join(tmpdir, 'request.b64')
- subprocess.check_call([
- 'BtoA', binary_request_file, b64_request_file])
-
- # read base-64 request
- with open(b64_request_file, 'r') as f:
- b64_request = f.read()
-
- # add header and footer
- with open(request_file, 'w') as f:
- f.write('-----BEGIN NEW CERTIFICATE REQUEST-----\n')
- f.write(b64_request)
- f.write('-----END NEW CERTIFICATE REQUEST-----\n')
-
- finally:
- shutil.rmtree(tmpdir)
-
- def create_self_signed_ca_cert(self,
- subject_dn,
- request_file,
- cert_file,
- serial='1',
- validity=240):
-
- cmd = [
- 'certutil',
- '-C',
- '-x',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-c', subject_dn,
- '-a',
- '-i', request_file,
- '-o', cert_file,
- '-m', serial,
- '-v', str(validity),
- '--keyUsage', 'digitalSignature,nonRepudiation,certSigning,crlSigning,critical',
- '-2',
- '-3',
- '--extSKID',
- '--extAIA'
- ]
-
- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-
- keystroke = ''
-
- # Is this a CA certificate [y/N]?
- keystroke += 'y\n'
-
- # Enter the path length constraint, enter to skip [<0 for unlimited path]:
- keystroke += '\n'
-
- # Is this a critical extension [y/N]?
- keystroke += 'y\n'
-
- # Enter value for the authKeyID extension [y/N]?
- keystroke += 'y\n'
-
- # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
- # Enter value for the key identifier fields,enter to omit:
- keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
-
- # Select one of the following general name type:
- keystroke += '0\n'
-
- # Enter value for the authCertSerial field, enter to omit:
- keystroke += '\n'
-
- # Is this a critical extension [y/N]?
- keystroke += '\n'
-
- # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
- # Adding Subject Key ID extension.
- # Enter value for the key identifier fields,enter to omit:
- keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
-
- # Is this a critical extension [y/N]?
- keystroke += '\n'
-
- # Enter access method type for Authority Information Access extension:
- keystroke += '2\n'
-
- # Select one of the following general name type:
- keystroke += '7\n'
-
- # TODO: replace with actual hostname name and port number
- # Enter data:
- keystroke += 'http://server.example.com:8080/ca/ocsp\n'
-
- # Select one of the following general name type:
- keystroke += '0\n'
-
- # Add another location to the Authority Information Access extension [y/N]
- keystroke += '\n'
-
- # Is this a critical extension [y/N]?
- keystroke += '\n'
-
- p.communicate(keystroke)
-
- rc = p.wait()
-
- if rc:
- raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
-
- def get_cert(self, nickname, output_format='pem'):
-
- if output_format == 'pem':
- output_format_option = '-a'
-
- elif output_format == 'base64':
- output_format_option = '-r'
-
- else:
- raise Exception('Unsupported output format: %s' % output_format)
-
- cmd = [
- 'certutil',
- '-L',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-n', nickname,
- output_format_option
- ]
-
- cert_data = subprocess.check_output(cmd)
-
- if output_format == 'base64':
- cert_data = base64.b64encode(cert_data)
-
- return cert_data
-
- def remove_cert(self, nickname):
-
- cmd = [
- 'certutil',
- '-D',
- '-d', self.directory,
- '-h', self.token,
- '-f', self.password_file,
- '-n', nickname
- ]
-
- subprocess.check_call(cmd)
-
- def import_cert_chain(self, nickname, cert_chain_file, trust_attributes=None):
-
- tmpdir = tempfile.mkdtemp()
-
- try:
- file_type = get_file_type(cert_chain_file)
-
- if file_type == 'cert': # import single PEM cert
- self.add_cert(
- nickname=nickname,
- cert_file=cert_chain_file,
- trust_attributes=trust_attributes)
- return self.get_cert(
- nickname=nickname,
- output_format='base64')
-
- elif file_type == 'pkcs7': # import PKCS #7 cert chain
- return self.import_pkcs7(
- pkcs7_file=cert_chain_file,
- nickname=nickname,
- trust_attributes=trust_attributes,
- output_format='base64')
-
- else: # import PKCS #7 data without header/footer
- with open(cert_chain_file, 'r') as f:
- base64_data = f.read()
- pkcs7_data = convert_pkcs7(base64_data, 'base64', 'pem')
-
- tmp_cert_chain_file = os.path.join(tmpdir, 'cert_chain.p7b')
- with open(tmp_cert_chain_file, 'w') as f:
- f.write(pkcs7_data)
-
- self.import_pkcs7(
- pkcs7_file=tmp_cert_chain_file,
- nickname=nickname,
- trust_attributes=trust_attributes)
-
- return base64_data
-
- finally:
- shutil.rmtree(tmpdir)
-
- def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, output_format='pem'):
-
- tmpdir = tempfile.mkdtemp()
-
- try:
- # export certs from PKCS #7 into PEM output
- output = subprocess.check_output([
- 'openssl',
- 'pkcs7',
- '-print_certs',
- '-in', pkcs7_file
- ])
-
- # parse PEM output into separate PEM certificates
- certs = []
- lines = []
- state = 'header'
-
- for line in output.splitlines():
-
- if state == 'header':
- if line != CERT_HEADER:
- # ignore header lines
- pass
- else:
- # save cert header
- lines.append(line)
- state = 'body'
-
- elif state == 'body':
- if line != CERT_FOOTER:
- # save cert body
- lines.append(line)
- else: