[Pkg-freeipa-devel] dogtag-pki: Changes to 'upstream'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Fri Sep 30 15:16:25 UTC 2016
Rebased ref, commits from common ancestor:
commit 259300466be4431ebadb7a4ca3f54d447d2ec68c
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Mon Aug 8 15:38:24 2016 -0600
Update version number to 10.3.5-1
diff --git a/specs/dogtag-pki-theme.spec b/specs/dogtag-pki-theme.spec
index 027972c..74e673c 100644
--- a/specs/dogtag-pki-theme.spec
+++ b/specs/dogtag-pki-theme.spec
@@ -1,6 +1,6 @@
Name: dogtag-pki-theme
Version: 10.3.5
-Release: 0.1%{?dist}
+Release: 1%{?dist}
Summary: Certificate System - Dogtag PKI Theme Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -159,6 +159,9 @@ cd build
%changelog
+* Mon Aug 8 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-1
+- Updated version number to 10.3.5-1
+
* Tue Jul 5 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-0.1
- Updated version number to 10.3.5-0.1
diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
index 87fc353..d76c79b 100644
--- a/specs/dogtag-pki.spec
+++ b/specs/dogtag-pki.spec
@@ -7,7 +7,7 @@
Summary: Dogtag Public Key Infrastructure (PKI) Suite
Name: dogtag-pki
Version: 10.3.5
-Release: 0.1%{?dist}
+Release: 1%{?dist}
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
URL: http://pki.fedoraproject.org/
@@ -124,6 +124,9 @@ rm -rf %{buildroot}
%doc README
%changelog
+* Mon Aug 8 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-1
+- Updated version number to 10.3.5-1
+
* Tue Jul 5 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-0.1
- Updated version number to 10.3.5-0.1
diff --git a/specs/pki-console.spec b/specs/pki-console.spec
index 70493b0..e44e56d 100644
--- a/specs/pki-console.spec
+++ b/specs/pki-console.spec
@@ -1,6 +1,6 @@
Name: pki-console
Version: 10.3.5
-Release: 0.1%{?dist}
+Release: 1%{?dist}
Summary: Certificate System - PKI Console
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -98,6 +98,9 @@ cd build
%changelog
+* Mon Aug 8 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-1
+- Updated version number to 10.3.5-1
+
* Tue Jul 5 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-0.1
- Updated version number to 10.3.5-0.1
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 98dad00..4010a56 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -65,7 +65,7 @@
Name: pki-core
Version: 10.3.5
-Release: 0.1%{?dist}
+Release: 1%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -1298,6 +1298,9 @@ systemctl daemon-reload
%endif # %{with server}
%changelog
+* Mon Aug 8 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-1
+- Updated version number to 10.3.5-1
+
* Tue Jul 5 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-0.1
- Updated version number to 10.3.5-0.1
commit a808013629d4b4de886ec1563daebf6ea5138f0c
Author: Endi S. Dewata <edewata at redhat.com>
Date: Mon Aug 8 19:19:16 2016 +0200
Improved SystemConfigService.configure() error message.
The pkispawn has been modified to improve the way it displays the
error message returned by SystemConfigService.configure(). If the
method throws a PKIException, the response is returned as a JSON
message, so pkispawn will parse it and display the actual error
message. For other exceptions pkispawn will display the entire
HTML message returned by Tomcat.
https://fedorahosted.org/pki/ticket/2399
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 8a1dbdd..b6eacf1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3959,28 +3959,7 @@ class ConfigClient:
admin_cert = response['adminCert']['cert']
self.process_admin_cert(admin_cert)
- except Exception as e:
- config.pki_log.error(
- log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e),
- extra=config.PKI_INDENTATION_LEVEL_2)
-
- if hasattr(e, 'response'):
- text = e.response.text # pylint: disable=E1101
- try:
- root = ET.fromstring(text)
- except ET.ParseError as pe:
- config.pki_log.error(
- "ParseError: %s: %s " % (pe, text),
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise
-
- if root.tag == 'PKIException':
- message = root.findall('.//Message')[0].text
- if message is not None:
- config.pki_log.error(
- log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " +
- message,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ except:
raise
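Review bot: The replacement handler `except: raise` is a no-op — a bare except that immediately re-raises leaves the exception untouched, so the surrounding `try:` (which begins above this hunk, outside it) now only adds a level of indentation. Since the commit moves error reporting into pkispawn, the cleaner change is to drop the try/except and dedent its body; if a handler has to stay, `except Exception:` is preferable to a bare `except:`, which also intercepts `KeyboardInterrupt` and `SystemExit` before re-raising them. The removed lines were the only use of `ET` visible in this region, so check whether that import is now unused (not visible here).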
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 13139fa..c87c49a 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -527,8 +527,24 @@ def main(argv):
scriptlet.spawn(deployer)
- # pylint: disable=W0703
- except Exception as e:
+ except requests.HTTPError as e:
+ r = e.response
+ print()
+
+ print('Installation failed:')
+ if r.headers['content-type'] == 'application/json':
+ data = r.json()
+ print('%s: %s' % (data['ClassName'], data['Message']))
+ else:
+ print(r.text)
+
+ print()
+ print('Please check the %s logs in %s.' %
+ (config.pki_subsystem, deployer.mdict['pki_subsystem_log_path']))
+
+ sys.exit(1)
+
+ except Exception as e: # pylint: disable=broad-except
log_error_details()
print()
print("Installation failed: %s" % e)
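Review bot: The exact comparison `r.headers['content-type'] == 'application/json'` misses a JSON response whose header carries a parameter such as `application/json; charset=utf-8`, and raises `KeyError` when the server sends no Content-Type at all — in the first case the handler dumps the raw body, in the second it crashes instead of printing the parsed message. Use `if r.headers.get('content-type', '').split(';')[0].strip() == 'application/json':`, and read `data.get('ClassName')` / `data.get('Message')` so a JSON body without those keys still prints something useful rather than a traceback. `main()` continues outside the hunk.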
commit a38b8b875e40d0d8551752af7aa2567d2891384a
Author: Christina Fu <cfu at dhcp-16-189.sjc.redhat.com>
Date: Mon Aug 8 11:34:52 2016 -0700
Ticket #2428 - part2 handle NullPointerException
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index caf2cf1..0073bd2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -423,8 +423,8 @@ public class ProfileReviewServlet extends ProfileServlet {
try {
defValue = def.getValue(defName, locale, req);
- } catch (EPropertyException ee) {
- CMS.debug("ProfileReviewServlet: " + ee.toString());
+ } catch (Exception exp) {
+ CMS.debug("ProfileReviewServlet: " + exp.toString());
}
defset.set(ARG_DEF_ID, defName);
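Review bot: Widening the catch to `Exception` swallows the NullPointerException the commit targets along with every other runtime failure, and the log line records only `exp.toString()` — no stack trace — so the null that reached `def.getValue(...)` stays undiagnosed. Prefer a null check on the inputs feeding `def.getValue(defName, locale, req)` (their origin is outside this hunk), or at least narrow the handler to `catch (EPropertyException | NullPointerException exp)` and log the throwable itself (the tree's `CMS.debug(Throwable)` overload, if present) so the origin is preserved. The enclosing method starts and ends outside the hunk.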
commit e948a42f8bf7823b18ad4551a8fe8a5db991e966
Author: Christian Heimes <cheimes at redhat.com>
Date: Mon Aug 8 13:08:17 2016 +0200
Improve setup.py for standalone Dogtag client releases
PyPI requires a different spelling of the LGPLv3+ classifier.
The correct name for installation requirements is 'install_requires',
not 'requirements'.
Add a new version_info command that rewrites setup.py in place to
include the current version. This fixes a problem with source
distributions of the client package.
diff --git a/base/common/python/setup.cfg b/base/common/python/setup.cfg
index ad43486..32f2126 100644
--- a/base/common/python/setup.cfg
+++ b/base/common/python/setup.cfg
@@ -2,5 +2,5 @@
universal = 1
[aliases]
-packages = clean --all egg_info bdist_wheel sdist --format=zip
+packages = clean --all version_info egg_info bdist_wheel sdist --format=zip
release = packages register upload
diff --git a/base/common/python/setup.py b/base/common/python/setup.py
index 86e0704..e0920c1 100644
--- a/base/common/python/setup.py
+++ b/base/common/python/setup.py
@@ -43,28 +43,67 @@ try:
except ImportError:
from distutils.core import setup
+from distutils.cmd import Command
+
+
+class VersionInfo(Command):
+ user_options = []
-def get_version(specfile='../../../specs/pki-core.spec'):
version_re = re.compile('^Version:\s*(\d+\.\d+\.\d+)')
release_re = re.compile('^Release:.*?([\d\.]+)')
- version = release = None
- with open(specfile) as f:
- for line in f:
- if version is None:
- match = version_re.match(line)
- if match is not None:
- version = match.group(1)
- if release is None:
- match = release_re.match(line)
- if match is not None:
- release = match.group(1)
- if version is not None and release is not None:
- break
- if version is None or release is None:
- raise ValueError(version, release)
- return "%s.%s" % (version, release)
-
-VERSION = get_version()
+ specfile = '../../../specs/pki-core.spec'
+
+ def initialize_options(self):
+ self.rpm_version = None
+
+ def finalize_options(self):
+ try:
+ version, release = self.get_version()
+ except IOError:
+ pass
+ else:
+ self.rpm_version = "%s.%s" % (version, release)
+
+ def run(self):
+ if self.rpm_version is not None:
+ self.distribution.metadata.version = self.rpm_version
+ self.rewrite_setup_py()
+ else:
+ raise ValueError(
+ 'Cannot load version from {}'.format(self.specfile)
+ )
+
+ def get_version(self):
+ version = release = None
+ with open(self.specfile) as f:
+ for line in f:
+ if version is None:
+ match = self.version_re.match(line)
+ if match is not None:
+ version = match.group(1)
+ if release is None:
+ match = self.release_re.match(line)
+ if match is not None:
+ release = match.group(1)
+ if version is not None and release is not None:
+ break
+ if version is None or release is None:
+ raise ValueError(version, release)
+ return version, release
+
+ def rewrite_setup_py(self):
+ with open(__file__) as f:
+ lines = list(f)
+ for i, line in enumerate(lines):
+ if line.startswith('VERSION ='):
+ lines[i] = "VERSION = '{}'\n".format(self.rpm_version)
+ with open(__file__, 'w') as f:
+ f.write(''.join(lines))
+
+
+# auto-generated by version_info
+VERSION = None
+
setup(
author='Dogtag Certificate System Team',
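Review bot: `finalize_options` discards the `IOError` from `get_version()` with `pass`, so when `run()` later raises `ValueError('Cannot load version from …')` the real cause (missing file, permission denied) is lost; meanwhile the `ValueError(version, release)` that `get_version()` raises for a spec file that exists but lacks a Version/Release line propagates out of `finalize_options` unhandled, so the two failure modes are reported differently. Keep the cause instead: initialise `self.load_error = None` in `initialize_options`, use `except IOError as e: self.load_error = e` in `finalize_options`, and fold it into the message in `run()`: `'Cannot load version from {}: {}'.format(self.specfile, self.load_error)`. Also worth a comment on `rewrite_setup_py` that it edits this very file in place (via `__file__`), since that is surprising for a distutils command.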
@@ -85,7 +124,8 @@ and set up in less than an hour.""",
keywords='pki x509 cert certificate',
url='http://pki.fedoraproject.org/',
packages=['pki', 'pki.cli'],
- requirements=['python-nss', 'requests', 'six'],
+ install_requires=['python-nss', 'requests', 'six'],
+ cmdclass={'version_info': VersionInfo},
classifiers=[
'Development Status :: 5 - Production/Stable',
'Environment :: Web Environment',
@@ -93,7 +133,8 @@ and set up in less than an hour.""",
'Operating System :: OS Independent',
'Programming Language :: Python :: 2.7',
'Programming Language :: Python :: 3.4',
- 'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
+ 'License :: OSI Approved :: GNU Lesser General Public License ' +
+ 'v3 or later (LGPLv3+)',
'Topic :: Security :: Cryptography',
],
)
commit 7bed80ef6b1529f948da260a6b43f2052c6ffb21
Author: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon Aug 8 14:39:01 2016 +1000
Fix lightweight CA PEM-encoded PKCS #7 cert chain retrieval
The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
Return proper PKCS #7 data.
Fixes: https://fedorahosted.org/pki/ticket/2433
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 7bca10f..246a3f0 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -173,7 +173,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
@Override
public Response getChainPEM(String aidString) {
- byte[] der = (byte[]) getCert(aidString).getEntity();
+ byte[] der = (byte[]) getChain(aidString).getEntity();
return Response.ok(toPem("PKCS7", der)).build();
}
commit 018b5c1f3295fadd263d256d00866dd7b9d31163
Author: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue Jul 26 14:07:10 2016 +1000
Fix CA OCSP responder when LWCAs are not in use
The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request. Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred. If they
have not, the OCSP responder always fails.
Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.
Fixes: https://fedorahosted.org/pki/ticket/2420
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 502ab18..a5397da 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2240,6 +2240,10 @@ public class CertificateAuthority
* employ some heuristic to deal with this case. Our
* heuristic is:
*
+ * 0. If caMap contains no CAs, then lightweight CAs are not
+ * enabled. There is only one CA, and 'this' is it. Go
+ * straight to validation.
+ *
* 1. Find the issuer of the cert identified by the first
* CertID in the request.
*
@@ -2254,7 +2258,7 @@ public class CertificateAuthority
* aggregate OCSP response.
*/
ICertificateAuthority ocspCA = this;
- if (tbsReq.getRequestCount() > 0) {
+ if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) {
com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
BigInteger serialNo = req.getCertID().getSerialNumber();
X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
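Review bot: Using `caMap.size() > 0` as the signal that lightweight CAs are enabled relies on the map's emptiness, and whether the map can also be empty transiently (before it is loaded, or after a failed load) is not visible in this hunk — in that case an OCSP request for a certificate issued by a lightweight CA would be answered by `this` rather than the proper issuer. If `caMap` is populated lazily, gate on the explicit loaded/enabled state instead of on size; otherwise document the invariant next to the check, e.g. `// caMap is empty iff the LWCA database updates have not run; see heuristic step 0 above`. Stylistically `!caMap.isEmpty()` reads better than `caMap.size() > 0`. The enclosing method continues outside the hunk.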
commit 1d0abd0630d5847c288c65a7adeff580c9c9776b
Author: Endi S. Dewata <edewata at redhat.com>
Date: Sat Aug 6 02:33:53 2016 +0200
Moved upgrade scripts for RHEL.
On RHEL the upgrade scripts after 10.3.3 have been moved into the
10.3.3 folder to match the RHEL version number.
https://fedorahosted.org/pki/ticket/2403
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 12f1d94..98dad00 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -867,6 +867,12 @@ ln -s %{_datadir}/pki/java-tools/KRATool.cfg %{buildroot}%{_datadir}/pki/java-to
# Create compatibility symlink for DRMTool.1.gz -> KRATool.1.gz
ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz
+# Customize system upgrade scripts in /usr/share/pki/upgrade
+%if 0%{?rhel}
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.5
+%endif
+
# Customize client library links in /usr/share/pki/lib
%if 0%{?fedora} >= 24
rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar
@@ -893,6 +899,14 @@ fi
%if %{with server}
+# Customize server upgrade scripts in /usr/share/pki/server/upgrade
+%if 0%{?rhel}
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixSELinuxContexts %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixSELinuxContexts
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5
+%endif
+
# Customize server library links in /usr/share/pki/server/common/lib
%if 0%{?fedora} >= 24
rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar
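Review bot: The two `mv` lines renumber the 10.3.5 server upgrade scripts into 10.3.3 as `02-…` and `03-…`, which silently assumes the 10.3.3 directory holds exactly one script; if a `02-` or `03-` script is ever added there, `mv` overwrites it without error and the upgrade ordering changes unnoticed. A guard such as `test ! -e %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary` (and the same for `03-FixSELinuxContexts`) before each `mv` would turn that collision into a build failure. A one-line comment stating why 10.3.4/10.3.5 are collapsed into 10.3.3 on RHEL would also help the next person reading the spec.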
commit 0432343ee3d00d3eaa495fe5bba272a414cfd991
Author: Endi S. Dewata <edewata at redhat.com>
Date: Sat Aug 6 02:20:35 2016 +0200
Split link customization in RPM spec.
The code that customizes the links to the JAR files has been split
between client and server packages.
https://fedorahosted.org/pki/ticket/2403
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 017ecf6..12f1d94 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -867,29 +867,17 @@ ln -s %{_datadir}/pki/java-tools/KRATool.cfg %{buildroot}%{_datadir}/pki/java-to
# Create compatibility symlink for DRMTool.1.gz -> KRATool.1.gz
ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz
-%if %{with server}
-
-# Customize symlinks for each platform
+# Customize client library links in /usr/share/pki/lib
%if 0%{?fedora} >= 24
- # /usr/share/pki/lib
rm -f %{buildroot}%{_datadir}/pki/lib/scannotation.jar
rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-api.jar
rm -f %{buildroot}%{_datadir}/pki/lib/resteasy-jaxrs-jandex.jar
ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
-
- # /usr/share/pki/server/common/lib
- rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar
- rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar
- ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
- ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
- ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
-
%else
if [ -f /etc/debian_version ]; then
- # /usr/share/pki/lib
ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/lib/httpclient.jar
ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/lib/httpcore.jar
ln -sf /usr/share/java/jackson-core-asl.jar %{buildroot}%{_datadir}/pki/lib/jackson-core-asl.jar
@@ -899,8 +887,23 @@ if [ -f /etc/debian_version ]; then
ln -sf /usr/share/java/jackson-smile.jar %{buildroot}%{_datadir}/pki/lib/jackson-smile.jar
ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/lib/jackson-xc.jar
ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/lib/jss4.jar
+fi
+
+%endif
- # /usr/share/pki/server/common/lib
+%if %{with server}
+
+# Customize server library links in /usr/share/pki/server/common/lib
+%if 0%{?fedora} >= 24
+ rm -f %{buildroot}%{_datadir}/pki/server/common/lib/scannotation.jar
+ rm -f %{buildroot}%{_datadir}/pki/server/common/lib/resteasy-jaxrs-api.jar
+ ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
+ ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
+ ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
+
+%else
+
+if [ -f /etc/debian_version ]; then
ln -sf /usr/share/java/commons-collections3.jar %{buildroot}%{_datadir}/pki/server/common/lib/commons-collections.jar
ln -sf /usr/share/java/httpclient.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpclient.jar
ln -sf /usr/share/java/httpcore.jar %{buildroot}%{_datadir}/pki/server/common/lib/httpcore.jar
commit 066628e929378761563706522b7174cc47094cdf
Author: Endi S. Dewata <edewata at redhat.com>
Date: Sat Aug 6 02:13:23 2016 +0200
Fixed RPM spec for client-only build.
The RPM spec has been fixed not to include the %pre script for the
pki-server package if --without-server parameter is specified.
https://fedorahosted.org/pki/ticket/2403
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index c206b27..017ecf6 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -981,6 +981,8 @@ if (test("/etc/sysconfig/pki/ca") or
end
%endif
+%if %{with server}
+
%pre -n pki-server
getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
if ! getent passwd %{pki_username} >/dev/null ; then
@@ -992,6 +994,8 @@ if ! getent passwd %{pki_username} >/dev/null ; then
fi
exit 0
+%endif # %{with server}
+
%post -n pki-base
if [ $1 -eq 1 ]
commit b04707631a362581804574edd0641a3fdbc16565
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Fri Aug 5 14:34:57 2016 -0600
Added python-urllib3 dependency
* PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index fac7192..c206b27 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -156,6 +156,11 @@ BuildRequires: python3-flake8
BuildRequires: python-nss
BuildRequires: python-requests
BuildRequires: python-six
+%if 0%{?rhel}
+BuildRequires: python-urllib3
+%else
+BuildRequires: python2-urllib3
+%endif
BuildRequires: libselinux-python
BuildRequires: policycoreutils-python
%if 0%{?fedora} >= 23
@@ -182,6 +187,7 @@ BuildRequires: python3-devel
BuildRequires: python3-nss
BuildRequires: python3-requests
BuildRequires: python3-six
+BuildRequires: python3-urllib3
%endif # with_python3
BuildRequires: python-devel
@@ -338,6 +344,11 @@ Conflicts: freeipa-server < 3.0.0
Requires: python-nss
Requires: python-requests >= 1.1.0-3
Requires: python-six
+%if 0%{?rhel}
+Requires: python-urllib3
+%else
+Requires: python2-urllib3
+%endif
%description -n pki-base
The PKI Framework contains the common and client libraries and utilities
@@ -424,6 +435,7 @@ Requires: pki-base = %{version}-%{release}
Requires: python3-nss
Requires: python3-requests
Requires: python3-six
+Requires: python3-urllib3
%description -n pki-base-python3
This package contains PKI client library for Python 3.
commit b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56
Author: Endi S. Dewata <edewata at redhat.com>
Date: Mon Aug 1 22:35:32 2016 +0200
Fixed PKCS #12 import for cloning.
To fix cloning issue in IPA the security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index fe65bb8..3494882 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -834,7 +834,8 @@ public class ConfigurationUtils {
BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
NoSuchItemOnTokenException, InvalidBERException, IOException {
- // TODO: refactor into a PKCS #12 utility class
+ // TODO: The PKCS #12 file is already imported in security_database.py.
+ // This method should be removed.
byte b[] = new byte[1000000];
FileInputStream fis = new FileInputStream(p12File);
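Review bot: The new TODO leaves the fixed `byte[1000000]` buffer and the bare `FileInputStream` on the following lines in place until the method is removed; depending on the read loop that follows (outside the hunk), a PKCS #12 file larger than about 1 MB may be read truncated without any error, and the stream's close path is not visible here. If the method survives another release, reading with a size-checked loop and try-with-resources would make the interim safer; at minimum the TODO could mention the limit, e.g. `// Until removed: note the fixed 1 MB read buffer below.` The enclosing method starts and ends outside the hunk.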
@@ -1109,10 +1110,14 @@ public class ConfigurationUtils {
InternalCertificate icert = (InternalCertificate) xcert;
if (isCASigningCert) {
- // we need to change the trust attribute to CT
+ // set trust flags to CT,C,C
icert.setSSLTrust(InternalCertificate.TRUSTED_CA
| InternalCertificate.TRUSTED_CLIENT_CA
| InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
} else if (isAuditSigningCert(name)) {
icert.setObjectSigningTrust(InternalCertificate.USER
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 99daf15..e80a1d0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -150,8 +150,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Import certificates
nssdb.import_pkcs12(
pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ pkcs12_password=pki_clone_pkcs12_password)
+
+ # Set certificate trust flags
+ if subsystem.type == 'CA':
+ nssdb.modify_cert(
+ nickname=deployer.mdict['pki_ca_signing_nickname'],
+ trust_attributes='CTu,Cu,Cu')
+
+ nssdb.modify_cert(
+ nickname=deployer.mdict['pki_audit_signing_nickname'],
+ trust_attributes='u,u,Pu')
print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
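Review bot: The audit-signing `nssdb.modify_cert(...)` runs for every subsystem type while the CA-signing one is gated on `subsystem.type == 'CA'`; if a clone's PKCS #12 does not carry the certificate named by `pki_audit_signing_nickname`, `modify_cert` fails after the import has already happened, leaving a half-configured database. Either check that the nickname was actually imported before modifying it, or document the expectation with a comment such as `# Every cloned subsystem's PKCS #12 is expected to carry the audit signing cert; CA clones also carry the CA signing cert`. Since dropping `no_user_certs=True` now imports every private key in the file (intended, per the commit message), the trust-flag reset deserves a comment saying it deliberately overrides whatever flags the PKCS #12 carried. The enclosing method continues outside the hunk.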
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 9cabdc5..b02c363 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -47,33 +47,6 @@ import java.util.Random;
import java.util.StringTokenizer;
import java.util.Vector;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS10Attribute;
-import netscape.security.pkcs.PKCS10Attributes;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.PKCS9Attribute;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerInputStream;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.DerValue;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.CertificateX509Key;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500Signer;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509Key;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.NoSuchTokenException;
@@ -132,6 +105,33 @@ import org.mozilla.jss.util.Password;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS10Attribute;
+import netscape.security.pkcs.PKCS10Attributes;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.PKCS9Attribute;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerInputStream;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.CertificateX509Key;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500Signer;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509Key;
+
@SuppressWarnings("serial")
public class CryptoUtil {
@@ -1164,10 +1164,16 @@ public class CryptoUtil {
if (certchains != null) {
cert = certchains[certchains.length - 1];
}
+
+ // set trust flags to CT,C,C
InternalCertificate icert = (InternalCertificate) cert;
icert.setSSLTrust(InternalCertificate.TRUSTED_CA
| InternalCertificate.TRUSTED_CLIENT_CA
| InternalCertificate.VALID_CA);
+ icert.setEmailTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
+ icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
+ | InternalCertificate.VALID_CA);
}
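Review bot: `cert` is cast to `InternalCertificate` unconditionally, but the guard above only assigns it when `certchains != null`; if `cert`'s initial value (outside the hunk) is null in that case, the new `setEmailTrust`/`setObjectSigningTrust` calls join the existing `setSSLTrust` in failing with a NullPointerException rather than a descriptive error. A check like `if (cert == null) { throw new IllegalStateException("No certificate found in chain"); }` before the cast would make the failure explicit. The import reordering in this file's two earlier hunks is cosmetic.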
public static SEQUENCE parseCRMFMsgs(byte cert_request[])
commit da66600e8ae07fa4169d24909c7d04ed69d2906c
Author: Endi S. Dewata <edewata at redhat.com>
Date: Mon Aug 1 22:35:32 2016 +0200
Added log messages for certificate import during cloning.
To help troubleshooting cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index a0b0302..ed45654 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -398,6 +398,16 @@ class NSSDatabase(object):
if rc:
raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
+ def show_certs(self):
+
+ cmd = [
+ 'certutil',
+ '-L',
+ '-d', self.directory
+ ]
+
+ subprocess.check_call(cmd)
+
def get_cert(self, nickname, output_format='pem'):
if output_format == 'pem':
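Review bot: `show_certs` has no docstring, and because it uses `subprocess.check_call` its output goes wherever `certutil`'s stdout is pointed rather than through the caller's logger; add `"""List the certificates in this NSS database (runs certutil -L; output goes to stdout, a non-zero exit raises CalledProcessError)."""` so callers know it is a printing diagnostic, not a query that returns data.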
diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py
new file mode 100644
index 0000000..a62ca09
--- /dev/null
+++ b/base/common/python/pki/pkcs12.py
@@ -0,0 +1,73 @@
+# Authors:
+# Endi S. Dewata <edewata at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import os
+import shutil
+import subprocess
+import tempfile
+
+
+class PKCS12(object):
+
+ def __init__(self, path, password=None, password_file=None, nssdb=None):
+
+ # The pki CLI needs an NSS database to run PKCS #12 operations
+ # as required by JSS. If the nssdb parameter is provided, the CLI
+ # will use the specified NSS database object. Otherwise, it will use
+ # the default NSS database in ~/.dogtag/nssdb.
+
+ self.path = path
+ self.nssdb = nssdb
+
+ self.tmpdir = tempfile.mkdtemp()
+
+ if password:
+ self.password_file = os.path.join(self.tmpdir, 'password.txt')
+ with open(self.password_file, 'w') as f:
+ f.write(password)
+
+ elif password_file:
+ self.password_file = password_file
+
+ else:
+ raise Exception('Missing PKCS #12 password')
+
+ def close(self):
+ shutil.rmtree(self.tmpdir)
+
+ def show_certs(self):
+
+ cmd = ['pki']
+
+ if self.nssdb:
+ cmd.extend([
+ '-d', self.nssdb.directory,
+ '-C', self.nssdb.password_file
+ ])
+
+ cmd.extend([
+ 'pkcs12-cert-find',
+ '--pkcs12-file', self.path,
+ '--pkcs12-password-file', self.password_file
+ ])
+
+ subprocess.check_call(cmd)
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 18fc3e1..99daf15 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -19,9 +19,11 @@
#
from __future__ import absolute_import
+from __future__ import print_function
import os
import pki.nssdb
+import pki.pkcs12
import pki.server
# PKI Deployment Imports
@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_server_pkcs12_path,
- pkcs12_password=pki_server_pkcs12_password)
+ try:
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_server_pkcs12_path,
+ pkcs12_password=pki_server_pkcs12_password)
+ finally:
+ nssdb.close()
# update external CA file (if needed)
external_certs_path = deployer.mdict['pki_server_external_certs_path']
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
directory=deployer.mdict['pki_database_path'],
password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ try:
+ print('Importing certificates from %s:' % pki_clone_pkcs12_path)
+
+ # The PKCS12 class requires an NSS database to run. For simplicity
+ # it uses the NSS database that has just been created.
+ pkcs12 = pki.pkcs12.PKCS12(
+ path=pki_clone_pkcs12_path,
+ password=pki_clone_pkcs12_password,
+ nssdb=nssdb)
+
+ try:
+ pkcs12.show_certs()
+ finally:
+ pkcs12.close()
+
+ # Import certificates
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_clone_pkcs12_path,
+ pkcs12_password=pki_clone_pkcs12_password,
+ no_user_certs=True)
+
+ print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
+
+ nssdb.show_certs()
+
+ finally:
+ nssdb.close()
if len(deployer.instance.tomcat_instance_subsystems()) < 2:
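Review bot: `pkcs12.show_certs()` and `nssdb.show_certs()` are diagnostics, but both run `subprocess.check_call`, so a failure of the listing itself (for example the `pki` CLI missing from PATH) aborts the clone installation — before the import in the first case, after it in the second. If the first call is also meant as an early check of the PKCS #12 password, say so in a comment; otherwise catch `subprocess.CalledProcessError` around each listing and report it without failing (this file would then need a `subprocess` import, which is not among the imports visible in this commit). Also, `pki.pkcs12.PKCS12(...)` is constructed before its own `try`, so if the constructor raises after creating its temp directory nothing here removes it; a comment that the object must always be closed would help callers.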
commit f726f9a668b523c4e5a9438d8ea301f4b556efd4
Author: Endi S. Dewata <edewata at redhat.com>
Date: Mon Aug 1 22:35:32 2016 +0200
Added log messages for certificate validation.
The ConfigCertApprovalCallback has been modified such that it
logs the server certificate being validated and can be configured
to ignore certain validation errors.
The ConfigurationUtils has been modified to use the
ConfigCertApprovalCallback to show and validate the server
certificate in all GET and POST operations except for the
importCertChain() in which the code needs to ignore untrusted
issuer in order to get the certificate chain via SSL.
https://fedorahosted.org/pki/ticket/2424
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
index 956c285..9b741af 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
@@ -17,17 +17,78 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.servlet.csadmin;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
+
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import com.netscape.certsrv.apps.CMS;
+
public class ConfigCertApprovalCallback
implements SSLCertificateApprovalCallback {