[Pkg-freeipa-devel] dogtag-pki: Changes to 'refs/tags/debian/10.5.3-1'

Timo Aaltonen tjaalton at moszumanska.debian.org
Thu Dec 21 16:11:45 UTC 2017

Tag 'debian/10.5.3-1' created by Timo Aaltonen <tjaalton at debian.org> at 2017-12-21 16:11 +0000

tagging package dogtag-pki version debian/10.5.3-1
Version: GnuPG v1


Changes since debian/10.3.5+12-5:
Abhijeet Kasurde (1):
      Added check for pki-server-nuxwdog parameter

Ade Lee (102):
      Fix CertRequestInfo URLs
      Refactor SecurityData archival and recovery code
      Modify retrieval and archival mechanisms in KRA REST
      Add option to pass existing request to retrieveKeyCLI
      Add field to KeyData to allow request to be returned when non-synchronous
      Fix approvals for asynchronous requests
      Fix auditing and rename kra.ephemeral as per review comments
      Add python-client code for key resource changes
      Fix bug in getting secrets from approved request
      Add option to remove signing cert entry
      Fix allowed key usages list for symkey generation
      Remove unused method
      Refactored EncryptionUnit
      Parametrize the encryption functions
      Parametrize crypto methods part 2
      Parameterize crypto functions, part 3
      Cleanup exception handling
      Refactor exception handling in the EncryptionUnit
      Refactor key recovery to centralize crypt functions
      Remove unused method
      Refactored EncryptionUnit
      Parametrize the encryption functions
      Parametrize crypto methods part 2
      Parameterize crypto functions, part 3
      Cleanup exception handling
      Refactor exception handling in the EncryptionUnit
      Refactor key recovery to centralize crypt functions
      Change internal wrapping to AES
      Fix incorrect function in generating symmetric keys.
      Change transport unit to create wrapping parameters based on incoming data
      Fix wrapping params on the security data recovery service
      Refactor crypto code
      Continue to move more crypto into CryptoUtil
      Add config options to allow storage wrappings to be set
      Merge branch 'master' of github.com:dogtagpki/pki
      Merge "Add config options to allow storage wrappings to be set"
      Add config options to allow storage wrappings to be set
      Merge github.com:dogtagpki/pki
      Fix Java client to use AES
      Added infoClient to PKIClient to get server info
      Merge "Fix Java client to use AES"
      Merge "Added infoClient to PKIClient to get server info"
      Added comparator function to version
      Refactor code that creates PKIArchiveOptions objects
      Merge github.com:dogtagpki/pki
      Change CRMFPopClient to use AES-KeyWrap with padding
      Modify storage unit to generate a  new IV
      Fix retrieval for symmetric keys
      Fix generation of CRMF request for ECC keys
      Change default key size for KRA storage unit to 128
      Added python info client
      Add util code to source environment files
      Merge "Added python info client"
      Merge "Add util code to source environment files"
      Added python info client
      Add util code to source environment files
      Merge github.com:dogtagpki/pki
      Fix pylint errors
      Add python-cryptography crypto provider
      Add code in KRA python client to support multiple crypto algorithms
      Modify the classpath to work correctly with eclipse in f25+
      Add KRAInfo resource
      Add CAInfo resource
      Modified CRMFPopClient to use correct wrapping for encrypt case
      Fix python issues identified in review
      Fix symkey retrieval in python client
      Add field to indicate if key was encrypted or wrapped
      Allow key recovery to use encrypted field in key record
      Modify cert clients to check server for wrapping params
      Make sure connection is always closed
      Modify the key client to default to 3DES
      Fix DES3 using python-cryptography provider
      Fix symkey retrieval using NSS python client
      Make sure generated asym keys are extractable
      Use AES-CBC in storage unit for archival in key wrapping
      Fix symmetic key retrieval in HSM
      Encapsulate the archival audit log
      Encapsulate archival processed audit logs
      Encapsulate key recovery audit events
      Encapsulate recovery processed audit events
      Eliminate async recovery audit events
      Encapsulate key retrieval audit events
      Fix auditing in retrieveKey
      Encapsulate recovery request approval audit logs
      Fix failing audit log
      Make sure archivalID is passed through archival
      Simplify recovery audit logging
      Encapsulate symmetric and asymmetric keygen audit events
      Encapsulate key status change audit logs
      Encapsulate server side keygen audit events
      Set encryption flag for generated keys
      Convert CMC code to use AES
      Fix NPE in audit log invocation
      Refactor client to not use keysets
      Server side changes to correctly parse the new PKIArchiveOptions
      Stop using hardcoded IV in CMC
      Add possible keywrap algorithms to usage
      Add one more possible keywrap algorithm to usage
      Fix 3DES archival
      Fix token enrollment and recovery ivs
      Add doc on using nuxwdog with HSM tokens
      Add pkispawn option for ephemeral requests

Amol Kahat (2):
      Added -t and --token information in pki man page.
      Fixed typo in pki-server db command

Christian Heimes (10):
      Misc pylint, flake8 and tox fixes
      Added python3-pyldap build dependency
      Fix for pylint when using Python 3.6
      Add Travis CI to compose core RPM packages
      Spawn a CA and KRA on Travis
      Get journald output from test container
      Python 3 support and Travis testing
      pki.authority: Don't send header as POST body
      pkispawn: wait after final restart
      Ignore empty key in read_environment_files

Christina Fu (38):
      Ticket #2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
      Ticket #1527 TPS Enrollment always goes to "ca1" (bug fix)
      Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
      Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
      a few simple debugging messages in TPS that will make debugging easier.
      Ticket #2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
      Ticket #2534 (additional) - reset cert status after successful unrevoke
      Ticket #1741 ECDSA certs Alg IDs contian parameter field
      pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)
      pagure#2605 (add one missing method) CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)
      Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
      Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
      Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more error checking and debugging
      Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch provides the feature for CMC on handling id-cmc-popLinkWitnessV2
      Ticket #2717 CMC user-signed enrollment request
      Ticket #2617 added the new caFullCMCUserSignedCert profile in CS.cfg
      Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error
      Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
      Ticket#2618 feature: pre-signed CMC renewal request
      Ticket #2617 part2: add revocation check to signing cert
      Ticket #2619 Allow CA to process user-signed CMC revocation requests
      Ticket#2737 CMC: check HTTPS client authentication cert against CMC signer
      Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison
      Ticket #2616 CMC: id-cmc-statusInfo ==> id-cmc-statusInfoV2
      Ticket #2779 cmc plugin default change
      Ticket #2757 CMC enrollment profiles for system certificates
      Ticket #2788 Missing CN in user signing cert would cause error in cmc user-signed
      Ticket #1665 (code realignment) Certificate Revocation Reasons not being updated in some cases
      Ticket #2742 CMC: CMC request are available on the CA Agent page even after Rejected status in Audit logs
      Merge branch 'cmcReqs'
      Ticket #1559 email notification failed.
      Ticket #2772 TPS: correct tokenOrigin and tokenType attrs for recovered externalReg certs
      Ticket 2772 (added patch) ExternalReg tokenOrigin for recovered cert
      Ticket #2631 ExternalReg Recovery needs to go to the kra in user record
      Ticket #2604 RFE: shared token storage and retrieval mechanism
      Ticket #2834-Missing CN causing NPE in CMCAuth
      Ticket #2819  Incorrect SubjectID for CMC_SIGNED_REQUEST_SIG_VERIFY
      Ticket #2861 ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates

Dinesh Prasanth M K (13):
      Smoke test with FreeIPA
      Patch for "pki-server subsystem-cert-update" command
      Temp SSL Certificate Creation - Offline System Certificate Renewal
      Added CLI tools to pki-server
      Added support to create & import cert in pki-server tool
      Added tool for create permanent certificates online
      Updated cert-create and nssdb tool to get cert info
      Concurrent Travis CI build
      Added man pages for `pki-server cert` module
      Fixed Travis CI python env
      Docker images have been updated to Fedora 26
      Added tool for selftest enable/disable through CLI
      Updated Travis to use the Docker image from new repo.

Endi S. Dewata (605):
      Removed PKCS #7 from add user cert dialog in TPS UI.
      Added cert validation error message in selftest log.
      Added exception wrapper for invalid LDAP attribute syntax.
      Removed misleading log in SelfTestSubsystem.
      Fixed SelfTestService.findSelfTests().
      Added debug messages for ConfigurationUtils.handleCerts().
      Allowing optional CA signing CSR.
      Updated pki-server subsystem-cert-update CLI.
      Added upgrade script to fix deployment descriptors.
      Updated RPM spec for RHEL.
      Fixed default token name for system certificates.
      Moved subsystem initialization after database initialization.
      Fixed debug log in UpdateNumberRange servlet.
      Added support to create system certificates in different tokens.
      Removed FixSELinuxContexts upgrade script.
      Updated RPM spec.
      Removed support for creating system certificates in different tokens.
      Troubleshooting improvements for SigningUnit.
      Troubleshooting improvements for ConfigurationUtils.
      Additional improvements for SigningUnit.
      Removed duplicate classes.
      Troubleshooting improvements for GetCertChain.
      Fixed NSSDatabase.create_request().
      Fixed ConfigurationUtils.importCertChain().
      Fixed Eclipse classpath for Fedora 23.
      Fixed installation error message.
      Fixed pki-nsutil build order.
      Fixed CryptoUtil.getTokenName().
      Fixed TPS UI system menu.
      Fixed TPS UI for agent approval.
      Fixed typo in UserPwdDirAuthentication.
      Troubleshooting improvement for ConfigurationUtils.handleCerts().
      Reformatted SecurityDataRecoveryService.serviceRequest().
      Fixed KRA key recovery via CLI in FIPS mode.
      Fixed default OCSP port in server.xml.
      Fixed exception message in PKCS12Util.loadFromByteArray().
      Added constructors to chain EPropertyException.
      Fixed resource leak in OtherName.
      Fixed resource leak in GenericASN1Extension.
      Fixed resource leak in OCSPNoCheckExtension.
      Fixed resource leak in ExtendedKeyUsageExtension.
      Fixed resource leak in InhibitAnyPolicyExtension.
      Replaced deprecated DefaultHttpClient.
      Replaced deprecated ProxyParser.
      Added man pages for PKCS #12 utilities.
      Updated pki-core.spec.
      Reverted policy framework deprecation.
      Generalized list of files in CMakeLists.txt.
      Moved policy framework classes to org.dogtagpki.legacy.
      Fixed problem installing subordinate CA with HSM in FIPS mode.
      Fixed hanging subordinate CA with HSM installation in FIPS mode.
      Removed unused CA and KRA logging.properties.
      Removed unused OCSP, TKS, and TPS logging.properties.
      Updated logging.properties.
      Updated log4j.properties.
      Added man pages for logging configuration.
      Updated spec file for logging configuration man pages.
      Update PKCS12Util to use SLF4J.
      Updated AccountInfo.
      Fixed TPS UI system menu.
      Fixed TPS UI for agent approval.
      Updated pki-cert man page.
      Refactored PKIConnection.get().
      Fixed problem with pki user-cert-add.
      Revert "Replaced deprecated ProxyParser."
      Revert "Replaced deprecated DefaultHttpClient."
      Updated NSS dependency on Fedora.
      Fixed user certificate renewal using pki client-cert-request.
      Fixed pki-tools build order.
      Removed redundant find_file() for Tomcat libraries.
      Refactored pki_copytree().
      Refactored master & slots dictionaries creation.
      Refactored user_config object in pkiconfig.py.
      Refactored pki_config object in pkiparser.py.
      Refactored pki_subsystem object in pkiconfig.py.
      Refactored PKIDeployer.
      Refactored PKIConfigParser.flatten_master_dict().
      Refactored deployment timestamp variables.
      Refactored deployment system variables.
      Replaced default AJP hostname with generic loopback address.
      Fixed misleading error message on duplicate cert in HSM.
      Added global TCP Keep-Alive option.
      Cleaned up error handling in PKI CLI.
      Cleaned up error handling in user and group CLIs.
      Added upgrade script to update AJP loopback address.
      Refactored Constants.PR_INTERNAL_TOKEN.
      Refactored Constants.PR_INTERNAL_TOKEN_NAME.
      Refactored Constants.PR_FULL_INTERNAL_TOKEN_NAME.
      Refactored ConfigurationRequest.TOKEN_DEFAULT.
      Refactored KRATool.INTERNAL_TOKEN.
      Refactored CMCRequest.PR_INTERNAL_TOKEN_NAME.
      Refactored CMCRevoke.PR_INTERNAL_TOKEN_NAME.
      Refactored HttpClient.PR_INTERNAL_TOKEN_NAME.
      Refactored KeyRecoveryAuthority.PR_INTERNAL_TOKEN_NAME.
      Updated wrapper script for legacy CLIs.
      Replaced internal token full name literals.
      Fixed missing SLF4J in Javadoc classpath.
      Fixed Javadoc failure caused by HTML special characters.
      Replaced internal token short name literals.
      Updated CryptoUtil.
      Fixed inconsistent internal token detection.
      Fixed problem searching the latest certificate request.
      Replaced CryptoManager.getTokenByName().
      Merged /pki webapps.
      Updated Dogtag theme build script.
      Updated Dogtag theme spec file.
      Cleaned up error handling in cert and profile CLIs.
      Cleaned up error handling in key CLIs.
      Refactored restricted command list in PKI CLI.
      Fixed Ctrl-C handling in PKI CLI.
      Troubleshooting improvements for CAEnrollProfile.
      Added --renewal param to pki ca-cert-request-submit.
      Added --serial param to pki ca-cert-request-submit.
      Cleaned up error handling in client and PKCS12 CLIs.
      Fixed MergePKIWebapps upgrade script.
      Cleaned up error handling in feature and authority CLIs.
      Cleaned up error handling in system, logging, and selftest CLIs.
      Cleaned up error handling in TPS CLIs.
      Converted library links creation into CMake scripts.
      Removed library links creation from RPM spec.
      Cleaned up CMake scripts for Jackson libraries.
      Refactored PKIService class.
      Refactored ClientConfig.
      Refactored SubsystemClient.
      Added CAClientExample.
      Added CACertClientExample.
      Updated RPM spec to include Java examples.
      Added log message in CMCAuth.
      Troubleshooting improvements for CertRequestService.
      Renamed index.html to index.jsp in CA UI.
      Renamed index.html to index.jsp in KRA UI.
      Renamed index.html to index.jsp in OCSP UI.
      Renamed index.html to index.jsp in TKS UI.
      Renamed index.html to index.jsp in TPS UI.
      Refactored pki-ui.js.
      Added Console source folder to Eclipse classpath.
      Fixed error handling for Console authentication.
      Updated classpath in Console wrapper script.
      Reorganized PKI UI pages.
      Secured PKI UI main page.
      Fixed build problem on RHEL.
      Added PKIApplication.
      Added InfoService and LoginService.
      Added access banner for PKI UI.
      Added access banner for CA UI.
      Added access banner to KRA UI.
      Added access banner to OCSP UI.
      Added access banner to TKS UI.
      Added access banner to TPS UI.
      Added access banner for PKI console.
      Added access banner for PKI CLI.
      Refactored PKIInstance.load().
      Added exception chaining for EInvalidCredentials.
      Troubleshooting improvement for ClientCertValidateCLI.
      Added cascading configuration for PKI CLI.
      Exporting environment variables for PKI client.
      Merge pull request #1 from amolkahat/pki_man
      Removed duplicate code to configure SSL version ranges.
      Cleaned up CryptoUtil.setClientCiphers().
      Added missing Eclipse dependency.
      Default NSS database for PKI CLI.
      Moved default SSL configuration out of PKIConnection.
      Cleaned up CryptoUtil.setClientCiphers(String).
      Fixed PKIClient initialization in PKI CLI.
      Added configuration parameters for SSL version ranges.
      Renamed CryptoUtil.setClientCiphers().
      Fixed error handling in CryptoUtil.unsetSSLCiphers().
      Fixed error handling in CryptoUtil.setClientCiphers().
      Refactored CryptoUtil.setClientCiphers().
      Added pki.conf parameter for SSL ciphers.
      Added pki.conf parameter for default SSL ciphers.
      Added hard-coded default values for SSL parameters in PKI CLI.
      Fixed default value for SSL datagram.
      Allowing pki client-init without NSS database password.
      Allowing pki pkcs12-import without NSS database password.
      Allowing client cert auth without NSS database password.
      Added support for hex cipher IDs in pki.conf.
      Added support for disabling SSL ciphers in pki.conf.
      Added CLI.getConfig().
      Refactored CLI.getClient().
      Refactored ClientCLI.
      Refactored ProxyCLI.
      Refactored SubsystemCLI.
      Refactored CA CertCLI.
      Refactored GroupCLI.
      Refactored KRA KeyCLI.
      Refactored SecurityDomainCLI.
      Refactored UserCLI.
      Refactored AuthorityCLI.
      Refactored FeatureCLI.
      Refactored KRAConnectorCLI for CA.
      Refactored CA ProfileCLI.
      Refactored CA ProfileMappingCLI.
      Refactored SelfTestCLI.
      Refactored TPSConnectorCLI for TKS.
      Added audit logs for SSL/TLS events.
      Refactored ActivityCLI.
      Refactored AuditCLI.
      Refactored AuthenticatorCLI.
      Refactored TPSCertCLI.
      Refactored TPS ConfigCLI.
      Refactored TPS ProfileCLI.
      Refactored TPS TokenCLI.
      Refactored TPS ConnectorCLI.
      Removed duplicate PROP_ROLLOVER_INTERVAL constant.
      Removed duplicate PROP_MAX_FILE_SIZE constant.
      Removed duplicate PROP_EXPIRATION_TIME constant.
      Fixed default subsystems for top-level CLI commands.
      Fixed pylint errors in pki.server.cli.subsystem.
      Fixed pylint error in pki.authority.
      Removed redundant Context attributes.
      Refactored AuditCLI.
      Added audit service and CLI to all subsystems.
      Added PKIRESTProvider.
      Added CLIs to access audit log files.
      Fixed PKIServerSocketListener.
      Fixed pki_console_wrapper.
      Added SSLSocketListener for PKIConnection.
      Fixed pki user and group commands.
      Deprecated -t option for pki CLI.
      Added FIPS-compliant password generator.
      Added pki-server <subsystem>-audit-file-find CLI.
      Added pki-server <subsystem>-audit-file-verify CLI.
      Added audit event constants for SSL session.
      Added audit event constants for TPS.
      Reorganized audit event constants for KRA.
      Reorganized audit event constants for TKS.
      Reorganized audit event constants for OCSP.
      Reorganized audit event constants for authentication.
      Reorganized audit event constants for CA.
      Reorganized additional audit event constants for KRA.
      Reorganized audit event constants for configuration.
      Updated CMS.getLogMessage().
      Added methods to log AuditEvent object.
      Fixed ClientIP field in SSL session audit log.
      Fixed missing IP addresses and subject ID in audit log.
      AdminConnection cleanup by Eclipse.
      Added AuditEvent.setParameters().
      Added session timeout for PKI console.
      Updated default SSL connection timeout.
      Fixed SSL connection timeouts.
      Refactored line concatenation.
      Refactored additional line concatenation.
      Added AdminServlet.audit(AuditEvent).
      Refactored CAProcessor.auditInfoCertValue().
      Refactored ConnectorServlet.auditInfoCertValue().
      Refactored ProfileSubmitCMCServlet.auditInfoCertValue().
      Fixed missing IAuditor.log(AuditEvent).
      Added AuthSuccessEvent.
      Added AuthFailEvent.
      Added AuthzSuccessEvent.
      Added AuthzFailEvent.
      Added RoleAssumeEvent.
      Added ConfigRoleEvent.
      Added CertRequestProcessedEvent.
      Updated debug logs in SystemConfigService.
      Added ConfigSignedAuditEvent.
      Added CertRequestProcessedEvent constructor for X509CertImpl.
      Added CertRequestProcessedEvent constructor for IRequest.
      Added log messages for server shutdown.
      Simplified conditions to log CERT_REQUEST_PROCESSED.
      Added AuditEvent attributes.
      Added ConfigTrustedPublicKeyEvent.
      Refactored CertRequestProcessedEvent to use AuditEvent attributes.
      Added certificate serial number for CERT_REQUEST_PROCESSED.
      Fixed audit event outcome for agent-rejected cert request.
      Fixed audit event outcome for agent-canceled cert request.
      Refactored UpdateCRL.process() (part 1).
      Refactored UpdateCRL.process() (part 2).
      Refactored UpdateCRL.process() (part 3).
      Reformatted UpdateCRL.process().
      Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.
      Added CertStatusChangeRequestProcessedEvent.
      Refactored RevocationRequestListener.accept().
      Reformatted RevocationRequestListener.accept().
      Added debug logs for UpdateCRL servlet.
      Added debug logs for JssSubsystem.
      Fixed problem with --ignore-banner option.
      Added configurable random number generator in JssSubsystem.
      Enabling all subsystems on startup.
      Moved TokenServlet into pki-tks package.
      Updated log messages in OCSPProcessor.
      Cleaned up DefStore.processRequest() (part 1).
      Cleaned up DefStore.processRequest() (part 2).
      Cleaned up DefStore.processRequest() (part 3).
      Updated OCSP log messages.
      Replaced random number generator in SecurityDataProcessor.
      Replaced random number generator in RequestQueue.
      Added CRLIssuingPoint.generateCRLExtensions().
      Added CRLIssuingPoint.generateDeltaCRL().
      Added CRLIssuingPoint.generateFullCRL().
      Replaced SHA1-based random number generators.
      Refactored CRLIssuingPoint.generateDeltaCRL().
      Refactored CRLIssuingPoint.generateFullCRL().
      Updated ECAException constructor.
      Added DELTA_CRL_GENERATION audit event.
      Added DELTA_CRL_PUBLISHING audit event.
      Added FULL_CRL_GENERATION audit event.
      Added FULL_CRL_PUBLISHING audit event.
      Added SCHEDULE_CRL_GENERATION audit event.
      Added pkispawn options for two-step installation.
      Fixed two-step subordinate CA installation.
      Fixed missing build dependency on slf4j-jdk14.
      Removed hard-coded version numbers from compose scripts.
      Fixed theme build script.
      Removed superfluous deployment configuration backup.
      Added upgrade script for keepAliveTimeout.
      Reorganized upgrade scripts.
      Added version number on supported platforms into spec files.
      Fixed random password generator.
      Excluded backslash from random password.
      Refactored MainCLI.loadPassword() (part 1).
      Refactored MainCLI.loadPassword() (part 2).
      Refactored MainCLI.loadPassword() (part 3).
      Refactored CLI.runExternal().
      Fixed pki client-cert-import CLI.
      Fixed default CA cert trust flags in pki CLI.
      Fixed client cert auth in PKI console.
      Cleaned up PKI console options.
      Updated PKI console option parser.
      Refactored AuditVerify (part 1).
      Refactored AuditVerify (part 2).
      Refactored AuditVerify (part 3).
      Added RESTEasy paths into pki-console.spec.
      Added verbose option for PKI console.
      Fixed PKI console build issue on RHEL.
      Fixed access banner normalization.
      Fixed access banner encoding.
      Fixed access banner encoding (part 2).
      Fixed initial audit log signature verification.
      Fixed audit log signature problem due to rotation.
      Fixed pki ca-cert-find and ca-cert-show output.
      Added default URL for OCSPProcessor.
      Added banner validation during server startup.
      Added search filter for pki ca-authority-find.
      Added pki ca-cert-status.
      Added log messages for OCSP service.
      Fixed OCSP service error handling.
      Fixed build dependency for javadoc.
      Refactored LogQueue class.
      Added LogCategory enumeration.
      Added LogSource enumeration.
      Refactored ILogEventFactory implementations.
      Refactored Logger class.
      Fixed build dependency for pki-cms.jar.
      Reorganized Logger classes.
      Added default log level for Logger.
      Refactored signed audit logger.
      Added LogEvent class.
      Consolidated log() for audit events.
      Fixed error message on invalid log type.
      Fixed audit events class hierarchy.
      Refactored ConfigurationUtils.configLocalCert().
      Refactored ConfigurationUtils.configRemoteCert().
      Refactored CertUtil.createLocalCert() (part 1).
      Refactored CertUtil.createLocalCert() (part 2).
      Refactored CertUtil.createLocalCert() (part 3).
      Moved cert management methods into CertUtil.
      Refactored CertUtil.importCert().
      Refactored CertUtil.importExternalCert().
      Refactored ConfigurationUtils.handleLocalCert().
      Refactored CertUtil.createLocalRequest().
      Refactored CertUtil.updateLocalRequest().
      Refactored ConfigurationUtils.updateServerCertNickConf().
      Refactored ConfigurationUtils.updateCloneConfig().
      Fixed error message in SystemConfigService.processCerts().
      Refactored SystemConfigService.processKeyPair().
      Refactored SystemConfigService.processCert().
      Merge pull request #5 from amolkahat/type_fix
      Fixed CertUtil.updateLocalRequest().
      Refactored ConfigClient.configure_pki_data().
      Refactored server restart code.
      Removed unused KRA initial profiles.
      Removed cert chain requirement for standalone KRA.
      Refactored NSSDatabase.remove_cert().
      Refactored temp SSL server cert creation (part 1).
      Refactored temp SSL server cert creation (part 2).
      Refactored SSL server cert replacement.
      Removed unnecessary UTF-8 encoding.
      Fixed installation problem.
      Refactored key parameter parsing.
      Added aliases for SSL server cert params.
      Refactored CSR generation.
      Refactored CA signing CSR generation.
      Deprecated pki_ssl_server_* parameters.
      Fixed standalone OCSP installation.
      Fixed CSR file validation for standalone installation.
      Removed unused confirm_missing_file().
      Fixed pki-server cert-find output.
      Refactored system cert requests generation.
      Refactored importing system cert requests.
      Refactored importing system certs.
      Refactored system certs configuration.
      Refactored system certs verification.
      Added parser for PKCS #7 in PEM format.
      Added CLI to import PKCS #7 file.
      Added CMCResponse option to export PKCS #7 cert chain.
      Added CMCResponse return code.
      Added support for extended key usage extension.
      Refactored standalone admin cert configuration.
      Refactored key generation for SSL server certificate.
      Refactored CSR generation for standalone installation.
      Refactored importing cert chain (part 1).
      Refactored importing cert chain (part 2).
      Refactored importing cert chain (part 3).
      Refactored importing cert chain (part 4).
      Refactored loading external system certs.
      Added banner validation in InfoService.
      Added support for importing PKCS #7 certificates.
      Added parameter validation for pki client-cert-import.
      Fixed ConfigurationTest.
      Fixed Eclipse classpath to run unit tests.
      Removed unnecessary exception handlers in CATestJunit.
      Merged local and remote cert handlers.
      Removed redundant hasSigningCert.
      Removed unused external_signing cert.
      Refactored ConfigurationUtils.configRemoteCert().
      Refactored SystemConfigService.processCert() (part 1).
      Refactored SystemConfigService.processCert() (part 2).
      Displaying tokenType and tokenOrigin in TPS UI and CLI.
      Removed redundant code in ConfigurationUtils.
      Added ConfigurationRequest.getSystemCert().
      Refactored ConfigurationUtils.loadCert().
      Removed exception handler in ConfigurationUtils.configCert().
      Removed redundant code in ConfigurationUtils.configRemoteCert().
      Refactored ConfigurationUtil.configLocalCert().
      Refactored admin configuration (part 1).
      Refactored admin configuration (part 2).
      Refactored admin configuration (part 3).
      Removed unused ConfigurationRequest.stepTwo field.
      Added X509CertImpl.getInfo() method.
      Refactored CertUtil.createLocalCert().
      Refactored system cert validator (part 1).
      Refactored system cert validator (part 2).
      Refactored SystemConfigService.configure().
      Refactored SystemConfigService.processCert().
      Refactored ConfigurationUtils.loadCertRequest().
      Removed unused code ConfigurationUtils.handleCert().
      Refactored SystemConfigService.processCert().
      Fixed ConfigurationTest.
      Refactored CertUtil.getPKCS10().
      Refactored ConfigurationUtils.createAdminCertificate().
      Refactored Cert class (part 1).
      Refactored Cert class (part 2).
      Removed redundant code in SystemConfigService.configureNewSecurityDomain().
      Fixed system cert validation.
      Refactored KRA connector configuration (part 1).
      Refactored KRA connector configuration (part 2).
      Refactored OCSP configuration update.
      Refactored importing CA cert into OCSP.
      Removed redundant import_external_ca_signing_cert().
      Fixed pki client-cert-show output.
      Renamed standalone KRA and OCSP deployment params.
      Added request record for existing self-signed CA signing cert.
      Added support for CA installation with all existing certs.
      Renamed external CA parameters.
      Added support for KRA and OCSP installation with external certs.
      Added generic CMC servlet.
      Refactored CMC_SIGNED_REQUEST_SIG_VERIFY event.
      Cleaned up Logger invocations.
      Refactored Logger class (part 1).
      Refactored Logger class (part 2).
      Refactored LogFile class (part 1).
      Refactored LogFile class (part 2).
      Refactored AUTH_SUCCESS and AUTH_FAIL events.
      Refactored Logger class (part 3).
      Refactored CA loggers.
      Refactored KRA loggers.
      Refactored OCSP loggers.
      Refactored TKS loggers.
      Refactored TPS loggers.
      Refactored log factory (part 1).
      Refactored log factory (part 2).
      Refactored LogEvent class.
      Refactored Logger class (part 4).
      Refactored log factory (part 3).
      Refactored log factory (part 4).
      Refactored log factory (part 5).
      Refactored log factory (part 6).
      Refactored AsymKeyGenerationEvent.
      Refactored AsymKeyGenerationProcessedEvent.
      Refactored CertRequestProcessedEvent.
      Refactored CertStatusChangeRequestProcessedEvent.
      Refactored CMCSignedRequestSigVerifyEvent.
      Refactored ConfigRoleEvent.
      Refactored ConfigSignedAuditEvent.
      Refactored ConfigTrustedPublicKeyEvent.
      Refactored DeltaCRLGenerationEvent.
      Refactored DeltaCRLPublishingEvent.
      Refactored FullCRLGenerationEvent.
      Refactored FullCRLPublishingEvent.
      Refactored RoleAssumeEvent.
      Refactored ScheduleCRLGenerationEvent.
      Refactored security data archival events.
      Refactored security data export event.
      Refactored security data recovery events.
      Refactored remaining security data events.
      Refactored server-side key generation events.
      Refactored symmetric key generation events.
      Refactored authorization events.
      Merged AUTH_SUCCESS and AUTH_FAIL events.
      Merged AUTHZ_SUCCESS and AUTHZ_FAIL events.
      Merge "Fix Weak ciphers (3DES) should not be enabled by default anymore."
      Added audit log message parser.
      Added audit event filter.
      Revert "Added audit event filter."
      Fixed pki client-cert-import.
      Merge changes from topic 'ticket-2689'
      Reorganized subsystem CLI classes.
      Reorganized CA cert CLI class.
      Reorganized CA cert client class.
      Cleaned up CA client objects creation.
      Fixed OCSPClient error message.
      Removed redundant OCSPAuthority.arraysEqual().
      Removed nested if-statement in DefStore.processRequest().
      Fixed error handling in LDAPStore.processRequest() (part 1).
      Fixed error handling in LDAPStore.processRequest() (part 2).
      Fixed error handling in DefStore.processRequest() (part 1).
      Fixed error handling in DefStore.processRequest() (part 2).
      Fixed error handling in DefStore.processRequest() (part 3).
      Fixed error handling in CertificateAuthority.validate().
      Added OCSP_GENERATION audit event.
      Encapsulated OCSP_ADD_CA_REQUEST events.
      Encapsulated OCSP_REMOVE_CA_REQUEST events.
      Removed trailing whitespaces in LogMessages.properties.
      Fixed OCSP_REMOVE_CA_REQUEST event.
      Encapsulated CERT_STATUS_CHANGE_REQUEST event.
      Fixed pki-cms and pki-core dependency issue.
      Refactored DoRevokeTPS.process().
      Refactored DoUnrevokeTPS.process().
      Fixed ReqID attribute in CERT_STATUS_CHANGE_REQUEST events.
      Removed unused auditRequesterID() method.
      Updated Travis CI configuration.
      Updated LDAPJDK dependency.
      Added audit event filter.
      Fixed invalid audit log format.
      Refactored Auditor.getParamString() (part 1).
      Refactored Auditor.getParamString() (part 2).
      Refactored Auditor.getParamString() (part 3).
      Added SignedAuditEvent.setAttribute() method.
      Added sub CA options for pki client-cert-request.
      Added RANDOM_GENERATION event.
      Refactored KeyRetrieverRunner._run().
      Refactored CertificateAuthority.initSigUnit() (part 1).
      Refactored CertificateAuthority.initSigUnit() (part 2).
      Refactored CertificateAuthority.initSigUnit() (part 3).
      Refactored SigningUnit.init() (part 1).
      Refactored SigningUnit.init() (part 2).
      Added SystemConfigService.handleCerts().
      Refactored ConfigurationUtils.setCertPermissions() (part 1).
      Refactored ConfigurationUtils.setCertPermissions() (part 2).
      Refactored CertRequestProcessedEvent.
      Consolidated certificate header and footer Java constants.
      Added chunking option for Utils.base64encode().
      Added signing info events.
      Consolidated Base-64 encoding methods.
      Consolidated Base-64 decoding methods.
      Removed blank line in PEM certificates.
      Refactored PKIClient.removeCert().
      Refactored PKIClient.getCerts() and getCACerts().
      Refactored PKIClient.getCert().
      Removed redundant cert import methods in PKIClient.
      Consolidated PKCS #7 header and footer for Java.
      Consolidated CSR header and footer for Java.
      Fixed CSR format in PKCS10Client and CRMFPopClient.
      Reorganized CertUtil.importCert().
      Refactored CertUtil.findCertificate() (part 1).
      Refactored CertUtil.findCertificate() (part 2).
      Refactored CertUtil.deleteCert().
      Refactored CryptoUtil.importUserCertificate().
      Refactored ConfigurationUtils.importCert().
      Refactored CryptoUtil.importUserCertificate() (part 2).
      Fixed install problem in HSM case.
      Refactored RoleAssumeEvent (part 1).
      Refactored RoleAssumeEvent (part 2).
      Cleaned up authz-related debug messages.
      Removed redundant ROLE_ASSUME events.
      Refactored SecurityDataArchivalEvent.
      Refactored CryptoUtil.encryptPassphrase().
      Refactored CryptoProvider.wrapWithSessionKey().
      Refactored KeyClient.archivePassphrase().
      Fixed unit test classpath.
      Updated pki-core.spec to run unit tests.
      Revert "Updated pki-core.spec to run unit tests."
      Refactored CryptoUtil.wrapSymmetricKey().
      Refactored KeyClient.transportCert.
      Refactored KeyClient.setTransportCert().
      Added CLI option for transport cert nickname.
      Added CLI option to archive binary data from file.
      Added CLI option to store retrieved data into file.
      Consolidated certificate parsing.
      Replaced deprecated FileUtils.readFileToString().
      Refactored EnrollmentService.verifyKeyPair().
      Added failure reason to SECURITY_DATA_ARCHIVAL_REQUEST event.
      Removed redundant audit() methods.
      Fixed inconsistent OCSP signing certificate extensions.
      Removed redundant audit() methods (part 2).
      Cleaned up CMake scripts.
      Refactored instance_layout.py.
      Refactored configuration.py.
      Removed obsolete JSS connector parameters.
      Added pki-server cert-export CLI.
      Updated logger for Tomcat-related classes.

Fraser Tweedale (76):
      Revoke lightweight CA certificate on deletion
      Prevent deletion of host CA cert and key from NSSDB
      Accept LWCA entry with missing entryUSN if plugin enabled
      Perform host authority check before entryUSN check
      Do not attempt LWCA key retrieval for host authority
      Compare serialised DNs in host authority check
      Block reads during reload of LDAP-based profiles
      Remove unused member
      LDAPProfileSubsystem: log exception if profile creation fails
      Remove unused string constant
      Replace duplicate string literals with a constant
      Move AuthToken key constants to IAuthToken
      Merge duplicate authz plugin code into superclass
      Allow ':' to appear in ACL expressions
      Add getAuthzManagerNameByRealm to IAuthzSubsystem
      Define "auth_token" IRequest extdata key prefix in one place
      Define "profileId" IRequest extdata key in one place
      Define "req_authority_id" IRequest extdata key in IRequest
      Remove principal type assumption from AuthorityService
      Use BigInteger for entryUSN
      Remove unused dependency from tomcat classes build
      DNSName: add method to get value
      GeneralName: add method to get at inner value
      SubjectAlternativeNameExtension: add GeneralNames getter/setter
      X500Name: add method to get all attributes of a given type
      Add profile component that copies CN to SAN dNSName
      Add upgrade script to add CommonNameToSANDefault plugin
      Allow DirAclAuthz to be configured to read alternative entry
      Fix NPE in server shutdown when startup failed
      Remove unused import
      Refactor CertRetrievalRequest construction
      Include revocation reason in REST cert data
      pkispawn.8: fix setup-ds.pl command name
      pki_default.cfg.5: fix ca_signing tag name
      Define AgentCertAuthentication token keys in IAuthToken
      CertProcessor: extract method setAuthTokenIntoRequest
      Add groups and request attributes to external principals
      Add IAuthToken implementation for external principals
      Update AuthMethodInterceptor to handle external principals
      Update SessionContextInterceptor to handle external principals
      Update ACLInterceptor to support external principals
      CMS.getLogMessage: escape format elements in arguments
      Allow arbitrary user data in cert request
      CertProcessor: set external principal attributes into request
      Add ExternalProcessConstraint for request validation
      Add authn manager that reuses auth token from session
      LDAPProfileSubsystem: avoid duplicating logic in superclass
      ISourceConfigStore: add clear() method to interface
      ProfileService: clear profile attributes when modifying
      KRA: do not accumulate recovered keys in token
      Add upgrade script that adds KRA wrapping params
      PKCS12Util: use AES to encrypt private keys
      PKCS12Util: add some much-needed comments
      KRA: use AES in PKCS #12 recovery for wrapped keys
      CAInfoService: retrieve info from KRA
      Fix PKCS #12 import during clone installation
      Delete unused methods
      Fix NPE in lightweight CA creation
      Improve exception message for null AuthorityKeyIdentifier
      KRA PKCS #12 export: add config to use 3DES PBE encryption
      Fix regression in pkcs12 key bag creation
      Fix FixDeploymentDescriptor upgrade script if source file is missing
      pkispawn: allow override of server startup timeout
      KeyClient: fix json encoding in Python 3
      Fix regression in lightweight CA replication
      KRA: use AES in PKCS #12 recovery for encrypted keys
      Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31
      Fix external CA CSR generation with custom extension
      Fix pki-server subsystem-cert-validate command with big serial
      UserSubjectNameDefault: don't change attribute encodings
      Fix issuance when CA cert lacks Subject Key ID ext
      CMSServlet.renderFinalError: log exception
      TokenAuthenticate: avoid NPE on null session table
      TokenAuthentication: log error message on error
      Sleep after security domain login during configuration
      pkispawn: make security domain login sleep duration configurable

Geetika Kapoor (2):
      Fix for BZ 1358462
      Added ansible playbooks code and documentation for setup

Jack Magne (25):
      Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working.
      Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
      Another Fix for: Add ability to disallow TPS to enroll a single user on multiple tokens. #1664
      Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
      PIN_RESET policy is not giving expected results when set on a token.
      TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.
      Change lifecycle at end of enrollment if it is not already set.
      Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config
      Ticket #2569: Token memory not wiped after key deletion
      First cut of scp03 support. Supports the g&d smartcafe out of the box.
      SCP03 support for g&d sc 7 card.
      CA in the certificate profiles the startTime parameter is not working as expected.
      Non server keygen issue in SCP03.
      Now the program can create and import shared secret keys while under FIPS mode.
      Resolve  #1663 Add SCP03 support .
      Minor fix to already fixed issue:
      SCP03 support: fix Key Changeover with HSM (RHCS)
      TPS new configuration to allow the protocol of the to determine applet loaded.
      Fix Weak ciphers (3DES) should not be enabled by default anymore.
      Fix: #2695 Replacing Random with SecureRandom.
      Fix: #792 Support SHA256 for SKI
      Fix #2735 Secure removal of secret data storage.
      Fix #2735 Secure removal of secret data storage (phase 2)
      ReFix for  #2824 TPS new configuration to allow the protocol of the to determine applet loaded.
      Fix #2735 Secure removal of secret data storage (phase 3)

Matthew Harmsen (57):
      Updated version number to 10.4.0-0.1
      Resolves:  rhbz #1366465
      pki-tools HEADER/FOOTER changes
      pki-tools CMCEnroll man page
      pki-tools CMCEnroll man page (spec file)
      Resolve python-requests dependencies appropriately by adding minimum required
      Added openssl runtime dependency for support of External CA.
      Fix for flake8 errors on Fedora 26 (cheimes)
      Revert "Fixed TPS UI for agent approval."
      Revert "Fixed TPS UI system menu."
      Removed all references to 'xenroll.dll'
      Cast 'char *' to 'const char *' in C++ files.
      Re-base Dogtag pki packages to 10.4.x
      Upgraded remaining 10.3.3 references to 10.4.0.
      Synced changelog with Koji pki-core master.
      Fixed typo.
      Synced local source spec files with their upstream Koji counterparts.
      Updated version number to 10.4.1-0.1
      Synced up local spec files with latest release
      Checked-in under one-liner/trivial rule.
      Fixed typo.
      dogtagpki Pagure Issue #2633 - Missing python-cryptography dependencies
      Synced up local spec files with latest release
      Synced up local spec files with latest release
      Updated source version number to 10.4.3-1.1
      Synced up local spec files with latest release (10.4.4)
      Updated source version number to 10.4.4-1.1
      Fix CA installation with HSM in FIPS mode
      Added FIPS class to pkispawn
      Added runtime requirement on sysctl to pki-core spec file
      Correct section headings in user deployment configuration file
      Fixed hardcoded values in ca CS.cfg
      Synced up local spec files with latest release (10.4.5)
      Updated source version number to 10.4.5-1.1
      Always check FIPS mode at installation time
      Updated minimum selinux-policy-targeted runtime requirement.
      Synced up local spec files with latest release (10.4.6)
      synced compose scripts to 10.4.6
      Fixed pylint issues
      Revert "Fixed theme build script."
      Resolves: dogtag Pagure Issues #1663,2556,2674,2676,2687,2707,2713,2714,2717,2721,2726
      Updated 'selinux-policy-targeted' and 'tomcatjss' requirements.
      Updated source version number to 10.4.7-1.1
      dogtagpki Pagure Issue #2745 - Platform Dependent Python Import
      Synced up local spec files with latest release (10.4.8)
      Update development spec file templates
      Apply development spec file templates across all platforms
      Unset build env variables
      Fixed theme build script.
      Updated LDAPJDK dependency.
      Fixed builds on CentOS and synced spec file templates with Koji.
      Cleanup spec file conditionals
      Fix seobject pylint issues
      Synced up local spec files with latest release (10.5.2)
      Set the default NSS DB type
      Set the default NSS DB type for console
      Fix nuxwdog to work on all platforms

Nathan Kinder (1):
      Remove dependency on svrcore library

Stanislav Laznicka (1):
      PKIConnection: allow separation of client cert and pkey

Stanislav Levin (1):
      Fix version compare for sphinx python module

Timo Aaltonen (22):
      Merge branch 'upstream' into m-n
      Merge branch 'master' into master-next
      bump changelog
      watch: Updated, upstream provides proper tags now.
      copyright: Add Files-Excluded for tarball rebuild.
      patches: Drop fix-CVE-2017-7537.diff, refresh others.
      delete more binaries
      Merge branch 'upstream-next' into master-next
      use-usr-bin.diff: Replace with an upstreamed patch.
      refresh create-target-wants.diff
      bump changelog
      Drop fix-junit-jar.diff, add fix-jar-search.diff and modify debian- support.diff and rules to not hardcode distro-specific jar names.
      control: Add build-depends/depends
      rules: Use dh_missing, and drop creating links under subsys dirs as that is handled by CMake now.

More information about the Pkg-freeipa-devel mailing list