[Pkg-freeipa-devel] dogtag-pki: Changes to 'upstream'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed Feb 15 09:08:40 UTC 2017
CMakeLists.txt | 1
base/ca/shared/conf/logging.properties | 70 -
base/ca/src/CMakeLists.txt | 4
base/ca/src/com/netscape/ca/CertificateAuthority.java | 131 +-
base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java | 7
base/ca/src/com/netscape/ca/SigningUnit.java | 26
base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 2
base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java | 50
base/common/man/man5/pki-logging.5 | 94 +
base/common/python/pki/nssdb.py | 64 -
base/common/share/etc/logging.properties | 3
base/common/src/CMakeLists.txt | 4
base/common/src/com/netscape/certsrv/account/AccountInfo.java | 8
base/common/src/com/netscape/certsrv/apps/CMS.java | 5
base/common/src/com/netscape/certsrv/apps/ICMSEngine.java | 8
base/common/src/com/netscape/certsrv/base/ResourceMessage.java | 11
base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java | 2
base/common/src/com/netscape/certsrv/client/PKIConnection.java | 8
base/common/src/com/netscape/certsrv/client/SubsystemClient.java | 26
base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java | 6
base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java | 3
base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java | 4
base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java | 32
base/common/src/org/dogtagpki/tps/apdu/APDU.java | 3
base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java | 35
base/console/src/CMakeLists.txt | 5
base/java-tools/man/man1/CMCEnroll.1 | 570 ++++++++++
base/java-tools/man/man1/pki-cert.1 | 5
base/java-tools/man/man1/pki-pkcs12-cert.1 | 122 ++
base/java-tools/man/man1/pki-pkcs12-key.1 | 76 +
base/java-tools/man/man1/pki-pkcs12.1 | 114 ++
base/java-tools/src/CMakeLists.txt | 4
base/java-tools/src/com/netscape/cmstools/CMCEnroll.java | 13
base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 4
base/java-tools/src/com/netscape/cmstools/CMCRevoke.java | 11
base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 8
base/java-tools/src/com/netscape/cmstools/HttpClient.java | 2
base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 11
base/javadoc/CMakeLists.txt | 1
base/kra/shared/conf/logging.properties | 70 -
base/kra/src/CMakeLists.txt | 4
base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java | 30
base/ocsp/shared/conf/logging.properties | 70 -
base/ocsp/src/CMakeLists.txt | 4
base/ocsp/src/com/netscape/ocsp/SigningUnit.java | 44
base/server/cms/src/CMakeLists.txt | 4
base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java | 2
base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java | 22
base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java | 22
base/server/cms/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java | 22
base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java | 2
base/server/cms/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java | 11
base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java | 17
base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java | 15
base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java | 15
base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java | 2
base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 73 +
base/server/cms/src/com/netscape/cms/servlet/csadmin/GetCertChain.java | 21
base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java | 3
base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 1
base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java | 6
base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java | 4
base/server/cms/src/org/dogtagpki/server/rest/AccountService.java | 46
base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java | 2
base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 11
base/server/cms/src/org/dogtagpki/server/rest/UserService.java | 2
base/server/cmsbundle/src/LogMessages.properties | 2
base/server/cmscore/src/CMakeLists.txt | 4
base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 15
base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java | 2
base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java | 8
base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java | 117 --
base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java | 211 +++
base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java | 13
base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 18
base/server/etc/default.cfg | 54
base/server/man/man5/pki-server-logging.5 | 191 +++
base/server/man/man5/pki_default.cfg.5 | 2
base/server/python/pki/server/__init__.py | 3
base/server/python/pki/server/cli/subsystem.py | 74 -
base/server/python/pki/server/deployment/pkihelper.py | 16
base/server/python/pki/server/deployment/pkiparser.py | 33
base/server/python/pki/server/deployment/scriptlets/instance_layout.py | 23
base/server/sbin/pki-server-nuxwdog | 12
base/server/share/conf/log4j.properties | 45
base/server/share/conf/logging.properties | 24
base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 5
base/server/upgrade/10.3.5/02-FixDeploymentDescriptor | 110 +
base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36
base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress | 62 +
base/symkey/src/CMakeLists.txt | 4
base/symkey/src/com/netscape/symkey/CMakeLists.txt | 2
base/tks/shared/conf/logging.properties | 70 -
base/tks/src/CMakeLists.txt | 4
base/tps-client/src/CMakeLists.txt | 1
base/tps-client/src/apdu/Get_Lifecycle_APDU.cpp | 41
base/tps-client/src/include/apdu/APDU.h | 3
base/tps-client/src/include/apdu/Get_Lifecycle_APDU.h | 58 +
base/tps-client/src/main/ConfigStore.cpp | 2
base/tps-client/src/main/RollingLogFile.cpp | 2
base/tps-client/tools/raclient/RA_Conn.cpp | 14
base/tps-client/tools/raclient/RA_Token.cpp | 4
base/tps/shared/conf/CS.cfg | 36
base/tps/shared/conf/logging.properties | 70 -
base/tps/shared/webapps/tps/js/profile.js | 85 -
base/tps/shared/webapps/tps/js/tps.js | 132 ++
base/tps/shared/webapps/tps/ui/index.html | 60 -
base/tps/shared/webapps/tps/ui/user-certs.html | 2
base/tps/src/CMakeLists.txt | 4
base/tps/src/org/dogtagpki/server/tps/TPSAccountService.java | 80 +
base/tps/src/org/dogtagpki/server/tps/TPSTokenPolicy.java | 8
base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 109 -
base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java | 48
base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java | 45
base/tps/src/org/dogtagpki/server/tps/dbs/TokenCertStatus.java | 43
base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java | 15
base/tps/src/org/dogtagpki/server/tps/main/ExternalRegAttrs.java | 35
base/tps/src/org/dogtagpki/server/tps/main/ExternalRegCertToRecover.java | 27
base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java | 3
base/tps/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java | 32
base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java | 337 ++++-
base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java | 34
base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 54
base/tps/src/org/dogtagpki/server/tps/rest/TPSApplication.java | 4
base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java | 2
base/util/src/CMakeLists.txt | 8
base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 23
base/util/src/netscape/security/pkcs/PKCS12.java | 6
base/util/src/netscape/security/x509/AlgorithmId.java | 41
specs/pki-console.spec | 10
specs/pki-core.spec | 364 +++++-
131 files changed, 3726 insertions(+), 1354 deletions(-)
New commits:
commit 47e65f8e69d88340586203f89fdf85ce8aa77035
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Tue Jan 31 20:02:45 2017 -0700
Checked-in under trivial file fix.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index dbf529c..14e6624 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -257,6 +257,7 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
#Patch35: pki-core-slf4j-api.patch
#Patch36: pki-core-javadoc-special-characters.patch
#Patch37: pki-core-reset-cert-status-after-successful-unrevoke.patch
+#Patch38: pki-core-cast-char-ptr-to-const-char-ptr-in-cpp-files.patch
@@ -933,6 +934,7 @@ This package is a part of the PKI Core used by the Certificate System.
#%patch35 -p1
#%patch36 -p1
#%patch37 -p1
+#%patch38 -p1
%clean
%{__rm} -rf %{buildroot}
commit 97509c5a496178a61bf1f34d5cced030a9fbf473
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Tue Jan 31 19:56:47 2017 -0700
Cast 'char *' to 'const char *' in C++ files.
(cherry picked from commit 30e5295d75edd79f30f3c24b7d5576109de02b3d)
diff --git a/base/tps-client/src/main/ConfigStore.cpp b/base/tps-client/src/main/ConfigStore.cpp
index e526b40..f91fb2c 100644
--- a/base/tps-client/src/main/ConfigStore.cpp
+++ b/base/tps-client/src/main/ConfigStore.cpp
@@ -758,7 +758,7 @@ TPS_PUBLIC int ConfigStore::Commit(const bool backup, char *error_msg, int len)
if (strrchr(m_cfg_file_path, '/') != NULL) {
PR_snprintf((char *) basename, 256, "%s", strrchr(m_cfg_file_path, '/') +1);
PR_snprintf((char *) dirname, PL_strlen(m_cfg_file_path) - PL_strlen(basename), "%s", m_cfg_file_path);
- PL_strcat(dirname, '\0');
+ PL_strcat(dirname, (const char *) '\0');
} else {
PR_snprintf((char *) basename, 256, "%s", m_cfg_file_path);
PR_snprintf((char *) dirname, 256, ".");
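Review bot: The cast on the replacement line converts the character literal '\0' (value zero) into a null pointer, so `PL_strcat(dirname, (const char *) '\0');` now passes NULL as the source string; as far as I can tell from NSPR's PL_strcat contract that makes the call a no-op, so the change silences the compiler without giving the statement a purpose. The PR_snprintf call two lines above already NUL-terminates dirname within the size it is given, so the cleanest fix is to delete the PL_strcat line rather than cast it; if a reviewer believes termination is still needed, that belief should be written down as a comment on the line, not hidden in a cast. The identical line appears in the RollingLogFile.cpp hunk below and should get the same treatment. ConfigStore::Commit starts and ends outside the hunk.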
diff --git a/base/tps-client/src/main/RollingLogFile.cpp b/base/tps-client/src/main/RollingLogFile.cpp
index 692a943..699dcb9 100644
--- a/base/tps-client/src/main/RollingLogFile.cpp
+++ b/base/tps-client/src/main/RollingLogFile.cpp
@@ -400,7 +400,7 @@ void RollingLogFile::expire() {
if (strrchr(m_fname, '/') != NULL) {
PR_snprintf((char *) basename, 256, "%s", strrchr(m_fname, '/') +1);
PR_snprintf((char *) dirname, PL_strlen(m_fname) - PL_strlen(basename), "%s", m_fname);
- PL_strcat(dirname, '\0');
+ PL_strcat(dirname, (const char *) '\0');
} else {
PR_snprintf((char *) basename, 256, "%s", m_fname);
PR_snprintf((char *) dirname, 256, ".");
commit e39c08043a321d2a76011abe369c96216f127f6e
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Tue Jan 31 16:20:57 2017 -0700
Updated pki-core spec file for 10.3.5-11.
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index e22eb0c..dbf529c 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -65,7 +65,7 @@
Name: pki-core
Version: 10.3.5
-Release: 9%{?dist}
+Release: 11%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -246,6 +246,18 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
#Patch25: pki-core-TPS-UI-target-agent-approve-list.patch
#Patch26: pki-core-TPS-tokendb-encryption-cert-automatic-recovery.patch
#Patch27: pki-core-TPS-format-G-and-D-cards.patch
+## pki-core-10.3.5-11
+#Patch28: pki-core-replace-default-AJP-hostname-with-localhost.patch
+#Patch29: pki-core-added-global-TCP-Keep-Alive-option.patch
+#Patch30: pki-core-added-upgrade-script-to-update-AJP-localhost.patch
+#Patch31: pki-core-fixed-problem-searching-for-latest-cert-req.patch
+#Patch32: pki-core-omit-parameter-field-from-ECDSA-certs-Alg-IDs.patch
+#Patch33: pki-core-added-option-to-remove-signing-cert-entry.patch
+#Patch34: pki-core-use-BigInteger-for-entryUSN.patch
+#Patch35: pki-core-slf4j-api.patch
+#Patch36: pki-core-javadoc-special-characters.patch
+#Patch37: pki-core-reset-cert-status-after-successful-unrevoke.patch
+
# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
@@ -911,6 +923,16 @@ This package is a part of the PKI Core used by the Certificate System.
#%patch25 -p1
#%patch26 -p1
#%patch27 -p1
+#%patch28 -p1
+#%patch29 -p1
+#%patch30 -p1
+#%patch31 -p1
+#%patch32 -p1
+#%patch33 -p1
+#%patch34 -p1
+#%patch35 -p1
+#%patch36 -p1
+#%patch37 -p1
%clean
%{__rm} -rf %{buildroot}
@@ -1416,6 +1438,11 @@ systemctl daemon-reload
%endif # %{with server}
%changelog
+* Tue Jan 31 2017 Dogtag Team <pki-devel at redhat.com> 10.3.5-11
+
+* Thu Dec 22 2016 Miro Hrončok <mhroncok at redhat.com> - 10.3.5-10
+- Rebuild for Python 3.6 (Fedora 26)
+
* Tue Dec 13 2016 Dogtag Team <pki-devel at redhat.com> 10.3.5-9
- PKI TRAC Ticket #1517 - user-cert-add --serial CLI request to secure port
with remote CA shows authentication failure (edewata)
commit 423c986c57a0baacf1dc8d817dc8b356b9cf0d06
Author: Endi S. Dewata <edewata at redhat.com>
Date: Tue Jan 24 22:00:12 2017 +0100
Fixed Javadoc failure caused by HTML special characters.
The CMSTemplate has been fixed to escape HTML special characters
in method documentation.
(cherry picked from commit 8c6707f1117e56c68d147e0b37c018efa3c81fb2)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
index ba4e840..fe5a14b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
@@ -343,7 +343,7 @@ public class CMSTemplate extends CMSFile {
/**
* Escape the contents of src string in preparation to be enclosed in
- * double quotes as a JavaScript String Literal within an <script>
+ * double quotes as a JavaScript String Literal within an <script>
* portion of an HTML document.
* stevep - performance improvements - about 4 times faster than before.
*/
commit eab6f76739e575f8d7a7fb9da7c1e6de3c8e3bfa
Author: Endi S. Dewata <edewata at redhat.com>
Date: Tue Jan 24 21:42:58 2017 +0100
Fixed missing SLF4J in Javadoc classpath.
The CMake script for Javadoc has been fixed to include the missing
SLF4J library in the class path.
(cherry picked from commit 69cfd4328504ee78646bb34a551ef5d711ea3f18)
diff --git a/base/javadoc/CMakeLists.txt b/base/javadoc/CMakeLists.txt
index 1341935..a71270c 100644
--- a/base/javadoc/CMakeLists.txt
+++ b/base/javadoc/CMakeLists.txt
@@ -88,6 +88,7 @@ javadoc(pki-javadoc
com.netscape.cmsutil
org.dogtagpki
CLASSPATH
+ ${SLF4J_API_JAR}
${XALAN_JAR} ${XERCES_JAR}
${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
commit 10b07027a8ff4bf60e4d3b7a0d6a47e8eccab19c
Author: Christina Fu <cfu at dhcp-16-189.sjc.redhat.com>
Date: Wed Jan 4 11:20:06 2017 -0800
Ticket #2534 (additional) - reset cert status after successful unrevoke
(cherry picked from commit c1656bd16dfca8bb5eef4436ee64b95daaac70c8)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java b/base/tps/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java
index 35793c7..9395001 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/EnrolledCertsInfo.java
@@ -163,6 +163,10 @@ public class EnrolledCertsInfo {
certStatuses.add(status);
}
+ public void setCertStatus(int index, TokenCertStatus status) {
+ certStatuses.set(index, status);
+ }
+
public void setStartProgress(int startP) {
startProgress = startP;
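Review bot: `setCertStatus` forwards straight to `List.set`, which throws IndexOutOfBoundsException when `index` has not already been populated, and the only caller this commit shows (the TPSEnrollProcessor hunk below) invokes it from a `try` that catches `EBaseException` only, so an out-of-range `actualCertIndex` would escape that handler; whether the slot is always populated by that point depends on code outside the hunk. At minimum document the precondition with a Javadoc such as `/** Replaces the status stored at {@code index}; the slot must already exist (see addCertStatus). @throws IndexOutOfBoundsException if index is out of range */`, or guard it with `if (index < 0 || index >= certStatuses.size()) throw new IllegalArgumentException("no cert status at index " + index);`. The rest of EnrolledCertsInfo lies outside the hunk.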
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 64cc571..aba0e99 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -1960,7 +1960,8 @@ public class TPSEnrollProcessor extends TPSProcessor {
auditRevoke(certToRecover.getTokenID(), false /*off-hold*/, -1 /*na*/,
String.valueOf(response.getStatus()), serialToRecover, caConnId, null);
// successful unrevoke should mark the cert "active"
- certsInfo.addCertStatus(TokenCertStatus.ACTIVE);
+ CMS.debug(method + ": unrevoke successful. Setting cert status to active for actualCertIndex:" + actualCertIndex);
+ certsInfo.setCertStatus(actualCertIndex, TokenCertStatus.ACTIVE);
} catch (EBaseException e) {
logMsg = "failed getting CARemoteRequestHandler";
CMS.debug(method + ":" + logMsg);
commit 7727940c7f43161d5a7597756cf01f159b2a72d8
Author: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon Jan 23 17:11:26 2017 +1000
Use BigInteger for entryUSN
Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type. If entryUSN value is too large to fit in
'int', NumberFormatException is raised.
Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.
Fixes: https://fedorahosted.org/pki/ticket/2579
(cherry picked from commit 79c6d70a8434cf52f9bac8bfa0367876baccb054)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index ae90d3a..9b2ba03 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -333,7 +333,7 @@ public class CertificateAuthority
/* Maps and sets of entryUSNs and nsUniqueIds for avoiding race
* conditions and unnecessary reloads related to replication */
- private static TreeMap<AuthorityID,Integer> entryUSNs = new TreeMap<>();
+ private static TreeMap<AuthorityID,BigInteger> entryUSNs = new TreeMap<>();
private static TreeMap<AuthorityID,String> nsUniqueIds = new TreeMap<>();
private static TreeSet<String> deletedNsUniqueIds = new TreeSet<>();
@@ -2904,7 +2904,7 @@ public class CertificateAuthority
LDAPAttribute attr = entry.getAttribute("entryUSN");
if (attr != null) {
- Integer entryUSN = new Integer(attr.getStringValueArray()[0]);
+ BigInteger entryUSN = new BigInteger(attr.getStringValueArray()[0]);
entryUSNs.put(aid, entryUSN);
CMS.debug("postCommit: new entryUSN = " + entryUSN);
}
@@ -3270,7 +3270,7 @@ public class CertificateAuthority
return;
}
- Integer newEntryUSN = null;
+ BigInteger newEntryUSN = null;
LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
if (entryUSNAttr == null) {
CMS.debug("readAuthority: no entryUSN");
@@ -3287,14 +3287,14 @@ public class CertificateAuthority
// entryUSN attribute being added.
}
} else {
- newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
+ newEntryUSN = new BigInteger(entryUSNAttr.getStringValueArray()[0]);
CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
}
- Integer knownEntryUSN = entryUSNs.get(aid);
+ BigInteger knownEntryUSN = entryUSNs.get(aid);
if (newEntryUSN != null && knownEntryUSN != null) {
CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
- if (newEntryUSN <= knownEntryUSN) {
+ if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
CMS.debug("readAuthority: data is current");
return;
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 6dea1a0..348a9ab 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -19,6 +19,7 @@ package com.netscape.cmscore.profile;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
+import java.math.BigInteger;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.LinkedHashMap;
@@ -64,7 +65,7 @@ public class LDAPProfileSubsystem
/* Map of profileId -> entryUSN for the most recent view
* of the profile entry that this instance has seen */
- private TreeMap<String,Integer> entryUSNs;
+ private TreeMap<String,BigInteger> entryUSNs;
private TreeMap<String,String> nsUniqueIds;
@@ -149,14 +150,14 @@ public class LDAPProfileSubsystem
}
profileId = LDAPDN.explodeDN(dn, true)[0];
- Integer newEntryUSN = new Integer(
+ BigInteger newEntryUSN = new BigInteger(
ldapProfile.getAttribute("entryUSN").getStringValueArray()[0]);
CMS.debug("readProfile: new entryUSN = " + newEntryUSN);
- Integer knownEntryUSN = entryUSNs.get(profileId);
+ BigInteger knownEntryUSN = entryUSNs.get(profileId);
if (knownEntryUSN != null) {
CMS.debug("readProfile: known entryUSN = " + knownEntryUSN);
- if (newEntryUSN <= knownEntryUSN) {
+ if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
CMS.debug("readProfile: data is current");
return;
}
@@ -327,10 +328,10 @@ public class LDAPProfileSubsystem
return;
}
- Integer entryUSN = null;
+ BigInteger entryUSN = null;
LDAPAttribute attr = entry.getAttribute("entryUSN");
if (attr != null)
- entryUSN = new Integer(attr.getStringValueArray()[0]);
+ entryUSN = new BigInteger(attr.getStringValueArray()[0]);
entryUSNs.put(id, entryUSN);
CMS.debug("commitProfile: new entryUSN = " + entryUSN);
commit 42bc6fc8eeef3c8bea036a7fc327696983dcf17c
Author: Ade Lee <alee at redhat.com>
Date: Fri Jan 20 11:01:41 2017 -0500
Add option to remove signing cert entry
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
(cherry picked from commit 049a4e3e09328bfcdff62dc189ad95917647fb22)
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
index 3c7e483..309f68d 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
@@ -24,8 +24,7 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.util.StringTokenizer;
-import netscape.ldap.LDAPAttribute;
-
+import org.apache.commons.lang.StringUtils;
import org.dogtagpki.server.rest.SystemConfigService;
import com.netscape.certsrv.apps.CMS;
@@ -41,6 +40,10 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
import com.netscape.cmscore.base.LDAPConfigStore;
import com.netscape.cmscore.profile.LDAPProfileSubsystem;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+
/**
* @author alee
*
@@ -93,6 +96,19 @@ public class CAInstallerService extends SystemConfigService {
CMS.debug(e);
throw new PKIException("Error enabling profile subsystem");
}
+
+ if (! request.createSigningCertRecord()) {
+ // This is the migration case. In this case, we will delete the
+ // record that was created during the install process.
+
+ try {
+ String serialNumber = request.getSigningCertSerialNumber();
+ deleteSigningRecord(serialNumber);
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new PKIException("Error deleting signing cert record:" + e, e);
+ }
+ }
}
@Override
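Review bot: `if (! request.createSigningCertRecord())` unboxes a `Boolean` that the ConfigurationRequest hunk below declares as a plain nullable field with no default, so a configuration request that omits `createSigningCertRecord` (any client older than this change) fails with a NullPointerException at this point of CA configuration instead of taking the default path. Since default.cfg sets `pki_ca_signing_record_create=True`, absence should mean "keep the record"; write the check as `if (Boolean.FALSE.equals(request.createSigningCertRecord())) {`. The enclosing method starts outside the hunk.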
@@ -189,9 +205,37 @@ public class CAInstallerService extends SystemConfigService {
configStore.commit(false /* no backup */);
}
+ private void deleteSigningRecord(String serialNumber) throws EBaseException, LDAPException {
+
+ if (StringUtils.isEmpty(serialNumber)) {
+ throw new PKIException("signing certificate serial number not specified in configuration request");
+ }
+
+ LDAPConnection conn = null;
+ try {
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("CAInstallerService");
+ dbFactory.init(dbCfg);
+ conn = dbFactory.getConn();
+
+ String basedn = dbCfg.getString("basedn", "");
+ String dn = "cn=" + serialNumber + ",ou=certificateRepository,ou=ca," + basedn;
+
+ conn.delete(dn);
+ } finally {
+ try {
+ if (conn != null)
+ conn.disconnect();
+ } catch (LDAPException e) {
+ CMS.debug(e);
+ CMS.debug("releaseConnection: " + e);
+ }
+ }
+ }
+
private void configureStartingCRLNumber(ConfigurationRequest data) {
CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
- cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
+ cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber());
}
private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
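Review bot: `deleteSigningRecord` builds the DN by string concatenation, and `serialNumber` arrives unvalidated from the configuration request (the pkihelper.py hunk forwards `pki_ca_signing_serial_number` after lowercasing it), so a value containing DN metacharacters such as `,` or `+` would address a different entry than intended rather than fail; the only check is `StringUtils.isEmpty`. Reject anything that is not a plain serial before composing the DN, e.g. `if (!serialNumber.matches("[0-9]+")) throw new PKIException("invalid signing certificate serial number: " + serialNumber);` (widen the pattern if hexadecimal input is meant to be accepted, which the lowercasing in pkihelper hints at), and log the DN that is about to be deleted with `CMS.debug("deleteSigningRecord: deleting " + dn);`. The `finally` block also logs the same exception twice (`CMS.debug(e)` followed by `CMS.debug("releaseConnection: " + e)`); one of the two is enough. The connection factory obtained from `CMS.getLdapBoundConnFactory` is initialised on every call and never released; if that factory type offers a return/release method, using it instead of `disconnect()` would be the more conventional cleanup, but its API is not shown here.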
diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
index cd9d3c8..5d69200 100644
--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
@@ -237,6 +237,12 @@ public class ConfigurationRequest {
@XmlElement
protected String startingCRLNumber;
+ @XmlElement
+ protected Boolean createSigningCertRecord;
+
+ @XmlElement
+ protected String signingCertSerialNumber;
+
public ConfigurationRequest() {
// required for JAXB
}
@@ -943,6 +949,30 @@ public class ConfigurationRequest {
this.startingCRLNumber = startingCRLNumber;
}
+ public String getIsClone() {
+ return isClone;
+ }
+
+ public void setIsClone(String isClone) {
+ this.isClone = isClone;
+ }
+
+ public Boolean createSigningCertRecord() {
+ return createSigningCertRecord;
+ }
+
+ public void setCreateSigningCertRecord(Boolean createSigningCertRecord) {
+ this.createSigningCertRecord = createSigningCertRecord;
+ }
+
+ public String getSigningCertSerialNumber() {
+ return signingCertSerialNumber;
+ }
+
+ public void setSigningCertSerialNumber(String signingCertSerialNumber) {
+ this.signingCertSerialNumber = signingCertSerialNumber;
+ }
+
@Override
public String toString() {
return "ConfigurationRequest [pin=XXXX" +
@@ -1007,6 +1037,8 @@ public class ConfigurationRequest {
", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
", reindexData=" + reindexData +
", startingCrlNumber=" + startingCRLNumber +
+ ", createSigningCertRecord=" + createSigningCertRecord +
+ ", signingCertSerialNumber=" + signingCertSerialNumber +
"]";
}
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f35b6a7..b3e056a 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -291,6 +291,8 @@ pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
+pki_ca_signing_record_create=True
+pki_ca_signing_serial_number=1
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ca_signing_token=
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f20daa1..ad76aad 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4097,6 +4097,12 @@ class ConfigClient:
# Misc CA parameters
if self.subsystem == "CA":
data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
+ data.createSigningCertRecord = (
+ self.mdict['pki_ca_signing_record_create'].lower()
+ )
+ data.signingCertSerialNumber = (
+ self.mdict['pki_ca_signing_serial_number'].lower()
+ )
return data
commit 1e567854e643f50a7ca1f24daac0e92359eafe81
Author: Christina Fu <cfu at dhcp-16-189.sjc.redhat.com>
Date: Fri Jan 20 16:01:17 2017 -0800
Ticket #1741 ECDSA certs Alg IDs contian parameter field
Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
Note: Since we do not support DSA, this patch does not attempt to address them.
Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness. However, it does not attempt to offer it as part of the signing algorithms.
(cherry picked from commit 76ca6d1691e56274945b6f03760273208fafd791)
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
index 08c9c4f..a89843e 100644
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
@@ -230,10 +230,18 @@ public class AlgorithmId implements Serializable, DerEncoder {
try (DerOutputStream tmp = new DerOutputStream()) {
DerOutputStream bytes = new DerOutputStream();
bytes.putOID(algid);
- if (params == null)
- bytes.putNull();
- else
- bytes.putDerValue(params);
+
+ // omit parameter field for ECDSA
+ if (!algid.equals(sha224WithEC_oid) &&
+ !algid.equals(sha256WithEC_oid) &&
+ !algid.equals(sha384WithEC_oid) &&
+ !algid.equals(sha512WithEC_oid)) {
+ if (params == null) {
+ bytes.putNull();
+ } else
+ bytes.putDerValue(params);
+ }
+
tmp.write(DerValue.tag_Sequence, bytes);
out.write(tmp.toByteArray());
}
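Review bot: The four-OID "omit parameter field" check is copied verbatim into both `derEncode` (this hunk) and `encode` (the next hunk), so the two encoders can drift apart the next time an algorithm is added; extract it into one private predicate and call it from both places. RFC 5758 §3.2 is the source for the SHA-2 variants, but RFC 3279 §2.2.3 imposes the same rule on ecdsa-with-SHA1, and `sha1WithEC_oid` is still handled by `get()` further down the file, so if SHA1withEC remains a supported signing algorithm the check should cover it as well. While there, the inline `if (params == null) { ... } else bytes.putDerValue(params);` mixes braced and unbraced branches; brace both.
```java
    /**
     * Returns true when the AlgorithmIdentifier for {@code oid} must be
     * encoded without a parameters field: RFC 5758 section 3.2 for the
     * ECDSA-with-SHA-2 identifiers and RFC 3279 section 2.2.3 for
     * ecdsa-with-SHA1.
     */
    private static boolean omitsParameters(ObjectIdentifier oid) {
        return oid.equals(sha1WithEC_oid)
                || oid.equals(sha224WithEC_oid)
                || oid.equals(sha256WithEC_oid)
                || oid.equals(sha384WithEC_oid)
                || oid.equals(sha512WithEC_oid);
    }

    // in derEncode() and encode(), replacing the inline OID comparison chain:
            bytes.putOID(algid);
            if (!omitsParameters(algid)) {
                if (params == null) {
                    bytes.putNull();
                } else {
                    bytes.putDerValue(params);
                }
            }
            // … unchanged: wrap in SEQUENCE and write out …
```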
@@ -246,12 +254,19 @@ public class AlgorithmId implements Serializable, DerEncoder {
public final byte[] encode() throws IOException {
try (DerOutputStream out = new DerOutputStream()) {
DerOutputStream bytes = new DerOutputStream();
-
bytes.putOID(algid);
- if (params == null)
- bytes.putNull();
- else
- bytes.putDerValue(params);
+
+ // omit parameter field for ECDSA
+ if (!algid.equals(sha224WithEC_oid) &&
+ !algid.equals(sha256WithEC_oid) &&
+ !algid.equals(sha384WithEC_oid) &&
+ !algid.equals(sha512WithEC_oid)) {
+ if (params == null) {
+ bytes.putNull();
+ } else
+ bytes.putDerValue(params);
+ }
+
out.write(DerValue.tag_Sequence, bytes);
return out.toByteArray();
}
@@ -314,6 +329,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
if (name.equals("SHA1withEC") || name.equals("SHA1/EC")
|| name.equals("1.2.840.10045.4.1"))
return AlgorithmId.sha1WithEC_oid;
+ if (name.equals("SHA224withEC") || name.equals("SHA224/EC")
+ || name.equals("1.2.840.10045.4.3.1"))
+ return AlgorithmId.sha224WithEC_oid;
if (name.equals("SHA256withEC") || name.equals("SHA256/EC")
|| name.equals("1.2.840.10045.4.3.2"))
return AlgorithmId.sha256WithEC_oid;
@@ -646,6 +664,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
*/
private static final int sha1WithEC_data[] =
{ 1, 2, 840, 10045, 4, 1 };
+ private static final int sha224WithEC_data[] =
+ { 1, 2, 840, 10045, 4, 3, 1 };
private static final int sha256WithEC_data[] =
{ 1, 2, 840, 10045, 4, 3, 2 };
private static final int sha384WithEC_data[] =
@@ -676,6 +696,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
public static final ObjectIdentifier sha1WithEC_oid = new
ObjectIdentifier(sha1WithEC_data);
+ public static final ObjectIdentifier sha224WithEC_oid = new
+ ObjectIdentifier(sha224WithEC_data);
+
public static final ObjectIdentifier sha256WithEC_oid = new
ObjectIdentifier(sha256WithEC_data);
commit 196ae21e55a3210ef9db1ad6b8c84d64d4d1959e
Author: Endi S. Dewata <edewata at redhat.com>
Date: Thu Jan 26 23:38:53 2017 +0100
Fixed problem searching the latest certificate request.
Previously if a certificate request page only has one entry the
entry itself will be removed from the page, resulting in a blank
page.
The QueryReq.trim() has been modified not to remove the marker
entry if it's the only entry in the page.
https://fedorahosted.org/pki/ticket/2450
(cherry picked from commit 755fb2834d22131628ad1929c1bd4b1cd7592203)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
index d05da10..376349b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
@@ -503,6 +503,12 @@ public class QueryReq extends CMSServlet {
*/
private void trim(Vector<IRequest> v, RequestId marker) {
int i = v.size() - 1;
+
+ if (i == 0) {
+ // do not remove the only element in the list
+ return;
+ }
+
if (v.elementAt(i).getRequestId().toString().equals(
marker.toString())) {
v.remove(i);
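Review bot: The new guard at the top of trim() returns only when the vector has exactly one element; for an empty vector i is -1 and the following statement still calls v.elementAt(-1), which throws ArrayIndexOutOfBoundsException. Unless every caller guarantees a non-empty page (not visible here), the guard should be `if (i <= 0) {` with the comment widened to `// nothing to trim: empty page, or the marker is the only entry`. trim()'s body continues past the end of the hunk.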
commit 6b8c54d29cfc4f448566f50cb27a40eda07052ca
Author: Endi S. Dewata <edewata at redhat.com>
Date: Thu Jan 19 21:43:24 2017 +0100
Added upgrade script to update AJP loopback address.
An upgrade script has been added to replace IPv4- and IPv6-specific
AJP loopback address with a more generic "localhost" in existing
instances.
https://fedorahosted.org/pki/ticket/2570
(cherry picked from commit cb839206d6c1d562e2e4385f6822c7934e9455c6)
diff --git a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
new file mode 100755
index 0000000..b7d5c0e
--- /dev/null
+++ b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
@@ -0,0 +1,62 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import os
+from lxml import etree
+
+import pki
+
+
+class UpdateAJPLoopbackAddress(
+ pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(UpdateAJPLoopbackAddress, self).__init__()
+ self.message = 'Update AJP loopback address'
+
+ self.parser = etree.XMLParser(remove_blank_text=True)
+
+ def upgrade_instance(self, instance):
+
+ server_xml = os.path.join(instance.conf_dir, 'server.xml')
+ self.backup(server_xml)
+
+ document = etree.parse(server_xml, self.parser)
+
+ server = document.getroot()
+ connectors = server.findall('.//Connector')
+
+ # replace IPv4- or IPv6-specific AJP loopback address with localhost
+ for connector in connectors:
+
+ protocol = connector.get('protocol')
+ if protocol != 'AJP/1.3':
+ continue
+
+ address = connector.get('address')
+ if address != '127.0.0.1' and address != '::1':
+ continue
+
+ connector.set('address', 'localhost')
+
+ with open(server_xml, 'wb') as f:
+ document.write(f, pretty_print=True, encoding='utf-8')
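Review bot: upgrade_instance rewrites server.xml unconditionally — the backup, parse and pretty-printed write happen even when no AJP connector matched, so every instance gets its server.xml reformatted by this upgrade. Tracking whether any connector was touched (`changed = True` next to `connector.set('address', 'localhost')`) and returning before the write when nothing changed would keep untouched instances byte-identical. Separately, the scriptlet reaches pki.server.upgrade through a bare `import pki`, which only resolves if the upgrade framework has already imported that submodule; an explicit `import pki.server.upgrade` would not depend on import order.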
commit 4252656c27f230a5198a01a6085dad4b8e4df59f
Author: Endi S. Dewata <edewata at redhat.com>
Date: Sat Jan 7 02:32:47 2017 +0100
Added global TCP Keep-Alive option.
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All code that creates LDAP connections has been modified to use
PKISocketFactory so that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
(cherry picked from commit b3ee1c28f658a70468c5a5fcf3cb4840574be756)
diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index bc82a98..907b5bb 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -91,6 +91,7 @@ import com.netscape.cmsutil.password.IPasswordStore;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.ldap.LDAPSocketFactory;
import netscape.security.util.ObjectIdentifier;
import netscape.security.x509.Extension;
import netscape.security.x509.GeneralName;
@@ -1345,6 +1346,10 @@ public final class CMS {
return _engine.getLdapJssSSLSocketFactory();
}
+ public static LDAPSocketFactory getLDAPSocketFactory(boolean secure) {
+ return _engine.getLDAPSocketFactory(secure);
+ }
+
/**
* Creates a LDAP Auth Info object.
*
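Review bot: The new static getLDAPSocketFactory(boolean secure) carries no Javadoc, while the neighbouring CMS facade methods (the getLdapAuthInfo block right after it) document their contracts. A one-liner such as `/** Returns the engine's LDAP socket factory; secure selects an SSL factory over a plain one. */` above the method would keep the facade consistent.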
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index f781c41..7cf73fa 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -75,6 +75,7 @@ import com.netscape.cmsutil.password.IPasswordStore;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.ldap.LDAPSocketFactory;
import netscape.security.util.ObjectIdentifier;
import netscape.security.x509.Extension;
import netscape.security.x509.GeneralName;
@@ -648,6 +649,13 @@ public interface ICMSEngine extends ISubsystem {
public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory();
/**
+ * Creates an LDAP socket factory.
+ *
+ * @return LDAP SSL socket factory
+ */
+ public LDAPSocketFactory getLDAPSocketFactory(boolean secure);
+
+ /**
* Creates a LDAP Auth Info object.
*
* @return LDAP authentication info
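Review bot: The Javadoc on the new getLDAPSocketFactory declares `@return LDAP SSL socket factory`, but the method takes a `secure` flag and, per the commit description, yields a plain or secure factory accordingly; the `secure` parameter is also undocumented. Suggest `* @param secure true for an SSL socket factory, false for a plain socket factory` and `* @return LDAP socket factory`.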
diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
index f740ef3..c7f818a 100644
--- a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
@@ -22,6 +22,15 @@ import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Vector;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.ELdapServerDownException;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.publish.ILdapPublisher;
+
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPEntry;
@@ -32,15 +41,6 @@ import netscape.ldap.LDAPSSLSocketFactoryExt;
import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPv2;
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.base.IExtendedPluginInfo;
-import com.netscape.certsrv.ldap.ELdapException;
-import com.netscape.certsrv.ldap.ELdapServerDownException;
-import com.netscape.certsrv.logging.ILogger;
-import com.netscape.certsrv.publish.ILdapPublisher;
-
/**
* Interface for publishing a CA certificate to
*
@@ -179,9 +179,11 @@ public class LdapCaCertPublisher
int portVal = Integer.parseInt(port);
int version = Integer.parseInt(mConfig.getString("version", "2"));
String cert_nick = mConfig.getString("clientCertNickname", null);
- LDAPSSLSocketFactoryExt sslSocket = null;
+ LDAPSSLSocketFactoryExt sslSocket;
if (cert_nick != null) {
sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick);
+ } else {
+ sslSocket = CMS.getLdapJssSSLSocketFactory();
}
String mgr_dn = mConfig.getString("bindDN", null);
String mgr_pwd = mConfig.getString("bindPWD", null);
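Review bot: With the `= null` initializer removed and the new else branch, a publisher configured without clientCertNickname now always receives an SSL socket factory where it previously passed null, and the commit description does not call out this behavioural change for this class. Whether the connection code that consumes sslSocket — outside the hunk — treated null as a plain connection is not visible here; if it did, this should be confirmed against a publisher targeting a non-TLS directory. The enclosing method continues beyond the hunk.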
diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
index 80ffa3c..64df143 100644
--- a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
@@ -22,6 +22,15 @@ import java.security.cert.X509CRL;
import java.util.Locale;
import java.util.Vector;