[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 205 commits: Fixed Servlet API dependency

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 23 07:13:47 BST 2018

Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki

7b9aa323 by Endi S. Dewata at 2018-05-04T13:48:13Z
Fixed Servlet API dependency

The pki-tools package has been modified to depend on Servlet
API 4.0 package provided by Tomcat 9 on Fedora 29.

Change-Id: I6228fd86b5594c862a2c5285b6ca80ee6322c96d

- - - - -
a690f291 by Endi S. Dewata at 2018-05-04T16:07:14Z
Updated version number to 10.6.1-2

Change-Id: I8b4bde7bd9c73e7dde56584a43bc2af9a9454aa9

- - - - -
c0709155 by Endi S. Dewata at 2018-05-04T16:37:31Z
Fixed some rpmlint warnings

Change-Id: If496da802b68a8f25ddbea905d3b5a5905d849dd

- - - - -
b01ca991 by Endi S. Dewata at 2018-05-04T19:57:42Z
Fixed build order

The build.sh has been modified to build the RPM sources first
before the RPM spec file.

Change-Id: I6aa15251bab28ce443a6e3334011c76db1e4c7bf

- - - - -
fbe9664c by Endi S. Dewata at 2018-05-04T20:01:17Z
Fixed empty patch generation

The build.sh has been modified to prevent generating empty
patch file if there are no new commits since the specified
source tag.

Change-Id: Ica76a4709b05778b79174ec1dd7ecdfabb47033d

- - - - -
4f176a79 by Endi S. Dewata at 2018-05-05T03:16:32Z
Simplified CMake parameters

The spec templates have been modified to use a cleaner way to
construct some CMake parameter values from RPM macros.

Change-Id: Ib033404f47d83975d0e11995ca626cdf01f56aa5

- - - - -
6a7067b5 by Endi S. Dewata at 2018-05-05T04:44:25Z
Simplified CMake parameters (part 2)

The spec templates have been modified to use a cleaner way to
construct some CMake parameter values from RPM macros.

Change-Id: Ib220b16fcc5479c5124838006273f6b00fb80a16

- - - - -
0e8dfcec by Endi S. Dewata at 2018-05-07T16:01:14Z
Cleaned up sed commands in build.sh

The build.sh has been modified to concatenate the sed commands
into a single string then execute it only once.

Change-Id: Ibf93bc69bb1e26e435c3668eb456d9ba75ffa9fa

- - - - -
1e211fd2 by Endi S. Dewata at 2018-05-07T18:00:22Z
Generating spec with hard-coded test option

The build.sh has been modified to hard-code the test option
so the SRPM can be rebuilt with the same option.

Change-Id: I62ee5c2954a0f648b04ffd98c2cf3b3a0f602425

- - - - -
59796de3 by Endi S. Dewata at 2018-05-07T18:12:25Z

The PKI_NSS_DB_TYPE build parameter has been renamed to
NSS_DEFAULT_DB_TYPE for consistency.

Change-Id: I756f64ad3288c621620cc1aa98c2a60e1c7b4339

- - - - -
ff827730 by Endi S. Dewata at 2018-05-07T18:39:04Z
Added nss_default_db_type macro

The spec templates have been modified to define the default NSS
database type in nss_default_db_type macro for clarity.

Change-Id: I07107cd23c8fb66f857595a8fa0b9444f4646afb

- - - - -
5c160ef4 by Endi S. Dewata at 2018-05-08T04:41:13Z
Added RPM build option for debug packages

The spec template has been modified to provide a --with/--without
option for debug packages.

Change-Id: Ieab171bd444be297f3e31b86525f6770098426af

- - - - -
c942f0d0 by Amol Kahat at 2018-05-08T05:48:20Z
Minor changes in audit.py and ca.py file.

Change-Id: I74f0167d8319505af4dbd9e2977478c42e818043
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
a843a5cd by Endi S. Dewata at 2018-05-08T15:58:17Z
Added package_option macro

The spec template has been simplified by wrapping the
bcond_with and bcond_without options for a package
with package_option macro.


Change-Id: I4e63b3bb47204296915af5e38bec2ff50c1975a4

- - - - -
1c836008 by Endi S. Dewata at 2018-05-09T00:25:06Z
Generating spec with hard-coded packages

The build.sh has been modified to hard-code the list of
packages to build into the spec file such that the SRPM
can be rebuilt to produce the same packages.


Change-Id: Icf8af29c601529bcaf45dce80cdf90d6107a04b4

- - - - -
2a3d006b by Endi S. Dewata at 2018-05-09T02:00:01Z
Updated build.sh to rebuild RPM from SRPM.

The build.sh has been modified to rebuild the RPM packages from
SRPM package that contains hard-coded options.


Change-Id: Ibe7dc700ca9b0c2ecfe07c1834aded8c8ff72a02

- - - - -
e7344dbb by Endi S. Dewata at 2018-05-13T11:11:19Z
Updated version number to 10.6.1-3

The spec templates have been modified to use the standard Tomcat
8.0 on F27 to simplify development.

Change-Id: Ia8f482a1600d7d93e544cf0f37c1ab2d3887c2bd

- - - - -
e2b0c192 by Endi S. Dewata at 2018-05-13T22:43:34Z
Fixed warnings in AdminConnection

Change-Id: Ief9eba0a554e9e447a25da5712d50e62384e4208

- - - - -
79e135f5 by Endi S. Dewata at 2018-05-13T22:59:16Z
Fixed warnings in CMSAdmin

Change-Id: I7e4851093ff8a4c5d2ae056d00fa8a9d8b1c3125

- - - - -
067bace3 by Endi S. Dewata at 2018-05-14T00:45:00Z
Updated loggers in CAInstallerService

Change-Id: I4e9d089126f9cbc2736465e59d652b768c6bcf79

- - - - -
16334542 by Endi S. Dewata at 2018-05-14T00:45:43Z
Removed redundant CMS methods.

Some methods in CMS class have been removed since the actual
methods in CMSEngine can be called directly.

Change-Id: I1f1d02168234ced01b53c6c19895f2c5d71a25da

- - - - -
55a09191 by Endi S. Dewata at 2018-05-14T03:15:15Z
Refactored CMSEngine.initSubsystems()

The doSetId parameter in CMSEngine.initSubsystems() has been
converted into SubsystemInfo.updateIdOnInit field.

Change-Id: I95df5c556ee67948e878f89a8e8246e3aaa9db42

- - - - -
517dca6f by Endi S. Dewata at 2018-05-14T03:41:47Z
Updated loggers in CMSEngine

Change-Id: I59053009e6985e9f7e5d0f4b87f4e5a3a55231db

- - - - -
e35a3214 by Endi S. Dewata at 2018-05-14T10:36:00Z
Removed dead code

Some classes have been modified to remove the dead code reported
by Eclipse.

Change-Id: I529d0a94efe7844e324fad1f2e4d0d2f3091d2b9

- - - - -
00fbc9de by Endi S. Dewata at 2018-05-14T11:24:26Z
Updated CAEngine

The CAEngine has been modified to disable additional subsystems
during installation to prevent misleading exceptions.


Change-Id: Iebeeeab5a9c75ab37b2a899f39c41961b3215bac

- - - - -
dd5eaab0 by Endi S. Dewata at 2018-05-14T11:26:56Z
Added KRAEngine

A new KRAEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.


Change-Id: Ie5917d686a3be09fc8bffe52d7f5e5c026629247

- - - - -
4110c928 by Endi S. Dewata at 2018-05-14T11:28:18Z
Added OCSPEngine

A new OCSPEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.


Change-Id: I8c741da8f750968644f8651d217d9b096caa82be

- - - - -
275e0770 by Endi S. Dewata at 2018-05-14T11:29:44Z
Added TKSEngine

A new TKSEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.


Change-Id: Ieae18c800ff71e33b8aa0bd73f3969ff98817418

- - - - -
9f52e75c by Endi S. Dewata at 2018-05-14T19:08:47Z
Fixed warnings in CMSStatus

Change-Id: I48a2fe2612ffdd18f2a4e0fdb26bfd666898bd20

- - - - -
4d696e97 by Endi S. Dewata at 2018-05-14T22:45:09Z
Added log messages in TPSInstaller

The TPSInstaller has been modified to provide additional log
messages to help troubleshooting.

Change-Id: I04f21568e9c6814116999861ded41bb4c6b9c228

- - - - -
2a9073e0 by Endi S. Dewata at 2018-05-14T23:32:55Z
Refactored ConfigurationUtils.reInitSubsystem()

The ConfigurationUtils.reInitSubsystem() has been converted into


Change-Id: Ib6ef2f30095f5a043f8d6870893106b36e77aa8e

- - - - -
0be09139 by Endi S. Dewata at 2018-05-15T00:06:27Z
Renamed .travis folder

The .travis folder has been renamed to travis for simplicity.

Change-Id: I2a1edc856b96fe0ea2705bae5a8adfd7c20bc522

- - - - -
eb5b163c by Endi S. Dewata at 2018-05-15T00:50:53Z
Removed duplicate CI tests

The pki-test.sh has been modified to remove duplicate tests.


Change-Id: I776cd848a0214be6bc03cb010e373dd13e3b27d4

- - - - -
ba8293e1 by Endi S. Dewata at 2018-05-15T01:27:52Z
Updated loggers in TPSSubsystem

Change-Id: I3530de27e89f3760552e4b45df04037eab48c923

- - - - -
01f01226 by Endi S. Dewata at 2018-05-15T02:24:30Z
Added basic OCSP installation test

Change-Id: I2837dce498d70822795e4de6d847a5b4c6efccb1

- - - - -
7f741fd3 by Endi S. Dewata at 2018-05-15T03:40:39Z
Fixed explicit-lib-dependency libselinux-python3 error


Change-Id: I903d7a1e57c3848b962b2ac9e29f592f812de306

- - - - -
2bbdec65 by Endi S. Dewata at 2018-05-15T03:56:36Z
Fixed non-executable-script error


Change-Id: I229a4a2ce8f7922da05f848334b2e58ba1d38c1d

- - - - -
28bbc5b8 by Endi S. Dewata at 2018-05-15T04:01:44Z
Added basic TKS installation test

Change-Id: Ib6ca651503055fd611d0cc199e723256570ebf35

- - - - -
719cfd4f by Endi S. Dewata at 2018-05-15T06:38:41Z
Added basic TPS installation test

Change-Id: Ic88a6b87fa1396076bd576bb3ab59f556f7b82ea

- - - - -
c72c62f4 by Endi S. Dewata at 2018-05-15T07:45:27Z
Cleaned up set_gerrit_message.sh

The set_gerrit_message.sh has been renamed to send-result.sh for
clarity. A new parameter has been added to read the message from

Change-Id: Ia8196b8c96a9926560493ceeed6608be782f5738

- - - - -
520bc3f6 by Endi S. Dewata at 2018-05-15T09:48:07Z
Renamed TRANSFER_SH_URLS variable

The TRANSFER_SH_URLS variable has been renamed to LOGS for clarity.

Change-Id: I565a36446b824e8e08476c9b913b35a8bffdba12

- - - - -
92a279f9 by Endi S. Dewata at 2018-05-15T10:14:49Z
Refactored init_task.sh

The code that initializes the builder container has been moved
from init_task.sh into a new builder-init.sh.

Change-Id: Ibc2c0e9a49aa642f0449ab652eafe5616c35ccc3

- - - - -
6e3daff7 by Endi S. Dewata at 2018-05-15T13:07:39Z
Merged CI build scripts

The code that installs the dependencies and executes the build
has been merged into a single script.

Change-Id: I1a878796f1a51bb7a64ed3cfb809fab90fa9ebb3

- - - - -
4d105479 by Endi S. Dewata at 2018-05-15T15:12:54Z
Refactored pki-test.sh

The code that builds and installs PKI packages has been moved
from pki-test.sh into the install section in .travis.yml.

Change-Id: If84ce2420986fa74cd700a5a17b117b1b6115de4

- - - - -
b882fbb9 by Endi S. Dewata at 2018-05-15T16:02:50Z
Split pki-test.sh and remove-all.sh

The pki-test.sh and remove-all.sh have been split into separate
scripts for each subsystem.

Change-Id: Ia0d3d2451f0d2ef53700581d46412439a58ad476

- - - - -
8bc024ba by Endi S. Dewata at 2018-05-15T17:39:54Z
Fixed timestamp and commit ID in spec templates

The compose scripts have been modified to generate the proper
timestamp and commit ID in all spec templates.

Change-Id: I926f433f42920d4d633732e9236588c469ecb6c2

- - - - -
080aef27 by Endi S. Dewata at 2018-05-16T01:44:07Z
Cleaned up ipa-test.sh

The code that installs ipa-docker-test-runner has been moved from
ipa-test.sh into ipa-init.sh.

Change-Id: I377283d60beb0e9fbd1c5a8acbdd4b53966c7376

- - - - -
becd0514 by Endi S. Dewata at 2018-05-16T11:04:08Z
Cleaned up CI logs

Some CI variable names and log file names have been renamed
for clarity.

Change-Id: Ibfed36dbe129269914e2e51f8a0ccda8b397686f

- - - - -
9a8c3232 by Endi S. Dewata at 2018-05-16T13:01:26Z
Added -quiet param for javadoc

Change-Id: Iad09a9d447345b2effccec285a63173d75db0c20

- - - - -
71a4f987 by Endi S. Dewata at 2018-05-16T17:12:48Z
Cleaned up CMake output

The CMake script has been modified to suppress install messages.

Change-Id: Ia1420935a993afd0791cf20a5ca9c1d2c184902e

- - - - -
24490f21 by Endi S. Dewata at 2018-05-16T18:08:12Z
Added TPSEngine

A new TPSEngine has been added to disable some subsystems
during installation to prevent misleading exceptions.


Change-Id: Id52966431635819de5f2d98d159964dfc02fb707

- - - - -
e7799ed1 by Endi S. Dewata at 2018-05-17T01:44:05Z
Cleaned up CMake output (part 2)

The spec templates have been modified to suppress excessive
CMake messages about build target dependencies.

Change-Id: I629288038b885319b66a7bc054cf688e85a65333

- - - - -
ba497148 by Endi S. Dewata at 2018-05-17T02:22:11Z

Change-Id: I21de12b9aac61e7277a3163ce4c4bcef24825455

- - - - -
5973c554 by Endi S. Dewata at 2018-05-17T14:51:57Z
Converted README to Markdown

Change-Id: I7d5ebb3a722010f71a9981044607676b44dc985f

- - - - -
37d6e3ae by Christina Fu at 2018-05-17T17:18:38Z
Ticket 1741 ECDSA Signature Algorithm encoding

This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3

Fixes https://pagure.io/dogtagpki/issue/1741

Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d

- - - - -
3c020c16 by Christina Fu at 2018-05-17T22:13:18Z
Ticket 3018 CMC profiles: Some CMC profiles have wrong input class_id

This patch fixes the profile input area where
cmcCertReqInputImpl should replace certReqInputImpl
and submitterInfoInputImpl should not be present

fixes https://pagure.io/dogtagpki/issue/3018

Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad

- - - - -
b743abbe by Endi S. Dewata at 2018-05-17T23:40:01Z
Fixed typo in pki-securitydomain man page

Change-Id: I84ec4d1da62ac9ee3c90c41f38c35445d1a1bc55

- - - - -
9b72967a by Timo Aaltonen at 2018-05-20T21:21:01Z
tests: Fix the test loop.

- - - - -
6fa2f87c by Endi S. Dewata at 2018-05-21T09:35:26Z
Removed old references to pki-selinux

The spec templates have been modified to remove references to
pki-selinux package that has been obsolete for quite a while.

Change-Id: I090d3fb5acdceb6cda421722fa925ce94d1f3886

- - - - -
7cfe5e18 by Endi S. Dewata at 2018-05-21T09:47:39Z
Added %doc macro for pki-base-java

The spec templates have been modified to provide a %doc macro
for pki-base-java package.

Change-Id: I825f8f82a8ff3c19f4eb8a880e3739558c0b2472

- - - - -
cce5ca5e by Endi S. Dewata at 2018-05-21T10:19:42Z
Renamed CI env vars for clarity

Change-Id: Id99119236e6467db2aa2ddba83a8b5bf3819d774

- - - - -
76ca5e2c by Endi S. Dewata at 2018-05-21T15:55:13Z
Fixed rpmlint warnings

Change-Id: I3e00379ac23487a18ec53b6ecb1521cd0e2040a5

- - - - -
cb7b0d12 by Endi S. Dewata at 2018-05-21T16:21:41Z
Removed references to old theme packages

The spec templates have been modified to remove references to
old theme packages that have been removed some time ago.

Change-Id: Id8d3f9e0b5ac1dcff2d4b605c3b3818e705b55a1

- - - - -
f1167a6d by Christina Fu at 2018-05-21T16:38:13Z
Ticket #2995 SAN in internal SSL server certificate in pkispawn configuration step

This patch adds CommonNameToSANDefault to all server profiles so that
SAN will be placed in server certs by default.
For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
will have to be used instead.

fixes: https://pagure.io/dogtagpki/issue/2995

Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641

- - - - -
94e0a563 by Jack Magne at 2018-05-21T18:16:56Z
Fix  #2996 ECC installation for non CA subsystems needs improvement.

The problem is that the installation of say a KRA, which is ECC enabled fails out of the box.

This is due to the fact that the internal cert profiles for the following certificates are incorrect:

1. sslserver cert
2. subsystem cert
3. admin cert

In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs.

What we need in the ECC case is a way to correctly select the ECC versions of the above profiles.
Therefore this fix does the following:

1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well known profile names, but can be modified in the future to be more customizable, should the need arise.

2. I found a related problem when trying to create an ECC enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario.

Change-Id: I192dc18e50c87403624dd46754c5f22bc988d9a7

- - - - -
d021dc2b by Christian Heimes at 2018-05-22T10:09:13Z
Fix banner file loading

The banner code was loading the banner file with
codecs.open(filename, 'UTF-8'), but the second argument to codecs.open()
is not an encoding but a mode.

Since Dogtag no longer supports Python 2.6, the io.open() function does a
much better job here. It's equivalent to Python 3's open() builtin. By
default, it loads text files with UTF-8 codec.

Change-Id: I2fbaea04bb313bdaf21ceaa0c0c68d0cfcd5ea9a
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
0b8d0c91 by Endi S. Dewata at 2018-05-22T14:16:51Z
Added UnicodeDecodeError handler

The pki-server banner-validate CLI has been modified to catch
UnicodeDecodeError and show a proper error message.

The XML validation is no longer needed so it has been removed.


Change-Id: I90f0d1068d974d611b6c269766e66bbeaef3a0d2

- - - - -
9e7f2352 by Christian Heimes at 2018-05-23T11:37:13Z
py3: write generic extension data in binary mode

Generic extension data gets supplied in pkispawn configuration as
hex-encoded text.  pkispawn decodes it and writes the binary data to
a file that will be read by `certutil -R`.  The datum being written
is bytes, so we must open the file in binary mode.

Change-Id: I934652e3408b12558532025e979eed6eb98106c2
Co-authored-by: Fraser Tweedale <ftweedal at redhat.com>
Fixes: https://pagure.io/dogtagpki/issue/3020

- - - - -
d06ff364 by Timo Aaltonen at 2018-05-23T19:30:28Z
control, rules: Add libjboss-annotations-1.2-api-java to pki-server depends, add links to lib directories.

- - - - -
d5b6913a by Endi S. Dewata at 2018-05-24T12:45:22Z
Added -Xlint:deprecation option for javac

The CMake script has been modified to use -Xlint:deprecation option
when compiling Java code to show deprecated code.

Change-Id: I176284a0fe4eed81b30974d74ab63b86ca687f23

- - - - -
a05e82c7 by Endi S. Dewata at 2018-05-24T21:20:12Z
Cleaned up .travis.yml

The code that posts test status in .travis.yml has been moved into
separate scripts for clarity.

Change-Id: I8dc1ac699cf3826650aeefd61e76f8735b15d2b9

- - - - -
b0f9a67f by gkapoor at 2018-05-29T14:22:15Z
Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Change-Id: Id8d45bfc804a9f26a1a475cb928cf184975a8f5f
Signed-off-by: gkapoor <gkapoor at redhat.com>

- - - - -
fc63ceab by Fraser Tweedale at 2018-05-30T00:15:40Z
Bump required jss version

jss-4.4.4 fixes a problem with key unwrapping that broke lightweight
CA key replication.  The problem only occurs when the SQL-based
NSSDB backend is in use.  Bump the jss min version for environments
that use the SQL DB by default.

Change-Id: I022600631d3251560d69ab0ba41cda7d1345d3eb

- - - - -
8e556e34 by Endi S. Dewata at 2018-05-30T19:42:59Z
Bump required jss version (part 2)

The pki and pki-core spec templates have been modified to match
the JSS requirements in pki-core.

Change-Id: I902319ff6621f52d888a2d481e383ad9c99391b7

- - - - -
a16ec662 by Endi S. Dewata at 2018-05-30T21:40:01Z
Moved default.cfg

The default.cfg has been moved from /etc/pki to
/usr/share/pki/server/etc to fix non-conffile-in-etc
rpmlint warning.


Change-Id: Ia74f5ba7fdf3dde2d29636fb02725874d45c479f

- - - - -
231d1fb1 by Endi S. Dewata at 2018-05-30T23:26:07Z
Fixed pylint error on F29

The upgrade.py has been modified to fix the try-except-raise
pylint error on F29.

Change-Id: I4f123ad2d38a5f353ec9be9c8b760cb35199fedf

- - - - -
8f4fbe3e by Endi S. Dewata at 2018-06-01T01:59:05Z
Updated loggers in CryptoUtil

The CryptoUtil class has been modified to use SLF4J loggers.

Change-Id: I23248b66723774b13adfb60fe94a3bc78a57d693

- - - - -
5efa4199 by Amol Kahat at 2018-06-01T06:51:03Z
Added pki CA authentication plugins automation tests.

Change-Id: I91e72faf458f4d4bbe3b912a6e08512951345f99
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
4b68c6e7 by Endi S. Dewata at 2018-06-04T17:40:49Z
Fixed BadPaddingException deprecation

The deprecated org.mozilla.jss.crypto.BadPaddingException has been
replaced with javax.crypto.BadPaddingException.

Change-Id: I9a685c9f56aea2bdccba0f45a48b1892a113c1fc

- - - - -
30002ee8 by Endi S. Dewata at 2018-06-04T19:02:29Z
Updated JSS dependencies

Change-Id: I0027c85f1199793df7ce7024bd49332c8fc815f6

- - - - -
bd936525 by Christina Fu at 2018-06-04T20:56:22Z
Ticket 3028 CMC CRMF request results in InvalidKeyFormatException when signing algorithm is ECC

This patch fixes the issue where in case of CRMF request with ECC keys the
public key was encoded incorrectly previously.

The fix was done in a way that RSA portion is unaffected.

Fixes https://pagure.io/dogtagpki/issue/3028

Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d

- - - - -
33f532f4 by Christina Fu at 2018-06-04T20:57:52Z
Ticket 3028 additional error checking

Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43

- - - - -
6c3ca7d4 by Endi S. Dewata at 2018-06-04T22:44:25Z
Added cert path validation during installation

The installer has been modified to validate the presence of the
mandatory certificates for existing/external CA scenarios and
external/standalone KRA/OCSP scenarios.


Change-Id: I60aa5118a9048b1ea77c1b203a36e8e164d03af7

- - - - -
6ff2dfc3 by Fraser Tweedale at 2018-06-07T02:55:10Z
Handle empty NameConstraints subtrees when reading extension

When reading stored NameConstraints extension data on a request, if
includedSubtrees or excludedSubtrees is empty, an exception is
thrown.  But these are valid cases, so do not throw an exception.

Also perform some minor drive-by refactors and add the 'static'
qualifier to a few methods to improve readability.

Part of: https://pagure.io/dogtagpki/issue/2922

Change-Id: I925d8a64b96dd0f45b0548ceb11dbee4223cd64c

- - - - -
2ea0bd67 by Fraser Tweedale at 2018-06-07T02:55:10Z
IPAddressName: fix toString method

IPAddressName.toString() is invoked when saving
NameConstraintDefault configurations.  Its implementation was wrong;
it produced bogus output for the netmasked variants used for
NameConstraints.  This resulted in issuance failures.  Update the
method to produce correct output for both netmasked and
non-netmasked addresses.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I3012565379961add5ac8286043f55c8e30520ddd

- - - - -
d6132233 by Endi S. Dewata at 2018-06-07T03:23:43Z
Removed dependency on sun.security.util.DerValue

All references to sun.security.util.DerValue have been replaced
with netscape.security.util.DerValue.


Change-Id: I669cf3d59533921e99aa5867eae40a6ce6f058a9

- - - - -
6a95f01f by Christina Fu at 2018-06-08T23:31:06Z
Ticket 3033  CRMFPopClient tool - should allow option to do no key archival

This patch allows key transport cert file to not be specified, which would
then not include key archive option in the CRMF request.

fixes https://pagure.io/dogtagpki/issue/3033

Change-Id: I087bfa6700f22c794e7a316f4451b3a9dc800265

- - - - -
7b01ff4b by Christina Fu at 2018-06-09T00:22:31Z
Bugzilla #1580527 CMCAuth Authorization for agents.

This patch adds proper authz entries to enrollment profiles using CMCAuth;
It also adds proper acl check inside ProfileSubmitCMCServlet for CMCAuth.

Fixes 2nd part of Bugzilla #1580527

Change-Id: I61fa1613f752c5bc203ab18d6a073eb7a13c966b

- - - - -
b6142812 by Endi S. Dewata at 2018-06-11T20:00:20Z
Removed pki-tools dependency on Servlet API

The unused CertSearchRequest.buildFromServletRequest() has been
removed such that pki-tools package no longer depends on Servlet


Change-Id: Ic1e5a384ee1db5eae1c790fb6fe70e98a16872d3

- - - - -
f4b5423c by Endi S. Dewata at 2018-06-11T21:39:23Z
Cleaned up Tomcat dependencies

Change-Id: I585d371ea007652a06811141b0704a42e18e2393

- - - - -
64c8d80a by Endi S. Dewata at 2018-06-12T21:52:49Z
Added default build target

Change-Id: I1dbdab42118554c196ece6b69e343e50b0180f17

- - - - -
80d26225 by Endi S. Dewata at 2018-06-12T22:22:25Z
Added logging in ProxyRealm

Change-Id: I6b7965f413abd1a4a96821c75489cf5b06565ec5

- - - - -
5c5fba6f by Endi S. Dewata at 2018-06-13T00:53:20Z
Refactored pki.upgrade.Version

The pki.upgrade.Version has been moved into pki.util.Version
to make it more usable in general.

Change-Id: Ib5b9475b7ee2ea0c139b15c59bd90951f04285f1

- - - - -
0aa0a4a7 by Endi S. Dewata at 2018-06-13T03:24:17Z
Refactored Tomcat.get_major_version()

The Tomcat.get_major_version() has been converted into
get_version() which returns the full version number in
an instance of pki.util.Version.

Change-Id: Ief0f658a71479171e8c5f49a934c1916f6a18455

- - - - -
8d4f8ea9 by Endi S. Dewata at 2018-06-13T04:03:47Z
Added generics for Enumerations

Change-Id: I129457bf95572053f6b78160c419ca83fa29034d

- - - - -
2a044a9b by Endi S. Dewata at 2018-06-13T20:46:59Z
Added generics for Hashtables

Change-Id: I8bc616da33f38b3c4d60e4c8d6354e705fa28be3

- - - - -
7108352a by Endi S. Dewata at 2018-06-14T04:27:39Z
Added generics for JComboBoxes

Change-Id: I9c15064373ed556e03216b741b66092a305e3b87

- - - - -
a7913e9d by Endi S. Dewata at 2018-06-15T00:53:05Z
Added generics for CustomComboBox

Change-Id: Iedd680fd555beafe781e28e4b457c11fb730d655

- - - - -
ea97e0b2 by Endi S. Dewata at 2018-06-15T01:15:39Z
Added generics for JList

Change-Id: I910ebd25914839e1dd25d31e291fef7c5ea0864f

- - - - -
47fa845c by Endi S. Dewata at 2018-06-17T05:31:13Z
Ignored Flake8 warnings on Rawhide

The tox.ini has been modified to ignore Flake8 W504 warnings
to avoid build failure on Rawhide. In the future the code should
be fixed properly.


Change-Id: I1ca9bf9d7fa3d2fdfae352d48d9122bdf0c1e5a1

- - - - -
871bb116 by Endi S. Dewata at 2018-06-17T05:31:25Z
Updated version number to 10.6.2

The spec files have been modified to update the version number,
Tomcat and JSS dependencies, and to remove redundant code.

Change-Id: Ic3fa7655972a535a8e9ac7549e634c6f4f11fafa

- - - - -
0addaf58 by Endi S. Dewata at 2018-06-18T19:49:29Z
Updated Python dependencies

Change-Id: Ife0f3461adfa42c5507acebe32ba023a4383f374

- - - - -
085e747f by Endi S. Dewata at 2018-06-19T00:43:50Z
Updated Python dependencies (part 2)

Change-Id: If6642363aacdc1daf75636c0ea6ece19ad072c2d

- - - - -
2746c4f7 by Christina Fu at 2018-06-20T02:21:24Z
Ticket 3037 CMC SharedToken SubjectDN default

This patch adds proper subjectDN to CMC requests authenticated via SharedToken.
Specifically, the AuthTokenSubjectNameDefault profile default is added to
the default CMC profiles that authenticate via SharedToken.
Code was added to ensure that the proper subjectDN retrieved from the
mapped user entry is added to the AuthToken for such utilization.

Fixes https://pagure.io/dogtagpki/issue/3037

Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc

- - - - -
0d568974 by Endi S. Dewata at 2018-06-21T04:03:38Z
Temporarily disabled cert validation for transfer.sh

The curl commands in Travis CI have been modified to ignore the
expired transfer.sh cert. Once the cert is renewed, the cert
validation should be restored.

Change-Id: Idfdcfc265bebf9351af12c2ef570e8091525d1fb

- - - - -
25aea9fd by Endi S. Dewata at 2018-06-21T04:31:10Z
Refactored replication configuration

The code that configures replication has been moved from
ConfigurationUtils class into a new ReplicationUtil class.

Change-Id: Ib3d27e7ca104fb6e531fa8664944d083582b49cf

- - - - -
bb1e72b3 by Endi S. Dewata at 2018-06-21T19:58:06Z
Updated pki.util.Version

The pki.util.Version has been modified to parse the first three
digits in the version number and ignore the rest.

Change-Id: I0d36a684d607ef4be02080a81ad1e37fec724d34

- - - - -
0bfc946c by Christina Fu at 2018-06-22T00:17:49Z
Ticket 2920 Part2 of SharedToken Audit

This patch addresses the issue that the original audit message for failure
got overwritten for SharedToken.

fixes https://pagure.io/dogtagpki/issue/2920

Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4

- - - - -
3bb33d5e by Endi S. Dewata at 2018-06-22T20:43:04Z
Added pki pkcs11-cert-find

A new pki pkcs11-cert-find CLI has been added to list the certs in
PKCS #11 keystore.

Change-Id: I718fa72a5b11de046f110f70c7b286e7df8eaf83

- - - - -
b02912f5 by Endi S. Dewata at 2018-06-22T22:21:27Z
Added pki pkcs11-key-find

A new pki pkcs11-key-find CLI has been added to list the keys in
PKCS #11 keystore.

Change-Id: I3d0a3aa35b18064cce776734f5dbf2a84589353e

- - - - -
43a5d6c7 by Endi S. Dewata at 2018-06-22T23:12:58Z
Deprecated pki cert CLI

The pki cert CLI has been deprecated in favor of pki ca-cert to
clarify that the operation will be performed on the CA instead of

Change-Id: I79e2b02ea733352e1d4fa5bfdd5a35109cfd7591

- - - - -
aed9a40c by Endi S. Dewata at 2018-06-22T23:50:03Z
Deprecated pki key CLI

The pki key CLI has been deprecated in favor of pki kra-key to
clarify that the operation will be performed on the KRA instead of

Change-Id: I7545133738f0655b65cd97db74d446e2f1a33f3e

- - - - -
657dad20 by Endi S. Dewata at 2018-06-23T02:35:25Z
Moved pki ca-cert classes

The classes that implement the pki ca-cert CLIs have been moved
from com.netscape.cmstools.cert into com.netscape.cmstools.ca.

Change-Id: I53aabcb0acbe531213136d9a86d13106415b8d5d

- - - - -
f2804623 by Endi S. Dewata at 2018-06-23T02:39:55Z
Moved pki kra-key classes

The classes that implement the pki kra-key CLIs have been moved
from com.netscape.cmstools.key into com.netscape.cmstools.kra.

Change-Id: I3411f0857d508b3406557912c79ff29b1889eb8d

- - - - -
59c323a8 by Endi S. Dewata at 2018-06-23T03:33:23Z
Clearing Password objects

The MainCLI has been modified to clear the Password objects

Change-Id: Id0cb1727d1a8ca69e05cfd50deee06a03b1b94ab

- - - - -
01fa6d2f by Endi S. Dewata at 2018-06-23T04:03:11Z
Updated loggers in PKCS10

The PKCS10 class has been modified to use SLF4J loggers.

Change-Id: I0852f9876e262c9f8f032a5bf094ad28b48a489a

- - - - -
8622bce2 by Endi S. Dewata at 2018-06-24T03:26:20Z
Fixed static field access

Various classes have been modified to access static fields by their
classes instead of instances.

Change-Id: Ib338af5c4e0ccf8b89705d147f1127f7e220e011

- - - - -
1cca8f13 by Endi S. Dewata at 2018-06-24T03:37:15Z
Removed unused imports

Change-Id: I4fb6790954d6886c9169b2da174b5bc3f7493068

- - - - -
651b9ab9 by Endi S. Dewata at 2018-06-25T17:35:48Z
Moved TomcatJSS configuration into PKIListener

The code that loads TomcatJSS configuration from server.xml
has been moved into PKIListener to provide more control on
the initialization process.

Change-Id: Ic40fc7ef467ca9eaa5b9cd62fa1c87eaed397a77

- - - - -
9993d32b by Endi S. Dewata at 2018-06-25T18:23:03Z
Updated TomcatJSS initialization in PKIListener

The PKIListener has been modified to initialize TomcatJSS before
the initialization phase.

Change-Id: If4b96192a9edf6d0b8c61aaa1dc2f0c2637311e7

- - - - -
8c58112f by Endi S. Dewata at 2018-06-25T22:35:41Z
Updated pki-server migrate to use PKCS #11 keystore

The pki-server migrate CLI has been modified to configure the
HTTP Connector with PKCS #11 keystore instead of PKCS #12 file.


Change-Id: I0c928c48bcb8d5ed09e3de27078f8ca333b2a228

- - - - -
df8198d6 by Fraser Tweedale at 2018-06-26T00:40:30Z
IPAddressName: fix construction from String

The IPAddressName(String) constructor (the non-netmask case) was
broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6.  Fix it,
and rename one of the helper methods to clarify its behaviour.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea

- - - - -
b1c244cf by Endi S. Dewata at 2018-06-26T01:01:06Z
Updated operations script

The operations script has been modified to no longer export the
SSL server cert into a PKCS #12 file since the HTTP connector
will now use a PKCS #11 keystore instead.


Change-Id: I9289c00a1ebfa4b1cf4d1738e9c2a3507d36da77

- - - - -
21d0899b by Endi S. Dewata at 2018-06-26T02:52:37Z
Updated JSS dependencies

The spec templates have been modified to depend on JSS version
that provides PKCS #11 keystore implementation.


Change-Id: I3b771acc8b5fc7bfb4fa9b1f8a4302f8c1f4d9c2

- - - - -
e3c0a585 by Christina Fu at 2018-06-26T16:50:48Z
Ticket 3003 AuditVerify failure due to line breaks

This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
in audit entry from running pki ca-user-cert-add which would cause AuditVerify
to fail. (note: adding user cert via the java console does not have such issue)

fixes https://pagure.io/dogtagpki/issue/3003

Change-Id: Iac60089349e78755ff94ce3231ee294ce8668f72

- - - - -
0c1ddc42 by Endi S. Dewata at 2018-06-26T19:08:30Z
Added generics for Vectors

Change-Id: Ic4016c09efe7b71cf84193aea3b426675d3bc1f6

- - - - -
1288df31 by Endi S. Dewata at 2018-06-26T20:36:01Z
Added support for pre-release phases

The build script and spec templates have been modified to support
pre-release phases (e.g. a1, b2).

Change-Id: I8410126d280fa8958e12e86faaf92ed35bd37c80

- - - - -
f2caa294 by Endi S. Dewata at 2018-06-26T21:46:24Z
Removed unused private methods

Change-Id: Ib2f970c24da7c3219a0fd7df868285eafb9afaae

- - - - -
ca0919b9 by Endi S. Dewata at 2018-06-26T23:17:31Z
Added support for custom spec file

The build script has been modified to provide an option to use
a custom spec file.

Change-Id: I2188430ad3fac32638f3fa06ccc1caccd6367a05

- - - - -
9c8e15e2 by Endi S. Dewata at 2018-06-26T23:32:32Z
Updated version number to 10.6.3

Change-Id: Iabcca3c2c5b71ebd4921c8a6935243dbfe5a23c4

- - - - -
f917433f by Christina Fu at 2018-06-26T23:47:42Z
Ticket 2992 CMC Simple request profiles and CMCResponse to support simple response

This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.

In addition, CMCResponse has been improved to handle CMC simple response.

fixes https://pagure.io/dogtagpki/issue/2992

Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a

- - - - -
baf67e4a by Endi S. Dewata at 2018-06-27T15:05:19Z
Updated build process in Travis CI

The Travis CI configuration has been modified to use the build.sh
instead of the compose scripts to build PKI packages.

Change-Id: I886cbc76b1312d8566ef6a83f30672abf7fdbdfe

- - - - -
02f186a0 by Endi S. Dewata at 2018-06-27T17:30:03Z
Cleaned up spec templates

The spec templates have been modified to work properly on all
supported platforms.

Change-Id: I86ecac418fcf7d835534a0f52668643e48d46b1a

- - - - -
2308efef by Endi S. Dewata at 2018-06-27T18:21:05Z
Updated build script

The build script has been modified to keep the original macros
before substitution for clarity.

Change-Id: I2c59e4084b478b634f3c5ea3a082c27845207e88

- - - - -
c0584406 by Endi S. Dewata at 2018-06-27T20:08:30Z
Updated spec template to support branding

The spec template has been modified to generate theme and meta
packages that match the spec file name to support branding.

Change-Id: Iea9f483b5082df09bd71920f9a1e91bc747e4750

- - - - -
c68b42ce by Endi S. Dewata at 2018-06-27T21:44:48Z
Cleaned up conditional macros

The conditional macros in pki.spec.in have been cleaned up for

Change-Id: I760f28957de20967052b36456b515bca047d9491

- - - - -
174bf99d by Endi S. Dewata at 2018-06-27T22:39:36Z
Synchronized spec template changes

The changes in pki.spec.in have been synchronized into
pki-core.spec.in and dogtag-pki.spec.in.

Change-Id: Id413f03f4de94abb48eea0fa25f592cb633abfa7

- - - - -
11fa1e2c by John Morris at 2018-06-28T00:45:23Z
server deployment:  don't fail if /proc/sys/crypto/fips_enabled absent

Running `sysctl crypto.fips_enabled -bn` on a system where
`/proc/sys/crypto/fips_enabled` doesn't exist needlessly raises an

This patch checks if that file is absent and returns gracefully if so.

Fixes #3039.

- - - - -
eedf40c1 by Amol Kahat at 2018-06-28T00:55:43Z
Added man pages. (#14)

* Documented --renewal option in pki cert man page.

Pagure issue: 2900
BZ: 1532579

Signed-off-by: Amol Kahat <akahat at redhat.com>

* Added pki-server ca, kra, ocsp, tks, tps man pages.

Signed-off-by: Amol Kahat <akahat at redhat.com>

* Added man page documentation for:

pki-server <subsystem>-audit-event-enable
pki-server <subsystem>-audit-event-modify
pki-server <subsystem>-audit-event-disable

Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
9a8e54ab by Christina Fu at 2018-06-28T01:20:47Z
Ticket #2959 Address pkispawn ECC profile overrides

This patch enables proper ECC profiles to be automatically applied during

This patch would eliminate the need for the workaround documented here:

The idea is to use the % replacement strings as part of the profile names
in the default.cfg file for pkispawn,
and change the profile names to match the format. So for example:


would either be translated to rsaAdminCert.profile or eccAdminCert.profile
depending  on the value in pki_admin_key_type

fixes https://pagure.io/dogtagpki/issue/2959

Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95

- - - - -
dfc71ca3 by Endi S. Dewata at 2018-06-28T19:31:42Z
Fixed Python-related macros

The spec templates have been modified to evaluate Python-related
macros (i.e. with_python2, with_python3, and with_python3_default)

Change-Id: Ifc4d3194f2d9fbca8ccb5a6e3ef6088fb22ba421

- - - - -
e4dd55d1 by Christina Fu at 2018-06-28T22:41:55Z
Ticket 2865 X500Name.directoryStringEncodingOrder overridden by CSR encoding

This patch allows profile to have control over whether to override the subjectDN
encoding in the CSR with the encoding set by the system.

New parameter in profile:
policyset.<policy set>.<#>.default.params.useSysEncoding=true

where "true" means to override the subjectdn with the system default order or
the order set by X500Name.directoryStringEncodingOrder in CS.cfg

by default, without useSysEncoding in profile, it is treated as false.

fixes https://pagure.io/dogtagpki/issue/2865

Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1

- - - - -
43bc63dd by Endi S. Dewata at 2018-06-29T02:00:17Z
Added pki pkcs11-cert-show and pki pkcs11-key-show

New CLIs have been added to show the details of a cert/key in
a PKCS #11 token.

Change-Id: I85fff753ef1d57195d63c95d15d21eac07997989

- - - - -
0c0fe02d by Endi S. Dewata at 2018-06-29T02:00:17Z
Added pki pkcs11-cert-del and pki pkcs11-key-del

New CLIs have been added to remove a cert/key from a PKCS #11

Change-Id: I089c36855f0f74d3be26461618ec6912d3d41c1d

- - - - -
e6347753 by Amol Kahat at 2018-07-02T20:13:53Z
Added CLI for enable/disable audit signing.

Change-Id: I9320e9ecd1081d60fd1673d408558ef1603e8655
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
1becf0cc by Endi S. Dewata at 2018-07-03T18:02:45Z
Added support for custom package name

The build.sh has been modified to support custom package name
which will be used to create the working directory and as the
spec file name. The source tarball and patch file generated by
build.sh will continue to use pki- prefix to match the upstream
project name.

Change-Id: I1c2aa09240f0ac56319fc1e40a0113a998987e75

- - - - -
f674d2e2 by Endi S. Dewata at 2018-07-03T18:02:45Z
Merged PKI source packages

Currently PKI uses four source packages on Fedora: pki-core,
pki-console, dogtag-pki-theme, and dogtag-pki. To simplify
maintenance the console and theme source packages have been
merged into the other source packages.

The pki-core.spec.in has been replaced with pki.spec.in that has
been customized with the following command:

 $ ./build.sh \
     --name=pki-core \
     --with-pkgs=base,server,ca,kra,ocsp,tks,tps,javadoc,console,debug \

The new spec will generate all binary packages except the theme
and meta packages.

The dogtag-pki.spec.in has been replaced with pki.spec.in that has
been customized with the following command:

 $ ./build.sh \
     --name=dogtag-pki \
     --with-pkgs=theme,meta,debug \

The new spec will only generate the theme and meta packages.

The compose script for the meta package has also been modified
to generate a source tarball for the theme packages.


Change-Id: Iecb23c006c91caad3ed504c2d370989dc9769351

- - - - -
4bb50eb2 by Endi S. Dewata at 2018-07-05T21:35:17Z
Updated references to CertificateUsage

Change-Id: I2dcd2695d096897cefe37d8d01987b6cb442a22d

- - - - -
cf097374 by Endi S. Dewata at 2018-07-05T21:35:56Z
Updated references to NotInitializedException

Change-Id: I61c4dbb278474d9a4fd668ffa1edffce4bcf41a2

- - - - -
b815c8b9 by Endi S. Dewata at 2018-07-05T21:36:57Z
Updated references to NicknameConflictException

Change-Id: I75d44a5cd1302629dcee434774550ddeb90ed38b

- - - - -
63848823 by Endi S. Dewata at 2018-07-05T21:36:58Z
Updated references to UserCertConflictException

Change-Id: I7057ed7223d5135f893bde83502ef23407df221c

- - - - -
c5b25878 by Endi S. Dewata at 2018-07-05T21:36:58Z
Updated references to InitializationValues

Change-Id: I5c926e0fff84e6b89618fc32d480fb0f775aa634

- - - - -
f36cf6c0 by Endi S. Dewata at 2018-07-05T21:36:59Z
Updated spec templates

The spec templates have been updated to require the latest JSS
and TomcatJSS.

Change-Id: I35c61e0e806b25e48de8370603656ca6abd3b0ae

- - - - -
c03b1d77 by gkapoor at 2018-07-06T14:36:06Z
Added ExternalCA Automation for dogtag, openssl and nssdb.

Change-Id: I72ed48122ef93d903b7014b296c95d44d741c046
Signed-off-by: gkapoor <gkapoor at redhat.com>

- - - - -
3ec850bc by Christina Fu at 2018-07-12T21:15:59Z
Bugzilla 1548203 LDAP password from console update in audit

This patch replaces ldap passwords with "(sensitive)" in audit log.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203

Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a

- - - - -
0329387a by bbhavsar at 2018-07-13T15:56:18Z
added .gitlab-ci.yml and some changes for fedora28

Change-Id: Iac74cd48216bb3b951a85bcfdfec8f773b24f8c3
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
bf36dcb7 by Endi S. Dewata at 2018-07-21T01:09:39Z
Fixed pylint issues

Change-Id: I0a0707d5b4be97f95fa10e5a5b6b7c9da03aaf11

- - - - -
c2c4f6fa by Endi S. Dewata at 2018-07-21T02:38:02Z
Fixed SLF4J dependency

Change-Id: Ic83a0f201825220a49e4fc2af0c58b0ce7013710

- - - - -
521099ea by Endi S. Dewata at 2018-07-21T02:38:31Z
Updated version number to 10.6.4

The JSS and TomcatJSS dependencies have been updated. The unused
spec templates and build scripts have been removed.

Change-Id: I81ddc3835610aa3c35cea60863c928c7211efcc0

- - - - -
e11b24fb by Endi S. Dewata at 2018-07-25T02:01:05Z
Updated Eclipse classpath

Change-Id: I1d741af7b46cc60008c4d45b6847ca16dc0c4231

- - - - -
d7e1ecab by bbhavsar at 2018-07-26T11:49:18Z
fix for password file for certutil

Change-Id: Ia321c4fd3bae593a091c102b08f28f8f87b22423
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
70094107 by bbhavsar at 2018-07-26T14:48:54Z
Added installation sanity job in gitlab-ci

Change-Id: Id5d5db6c30a2f3671e6a2f1433e227bdd60f47d4

- - - - -
accb6bba by Fraser Tweedale at 2018-07-26T15:22:14Z
Merge remote-tracking branch 'gerrit/master'

Change-Id: Ic88d84a89c8fa2512cd14be2e72597e2bc75bc8d

- - - - -
588fe37f by Roshni Pattath at 2018-07-26T21:05:29Z
Automation of BZ 1523410 and 1534030

Change-Id: I2f78c2bc1458c15cfaf53c35a87541daf53c0bf6

- - - - -
c87d7820 by Jack Magne at 2018-07-27T23:05:53Z
Test fix for TPS server side key gen for only identity cert problem.

Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d

- - - - -
724866d2 by Endi S. Dewata at 2018-07-31T22:45:36Z
Getting version number from installed Tomcat

The spec template has been modified to get the Tomcat version
from the installed Tomcat instead of pre-defined constant. This
allows PKI to be built with non-standard Tomcat package.

Change-Id: I50ca2209180854f0cbc916ba373efd3f06263f42

- - - - -
26093834 by Christina Fu at 2018-08-01T17:44:48Z
Bug 1601071 Certificate generation happens with partial attributes in CMCRequest file

This patch addresses the issue where when a cmcSelfSigned profile is used
in a cmcUserSigned case, the certificate is issued.
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
to verify.
In addition, all profiles that authenticate through CMCUserSignedAuth are
turned off by default to allow site administrators to make conscious decision
on their own for these features.
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.

Change-Id: I8405b2e83f7ea3e3da98164cbc87762cdfa7475f

- - - - -
efe9bf15 by Christina Fu at 2018-08-01T22:22:03Z
Bug 1593805  Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC

This patch removes the outdated reference to EC environment variable
NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.

More info in the usage are updated as well for correctness and clarity.

Change-Id: I60fc56eee1e94c73f401a5d46ea3ea9f1aa0a4c0

- - - - -
8147769f by Alexander Bokovoy at 2018-08-02T07:29:43Z
ReplicationUtil: support new format for nsds5replicaLastInitStatus value

pkispawn is reading the attribute nsds5replicaLastInitStatus in
tree,cn=config in order to find the replication status.  The new format
(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
succeeded" but pkispawn is expecting "0 Total update succeeded"

389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629

- - - - -
2bb0624f by Endi S. Dewata at 2018-08-03T16:21:53Z
Cleaned up IPA test

The ipa-test.sh has been modified to remove the redundant
--developer-mode option for ipa-docker-test-runner.

The ipa-test.yaml has been modified to remove the redundant
--setup-dns option for ipa-server-install.

The curl commands have been moved from ipa-test.yaml to
ipa-test.sh such that the ipa-docker-test-runner can be
run locally without uploading the logs.

Change-Id: Iefb3ae0097632bccf06e2ee57b0b67c9be445a5e

- - - - -
94f28d4d by Christina Fu at 2018-08-03T18:15:40Z
Bug1608375 - CMC Revocations throws exception with same reqIssuer & certissuer

This patch resolves the possible encoding mismatch between the actual CA cert
and the X500Name gleaned from the CMC revocation request.

Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d

- - - - -
dfa1b02a by Fraser Tweedale at 2018-08-06T14:47:48Z
CLI: avoid improper escaping of profile config

Profile configuration in the `pki ca-profile` CLI is currently
handled using java.util.Properties.  This class eagerly escapes some
characters in values (e.g. ':'), resulting in incorrect or broken
profile configurations.

This issue is similar to https://pagure.io/dogtagpki/issue/2909,
which was resolved in e634316eb7f2aedc65fe528fb572b15e1bdc1eb2.

Handle the profile configurations as byte[], only converting to
Properties for high-level syntax validation and inspecting fields
like 'profileId' and 'enabled'.

Fixes: https://pagure.io/dogtagpki/issue/3029
Change-Id: I3446e2a5dd47e597989441b5d498e6321338caab

- - - - -
e4da86f9 by Endi S. Dewata at 2018-08-06T15:39:02Z
Updated version number to 10.6.5

Change-Id: I5147424819c1d6684a53ebc3b18032ccc1a26aa6

- - - - -
a96aefb6 by Endi S. Dewata at 2018-08-06T19:03:28Z
Cleaned up server.xml

An upgrade script has been added to clean up upgraded server.xml
such that it is more consistent with newly created server.xml.

Change-Id: I674f59ade5e22de2472c249885992a2d33a0c437

- - - - -
5ad1607a by Endi S. Dewata at 2018-08-06T19:51:16Z
Removed PKI_AGENT_CLIENTAUTH parameter

The PKI_AGENT_CLIENTAUTH parameter is not customizable so it has
been replaced with the actual value.

Change-Id: Id6026615a11abfb9e8ec41687c82eab0fef9bdb0

- - - - -
0e96c701 by Endi S. Dewata at 2018-08-06T19:51:43Z
Removed unused parameters

Change-Id: I64e40798be9cb62e2db0d1fdbdbb49a99ba7e039

- - - - -
e08209ad by Endi S. Dewata at 2018-08-06T22:47:35Z
Added SSLHostConfig for Tomcat 8.5

The server.xml for Tomcat 8.5 has been modified to use the new
SSLHostConfig. The migration tool has been modified to move some
attributes from Connector to SSLHostConfig.

Change-Id: I60e3d967a530e794877dd11fe052debe314412e4

- - - - -
9c11419d by Endi S. Dewata at 2018-08-08T03:09:25Z
Updated JSS and TomcatJSS dependencies

Change-Id: Ie5acde9e5afb26abacf3aa36dad3c2cc10dcaab5

- - - - -
e550502e by Endi S. Dewata at 2018-08-08T03:09:48Z
Removed unused spec files

Change-Id: Ibf31a1fe80dac1a5262c29281a7ffdd4f6fa92c8

- - - - -
7c937639 by Alexander Bokovoy at 2018-08-08T16:42:58Z
Do not override system-wide crypto policy

System-wide crypto policy may dictate use of TLS 1.3. Instead of
overriding existing crypto policy, bound our requirements by the system
policy itself.

Note that both jss and pki-core define SSLVersion class which Java
compilers see as two different classes. As a result, we have to convert
via integer values (getMinEnum() / getMaxEnum()) between them at the

- - - - -
9a367fe8 by Alexander Bokovoy at 2018-08-08T16:43:02Z
Add TLS 1.3 ciphers

- - - - -
10501872 by Dinesh Prasanth M K at 2018-08-09T14:42:32Z
Adding build status icon (#28)

Build status icon is loaded from https://travis-ci.org/dogtagpki/pki-nightly-test

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
07a82189 by Christina Fu at 2018-08-10T00:24:41Z
Ticket #3041 Enable all config audit events

This patch enables the audit events concerning role actions (mostly config)
by default.

Two additional minor issues are also addressed:
1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
   (bugzilla #1610718)
2. removing unrecommended signing algorithms

fixes: https://pagure.io/dogtagpki/issue/3041
Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d

- - - - -
df287935 by Endi S. Dewata at 2018-08-10T23:15:40Z
Moved Dogtag theme into themes folder

Change-Id: I1f577d670b505723bda9cc9dd331e87cb71f65d5

- - - - -
9c4788ad by Christina Fu at 2018-08-11T01:52:05Z
Ticket #2481 ECC keys not supported for signing audit logs

This patch adds support for ECC audit log signing key.
All enrollment profiles for audit signing certificate are updated to allow that.

fixes https://pagure.io/dogtagpki/issue/2481

Change-Id: I3785365b152690f57c3904c15dfa7b2999048930

- - - - -
01e440db by Endi S. Dewata at 2018-08-11T02:57:46Z
Removed outdated Provides/Obsoletes/Conflicts

Change-Id: I1da6dce362b38a57b21ebef856f52530340c0201

- - - - -
41682a78 by Endi S. Dewata at 2018-08-11T03:01:45Z
Added RPM macro for branding

An RPM macro has been added to define the prefix of the meta
and theme packages and to define theme folder name.

Change-Id: I7b989955ecdf5750edd19302ca15b1879ac4a1ad

- - - - -
6e9f59bb by Endi S. Dewata at 2018-08-11T03:04:38Z
Removed cipher map in CryptoUtil

The code that translates cipher name into cipher ID using a map
in CryptoUtil has been replaced with SSLCipher.valueOf().

Change-Id: I8506bd1b5e20ecf249eed23ded41348d55b5991b

- - - - -
425c5da4 by Endi S. Dewata at 2018-08-11T03:22:05Z
Cleaned up cipher array in JssSubsystem

The array of integer cipher IDs in JssSubsystem has been
replaced with array of SSLCiphers.

Change-Id: I221eaf963b6491ea0c5325a95759d48e883f0c65

- - - - -
915816c9 by Endi S. Dewata at 2018-08-11T04:01:57Z
Refactored CMake variables for theme

have been replaced with a single THEME variable. If not specified,
it will default to "dogtag". If it's empty, the theme packages
will not be built. If it's not empty, the theme packages will be
built with the specified theme.

Change-Id: I913fa670a41795da61746c2acddac981c2f84a84

- - - - -
1043ebd3 by Endi S. Dewata at 2018-08-13T15:58:04Z
Removed redundant %defattr directives

Change-Id: I9199974de6fd3c52d7d891d298c9a0d2f369b5a7

- - - - -
1aee1b8f by Endi S. Dewata at 2018-08-13T17:27:11Z
Fixed meta package

The spec template has been modified such that it generates
dogtag-pki meta package properly regardless of the name of the
spec file.

Change-Id: I7de3246b97de971cebdddd1be00556ce37a22167

- - - - -
82e89a7d by Endi S. Dewata at 2018-08-13T18:20:05Z
Moved pki.spec.in

The pki.spec.in has been moved into the top-level directory and
renamed into pki.spec for consistency with other projects.

Change-Id: I90c8fa3cbc955ce9eadcfb101c1f029e7f782c31

- - - - -
3cc549b2 by Endi S. Dewata at 2018-08-13T23:33:33Z
Updated version number to 10.6.6

The RPM spec template has been modified to update jss, tomcatjss,
and ldapjdk dependencies, also to remove redundant dependencies.

Change-Id: I1b0e066965697e28a2b7b1e9676f692146fe2f86

- - - - -
21456951 by Timo Aaltonen at 2018-08-15T12:26:18Z
Merge branch 'upstream'

- - - - -
c462f48f by Timo Aaltonen at 2018-08-15T12:27:19Z
update version

- - - - -
458644fe by Timo Aaltonen at 2018-08-15T12:30:26Z
watch: Updated.

- - - - -
7a07493b by Timo Aaltonen at 2018-08-15T12:30:40Z
copyright: Update excluded files.

- - - - -
9b441d7e by Timo Aaltonen at 2018-08-22T21:55:20Z
debian-support.diff: Refreshed.

- - - - -
9a14731c by Timo Aaltonen at 2018-08-23T05:04:57Z
server.install: Updated.

- - - - -
2f38f65d by Timo Aaltonen at 2018-08-23T05:05:32Z
rules: Updated cmake variables for default nssdb and theme.

- - - - -
71aa4956 by Timo Aaltonen at 2018-08-23T05:58:40Z
install: updated.

- - - - -
116de4e2 by Timo Aaltonen at 2018-08-23T06:02:20Z
control: Bump {build-}depends on libjss-java, libldap-java, libtomcatjss-java and libidm-console-framework-java.

- - - - -
f7d55e44 by Timo Aaltonen at 2018-08-23T06:12:41Z
rules: Remove tomcat/ on clean.

- - - - -
159319a2 by Timo Aaltonen at 2018-08-23T06:13:26Z
releasing package dogtag-pki version 10.6.6-1

- - - - -

30 changed files:

- .classpath
- .travis.yml
- − .travis/01-install-dependencies
- − .travis/40-spawn-ca
- − .travis/50-spawn-kra
- − .travis/99-destroy
- − .travis/global_variables
- − .travis/py3rewrite
- CMakeLists.txt
- + README.md
- base/ca/shared/conf/CS.cfg
- + base/ca/shared/conf/eccAdminCert.profile
- + base/ca/shared/conf/eccServerCert.profile
- + base/ca/shared/conf/eccSubsystemCert.profile
- base/ca/shared/conf/registry.cfg
- base/ca/shared/conf/adminCert.profile → base/ca/shared/conf/rsaAdminCert.profile
- base/ca/shared/conf/serverCert.profile → base/ca/shared/conf/rsaServerCert.profile
- base/ca/shared/conf/subsystemCert.profile → base/ca/shared/conf/rsaSubsystemCert.profile
- base/ca/shared/profiles/ca/caAgentServerCert.cfg
- base/ca/shared/profiles/ca/caCMCECUserCert.cfg
- base/ca/shared/profiles/ca/caCMCECserverCert.cfg
- base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
- base/ca/shared/profiles/ca/caCMCUserCert.cfg
- base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
- base/ca/shared/profiles/ca/caCMCcaCert.cfg
- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
- base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
- base/ca/shared/profiles/ca/caCMCocspCert.cfg

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/compare/0fec6b8c3db6f352243b1c2b160afe6e8f7862f6...159319a280060b7742399b4eddd2a4f8292c49ac