[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 515 commits: Added man page for PKCS10Client

Timo Aaltonen gitlab at salsa.debian.org
Sun May 20 13:06:32 BST 2018


Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
9ab493e3 by Amol Kahat at 2017-10-20T15:42:25+05:30
Added man page for PKCS10Client

- - - - -
92341c5b by Dinesh Prasanth M K at 2017-12-13T09:49:18-05:00
Fixed Travis python issue

pyenv variable has been updated in response to
Travis CI current update: https://docs.travis-ci.com/user/build-environment-updates/2017-12-12/

Change-Id: Id6a65a895a5f56415582a5dfe369f5f7ed4179b1

- - - - -
c2f41579 by Endi S. Dewata at 2017-12-13T19:58:15+01:00
Fixed pylint warnings.

Some Python files have been modified to avoid pylint warnings due
to subsequent changes.

https://pagure.io/dogtagpki/issue/167

Change-Id: If16e5d7f60cef776c6b65ad9f803b178ba52bc85

- - - - -
d56a5543 by Endi S. Dewata at 2017-12-13T20:02:57+01:00
Added wrappers for pkispawn and pkidestroy.

The existing pkispawn and pkidestroy Python scripts have been
moved into pki.server package. New shell wrappers have been added
as replacements. The wrappers will allow loading the environment
variables defined in pki.conf.

https://pagure.io/dogtagpki/issue/167

Change-Id: I9a4a360229b589164c4c21a9ab345e4b46f9fd06

- - - - -
e8e504c9 by Endi S. Dewata at 2017-12-14T04:22:15+01:00
Added pki.util.chmod().

A new chmod() function has been added to set file or folder
permissions recursively. The existing chown() has been modified
to work with files as well.

https://pagure.io/dogtagpki/issue/167

Change-Id: I219bfe54d97afaedb864c71cb4f7e53e87a2733d

- - - - -
fd842db8 by Endi S. Dewata at 2017-12-14T04:24:25+01:00
Added PKIDeployer.record().

The code that generates manifest records has been refactored into
a new record() method in the PKIDeployer class.

https://pagure.io/dogtagpki/issue/167

Change-Id: If3073e618c0b40b320e93c19406542acf66bc8c6

- - - - -
c945f3d4 by Endi S. Dewata at 2017-12-16T00:13:03+01:00
Updated version number to 10.6.0-1.

Change-Id: I48753242fd05fc1fe652c270e0ae0ba1e105b0bc

- - - - -
c7cd967c by Endi S. Dewata at 2017-12-16T19:09:32+01:00
Removed hard-coded app server names in CMake scripts.

Currently PKI only supports Tomcat 7.0 and 8.0 and the related
files are stored in tomcat7 and tomcat8 folders, respectively.
The folder is selected during build using WITH_TOMCAT7 or
WITH_TOMCAT8 variables in CMake scripts.

To support other app servers (e.g. Tomcat 8.5), the app server
name now can be specified using APP_SERVER variable which will be
used to select the folder to use.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I4229a341e23f992a290ceeb15b518ff209a3f6d9

- - - - -
22d486c1 by Endi S. Dewata at 2017-12-16T19:12:13+01:00
Removed hard-coded app server names in pki-core.spec.

Currently PKI only supports Tomcat 7.0 and 8.0 and the app server
is selected during build using with_tomcat7 and with_tomcat8 macros.

To support other app servers (e.g. Tomcat 8.5), the app server name
now can be specified using app_server macro which will be used to
set the APP_SERVER variable in CMake scripts.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ied83799289f2e4ae00d2eb763f7ecbb2b27ef158

- - - - -
f54b4a8d by Endi S. Dewata at 2017-12-18T23:33:17+01:00
Fixed missing admin PKCS #12 file on external KRA/OCSP installation.

The deployment tool has been modified to generate a PKCS #12 file
that contains the admin certificate for KRA/OCSP installation with
external certificates.

https://pagure.io/dogtagpki/issue/2873

Change-Id: Ide6b08ba8f2121b4cdf21208c32d745534893f0f

- - - - -
d7269edb by Ade Lee at 2018-01-03T09:19:58-05:00
Fix various PEP8 and pylint issues

Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7

- - - - -
6e4a1050 by Ade Lee at 2018-01-03T09:20:22-05:00
Modified systemd invocations in pkispawn to handle nuxwdog

The systemd invocations in pkispawn/pkidestroy did not account for
nuxwdog enabled instances.  This patch allows pkispawn/pkidestroy to
use the right service name if the nuxwdog service unit files exist.

Also modified instance_layout deployment script to delete the right
systemd link.

Change-Id: I25eac0555aad022784d7728913ae4a335eab3463

- - - - -
7ef597aa by Ade Lee at 2018-01-03T09:20:22-05:00
Allow prompting for token passwords if not present

Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff

- - - - -
e7ae46a7 by bbhavsar at 2018-01-04T10:20:11-05:00
Added Banner CLI Automation

Change-Id: Ia6f72b847d90bccc86a983f943d95188d35c6350
Signed-off-by: bbhavsar <bbhavsar at redhat.com>

- - - - -
057f75b1 by Endi S. Dewata at 2018-01-04T10:44:21-05:00
Removed temp script creation in compose scripts (part 1).

The compose scripts have been modified to execute rpmbuild command
directly without using a temporary script.

Change-Id: I6abac3b11e1903b741efcdc0e374432ee6c70b6a

- - - - -
da712a52 by Endi S. Dewata at 2018-01-04T16:45:25+01:00
Removed temp script creation in compose scripts (part 2).

The compose scripts have been modified to remove unused code
related to temporary script creation.

Change-Id: I95b4b5e12d2aa6cea7b3d9d8fea8d3b5e34bb5ec

- - - - -
7bc83bb4 by Endi S. Dewata at 2018-01-04T17:25:02+01:00
Removed temp script creation in compose scripts (part 3).

The compose scripts have been modified to define the rpmbuild
operation in a separate variable.

Change-Id: Ie6495b73b861fb867df6d75d3fabf7989abb4b36

- - - - -
db2c54dc by Endi S. Dewata at 2018-01-05T06:39:00+01:00
Updated version number to 10.6.0-0.1.

Change-Id: I2e2c7684ec04e43b672eea0686295381e95acced

- - - - -
e66cf40d by Christina Fu at 2018-01-05T11:43:00-08:00
Ticket #2604 adding FIPS support-RFE: shared token storage and retrieval mechanism

This patch adds FIPS support to the original ticket 2604.  Two changes were
made:
1. in CMCSharedToken tool, "-p" is used to specify the password for token login
and "-s" is used to specify the shared secret (or passphrase)
2. on the server side, in SharedSecret, an existing configuration parameter, cmc.token is utilized for admin to specify
the token where the issuance protection cert's private key resides on.

Change-Id: Ia454598bca7843bfc0a6ad21f57f6a74d05d67fe

- - - - -
3c61c4a7 by Endi S. Dewata at 2018-01-10T12:12:02-06:00
Added pki-server <subsystem>-audit-event-find command.

A new pki-server <subsystem>-audit-event-find command has been
added to list audit events and their attributes (e.g. filter).
Currently the command can only list enabled events.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I7319ac4e449045d7456e9ae225aca58075093bcd

- - - - -
b142b035 by Endi S. Dewata at 2018-01-10T12:32:14-06:00
Merged CMC_USER_SIGNED_REQUEST_SIG_VERIFY events.

The CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS and
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE events have
been merged into CMC_USER_SIGNED_REQUEST_SIG_VERIFY event,
and encapsulated using CMCUserSignedRequestSigVerifyEvent
class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I85ec9c871526da9ca8711ebcd6c9281086e2199f

- - - - -
a669e4d2 by Sumedh Sidhaye at 2018-01-11T15:57:33-05:00
added role user creation code and a sanity test for it

Change-Id: I10924fa1cf6ff03dbb46d27db1ced196027668be
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

- - - - -
52a7543e by Ade Lee at 2018-01-12T13:39:00-05:00
Modify get_cert to get rid of spurious certutil error messages

Also shortened some lines to comply with PEP8
rhbz# 1520277

Change-Id: I71d5ecb24c979c1be642a0c3529aebfae6e98aa7

- - - - -
fc3067f2 by Fraser Tweedale at 2018-01-16T14:53:51+11:00
Set nextUpdate in OCSP responses

Some OCSP clients adhere to the Lightweight OCSP Profile (RFC 5019)
which requires that the OCSP response include the nextUpdate field.

Update the CA subsystem's OCSP responder to include the nextUpdate
field when it is configured to use the CRL cache.  The nextUpdate
field in the OCSP response is set to the nextUpdate time of the
"master" CRL issuing point.

If the OCSP responder is not configured to use the CRL cache, there
is no reasonable value for nextUpdate.  In this case, we continue to
omit it.

Fixes: https://pagure.io/dogtagpki/issue/2661
Change-Id: Idbf7354b0ecc45c0498c4b7c05458f726f40336f

- - - - -
2922cdaa by Endi S. Dewata at 2018-01-17T18:32:11+01:00
Removed redundant constants in CA's SigningUnit.

Some constants in CA's SigningUnit have been removed since they
are already defined in ISigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I130bb22eb09fb59b8ce30a2f0bac8d4024daad7d

- - - - -
ce8872cf by Ade Lee at 2018-01-17T13:07:35-05:00
Make sure tomcat is running as pki user with nuxwdog

The nuxwdog process needs to run as a privileged user to be able
to retrieve the passwords from the systemd tty agent in systemctl.
Therefore, the nuxwdog unit file should NOT specify the PKI user
there.

However, we have added an option to nuxwdog to specify the user
in the nuxwdog config file, so that the process that nuxwdog spawns
(ie. tomcat) will run as the specified user.

The code changes in this patch ensure that when the nuxwdog conf
file is created, the user is set correctly as the value of the
variable TOMCAT_USER.

Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf

- - - - -
982e4da5 by Endi S. Dewata at 2018-01-17T19:33:30+01:00
Renamed constants in ISigningUnit.

The constants in ISigningUnit have been renamed to be more
consistent with OCSP's SigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I0b9137c80ad2be0a6c7dd063382629c85961a7f3

- - - - -
991f263f by Endi S. Dewata at 2018-01-17T20:02:15+01:00
Removed redundant constants in OCSP's SigningUnit.

Some constants in OCSP's SigningUnit have been removed since they
are already defined in ISigningUnit.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ie9b00194782f07499b595c108e0bf311946505ed

- - - - -
e715c8a9 by Endi S. Dewata at 2018-01-17T21:00:09+01:00
Fixed pki-server cert-find to work with HSM.

Previously the pki-server cert-find command would prompt for
token password if used with HSM. It has been fixed with the
following changes:

The PKISubsystem.create_subsystem_cert_object() was modified to
get the certificate info from the proper token.

The NSSDatabase.get_cert_info() was modified to specify the token
name in the certutil command if provided.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If8862abe4c3057f3094c414134b9719088796963

- - - - -
c52c51c6 by Christina Fu at 2018-01-17T16:59:26-05:00
Ticket #2675 additional fix to allow requests without POP

This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b

- - - - -
f65ea152 by Endi S. Dewata at 2018-01-17T18:14:33-05:00
Fixed pki-server subsystem-cert-verify to work with HSM.

The pki-server subsystem-cert-verify has been modified to use the
proper token name to call pki client-cert-verify.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ifc496beb0f81c1c6310b183175037243b71a1926

- - - - -
fe33d958 by Endi S. Dewata at 2018-01-17T17:26:50-06:00
Merge pull request #4 from amolkahat/man-pages

Added man page for PKCS10Client
- - - - -
b4797134 by Amol Kahat at 2018-01-17T17:32:12-06:00
Fixed small error message of certificate-revoke.

Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
c8f90584 by Endi S. Dewata at 2018-01-17T23:20:51-05:00
Fixed nssdb.add_cert() for HSM.

The nssdb.add_cert() has been modified to import certificates
properly. If HSM is used, the certificate will be imported into
HSM without trust attributes. If trust attributes are specified,
the certificate will be imported into internal token as well with
the trust attributes. If no HSM is used, the certificate will be
imported into the internal token with the trust attributes if
available.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I4027b3064694ecf41bc616cf1b67581e4d103531

- - - - -
95f2931c by Endi S. Dewata at 2018-01-18T23:06:53+01:00
Added CalledProcessError handler for pkispawn.

A CalledProcessError handler has been added for pkispawn to show
the command that failed.

Change-Id: I0027bf1d82f0739e9f20ca8ad9ba5e9fa4a3a5d7

- - - - -
d1435e2b by Ade Lee at 2018-01-18T19:04:18-05:00
Allow instances to be created with custom users

Some folks want to run instances under a different user and
group (ie. not pkiuser).  They may even want a different user for
each instance.  The way to do this in systemd is to create systemd
override files for the specific instance.

The deployment scriptlets have been updated to create (and delete)
these override files.

Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037

- - - - -
1cda0ab3 by Endi S. Dewata at 2018-01-19T05:43:10+01:00
Added default CA cert nickname in pki client-cert-import.

The pki client-cert-import has been modified to support optional
nickname for CA cert. If not specified, a default nickname will
be generated based on the subject DN.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I285a6f1ceb68d388fdf8bb5638f3767a312854a5

- - - - -
ca5e4fde by Endi S. Dewata at 2018-01-19T06:47:17+01:00
Added NSSDatabase.add_ca_cert().

A new NSSDatabase.add_ca_cert() method has been added to import
CA cert without nickname using pki client-cert-import.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I45d83938e92293dd54ec5af6e05c6edb215f80ea

- - - - -
ad67ee99 by Endi S. Dewata at 2018-01-19T06:54:05+01:00
Refactored ClientCertImportCLI.sort().

The ClientCertImportCLI.sort() has been changed to support sorting
in both directions. It also has been renamed to sortCertificateChain().

https://pagure.io/dogtagpki/issue/2901

Change-Id: I431b80e65e4a859d8d6deadf43af6af6aeefad4d

- - - - -
1622094a by Endi S. Dewata at 2018-01-19T06:54:49+01:00
Moved ClientCertImportCLI.sortCertificateChain().

The ClientCertImportCLI.sortCertificateChain() has been moved into
CryptoUtil for reusability. It also has been changed to use SLF4J
logger.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I465c99b9763147357c38ad0526137302acf90a5e

- - - - -
96a3bb4d by Matthew Harmsen at 2018-01-19T11:25:13-05:00
Fixed setup of ECC CA

Restored ECC functionality that was lost during
'Refactoring SSL server cert creation'
(https://pagure.io/dogtagpki/issue/2786).

Additionally, to avoid confusion, deprecated
'pki_admin_keysize' and use 'pki_admin_key_size'
to make parameters consistent across different
certificate key types.

Fixes:  https://pagure.io/dogtagpki/issue/2887
Change-Id: I1206b37a00b7da5e30fef5b2d12fb266e2779cfb

- - - - -
165c7865 by Endi S. Dewata at 2018-01-19T12:21:06-05:00
Added pki pkcs7 CLI.

A new pki pkcs7 CLI has been added to manage a certificate chain in
a PKCS #7 file. The pki pkcs7-cert-find can be used to inspect the
certificates. The pki pkcs7-cert-export can be used to export the
certificates into separate files. The output certificates are sorted
from root to leaf so they can be processed further more consistently.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I7e5c9e2dc0ddd12db126955114b3314f75d475d7

- - - - -
3d231ae0 by Endi S. Dewata at 2018-01-19T12:37:12-05:00
Fixed NSSDatabase.import_pkcs7() for HSM.

Previously NSSDatabase.import_pkcs7() was implemented using pki
client-cert-import --pkcs7 which uses JSS to import the certificate
chain from a PKCS #7 file. Apparently, when it is used with HSM
outside of PKI server JSS imports the certificates incorrectly.

The method has been changed to use pki pkcs7-cert-export to sort
and split the certificate chain into separate files. The CA certs
will be imported with pki client-cert-import --ca-cert (such that
the nickname will be consistently generated by JSS), and the user
certificate will be imported using certutil with the nickname
provided by the caller. This method seems to be working fine with
HSM.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If04963eb6ad86737593df7d64eef8b17f7bde75f

- - - - -
26bc6988 by Ade Lee at 2018-01-19T14:09:32-05:00
Fix masking in the archived deployment.cfg

Resolves rhbz#1532759
Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4

- - - - -
91c6c781 by Christina Fu at 2018-01-19T14:45:17-08:00
Ticket #2675 take care of PKCS#10 for cmc.popLinkWitnessRequired

This patch adds support to handle PKCS#10 which was neglected in previous
"additional" fix.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055

- - - - -
2ffa4485 by Endi S. Dewata at 2018-01-22T16:32:29+01:00
Fixed cert chain importation.

For KRA/OCSP installation with external certs, the installer has
been modified to always import the cert chain into the internal
token regardless if HSM is used.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ifedb54e88ea6c8fc2ef3b562e15fb4077ec5179a

- - - - -
c86eb1bc by Endi S. Dewata at 2018-01-22T17:14:44+01:00
Refactored replace_sslserver_cert() in configuration.py.

The replace_sslserver_cert() in configuration.py has been split into
separate methods for removing the temp SSL server cert and importing
the permanent SSL server cert.

https://pagure.io/dogtagpki/issue/2901

Change-Id: I35cb95e61959ff99c235f116304c7272a39694e5

- - - - -
249c323d by Endi S. Dewata at 2018-01-22T17:54:58+01:00
Fixed SSL server cert creation and replacement.

The configuration.py has been modified to generate the temp SSL certificates
(and remove it later) in internal token regardless of HSM. It also has been
modified to import the perm cert if it has not been imported already.

https://pagure.io/dogtagpki/issue/2901

Change-Id: If473e2b314727399854638a94c6ec5a148fc52fb

- - - - -
1127a63c by Endi S. Dewata at 2018-01-22T18:33:44+01:00
Fixed admin cert processing.

For KRA/OCSP installation with external certs, the installation
tool has been modified to import the externally-generated admin
cert and also copy it to a location normally expected by admin.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Id18ec2b6b8b1c3f307af11e2acba7866b2b5ee75

- - - - -
441b832f by Endi S. Dewata at 2018-01-22T21:14:38+01:00
Fixed cert import for existing certs case.

The configuration servlet has been fixed to properly import the
externally-signed certs in existing CA and external KRA/OCSP cases.

https://pagure.io/dogtagpki/issue/2901

Change-Id: Ida7bd7758670c72063765462b7d735f69a465804

- - - - -
3f9def4c by Matthew Harmsen at 2018-01-24T18:34:36-07:00
Updated dependencies in spec files

- https://pagure.io/dogtagpki/issue/2870 - openssl
- https://pagure.io/dogtagpki/issue/2904 - nuxwdog
- https://pagure.io/dogtagpki/issue/2911 - jss

Change-Id: I1e5b5c7ea5d1f5be51e4b3eb262b04d71114f626

- - - - -
1c262721 by Jack Magne at 2018-01-24T18:32:53-08:00
Fix Bug 1501436 - TPS CS.cfg should be reflected with the changes after an in-place upgrade.

This upgrade script will add the needed config params to an existing CS.cfg for TPS.

The params consist of the params required for the token profile : externalRegISEtoken.

The code also grabs the unsecure phone home url out of the instance's server.xml.
This way the new profile is configured exactly like what happens when doing a pkispawn.
The correct nonsecure url will be in place.

Added some review changes. Also we modified the python properties file class to be able to
handle a property value that happens to contain the delimiter "=". Ex name=cn=people.

Added directory server/upgrade/10.5.1 so rhel can use it when performing this upgrade.

Change-Id: I2478013b396082ffdc3d99ed86a821ec86ac4c5d

- - - - -
70978157 by Jack Magne at 2018-01-24T18:47:00-08:00
Fix Bug 1501436 - TPS CS.cfg should be reflected with the changes after an in-place upgrade.

Spec file changes only for the main commit that fixes this bug.

Change-Id: If5bea41591c2b4c33bee2285e705e36b23d62b7b

- - - - -
e2a72fff by Endi S. Dewata at 2018-01-26T08:55:05+01:00
Updated RollingLogFile.EXPIRATION_TIME.

The RollingLogFile.EXPIRATION_TIME has been changed to 0 such that
log expiration is disabled in case the log.instance.*.expirationTime
parameter is missing from the CS.cfg.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I8c8c7a1560f986920244f9660b0de10e197f93b4

- - - - -
c006503c by Endi S. Dewata at 2018-01-26T09:07:44+01:00
Merged TOKEN_APPLET_UPGRADE events.

The TOKEN_APPLET_UPGRADE_* events have been merged into a single
event with different outcomes. Also, it has been encapsulated into
TokenAppletUpgradeEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: Ifa34eacaa5a0da1c8026eb702e09828234d7f0f5

- - - - -
2c614e98 by Endi S. Dewata at 2018-01-26T09:26:00+01:00
Merged TOKEN_KEY_CHANGEOVER events.

The TOKEN_KEY_CHANGEOVER_* events have been merged into a single
event with different outcomes. Also, it has been encapsulated into
TokenKeyChangeoverEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I09c5179645c2037ff6208e923f35177104e5babd

- - - - -
d928a667 by Endi S. Dewata at 2018-01-27T00:13:09+01:00
Updated default audit events.

The default audit events and their filters have been updated in
all PKI subsystem configuration files.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I867a38a366ad7cc23d71f2a0c22996a9ccce8088

- - - - -
a1ff57e0 by Endi S. Dewata at 2018-01-26T18:41:45-05:00
Using case-insensitive audit event filter.

The code that evaluates audit event filter has been modified to
use case-insensitive attribute value comparison.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I548dee048b0ed70779fb67a8cdfc39943f2bc9b7

- - - - -
5dcab6c7 by Endi S. Dewata at 2018-01-30T21:08:24+01:00
Refactored pkispawn and pkidestroy logger configuration

The method that configures the loggers for pkispawn and pkidestroy
has been modified to configure the global pki logger as well.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I724d9e0fae37e8c6407fc36a73dca4c38af2b16d

- - - - -
2660c8ca by Endi S. Dewata at 2018-01-30T22:32:30+01:00
Added pki.nssdb logger.

To help troubleshooting, the pki.nssdb module has been modified to
generate debug logs using the standard Python logger.

https://pagure.io/dogtagpki/issue/2916

Change-Id: Iba74df01fd796fa9fe5fa48f117721d790b7337c

- - - - -
bde116f2 by Endi S. Dewata at 2018-01-30T22:49:09+01:00
Fixed NSSDatabase.get_cert().

The NSSDatabase.get_cert() method has been modified to ignore the
certutil exit code due to bug #1539996.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I10e489d14bdaaace9f917b797a7da14ac64a9a67

- - - - -
d6a70005 by Endi S. Dewata at 2018-01-31T02:32:31+01:00
Fixed NSSDatabase.get_cert_info().

The NSSDatabase.get_cert_info() has been modified to use get_cert()
to retrieve the cert since it has the workaround for bug #1539996.
Then it will use Python Cryptography to get the cert info.

A new method has been added into pki module to convert X.509 Name
into NSS-style DN string.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I726e2c442e5b7f351dac2d9515e9f13965d7de3f

- - - - -
8f370068 by Matthew Harmsen at 2018-01-31T18:58:48-07:00
Enable FIPS ciphers as the new default cipher suites

https://pagure.io/dogtagpki/issue/2855

Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37

- - - - -
8319105b by Endi S. Dewata at 2018-02-01T17:44:00+01:00
Fixed inconsistent CERT_REQUEST_PROCESSED outcomes.

Some CERT_REQUEST_PROCESSED events in ProcessCertReq have been
modified to generate a FAILURE outcome since there is no cert
issued for the request.

https://pagure.io/dogtagpki/issue/2838

Change-Id: I38656f950599f06bd9969c278137fdd192e26ae8

- - - - -
79e8a8e9 by Ade Lee at 2018-02-01T15:42:44-05:00
More fixes for non-standard users

Needed to fix some python code that was added that works only on Python 3.
The top level directories for the registry should be owned by
root and be world readable/executable so that different users
can read the registry.

Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282

- - - - -
dcc66d50 by Ade Lee at 2018-02-01T15:43:06-05:00
Spec file changes to add registry directories to package

Change-Id: Ib1c3761e33ed4adf107e0288e0fe8452d6071076

- - - - -
c1f607dc by Endi S. Dewata at 2018-02-01T22:39:37+01:00
Refactored SecurityDataArchivalProcessedEvent.

The SecurityDataArchivalProcessedEvent has been modified to provide
separate factory methods for SUCCESS and FAILURE events.

https://pagure.io/dogtagpki/issue/2848

Change-Id: Ie102aabaa81553ac1ea6963841a0568f1b6e04a5

- - - - -
3c4770d5 by Endi S. Dewata at 2018-02-02T00:42:40+01:00
Changed audit event types in EnrollmentService.

The EnrollmentService has been modified to generate
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED instead of
SECURITY_DATA_ARCHIVAL_REQUEST.

https://pagure.io/dogtagpki/issue/2848

Change-Id: I63017c4d9c058daac92fe606f0096402ca78b6ec

- - - - -
933db6ae by Endi S. Dewata at 2018-02-02T01:47:01+01:00
Added IMAGE_REPO variable for Travis configuration.

The Travis configuration has been modified to support IMAGE_REPO
variable to specify a different image repository. By default it
will use dogtagpki/pki-ci.

Change-Id: Ie34c0950a20298507755748aa5f28a7f54385abd

- - - - -
8a387264 by Endi S. Dewata at 2018-02-02T17:16:28+01:00
Cleaned up Travis configuration.

The .test_runner_config.yaml has been renamed to ipa-test.yaml and
moved into .travis folder. The task names in .travis_run_task.sh
have been simplified.

Change-Id: I84ed747a6e104ab4037259e0f4f05a3b949f8c6b

- - - - -
55a6fa09 by Christina Fu at 2018-02-02T14:52:22-05:00
Ticket #2880 missing CMC request and response record

This patch adds audit events to record received CMC requests and signed CMC responses:
CMC_REQUEST_RECEIVED
CMC_RESPONSE_SENT

This patch fixes https://pagure.io/dogtagpki/issue/2880

Change-Id: Id093225b22a2c434e680726442c49b410fa738a3

- - - - -
4d54490f by Endi S. Dewata at 2018-02-02T21:54:01+01:00
Fixed try-catch block in NetkeyKeygenService.serviceRequest().

The try-catch block in NetkeyKeygenService.serviceRequest() has
been fixed to return false on exception. It also has been split
into two blocks.

https://pagure.io/dogtagpki/issue/2848

Change-Id: Ia78bd5371720dc551c2470898d83597d554183b7

- - - - -
e7ec7d30 by Christina Fu at 2018-02-02T16:39:30-08:00
Ticket #2920 CMC: Audit Events needed for failures in SharedToken scenarios

This patch adds the missing CERT_STATUS_CHANGE_REQUEST_PROCESSED event in case of shared token failure at revocation;
In addition, a missing validate() call is made for decrypted POP request as well as the failure audit event.

fixes: https://pagure.io/dogtagpki/issue/2920
Change-Id: I45b53f579794c3a5f32cc475a6293240025922c2

- - - - -
74d72d9b by Endi S. Dewata at 2018-02-02T20:35:55-05:00
Added SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED events in NetkeyKeygenService.

The NetkeyKeygenService.serviceRequest() has been modified to catch
all exceptions and generate SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
with FAILURE outcome.

https://pagure.io/dogtagpki/issue/2848

Change-Id: I08608fbb21ef14fddc2076d2e993766c30fd3cf0

- - - - -
268cc707 by Jack Magne at 2018-02-03T00:14:47-05:00
Fix Bug 1522938 - CC: Missing failure resumption detection and audit event logging at startup

This patch addressed two cases listed in the bug:

1. Signing Failure due to bad HSM connection.
2. Audit log failure of some kind.

I felt the best and safest way to handle these conditions was to simply write to the
error console, which results in a simple System.err.println being sent to the former
catalina.out file now covered with the journalctl command.

I considered using some other dogtag log file, but if we are in some sort of emergency
or resource constrained situation, it is best to write the log out mostly simply.

Quick testing instructions:

1. To see signing failure put this in the CS.cfg for ONLY testing purposes.

ca.signing.testSignatureFailure=true   , This will force an error when trying to sign and log it.

 Approve a certificate request, which will trigger a signing operation.
2. Check the journalctl for a log message.

3. Remove the config value to resume normal operation.

4. To see an audit log failure do the following:

[root@localhost signedAudit]# ps -fe | grep pki
pkiuser   8456     1  2 14:39 ?        00:00:32 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java

lsof /var/lib/pki/pki-tomcat/ca/logs/signedAudit/ca_audit
java    9905 pkiuser  124u   REG  253,0    17298 3016784 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit

gdb /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 8456   , Use the pid from above

Inside gdb do this:

call close(124)

This will close the file descriptor for the running server.

5. Now just try to do anything with the CS UI and observe errors written to the journalctl log,
having to do with not being able to write to the ca_audit file. If signed audit logging is configured,
many of these conditions will result in the shutdown of the server.

Change-Id: I21c62a5ad6bedfe8678144a764bff2e2a4716dce

- - - - -
c2c5bdad by Christina Fu at 2018-02-03T22:59:12-05:00
Ticket #2921 CMC: Revocation works with an unknown revRequest.issuer

This patch adds a check between the issuer value of the RevokeRequest against the issuer of the certificate to be revoked.

fixes: https://pagure.io/dogtagpki/issue/2921
Change-Id: Ib2bb2debeb7d1c7ffea1799b5c32630062ddca6a

- - - - -
e634316e by Fraser Tweedale at 2018-02-04T23:51:45-05:00
Fix profile import dropping backslash characters

When writing (importing, updating) RAW profile data, config values
that have backslashes in them have the backslashes dropped, leading
to issuance failures or issuance of incorrect certificates.  For
example:

  policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat\, Inc.

becomes:

  policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat, Inc.

which causes issuance failures due to parse failure of the resulting
DN.

This occurs because java.util.Properties is opinionated about what
does or doesn't need to be escaped.  The ProfileSubsystem "raw"
methods originally used Properties to avoid more use of our "custom"
SimpleProperties class.  That turned out to be a mistake, due to
Properties' incompatible treatment of backslashes.  Switch over to
SimpleProperties for handling raw profile data.

Fixes: https://pagure.io/dogtagpki/issue/2909
Change-Id: I5cd738651cbfba0cad607d2b02edea04fe6be561
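
The backslash loss described in the commit message above, reproduced as an added example; this is not code from the commit or from Dogtag. The class name, `loadLiteral()` (a stand-in for literal key=value handling, not the project's SimpleProperties), the substituted CN "Example User", and the use of the JDK's `LdapName` as a stand-in DN parser are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class RawProfileBackslashDemo {

    static final String KEY = "policyset.x.1.default.params.name";

    // Constructed raw profile data: the config line quoted in the commit message.
    // "\\" in Java source is a single backslash in the data.
    static final String RAW =
        KEY + "=CN=$request.req_subject_name.cn$,O=Red Hat\\, Inc.\n";

    // java.util.Properties treats '\' as an escape character when loading,
    // so "\," is read as "," and the backslash is gone before any store().
    static String loadWithProperties(String raw, String key) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(raw));
        return props.getProperty(key);
    }

    // Hypothetical literal parser: split each line on the FIRST '=' only and
    // keep the value exactly as written (no escape processing). Splitting on
    // the first '=' also keeps values such as "cn=people" intact.
    static Map<String, String> loadLiteral(String raw) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String line : raw.split("\\R")) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) {
                continue; // skip blank lines and comments
            }
            int eq = line.indexOf('=');
            if (eq < 0) {
                continue; // not a key=value line
            }
            out.put(line.substring(0, eq).trim(), line.substring(eq + 1));
        }
        return out;
    }

    // Model issuance: substitute a constructed CN for the request variable,
    // then check whether the result parses as an RFC 2253 DN.
    // LdapName is a stand-in here, not the parser the PKI server uses.
    static boolean parsesAsDn(String nameTemplate) {
        String dn = nameTemplate.replace("$request.req_subject_name.cn$", "Example User");
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        String viaProperties = loadWithProperties(RAW, KEY);
        String viaLiteral = loadLiteral(RAW).get(KEY);

        System.out.println("Properties : " + viaProperties);
        System.out.println("  valid DN : " + parsesAsDn(viaProperties));
        System.out.println("Literal    : " + viaLiteral);
        System.out.println("  valid DN : " + parsesAsDn(viaLiteral));
    }
}
```

With the unescaped comma, " Inc." is read as a separate RDN with no attribute type, which is why the DN fails to parse in the `Properties` case.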

- - - - -
8629de7f by Matthew Harmsen at 2018-02-07T15:26:27-07:00
Removed install section from dogtag-pki.spec file

- Bug 1542743 - Unable to build 'dogtag-pki' meta package in Fedora rawhide

Removing the %install section remedied this problem on Fedora 28, and was
basically some benign artifact on previous Fedora platforms.

Change-Id: I5d47e14467ccef29543981573c1323207fe61079

- - - - -
ff70df12 by Jack Magne at 2018-02-07T17:59:43-05:00
Fix Bug 1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs

Simple sensitive data debug log prevention here.

Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46

- - - - -
49825ff4 by Fraser Tweedale at 2018-02-08T15:41:54+11:00
Fix lightweight CA key replication

The resolution for issue https://pagure.io/dogtagpki/issue/2654
caused a regression in lightweight CA key replication.  When the
authorityMonitor encounters a CA whose keys are not present,
signingUnit initialisation fails (as expected).  The signing info
event logging behaviour introduced in commit
4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a
NullPointerException, crashing the authorityMonitor thread.

Fix the issue by extracting the signing info event logging behaviour
to a separate method, and invoke that method as the final step of
signingUnit initialisation.

Fixes: https://pagure.io/dogtagpki/issue/2929
Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473

- - - - -
9eae7da2 by Endi S. Dewata at 2018-02-08T21:45:22-05:00
Refactored add_junit_test() (part 1).

The add_junit_test() function has been modified to use lowercase
variable names for clarity.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I2d216fdf946a2fb2420b43030cd1963cfac42587

- - - - -
17fcac5f by Endi S. Dewata at 2018-02-09T05:15:13+01:00
Disabled failing unit tests.

Some unit tests have been disabled since they are currently
failing. This allows other tests to be enabled later. These
failures need to be investigated further.

https://pagure.io/dogtagpki/issue/2908

Change-Id: If5aa31c10f89fb8388085b59377347338ae729a1

- - - - -
d90ffc38 by Endi S. Dewata at 2018-02-09T06:01:20+01:00
Refactored add_junit_test() (part 2).

The add_junit_test() function has been modified to support target
dependencies.

The util and server tests have been modified to depend on the
corresponding classes.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Ied9c270f074621f74a69ba20a817ddad7b16b4ed

- - - - -
19b06d85 by Endi S. Dewata at 2018-02-09T06:16:11+01:00
Added CMake option to run unit tests.

The CMake script has been modified to provide a WITH_TEST option
to control unit test execution. The option is enabled by default.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Iaa7a4ef6f0f72dd9cd20d19f15b916d7cac12a0a

- - - - -
e4616df9 by Endi S. Dewata at 2018-02-09T16:18:07+01:00
Updated TestRunner output.

The TestRunner has been modified to show the test result and the
location of the test reports.

https://pagure.io/dogtagpki/issue/2908

Change-Id: Icf16ffc56c661ea13667ac48f75e949988ef0069

- - - - -
60ea5173 by Endi S. Dewata at 2018-02-09T17:00:05+01:00
Added unit test option in pki-core.spec.

The pki-core.spec file has been modified to provide a
"--without test" option to control unit test execution.
The unit test is enabled by default.

The redundant WITH_SERVER parameter has been removed
from CMake invocation.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I614c58adf6852a06254c8e3de5cf53ef212f207b

- - - - -
77ec93da by Timo Aaltonen at 2018-02-09T14:19:50-05:00
Don't assume /bin -> /usr/bin symlink exists

Be more consistent with hardcoding paths, and use paths that work on
other distros too which don't have a /bin -> /usr/bin symlink.

Change-Id: Ic2c85f074b6703367b882a9e5eb67fce47eff5ab

- - - - -
775dda50 by Endi S. Dewata at 2018-02-09T21:13:12+01:00
Added unit test option in compose script.

The compose script has been modified to provide a "--without-test"
option to control unit test execution. The unit test is enabled by
default.

https://pagure.io/dogtagpki/issue/2908

Change-Id: I322fb64723457310fc39edacc7f3040508fff1b2

- - - - -
56a9bbb2 by Christian Heimes at 2018-02-12T11:14:46-05:00
Improve shebang handling and script generation

Instead of hardcoded Python interpreter, the pki, pkispawn, pkidestroy,
pki-upgrade, and pki-server-upgrade are now shell wrappers that are
created by cmake and use @PYTHON_EXECUTABLE@ to use the current Python
interpreter. This will make it easier to update all scripts to Python 3
in the future.

- Convert remaining commands to shell script wrappers.
- Update shell scripts to use @PYTHON_EXECUTABLE@ instead of hard-coded
  'python' binary.
- Remove shebang and executable bit from all Python scriptlets. The
  scriptlets have neither a __main__ entry point nor code.
- Remove shebang from .py files that are installed in site-packages
- Update all remaining /usr/bin/python shebangs to use python2
  explicitly.

Change-Id: I0bf1db42b6d64cba4b854d2f41be1ed6c357f4c8
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
b3af944f by Christian Heimes at 2018-02-12T17:49:46+01:00
Add flags for Python 2 / 3 support

Add flags to enable / disable support for Python 2, Python 3 and to
build pki.server with Python 3 instead of 2.

Change-Id: I75cd5caffa310ae662fc1dff8f6defd58ada346f
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7455cc20 by Endi S. Dewata at 2018-02-12T18:38:01-05:00
Added two-step installation mode in pkispawn man page.

The pkispawn man page has been updated to include the two-step
installation mode.

https://pagure.io/dogtagpki/issue/2938

Change-Id: Icf2edad5477072e33c8eab556b95d5ad4b986131

- - - - -
d11d6b58 by Endi S. Dewata at 2018-02-13T10:34:58-05:00
Added Key ID encoder and decoder.

The following methods have been added to encode and decode NSS key
ID properly:
 - CryptoUtil.encodeKeyID()
 - CryptoUtil.decodeKeyID()

A unit test has been added to verify the functionality.

https://pagure.io/dogtagpki/issue/2884

Change-Id: Ib295bc1cb449f544cd0220bfaea1ed0d71136365

- - - - -
275b706f by Endi S. Dewata at 2018-02-13T10:34:58-05:00
Fixed Key ID encoding and decoding.

The code that encodes and decodes NSS key ID has been changed to
use CryptoUtil.encodeKeyID() and decodeKeyID(), respectively.

https://pagure.io/dogtagpki/issue/2884

Change-Id: Ic97a9f8ea1ad7819c8f6ff0faf732ee04a2174e8

- - - - -
1671d9c3 by Fraser Tweedale at 2018-02-15T15:27:41+11:00
PKIConnection.get: time out after 5s

There is a contention between the timeouts of PKIConnection.get (the
default for connect(2)) and Instance.wait_for_startup (60s).  When
/etc/hosts contains an IP address for the host which is routable but
not responded to (e.g. during FreeIPA installation with --setup-dns
and --ip-address=<not-yet-existant>), the connection attempt causes
pkispawn() to block for a long duration.  By the time it unblocks,
the Instance.wait_for_startup() timeout has been exceeded and no
further connection attempts are made.  Installation fails.

Avoid this situation by setting a timeout of 5 seconds on
PKIConnection.get().

Fixes: https://pagure.io/dogtagpki/issue/2939
Change-Id: Id746faee9bd9a2a61bbc15f55d9ccbc652997bf1

- - - - -
8fce616a by Christian Heimes at 2018-02-16T02:16:32-05:00
Fix Python 3 bug in nssdb.get_cert()

In Python 3, subprocess returns stderr and stdout as bytes. Therefore
startswith() must also use bytes to check the error output. cert_data
(stdout) is also bytes, but both b64encode and cryptography's load_pem()
require bytes anyway.

Change-Id: I70f1b235c65ee1d2d3e90d610cb9a9b3444bdd91
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d7db5fa8 by Endi S. Dewata at 2018-02-16T10:27:33-05:00
Fixed SERVER_SIDE_KEYGEN_REQUEST_PROCESSED filter in KRA.

The filter definition for SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
event in KRA's CS.cfg has been updated to fix a typo.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I6f2e3d38597355e04b1899aeb324db43caefd4df

- - - - -
5d80aee3 by Endi S. Dewata at 2018-02-16T14:16:48-05:00
Revert "PKIConnection.get: time out after 5s"

The patch apparently causes installation with HSM to fail
since the timeout is too short. It probably should be
implemented as a configurable parameter.

This reverts commit 1671d9c3b3b2bdd48fd74c3229c2869e5cfac80c.

Change-Id: Ibb54ca4b0e2b0071fe5079206dbc0c4e089a7b04

- - - - -
2f8fa5bb by Endi S. Dewata at 2018-02-16T14:23:23-05:00
Fixed NSSDatabase.add_ca_cert().

The NSSDatabase.add_ca_cert() has been modified to import CA
certificates into internal token instead of HSM since trust
validation is done by NSS using internal token.

https://pagure.io/dogtagpki/issue/2944

Change-Id: I460cd752d741f3f91306c510ce469a023828343b

- - - - -
bc6e505e by Endi S. Dewata at 2018-02-16T20:21:58-05:00
Converted OPTIONS variable into array.

The OPTIONS variable in compose scripts has been converted into
array such that it can be modified more easily.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I9ec7d0ca8c9bf04138424fda629cfad26c59feed

- - - - -
6016cea8 by Endi S. Dewata at 2018-02-16T21:08:00-05:00
Merged release and stage numbers.

The compose_functions has been modified to merge the release and
the stage numbers for simplicity. The USE_STAGE variable is no
longer needed so it has been removed.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I29d01207efc53591152649b56649c842a58099e7

- - - - -
29d10f46 by Endi S. Dewata at 2018-02-17T03:36:52+01:00
Merged release and stage macros.

The <platform>_release and <platform>_stage macros in all RPM specs
have been merged for simplicity.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Ib422fa7dd5af348f0234ca3911f320aa97d4a9ae

- - - - -
e0275aa8 by Endi S. Dewata at 2018-02-17T04:16:17+01:00
Added timestamp and commit ID macros.

The RPM specs have been modified to provide _timestamp and _commit
macros for inclusion in the release number.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I1240f9d89c712a19efce12474e1966a0e138b588

- - - - -
cd64f2dd by Endi S. Dewata at 2018-02-17T05:18:40+01:00
Replaced PKI_RELEASE with macro definitions.

The compose_functions has been modified to use the new macros to
specify the timestamp and commit ID for building the package.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I2d45956d1099e056a40406a406504dfc69febd8c

- - - - -
8542e347 by Endi S. Dewata at 2018-02-16T23:48:22-05:00
Fixed redundant builds.

The spec files have been modified to combine the make all and make
install commands to avoid redundant builds.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I52a3fa8607d07770e5f60fcf97b1f0042ddc3e6c

- - - - -
11924963 by Endi S. Dewata at 2018-02-17T05:49:18+01:00
Removed unused PKI_RELEASE variable.

The PKI_RELEASE variable is no longer used so it has been removed
from the compose scripts.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I615840675983c0e353a3aa0648e2a29d3190c07f

- - - - -
7fa0d55d by Endi S. Dewata at 2018-02-17T05:53:58+01:00
Removed unused pki_release macro.

The pki_release macro is no longer used so it has been removed
from the spec files.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Ide29c52c8be02b8a18d9a1de8d7f24e6d9dce8c8

- - - - -
367d06c6 by Endi S. Dewata at 2018-02-17T06:36:34+01:00
Removed unused default_release_value variable.

The default_release_value variable is no longer used so it has
been removed from the compose_functions.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I8840ae38d19fc89b9cf2a601e158cf09e7119c6d

- - - - -
2a9db610 by Endi S. Dewata at 2018-02-17T07:14:19+01:00
Removed unused default_release macro.

The default_release macro is no longer used so it has been removed
from the spec files.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I589bc007139f75bfec8faa879fe0fba8798815bb

- - - - -
f37fca0d by Fraser Tweedale at 2018-02-19T14:50:57-05:00
Add SystemCertData.toString()

When debugging instance configuration problems related to
certificates, it will be helpful to see the actual certificate data
(e.g. so missing fields can be identified).  Define the toString
method so that the debug log will contain a richer expression of the
value.

Fixes: https://pagure.io/dogtagpki/issue/2859
Change-Id: I3bc5a16278912903a31a207e5d26c26029c725eb

- - - - -
e0c29881 by Dinesh Prasanth M K at 2018-02-19T17:02:05-05:00
Updated PKI image and disabled IPA tests

Configured to use following config:
- F27
- copr pki 10.6
- Disabled IPA tests

Change-Id: I721756ec1a89a2312d5836f2ea849b1a6c761e33

- - - - -
dff4dcb0 by Endi S. Dewata at 2018-02-19T23:14:14+01:00
Updated PKIListener.

Previously TomcatJSS was initialized at the first SSL connection
to the server. The PKIListener has been modified to initialize
TomcatJSS at startup time.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I6ac820fe4399b14897b59d88217abd66164db56a

- - - - -
df19661b by Dinesh Prasanth M K at 2018-02-19T18:47:55-05:00
Added and updated IPA tests

- IPA tests now run from python3-ipatests.
- Runs on F27 image
- Uses IPA COPR 4-6 version

Change-Id: I40c1ddb9967d9565ef0fae2d1479bf1b815b2b6f

- - - - -
e4a72429 by Endi S. Dewata at 2018-02-19T19:26:58-05:00
Fixed exception handling in CertificateAuthority.initSigUnit().

The CertificateAuthority.initSigUnit() has been modified to chain
the original exception to help troubleshooting.

Change-Id: Id6f7985daf8ed3f5539ce50d22b7b906b784ed3b

- - - - -
17194729 by Endi S. Dewata at 2018-02-20T01:32:12+01:00
Refactored PKISubsystem.load().

The PKISubsystem.load() has been modified to check whether the
CS.cfg exists before loading it. This allows the class to be
used to construct a subsystem from scratch.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I80dd8f78f96b3c0583ff540742dda234b0be37b0

- - - - -
d1377a16 by Endi S. Dewata at 2018-02-20T01:59:22+01:00
Added ServerConfiguration class.

A new ServerConfiguration class has been added to encapsulate
Tomcat configuration that has been loaded from server.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I58624314c67631c94b8149d8c716e7df98a26095

- - - - -
16bbf68a by Endi S. Dewata at 2018-02-20T02:42:34+01:00
Removed unused server-minimal.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: Ia8f3707c8f043a4d7fc3d4427c9f4c62664031ec

- - - - -
6f9b3dd5 by Endi S. Dewata at 2018-02-20T02:50:49+01:00
Removed unused workers.properties.

https://pagure.io/dogtagpki/issue/773

Change-Id: I44a9f9a185b135d533d00bc4fb121234874d6f4f

- - - - -
4c93e74d by Christian Heimes at 2018-02-20T10:53:20+01:00
NSS DB related doc updates

In preparation of the DBM to SQL format switch, occurrences of "cert8.db",
"key3.db", and "secmod.db" have been replaced with the more generic term
"NSS database".

Change-Id: Ifdbc571ac80c8e4af40045437a95cff2a9ba5937
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
fa884a1c by Christian Heimes at 2018-02-20T10:20:49-05:00
Add methods to convert NSSDB from DBM to SQL

A new method NSSDatabase.get_db_type() guesses the database format from
file names. It also validates that all additional files exist if the
master cert[89].db is present.

NSSDatabase.convert_db() converts a database from DBM to SQL format
while preserving ownership and permission as well as fixing SELinux
context. The old files are backed up.

The new feature will be used in a subsequent patch to convert
/etc/pki/pki-tomcat/alias on Fedora 28+.

Change-Id: If338bc8eed77d8f0bd7a6d5703f5cd29ef6f7a7b
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
841497dc by Endi S. Dewata at 2018-02-20T10:43:17-05:00
Removed unused tomcat-users.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: I757d78964869e0237202b7be6eeb05dcbd204b1f

- - - - -
a73eb66d by Christian Heimes at 2018-02-20T10:53:02-05:00
Add Python 3 default to pki-core.spec

The pki-core packages now support Python 3 as default Python for all
commands like pkispawn and pkidestroy. The pki-base and pki-server
packages can be built for Python 3. Optionally packages can be built
without Python 2 support and without any Python 2 dependencies.

The Python 2 and 3 client packages have been renamed to python[23]-pki
to follow Fedora's packaging guidelines. The packages still provide
pki-base-python[23].

A new package python2-pki has been added that contains the Python 2 bits
of pki client package. The pki-base package either depends on
python2-pki or python3-pki.

See http://pki.fedoraproject.org/wiki/PKI_10.6_Python_Support for more
details.

Change-Id: I020766027f38da9bb0982d85dd4ae7d39a7487ac
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
90d633bc by Christian Heimes at 2018-02-20T18:14:56+01:00
Unify config loading and NSS default db type

The inclusion of pki.conf shell snippets and handling of
NSS_DEFAULT_DB_TYPE env var is now simplified and unified. The default
DB type is no longer a user modifiable setting. The selection of NSS DB
type is platform and release specific. The value is controlled by the
CMake flag PKI_NSS_DB_TYPE.

All shell scripts source a common /usr/share/pki/scripts/config file.
The config file loads default, system-wide, and user pki.conf. It also
ensures that NSS_DEFAULT_DB_TYPE is set correctly. Now all scripts support
~/.dogtag/pki.conf, too.

Tomcat services load a default tomcat.conf environment file from
/usr/share/pki/etc/, which sets NSS_DEFAULT_DB_TYPE for pki-tomcatd and
pki-tomcatd-nuxwdog.

Change-Id: I36fc28e9098de9db9f81a1dfd521292b27d57550
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
72dc1a87 by Endi S. Dewata at 2018-02-20T14:42:11-05:00
Removed unused web.xml.

https://pagure.io/dogtagpki/issue/773

Change-Id: Ibe86c2f85f5c86e1bfb003bcc2548f53e5f9fadd

- - - - -
edd79d6c by Christian Heimes at 2018-02-20T15:46:15-05:00
Export all conf vars in single location

All exports of pki.conf vars are handled in central config script.
pki-upgrade now also includes the config script, too.

Change-Id: Icc5e6fe13d6ce70adb6770ff5d2673ec3d642148
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
cbc83853 by Endi S. Dewata at 2018-02-20T16:40:49-05:00
Added pki-server http-connector CLI.

A new CLI module has been added to manage PKI server's HTTP
secure and unsecure connectors.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I1fec1275ede117c9e2c74d5eea248a96d6174759

- - - - -
4ff46e50 by Endi S. Dewata at 2018-02-20T20:49:14-05:00
Fixed local ID encoding for pki pkcs12 CLI.

The pki pkcs12 CLI has been modified to use byte array to store
local ID instead of BigInteger to ensure proper encoding.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I5a3801b5d796621a65d3db2867d1ff219cc99b70

- - - - -
4d05bf71 by Fraser Tweedale at 2018-02-21T11:49:52-05:00
Bump tomcatjss dependency to 7.3.0

Commit dff4dcb05883ec9d60ed57339f20ce9906df61eb introduced a
dependency on tomcatjss >= 7.3, but there was no corresponding bump
in the spec file.  Bump it now.

Change-Id: I026bc6ed8586ad8aa183e6b60b4ee769b8f95c86

- - - - -
dfeb3c66 by Fraser Tweedale at 2018-02-21T13:20:12-05:00
libtps.so: link zlib

nss-3.35 no longer links zlib.  libtps calls `compress` and
`uncompress` but we were not explicitly linking zlib so the build
fails as of nss-3.35.  Include -lz when linking libtps.

Fixes: https://pagure.io/dogtagpki/issue/2946
Change-Id: If26d71d8c6ad2cc89f60c0de26ccf48673971d55

- - - - -
d7ecd7c2 by Endi S. Dewata at 2018-02-22T01:49:07+01:00
Fixed CalledProcessError handlers in pki and pki-server CLI.

The pki and pki-server CLIs have been modified to show the external
command as a string instead of array to simplify troubleshooting.

Change-Id: I15d8dfae05e5cf70b1ae2dba844302e679ee4622

- - - - -
210f0c64 by Endi S. Dewata at 2018-02-22T03:01:37+01:00
Updated friendly name field in PKCS12KeyInfo.

The PKCS12KeyInfo has been modified to store the certificate
nickname instead of subject DN in the friendlyName field.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ieb7675b9e48bd0392fe32cc9538d8ff9123d6655

- - - - -
00f42e80 by Endi S. Dewata at 2018-02-22T03:32:13+01:00
Updated friendly name field in PKCS12CertInfo.

The nickname field in PKCS12CertInfo and related variables and
methods have been renamed to friendlyName for consistency.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ida5e9b63975670a0ac3a34e7ee83abae30c3c554

- - - - -
285f8213 by Endi S. Dewata at 2018-02-22T03:33:33+01:00
Removed redundant PKCS12Util.createLocalID().

The PKCS12Util.createLocalID() has been replaced with
SafeBag.getLocalKeyIDFromCert().

https://pagure.io/dogtagpki/issue/2945

Change-Id: I6fc232617b2bf1453192df201794ccf3aacf0f40

- - - - -
48864895 by Christian Heimes at 2018-02-22T10:39:25-05:00
Use cached results of read_environment_files()

KeyClient.get_client_keyset() no longer calls read_environment_files()
in every call. The read_environment_files() spawns a shell process to
source default and global pki.conf and updates the process' environ.

The get_client_keyset() only parses the function, when KEY_WRAP_PARAMETER_SET
env var is not present yet.

Fixes: https://pagure.io/dogtagpki/issue/2851
Change-Id: Ibe285d9070487fc78200b8b11e14e0ca651ab458
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
aedf5d7a by Christian Heimes at 2018-02-22T19:26:56+01:00
Drop pki_root_prefix parameter

The pki_root_prefix parameter allows installing PKI instances in
non-standard locations, but those instances will not be upgraded
automatically, which may cause confusions. To avoid this problem, the
pki_root_prefix should be dropped.

Fixes: https://pagure.io/dogtagpki/issue/2919
Change-Id: I4700489f047b1fea95f6fa5db1f65f40776caa28
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
8fbe83f9 by Christian Heimes at 2018-02-22T15:26:38-05:00
Use SQL format NSS database on F28

On Fedora 28, Dogtag now uses the new SQL format for NSS databases instead of
the old DBM format. The SQL format with sqlite files is the new default format
since Fedora 28. It supports concurrent access.

Existing NSS databases are migrated from DBM to SQL format. All commands
use SQL format.

Change-Id: I3f470f6cfe5dd8545a97a7c09b1822656656ea17
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
4a066ac2 by Endi S. Dewata at 2018-02-22T15:33:26-05:00
Fixed key and cert order in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to import the keys
before the certificates to match pk12util.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I8df8696762241b6f305c4d91bda7904bf60feac6

- - - - -
78af477f by Endi S. Dewata at 2018-02-22T21:35:32+01:00
Fixed MAC computation in PKCS12Util.generatePFX().

The PKCS12Util.generatePFX() has been modified to use the same
salt size and number of iterations as in pk12util when computing
MAC data.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I73a4ac277e524e1b5ec7306c3940bb672a254cdb

- - - - -
bc3020ef by Endi S. Dewata at 2018-02-23T00:06:13+01:00
Added cert/key encryption options for pki pkcs12 CLI.

The pki pkcs12-export and pki-server cert-export commands have been
modified to provide options to select the cert and key encryption
algorithms to use.

https://pagure.io/dogtagpki/issue/2945

Change-Id: Ic841790221589bf81c9bc91d1e2373f193a370be

- - - - -
eeef5567 by Christian Heimes at 2018-02-23T11:10:50-05:00
Fix Fedora 28 requirements and NSS db type

On Fedora 28, pki-server now uses correct Python 3 dependencies and
shared SQL NSS database.

pki-server's requirements for Python 2 and 3 were switched. The cmake
wasn't updated after the variable was renamed to PKI_NSS_DB_TYPE.

Change-Id: Ibfea8ec8ce62be927d4ff0c7ad1e20095a5a7797
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
00bd20cb by Endi S. Dewata at 2018-02-23T19:16:02+01:00
Updated logging in realm classes.

The logging in PKIRealm and ProxyRealm classes has been updated
to use SLF4J logger.

https://pagure.io/dogtagpki/issue/195

Change-Id: I314f0a2ab46b4204c9c2adec134b58ba34d91d66

- - - - -
39c45d0d by Endi S. Dewata at 2018-02-24T01:44:27+01:00
Refactored logger level configuration.

The code that configures logger level for PKI classes has been
consolidated into PKILogger.setLevel().

https://pagure.io/dogtagpki/issue/195

Change-Id: Iff9bb9ad4ff843e37c3e2d6d53ce7b7a2f564823

- - - - -
bdb987c8 by Endi S. Dewata at 2018-02-24T02:24:19+01:00
Replaced JUL API with SLF4J API.

The code that logs using JUL API has been modified to use the more
generic SLF4J API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I2803275b31421cd69aa38eb9a1d3affce4c68c4a

- - - - -
1c40faea by Endi S. Dewata at 2018-02-24T05:51:16+01:00
Updated logging in CMSEngine.

The CMSEngine has been modified to use SLF4J logging API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I5696ecfd62391ea98a9448eaebb063f587f77a82

- - - - -
05b2e6c4 by Endi S. Dewata at 2018-02-25T21:09:56+01:00
Updated logging in AccountService.

The AccountService has been modified to use SLF4J logging API.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6b287ec62da2f7540123f2036f7d9b755f701280

- - - - -
3e3a840c by Endi S. Dewata at 2018-02-25T21:42:52+01:00
Updated logging in PKI Tomcat classes.

PKI Tomcat classes have been modified to use JUL instead of SLF4J
to avoid library loading issue.

https://pagure.io/dogtagpki/issue/195

Change-Id: I012182400f8731e10d4a494578b1560ba8043638

- - - - -
881ab15e by Endi S. Dewata at 2018-02-26T02:59:48+01:00
Fixed pki pkcs12-import.

The pki pkcs12-import has been modified to parse the
pki pkcs12-cert-find output properly.

https://pagure.io/dogtagpki/issue/2945

Change-Id: I1bcdea496896a6f70156f7ca5bb2419c3966f132

- - - - -
5e1e2104 by Endi S. Dewata at 2018-02-26T03:38:35+01:00
Updated CMake scripts for PKI Tomcat classes.

The CMake scripts have been modified to compile all PKI Tomcat
classes at once such that the dependency can be defined properly
for each Tomcat version.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ie72cf2098dbff3242ab3dc3e498611a48a7f3690

- - - - -
18a61b2f by Endi S. Dewata at 2018-02-26T16:16:47+01:00
Removed NSS DBM dependency in security_databases.py.

The security_databases.py has been modified to set the permission
and remove the whole NSS database directory instead of individual
NSS DBM files.

https://pagure.io/dogtagpki/issue/167

Change-Id: I1542c7858dea16c781ebb3e415b2540abbf6720b

- - - - -
25a3e940 by Christian Heimes at 2018-02-26T11:18:22-05:00
Execute upgrade and NSSDB conversion with service

pki-server-upgrade calls have been moved out of the RPM post install
hook into the systemd service. Each instance start ensures that the
instance is up to date.

10.6.0 update may not trigger the NSSDB migration, e.g. on Fedora 27.
Attempt to migrate for all version upgrades and in systemd service. It's a
fast and idempotent call.

Change-Id: Ia8c1f910570a361e9fa29519a856180f37d5d7a1
See: https://pagure.io/dogtagpki/issue/167
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
61bec69f by Endi S. Dewata at 2018-02-27T01:28:27+01:00
Fixed pki-server cert CLI.

The pki-server cert CLI has been changed such that it can run
based on the list of certificates defined in CS.cfg even if the
certificates themselves are not available yet in the NSS database.

The security_databases.py has been modified to store the system
cert nicknames and token names in CS.cfg such that the pki-server
cert CLI can be used to export certificates during installation.

https://pagure.io/dogtagpki/issue/203

Change-Id: I046cfa7d45e2d0ae7b6de353d0840db0899789f7

- - - - -
d9ec2bee by Endi S. Dewata at 2018-02-27T00:31:06-05:00
Added separate logging for each subsystem.

The links to SLF4J libraries have been moved into each subsystem
to allow separate logging. A new logging.properties file has been
added to each subsystem as well.

The pki.policy has been modified to allow Tomcat JULI to read the
logging.properties and write log files for each subsystem.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6c8b6e6744408e21d620ca1983b2be18c353de73

- - - - -
3912fd55 by Endi S. Dewata at 2018-02-27T00:31:06-05:00
Updated CMS.debug() to use Tomcat JULI.

The CMS.debug() method has been modified to use Tomcat JULI logger.
The PKI log levels (1=OBNOXIOUS, 5=VERBOSE, 10=INFORM) are mapped
to FINEST, FINE, INFO, and anything above 10 is mapped to WARNING.

Unused code in the Debug class has been removed.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ib6193833bc25561758dffbfc316ce3a8cd7db4d3

- - - - -
c6630a42 by Christina Fu at 2018-02-27T13:15:14-05:00
Ticket #2949 CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database

This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication.  During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:
public boolean isCertValid(byte[] certPackage, boolean checkSig,
            CertUsage certUsage)
That call is not appropriate for the purpose.

Looking closely,  certificate validation has been done in various places:
* SSL client authentication (if used)
* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
* the cert.checkValidity() call in CMCUserSignedAuth

The extra isCertValid call is not only redundant but also problematic.

This patch fixes https://pagure.io/dogtagpki/issue/2949

- - - - -
0abff3e1 by Endi S. Dewata at 2018-02-27T20:34:51+01:00
Added SLF4J library for PKI Tomcat classes.

The build and install scripts have been modified to provide
links to SLF4J library in the <instance>/lib directory such
that it can be used by PKI Tomcat classes without interfering
with subsystem logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: I049f5e826f75b6aee9e68085d37e2e2780f7e918

- - - - -
b38452d9 by Endi S. Dewata at 2018-02-27T23:40:24+01:00
Updated logging in PKI Tomcat classes.

This reverts commit 3e3a840caee07b0b0dd1bb937146f6c4d91047b8.

The PKI Tomcat classes have been updated again to use SLF4J
logging API since now it can be used without interference with
subsystem logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: I7cf56b80cf3c603e4cbc57cff1583e5987ad98aa

- - - - -
dbbdf75f by Endi S. Dewata at 2018-02-27T23:45:02+01:00
Fixed CryptoUtil.sortCertificateChain().

The CryptoUtil.sortCertificateChain() has been modified to support
sorting incomplete certificate chain.

https://pagure.io/dogtagpki/issue/203

Change-Id: I978e9cc3069d78b7d46c654b8733b0bf65e86b29

- - - - -
132ddb4f by Fraser Tweedale at 2018-02-27T18:48:02-05:00
pkispawn: make status check timeout configurable

There is a contention between the timeouts of PKIConnection.get (the
default for connect(2)) and Instance.wait_for_startup (60s).  When
/etc/hosts contains an IP address for the host which is routable but
not responded to (e.g. during FreeIPA installation with --setup-dns
and --ip-address=<not-yet-existant>), the connection attempt causes
pkispawn() to block for a long duration.  By the time it unblocks,
the Instance.wait_for_startup() timeout has been exceeded and no
further connection attempts are made.  Installation fails.

This situation can be avoided by setting a reasonable timeout on
PKIConnection.get().  An earlier attempt set a fixed timeout of 5
seconds (commit 1671d9c3b3b2bdd48fd74c3229c2869e5cfac80c), but this
caused problems with installation in HSM environments and was
reverted.  This commit addresses the issue by making the timeout
configurable (defaulting to None) via the pki_status_request_timeout
pkispawn config knob.

Fixes: https://pagure.io/dogtagpki/issue/2939
Change-Id: I3c6705b3e5d7b66b269f2dbb22a099450496268e

- - - - -
94894a3b by Endi S. Dewata at 2018-02-28T02:00:52+01:00
Added trust manager for Tomcat's NIO connector.

A new PKITrustManager has been added to validate incoming SSL
client certificate against trusted CA certificates.

The class also depends on pki-nsutil.jar and pki-cmsutil.jar so
they have been moved into the commons/lib folder.

The pki-server http-connector-mod CLI has been modified to remove
the options for truststore file and password since the connector is
now configured using the trust manager instead of PKCS #12 file.

https://pagure.io/dogtagpki/issue/203

Change-Id: I00d88f43d9952f9de6e72fe4cf4f42d1b8f31178

- - - - -
a60744da by Endi S. Dewata at 2018-02-28T03:16:32+01:00
Moved PKIFormatter.

The PKIFormatter class has been moved into a more appropriate
package: org.dogtagpki.util.logging.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ie7db969235838b2668453572136c445190afb6ef

- - - - -
dbce4965 by Endi S. Dewata at 2018-02-28T03:30:02+01:00
Logging cleanup.

The Debug class has been modified to use PKILogger to set the
log level. Some LoggerFactory.getLogger() invocations have been
simplified.

https://pagure.io/dogtagpki/issue/195

Change-Id: I2175888b08d04ae1f42efebbad3d213b07b82ef5

- - - - -
d94c9506 by Endi S. Dewata at 2018-02-28T06:20:58+01:00
Update pki-server migrate.

The pki-server migrate CLI has been updated to create links to
log4j.properties and SLF4J libraries in addition to the standard
Tomcat libraries.

https://pagure.io/dogtagpki/issue/195

Change-Id: I10c4c39388cd218254e870c9f74454be55f5ad95

- - - - -
dd8bdc6c by Endi S. Dewata at 2018-02-28T17:19:04+01:00
Added instance name option for pki-server migrate.

The pki-server migrate CLI has been modified to provide an option
to select the instance to be migrated. If not specified, all
instances on the system will be migrated.

https://pagure.io/dogtagpki/issue/167

Change-Id: I155919bca5ef1fbdd96aaf9bda916fed452cf707

- - - - -
d06bed84 by Endi S. Dewata at 2018-02-28T22:30:11+01:00
Moved pki-server migrate into systemd unit file.

The pki-server migrate execution has been moved from RPM spec into
systemd unit file such that the migration will be executed while
the server is not running.

https://pagure.io/dogtagpki/issue/2947

Change-Id: Id5ecc91d61e27f09cf53fd6ed6fce8db8c6ae96a

- - - - -
e4384d2c by Endi S. Dewata at 2018-02-28T22:57:18+01:00
Moved NSS migration into pki-server migrate.

The code that migrates NSS database from DBM into SQL has been
moved from pki-server-upgrade into pki-server migrate.

https://pagure.io/dogtagpki/issue/2947

Change-Id: I70f45dcbd4f84d041caf4c5b7b9b0b52fd7dd76e

- - - - -
c02268cc by Endi S. Dewata at 2018-02-28T23:26:37+01:00
Moved pki-server-upgrade into RPM spec.

The pki-server-upgrade execution has been moved back from systemd
unit file into RPM spec since some operations need root permission.

https://pagure.io/dogtagpki/issue/2947

Change-Id: I21b490c4abecba734329e9b706596f9ebd777e1f

- - - - -
b02c55c5 by Endi S. Dewata at 2018-03-02T03:13:55+01:00
Refactored wait_for_startup() (part 1).

The wait_for_startup() method in pkihelper.py has been modified
to create the PKIConnection object only once, then reuse it for
each invocation of get_instance_status().

https://pagure.io/dogtagpki/issue/203

Change-Id: I6b55e35589027b9cefd7310eacc1d7125195564a

- - - - -
0a05eab2 by Endi S. Dewata at 2018-03-02T03:18:21+01:00
Refactored wait_for_startup() (part 2).

The wait_for_startup() method in pkihelper.py has been modified
to handle the exceptions thrown by get_instance_status(). If it
is an SSLError, the method will terminate immediately. If it's a
ConnectionError, it will wait for the server to start.

https://pagure.io/dogtagpki/issue/203

Change-Id: I70f97c08b1ff3dbf54e6ee5657fcf1af1605ccaa

- - - - -
336e2a7b by Endi S. Dewata at 2018-03-02T04:15:44+01:00
Updated logging for CertUtil.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ibaff829cbb9ba94e3461ba30bd13d639235ba54c

- - - - -
4dc93f0c by Endi S. Dewata at 2018-03-02T16:25:17+01:00
Updated logging in LDAPProfileSubsystem.

https://pagure.io/dogtagpki/issue/195

Change-Id: I6dabb69bfb7b4078cfde232851eeee038634c6c0

- - - - -
92d5462b by Endi S. Dewata at 2018-03-02T17:10:48+01:00
Updated logging in ConfigurationUtils.

https://pagure.io/dogtagpki/issue/195

Change-Id: Iabc876816d0ebfef48575100841413a894943be0

- - - - -
8922995b by Endi S. Dewata at 2018-03-02T17:29:01+01:00
Updated logging in GetStatus.

https://pagure.io/dogtagpki/issue/195

Change-Id: I52efafd393dd5c22a720b68badf72911d62d1cdc

- - - - -
1dce9d03 by Endi S. Dewata at 2018-03-02T21:29:19+01:00
Replaced pki pkcs12-cert-add with pki pkcs12-cert-import.

Currently the pki pkcs12-cert-add provides an option to import a
cert into a new file. For consistency, a new pki pkcs12-cert-import
has been added with an option to import the cert into an existing
file. Now the pki pkcs12-cert-add has been deprecated and the man
page has been updated accordingly.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ifddcbfdd0ffb86987f575cf08b5d395169e3d1fe

- - - - -
7f0415e5 by Endi S. Dewata at 2018-03-02T17:20:02-05:00
Refactored PKIInstance.export_external_certs().

The PKIInstance.export_external_certs() has been modified to use
the new pki pkcs12-cert-import.

https://pagure.io/dogtagpki/issue/203

Change-Id: I98532efbf5de5da021753795f09327d120459a34

- - - - -
948bddc5 by Endi S. Dewata at 2018-03-02T17:20:44-05:00
Refactored PKISubsystem.export_system_cert().

The PKISubsystem.export_system_cert() has been modified to use
the new pki pkcs12-cert-import.

https://pagure.io/dogtagpki/issue/203

Change-Id: I9c88896bcfa0b753a4720cd63020c33b5eaba0ee

- - - - -
cb909274 by Endi S. Dewata at 2018-03-03T03:44:02+01:00
Fixed duplicate PKCS #12 import during cloning.

The pkihelper.py has been modified such that if a PKCS #12 file is
provided using pki_clone_pkcs12_path parameter, it will only be
imported once by security_database.py, and it will not be imported
again by the configuration servlet.

Change-Id: I8ecd1dfda6fe9dda402c20ab4caa5ecd288bee88

- - - - -
001f2c39 by Endi S. Dewata at 2018-03-05T15:08:28+01:00
Refactored PKCS12Util.loadCertFromNSS().

Previously PKCS12Util.loadCertFromNSS() would load a certificate
from NSS database and import it into PKCS #12 with a nickname from
the NSS database. The method has been modified to provide an optional
parameter to import the certificate with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ied6b4b341961b80ae0329ee2cf6c71c977220673

- - - - -
f4c4b3ea by Endi S. Dewata at 2018-03-05T15:19:56+01:00
Added cert and key encryption options for pki pkcs12-cert-import.

The pki pkcs12-cert-import has been modified to provide cert and
key encryption options as in pki pkcs12-export. The command also
provides an option to import with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ie02043f9f9c2e1cfe369ac42465e97c00b1ff78d

- - - - -
7eebed29 by Endi S. Dewata at 2018-03-05T16:07:23+01:00
Added NSSDatabase.export_cert().

A new NSSDatabase.export_cert() method has been added which is
similar to export_pkcs12(), but it only exports one certificate
into a PKCS #12 file, and also provides an optional parameter to
use a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ia9764cc874c253113ac362f2b2ce5beb93e7a0e9

- - - - -
8f438fb6 by Endi S. Dewata at 2018-03-05T16:17:24+01:00
Added nickname option for pki-server cert-export.

The pki-server cert-export has been modified to provide an option
to export a system certificate into PKCS #12 with a different
nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Icf242524ae5c2bc35265119c9c3999ca760bfe81

- - - - -
27142606 by Christian Heimes at 2018-03-05T15:05:01-05:00
Modernize sslget's TLS version and cipher suite

Disable all cipher suites unless NSS says it's a FIPS approved suite.

* SSL 2.0 and SSL 3.0 are disabled
* Broken or weak suites with 3DES, RC4 and effective key bits less than
  80 bits are disabled.

Fixes: https://pagure.io/dogtagpki/issue/2918
Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d08ceb23 by Endi S. Dewata at 2018-03-06T01:21:36+01:00
Added nickname param for PKCS12Util.loadKeyInfoFromNSS().

Previously PKCS12Util.loadKeyInfoFromNSS() would load a key from
NSS database and import it into PKCS #12 with the certificate's
nickname in NSS database. The method has been modified to provide an
optional parameter to import the key with a different nickname.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ife0f436879766ed2a1a62ff7c22a0792393e5f53

- - - - -
54d1586f by Endi S. Dewata at 2018-03-06T18:30:27+01:00
Fixed pki-server migrate for Python 3.

The pki-server migrate has been fixed to write XML document as
UTF-8 encoded byte as required by Python 3.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ib7ea53105877c87a84a656e4b6e5a1b044273761

- - - - -
7d570fff by Endi S. Dewata at 2018-03-07T02:39:39+01:00
Renamed RPM spec templates to *.spec.in.

To distinguish from actual RPM specs, the RPM spec templates have
been renamed to *.spec.in. All references to the templates have
been updated accordingly.

Some unused theme build files have been removed as well.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Id5fdb9a22307721e54eac708ceedef8b414d2a18

- - - - -
21b25555 by Endi S. Dewata at 2018-03-07T04:15:38+01:00
Removed changelog entries from RPM spec templates.

Changelog entries should only be added in downstream RPM spec
files (e.g. Fedora, RHEL), so they have been removed from upstream
RPM spec templates. The list of changes upstream can be obtained
directly from git repository.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I58b276c441e225f7a812dd9dd09e19ef043cc3bb

- - - - -
970b3654 by Endi S. Dewata at 2018-03-07T05:20:10+01:00
Removed unused compose targets.

The unused hybrid_* and patched_* targets for compose scripts have
been removed.

https://pagure.io/dogtagpki/issue/2923

Change-Id: If32440c3dddf32be26d47e258c3d1f4295da011a

- - - - -
389773c9 by Endi S. Dewata at 2018-03-07T05:35:46+01:00
Removed unused variables and functions in compose scripts.

The following variables and functions have been removed from the
compose scripts since they are no longer used:

* FETCH_PATCH_FILES
* FETCH_SOURCE_TARBALL
* FETCH_RHEL_PATCH_FILES
* FETCH_RHEL_SOURCE_TARBALL
* Fetch_Patch_Files()
* Fetch_Source_Tarball()

https://pagure.io/dogtagpki/issue/2923

Change-Id: Iaf6ff874d1d4af6e5a4e5a4278ee5ecf711abeb3

- - - - -
67059fae by Fraser Tweedale at 2018-03-07T17:55:11-05:00
IPAddressName: remove unused getLength method

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I732bd39446efcce18b6dc597d9c613a6b0a6422d

- - - - -
93d6af74 by Fraser Tweedale at 2018-03-07T17:55:11-05:00
parseGeneralName: properly parse iPAddress GN with netmask

There are a couple of problems with iPAddress general name parsing
(primarily used for the Name Constraints extension).

First, an IP address with netmask expressed as e.g.
1.2.3.4,255.0.0.0 or ::1,ffff:: is outright rejected, causing
issuance failure with a message like:

  NameConstraintsExtDefault: createExtension
    netscape.security.x509.InvalidIPAddressException: Invalid IP
    Address '10.10.10.10,255.255.255.0'

Second, an IPv4 address with CIDR-style netmask is misinterpreted as
an IPv6 address _without_ netmask, e.g. the input "192.168.1.1/24"
gets misinterpreted as "c0a8:1c8:ffff:ffff:000:000:000:000", which
is not a conforming value in the Name Constraints extension.

To resolve these problems, separate the handling of these two cases
and fix the logic.  A new class, CIDRNetmask, does the heavy lifting
in the CIDR netmask case.

Consider the following configuration (irrelevant keys and key
prefixes omitted for brevity). It contains values which caused
failures or incorrect outputs:

  nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
  nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
  nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
  nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
  nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
  nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
  nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
  nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::

This configuration now succeeds and produces the correct output.
The extension value produced using the above configuration is (per
OpenSSL pretty print):

  X509v3 Name Constraints: critical
    Excluded:
      IP:10.10.10.10/255.255.255.0
      IP:10.10.10.10/255.255.255.0
      IP:DEAD:BEEF:0:0:0:0:0:1/FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
      IP:DEAD:BEEF:0:0:0:0:0:0/FFFF:FFFF:0:0:0:0:0:0

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I61d5fcceadcca28cc951802ee4b95691653dd356

- - - - -
c8ca22a5 by Fraser Tweedale at 2018-03-07T17:55:11-05:00
GeneralNameInterface: methods for checking name validity

Some general names may be valid only for describing a single subject
(e.g. Subject Alt Name extension), or for describing a range of
subjects (e.g. Name Constraints extension).  For example, an
iPAddress name MUST have 4 (IPv4) or 16 (IPv6) octets in the
"single" context, or 8 (IPv4) or 32 (IPv6) octets in range context.

Add the validSingle() and validSubtree() methods to
GeneralNameInterface and all implementing classes.  These methods
can be used to check whether the value is valid for use in the
corresponding context.

Part of: https://pagure.io/dogtagpki/issue/2922

Change-Id: Ib77286b309f1d505fe15313483ec658a55780f83

- - - - -
ab401936 by Fraser Tweedale at 2018-03-07T17:55:11-05:00
Check validity of Subject/Issuer Alt Names and Name Constraints

Different forms of some GeneralName types (in particular, iPAddress)
are valid only in "single subject" or "multiple subject / range"
context.  Update SubjectAltNameExtDefault, IssuerAltNameExtDefault
and NameConstraintsExtDefault to check the validity of GeneralName
values for use in the prevailing context.

This change prevents certificates being issued with netmasked
iPAddress values in the SAN/Issuer Alt Name extension, or
non-netmasked iPAddress values in the Name Constraints extension.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I42478e2b554e7d53a7c07db59208bf855b476572
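
An added illustration in Python (not Dogtag's Java code, and not part of any commit message) of the iPAddress handling described in commits 93d6af74, c8ca22a5 and ab401936: both netmask notations are turned into the address-plus-mask octets, and the octet count decides whether the value fits a SAN or a Name Constraints subtree. The function names are hypothetical; valid_single and valid_subtree only mirror the validSingle()/validSubtree() names mentioned above, and the sample values are the ones quoted in the commit messages.

```python
import ipaddress
import re


def parse_ip_general_name(value: str) -> bytes:
    """Return the iPAddress octets for a configured value.

    Bare address         -> 4 (IPv4) or 16 (IPv6) octets
    "addr,mask" or CIDR  -> 8 (IPv4) or 32 (IPv6) octets (address || mask)
    Raises ValueError on anything malformed.
    """
    value = value.strip()

    # Case 1: explicit netmask, e.g. "10.10.10.10,255.255.255.0".
    if "," in value:
        addr_s, mask_s = value.split(",", 1)
        addr = ipaddress.ip_address(addr_s.strip())
        mask = ipaddress.ip_address(mask_s.strip())
        if addr.version != mask.version:
            raise ValueError("address and netmask families differ: %r" % value)
        return addr.packed + mask.packed

    # Case 2: CIDR prefix, e.g. "192.168.1.1/24". The address family is
    # decided by the address part alone, so an IPv4 address with a prefix
    # can never be mistaken for an IPv6 address.
    if "/" in value:
        addr_s, prefix_s = value.split("/", 1)
        addr = ipaddress.ip_address(addr_s.strip())
        if not re.fullmatch(r"[0-9]{1,3}", prefix_s):
            raise ValueError("bad prefix length: %r" % value)
        bits = len(addr.packed) * 8
        prefix = int(prefix_s)
        if prefix > bits:
            raise ValueError("prefix length out of range: %r" % value)
        mask_int = ((1 << prefix) - 1) << (bits - prefix)
        return addr.packed + mask_int.to_bytes(bits // 8, "big")

    # Case 3: bare address, no mask.
    return ipaddress.ip_address(value).packed


def valid_single(octets: bytes) -> bool:
    """Usable where the name describes one subject (SAN / Issuer Alt Name)."""
    return len(octets) in (4, 16)


def valid_subtree(octets: bytes) -> bool:
    """Usable where the name describes a range (Name Constraints)."""
    return len(octets) in (8, 32)


def rejected(context: str, values):
    """Return the values that must not be placed in the given extension.

    context is "nameConstraints" for the range check; any other value
    (e.g. "subjectAltName") selects the single-subject check.
    """
    check = valid_subtree if context == "nameConstraints" else valid_single
    bad = []
    for v in values:
        try:
            if not check(parse_ip_general_name(v)):
                bad.append(v)
        except ValueError:
            bad.append(v)
    return bad


if __name__ == "__main__":
    # Values quoted in the commit messages above.
    samples = [
        "10.10.10.10/24",
        "10.10.10.10,255.255.255.0",
        "dead:beef::1/128",
        "dead:beef::,ffff:ffff::",
        "192.168.1.1/24",
    ]
    for s in samples:
        print(s, "->", parse_ip_general_name(s).hex())
    print("not allowed in SAN:", rejected("subjectAltName", samples + ["10.10.10.10"]))
    print("not allowed in NC: ", rejected("nameConstraints", samples + ["10.10.10.10"]))
```

Like the OpenSSL output quoted in 93d6af74, the address octets are kept as configured rather than being masked down to the network address.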

- - - - -
628ace0c by Fraser Tweedale at 2018-03-07T17:55:11-05:00
IPAddressName: refactoring

Merge the content of some classes that don't need to be classes into
the main IPAddressName.  Rename the 'getIPAddress' method to
'fillIPv(4|6)Address', to better reflect its behaviour.  Enhance
initAddress to not only initialise the byte[] but also populate the
address.

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: If9cd9f3134ef2086b283a51abc35f2918869aca2

- - - - -
b23ed156 by Endi S. Dewata at 2018-03-08T00:19:58+01:00
Moved DRMTool compatibility links creation into CMake scripts.

The code that creates the compatibility links for DRMTool, its
configuration, and man page has been moved from RPM spec into
CMake scripts.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ic750a539cad9a515f4be53d8c54609dfce23925f

- - - - -
2e3c503d by Endi S. Dewata at 2018-03-08T01:00:32+01:00
Moved admin console links creation into CMake scripts.

The code that creates admin console links in the subsystem UI has
been moved from RPM spec into CMake scripts.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I2b4da3e42b9a2f3a5b7dbe9f6e56cb9a5b7fc31c

- - - - -
099c123d by Endi S. Dewata at 2018-03-08T16:48:23+01:00
Removing tests/dogtag/dev_java_tests/bin folder.

The .classpath has been modified to no longer create a separate
folder (i.e. tests/dogtag/dev_java_tests/bin) for test classes.

The folder can be removed from local repository with this command:

 rm -rf tests/dogtag/dev_java_tests/bin

The .gitignore file has been modified to remove this folder and
other unnecessary in-source build directories. To simplify
maintenance, in-source builds should be done in the top-level
'build' folder only.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I6701959fa40db006628730b819a8c190de5a016c

- - - - -
5a11c0c4 by Endi S. Dewata at 2018-03-08T12:30:09-05:00
Added pki password-generate CLI.

A new pki password-generate CLI has been added to generate a
FIPS-compliant password.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ia70ed2ad9cbee33286c94fa4e4bcfa52c8124831

- - - - -
847a52cc by Endi S. Dewata at 2018-03-08T14:20:10-05:00
Removed buildroot definitions and cleanups.

The RPM spec templates have been modified to no longer define or
clean up buildroot directories since they are managed by the system.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ia2d854275635d3e4a2ba7eedc12bf7d76263c2ab

- - - - -
f46a81a0 by Endi S. Dewata at 2018-03-08T14:49:38-05:00
Removed deprecated RPM groups.

The RPM spec templates have been modified to remove deprecated
RPM groups (https://fedoraproject.org/wiki/RPMGroups).

https://pagure.io/dogtagpki/issue/2923

Change-Id: I22b04b64b11e1eb076545fc183697efd4535dc12

- - - - -
af1ea318 by Endi S. Dewata at 2018-03-09T00:26:01+01:00
Added missing gcc-c++ build dependency.

The console and theme spec file templates have been updated to
include gcc-c++ build dependency since it is required by CMake.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Ie5da5fcc1b8d6f33a2f334a079dfc04679c1a9f7

- - - - -
675c7722 by Endi S. Dewata at 2018-03-09T04:48:12+01:00
Removed redundant extract_release_information().

The extract_release_information() in compose_function is now
redundant due to various refactoring so it has been removed.

https://pagure.io/dogtagpki/issue/2852

Change-Id: Id667e9c91d9e5bc043fc975e91f1dbe0d91a95b9

- - - - -
ce9c1049 by Endi S. Dewata at 2018-03-09T16:29:01+01:00
Refactored compute_release_information().

The compute_release_information() in compose scripts has been
renamed into compute_build_options(). The unused spec file
parameter has been removed as well.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I3c42f82eee1d59a4823d713f404bceb253585576

- - - - -
b6323edf by Endi S. Dewata at 2018-03-09T18:35:22+01:00
Fixed timestamp and commit ID in RPM packages

The compose scripts have been modified to insert timestamp and
commit ID while copying the spec template into actual spec file,
so the information is stored in the SRPM. This way when the SRPM
is used to build RPM packages, the file names of the packages will
contain the timestamp and commit ID.

https://pagure.io/dogtagpki/issue/2852

Change-Id: I62a622ebbac2d5f781737ab0157aa18b80da4d5e

- - - - -
a7da82f4 by Endi S. Dewata at 2018-03-09T18:58:44-05:00
Exporting SSL server certificate on startup.

The operations script has been modified such that if nuxwdog is disabled,
it will export the SSL server certificate into a PKCS #12 keystore with a
random password. The PKCS #12 keystore will be used by Tomcat's built-in
HTTP NIO connector later.

https://pagure.io/dogtagpki/issue/203

Change-Id: Ib79bfd3fabb7b4931842901fb6a46bf299f31f1e

- - - - -
3be16204 by Endi S. Dewata at 2018-03-09T18:58:44-05:00
Switching to HTTP NIO connector.

The server.xml has been modified to use Tomcat's built-in HTTP NIO
connector with SSL server certificate in a PKCS #12 keystore by
default.

The pki-server migrate tool has been modified to automatically
convert existing instances to use the HTTP NIO connector.

The pki-server http-connector tool has been modified to configure
the SSL server certificate friendly name in the PKCS #12 keystore.

https://pagure.io/dogtagpki/issue/203

Change-Id: I1966aea3c04b95f750607856663b37ab6381126d

- - - - -
a379703d by Endi S. Dewata at 2018-03-10T04:25:15+01:00
Fixed missing exception stack trace in log message

To fix CMS.debug(exc), the Debug.printStackTrace() has been
modified to generate a log message that includes the exception
class name and the stack trace.

To fix Logger.warn(msg, exc) and Logger.error(msg, exc), the
PKIFormatter.format() has been modified to append the stack trace
to the log message.

https://pagure.io/dogtagpki/issue/195

Change-Id: Ia3b67b7edb3b6dc78de069f8f9b1ad2b4d295ddd

- - - - -
d7882556 by Endi S. Dewata at 2018-03-12T16:28:42+01:00
Reorganized Tomcat files.

Tomcat 7.0 and 8.0 files have been moved into tomcat-7.0 and
tomcat-8.0 folders for consistency.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I38c901fae4e4bb1bd500a326e672328f021f9dc9

- - - - -
27cf99ef by Christina Fu at 2018-03-12T17:52:02-04:00
Ticket #2950 Need ECC-specific Enrollment Profiles for standard conformance

This patch adds ECC-specific enrollment profiles where the Key Usage Extension
bits for SSL server and client certificates are notably different per RFC 6960:

       new file:   base/ca/shared/conf/ECadminCert.profile
       new file:   base/ca/shared/conf/ECserverCert.profile
       new file:   base/ca/shared/conf/ECsubsystemCert.profile
       new file:   base/ca/shared/profiles/ca/ECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECserverCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAgentServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg

In addition, some existing enrollment profiles are adjusted.
And while in there, signing algorithms with SHA1, MD2, and MD5 are removed

No attempt has been made for TPS enrollment profiles in this round.
No attempt has been made for adding ECDH-appropriate profile.

This patch addresses: https://pagure.io/dogtagpki/issue/2950

Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d

- - - - -
7809f40b by Matthew Harmsen at 2018-03-12T17:52:02-04:00
Permit additional FIPS ciphers to be enabled by default for RSA . . .

It was determined that the following additional FIPS ciphers should be
enabled by default for RSA:

    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Reference: dogtagpki Pagure Issue #2855 - restrict default cipher suite to
           those ciphers permitted in fips mode

Fixes: https://pagure.io/dogtagpki/issue/2952
Change-Id: I0947e8581beb3140e4c07800dd2c6bc9d90a6cd8

- - - - -
dab54826 by Endi S. Dewata at 2018-03-12T19:27:17-04:00
Updated compose scripts to create full source tarballs

Previously the compose scripts for core, console, and theme would
create different tarballs which contained the relevant sources
only even though they are coming from the same source repository.

To reduce maintenance, the compose scripts will now generate
identical tarballs that contain the complete source files in the
repository.

In this patch the tarballs will still have different names, but
in a subsequent patch they will be changed to use the same name.

https://pagure.io/dogtagpki/issue/2923

Change-Id: I453b044fa8ecb9df16b4f81a2aac942ed0f9fd55

- - - - -
5c57b446 by Endi S. Dewata at 2018-03-12T19:27:17-04:00
Updated RPM spec templates to use the same source tarball

The RPM spec templates for core, console, and theme packages have
been modified to use the same tarball from GitHub which contains
the entire source repository.

The compose scripts have been updated to generate tarballs from
local repository with the same name.

https://pagure.io/dogtagpki/issue/2923

Change-Id: Iaa8a9790eaa4e87741853c49284ba6b986da23c7

- - - - -
405de41e by Endi S. Dewata at 2018-03-13T00:29:47+01:00
Fixed outdated global web.xml

The web.xml in /usr/share/pki/server/conf is outdated so it has
been replaced with a direct link to Tomcat's web.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I71f3613772861e1b1e31e9803d29c0825cfa844a

- - - - -
b017b929 by Endi S. Dewata at 2018-03-13T00:30:08+01:00
Fixed outdated global context.xml

The context.xml in /usr/share/pki/server/conf is outdated so it
has been replaced with a direct link to Tomcat's context.xml.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I3dde88e8c04d9c9a0f49b51afd1db7595599de90

- - - - -
69434ec0 by Amol Kahat at 2018-03-13T02:32:41-04:00
Fixed BZ 1549632: Not able to generate certificate request
with ECC using pki client-cert-request

Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
a32fbda3 by Endi S. Dewata at 2018-03-13T16:36:27+01:00
Fixed outdated catalina.properties (part 1)

The catalina.properties in /usr/share/pki/server/conf is outdated
so it has been refreshed with the latest from Tomcat 7.0 and 8.0.

The TOMCAT_INSTANCE_COMMON_LIB in common.loader property has been
replaced with ${catalina.base}/commons/lib/*.jar.

http://pagure.io/dogtagpki/issue/2560

Change-Id: Idb62fc3603725a39e838e8b89ec58ef6170b8489

- - - - -
cdbad9ce by Endi S. Dewata at 2018-03-13T12:06:15-04:00
Fixed outdated catalina.properties (part 2)

The catalina.properties in <instance>/conf folder has been
replaced with a link to simplify upgrades.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I4c1ca71e9c87dbd0afbf87e79af5ed8eeeb7ef4c

- - - - -
30d17258 by Endi S. Dewata at 2018-03-13T12:06:39-04:00
Cleaned up server.xml

The server.xml files for Tomcat 7.0 and 8.0 have been cleaned up
to simplify keeping track of customizations.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I509c37fcf2a26149f1d503c8680c555f49c93694

- - - - -
29092bd3 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
Move parseACL to ACL.java

The parseACL function currently lives in CMSEngine, which is an
awkward place for it.  Move it into the ACL class as a static
method.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I2a22618a8e295864e218e067fadf4255ceada9b3

- - - - -
f5e399a6 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
ACL.java: Remove unused constructor

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Id8eee2d31538e2c95debb03a6102e0a7fdb0bd60

- - - - -
f4edd440 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
ACL.java: Make constructor private and add sanity check

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I5b15695df8692941646151b92ddaa893b3f93468

- - - - -
db05fc2c by Fraser Tweedale at 2018-03-13T22:26:17-04:00
ACL.java: retain all resourceACLs strings when merging

When writing a merged ACL back to the database, only the first
resourceACLs string is written, and the other resourceACLs strings
are lost.

Retain all the original resourceACLs strings when merging ACLs and
write them all back to the database when saving.

This commit also performs some minor refactors.  Extract the merging
routine into ACL.merge().  Remove the now-unused addRight(),
addEntry() and setName() methods.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Ica36f1ed1517b4d13f13fd78259b6bb78ef1f22c

- - - - -
8f0b4a2f by Fraser Tweedale at 2018-03-13T22:26:17-04:00
ACL.java: remove setDescription method

The only place setDescription was used was in parseACL() which is
now part of this class, so we can replace that method with a new
constructor argument and avoid another way to unreasonably mutate
an ACL.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I8cff0cbb5cb47b80b7b0e6dc37702e16ec2a85e0

- - - - -
476320b4 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
ACLEntry.java: return null on parse error

If an ACL entry has an empty permission expression a
StringIndexOutOfBoundsException is thrown because an expected space
character cannot be found.  Detect this condition and return null.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I1518f53f68e106e877d24d7dce8a5756ca5aedbd

- - - - -
f62f8931 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
DirAclAuthz.updateACLs: re-throw ACL exception

Currently DirAclAuthz catches EACLsException when attempting to
update an ACL, logs the error, and then throws a new EACLsException,
discarding the info about where the original exception occurred.
There is no need to throw a new exception of the same type, so
re-throw the caught exception.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: If6e38e2217b8884b54b7daf07a7b79e23b8175d7

- - - - -
223e6980 by Fraser Tweedale at 2018-03-13T22:26:17-04:00
console: prohibit empty ACL expression

The ACL expression (e.g. ``user=caadmin || group="Administrators"``)
gets parsed and validated on the client side before sending the ACL
update command to the admin servlet.  But empty expressions are
currently permitted on the client side and prohibited on the server
side.  Leaving the expression field empty can result in unhelpful
error messages and stack trace in the server logs.

Update the validation logic in pkiconsole to treat an empty
expression as a syntax error.

Also do some drive-by updates for type safety, instantiating the
Vector<> type parameter at String.

Fixes: https://pagure.io/dogtagpki/issue/2957
Change-Id: I5317d2a86f6d2add7482729661bcbae9ebadc4d9

- - - - -
4fa7e826 by Endi S. Dewata at 2018-03-14T06:05:14+01:00
Moved pki.server.pkiserverupgrade

The pki.server.pkiserverupgrade Python module has been moved into
pki.server.cli.upgrade for consistency.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I990bfbfce9223fa85850ebeac2278df7841465d4

- - - - -
40777dfb by Endi S. Dewata at 2018-03-14T06:24:00+01:00
Using Python logging in pki-server-upgrade

The pki-server-upgrade CLI and related modules have been modified
to use Python logging.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I8454a4d7338fbb04d4747bd55e533062b8df3ed2

- - - - -
268f8b94 by Christian Heimes at 2018-03-14T12:38:24-04:00
Don't install tomcat.conf.in

Change-Id: I4a4ee986ecaef9fb1379666e4778702d7b2ccd52
Closes: https://pagure.io/dogtagpki/issue/2962
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7188137b by Christian Heimes at 2018-03-14T13:08:55-04:00
Remove NSS_DEFAULT_DB_TYPE from /etc/sysconfig

A Dogtag 10.5 installation may contain NSS_DEFAULT_DB_TYPE="dbm" in
/etc/sysconfig/pki-tomcat. The setting interferes with new global
configuration in /usr/share/pki/etc/tomcat.conf. A new migration step
removes the config stanza from instance's sysconfig file.

Change-Id: I5123e719eb9ecaa32ad02d8aa737e5426a442c80
Closes: https://pagure.io/dogtagpki/issue/2963
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e9089a4e by Endi S. Dewata at 2018-03-14T18:32:34+01:00
Added rich comparison methods into pki.upgrade.Version.

The pki.upgrade.Version class has been modified to include
additional rich comparison methods.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I2dff91f9dd1321b026ac5ca53f02c86d0ccda370

- - - - -
738a37f5 by Endi S. Dewata at 2018-03-14T19:07:12+01:00
Fixed upgrade framework

The upgrade framework has been fixed such that the upgrade path
always starts from the current version and stops at the target
version.

https://pagure.io/dogtagpki/issue/1129

Change-Id: Ie9bb62465a77f52027a74210a1e78c8375f9a79e

- - - - -
fb087d2a by Endi S. Dewata at 2018-03-14T19:16:27+01:00
Removed empty upgrade folders

Due to a recent change in the upgrade framework, it is no longer
necessary to create an empty upgrade folder for each released
version.

https://pagure.io/dogtagpki/issue/1129

Change-Id: I8b5a30fbc1365f1f68ed971b644b4e0bdd2a790e

- - - - -
4d4f6b9b by Endi S. Dewata at 2018-03-14T23:37:25+01:00
Fixed outdated ciphers.info.

The pkispawn has been modified to link ciphers.info instead
of copying it into the instance folder so it can be upgraded
automatically.

https://pagure.io/dogtagpki/issue/2560

Change-Id: Ieb05a9c214807aa90024025559dbb3a9ffcbabf8

- - - - -
44b39b11 by Endi S. Dewata at 2018-03-15T00:31:53+01:00
Added upgrade script to fix outdated server configuration

An upgrade script has been added to replace some configuration
files in existing instances with links as in new installations,
which will simplify future upgrades. The original files will be
backed up so they can be restored if necessary.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I35a6e539a214dadeee88a9aab9bb085434236e49

- - - - -
6228c90b by Endi S. Dewata at 2018-03-14T21:18:41-04:00
Switching to Tomcat 8.5 on Fedora 27.

New server configuration files, webapp context files, library files,
and CMake scripts have been added for Tomcat 8.5.

The RPM spec template has been modified to use Tomcat 8.5 on
Fedora 27. The build and runtime dependencies have been updated
accordingly.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I6f8be772cc099bd95ec3482415b9ab99a9747ab1

- - - - -
a114b40a by Endi S. Dewata at 2018-03-15T03:03:03+01:00
Updated version number to 10.6.0-0.2

The version number has been changed to 10.6.0-0.2 due to the new
Tomcat 8.5 dependency.

https://pagure.io/dogtagpki/issue/2560

Change-Id: I3eec3fb7fdd5b4bd0e2e17da87bbabf4f7533535

- - - - -
704a1078 by Timo Aaltonen at 2018-03-15T16:43:34+02:00
Merge tag 'v10.5.5' into m-n

Build for 10.5.5-1 for F27 and F28

- - - - -
35c19aff by Timo Aaltonen at 2018-03-15T16:43:39+02:00
Merge branch 'master' into m-n

- - - - -
cc8e5179 by Christian Heimes at 2018-03-15T16:40:05+01:00
sslget: Use relative include for sslproto.h

sslget.c uses relative, local includes except for sslproto.h. The global
include was added in 27142606.

Change-Id: I4ce05417a0679a373dc610b8a4b2fae4eca7ca79
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
156f1883 by Endi S. Dewata at 2018-03-15T12:41:03-04:00
Refactored MainCLI.printHelp().

The MainCLI.printHelp() has been modified to call CLI.printHelp()
which displays deprecated commands properly.

https://pagure.io/dogtagpki/issue/2536

Change-Id: I803c0bcf041624eb7e37b04db5f455337e73caed

- - - - -
96df98aa by Endi S. Dewata at 2018-03-15T12:41:03-04:00
Deprecated pki user command

The pki user command has been replaced with pki <subsystem>-user,
so it has been deprecated by adding a deprecated ProxyUserCLI
class.

https://pagure.io/dogtagpki/issue/2536

Change-Id: Ida1123620d99e9237cb55d380eaded4deba78a27

- - - - -
5b73386f by Endi S. Dewata at 2018-03-15T12:41:03-04:00
Deprecated pki group command

The pki group command has been replaced with pki <subsystem>-group,
so it has been deprecated by adding a deprecated ProxyGroupCLI
class.

https://pagure.io/dogtagpki/issue/2536

Change-Id: Iebdef91d47c758a34e817b5379fa8f980e518862

- - - - -
bba477dd by Timo Aaltonen at 2018-03-15T19:01:59+02:00
update the changelog

- - - - -
fa9ce343 by Timo Aaltonen at 2018-03-15T19:01:59+02:00
patches: Refreshed.

- - - - -
ae4a3f2b by Timo Aaltonen at 2018-03-15T19:01:59+02:00
control, rules: Build using tomcat 8.5, adjust dependencies to match.

- - - - -
991ff279 by Timo Aaltonen at 2018-03-15T19:01:59+02:00
fix-jar-search.diff: Updated to find jaspic-api.jar.

- - - - -
bd0750aa by Timo Aaltonen at 2018-03-15T19:01:59+02:00
fix-sslproto-include.diff: Fix including sslproto.h.

- - - - -
e59cc83b by Timo Aaltonen at 2018-03-15T19:01:59+02:00
rules: Use sql nssdb's by default.

- - - - -
5e8c0fa6 by Timo Aaltonen at 2018-03-15T19:01:59+02:00
fix service file

- - - - -
60e2863a by Timo Aaltonen at 2018-03-15T22:39:24+02:00
debian-support.diff: Be more robust when starting the server, don't continue until it's serving content. Add curl to server depends.

- - - - -
c2be88ce by Timo Aaltonen at 2018-03-15T23:31:47+02:00
refresh fix-cve-2016-1240.diff

- - - - -
4b5ce752 by Christian Heimes at 2018-03-16T14:22:54+01:00
Fix verify_certificate_exists() call

verify_certificate_exists() no longer takes certdb, keydb and secmod
args.

Change-Id: Idcf781cc85a01d33867349a4ba25a81b60afc344
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
7e240d1a by Christian Heimes at 2018-03-16T10:53:42-04:00
Add with_python[23] to console and theme package

Add with_python2, with_python3 and with_python3_default to console and
theme package. The theme package can now be built without Python 2
present.

Change-Id: I06a513145e2d3a3512f2d2211d4c2a45ef58d3bd
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
1597b5bc by Christina Fu at 2018-03-16T12:37:35-04:00
Ticket #2940 [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken, and CMCRevoke

This patch adds man pages for CMCRequest, CMCResponse, and CMCSharedToken.
In addition, the usage in CMCResponse has been enhanced to include a
verbose mode which will output certs in Base64 encoding individually.
A "note" has been added to CMCRevoke --help to direct users to CMCRequest
for better usability. The man page for CMCRevoke is intentionally left out
for this reason.

The URL in CMCRequest.1 is a placeholder for the follow-up patch.  It will
be replaced once the examples are complete.

This patch addresses https://pagure.io/dogtagpki/issue/2940

Change-Id: Id1df31a29207a0d12d50b7a3b959a3abcd9748d0

- - - - -
20799a8f by Christian Heimes at 2018-03-16T13:32:45-04:00
Only detect Python for core and console packages

The theme package doesn't depend on Python. Only detect Python when
building the pki core or pki console package.

Change-Id: I7a156a88371597cfe46938eb463f2293210d6f82
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
827fe40c by Christina Fu at 2018-03-16T19:00:31-04:00
Ticket #2940 (spec file only)

Change-Id: Ice17b4f985a7dc7c092902d920d40272c751941a

- - - - -
2195cce1 by Dinesh Prasanth M K at 2018-03-19T16:01:15-04:00
Adding console, meta and theme packages to CI

The CI now tries to build and install the following:
- pki-core
- pki-theme
- pki-console
- pki-meta

Ticket: https://pagure.io/dogtagpki/issue/2969

Change-Id: I148f9cafe4ba43371f58051368307fd746bf5f4b

- - - - -
0f09829c by Endi S. Dewata at 2018-03-20T05:00:07+01:00
Fixed NSSDatabase.export_cert()

The NSSDatabase.export_cert() has been modified to use the
certificate's full name which consists of nickname and token
name (if available) when invoking pki pkcs12-client-import.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ibfbb0d310b0f9b71bed47603b0d9f8396fe33e34

- - - - -
94c23b3e by Endi S. Dewata at 2018-03-20T05:02:44+01:00
Fixed PKCS12Util.loadCertFromNSS()

The PKCS12Util.loadCertFromNSS() has been modified to check whether
the specified certificate exists in the NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I336233e8734c4e02b959edef16860ea27d64ce56

- - - - -
c4c4db19 by Endi S. Dewata at 2018-03-20T14:56:29+01:00
Added PKIInstance.get_sslserver_cert_nickname()

A new PKIInstance.get_sslserver_cert_nickname() method has
been added to get the SSL server certificate nickname from
serverCertNick.conf.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I892a782c50ef2d40ba9161986290f61bc42e86fb

- - - - -
aa0a5a8a by Endi S. Dewata at 2018-03-20T15:19:45+01:00
Refactored pki-server cert-export (part 1)

The pki-server cert-export has been modified to use the token name
of the certificate when opening the NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia34aeff300501026f1d51dd72bf859f5b1ff7876

- - - - -
f83c341b by Endi S. Dewata at 2018-03-20T15:29:54+01:00
Refactored pki-server cert-export (part 2)

The pki-server cert-export has been modified to get the SSL server
certificate nickname and token name from serverCertNick.conf
instead of CS.cfg.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I805a35efc83773562b3aafdcf4d0cd1cefaf0613

- - - - -
7acd6297 by Endi S. Dewata at 2018-03-20T20:57:13+01:00
Updated logging in SystemConfigService

https://pagure.io/dogtagpki/issue/195

Change-Id: I25924c347bb082954981576ca9c1c61cda6e0e83

- - - - -
a6a3dd81 by Endi S. Dewata at 2018-03-20T16:35:44-04:00
Fixed CSR format in configuration servlet's response

The configuration servlet has been changed to return system cert
CSRs as base64-encoded data. The Python code will then store them
into files in PEM format.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I156ab11191d6cd12b26283452547026d91a4a31d

- - - - -
178d0e04 by Endi S. Dewata at 2018-03-20T16:35:44-04:00
Fixed SSL server cert replacement.

The code that replaces the temporary SSL server cert with the
permanent one has been fixed to use the token name specified
for the SSL server cert instead of the global one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5014aa681d4aa04a0218a883697e932dd75022a4

- - - - -
169f5cf1 by Endi S. Dewata at 2018-03-20T23:23:42+01:00
Renamed client security database in PKI CLI messages.

The PKI CLI has been modified to use a more generic term of NSS
database instead of client security database since the command can
also be used to manage the server's NSS database.

Change-Id: I2f47637d8279bec10b4ffbce0d90217dc9e7f9ba

- - - - -
e61fd269 by Endi S. Dewata at 2018-03-20T23:35:46+01:00
Renamed client security database in man pages.

The man pages have been modified to use a more generic term of NSS
database instead of client security database since the command can
also be used to manage the server's NSS database.

Change-Id: Idcd6fc9a2641585b0a91efb9a4037066f600b864

- - - - -
feadd4a1 by Endi S. Dewata at 2018-03-20T23:38:36+01:00
Renamed client security database in test scripts.

The test scripts have been updated to reflect the recent changes
in PKI CLI messages.

Change-Id: Icae10e97c04202643d7d49ed83d2c752796dd192

- - - - -
bb66002a by Endi S. Dewata at 2018-03-21T01:58:39+01:00
Refactored ClientConfig fields

The certDatabase and certPassword fields have been renamed to
nssDatabase and nssPassword for clarity. New setter and getter
methods have been added. Existing setter and getter methods are
retained for backward compatibility.

Change-Id: I7a3981cbc55a9d2baa4991e00236e0b33e868bf7

- - - - -
47623442 by Endi S. Dewata at 2018-03-21T03:05:38+01:00
Added ClientConfig.nssPasswords field.

A new field has been added to ClientConfig to store NSS token
passwords.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I9febcd31d46574cb41690a60e966790b59cc87ee

- - - - -
3cf485f9 by Endi S. Dewata at 2018-03-21T03:32:42+01:00
Deprecated setters and getters in ClientConfig.

The setters and getters for the old certDatabase and certPassword
fields have been deprecated. The code that calls these methods
has been modified to use the new methods.

Change-Id: I311e0f3bcaaaaadc8f40cc944f62eecdf9121a20

- - - - -
25282e3d by Endi S. Dewata at 2018-03-21T05:03:16+01:00
Deprecated ClientConfig.serverURI setter and getter.

The setter and getter for the old serverURI field have been
deprecated. The code that calls these methods has been modified
to use the new methods. The man pages have been updated as well.

Change-Id: I518e2df364c7ab844548ea7f00c4dd3cdafd2d05

- - - - -
152ed503 by Endi S. Dewata at 2018-03-21T05:11:41+01:00
Updated test scripts due to server URI deprecation.

Test scripts that check for "server URI" have been modified to
check for "server URL" instead.

Change-Id: I41b2dc140a749370d847e5852bf9fbfaae66a407

- - - - -
f8f526f4 by Endi S. Dewata at 2018-03-21T16:33:17+01:00
Renamed NSS-related variables in MainCLI.parseOptions()

Some NSS-related variables in MainCLI.parseOptions() have been
renamed for clarity.

Change-Id: Ic67747943cc42f7c5b9d1a683974910508fb2872

- - - - -
578c2804 by Endi S. Dewata at 2018-03-21T17:20:40+01:00
Fixed exception handling in MainCLI.init()

The code that handles token login in MainCLI.init() has been
modified to include the token name in the exception message in
case the password is wrong.

Change-Id: I99aaf16f02c822b7c7179ed3aa29f0d0f66fa6e0

- - - - -
8c45ff35 by Endi S. Dewata at 2018-03-21T18:38:13+01:00
Fixed password handling in MainCLI.parseOptions()

The MainCLI.parseOptions() has been modified such that the NSS
password parameters are validated regardless of authentication
methods.

Change-Id: I67f91a2059272a6e044f9b2d067c285f5a7f443d

- - - - -
d62dbf9b by Endi S. Dewata at 2018-03-21T23:08:08+01:00
Updated PKI CLI help messages.

PKI CLI help messages have been updated for clarity.

Change-Id: I4f87ab1674c5e615d900ce08b97699ddd40330de

- - - - -
8746f09d by Endi S. Dewata at 2018-03-22T00:42:14+01:00
Added password configuration option for PKI CLI.

The PKI CLI has been modified to support an option to provide
multiple token passwords via a configuration file. This option
can be used to run the CLI using the server's NSS database and
password.conf.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I84a3da9e57556a1431c8864984cde614d2fbe83b

- - - - -
0012e50e by Endi S. Dewata at 2018-03-22T17:07:15+01:00
Refactored configuration.py

The code that imports system certs in configuration.py has been
refactored into a new import_system_cert() method.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ife5f7f526589f70a7db12d980b50569c4a67c98a

- - - - -
f1ec2c0c by Endi S. Dewata at 2018-03-22T20:27:52+01:00
Refactored internal token name literals

The literals for internal token names have been converted into
constants. A new method was added to normalize token name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I3605edba57ebf5c38b4be3dcea05f12cf87134c3

- - - - -
79db3ceb by Timo Aaltonen at 2018-03-22T22:41:39+02:00
fix-symkey-path.diff: Move symkey.jar handling here from fix-jar-search.diff.

- - - - -
4e237910 by Christina Fu at 2018-03-22T16:43:54-04:00
fix TPS CS.cfg param from tps.connector.connCAList to tps.connCAList

Change-Id: Ic391b845358736daab4b814c86e6f7f512a209bb

- - - - -
1a85a016 by Timo Aaltonen at 2018-03-22T22:46:48+02:00
fix-tomcat-conf-path.diff: Use skel/conf/web.xml.

- - - - -
cd596bf0 by Timo Aaltonen at 2018-03-22T23:36:24+02:00
tools: DRMTool links are handled by cmake now, drop .links.

- - - - -
968b1d47 by Timo Aaltonen at 2018-03-22T23:41:30+02:00
rules: Don't clean usr/share/pki/server/lib before dh_install, it's jar symlinks now.

- - - - -
c5041432 by Timo Aaltonen at 2018-03-22T23:42:04+02:00
base.install: Updated.

- - - - -
4fa5af23 by Timo Aaltonen at 2018-03-22T23:44:53+02:00
rules: Fix NSS DB option name

- - - - -
d8639cd7 by Endi S. Dewata at 2018-03-22T22:57:49+01:00
Fixed NSSDatabase.add_cert() default trust attributes

The NSSDatabase.add_cert() has been fixed to accept None value in
trust_attributes parameter and convert it into the proper string.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5a0acb51618476cf08e00d5f1a51ea2ff3cdf519

- - - - -
428a00c4 by Endi S. Dewata at 2018-03-22T22:58:41+01:00
Added NSSDatabase.create_password_file()

The code that creates password files in NSSDatabase has been
refactored into a new create_password_file() method.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I4f7106129ccd2f84d2279d4dc7c98831e9243721

- - - - -
0c116658 by Timo Aaltonen at 2018-03-23T00:07:56+02:00
control, rules: Build using JDK8.

- - - - -
f3ade427 by Timo Aaltonen at 2018-03-23T00:08:24+02:00
control: Add python3-distutils to build-depends.

- - - - -
85c58d29 by Endi S. Dewata at 2018-03-23T00:11:30+01:00
Added param to override default token in NSSDatabase.

Some NSSDatabase methods have been modified to provide an
optional token parameter to override the default token name.

A new NSSDatabase.get_effective_token() has been added to
return the effective token name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I4caa2e1ab3f64b9d667396f62a00878fa6557ebe

- - - - -
419e20bc by Endi S. Dewata at 2018-03-23T01:03:09+01:00
Added temp directory for NSSDatabase.add_cert()

The NSSDatabase.add_cert() has been modified to create and remove
a temp directory which will be used by a subsequent patch.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I89ef58420ea4771ec2ea1f3903186d5b19c3a291

- - - - -
0ddc8cbc by Endi S. Dewata at 2018-03-23T01:07:57+01:00
Added password map for NSSDatabase

The NSSDatabase has been modified to support password map
to store multiple token passwords. Some methods have been
modified to use the password map if available.

A new NSSDatabase.get_password_file() has been added to
create a temp password file to store the token password
from the password map.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I7edefade4cc348c681f0fdce1a392f14a03c1c63

- - - - -
cc37bad0 by Endi S. Dewata at 2018-03-23T02:26:57+01:00
Fixed default filename for NSSDatabase.create_password_file()

The NSSDatabase.create_password_file() has been modified to accept
None value as filename which will be converted into 'password.txt'.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ib2e1ebaece65e02d6e4f35c775ac6b8bc326f9f9

- - - - -
25de859d by Endi S. Dewata at 2018-03-23T03:01:47+01:00
Added logging in PropConfigStore

https://pagure.io/dogtagpki/issue/195

Change-Id: I8474a91b8dc250a33564407b21bccb32a0cc3fb5

- - - - -
c84ac1bd by Endi S. Dewata at 2018-03-23T03:23:28+01:00
Refactored ConfigurationUtils.updateConfig()

The ConfigurationUtils.updateConfig() has been modified to take
a Cert object instead of certificate tag.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I48b6059822fe9093582de87c5add5deb0e72a07c

- - - - -
fa28b755 by Timo Aaltonen at 2018-03-23T13:37:59+02:00
Add an upstreamed patch to rework tomcat setup, which also folds in the CVE fix. Refresh debian-support.diff.

- - - - -
2b4ccfee by Timo Aaltonen at 2018-03-23T14:28:07+02:00
fix-jar-search.diff: Replaced with upstreamed patch.

- - - - -
47ae4108 by Timo Aaltonen at 2018-03-23T09:41:35-04:00
tps-client: Fix a typo in the service file.

https://pagure.io/dogtagpki/issue/2965

Change-Id: Ib9b28e0461f6846ac02f642ca51b4dcbe6f60fff

- - - - -
b39f3600 by Timo Aaltonen at 2018-03-23T09:50:33-04:00
Fixes to Debian tomcat setup

- scripts/operations has bashism, so best to force bash
- Debian doesn't use sysvinit anymore
- use system specific config dirs
- fix tomcat paths / variables
- fix CVE-2016-1240 regarding starting a tomcat instance
- modify start_instance to be common

https://pagure.io/dogtagpki/issue/2968

Change-Id: Icba3299fb540fcea513f53730914275b4f52590e

- - - - -
85ed28c8 by Endi S. Dewata at 2018-03-24T04:39:32+01:00
Refactored serverCertNick.conf configuration

A new PKIInstance.set_sslserver_cert_nickname() method has
been added to configure serverCertNick.conf when the SSL
server certificate is about to be created or imported.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia5d7203b96b2e8007b441b241f6d88d3bbbfc672

- - - - -
2b072dd5 by Endi S. Dewata at 2018-03-24T04:55:00+01:00
Removed unused code

The old code for configuring serverCertNick.conf is no longer used
so it has been removed.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie7471b29a825d6145f1f28648633c087b4e70189

- - - - -
353de17f by Christian Heimes at 2018-03-27T00:15:57+02:00
Retry request on timeout error

Commit 0a05eab2 introduced a regression in wait_for_startup. The routine
now catches and retries timeout errors along with connection errors. A
timeout error may occur while a server is starting but is not ready to
respond to a request fast enough.

Change-Id: Ica2ccea4a5b5feb92a46a69284950bf8cfd06258
Closes: https://pagure.io/freeipa/issue/7425
Closes: https://pagure.io/dogtagpki/issue/2973
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
13a8aef5 by Endi S. Dewata at 2018-03-28T03:17:21+02:00
Fixed token name properties in CS.cfg.

The configuration servlet has been modified to store each cert's
token name as specified in the pkispawn configuration instead of
the global one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ibca8e664cb50d9886c5be7c7883db6d69e22838a

- - - - -
76b82fb0 by Timo Aaltonen at 2018-03-27T21:55:45-04:00
Rename LOGGING_CONFIG

It conflicts with Debian catalina startup.

https://pagure.io/dogtagpki/issue/2966

Change-Id: I00648bd62d4c3d14fce49795b84acf610fb1d4d9

- - - - -
fc925dff by Timo Aaltonen at 2018-03-28T16:14:33-04:00
Fix jar search and path hardcodings to support Debian

- add /usr/share/java to search paths
- check jar names found on Debian
- get rid of path hardcodings from symlink commands
- also be consistent and use only shortname of commons*.jar
- don't link to resteasy-jaxrs-jandex.jar anymore
- drop some duplicate jar searches

Change-Id: I0fd1f132cc0b67d5f630dd2b954efc8966e063fd

- - - - -
2581e314 by Endi S. Dewata at 2018-03-29T04:19:15+02:00
Fixed cert token in configuration.py

The configuration.py has been modified to use each cert's
token specified in pkispawn config when generating a CSR and
importing the cert.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I0e2cb7dcc81f9bd496e277dec02d562f62b18e6c

- - - - -
3ce3ae9b by Christina Fu at 2018-03-29T13:01:35-04:00
reflect dogtagpki url change in CMCRequest man page.

Change-Id: I8eb5884a26850b87f378c4417939c873c27fd409

- - - - -
99568215 by Christina Fu at 2018-03-29T13:46:11-04:00
quick fix on wrong keyType in profile

Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87

- - - - -
4d91ae44 by Endi S. Dewata at 2018-03-29T13:49:15-04:00
Updated version number to 10.6.0-0.3

The version number in the spec files has been updated to
10.6.0-0.3. Some changes from Fedora have been merged as well.

Change-Id: Ic55f505379076d3827885fe812905bda40452149

- - - - -
8890ca33 by Timo Aaltonen at 2018-03-29T23:39:17+03:00
Merge remote-tracking branch 'upstream/master' into master-next

- - - - -
ebefe034 by Timo Aaltonen at 2018-03-29T23:40:48+03:00
update changelog

- - - - -
605c4421 by Timo Aaltonen at 2018-03-29T23:57:35+03:00
drop upstreamed patches, update changelog

- - - - -
03c138d1 by Endi S. Dewata at 2018-03-30T06:35:31+02:00
Cleaned up SystemConfigService.updateConfiguration().

The code that stores the cert and cert request data into CS.cfg in
SystemConfigService.updateConfiguration() has been removed since
it's already done in generate_csr() and configure_system_cert() in
configuration.py.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I5d06792fdb988534f7ad313cc3d16652d09ba8eb

- - - - -
867c0951 by Timo Aaltonen at 2018-03-30T08:50:25+03:00
debian-support.diff: fix an upgrade test to not use /etc/sysconfig

- - - - -
8cc0e208 by Timo Aaltonen at 2018-03-30T09:10:36+03:00
fix-tomcat-paths.diff: Use a single patch for tomcat paths.

- - - - -
beded862 by Timo Aaltonen at 2018-03-30T09:18:30+03:00
debian-support: Drop using curl, it should cover more than just a local CA install. Bump the sleep instead.

- - - - -
f31ce95a by Timo Aaltonen at 2018-03-30T09:21:32+03:00
releasing package dogtag-pki version 10.6.0~beta2-1

- - - - -
8fda31da by Endi S. Dewata at 2018-04-02T18:06:08+02:00
Reformatted pkihelper.py

The logging commands in pkihelper.py have been reformatted to
simplify further cleanups.

https://pagure.io/dogtagpki/issue/195

Change-Id: I7e449ce6fd3d389e6ce80ff3e3beecf66447e3f5

- - - - -
439f9d14 by Endi S. Dewata at 2018-04-02T21:23:13+02:00
Fixed SystemConfigService.processCerts() to use cert token

The SystemConfigService.processCerts() has been modified to
generate the keys and certificates in each cert's token as
specified in pki_<cert>_token instead of in pki_token_name.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Iddac29e16f0ef306401f7f073dd8d976ed473f9c

- - - - -
16ce6bd0 by Endi S. Dewata at 2018-04-03T00:23:26+02:00
Fixed TPSInstaller.configureSubsystem()

The TPSInstaller.configureSubsystem() has been modified to use
each cert's token instead of the global one when creating the
subsystem connectors.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ifd5c09df6a35ea51d91a6fb8d620e7d01d80a7d3

- - - - -
9182f6d7 by Endi S. Dewata at 2018-04-03T03:21:11+02:00
Added logging for pki-server cert-find

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ib353e5f3a5f652e8d6c1d3898b1a9855bc97e7eb

- - - - -
f48a073d by Endi S. Dewata at 2018-04-03T23:26:45+02:00
Refactored pki-server cert-find

The pki-server cert-find has been modified such that it shows
the certificate as soon as it's retrieved from the NSS database
instead of waiting until all certificates are retrieved.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id3f6776e67d089a457457cf4c8f41e0da4bd8450

- - - - -
6d958402 by Endi S. Dewata at 2018-04-04T00:20:09+02:00
Added logger for pki-server cert-create

https://pagure.io/dogtagpki/issue/2449

Change-Id: I16b05a3ebd80474b99ca53b509d0145a4924f1e8

- - - - -
2dee96d4 by Endi S. Dewata at 2018-04-04T00:45:21+02:00
Added logger for pki-server cert-import

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie27062f1704ce287f670c144953abca1004b5017

- - - - -
2cf43d8d by Endi S. Dewata at 2018-04-03T21:07:01-04:00
Added logger for pki-server cert-update

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ia2527e8c5277e1d9bf0307807bb1259eb133271b

- - - - -
d123569c by Endi S. Dewata at 2018-04-03T21:57:15-04:00
Added pki-server cert-show

A new pki-server cert-show command has been added to display the
details of a system certificate.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I7eb43b45e0e5191698b34885e35f89d06fb23e6b

- - - - -
d914137b by Endi S. Dewata at 2018-04-04T04:28:24+02:00
Added logger for pki-server cert-export

https://pagure.io/dogtagpki/issue/2449

Change-Id: Icb61a8c0c42edc61acb28a6a208fb2c96a53078b

- - - - -
b5055b24 by Endi S. Dewata at 2018-04-04T06:53:42+02:00
Refactored NSSDatabase.get_cert()

The NSSDatabase.get_cert() has been modified to accept a token
name parameter to override the default one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id4c63d0df7c64dafb7b650a6017960542106af45

- - - - -
8afcf0b0 by Endi S. Dewata at 2018-04-04T07:00:35+02:00
Added pretty print option for pki-server cert-show

The pki-server cert-show has been modified to provide an option
to pretty print the system certificate.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ieec52e327c3c3b25d94db6368b175cb36d4b2233

- - - - -
db745d8d by Amol Kahat at 2018-04-04T09:55:45-04:00
PKCS10Client debug messages should be displayed in debug mode

Pagure: https://pagure.io/dogtagpki/issue/2891
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1532384

Change-Id: I419bfeafb7ca2053ba2464788693dd7f33a9a26c
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
6a43a3d6 by Endi S. Dewata at 2018-04-04T16:29:37+02:00
Updated logging in pki-server cert-create

The pki-server cert-create has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Ie5ba494eaa2415982701657d1a79d25b3995cd2b

- - - - -
87e1fd13 by Endi S. Dewata at 2018-04-04T17:19:49+02:00
Refactored NSSDatabase.remove_cert()

The NSSDatabase.remove_cert() has been modified to accept a token
name parameter to override the default one.

https://pagure.io/dogtagpki/issue/2449

Change-Id: If20d2086fb5bed0b0b71f2b82aee5a3f05b8d995

- - - - -
696768b4 by Endi S. Dewata at 2018-04-04T18:08:35+02:00
Updated logging in pki-server cert-import

The pki-server cert-import has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I2f9a82735916e4620f1d8f1b17123e39f0783691

- - - - -
123f0c65 by Endi S. Dewata at 2018-04-04T20:55:13+02:00
Updated logging in pki-server cert-find

The pki-server cert-find has been modified to use logger to
generate log messages.

https://pagure.io/dogtagpki/issue/2449

Change-Id: Id1ffe9cab579bf8a016a136c505bee1fa97bbef2

- - - - -
f4cb39d6 by Endi S. Dewata at 2018-04-04T23:48:33+02:00
Cleaned up pkispawn debug log

The slot dict contains only static values so it has been removed
from pkispawn debug log.

Change-Id: I809bd91335663431bddda703e28ce19da8d91916

- - - - -
89a911f2 by Endi S. Dewata at 2018-04-05T01:26:48+02:00
Added pki-server cert-del

A new pki-server cert-del has been added to remove a system
certificate from the server's NSS database.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I490bcf8e74583604106444bed2bb930308aa2009

- - - - -
9fe2d77d by Endi S. Dewata at 2018-04-05T03:04:31+02:00
Fixed pki-server cert-import

The pki-server cert-import has been modified to fail if a
certificate with the same nickname already exists in the token.

https://pagure.io/dogtagpki/issue/2449

Change-Id: If19245fd228d5826770ac624ab4b00fcf7876dd2

- - - - -
4e0aff3d by Endi S. Dewata at 2018-04-05T04:30:59+02:00
Cleaned up pki-server cert commands

The pki-server cert commands have been modified to parse cert ID
more consistently.

https://pagure.io/dogtagpki/issue/2449

Change-Id: I553a18c7a1e087c740a2b4f8c9f21ffba1ec9741

- - - - -
b1c3e7c7 by Timo Aaltonen at 2018-04-05T16:53:21+03:00
pki-tools: Add new manpages.

- - - - -
29a752fa by Timo Aaltonen at 2018-04-05T21:53:08+03:00
debian-support.diff: Fix keystore permissions.

- - - - -
89e99630 by Timo Aaltonen at 2018-04-05T23:26:54+03:00
debian-support.diff: Skip systemctl enable/disable.

- - - - -
505c5f76 by Timo Aaltonen at 2018-04-05T23:29:22+03:00
control: Add openjdk-8-jre-headless to pki-base-java depends.

- - - - -
1f6d4e1e by Endi S. Dewata at 2018-04-06T01:41:27+02:00
Moved CMake files in top-level folder

Some CMake files in the top-level folder have been moved into
cmake/Modules folder.

The PKI_FILE_LIST variable in the compose_functions is no longer
used so it has been removed.

Change-Id: Ia418566dcb3ea1ab207bb9a60c8b65f2f9479b96

- - - - -
e9ba6212 by Endi S. Dewata at 2018-04-06T01:50:09+02:00
Fixed website URL

All references to pki.fedoraproject.org have been replaced with
www.dogtagpki.org.

Change-Id: I9dbe664865cd04f37567304fce6b3875ed96f8f4

- - - - -
0c544c6a by Endi S. Dewata at 2018-04-06T02:34:39+02:00
Moved CMake files in top-level folder (part 2)

Some additional CMake files in the top-level folder have been
moved into cmake folder.

Change-Id: I5cecb9d862e399ccb41e1c382034cbbb69966a23

- - - - -
6264c841 by Endi S. Dewata at 2018-04-06T04:00:31+02:00
Moved pylint-build-scan.py into tools folder

The pylint-build-scan.py and its configuration file have been
moved into the tools folder. All references have been updated
accordingly.

Change-Id: I353b3c0bb0ffad42ac9a2b614dbecf4acd98448c

- - - - -
de36c745 by Endi S. Dewata at 2018-04-06T04:19:32+02:00
Removed unused patches folder

Change-Id: I94d9b75ed8123b72c94f9edb6774b37062690467

- - - - -
7510822a by Endi S. Dewata at 2018-04-06T07:22:04+02:00
Added verbose option for compose scripts

Change-Id: I00fe757849591568d97186ef18cbfee8749122cf

- - - - -
702d3aef by Timo Aaltonen at 2018-04-06T16:11:25+03:00
releasing package dogtag-pki version 10.6.0~beta2-2

- - - - -
56ca2dd4 by Endi S. Dewata at 2018-04-06T17:30:59+02:00
Removed unused PKI_COMPONENT_LIST in compose scripts

Change-Id: I6cdc607f95cd69c05fb48f885d18dbc647719d43

- - - - -
4bb8c553 by Endi S. Dewata at 2018-04-06T18:10:31+02:00
Fixed typo in CRMFPopClient

https://pagure.io/dogtagpki/issue/2875

Change-Id: I64921b968eca599f0de86cd3a246339667dd2462

- - - - -
889e8dd1 by Endi S. Dewata at 2018-04-06T20:05:32+02:00
Updated self cert revocation page title

https://pagure.io/dogtagpki/issue/1525

Change-Id: I43c3749af856118da257233d44dc455b1d954b38

- - - - -
31545b29 by Endi S. Dewata at 2018-04-06T22:45:31+02:00
Fixed Javadoc warnings

Change-Id: I91134abded91ad168da49ea5c17d8a29887c360d

- - - - -
f8f2e8cf by Endi S. Dewata at 2018-04-07T00:28:10+02:00
Fixed problem loading password from file in pki CLI

The MainCLI.loadPassword() has been modified to simply load a
file and return the first line as a password without parsing it
to avoid parsing issues.

https://pagure.io/dogtagpki/issue/2913

Change-Id: Ie103b3f77a956620a376b1ac93384590b062aade

- - - - -
138543e3 by Dinesh Prasanth M K at 2018-04-08T11:23:52-04:00
Redesigned CI infrastructure

The Travis CI infrastructure now directly sets Gerrit
labels instead of the TravisPy library being used.

- This avoids dependency on 3rd party libraries.
- Logs are posted directly as comments in case of failure

Change-Id: Ie399f612655f3172c065ccd626a9dd41b588ee59

- - - - -
fbc04cae by Dinesh Prasanth M K at 2018-04-08T12:40:44-04:00
Fixes minor bug in new CI

Avoid trying to delete (non-existing) temp branch
in the official repo.

Change-Id: I0377ffddb78251f5fd62849fbaf4e83cbf7af0e1

- - - - -
889f70a6 by Timo Aaltonen at 2018-04-09T17:24:47+03:00
rules, server: Fix JAVA_HOME, create a symlink to the native jvm dir
and ship it with pki-server

- - - - -
4fd30663 by Endi S. Dewata at 2018-04-09T11:40:28-04:00
Removed unused build variables

The following variables are no longer used so they have been
removed from the build scripts:
 - version_phase
 - APPLICATION_VERSION_PHASE
 - JAVADOC_APPLICATION_VERSION

Change-Id: I63186c6aa220a2338d012c73ce6c4f40257f5f38

- - - - -
1a5cdb64 by Endi S. Dewata at 2018-04-09T18:47:12+02:00
Cleaned up RPM descriptions

The RPM descriptions in the spec templates have been simplified
to make them more readable.

Change-Id: Ib9223b12bbbf74b967e9546ecbca8304e1a4d609

- - - - -
0ad893e5 by Endi S. Dewata at 2018-04-09T23:12:43+02:00
Removed package_*_packages macros

The package_*_packages macros are no longer needed since all
RPMs in the package will always be built at the same time.

Change-Id: I51ffbf5af00f3cac7f57c1ddda261d624d297359

- - - - -
cff2f209 by Endi S. Dewata at 2018-04-10T00:52:13+02:00
Removed redundant APPLICATION_FLAVOR_* variables

The APPLICATION_FLAVOR_* variables in CMake scripts have been
replaced with BUILD_* variables.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I1096d324527fac1965213cc3cacb2df6ded22f7e

- - - - -
d023d584 by Endi S. Dewata at 2018-04-10T03:36:49+02:00
Merged pki-core build dependencies into pki-console

The BuildRequires definitions in pki-core.spec.in have been
merged into pki-console.spec.in such that the console later
can be built independently.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I9e360ea5f100316192d0bcbbe20707d6a751e462

- - - - -
67c15caa by Endi S. Dewata at 2018-04-10T05:12:39+02:00
Fixed CMake build order

The spec templates have been modified not to use _smp_mflags
macro such that build targets will be executed sequentially
which will help troubleshooting build issues.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Id073a367f560521aa62af8646725b767e4e37685

- - - - -
da4c62d5 by Timo Aaltonen at 2018-04-10T09:54:03+03:00
pki-base.postinst: Modify JAVA_HOME for installed instances on upgrade.

- - - - -
98119be0 by Timo Aaltonen at 2018-04-10T10:31:57+03:00
debian-support.diff: Revert start delay to 5s, use systemctl enable/disable.

- - - - -
8ca3605a by Timo Aaltonen at 2018-04-10T13:20:47+03:00
releasing package dogtag-pki version 10.6.0~beta2-3

- - - - -
7b645a2e by Endi S. Dewata at 2018-04-10T15:33:19+02:00
Removed pki-console build dependency

The pki-console.spec.in has been modified to build the core jar
files from its own source tarball such that the console can be
built without external dependency on pki-base-java.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ib09565686d3465cd4f4aef18ad05f23ce86343ad

- - - - -
1d193271 by Endi S. Dewata at 2018-04-10T16:36:35+02:00
Removed redundant ldapjdk.jar finders

https://pagure.io/dogtagpki/issue/2978

Change-Id: I865cf77893125a9e90f13274d01fe372eadefcea

- - - - -
419707e3 by Endi S. Dewata at 2018-04-10T16:53:11+02:00
Fixed javadoc warnings

https://pagure.io/dogtagpki/issue/2978

Change-Id: I7b0c9780006a53a233b2cf38cf209404fe3c89b8

- - - - -
d4f604e4 by Endi S. Dewata at 2018-04-10T19:18:30+02:00
Cleaned up pki-core.spec.in

The pki-core.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ifd20ea3695c255983221e45c59ce900977832b42

- - - - -
1fe06842 by Endi S. Dewata at 2018-04-10T22:38:28+02:00
Cleaned up pki-console.spec.in

The pki-console.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I8ddcf8485b60659e0048da9776edb5ab1af94075

- - - - -
3de520ee by Endi S. Dewata at 2018-04-11T01:39:30+02:00
Cleaned up dogtag-pki-theme.spec.in

The dogtag-pki-theme.spec.in has been modified to make it more
legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia7b084c239e21b4a52aa4735e83ecfb1711f3933

- - - - -
a011d1b9 by Endi S. Dewata at 2018-04-11T03:05:43+02:00
Cleaned up dogtag-pki.spec.in

The dogtag-pki.spec.in has been modified to make it more legible.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I5fb38199dc26c14d1f53b42caa6b0c13e662aa47

- - - - -
48ac86ac by Endi S. Dewata at 2018-04-10T22:41:07-04:00
Removed esc_version macro in dogtag-pki.spec.in

The ESC dependency in dogtag-pki.spec.in has been modified to
specify the version number directly without esc_version macro.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I4bfbd14449a01b26d6811e9c948133cb0428fb8c

- - - - -
ed79cf1a by Endi S. Dewata at 2018-04-11T04:45:18+02:00
Fixed README location in dogtag-pki package

The README file in dogtag-pki package has been moved into a more
generic location in /usr/share/doc/pki folder.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I84710086dd4ac0ae25972fd520cf848c46d2cb7d

- - - - -
34c36915 by Endi S. Dewata at 2018-04-11T05:00:54+02:00
Removed pki_*_version macros in dogtag-pki.spec.in

The PKI dependencies in dogtag-pki.spec.in have been modified
to use the RPM version number directly.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I926628e00b6e4975305ae581070aec99df499b53

- - - - -
0ec550d2 by Amol Kahat at 2018-04-11T12:47:40+05:30
Added code for audit event enable, update, disable CLI.
New cli introduced:
  pki-server <subsystem>-audit-event-enable
  pki-server <subsystem>-audit-event-update
  pki-server <subsystem>-audit-event-disable

Pagure: https://pagure.io/dogtagpki/issue/2914

Change-Id: Ifc97f7b0155cd266cb44df8301df77768dc360a0
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
38c05869 by Endi S. Dewata at 2018-04-11T19:18:42+02:00
Fixed logging for pki pkcs12-import

The pki pkcs12-import has been modified to use Python logger.

https://pagure.io/dogtagpki/issue/2977

Change-Id: I2e2a13bff5db425cc2db939926e2bc36f0b8281a

- - - - -
dcbf3837 by Endi S. Dewata at 2018-04-11T20:52:29+02:00
Fixed pki pkcs12-import with NSS SQL database

As suggested by kaie, the PKCS12Util has been modified to use
PK11Store.deleteCertOnly() instead of deleteCert() to remove
just the certificate while keeping the key in the database.

https://pagure.io/dogtagpki/issue/2977

Change-Id: If077abeb1370a53047c348a8205a1be4daaab87d

- - - - -
20f7a7ba by Endi S. Dewata at 2018-04-12T01:03:16+02:00
Updated version number to 10.6.0-1

Change-Id: Ibd5c5dffd9fde22829605f4de780e5e7f4712995

- - - - -
15a925eb by Endi S. Dewata at 2018-04-13T15:43:47+02:00
Fixed TestRunner output

The TestRunner has been modified to show the location of the
reports in the stderr if the test failed.

Change-Id: Iee833bf876798ab45a74c7449e68ddf108173af7

- - - - -
f5dbc762 by Endi S. Dewata at 2018-04-13T15:50:00+02:00
Renamed _commit macro

The _commit macro in the spec templates has been renamed into
_commit_id for clarity.

Change-Id: I3137d6f44b6a22a38b73f3cf6074dd3dc233b6cd

- - - - -
e9e59496 by Endi S. Dewata at 2018-04-13T18:22:30+02:00
Listing RPM packages built by compose scripts

The compose scripts have been modified to list the RPM packages
that have just been built.

Change-Id: Ibe57fb5f7f5a74a4328d709e6ba8205e5d20ef7c

- - - - -
7b7f60a0 by Endi S. Dewata at 2018-04-13T18:37:29+02:00
Fixed pki-javadoc build dependency

The CMake scripts and spec template have been modified such that
pki-javadoc can be built without building pki-server.

Change-Id: I9820d331485e8fac449b37cefe5feb5a004329f2

- - - - -
f67cc0f7 by Endi S. Dewata at 2018-04-13T20:57:31+02:00
Reduced pki-console build time

The pki-console.spec.in has been modified not to build the server
packages, javadoc, nor run the tests to reduce the build time.

Change-Id: I9c5ff95eb4a8743a874078fdefa323da8e686370

- - - - -
953803db by Endi S. Dewata at 2018-04-13T22:31:19+02:00
Cleaned up build logs

The CMake scripts and spec templates have been modified to show
more useful logs.

Change-Id: I61f2cb64d7ad1d54bf6e6faae96539a04cda085c

- - - - -
0e0b03ea by Endi S. Dewata at 2018-04-14T00:08:51+02:00
Suppressed unused CMake variable warnings

The spec templates have been modified to suppress warnings about
unused variables defined by CMake modules.

Change-Id: I3c28592d294f30ba9e9c4d206f1940eba76eba72

- - - - -
631df72e by Endi S. Dewata at 2018-04-14T00:46:36+02:00
Fixed warnings when building without server packages

The code that creates Python modules has been fixed such that
it doesn't generate warnings when building without the server
packages.

Change-Id: I66228b782f33cfdc23000fdc0e1f862c7c1c06f7

- - - - -
1362face by Endi S. Dewata at 2018-04-14T03:12:20+02:00
Fixed CI log messages

Change-Id: I9dab36f224df504274ca2282f1df7552af1f24e3

- - - - -
b54975f4 by Fraser Tweedale at 2018-04-13T23:56:05-04:00
Fix ACL evaluation in allow,deny mode

When `authz.evaluateOrder=allow,deny', ACL evaluation returns the
wrong result: matching allow rules deny access, and matching deny
rules allow access.

Fix the problem and improve type safety and readability by
introducing a couple of enums for ACLEntry.Type and EvaluationOrder.

CVE-2018-1080

Fixes: https://pagure.io/freeipa/issue/7453
Change-Id: Ic076ed4b90c305cda9da2c56ec90fc77b4dac039

- - - - -
d7b5ae8e by Endi S. Dewata at 2018-04-16T15:51:11-04:00
Fixed warnings about OWNER_EXECUTE permissions

The CMake scripts have been modified not to set OWNER_EXECUTE
permission on non-executable files.

Change-Id: I6808195907d1013ac0328dcd73a9266a0880f594

- - - - -
aa8ab51e by Endi S. Dewata at 2018-04-17T01:28:28+02:00
Added --without-debug option

The compose scripts have been modified to provide an option to
build without debug packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I664c4cb9f7c073bb9355cfc06ac83e51441d06eb

- - - - -
2e299050 by Christina Fu at 2018-04-16T20:43:52-04:00
Ticket #2940 post-ticket simple typo fix.

Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be

- - - - -
16c279a1 by Endi S. Dewata at 2018-04-16T21:35:28-04:00
Build script cleanup

Change-Id: If25c1d1dfee63377ccc973176fcc4281266ee47c

- - - - -
a6b6cd07 by Endi S. Dewata at 2018-04-17T03:42:20+02:00
Added pki.spec.in

A new pki.spec.in has been added to combine all spec templates.
Initially it will contain a copy of the pki-core.spec.in. Other
spec templates will be merged later.

A new build.sh script has been added to run the build process
using the new spec template.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ie3ae44b7af76190754dab571b3757f649979f4b3

- - - - -
b63892ee by Endi S. Dewata at 2018-04-17T04:06:16+02:00
Merged pki-console.spec.in

The pki-console.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the console package.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I94acad9d10a16fae6da07dd568475ddf39e9f02d

- - - - -
be8b0ff9 by Endi S. Dewata at 2018-04-17T04:57:53+02:00
Merged dogtag-pki-theme.spec.in

The dogtag-pki-theme.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the theme packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Id738b759894d18ff0e9b45378a692369197efaf2

- - - - -
64c8c982 by Endi S. Dewata at 2018-04-17T05:02:25+02:00
Merged dogtag-pki.spec.in

The dogtag-pki.spec.in has been merged into pki.spec.in.

The build.sh was also modified to provide an option to build
without the meta package.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I303143c4c4c23fea75e8f0ae78dd88794f0e908c

- - - - -
08854416 by Timo Aaltonen at 2018-04-18T00:00:03+03:00
Merge branch 'upstream-next' into master-next

- - - - -
4bdc7b04 by Timo Aaltonen at 2018-04-18T00:14:40+03:00
update changelog

- - - - -
6fccfc44 by Timo Aaltonen at 2018-04-18T00:22:13+03:00
control: Update VCS urls.

- - - - -
393a1d93 by Timo Aaltonen at 2018-04-18T00:23:49+03:00
releasing package dogtag-pki version 10.6.0-1

- - - - -
8855b2da by Endi S. Dewata at 2018-04-18T03:46:50+02:00
Added support for Tomcat 9.0

The PKIRealm and pki-server migrate CLI have been modified to
work with Tomcat 9.0.

https://pagure.io/dogtagpki/issue/2980

Change-Id: I141fc5e9f7a9971c4c6c9ac1f5577def6ca207bc

- - - - -
a6526ce5 by Timo Aaltonen at 2018-04-18T14:59:11+03:00
rules: Build everything in one pass.

- - - - -
c8eaefe3 by Timo Aaltonen at 2018-04-18T15:02:13+03:00
Fix ACL evaluation in allow,deny mode. (Closes: #893690)

- - - - -
0fc41766 by Timo Aaltonen at 2018-04-18T15:07:32+03:00
releasing package dogtag-pki version 10.6.0-2

- - - - -
9b6cc6d2 by Endi S. Dewata at 2018-04-18T20:11:31+02:00
Fixed hard-coded Java home path

The hard-coded Java home path has been modified to use RPM macro
to avoid rpmlint error.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I7265c43a59aea0ea890c433ca4505a63a2151464

- - - - -
e4f45efb by Endi S. Dewata at 2018-04-18T22:57:42+02:00
Fixed macro-in-comment warnings

The spec templates have been modified to remove macro-in-comment
warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2b075d120ff539d5e13befd9637b2f764e3bd5f9

- - - - -
24ba40f6 by Endi S. Dewata at 2018-04-18T23:31:07+02:00
Validating spec files with rpmlint

The build scripts have been modified to use rpmlint to validate
the spec files.

The CI script has been modified to install rpmlint in the
container.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I60a9e6b7fc316342af8aa0f101c6d1986bb3fdb2

- - - - -
5d614f38 by Dinesh Prasanth M K at 2018-04-18T19:01:43-04:00
Reorganizing CI-related stuff

- `run_task.sh` has been split into `ipa-test.sh`
  and `pki-test.sh`
- Deletion is now handled from Jenkins
- Fixed the log name for systemd
- Removed --quiet option to report pylint issues

Ticket: https://pagure.io/dogtagpki/issue/2990

Change-Id: I6fdca00419fd53ef3e0d3425268ae03cec2c749e

- - - - -
14b0d430 by Endi S. Dewata at 2018-04-18T22:03:43-04:00
Fixed unversioned-explicit-provides warnings

The spec templates have been modified to remove
unversioned-explicit-provides warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ib5e6990e056611d762a192a6ac75048d5db2b92b

- - - - -
12ee7185 by Endi S. Dewata at 2018-04-18T22:04:05-04:00
Fixed unversioned-explicit-obsoletes warnings

The spec templates have been modified to remove
unversioned-explicit-obsoletes warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia4482faac041c872384fafbfe5671275ea908dc5

- - - - -
05fa5032 by Endi S. Dewata at 2018-04-18T22:04:05-04:00
Fixed missing %prep and %build sections

The dogtag-pki.spec.in has been modified to provide %prep and
%build sections to remove warnings from rpmlint.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ifedffcf2f6dd4e37816c885fe0a21989fb04c307

- - - - -
bf60c34c by Amol Kahat at 2018-04-19T12:29:51+05:30
Added "Serial No" in pki-server subsystem-cert-find CLI.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1566360
Pagure: https://pagure.io/dogtagpki/issue/2987

Change-Id: I35b29c37dc95c3415b4106c8c45d86a30f70628f
Signed-off-by: Amol Kahat <akahat at redhat.com>

- - - - -
58e6e009 by Endi S. Dewata at 2018-04-19T23:12:36+02:00
Fixed empty build dir cleanup

The build.sh has been modified to remove the empty build dirs
properly.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2c4fe62c880ad07b550d94f8b9a885626e5b0fcb

- - - - -
e15d3747 by Endi S. Dewata at 2018-04-20T02:37:16+02:00
Cleaned up build.sh

The build.sh has been modified to use a global variable instead of
literals for project name.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I651381a8ca4d36bc3386d980fe7297ae91bdd4db

- - - - -
2d9bc471 by Endi S. Dewata at 2018-04-20T03:38:00+02:00
Added generate_rpm_spec() in build.sh

The code that generates and validates the RPM spec in build.sh
has been moved into generate_rpm_spec().

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ic3fb5917ca3923e6be69db52b402fc109b7b8fd8

- - - - -
66f875b4 by Endi S. Dewata at 2018-04-20T03:41:40+02:00
Added generate_rpm_sources() in build.sh

The code that generates the tarball in build.sh has been moved
into generate_rpm_sources().

https://pagure.io/dogtagpki/issue/2978

Change-Id: I3ac22a8f341c7df40037017a2a2acd5dd9bf9a6e

- - - - -
1dc7533b by Endi S. Dewata at 2018-04-20T19:19:01+02:00
Cleaned up build.sh

The build.sh has been modified to use simpler method to generate
the timestamp and commit ID parameters for rpmbuild.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia9bdb4d976da966ffa909de416af2b21d264d01e

- - - - -
2110d8c2 by Christina Fu at 2018-04-20T16:12:48-04:00
Ticket #2992 servlet profileSubmitCMCSimple throws NPE

This patch addresses the issue that when auth.instance_id is not specified in
the profile, NPE is thrown.
Alternative is to add auth.instance_id value, but it's better to leave this
as manual approval only without changing the functionality.

fixes https://pagure.io/dogtagpki/issue/2992

Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d
(cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96)

- - - - -
b47fc4f6 by Endi S. Dewata at 2018-04-21T02:30:33+00:00
Added option to create tarball from a source tag

The build.sh has been modified to provide an option to generate
the source tarball from a source tag.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ia85d1b164bfcf38b44fbc64d0ec84fed5e9c4be8

- - - - -
4874fa4a by Endi S. Dewata at 2018-04-21T02:30:33+00:00
Added automatic patch generation in build.sh

The build.sh has been modified to generate a patch for all
changes since the specified source tag.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I25ea186eaa379062e5814ce0856394346cdf17b0

- - - - -
e326be6f by Endi S. Dewata at 2018-04-23T16:42:25+02:00
Added option to build without base packages

The build.sh has been modified to provide an option to build
without the base packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I2799f4621f9266b559daf8dd353a27cb6f3ec01c

- - - - -
ba1a2d32 by Endi S. Dewata at 2018-04-23T18:42:05+02:00
Moved folder creation into CMake script

The code that creates /var/log/pki and /var/lib/pki folder has
been moved from spec files into the CMake scripts.

https://pagure.io/dogtagpki/issue/2978

Change-Id: If01558aa9eea6bee483316ee05345627b0343996

- - - - -
dea3f000 by Endi S. Dewata at 2018-04-23T21:33:20+02:00
Removed CryptoToken.login() invocation in SigningUnit.init().

The SigningUnit.init() has been removed to no longer call redundant
CryptoToken.login() since token login is already done in TomcatJSS.

Due to these changes, the jss.password parameter in CS.cfg is no
longer supported.

Change-Id: I0933e41b3a61531ac36f4c925a238c47d82e7ad0

- - - - -
76912e2e by Endi S. Dewata at 2018-04-24T06:09:21+02:00
Fixed token name normalization in pki-server subsystem-cert-validate

The pki-server subsystem-cert-validate has been modified to
normalize cert token name before calling pki client-cert-validate.
This way "Internal Key Storage Token" will be considered as an
internal token and no longer specified as a parameter.

https://pagure.io/dogtagpki/issue/2997

Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97

- - - - -
a8e7f8c8 by Endi S. Dewata at 2018-04-24T22:10:30+02:00
Added description for token name normalization

https://pagure.io/dogtagpki/issue/2997

Change-Id: I941e2bf20494100f804f2b5b753e4e4ab5e4c676

- - - - -
30e1c5fc by Endi S. Dewata at 2018-04-24T22:40:04+02:00
Added --without <package> option for each subsystem

The pki.spec.in has been modified to provide --without <package>
options for CA, KRA, OCSP, TKS, and TPS.

https://pagure.io/dogtagpki/issue/2978

Change-Id: Ic43757be5cc2a74a2249d918dbca46ea1e0a6e2d

- - - - -
dd1d41f1 by Timo Aaltonen at 2018-04-25T10:00:12+03:00
control: Add conflicts on libtomcat7-java to pki-server.

- - - - -
a9369557 by Endi S. Dewata at 2018-04-25T20:01:30+02:00
Cleaned up build.sh

https://pagure.io/dogtagpki/issue/2978

Change-Id: I3002bec921f195f0c919a89c53590df2e76d04aa

- - - - -
3c71a3d4 by Endi S. Dewata at 2018-04-26T01:16:13+02:00
Fixed pki-symkey dependencies

The pki-server package has been modified to depend on pki-symkey.
All packages that depend on pki-server have been modified to no
longer depend on pki-symkey directly.

https://pagure.io/dogtagpki/issue/2972

Change-Id: Ic35e6cb677366b313bcfde83c80c270932638624

- - - - -
30caec50 by Endi S. Dewata at 2018-04-26T01:17:51+02:00
Cleaned up spec templates

The spec templates have been modified to use a minimum version
instead of exact version for dependencies on other PKI packages.

https://pagure.io/dogtagpki/issue/2972

Change-Id: Ibe40f9519707af84b3ea1ba31e917c784b023951

- - - - -
f0d60833 by Endi S. Dewata at 2018-04-26T04:03:25+02:00
Removed obsolete resolveHosts attributes

The server.xml templates have been modified to remove the
obsolete resolveHosts attributes.

https://pagure.io/dogtagpki/issue/2986

Change-Id: I2b9adf2dbc23b14d5b6033621f9278b40d44936f

- - - - -
8d3bdc96 by Endi S. Dewata at 2018-04-26T05:25:28+02:00
Removed warnings in CustomComboBoxModel

Change-Id: If7848e9823db41f743131c747bbf91c57ae15c8f

- - - - -
276e656d by Endi S. Dewata at 2018-04-26T05:30:37+02:00
Removed warnings in CMSRemoteClassLoader

Change-Id: Ib1ef1d2e5f9783e43d7399a0a96f485a814d0310

- - - - -
4ed9c908 by Endi S. Dewata at 2018-04-26T05:45:22+02:00
Removed warnings in CMSTableModel

Change-Id: I4e1855e42c61b3fee68f11c49041b6cdc98fa1ae

- - - - -
a5b7813f by Endi S. Dewata at 2018-04-26T06:20:51+02:00
Removed warnings in CMSTaskModel

Change-Id: Id52f1a347d46ebfc7b2077347ccf9b544c21f2ce

- - - - -
335f4b3b by Endi S. Dewata at 2018-04-26T06:41:03+02:00
Removed warnings in Console

Change-Id: Ifbd5b8b92263531001aa485d4689a6a062c0f085

- - - - -
98e48014 by Endi S. Dewata at 2018-04-26T15:58:32+02:00
Removed warnings in MessageFormatter

Change-Id: I4c82c22089dddedefc9a8094a684b70710b36d80

- - - - -
547d6427 by Endi S. Dewata at 2018-04-26T16:00:14+02:00
Removed warnings in ProfileDataTable

Change-Id: Ia14bb79e1b4a6bedd8251ac5b74d8fe5f5e4942a

- - - - -
ca66f8f8 by Endi S. Dewata at 2018-04-26T16:02:59+02:00
Removed warnings in UIMapperRegistry

Change-Id: I2df5cd8fd37bab91ff29467473ec4d3a248adba0

- - - - -
67bc4506 by Endi S. Dewata at 2018-04-26T16:04:11+02:00
Removed warnings in CRMFPopClient

Change-Id: Id248a6bf74f46e00dd53503d93d279e3285835a9

- - - - -
f6dcf396 by Endi S. Dewata at 2018-04-26T16:14:41+02:00
Removed warnings in CMSCRLFormatPanel

Change-Id: I1d55348aa01e77fd471ed5e8d20bd529e38dbc03

- - - - -
6181d206 by Endi S. Dewata at 2018-04-26T16:39:44+02:00
Removed warnings in ACIDialog

Change-Id: Ie6f37f7315945a151fc6adeeec27c1696bbcef45

- - - - -
77305651 by Endi S. Dewata at 2018-04-26T17:05:25+02:00
Removed warnings in ACLEditDialog

Change-Id: I1f87ef186c711aa5d546c0428ff56516ba925ddf

- - - - -
35f37ef7 by Endi S. Dewata at 2018-04-26T17:14:00+02:00
Removed warnings in UserListDialog

Change-Id: I9d4a10964217cf17284a1f22a750cd4d1d046fba

- - - - -
aba4a8bd by Endi S. Dewata at 2018-04-26T17:20:49+02:00
Removed warnings in UserEditor

Change-Id: Icd662b321c756e2eb5e3e0c413d760126b0c0580

- - - - -
ae91788b by Endi S. Dewata at 2018-04-26T21:26:02+02:00
Added options to build select packages

The build.sh has been modified to provide --with-pkgs=<list>
to build specified packages only, and --without-pkgs=<list> to
build everything except the specified packages.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I28b086e11fd5f48704ba750fe00e67ec49a4d955

- - - - -
a8f5e0ea by Endi S. Dewata at 2018-04-26T23:21:25+02:00
Added build option to change the distribution name

The build.sh has been modified to provide a --dist=<name> option
to change the default distribution name (e.g. fc28).

https://pagure.io/dogtagpki/issue/2978

Change-Id: I6a8392c0c03d398a9088228f065517208d54a810

- - - - -
45b9f76c by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in CMSCAConnectorPanel

Change-Id: I02c57d32f2c3135420144937308278278f6b12e2

- - - - -
6152e93d by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in CMSCRLIPPanel

Change-Id: I080cebf5818220dac4d99a5131b38afb80461ce5

- - - - -
4f1451da by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in CMSKRAPasswdPanel

Change-Id: Iec29d4469fe857223735c03300bd3b0f54e2be8f

- - - - -
ec7f1a3b by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in CMSRAConnectorPanel

Change-Id: I0a2adf7eb2dc4884fb2f647f5a7a9d4e12de6df8

- - - - -
1dd87a3b by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in ProfilePolicySelectionDialog

Change-Id: I4c28fc22252d79730d6343aa82d149b88239d5ad

- - - - -
6fbbb923 by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in CertManagementDialog

Change-Id: Ib0a96e59b326a85a252a972deb6b35f9eccc173d

- - - - -
e01d941e by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in GroupEditor

Change-Id: I1e37ec0f589e948a373f639c66dedc7d5a1e6603

- - - - -
da726268 by Endi S. Dewata at 2018-04-26T22:59:42+00:00
Removed warnings in PluginSelectionDialog

Change-Id: I6717e6a403f234ea9c4a21e44dbb2ab98d7b49c6

- - - - -
1ac8687a by Endi S. Dewata at 2018-04-27T05:05:15+02:00
Removed legacy Tomcat JK/JK2 files

https://pagure.io/dogtagpki/issue/773

Change-Id: I8ce3329826b45fd2e460fc58842fc618bd0fd8cc

- - - - -
6a08c251 by Endi S. Dewata at 2018-04-27T05:17:54+02:00
Removed warnings in PolicyRuleOrderDialog

Change-Id: Id0c8888ed666c26f532059c891d7d6914124336d

- - - - -
1c5f54d0 by Endi S. Dewata at 2018-04-27T05:29:34+02:00
Removed warnings in AbstractCipherPreference

Change-Id: Ia25508b0b849542e88aff49f25912af755840842

- - - - -
b7a2fe6c by Endi S. Dewata at 2018-04-27T05:52:27+02:00
Removed warnings in AuthImplTab

Change-Id: I935ef1a8d7b769fcb04067cf3d551451e0889ff3

- - - - -
5edf0333 by Endi S. Dewata at 2018-04-27T06:02:34+02:00
Removed warnings in CMSStart

Change-Id: Ic78afc514a3dc02ed9e7ab6c16155fb9bf874d81

- - - - -
62d725e8 by Endi S. Dewata at 2018-04-27T18:00:56+02:00
Added support for relative path for build.sh working directory.

The build.sh has been modified to convert a relative path for
working directory into an absolute path.

https://pagure.io/dogtagpki/issue/2978

Change-Id: I6d543e65c931a46eaf895f76f4578e374a9577b7

- - - - -
f9a48a40 by Christian Heimes at 2018-04-30T10:42:23+02:00
Pass keystroke commands as bytes

In Python 3, subprocess.communicate() requires bytes as input. Convert
two keystroke inputs from str to ASCII bytes.

Fixes: https://pagure.io/dogtagpki/issue/3005
Change-Id: Ifd00804177f86cf550c93ac1ba5861cd8fa17c81
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
22abe1c4 by Christian Heimes at 2018-04-30T14:13:46+00:00
pki-server validate: write password as bytes

The ``pki-server subsystem-cert-validate`` was failing with a bytes
TypeError. os.write() takes a fd and bytes-like object, but a password
text string was passed to os.write(). The password is now encoded from
text to UTF-8 bytes.

Fixes: https://pagure.io/dogtagpki/issue/3007
Change-Id: I5a4ea3be92ccae4dcf5eabd6168907a148e390c0
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
16f3197a by Christian Heimes at 2018-04-30T21:03:56+02:00
Convert certs to text for JSON serialization

Under Python 3, nssdb.get_cert() returns bytes. The serialized certificate
is held by SystemCertData.cert attribute. Later on, the ConfigurationRequest
data structure with multiple SystemCertData instances is serialized to
JSON. But JSON doesn't support serialization of bytes, which results in
a TypeError.

The code now converts the cert to text before it gets assigned to
SystemCertData.cert.

Fixes: https://pagure.io/dogtagpki/issue/3008
Change-Id: I16632415de7aa6f7ab77f1351e656464931662f6
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d3b007d5 by Endi S. Dewata at 2018-05-01T01:32:00+02:00
Consolidated cacertnickname literals.

The cacertnickname literals have been consolidated into
ISigningUnit.PROP_CA_CERT_NICKNAME constants.

Change-Id: I7ac4a0321e0384d88921f77f7549a132ade514e1

- - - - -
915defc9 by Endi S. Dewata at 2018-05-01T03:49:03+02:00
Refactored instance registry creation

The code that creates instance registry has been moved into instance_layout.py.

Change-Id: I63a20cd4ed4c554371d56e2745a4849fc81561f7

- - - - -
6d5f1eb5 by Endi S. Dewata at 2018-05-01T05:11:28+02:00
Refactored server.xml creation

The code that copies and customizes server.xml has been moved
into instance_layout.py.

Change-Id: I741060a4150c2d029c264bcd31d757c099361690

- - - - -
267b9973 by Endi S. Dewata at 2018-05-01T05:11:54+02:00
Refactored subsystem customization

The code that copies and customizes subsystem configuration files
has been moved into subsystem_layout.py.

Change-Id: Iada2556e33f2b4d19afd369a6c93f54085b6a6cc

- - - - -
db0fd238 by Endi S. Dewata at 2018-05-01T17:05:36+02:00
Renamed ASubsystem to BaseSubsystem

The ASubsystem has been renamed BaseSubsystem and cleaned up
so it can be used as the base class for all subsystems. The
UGSubsystem has been modified to extend the BaseSubsystem.

Change-Id: Ib51966dd2c68b6f1cc21d08a8d813250a9229137

- - - - -
de8c38bf by Endi S. Dewata at 2018-05-01T17:10:41+02:00
Refactored UGSubsystem

The UGSubsystem has been modified to extend the BaseSubsystem.
Some method/field definitions have become redundant so they have
been removed.

Change-Id: I3e96df57a6cbabe0f6a9525a6978a8b43c0446cb

- - - - -
e980a79b by Endi S. Dewata at 2018-05-01T17:41:09+02:00
Added enabled flag in BaseSubsystem

The BaseSubsystem has been modified to add an enabled flag with
its setter/getter methods. The flag is set to true by default.

Change-Id: Ie382838b46efc7a983bb08d6bc59605890987737

- - - - -
7a5d62b9 by Endi S. Dewata at 2018-05-01T18:46:28+02:00
Fixed exception handling in UGSubsystem

The UGSubsystem has been modified such that it will be enabled
only after database initialization.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ifaa20e2903a0d3dbf71435379003397b30dcc5a1

- - - - -
ecdd5ad1 by Endi S. Dewata at 2018-05-01T23:48:32+02:00
Refactored dynamic subsystems in CMSEngine

The array of dynamic subsystems in CMSEngine has been converted
into a Map to simplify its usage.

https://pagure.io/dogtagpki/issue/1334

Change-Id: I842d347900f63650c0461a375e504d71e3267ddd

- - - - -
c5905ab0 by Endi S. Dewata at 2018-05-02T01:34:41+02:00
Refactored CMSEngine initialization

The CMSEngine has been modified to be invoked directly during
initialization instead of indirectly using CMS wrapper methods.

https://pagure.io/dogtagpki/issue/1334

Change-Id: I95d027c7d91e1cfd621328adcea61b4dcd68246f

- - - - -
143dde47 by Endi S. Dewata at 2018-05-02T02:57:17+02:00
Updated loggers in CMSEngine

The CMSEngine has been updated to use SLF4J loggers.

Change-Id: Ie0fd3b713703477d7a55b70ca9592fd8db9e09ae

- - - - -
d3af8567 by Endi S. Dewata at 2018-05-02T04:21:12+02:00
Updated loggers in CertificateAuthority

The CertificateAuthority has been updated to use SLF4J loggers.

Change-Id: Iaaf4a377e17d65e1053d976a340550a5d30e9a17

- - - - -
fbbf9967 by Endi S. Dewata at 2018-05-02T05:16:32+02:00
Added debug messages for CA signing cert parsing

The CertificateAuthority has been modified to provide additional
debug messages around the code that parses the CA signing cert.

Change-Id: I9a1a094031ca1c8e558fc2d5007c94cdc75cb1fe

- - - - -
0817e99a by Christian Heimes at 2018-05-02T10:49:35+00:00
Fix more bytes/str issues in cert handling

The deployer script wrote ca.signing.cert as b'data' to CS.cfg. The bug
broke external CA feature. Certs are now serialized to disk or JSON as ASCII
base64-encoded cert string.

To catch similar mistakes in the future, the config writer for CS.cfg now
ensures that only supported value types are written to disk. If the value
is neither None, text string, nor integer, a TypeError is raised.

Fixes: https://pagure.io/dogtagpki/issue/3005
Change-Id: Id1a4175ed8787e7e9ab15fa9b61f643a401a9af1
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
383d53e4 by Christian Heimes at 2018-05-02T15:56:51+02:00
Config: Write None value as empty value

None value is no longer written as string 'None'. Instead a key with
None value is written as "key=".

Change-Id: Ia38aa80891a3fad4f08db6c74e845293719aa102
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
752d1a63 by Endi S. Dewata at 2018-05-02T15:04:02+00:00
Updated loggers in CMS class

The CMS class has been modified to use SLF4J loggers.

Change-Id: I02f0dc67bfbfec547d982efd1c4c6d0ea1bf0062

- - - - -
14153b80 by Endi S. Dewata at 2018-05-02T17:07:36+02:00
Moved CMS.main() into PKIServer class

The CMS.main() has been moved into a new PKIServer class
for future use.

Change-Id: I96b6e92d26f308036d715eeef59a004b564bee23

- - - - -
3a614568 by Endi S. Dewata at 2018-05-02T17:28:01+02:00
Refactored CMS.start()

The code in CMS.start() has been moved into CMSStartServlet and
PKIServer to provide better control and to fix a dependency issue.

Change-Id: I3a08849484910161218d4f9edce4ba1830141368

- - - - -
ebedc553 by Endi S. Dewata at 2018-05-02T20:06:10+02:00
Cleaned up CMSEngine.setServerCertNickname()

The obsolete comment in CMSEngine.setServerCertNickname()
has been removed.

Change-Id: Ibf3dddacfcc1675bf39221f51a7f078ba0925884

- - - - -
4fbc7567 by Endi S. Dewata at 2018-05-02T20:14:11+02:00
Moved SubsystemInfo into separate file

The SubsystemInfo class has been moved out of CMSEngine.java
into SubsystemInfo.java.

Change-Id: If444f5064e64c852cc778bff77368503e18f7cd4

- - - - -
28e04de4 by Endi S. Dewata at 2018-05-02T22:12:40+02:00
Refactored CMSEngine.loadDynSubsystems()

The CMSEngine.loadDynSubsystems() has been renamed into
loadSubsystems() to handle all subsystem loading.

Change-Id: Id1011ca757d13d79208164eb7c4af37b9d2a38b4

- - - - -
cb77d9d1 by Endi S. Dewata at 2018-05-02T22:21:22+02:00
Added CMSEngine.initSubsystems()

The code that initializes all subsystems has been moved into a
new CMSEngine.initSubsystems().

Change-Id: I30f0416685d87e76e2e4113b7a2e2258a2988f56

- - - - -
adf4cc91 by Endi S. Dewata at 2018-05-02T22:41:05+02:00
Refactored static subsystems in CMSEngine

The code that loads the static subsystems has been moved into
CMSEngine.loadSubsystems().

Change-Id: Ida36e58730736dcec046875fa01430c9e70f46a0

- - - - -
2c25dc7d by Endi S. Dewata at 2018-05-03T01:16:33+02:00
Refactored final subsystems in CMSEngine

The code that loads the final subsystems has been moved into
CMSEngine.loadSubsystems().

Change-Id: If78f45da725fd557bb9b04cc20c7d7a3b8078c21

- - - - -
2aef7573 by Endi S. Dewata at 2018-05-03T05:51:09+02:00
Added option to specify CMSEngine class

The CMSStartServlet has been modified to support a parameter
to specify a different CMSEngine class.

Change-Id: Ic882b34846518dbb563cbf0fdcfaecdd1ead0943

- - - - -
431a9e48 by Endi S. Dewata at 2018-05-03T05:53:10+02:00
Cleaned up CMSEngine

Unused methods in CMSEngine have been removed. Some debug
messages have been updated as well.

Change-Id: I74f89c59b4341e92b6f5109e261974dcf265c0b1

- - - - -
2eb39162 by Endi S. Dewata at 2018-05-03T05:53:58+02:00
Added CAEngine

A new CAEngine class has been added to customize the CMSEngine
behavior for CA.

Change-Id: I9cef80f3442678a3854d167c88812f7bdf532e99

- - - - -
782b5772 by Endi S. Dewata at 2018-05-03T05:55:36+02:00
Fixed error handling in CrossCertPairSubsystem

The CAEngine has been modified to enable CrossCertPairSubsystem
only after database initialization to prevent errors.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ia9f24dc2fb5ff85738463601767b32723811d512

- - - - -
9c4b16b8 by Timo Aaltonen at 2018-05-03T12:20:41+03:00
rules: Replace setting DEB_BUILD_ARCH with including architecture.mk.

- - - - -
ecf49541 by Timo Aaltonen at 2018-05-03T12:21:08+03:00
control: Update maintainer address.

- - - - -
fa8028ae by Timo Aaltonen at 2018-05-03T12:42:09+03:00
Bump debhelper to 11.

- - - - -
db6bab34 by Timo Aaltonen at 2018-05-03T12:42:36+03:00
control: Bump policy to 4.1.4.

- - - - -
c239b4b0 by Timo Aaltonen at 2018-05-03T13:44:36+03:00
control: Update dogtag-pki description to mention that it's a metapackage.

- - - - -
eb2e4189 by Timo Aaltonen at 2018-05-03T13:57:52+03:00
control: Add pki-tools to pki-base-java depends. (Closes: #891370)

- - - - -
370b69d9 by Endi S. Dewata at 2018-05-03T16:36:19+02:00
Delaying CA subsystem initialization during installation

The server has been modified to delay CertificateAuthority
subsystem initialization until after database initialization
to prevent errors.

https://pagure.io/dogtagpki/issue/1334

Change-Id: Ice3d1d16b5cb7547b313518521b3949b00dd7442

- - - - -
1b005453 by Endi S. Dewata at 2018-05-03T17:19:52+02:00
Updated loggers in DBSubsystem

The DBSubsystem has been modified to use SLF4J loggers.

Change-Id: I9d8141efd05e728a755c99da018a875e843e626b

- - - - -
6da60ac7 by Endi S. Dewata at 2018-05-03T18:04:58+02:00
Updated version number to 10.6.1

Change-Id: Iaf5769fc13e7ee9c0c10272ad4e358e86c4352c9

- - - - -
592b4d0a by Endi S. Dewata at 2018-05-03T18:26:41+02:00
Fixed build dependency on git

The spec templates have been updated to require and use git to
apply patches.

Change-Id: Ic216f9842a507fdb795293478157a54a0dd42f9b

- - - - -
ede20176 by Dinesh Prasanth M K at 2018-05-03T21:50:52+02:00
Added F28 matrix

- Travis is configured with 3 parallel jobs.
- Tests against F28 and F27 simultaneously.
- Uses a single image rather than 2.
- Disabled rpmlint due to failures in F28

Note: ipa-test has been disabled in F28

Change-Id: Iec4edec81345df52bf58a2e2890a7cdcafe803ef

- - - - -
a390b7bf by Endi S. Dewata at 2018-05-04T00:48:56+02:00
Updated NSS dependencies.

The spec templates have been modified to require NSS 3.36.1
on all platforms.

Change-Id: I1001e85ad180902ea8727764fceb7da302bbcae2

- - - - -
ed08e351 by Endi S. Dewata at 2018-05-04T05:04:32+02:00
Updated Tomcat dependencies

The spec templates have been updated to require Tomcat 9.0.7
on Fedora 29.

Change-Id: I20ea698e99675d703360cce96f666b3629f31188

- - - - -
2a972ab8 by Timo Aaltonen at 2018-05-04T15:35:47+03:00
tests: Improve logging, fail properly.

- - - - -
06f1a6e1 by Timo Aaltonen at 2018-05-04T15:36:20+03:00
Merge branch 'upstream'

- - - - -
6b36e447 by Timo Aaltonen at 2018-05-04T15:47:10+03:00
bump the version

- - - - -
abb50340 by Timo Aaltonen at 2018-05-20T11:33:01+03:00
changelog: fix a typo

- - - - -
5a9e20ad by Timo Aaltonen at 2018-05-20T11:38:41+03:00
drop cve fix, applied upstream

- - - - -
e7620cec by Timo Aaltonen at 2018-05-20T14:29:13+03:00
fix pki-tools dep

- - - - -
71e89e92 by Timo Aaltonen at 2018-05-20T14:32:15+03:00
fix debhelper 11 compat, use dh_installsystemd

- - - - -
0fec6b8c by Timo Aaltonen at 2018-05-20T14:47:22+03:00
releasing package dogtag-pki version 10.6.1-1

- - - - -


30 changed files:

- .classpath
- .gitignore
- .travis.yml
- .travis/00-init
- + .travis/01-install-dependencies
- .travis/10-compose-rpms
- .travis/20-install-rpms
- + .travis/global_variables
- + .travis/init_task.sh
- .travis_run_task.sh → .travis/ipa-test.sh
- .test_runner_config.yaml → .travis/ipa-test.yaml
- + .travis/pki-test.sh
- .travis/py3rewrite
- + .travis/set_gerrit_message.sh
- CMakeLists.txt
- README
- base/CMakeLists.txt
- base/ca/CMakeLists.txt
- base/ca/functional/src/com/netscape/cms/servlet/test/CATest.java
- base/ca/shared/conf/CS.cfg
- + base/ca/shared/conf/ECadminCert.profile
- + base/ca/shared/conf/ECserverCert.profile
- + base/ca/shared/conf/ECsubsystemCert.profile
- − base/ca/shared/conf/jk2.manifest
- − base/ca/shared/conf/jk2.properties
- − base/ca/shared/conf/jkconf.ant.xml
- − base/ca/shared/conf/jkconfig.manifest
- − base/ca/shared/conf/server-minimal.xml
- base/ca/shared/conf/serverCert.profile
- − base/ca/shared/conf/shm.manifest


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/compare/60c59e56ea0d43c698d986d157d45b96094b8800...0fec6b8c3db6f352243b1c2b160afe6e8f7862f6
