[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master-next] 99 commits: CI: Build custom Fedora image that has systemd installed

Timo Aaltonen gitlab at salsa.debian.org
Thu Aug 13 11:38:40 BST 2020



Timo Aaltonen pushed to branch master-next at FreeIPA packaging / dogtag-pki


Commits:
0fa50bb9 by Dinesh Prasanth M K at 2020-07-13T15:47:32-04:00
CI: Build custom Fedora image that has systemd installed

With latest Fedora container images (starting from fedora:30) it seems
that the systemd script files have been removed. This patch builds a custom
fedora container image with systemd package installed, giving us the right
systemd-enabled environment to run PKI tests

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
cdbbb079 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Removed default max/min LDAP connections

- - - - -
43e4cd0f by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-show

The pki-server acme-database-show has been modified to support
LDAP database.

- - - - -
5ce46a35 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-database-mod

The pki-server acme-database-mod has been modified to support
LDAP database.

- - - - -
280c2c37 by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-show

The pki-server acme-issuer-show has been modified to support
NSS issuer.

- - - - -
6eec2d3a by Endi S. Dewata at 2020-07-13T18:30:32-05:00
Updated pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to support
NSS issuer.

- - - - -
6f94b0d7 by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized CA install docs

- - - - -
2bd40bdf by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized KRA install docs

- - - - -
b17883de by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized OCSP install docs

- - - - -
3b6cbc7d by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TKS install docs

- - - - -
3b58dcda by Endi S. Dewata at 2020-07-13T20:30:26-05:00
Reorganized TPS install docs

- - - - -
f946a3e3 by Endi S. Dewata at 2020-07-14T15:16:46-05:00
Fixed podman deployment doc

- - - - -
9170acf2 by Christina Fu at 2020-07-14T16:50:31-07:00
Bug1856368- pki cli kra-key-generate request is failing

This patch fixes the issue with failed kra-key-generate from pki cli.
Investigation revealed that in the underlying JSS changes, the
base64encodeSingleLine call into
   Base64.getEncoder().encodeToString(bytes);
does not tolerate a null parameter.
Reference: Remove code dependency on Apache Commons Codec
https://github.com/dogtagpki/jss/commit/8de4440c5652f6f1af5b4b923a15730ba84f29e1#diff-b2e907677520a5d671a037de2e60e656L376

In PKI, since the caller for generateAsymmetricKey() in KeyClient.java
deliberately passed in "null" for transWrappedSessionKey, it is
safe to just skip over the following line when transWrappedSessionKey is null:
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey, false));

The CRMF issue reported in the same bug is very likely a separate issue
and should be filed in a separate bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1856368

- - - - -
9ffb9925 by Endi S. Dewata at 2020-07-14T19:19:49-05:00
Fixed error handling in PKIRealm

In commit 9de45c2812e9eaddaeef50dd422117cf57820581 the PKIRealm was
modified to wrap all exceptions that happen during authentication
and rethrow them as RuntimeExceptions in order to preserve the stack
trace for troubleshooting.

However, because of that when a client tries to authenticate with a
revoked certificate the server incorrectly reports it as an internal
server error instead of authentication failure.

To fix the problem, the PKIRealm has been modified to handle
authentication failures (e.g. EInvalidCredentials) differently
from other internal server errors (e.g. LDAP exceptions).

For authentication failures PKIRealm will return null as described
in RealmBase documentation:
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/realm/RealmBase.html

For internal server errors it will log the stack trace, wrap
the exception, and rethrow it as a RuntimeException for troubleshooting.

- - - - -
180d42e9 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME authorization status

The ACMEChallengeProcessor.processChallenge() has been modified
to set the authorization status to invalid if the client fails
to fulfill the challenge.

- - - - -
db7b73a4 by Endi S. Dewata at 2020-07-15T10:18:32-05:00
Fixed ACME order status

The ACMEChallengeProcessor.processInvalidChallenge() has been
modified to set the order status to invalid if at least one of
the authorizations is invalid.

- - - - -
8feeea95 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Fixed LDAPDatabase.getAuthorizationByChallenge()

The LDAPDatabase.getAuthorizationByChallenge() has been
modified to return the complete authorization data such
that if the authorization is updated and saved into the
database it will not unintentionally lose data.

- - - - -
71fced30 by Endi S. Dewata at 2020-07-15T10:49:40-05:00
Removing incomplete ACME challenges

The code that finalizes ACME authorizations has been modified
to retain the completed challenge (either valid or invalid) and
remove the incomplete ones.

- - - - -
ce689dfa by Endi S. Dewata at 2020-07-15T11:40:14-05:00
Cleaned up log messages in MessageFormatInterceptor

- - - - -
d23240d0 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEAuthorization.expirationTime handling

The code that uses ACMEAuthorization.expirationTime has been
modified to handle a possible null value.

- - - - -
8edae309 by Endi S. Dewata at 2020-07-15T11:40:48-05:00
Fixed ACMEOrder.expirationTime handling

The code that uses ACMEOrder.expirationTime has been modified
to handle a possible null value.

- - - - -
ec9b4485 by Endi S. Dewata at 2020-07-15T19:10:37-05:00
Updated ACME database configuration doc

- - - - -
885ba3f6 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME authorization expiration time

Previously the expirationTime field in ACMEAuthorization is
always set when the object is created. According to RFC 8555
the value is only required when the authorization is valid,
so the code has been updated accordingly.

- - - - -
2443d08a by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Fixed ACME order expiration time

Previously the expirationTime field in ACMEOrder is always set
when the object is created. According to RFC 8555 the value is
only required when the order is valid or pending, so the code
has been updated accordingly.

- - - - -
91889f16 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredAuthorizations()

The ACMEDatabase.removeExpiredAuthorizations() has been added
to remove expired authorization records from ACME database.

- - - - -
eec64fc4 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Added ACMEDatabase.removeExpiredOrders()

The ACMEDatabase.removeExpiredOrders() has been added to remove
expired order records from ACME database.

- - - - -
b2215b72 by Endi S. Dewata at 2020-07-16T12:30:35-05:00
Updated ACME maintenance task

The ACME maintenance task has been updated to periodically remove
expired authorization and order records from ACME database.

- - - - -
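
The expiration and maintenance commits above describe a rule from RFC 8555 (expires is only required for valid authorizations and for pending or valid orders), a null-safety requirement for everything that reads expires, and a periodic purge. The following Python is an added example and not code from the Dogtag ACME responder; the record layout, the validity lengths and the retention policy values are assumptions used for illustration.

```python
"""ACME 'expires' handling by status, with None-safe maintenance.

Added example; this is not code from the Dogtag ACME responder. It models
the commits above: expires is set only where RFC 8555 requires it
(authorizations: valid; orders: pending or valid), code reading expires
must tolerate None, and a maintenance pass purges expired records while
retention periods (assumed values) bound how long the rest are kept.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# RFC 8555 section 7.1.4 (authorization object) and 7.1.3 (order object).
EXPIRES_REQUIRED = {
    "authorization": {"valid"},
    "order": {"pending", "valid"},
}


@dataclass
class ACMERecord:
    kind: str                 # "authorization" or "order"
    id: str
    status: str
    created: datetime
    expires: Optional[datetime] = None


def set_expiration(rec: ACMERecord, validity: timedelta, now: datetime) -> None:
    """Assign expires only for statuses where RFC 8555 requires it; otherwise
    clear it, so every consumer has to handle the None case."""
    if rec.status in EXPIRES_REQUIRED[rec.kind]:
        rec.expires = now + validity
    else:
        rec.expires = None


def is_expired(rec: ACMERecord, now: datetime) -> bool:
    """None-safe: a record without an expiration never counts as expired."""
    return rec.expires is not None and rec.expires <= now


def maintenance(records: List[ACMERecord], now: datetime,
                retention: Dict[Tuple[str, str], timedelta]
                ) -> Tuple[List[ACMERecord], List[ACMERecord]]:
    """One scheduler pass. Removes expired records, then records without an
    expiration whose age exceeds the retention configured for (kind, status).
    Returns (kept, removed)."""
    kept: List[ACMERecord] = []
    removed: List[ACMERecord] = []
    for rec in records:
        if is_expired(rec, now):
            removed.append(rec)
            continue
        limit = retention.get((rec.kind, rec.status))
        if rec.expires is None and limit is not None and now - rec.created > limit:
            removed.append(rec)
            continue
        kept.append(rec)
    return kept, removed


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three records and one scheduler pass two days later."""
    t0 = datetime(2020, 7, 16, 12, 0, tzinfo=timezone.utc)
    authz_ok = ACMERecord("authorization", "authz-1", "valid", t0)
    authz_bad = ACMERecord("authorization", "authz-2", "invalid", t0)
    order = ACMERecord("order", "order-1", "pending", t0)
    set_expiration(authz_ok, timedelta(days=30), t0)   # assumed 30-day validity
    set_expiration(authz_bad, timedelta(days=30), t0)  # invalid: no expires at all
    set_expiration(order, timedelta(hours=1), t0)      # assumed 1-hour validity
    # Assumed retention: invalid authorizations are kept for one day.
    retention = {("authorization", "invalid"): timedelta(days=1)}
    kept, removed = maintenance([authz_ok, authz_bad, order],
                                t0 + timedelta(days=2), retention)
    return {"kept": [r.id for r in kept], "removed": [r.id for r in removed]}
```

demo() keeps the still-valid authorization, drops the pending order whose one-hour window has passed, and drops the invalid authorization by retention age rather than by an expiration it never had.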
87c0aef6 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-database-mod

The pki-server acme-database-mod has been modified to provide
a silent mode for configuring ACME database.

- - - - -
8cee2f93 by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Added silent mode for pki-server acme-issuer-mod

The pki-server acme-issuer-mod has been modified to provide a
silent mode for configuring ACME issuer.

- - - - -
95e338ca by Endi S. Dewata at 2020-07-16T17:26:23-05:00
Updated ACME database and issuer configuration docs

The ACME database and issuer configuration docs have
been modified to use the silent mode.

- - - - -
f1e86ff0 by Endi S. Dewata at 2020-07-20T10:28:50-05:00
Refactored ACMEEngine.loadMetadata()

The ACMEEngine.loadMetadata() has been renamed into
initMetadata().

- - - - -
7eb2fc48 by Endi S. Dewata at 2020-07-20T10:29:38-05:00
Refactored ACMEEngine.loadDatabaseConfig()

The ACMEEngine.loadDatabaseConfig() has been merged into
initDatabase().

- - - - -
6772ba8e by Endi S. Dewata at 2020-07-20T10:30:22-05:00
Refactored ACMEEngine.loadValidatorsConfig()

The ACMEEngine.loadValidatorsConfig() has been merged into
initValidators().

- - - - -
0c1916ea by Endi S. Dewata at 2020-07-20T10:30:45-05:00
Refactored ACMEEngine.loadIssuerConfig()

The ACMEEngine.loadIssuerConfig() has been merged into
initIssuer().

- - - - -
3bda0a4f by Endi S. Dewata at 2020-07-20T10:31:52-05:00
Refactored ACMEEngine.loadSchedulerConfig()

The ACMEEngine.loadSchedulerConfig() has been merged into
initScheduler().

- - - - -
87ab6e3c by Endi S. Dewata at 2020-07-20T10:38:23-05:00
Refactored ACMEEngine.loadEngineConfig()

The ACMEEngine.loadEngineConfig() has been converted into
initMonitors().

- - - - -
249fae10 by Alexander Scheel at 2020-07-20T13:45:59-04:00
Fix build with CMake out-of-source build change

Fedora 33 has introduced the following change proposal:

https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds

This makes CMake do out-of-source builds by default. However, Fedora has
opted to use the %{_vpath_builddir} macro as the location of the default
build directory, instead of the more standard (in the CMake community)
build/ directory. %{_vpath_builddir} expands to %{_target_platform},
giving a per-architecture build directory.

Replace build/ references with %{_vpath_builddir} in the RPM spec. In
the future, we could move %{__make} to %cmake_build instead.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
11024cd3 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Fixed pki-server acme-metadata/database/issuer-mod commands

The pki-server acme-metadata/database/issuer-mod commands have
been modified to use PKIServer.store_properties() instead of
pki.util.store_properties() to ensure the file permission is
set correctly.

- - - - -
a3ef1aa8 by Endi S. Dewata at 2020-07-20T13:42:55-05:00
Added default ACME metadata.conf

The ACMEEngine and pki-server acme-metadata commands have
been modified to use the shared metadata.conf by default.

- - - - -
bc899bec by Endi S. Dewata at 2020-07-20T14:36:59-05:00
Added runtime dependency on systemd

The pki-server package has been modified to explicitly require
systemd as a runtime dependency since systemd is no longer part
of the Fedora container image:
https://docs.fedoraproject.org/en-US/minimization/

- - - - -
9ddb3832 by Alexander Scheel at 2020-07-20T15:45:07-04:00
Support JDK8 and JDK11 RPM builds

Fedora 33 is moving to Java 11 as the default JDK version:

https://fedoraproject.org/wiki/Changes/Java11

This will make JDK11 the default JDK in this release of Fedora.

We need to support a generic JAVA_HOME based on OpenJDK, so move to
/usr/lib/jvm/jre-openjdk as the JRE_HOME path. This is always provided,
regardless of whether or not the JDK or JRE is installed. Additionally,
we set the minimum Java version based on what is available on the
system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1bc74857 by Endi S. Dewata at 2020-07-20T19:20:24-05:00
Fixed JAVA_OPTS parsing in PKISubsystem.run()

The PKISubsystem.run() parses JAVA_OPTS into a list of strings
and uses it as Java arguments. In some cases the list might
contain empty strings which can cause problems. The code has
been modified to remove empty strings from the list.

- - - - -
3de067cf by Endi S. Dewata at 2020-07-21T09:01:38-05:00
Simplified ACME LDAP database parameters

The LDAPDatabase parameters have been simplified:
- basedn -> baseDN
- internaldb.ldapconn.host,port,secureConn -> url
- internaldb.ldapauth.authtype -> authType
- internaldb.ldapauth.bindDN -> bindDN
- internaldb.ldapauth.clientCertNickname -> nickname
- password.internaldb -> bindPassword

The old basedn parameter will continue to work but it has
been deprecated.

The internaldb.ldapauth.bindPWPrompt is no longer used so
it has been removed.

- - - - -
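
Two of the commits above touch the ACME database.conf: one switches the acme-*-mod commands to PKIServer.store_properties() so the file permission is set correctly, and the one just above renames the LDAPDatabase parameters while keeping basedn as a deprecated alias. The Python below is an added example and not pki-server code. The key renames and the dropped bindPWPrompt follow the commit message; mapping secureConn=true to an ldaps:// URL, the default ports, the "class" property in the constructed input and the temp-file layout are assumptions.

```python
"""Migrate legacy ACME LDAPDatabase parameters and store the result with
owner-only permissions.

Added example, not pki-server code. The key renames and the dropped
bindPWPrompt follow the commit message; the ldaps:// mapping, default
ports and temp-file layout are assumptions. The 0600 mode is the point of
the store_properties() fix: bindPassword must never land in a
world-readable file, not even transiently.
"""
import os
import tempfile
from typing import Dict

LEGACY_TO_NEW = {
    "basedn": "baseDN",
    "internaldb.ldapauth.authtype": "authType",
    "internaldb.ldapauth.bindDN": "bindDN",
    "internaldb.ldapauth.clientCertNickname": "nickname",
    "password.internaldb": "bindPassword",
}
DROPPED = {"internaldb.ldapauth.bindPWPrompt"}
CONN_HOST = "internaldb.ldapconn.host"
CONN_PORT = "internaldb.ldapconn.port"
CONN_SECURE = "internaldb.ldapconn.secureConn"


def migrate_ldap_params(old: Dict[str, str]) -> Dict[str, str]:
    """Return new-style parameters. A new-style key already present wins
    over its deprecated spelling; bindPWPrompt is dropped."""
    new: Dict[str, str] = {}
    for key, value in old.items():
        if key in DROPPED or key in (CONN_HOST, CONN_PORT, CONN_SECURE):
            continue
        target = LEGACY_TO_NEW.get(key, key)
        if target != key and target in old:
            continue  # deprecated form loses to the explicit new key
        new[target] = value
    if "url" not in new and CONN_HOST in old:
        # Assumption: secureConn=true selects ldaps:// (port 636 by default).
        secure = old.get(CONN_SECURE, "false").lower() == "true"
        scheme, default_port = ("ldaps", "636") if secure else ("ldap", "389")
        new["url"] = f"{scheme}://{old[CONN_HOST]}:{old.get(CONN_PORT, default_port)}"
    return new


def store_properties(path: str, props: Dict[str, str], mode: int = 0o600) -> None:
    """Write key=value lines atomically. The temporary file carries `mode`
    before any content is written, then replaces the target in one step."""
    directory = os.path.dirname(os.path.abspath(path)) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".database.conf.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)
            for key in sorted(props):
                f.write(f"{key}={props[key]}\n")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_properties(path: str) -> Dict[str, str]:
    """Read key=value lines back; values may themselves contain '='."""
    props: Dict[str, str] = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    return props


def file_mode(path: str) -> int:
    return os.stat(path).st_mode & 0o777


def demo() -> Dict[str, object]:
    """Constructed legacy database.conf, migrated and stored in a temp dir."""
    legacy = {
        "class": "org.dogtagpki.acme.database.LDAPDatabase",
        "basedn": "dc=acme,dc=pki,dc=example,dc=com",
        "internaldb.ldapconn.host": "ds.example.com",
        "internaldb.ldapconn.port": "636",
        "internaldb.ldapconn.secureConn": "true",
        "internaldb.ldapauth.authtype": "BasicAuth",
        "internaldb.ldapauth.bindDN": "cn=Directory Manager",
        "internaldb.ldapauth.bindPWPrompt": "internaldb",
        "password.internaldb": "Secret.123",
    }
    new = migrate_ldap_params(legacy)
    path = os.path.join(tempfile.mkdtemp(), "database.conf")
    store_properties(path, new)
    return {"params": new, "mode": file_mode(path), "reloaded": load_properties(path)}
```

A quick check after running an acme-database-mod style tool is the same as what demo() asserts: the rewritten file has mode 0600 and no legacy key survives in it.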
ec612dbd by Coty Sutherland at 2020-07-21T16:51:42-04:00
Fix HTTP Request formatting in AdminConnection

AdminConnection's processRequest method creates a hand-rolled HTTP
request to the remote server. This is used by PKI Console when
authenticated as an administrator. Because of the recent CVE fix in
Tomcat (CVE-2020-1935), Tomcat will no longer accept \n (Line Feed)
terminated requests and headers, and instead reject them as a bad
request. We fix this by adding the missing and required CR, per HTTP
specification.

This fixes the following exception in PKIConsole:

    java.io.IOException: 400
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:537)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:497)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:411)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:788)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:681)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:646)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:379)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:128)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
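
The AdminConnection commit above is a reminder that a hand-rolled HTTP client has to frame its request line and headers with CRLF; since the CVE-2020-1935 fix Tomcat answers a bare-LF request with 400. The following Python is an added example and not Dogtag or Tomcat code: build_request() reproduces both the buggy and the fixed framing, and parse_request_strict() is a constructed model of a server that rejects bare LF or CR inside the request head. The path and header values are made up.

```python
"""Hand-rolled HTTP/1.1 request framing: bare LF vs CRLF.

Added example, not Dogtag or Tomcat code. A request whose request line
and headers are terminated with "\n" alone is rejected by Tomcat since the
CVE-2020-1935 fix; RFC 7230 requires "\r\n". parse_request_strict() is a
constructed illustration of such a server-side check.
"""
from typing import Dict, Tuple


def build_request(method: str, path: str, host: str, headers: Dict[str, str],
                  body: bytes = b"", line_end: bytes = b"\r\n") -> bytes:
    """Serialise a request. line_end defaults to the CRLF the spec requires;
    passing b"\n" reproduces the bug the commit fixes."""
    lines = [f"{method} {path} HTTP/1.1".encode("ascii"),
             f"Host: {host}".encode("ascii")]
    for name, value in headers.items():
        lines.append(f"{name}: {value}".encode("ascii"))
    if body:
        lines.append(f"Content-Length: {len(body)}".encode("ascii"))
    return line_end.join(lines) + line_end + line_end + body


def parse_request_strict(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Parse a request head, rejecting any line that ends in a bare LF or
    contains a stray CR. Returns (request_line, headers, body) or raises
    ValueError, which stands in for a 400 response."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("400: request head not terminated by CRLF CRLF")
    head, body = raw[:head_end], raw[head_end + 4:]
    lines = head.split(b"\r\n")
    for line in lines:
        if b"\n" in line or b"\r" in line:
            raise ValueError("400: bare LF/CR inside request line or header")
    request_line = lines[0].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("ascii").partition(":")
        # No empty names and no whitespace before the colon (request smuggling hygiene).
        if not sep or not name or name != name.strip():
            raise ValueError(f"400: malformed header {line!r}")
        headers[name.lower()] = value.strip()
    return request_line, headers, body


def is_accepted(raw: bytes) -> bool:
    """True if the strict parser accepts the framing of `raw`."""
    try:
        parse_request_strict(raw)
        return True
    except ValueError:
        return False
```

The mixed case is the interesting one: a request where only one header line is LF-terminated fails too, because that header and its neighbour fuse into a single line containing a bare LF.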
0c41ac72 by Alexander Scheel at 2020-07-21T16:52:53-04:00
Support exporting CA certificate from HSM installs

When installing with the subsystem SSL certificate residing on the
HSM, export will fail because the NSS DB isn't opened with the
specified HSM token. When the subsystem SSL certificate resides on the
HSM and we go to export the CA certificate, we must explicitly specify
this token.

Otherwise, subsystem startup will fail with an error like:

    systemd[1]: Starting PKI Tomcat Server topology-02-CA...
    pki-server[72759]: Enter password for NHSM6000-OCS
    pki-server[72759]: ERROR: Certificate not found: NHSM6000-OCS:Server-Cert cert-topology-02-CA
    pki-server[72759]: ERROR: Command: pki -d /etc/pki/topology-02-CA/alias -C /tmp/tmpptxlpn4k/password.txt pkcs12-export --pkcs12 /tmp/tmp1idfd1am/sslserver.p12 --password-file /tmp/tmpc5y2bhjo/password.txt --no-key NHSM6000-OCS:Server-Cert cert-topology-02-CA
    systemd[1]: pki-tomcatd at topology-02-CA.service: Control process exited, code=exited status=255
    systemd[1]: pki-tomcatd at topology-02-CA.service: Failed with result 'exit-code'.

This is related to the earlier PR enforcing certificate verification
in PKIConnection, pr-#443.

Resolves: rh-bz#1857933

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
382de723 by Dinesh Prasanth M K at 2020-07-22T13:24:25-04:00
Fix pylint issue in healthcheck

This patch fixes the pylint issue caught in our CI. This
is a regression of change introduced in freeipa-healthcheck:

https://github.com/freeipa/freeipa-healthcheck/commit/d247c6158169a4ff97cd35ac57fec4e355617c52#diff-3aa64e1b97b8e0bf584a86cbe79986c4

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
75fed9db by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Print the SD name when executing pki-server status

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
08370498 by Dinesh Prasanth M K at 2020-07-22T13:48:47-04:00
Fix pki-server status CLI to accept nuxwdog enabled service

This patch fixes pki-server to pick up the right systemd unit file
name if the nuxwdog is enabled on the PKI server.

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
951bad9d by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Added ACMEEngineConfig

The ACMEEngineConfig has been added to encapsulate ACME engine
configuration such as the enabled flag.

- - - - -
2a8e25fb by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Refactored ACMEPolicy

The ACMEPolicy has been moved into org.dogtagpki.acme.server.
The enableWildcardIssuance field has been moved into a new
ACMEPolicyConfig class. The wildcard property in engine.conf
has been renamed into policy.wildcard.

- - - - -
5cc193e6 by Endi S. Dewata at 2020-07-22T14:53:53-05:00
Removed hard-coded ACME validity policies

The ACMEValidityConfig has been added to encapsulate the
validity configuration of ACME objects including nonces,
authorizations, and orders.

The hard-coded validity policies for ACME nonces, valid
authorizations, pending and valid orders have been
replaced with configurable properties in engine.conf.

- - - - -
a93a65be by Alexander Scheel at 2020-07-22T17:02:50-04:00
Re-fix sanitization in CMSTemplate

When fixing CVE-2019-10179 originally in
8884b4344225bd6656876d9e2a58b3268e9a899b,
I had switched to Apache Commons Lang2's
sanitization framework. However, I didn't
enable the HTML sanitization necessary to
fix this CVE.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
db703d1d by Endi S. Dewata at 2020-07-22T18:44:10-05:00
Added sample ACME database URLs

- - - - -
6e108331 by Endi S. Dewata at 2020-07-22T19:48:35-05:00
Fixed ACME scheduler

The ACMEScheduler has been modified to no longer throw a
RuntimeException if a task execution fails such that the
task will be executed again in the next scheduled time.

- - - - -
eb213bd0 by Endi S. Dewata at 2020-07-23T12:58:06-05:00
Add sample PKI issuer URL and profile

- - - - -
8c41352a by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated ACME install doc

- - - - -
6f18a954 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Fixed InMemoryDatabase.getOrdersByAuthorizationAndStatus()

The InMemoryDatabase.getOrdersByAuthorizationAndStatus() has
been modified to use String.equals() to compare order status.

- - - - -
40bd67c3 by Endi S. Dewata at 2020-07-23T12:58:16-05:00
Updated pki-server acme-database/issuer-mod

The pki-server acme-database/issuer-mod commands have been
modified to load the database.conf/issuer.conf template if
the database/issuer type was changed.

- - - - -
f2641150 by Endi S. Dewata at 2020-07-23T20:35:53-05:00
Fixed PKIServerFactory.create()

The PKIServerFactory.create() has been modified to check
whether the /etc/sysconfig/<instance> file exists before
trying to open it.

- - - - -
28e19202 by Endi S. Dewata at 2020-07-23T20:44:00-05:00
Reorganized PKI server install docs

- - - - -
41b0226a by Endi S. Dewata at 2020-07-27T17:12:24-05:00
Updated log messages in PostgreSQLDatabase

- - - - -
46a66d65 by Endi S. Dewata at 2020-07-27T17:12:33-05:00
Reorganized ACME deployment on OpenShift doc

- - - - -
bf225105 by Alexander Scheel at 2020-07-28T14:52:20-04:00
Add TPS auditor

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9da92ed3 by Alexander Scheel at 2020-07-28T14:54:12-04:00
Move PrettyPrint{Cert,Crl} to PKI_LIB classpath

JDK since v1.6 supports passing a directory with a glob (*) after it to
include all JARs in that given directory on the classpath. That is the
mechanism used by pki_java_command_wrapper.in which we should reuse for
the two CLIs which don't use that wrapper.

Resolves: rh-bz#1854043

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fd522210 by Dinesh Prasanth M K at 2020-07-29T15:31:10-04:00
CI: Collect journalctl logs always during IPA tests

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
c8c55f98 by Endi S. Dewata at 2020-07-29T16:45:07-05:00
Added openshift-acme deployment doc

A new doc has been added for deploying openshift-acme with
PKI ACME responder as the certificate issuer.

- - - - -
a0a06387 by Endi S. Dewata at 2020-07-29T17:45:10-05:00
Fixed CAInfoService.getKRAInfoClient()

The CAInfoService.getKRAInfoClient() and
CAService.getConnector() have been modified to use the
client certificate specified in the CA's KRA connector to
access KRA. If the client certificate is missing, it will
use the subsystem certificate instead.

The CAInfoService has also been modified to propagate
any exception during the above operation to the caller.

https://bugzilla.redhat.com/show_bug.cgi?id=1861911

- - - - -
03801285 by Endi S. Dewata at 2020-07-29T22:18:44-05:00
Reorganized ACME user doc

- - - - -
7b184486 by 06shalini at 2020-07-30T20:59:57+05:30
Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages (#393)

* Changes done to run the upstream pytest-ansible tests on Fedora32 and with latest packages

- Changes include:
- Change in .gitlab_ci.yml to spawn instance by using latest osp_provision.py
   [with PSI resource issues].
- Change in .gitlab_ci.yml to use Fedora 32 image.
- Addition of post_provision.yml to get latest repo.

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

* Code cleanup of osp_provision.py

Signed-off-by: Shalini Khandelwal <skhandel at redhat.com>

Co-authored-by: Shalini Khandelwal <skhandel at redhat.com>
- - - - -
23ae8b29 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Refactored ACMEPolicyConfig

The retention policies in ACMEPolicyConfig have been moved
into ACMERetentionConfig. The configuration properties have
been renamed into policy.retention.<name>.<param>. The
ACMEValidityConfig has been renamed into ACMERetention.

- - - - -
64b37227 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME authorizations

The ACME responder has been modified to support retention
policies for pending and invalid authorizations.

- - - - -
769069bb by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policies for ACME orders

The ACME responder has been modified to support retention
policies for invalid, ready, and processing orders.

- - - - -
64a83f58 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMEDatabase.removeExpiredCertificates()

The ACMEDatabase.removeExpiredCertificates() has been added
to remove expired certificates from ACME database.

- - - - -
0c1cac72 by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added ACMECertificate

The ACMECertificate has been added to encapsulate certificate
records in ACME database.

- - - - -
d3957e6c by Endi S. Dewata at 2020-07-30T10:58:42-05:00
Added retention policy for ACME certificates

The ACME responder has been modified to support retention policy
for certificate records in ACME database.

- - - - -
4bbb201c by Stanislav Levin at 2020-07-30T10:59:56-05:00
Add missing required targets for pki-acme-classes target

Parallel build fails because of the races caused by the missing
(not yet built) jars.

Fixes: https://pagure.io/dogtagpki/issue/3196
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
0cff9cd5 by Stanislav Levin at 2020-07-30T13:08:14-05:00
Fix instance nssdb directory ownership

There was a typo in the code which sets the ownership
of the NSS DB directory and its content. As a result,
the group with the same gid as the pkiuser uid
can control this directory.

Fixes: https://pagure.io/dogtagpki/issue/3195
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
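
The ownership typo in the commit above is a recurring bug class: chown(path, uid, uid) instead of chown(path, uid, gid), which hands the NSS database to whatever group happens to share pkiuser's numeric uid. The Python below is an added example and not pki-server code. The uid/gid values and the instance paths are constructed; the check works on stat-like records so it runs without root, and repair_tree() is the privileged counterpart for a real instance directory.

```python
"""Detect and repair an NSS database directory whose group was set from
the uid instead of the gid.

Added example, not pki-server code. The uid/gid values and paths are
constructed. find_misowned() works on records so it runs unprivileged;
scan_tree()/repair_tree() are the real-filesystem counterparts.
"""
import os
from dataclasses import dataclass, replace as with_fields
from typing import Callable, Dict, Iterable, List, Tuple

OwnerFn = Callable[[int, int], Tuple[int, int]]


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int


def buggy_owner(uid: int, gid: int) -> Tuple[int, int]:
    """The typo: the group argument is taken from the uid."""
    return uid, uid


def fixed_owner(uid: int, gid: int) -> Tuple[int, int]:
    return uid, gid


def apply_ownership(entries: Iterable[Entry], owner: OwnerFn,
                    uid: int, gid: int) -> List[Entry]:
    """Simulate chown over the tree with a given owner-selection function."""
    new_uid, new_gid = owner(uid, gid)
    return [with_fields(e, uid=new_uid, gid=new_gid) for e in entries]


def find_misowned(entries: Iterable[Entry], uid: int, gid: int) -> List[str]:
    """Paths whose owner or group is not the expected pkiuser uid/gid."""
    return [e.path for e in entries if (e.uid, e.gid) != (uid, gid)]


def scan_tree(root: str) -> List[Entry]:
    """Read real ownership with lstat (symlinks are not followed)."""
    entries: List[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            entries.append(Entry(p, st.st_uid, st.st_gid))
    return entries


def repair_tree(root: str, uid: int, gid: int) -> List[str]:
    """Privileged fix: lchown every misowned path to uid:gid; returns what changed."""
    changed: List[str] = []
    for e in scan_tree(root):
        if (e.uid, e.gid) != (uid, gid):
            os.lchown(e.path, uid, gid)
            changed.append(e.path)
    return changed


def demo() -> Dict[str, object]:
    """Constructed instance: pkiuser is uid 996 / gid 994, and gid 996
    belongs to some other service account, so the typo is not harmless."""
    uid, gid = 996, 994
    tree = [Entry("/etc/pki/pki-tomcat/alias", 0, 0),
            Entry("/etc/pki/pki-tomcat/alias/cert9.db", 0, 0),
            Entry("/etc/pki/pki-tomcat/alias/key4.db", 0, 0)]
    buggy = apply_ownership(tree, buggy_owner, uid, gid)
    fixed = apply_ownership(tree, fixed_owner, uid, gid)
    return {"buggy_gid": buggy[0].gid,
            "buggy_misowned": find_misowned(buggy, uid, gid),
            "fixed_misowned": find_misowned(fixed, uid, gid)}
```

On a real instance the equivalent audit is find_misowned(scan_tree(alias_dir), uid, gid) with the ids from pwd.getpwnam("pkiuser"); an empty list is the expected result.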
34807cb7 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Refactored PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS

The PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS has been
replaced with pki.server.DEFAULT_LINK_MODE.

- - - - -
0aeacb09 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated log messages in PKIInstance

- - - - -
268c08ea by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME Podman doc

- - - - -
a287c3a0 by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Reorganized ACME install doc

- - - - -
e4c35cbc by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Updated links to ACME config doc

- - - - -
fc95262d by Endi S. Dewata at 2020-07-30T16:33:20-05:00
Restored ACME tech preview notification

- - - - -
bedf1adc by Endi S. Dewata at 2020-07-30T22:06:05-05:00
Renamed value field in ACMENonce

The value field in ACMENonce has been renamed to id
for consistency.

- - - - -
183558fa by Endi S. Dewata at 2020-07-30T22:11:52-05:00
Renamed nonce value variables in ACMEDatabase

The nonce value variables in ACMEDatabase have been renamed
to nonceID for consistency.

- - - - -
63368b0f by Endi S. Dewata at 2020-07-30T22:11:57-05:00
Renamed nonce value column/attribute in ACME database

The nonce value column/attribute in ACME database
has been renamed to id for consistency.

- - - - -
a1235c3e by jmagne at 2020-07-31T10:20:48-07:00
Address Bug 1462291 - CRL autoupdate from CS.cfg (#503)

This fix allows the admin to request that a change to this crl CS.cfg setting:

ca.crl.MasterCRL.autoUpdateInterval=xxx

This fix will allow the system to attempt to use the new value of auto update
immediately. The previous longstanding behavior was to have the new interval take effect
AFTER the currently scheduled nextUpdate time.

What this fix does is allow the use of a new CS.cfg parameter:

ca.crl.MasterCRL.autoUpdateInterval.effectiveAtStart=true

This parameter must be inserted before a restart to allow this behavior to take place at all.
Without the param everything should be working as normal.

After changing the CS.cfg value, the server must be restarted.

At this point the delay time for the next update will be calculated based on the new auto update interval.

Previously the code would simply ignore the new calculated value and take whatever is already encoded into the
"nextUpdate" field of the crl.

This fix allows the new value to be accepted. Here are some caveats on how this thing behaves:

1. If the autoUpdate interval is made smaller, this thing works as expected, having the next update take place
in roughly the amount of time in the new interval.

2. If making the interval smaller makes the calculated next update fall in the past, the update will occur now and then the
nextUpdate will be calculated with the new schedule.

3. If the admin makes the autoUpdate interval larger, the behavior is a little different.
Due to the fact that the calculations made with the new interval are based off of starting with the time stamp
for "yesterday" or the very first daily update from yesterday, the new nextUpdate time calculated may be less
than simply adding the new interval to the last update.

This fix was coded by allowing the current very complicated algorithm that calculates the nextUpdate to do its thing
while at the end of the process, this code simply chooses what is calculated instead of what is already encoded within
the crl's nextUpdate field.

Therefore if the new param is never set, nothing changes. This param should be used with care.

If the agent goes to the display crl page, the new value can easily be viewed as well as the debug log.

4. After the operation takes place the flag inside the server will be cleared and this feature will no longer
be attempted while the server is running.

5. The admin must clear the schedulUpdated setting before the restart to assure normal operation after the next restart.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
607407e2 by Christina Fu at 2020-07-31T11:40:54-07:00
Bug1805541 Doc for Certificate Transparency with embedded SCT

Created CertificateTransparency.adoc which provides documentation for
the Certificate Transparency feature for the RHCS Administrator's guide.

https://bugzilla.redhat.com/show_bug.cgi?id=1805541

- - - - -
7b6b6aa8 by Christina Fu at 2020-07-31T16:39:21-07:00
CertificateTransparency.adoc default mode is "disabled" instead of "enabled"

- - - - -
0932b0ea by jmagne at 2020-07-31T17:02:54-07:00
Resolve: Bug 1454922 - [RFE] Need Ability to set the CRL This Update to be a Future Date when Generating a CRL. (#504)

This fix allows the admin to request this feature only by using the command line sslget utility to make such a request.

The result will be having the "thisUpdate" field of the generated crl set to some arbitrary date in the future.
The nextUpdate field will be calculated as normal by calculating that as an offset to the future thisUpdate value requested.

There is also a new CS.cfg value designed to simply disallow the use of the feature whatsoever:

ca.crl.MasterCRL=forbidFutureThisUpdateValue=true (which is the default)  will ignore any attempts to use this feature.

This feature does not as of yet support the GUI and will ONLY be available when using sslget to request a CRL update on demand.

Also there is a parameter to sslget that will allow the user to erase or cancel the whole custom future thisUpdate and
return crl processing to normal. Examples to follow:

Example 1, request an updated CRL with a custom future thisUpdateValue:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&customFutureThisUpdateDateValue=2020:9:22:13:0:0"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

Note the param for this feature is customFutureThisUpdateDateValue=<date>
The date format is this: 2020:9:22:13:0:0

The Linux date utility can be used to make a date in this format. It's simply
year, month, day, hour, min, sec, with min and sec optional.
The month is 1-based, with Jan = 1.

Example 2: clear the whole future thisUpdate and get back to normal:

sslget -n "PKI Administrator for localhost.localdomain" -e "crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true&clearCRLCache=true&cancelCurCustomFutureThisUpdateValue=true"  -v -d . -p ""  -r /ca/agent/ca/updateCRL localhost.localdomain:8443

This will erase the current custom future thisUpdate and calculate the nextUpdate based on the actual current time.

This fix was done without affecting the complex calculations made to calculate update frequency. This only allows one, if they desire, to set thisUpdate to some futuristic time.

If a future thisUpdate time is chosen as in Ex 1, the nextUpdate time will be chosen based on that future date.

The Agent GUI can be used to display the CRL, which will reflect the new thisUpdate and nextUpdate values.

Co-authored-by: Jack Magne <jmagne at localhost.localdomain>
- - - - -
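
The two sslget examples above carry a small protocol of their own: a query string with bare parameter names, a year:month:day:hour[:min[:sec]] date with a 1-based month, a cancel parameter, and a CS.cfg switch that makes the CA ignore the whole feature by default. The Python below is an added example and not Dogtag CA code. The parameter names, the date format and the cancel parameter come from the commit message; treating the value as UTC, rejecting values that are not in the future, and computing nextUpdate as thisUpdate plus the issuing point's interval are assumptions.

```python
"""Parse the sslget parameters for an on-demand CRL update with a custom
future thisUpdate, honouring the forbid switch.

Added example, not Dogtag CA code. Parameter names and the date format are
from the commit message; UTC interpretation, the future-only check and the
nextUpdate arithmetic are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# The -e arguments from the two examples in the commit message.
EXAMPLE_1 = ("crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true"
             "&clearCRLCache=true&customFutureThisUpdateDateValue=2020:9:22:13:0:0")
EXAMPLE_2 = ("crlIssuingPoint=MasterCRL&signatureAlgorithm&waitForUpdate=true"
             "&clearCRLCache=true&cancelCurCustomFutureThisUpdateValue=true")


def parse_params(query: str) -> Dict[str, str]:
    """Bare names such as 'signatureAlgorithm' map to an empty value."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_custom_this_update(value: str) -> datetime:
    """'2020:9:22:13:0:0' -> aware UTC datetime; min and sec are optional."""
    parts = value.split(":")
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"expected year:month:day:hour[:min[:sec]], got {value!r}")
    nums = [int(p) for p in parts] + [0] * (6 - len(parts))
    year, month, day, hour, minute, second = nums   # month is 1-based already
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_update_times(params: Dict[str, str], interval: timedelta, *,
                     forbid_future: bool = True,
                     now: Optional[datetime] = None) -> Tuple[datetime, datetime, str]:
    """Return (thisUpdate, nextUpdate, outcome) for one updateCRL request.
    forbid_future models forbidFutureThisUpdateValue=true, the default."""
    now = now or datetime.now(timezone.utc)
    if params.get("cancelCurCustomFutureThisUpdateValue") == "true":
        return now, now + interval, "cancelled"
    raw = params.get("customFutureThisUpdateDateValue")
    if not raw:
        return now, now + interval, "normal"
    if forbid_future:
        return now, now + interval, "forbidden"
    this_update = parse_custom_this_update(raw)
    if this_update <= now:
        raise ValueError("custom thisUpdate must lie in the future")
    return this_update, this_update + interval, "custom"


def demo() -> Dict[str, Tuple[str, str, str]]:
    """Both examples against a constructed clock and an assumed 4-hour interval."""
    now = datetime(2020, 9, 1, 8, 0, tzinfo=timezone.utc)
    interval = timedelta(hours=4)
    out: Dict[str, Tuple[str, str, str]] = {}
    for name, query, forbid in [("ex1_allowed", EXAMPLE_1, False),
                                ("ex1_forbidden", EXAMPLE_1, True),
                                ("ex2_cancel", EXAMPLE_2, False)]:
        t, n, why = crl_update_times(parse_params(query), interval,
                                     forbid_future=forbid, now=now)
        out[name] = (t.isoformat(), n.isoformat(), why)
    return out
```

With the forbid switch left at its default the custom date is silently ignored and the CRL gets the normal thisUpdate, which matches the "will ignore any attempts" wording above; only an explicit opt-out lets the future date through.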
55d8a652 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 1)

The PostgreSQLDatabase has been modified to store timestamps
in UTC time zone.

- - - - -
880a02d9 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed PostgreSQL ACME database time zone (part 2)

The PostgreSQL ACME database has been modified to use
timestamps with time zone.

- - - - -
2a0a2fce by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Fixed LDAP ACME database time zone

The LDAPDatabase ACME has been modified to store timestamps
in UTC time zone.

- - - - -
4cfd4cc1 by Endi S. Dewata at 2020-07-31T19:46:29-05:00
Cleaned up PostgreSQLDatabase

The PostgreSQLDatabase has been modified to call connect()
only in public methods implementing LDAPDatabase.

- - - - -
b047c132 by Endi S. Dewata at 2020-07-31T21:16:44-05:00
Updated version number to 10.9.0-1

- - - - -
c5db17c8 by Dinesh Prasanth M K at 2020-08-06T12:38:16-04:00
Fix Secure connection issue when server is down

When the PKI server is down, the server is temporarily
brought up using a temporary SSL server cert. This cert
needs to be trusted to enable secure connection.

This patch:

* passes the instance's nssdb as the client nssdb to
  trust the SSL server created during cert-fix (offline
  cert renewal process).
* Gets the hostname using socket instead of from an env
  variable

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
f4b72edb by Endi S. Dewata at 2020-08-06T11:55:45-05:00
Updated version number to 10.9.1

- - - - -
0522193e by Timo Aaltonen at 2020-08-13T13:35:38+03:00
Merge branch 'upstream-next' into master-next

- - - - -
fbf3dcc4 by Timo Aaltonen at 2020-08-13T13:38:10+03:00
bump the release

- - - - -


30 changed files:

- .github/workflows/required-tests.yml
- CMakeLists.txt
- base/acme/CMakeLists.txt
- base/acme/conf/engine.conf
- base/acme/database/ldap/database.conf
- base/acme/database/ldap/schema.ldif
- base/acme/database/postgresql/create.sql
- base/acme/database/postgresql/statements.conf
- + base/acme/src/main/java/org/dogtagpki/acme/ACMECertificate.java
- base/acme/src/main/java/org/dogtagpki/acme/ACMENonce.java
- base/acme/src/main/java/org/dogtagpki/acme/database/ACMEDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/InMemoryDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/LDAPDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/database/PostgreSQLDatabase.java
- base/acme/src/main/java/org/dogtagpki/acme/issuer/NSSIssuer.java
- base/acme/src/main/java/org/dogtagpki/acme/scheduler/ACMEMaintenanceTask.java
- base/acme/src/main/java/org/dogtagpki/acme/scheduler/ACMEScheduler.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAccountService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEAuthorizationService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMECertificateService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEChallengeProcessor.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEChallengeService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEEngine.java
- + base/acme/src/main/java/org/dogtagpki/acme/server/ACMEEngineConfig.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEEngineConfigFileSource.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEFinalizeOrderService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewAccountService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewNonceService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMENewOrderService.java
- base/acme/src/main/java/org/dogtagpki/acme/server/ACMEOrderService.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/1adc82257e6015af3ace7de8faa868db8ccc6310...fbf3dcc4a57dd052b15b805597baec05af07ef23
