[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream] 17 commits: Make JDK dependency dynamic
Timo Aaltonen
gitlab at salsa.debian.org
Tue Sep 15 13:22:01 BST 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / dogtag-pki
Commits:
54715f2e by Alexander Scheel at 2020-08-21T10:39:20-04:00
Make JDK dependency dynamic
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
10e9741a by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add server dependency on jaxb-api
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f909302a by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add JAXB Implementation dependency for JDK11+
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
ac264424 by Alexander Scheel at 2020-08-21T10:39:20-04:00
Add Jakarta Activation dependency for JDK11+
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
1753780b by Alexander Scheel at 2020-08-21T11:14:11-04:00
Fix permissions when installing clone
When pkispawn runs, it executes as root. However, rarely is PKI
installed as root. The resulting permissions on ca.crt are 600,
preventing later pki-server migrate command from running, as it
runs as pkiuser, who doesn't have access to ca.crt. Fix the
permissions when we initially create ca.crt to be owned by pkiuser.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
c6381d1d by Alexander Scheel at 2020-08-31T12:05:00-04:00
Update javax-activation paths for Debian
As reported by Timo on IRC.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
9f9ef630 by Alexander Scheel at 2020-08-31T12:05:00-04:00
Migrate JAVA_HOME in instance configuration
When we upgrade from F32 to F33, we need to be able to upgrade JAVA_HOME
to set it to the new value. This value will also change on F32 (from a
JDK8-specific path to a generic path). This requires migration to happen
on subsystem start.
This means that the recommended way to configure JAVA_HOME to a value
OTHER than what's shipped in /usr/.../pki.conf becomes to set it in
/etc/.../pki.conf, and means that /etc/sysconfig/tomcat.conf gets
rewritten each time.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
a4c9fbe5 by Alexander Scheel at 2020-08-31T12:05:00-04:00
Enforce JDK 8 source and bytecode everywhere
This will ensure that, as F33 and later releases happen, we'll continue
developing code compatible with RHEL 8 and F32.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
0a085491 by Alexander Scheel at 2020-09-02T09:43:34-04:00
Move COPR to v10.9
Because v10.9 has been branched from master and a new COPR repo has been
created, we should use it instead of the v10.10/master branch COPR repo.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
1fd3016c by Alexander Scheel at 2020-09-03T11:57:44-05:00
Keep JAVA_HOME in tomcat.conf
Despite the name tomcat.conf, this is also the main configuration file
loaded by instances. Instances (especially pkispawn) expect config to be
only the Tomcat configuration, despite loading configuration from the
environment as well. Eventually, we should migrate all of this to use
the global configuration rather than the per-instance configuration.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
dc495b0a by Alexander Scheel at 2020-09-11T12:57:12-04:00
Remove SSL configuration; rely on crypto-policies
When TLSv1.3 support landed in Fedora and RHEL, crypto-policies enabled
it everywhere including in FIPS mode. However, because we bounded the
range above by TLSv1.2, we wouldn't negotiate TLSv1.3 when communicating
with CA instances. crypto-policies should be the single source of truth
for these values, and we shouldn't limit ourselves artificially.
Instead, users should change crypto-policies to the correct policy for
their needs.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
24985cb8 by Alexander Scheel at 2020-09-11T12:57:12-04:00
Enable PHA in legacy SSLSocket
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
70f7b2b5 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Updated version number to 10.9.3
- - - - -
62123c49 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Add JAVA_VERSION for CMake
The RPM spec and CMake files have been modified to detect the
actual Java version used to build PKI and add the appropriate
libraries for that version.
- - - - -
12e21c54 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Fixed missing sslserver and subsystem certs
When installing an additional subsystem into an instance,
the deployment scriptlet has been modified to copy the
cert and request data for sslserver and subsystem certs
from the existing subsystem.
https://bugzilla.redhat.com/show_bug.cgi?id=1869893
- - - - -
e4a32051 by Endi S. Dewata at 2020-09-11T16:39:37-04:00
Added upgrade script to fix missing cert/request data
An upgrade script has been added to fix the missing sslserver
and subsystem cert/request data by copying it from another
subsystem.
https://bugzilla.redhat.com/show_bug.cgi?id=1869893
- - - - -
29b7d321 by Alexander Scheel at 2020-09-11T16:39:37-04:00
Update version number to v10.9.4
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
23 changed files:
- .classpath
- .github/workflows/required-tests.yml
- CMakeLists.txt
- base/CMakeLists.txt
- base/common/CMakeLists.txt
- base/common/share/etc/pki.conf
- base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
- base/java-tools/src/com/netscape/cmstools/HttpClient.java
- base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
- base/server/CMakeLists.txt
- base/server/python/pki/server/cli/migrate.py
- base/server/python/pki/server/deployment/scriptlets/configuration.py
- base/server/python/pki/server/deployment/scriptlets/security_databases.py
- base/server/share/conf/pki.policy
- base/server/share/lib/systemd/system/pki-tomcatd-nuxwdog@.service
- base/server/share/lib/systemd/system/pki-tomcatd@.service
- + base/server/upgrade/10.9.3/01-FixMissingCertAndRequestData.py
- cmake/Modules/Java.cmake
- pki.spec
- pom.xml
- scripts/compose_pki_test_package
- tests/dogtag/dev_java_tests/run_junit_tests.sh
- tests/dogtag/pytest-ansible/provision/post_provision.yml
Changes:
=====================================
.classpath
=====================================
@@ -34,6 +34,12 @@
<classpathentry kind="lib" path="/usr/share/java/junit.jar"/>
<classpathentry kind="lib" path="/usr/share/java/ldapjdk.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jaxb-api.jar"/>
+ <classpathentry kind="lib" path="/usr/share/java/jaxb/jaxb-impl.jar">
+ <attributes>
+ <attribute name="optional" value="true"/>
+ </attributes>
+ </classpathentry>
+ <classpathentry kind="lib" path="/usr/share/java/jakarta-activation/jakarta.activation.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpclient.jar"/>
<classpathentry kind="lib" path="/usr/share/java/httpcomponents/httpcore.jar"/>
<classpathentry kind="lib" path="/usr/share/java/jboss-jaxrs-2.0-api.jar"/>
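Review bot: the two new entries are marked inconsistently: jaxb-impl.jar gets optional="true" but jakarta.activation.jar does not, even though both are only needed on JDK 11+ (on JDK 8 the JAXB and activation classes come from the JDK itself). Either mark both optional or neither, so an Eclipse workspace on a JDK 8 host does not report a missing-library error for one jar and silently tolerate the other.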
=====================================
.github/workflows/required-tests.yml
=====================================
@@ -29,7 +29,7 @@ jobs:
- name: Install PKI build deps
run: |
- dnf copr enable -y @pki/master
+ dnf copr enable -y @pki/10.9
dnf builddep -y --allowerasing --spec ./pki.spec
- name: Build PKI packages
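Review bot: the same COPR repo name is now repeated in four places in this workflow (here and in the three COPR_REPO env blocks below); the next branch will need another four-line edit. Define it once as a workflow-level env (for example `COPR_REPO: "@pki/10.9"` at the top) and reference `${{ env.COPR_REPO }}` in this run step and the per-job env blocks.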
@@ -55,7 +55,7 @@ jobs:
needs: build
runs-on: ubuntu-latest
env:
- COPR_REPO: "@pki/master"
+ COPR_REPO: "@pki/10.9"
container: fedora:${{ matrix.os }}
strategy:
matrix:
@@ -100,7 +100,7 @@ jobs:
BUILDDIR: /tmp/workdir
PKIDIR: /tmp/workdir/pki
LOGS: ${GITHUB_WORKSPACE}/logs.txt
- COPR_REPO: "@pki/master"
+ COPR_REPO: "@pki/10.9"
strategy:
matrix:
os: ['31', '32']
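Review bot: the test matrix still only covers Fedora 31 and 32, but the JDK 11+ runtime dependencies introduced in this push (pki.spec `%if 0%{?fedora} && 0%{?fedora} >= 33` for jaxb-impl and jakarta-activation) are only pulled in on Fedora 33. None of these jobs therefore exercises the code path the JAXB/activation changes are for; add '33' to the matrix or the dependency set stays untested until the next rebase.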
@@ -199,7 +199,7 @@ jobs:
BUILDDIR: /tmp/workdir
PKIDIR: /tmp/workdir/pki
LOGS: ${GITHUB_WORKSPACE}/logs.txt
- COPR_REPO: "@pki/master"
+ COPR_REPO: "@pki/10.9"
test_set: "test_caacl_plugin.py test_caacl_profile_enforcement.py test_cert_plugin.py test_certprofile_plugin.py test_ca_plugin.py test_vault_plugin.py"
strategy:
matrix:
=====================================
CMakeLists.txt
=====================================
@@ -31,6 +31,10 @@ if (NOT DEFINED THEME)
set(VERSION "dogtag")
endif(NOT DEFINED THEME)
+if (NOT DEFINED JAVA_VERSION)
+ set(JAVA_VERSION 11)
+endif(NOT DEFINED JAVA_VERSION)
+
string(REGEX REPLACE "^([0-9]+).*" "\\1" APPLICATION_VERSION_MAJOR ${VERSION})
string(REGEX REPLACE "^[0-9]+\\.([0-9]+).*" "\\1" APPLICATION_VERSION_MINOR ${VERSION})
string(REGEX REPLACE "^[0-9]+\\.[0-9]+\\.([0-9]+).*" "\\1" APPLICATION_VERSION_PATCH ${VERSION})
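Review bot: defaulting JAVA_VERSION to 11 when the caller does not pass -DJAVA_VERSION means a plain `cmake` invocation on a JDK 8 host (the RHEL 8 target the push explicitly wants to keep working) enables the Java 11+ symlink targets and then points them at jars that may not exist. The RPM build passes the detected value, but developer and Debian builds call cmake directly. Either default to the version detected from JAVA_HOME (CMake's find_package(Java) exposes Java_VERSION_MAJOR) or make the variable required with a clear message.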
=====================================
base/CMakeLists.txt
=====================================
@@ -174,6 +174,28 @@ find_file(JAXB_API_JAR
/usr/share/java
)
+find_file(JAXB_IMPL_JAR
+ NAMES
+ jaxb-impl.jar
+ PATHS
+ /usr/share/java/jaxb
+ /usr/share/java
+)
+
+find_file(JAKARTA_ACTIVATION_JAR
+ NAMES
+ jakarta.activation.jar
+ jakarta-activation.jar
+ javax.activation.jar
+ javax-activation.jar
+ PATHS
+ /usr/share/java/jakarta-activation
+ /usr/share/java/jakarta
+ /usr/share/java/javax-activation
+ /usr/share/java/javax
+ /usr/share/java
+)
+
find_file(JSS_JAR
NAMES
jss4.jar
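Review bot: neither find_file() call is followed by a check, so when jaxb-impl.jar or the activation jar is absent the variables are set to `JAXB_IMPL_JAR-NOTFOUND` and the create_symlink commands in base/common and base/server will happily create links to a path literally named `JAXB_IMPL_JAR-NOTFOUND`. The failure then surfaces only at runtime as a ClassNotFoundException in the server. Add, under the same JAVA_VERSION GREATER 10 condition used by the consumers, something like `if(NOT JAXB_IMPL_JAR) message(FATAL_ERROR "jaxb-impl.jar not found")` for both jars.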
=====================================
base/common/CMakeLists.txt
=====================================
@@ -28,7 +28,6 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_BASE_JAR} lib/jackson-jaxrs-base.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} lib/jackson-jaxrs-json-provider.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} lib/jackson-module-jaxb-annotations.jar
- COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} lib/jss4.jar
COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} lib/ldapjdk.jar
COMMAND ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
@@ -47,6 +46,18 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${COMMONS_NET_JAR} lib/commons-net.jar
)
+if(JAVA_VERSION GREATER 10)
+ add_custom_target(pki-java11plus-lib ALL
+ COMMENT "Creating links for library required in Java 11+")
+
+ add_custom_command(
+ TARGET pki-java11plus-lib
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} lib/jaxb-impl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} lib/jakarta.activation.jar
+ )
+endif(JAVA_VERSION GREATER 10)
+
add_custom_target(pki-man ALL
COMMENT "Creating PKI manuals")
@@ -147,7 +158,7 @@ install(
install(
DIRECTORY
- DESTINATION
+ DESTINATION
${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants
)
=====================================
base/common/share/etc/pki.conf
=====================================
@@ -38,33 +38,6 @@ export PKI_LOGGING_CONFIG
PKI_CLI_OPTIONS=
export PKI_CLI_OPTIONS
-# SSL version ranges
-# Valid values: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2
-SSL_STREAM_VERSION_MIN="TLS_1_0"
-export SSL_STREAM_VERSION_MIN
-
-SSL_STREAM_VERSION_MAX="TLS_1_2"
-export SSL_STREAM_VERSION_MAX
-
-SSL_DATAGRAM_VERSION_MIN="TLS_1_1"
-export SSL_DATAGRAM_VERSION_MIN
-
-SSL_DATAGRAM_VERSION_MAX="TLS_1_2"
-export SSL_DATAGRAM_VERSION_MAX
-
-# SSL default ciphers
-# This boolean parameter determines whether to enable default SSL ciphers.
-SSL_DEFAULT_CIPHERS="true"
-export SSL_DEFAULT_CIPHERS
-
-# SSL ciphers
-# This parameter lists SSL ciphers to enable/disable in addition to the default ciphers.
-# The list contains IANA-registered cipher names or hex IDs separated by white spaces.
-# https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
-# To disable a cipher, specify a "-" sign in front of the cipher name or ID.
-SSL_CIPHERS=""
-export SSL_CIPHERS
-
# Key wrapping parameter set
# This parameter specifies the encryption and key wrapping algorithms to use
# when storing secrets in the KRA, or creating CRMF data using CRMFPopClient.
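Review bot: removing these variables is a silent behaviour change for deployments that have set SSL_STREAM_VERSION_MIN/MAX or SSL_CIPHERS in /etc/pki/pki.conf to pin a TLS floor or cipher list: after this update those settings are still present in the admin's file but no longer read by anything (the MainCLI consumer is removed in this same push). Nothing here warns the operator. Consider having `pki-server upgrade` or `pki-server migrate` log a warning when any of the SSL_* names is still defined, and spell out in the release notes that crypto-policies (or, on platforms without it, the NSS defaults) now governs the negotiated range.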
=====================================
base/console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
=====================================
@@ -48,8 +48,6 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.ssl.SSLSocketListener;
-import org.mozilla.jss.ssl.SSLVersion;
-import org.mozilla.jss.ssl.SSLVersionRange;
import org.mozilla.jss.util.Password;
import org.mozilla.jss.util.PasswordCallback;
import org.mozilla.jss.util.PasswordCallbackInfo;
@@ -123,13 +121,8 @@ public class JSSConnection implements IConnection, SSLCertificateApprovalCallbac
} catch (Exception e) {
}
- SSLVersionRange streamRange = CryptoUtil.boundSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
- SSLVersionRange datagramRange = CryptoUtil.boundSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
- CryptoUtil.setSSLStreamVersionRange(streamRange.getMinVersion(), streamRange.getMaxVersion());
- CryptoUtil.setSSLDatagramVersionRange(datagramRange.getMinVersion(), datagramRange.getMaxVersion());
- CryptoUtil.setDefaultSSLCiphers();
-
s = new SSLSocket(host, port, null, 0, this, this);
+ s.enablePostHandshakeAuth(true);
s.addSocketListener(new SSLSocketListener() {
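Review bot: the new `s.enablePostHandshakeAuth(true)` needs a comment explaining why it is required, because the reason is not obvious from the diff: with the TLS 1.3 ceiling lifted, client-certificate authentication can only be requested by the server after the handshake (TLS 1.3 has no renegotiation), and without the PHA extension the console's socket would reject that request and client-cert auth to a TLS 1.3 CA would fail. Also note that this file enables PHA per socket while MainCLI uses the process-wide `SSLSocket.enablePostHandshakeAuthDefault(true)`; pick one convention so the three call sites stay in sync.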
=====================================
base/java-tools/src/com/netscape/cmstools/HttpClient.java
=====================================
@@ -132,16 +132,11 @@ public class HttpClient {
SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
- SSLVersionRange streamRange = CryptoUtil.boundSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
- SSLVersionRange datagramRange = CryptoUtil.boundSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
- CryptoUtil.setSSLStreamVersionRange(streamRange.getMinVersion(), streamRange.getMaxVersion());
- CryptoUtil.setSSLDatagramVersionRange(datagramRange.getMinVersion(), datagramRange.getMaxVersion());
- CryptoUtil.setDefaultSSLCiphers();
-
sslSocket = new SSLSocket(_host, _port);
// SSLSocket.setSSLVersionRange() needs to be exposed in JSS
// sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
sslSocket.addHandshakeCompletedListener(listener);
+ sslSocket.enablePostHandshakeAuth(true);
CryptoToken tt = cm.getThreadToken();
System.out.println("after SSLSocket created, thread token is "+ tt.getName());
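Review bot: the two comment lines left in context, `// SSLSocket.setSSLVersionRange() needs to be exposed in JSS` and the commented-out `sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);`, now describe exactly the TLS 1.0-1.2 pinning this commit is removing in favour of crypto-policies. They should go with the rest of the version-range code, otherwise the next reader will think restoring the ceiling is still the plan.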
=====================================
base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
=====================================
@@ -53,8 +53,7 @@ import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NotInitializedException;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
-import org.mozilla.jss.ssl.SSLVersion;
-import org.mozilla.jss.ssl.SSLVersionRange;
+import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
@@ -572,35 +571,7 @@ public class MainCLI extends CLI {
CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
manager.setThreadToken(token);
- // See default SSL configuration in /usr/share/pki/etc/pki.conf.
-
- String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
- String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
-
- SSLVersionRange streamRange = CryptoUtil.boundSSLStreamVersionRange(
- streamVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(streamVersionMin),
- streamVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(streamVersionMax)
- );
- CryptoUtil.setSSLStreamVersionRange(streamRange.getMinVersion(), streamRange.getMaxVersion());
-
- String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
- String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
-
- SSLVersionRange datagramRange = CryptoUtil.boundSSLDatagramVersionRange(
- datagramVersionMin == null ? SSLVersion.TLS_1_1 : SSLVersion.valueOf(datagramVersionMin),
- datagramVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(datagramVersionMax)
- );
- CryptoUtil.setSSLDatagramVersionRange(datagramRange.getMinVersion(), datagramRange.getMaxVersion());
-
- String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
- if (defaultCiphers == null || Boolean.parseBoolean(defaultCiphers)) {
- CryptoUtil.setDefaultSSLCiphers();
- } else {
- CryptoUtil.unsetSSLCiphers();
- }
-
- String ciphers = System.getenv("SSL_CIPHERS");
- CryptoUtil.setSSLCiphers(ciphers);
+ SSLSocket.enablePostHandshakeAuthDefault(true);
initialized = true;
}
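Review bot: dropping the environment-driven range and cipher configuration leaves the `pki` CLI with no override at all, and the commit message's fallback ("users should change crypto-policies") only holds on Fedora/RHEL. This is the Debian packaging branch; on a host where NSS is not wired to crypto-policies the effective range is whatever NSS was built with, and an operator who needs to talk to an old CA that only speaks TLS 1.0/1.1, or to forbid it, has lost the knob. At minimum the man page text that referred to the SSL_* variables in pki.conf needs updating, and the new process-wide `enablePostHandshakeAuthDefault(true)` deserves the same one-line justification as in JSSConnection (TLS 1.3 moves client-cert requests after the handshake).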
=====================================
base/server/CMakeLists.txt
=====================================
@@ -116,6 +116,18 @@ add_custom_command(
COMMAND ${CMAKE_COMMAND} -E create_symlink ${COMMONS_NET_JAR} common/lib/commons-net.jar
)
+if(JAVA_VERSION GREATER 10)
+ add_custom_target(pki-server-java11plus-lib ALL
+ COMMENT "Creating links for server library required in Java 11+")
+
+ add_custom_command(
+ TARGET pki-server-java11plus-lib
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} common/lib/jaxb-impl.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} common/lib/jakarta.activation.jar
+ )
+endif(JAVA_VERSION GREATER 10)
+
# Create /usr/share/pki/server/webapps/pki/WEB-INF/lib. This can be customized for different platforms in RPM spec.
add_custom_target(pki-server-webapp-lib ALL
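Review bot: this block is a line-for-line copy of the one added to base/common/CMakeLists.txt, differing only in the `common/lib/` prefix, and it repeats the same unchecked use of `${JAXB_IMPL_JAR}` and `${JAKARTA_ACTIVATION_JAR}` (symlinks to `*-NOTFOUND` when find_file fails). Factor a small function taking the target name and destination directory into cmake/Modules so both callers share the version condition and a single not-found check.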
=====================================
base/server/python/pki/server/cli/migrate.py
=====================================
@@ -119,6 +119,7 @@ class MigrateCLI(pki.cli.CLI):
self.migrate_nssdb(instance)
self.migrate_tomcat(instance, tomcat_version)
self.migrate_subsystems(instance, tomcat_version)
+ self.migrate_service(instance)
def migrate_nssdb(self, instance):
@@ -601,3 +602,45 @@ class MigrateCLI(pki.cli.CLI):
os.symlink(source, dest)
os.lchown(dest, instance.uid, instance.gid)
+
+ def migrate_service(self, instance):
+ self.migrate_service_java_home(instance)
+
+ def migrate_service_java_home(self, instance):
+ # When JAVA_HOME in the Tomcat service config differs from the
+ # value in /usr/share/pki/etc/pki.conf, update the value in
+ # the service config.
+
+ if "JAVA_HOME" not in os.environ or not os.environ["JAVA_HOME"]:
+ logger.debug("Refusing to migrate JAVA_HOME with missing environment variable")
+ return
+
+ java_home = os.environ['JAVA_HOME']
+
+ # Update in /etc/sysconfig/<instance>
+ result = self.update_java_home_in_config(instance.service_conf, java_home)
+ self.write_config(instance.service_conf, result)
+
+ # Update in /etc/pki/<instance>/tomcat.conf
+ result = self.update_java_home_in_config(instance.tomcat_conf, java_home)
+ self.write_config(instance.tomcat_conf, result)
+
+ def update_java_home_in_config(self, path, java_home):
+ result = []
+
+ target = "JAVA_HOME="
+
+ with open(path, 'r') as conf_fp:
+ for line in conf_fp:
+ if not line.startswith(target):
+ result.append(line)
+ else:
+ new_line = target + '"' + java_home + '"\n'
+ result.append(new_line)
+
+ return result
+
+ def write_config(self, path, output):
+ with open(path, 'w') as conf_fp:
+ for line in output:
+ print(line, end='', file=conf_fp)
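Review bot: migrate_service_java_home opens instance.service_conf (/etc/sysconfig/<instance>) unconditionally, but both unit files in this push declare it optional (`EnvironmentFile=-/etc/sysconfig/%i`); on an instance without that file, `open(path, 'r')` raises FileNotFoundError from ExecStartPre and the service fails to start. Guard with os.path.exists (or catch FileNotFoundError and skip) before reading. Two smaller points in the same function: the comment says the value is updated "when JAVA_HOME in the Tomcat service config differs", but the code never compares and rewrites both files on every start, so compare the lines and skip write_config when nothing changed; and if a file has no `JAVA_HOME=` line at all the migration silently does nothing, which may be fine but is worth a debug log line.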
=====================================
base/server/python/pki/server/deployment/scriptlets/configuration.py
=====================================
@@ -568,6 +568,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
instance = self.instance
instance.load()
+ subsystems = instance.get_subsystems()
subsystem = instance.get_subsystem(deployer.mdict['pki_subsystem'].lower())
# configure internal database
@@ -654,6 +655,35 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
self.validate_system_certs(deployer, nssdb, subsystem)
+ elif len(subsystems) > 1:
+
+ for s in subsystems:
+
+ # find a subsystem that is already installed
+ if s.name == subsystem.name:
+ continue
+
+ # import cert/request data from the existing subsystem
+ # into the new subsystem being installed
+
+ logger.info('Importing sslserver cert data from %s', s.type)
+ subsystem.config['%s.sslserver.cert' % subsystem.name] = \
+ s.config['%s.sslserver.cert' % s.name]
+
+ logger.info('Importing subsystem cert data from %s', s.type)
+ subsystem.config['%s.subsystem.cert' % subsystem.name] = \
+ s.config['%s.subsystem.cert' % s.name]
+
+ logger.info('Importing sslserver request data from %s', s.type)
+ subsystem.config['%s.sslserver.certreq' % subsystem.name] = \
+ s.config['%s.sslserver.certreq' % s.name]
+
+ logger.info('Importing subsystem request data from %s', s.type)
+ subsystem.config['%s.subsystem.certreq' % subsystem.name] = \
+ s.config['%s.subsystem.certreq' % s.name]
+
+ break
+
else: # self-signed CA
# To be implemented in ticket #1692.
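Review bot: the copy uses direct indexing (`s.config['%s.sslserver.cert' % s.name]`), so if the first existing subsystem is itself missing any of the four keys the installer dies with a KeyError, and because of the `break` no other subsystem is tried. The upgrade script added in the same push (10.9.3/01-FixMissingCertAndRequestData.py) already has find_source_subsystem() that checks all four keys with .get() before choosing a source; reuse that selection logic here (or loop over subsystems until one has all four values, and fail with a clear message otherwise) so the install path and the upgrade path behave the same.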
=====================================
base/server/python/pki/server/deployment/scriptlets/security_databases.py
=====================================
@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# Export CA certificate to PEM file; same command as in
# PKIServer.setup_cert_authentication().
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
+ pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
cmd_export_ca = [
'openssl', 'pkcs12',
'-in', pki_clone_pkcs12_path,
- '-out', os.path.join(pki_server_database_path, 'ca.crt'),
+ '-out', pki_ca_crt_path,
'-nodes',
'-nokeys',
'-passin', 'pass:' + pki_clone_pkcs12_password
@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
stderr=subprocess.STDOUT).decode('utf-8')
logger.debug('Result of CA certificate export: %s', res_ca)
+ # At this point, we're running as root. However, the subsystem
+ # will eventually start up as non-root and will attempt to do a
+ # migration. If we don't fix the permissions now, migration will
+ # fail and subsystem won't start up.
+ pki.util.chmod(pki_ca_crt_path, 0o644)
+ pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
+ deployer.mdict['pki_gid'])
+
ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
if ca_cert_path and os.path.exists(ca_cert_path):
destination = os.path.join(instance.nssdb_dir, "ca.crt")
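Review bot: the 0o644 is correct only because the export two hunks up runs `openssl pkcs12 ... -nodes -nokeys`, so ca.crt can never contain key material; please say that explicitly in the new comment, since a future change that drops `-nokeys` would turn this chmod into a private-key exposure. Also worth raising while this command is being touched: `-passin pass:<password>` puts the clone PKCS#12 password on the openssl command line, where it is readable by any local user via /proc during the export; that predates this hunk, but passing it through `-passin stdin` or a file with `-passin file:` would close it.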
=====================================
base/server/share/conf/pki.policy
=====================================
@@ -48,6 +48,14 @@ grant codeBase "file:/usr/share/java/jaxb-api.jar" {
permission java.security.AllPermission;
};
+grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jakarta-activation/jakarta.activation.jar" {
+ permission java.security.AllPermission;
+};
+
grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" {
permission java.security.AllPermission;
};
=====================================
base/server/share/lib/systemd/system/pki-tomcatd-nuxwdog@.service
=====================================
@@ -10,6 +10,8 @@ Environment="NAME=%i"
Environment="STARTED_BY_SYSTEMD=1"
Environment="WD_PIPE_NAME=%i"
EnvironmentFile=-/etc/sysconfig/%i
+EnvironmentFile=/usr/share/pki/etc/pki.conf
+EnvironmentFile=/etc/pki/pki.conf
ExecStartPre=+/usr/bin/setfacl -m u:pkiuser:wx /run/systemd/ask-password
ExecStartPre=/usr/bin/pki-server-nuxwdog
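Review bot: the two new EnvironmentFile lines have no `-` prefix, unlike `EnvironmentFile=-/etc/sysconfig/%i` just above, so if /etc/pki/pki.conf is ever absent (for example on a host that never had the file installed, or where an admin removed it to fall back to defaults) systemd refuses to start the unit with "Failed to load environment files". Confirm the package always ships /etc/pki/pki.conf as a config file; if that is not guaranteed on every target platform, use `EnvironmentFile=-/etc/pki/pki.conf`.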
=====================================
base/server/share/lib/systemd/system/pki-tomcatd@.service
=====================================
@@ -8,6 +8,8 @@ EnvironmentFile=/usr/share/pki/etc/tomcat.conf
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/sysconfig/%i
+EnvironmentFile=/usr/share/pki/etc/pki.conf
+EnvironmentFile=/etc/pki/pki.conf
ExecStartPre=/usr/sbin/pki-server upgrade %i
ExecStartPre=/usr/sbin/pki-server migrate %i
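Review bot: the ordering of the EnvironmentFile lines matters here and looks inverted. systemd reads EnvironmentFile entries in the order listed, with later files overriding earlier ones, so the global /usr/share/pki/etc/pki.conf and /etc/pki/pki.conf added after `EnvironmentFile=-/etc/sysconfig/%i` now override any JAVA_HOME (or other variable) an admin set in the per-instance file; and the `pki-server migrate %i` ExecStartPre then rewrites that per-instance file with the global value, so the override is lost on disk as well. Commit 9f9ef630 acknowledges that the global file becomes the recommended place, but if a per-instance override is still meant to be possible, the two pki.conf lines should be placed before the /etc/sysconfig/%i line; if it is not, the man page and the comment in migrate.py should say that /etc/sysconfig/<instance> is managed and will be overwritten.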
=====================================
base/server/upgrade/10.9.3/01-FixMissingCertAndRequestData.py
=====================================
@@ -0,0 +1,76 @@
+# Authors:
+# Endi S. Dewata <edewata at redhat.com>
+#
+# Copyright Red Hat, Inc.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+from __future__ import absolute_import
+import logging
+
+import pki
+
+logger = logging.getLogger(__name__)
+
+
+class FixMissingCertAndRequestData(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(FixMissingCertAndRequestData, self).__init__()
+ self.message = 'Fix missing SSL server and subsystem cert/request data'
+
+ def upgrade_instance(self, instance):
+
+ subsystems = instance.get_subsystems()
+
+ # there should be at least a source and a target
+ if len(subsystems) < 2:
+ return
+
+ logger.info('Finding a subsystem that has the cert/request data')
+ source = self.find_source_subsystem(subsystems)
+
+ # fix all subsystems other than the source
+ for subsystem in subsystems:
+
+ if subsystem.name == source.name:
+ continue
+
+ logger.info('Importing cert/request data into %s subsystem', subsystem.name)
+ self.backup(subsystem.cs_conf)
+
+ subsystem.config['%s.sslserver.cert' % subsystem.name] = \
+ source.config['%s.sslserver.cert' % source.name]
+
+ subsystem.config['%s.subsystem.cert' % subsystem.name] = \
+ source.config['%s.subsystem.cert' % source.name]
+
+ subsystem.config['%s.sslserver.certreq' % subsystem.name] = \
+ source.config['%s.sslserver.certreq' % source.name]
+
+ subsystem.config['%s.subsystem.certreq' % subsystem.name] = \
+ source.config['%s.subsystem.certreq' % source.name]
+
+ subsystem.save()
+
+ def find_source_subsystem(self, subsystems):
+
+ # check each subsystem
+ for subsystem in subsystems:
+
+ if not subsystem.config.get('%s.sslserver.cert' % subsystem.name):
+ continue
+
+ if not subsystem.config.get('%s.subsystem.cert' % subsystem.name):
+ continue
+
+ if not subsystem.config.get('%s.sslserver.certreq' % subsystem.name):
+ continue
+
+ if not subsystem.config.get('%s.subsystem.certreq' % subsystem.name):
+ continue
+
+ # if the subsystem has the cert/request data, use it as the source
+ return subsystem
+
+ raise Exception('Unable to find source subsystem')
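Review bot: the script does `import pki` but references `pki.server.upgrade.PKIServerUpgradeScriptlet`; that only resolves because the upgrade framework has already imported pki.server.upgrade into the process, so make it an explicit `import pki.server.upgrade` as the other upgrade scriptlets do. Two behavioural points: when two or more subsystems exist but none has all four keys, find_source_subsystem() raises a bare Exception, which aborts the whole `pki-server upgrade` run from ExecStartPre and keeps the instance from starting, even though the instance was presumably running before; logging a warning and returning would be the safer failure mode, with a more specific exception type if aborting is really intended. And upgrade_instance() overwrites the target's sslserver/subsystem values even when they are already populated; checking the same four keys on the target and skipping subsystems that already have them would keep the script idempotent and avoid clobbering a subsystem that legitimately carries different request data.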
=====================================
cmake/Modules/Java.cmake
=====================================
@@ -84,6 +84,8 @@ function(javac target)
-encoding UTF-8
-cp ${native_classpath}
-d ${output_dir}
+ -source 1.8
+ -target 1.8
@${file_list}
WORKING_DIRECTORY
${source_dir}
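Review bot: `-source 1.8 -target 1.8` on a JDK 9+ compiler does not achieve what commit a4c9fbe5 sets out to do. Without `-bootclasspath` javac compiles against the running JDK's class library and only warns ("bootstrap class path not set in conjunction with -source 8"), so code that calls an API added in Java 9, 10 or 11 still compiles cleanly on Fedora 33 and only breaks on RHEL 8 / F32 at runtime. Use `--release 8` when JAVA_VERSION is greater than 8 (it checks against the Java 8 API signatures) and keep `-source/-target 1.8` for the JDK 8 compiler, which does not accept `--release`.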
=====================================
pki.spec
=====================================
@@ -12,7 +12,7 @@ License: GPLv2 and LGPLv2
# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
-Version: 10.9.2
+Version: 10.9.4
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
@@ -52,6 +52,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
################################################################################
%define java_home /usr/lib/jvm/jre-openjdk
+%define java_devel java-devel
+%define java_headless java-headless
%if 0%{?fedora} && 0%{?fedora} >= 33
%define min_java_version 1:11
@@ -157,7 +159,7 @@ BuildRequires: make
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
-BuildRequires: java-devel >= %{min_java_version}
+BuildRequires: %java_devel >= %{min_java_version}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk >= 4.22.0
@@ -331,7 +333,7 @@ PKI consists of the following components:
Summary: PKI Symmetric Key Package
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.7.0
Requires: nss >= 3.38.0
@@ -399,7 +401,7 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
@@ -425,6 +427,11 @@ Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
+%if 0%{?fedora} && 0%{?fedora} >= 33
+Requires: jaxb-impl >= 2.3.3
+Requires: jakarta-activation >= 1.2.2
+%endif
+
Requires: xalan-j2
Requires: xerces-j2
Requires: xml-commons-apis
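Review bot: the runtime Requires for jaxb-impl and jakarta-activation are gated on the distribution version (`fedora >= 33`), while the build-time symlinks in base/common/CMakeLists.txt and base/server/CMakeLists.txt are gated on the detected Java version (`JAVA_VERSION GREATER 10`, from the `java_version` computed in %build). Any build where those two disagree, for example JDK 11 on a Fedora 32 or RHEL builder, ships lib/jaxb-impl.jar and lib/jakarta.activation.jar as symlinks into packages that are not required, so they dangle on a minimal install. Gate the Requires on the same detected version (or the same `min_java_version` macro) so build and runtime cannot drift apart.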
@@ -492,6 +499,7 @@ Requires: tomcat >= 1:9.0.7
%endif
Requires: velocity
+Requires: sudo
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
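Review bot: `Requires: sudo` is new in this push but none of the seventeen commit messages mentions sudo, and no code change in the diff invokes it. Please either point at the code path that needs it (and say whether it is required at install time or only by some CLI) or drop it; adding a setuid privilege-escalation tool to a server package's hard dependencies without a stated reason is something a packager will be asked about.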
@@ -806,6 +814,13 @@ This package contains PKI test suite.
%build
################################################################################
+# get Java <major>.<minor> version number
+java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | sed -n 's/ *java.version *= *\([0-9]\+\.[0-9]\+\).*/\1/p'`
+
+# if <major> == 1, get <minor> version number
+# otherwise get <major> version number
+java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
+
# get Tomcat <major>.<minor> version number
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
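Review bot: if either sed fails to match (a differently formatted `java.version`, or `%{java_home}/bin/java` not being the JDK the macro expects), `$java_version` is empty and the build continues: `-DJAVA_VERSION=` below makes the variable defined-but-empty, so CMake's `if (NOT DEFINED JAVA_VERSION)` default does not apply and `JAVA_VERSION GREATER 10` is simply false, silently producing a package without the Java 11+ libraries. Add a guard such as `[ -n "$java_version" ] || { echo "unable to detect Java version"; exit 1; }` before it is used. The two-step sed (1.8 -> 8, 11.0 -> 11) is otherwise correct for both JDK 8 and JDK 11 version strings.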
@@ -815,11 +830,17 @@ else
app_server=tomcat-$tomcat_version
fi
+%if 0%{?rhel}
+%{__mkdir_p} build
+cd build
+%endif
+
%cmake \
--no-warn-unused-cli \
-DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var \
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
+ -DJAVA_VERSION=%{java_version} \
-DJAVA_HOME=%java_home \
-DPKI_JAVA_PATH=%java \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
@@ -837,9 +858,15 @@ fi
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \
+%if 0%{?rhel}
+ ..
+%else
-B %{_vpath_builddir}
+%endif
+%if 0%{?fedora}
cd %{_vpath_builddir}
+%endif
# Do not use _smp_mflags to preserve build order
%{__make} \
@@ -854,7 +881,11 @@ cd %{_vpath_builddir}
%install
################################################################################
+%if 0%{?rhel}
+cd build
+%else
cd %{_vpath_builddir}
+%endif
%{__make} \
VERBOSE=%{?_verbose} \
=====================================
pom.xml
=====================================
@@ -80,6 +80,18 @@
<scope>runtime</scope>
</dependency>
+ <dependency>
+ <groupId>com.sun.xml.bind</groupId>
+ <artifactId>jaxb-impl</artifactId>
+ <version>2.3.3</version>
+ </dependency>
+
+ <dependency>
+ <groupId>jakarta.activation</groupId>
+ <artifactId>jakarta.activation-api</artifactId>
+ <version>1.2.2</version>
+ </dependency>
+
<dependency>
<groupId>org.jboss.spec.javax.annotation</groupId>
<artifactId>jboss-annotations-api_1.2_spec</artifactId>
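Review bot: the Maven side pulls `jakarta.activation:jakarta.activation-api` (the API-only artifact), whereas the RPM side requires the `jakarta-activation` package and links `jakarta.activation.jar`, which is the com.sun.activation implementation artifact; please confirm the API jar is enough for the Maven build, or switch to `com.sun.activation:jakarta.activation` so both build paths resolve the same classes. Also, the dependency immediately above carries `<scope>runtime</scope>`; these two have no scope and therefore land on the compile classpath, which is fine for jaxb-impl only if the code really references com.sun.xml.bind classes directly, otherwise mark them runtime as well.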
=====================================
scripts/compose_pki_test_package
=====================================
@@ -118,6 +118,8 @@ CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-mcc.jar
CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
+CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar
+CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
=====================================
tests/dogtag/dev_java_tests/run_junit_tests.sh
=====================================
@@ -54,6 +54,7 @@ run_dev_junit_tests() {
CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar
CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar
+ CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar
CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar
CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar
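Review bot: this script gains only jakarta.activation.jar, while scripts/compose_pki_test_package in the same push adds both jakarta.activation.jar and /usr/share/java/jaxb/jaxb-impl.jar. On a JDK 11 test host the JUnit run will therefore find the JAXB API but no provider and fail with a JAXBException on the first marshal; add the jaxb-impl.jar entry here too so the two classpaths match.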
=====================================
tests/dogtag/pytest-ansible/provision/post_provision.yml
=====================================
@@ -11,5 +11,5 @@
when: ansible_distribution == "Fedora"
- name: set PKI master copr repo
- shell: dnf copr enable @pki/master -y
+ shell: dnf copr enable @pki/10.9 -y
when: ansible_distribution == "Fedora"
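Review bot: the task is still named "set PKI master copr repo" while it now enables @pki/10.9; rename it (or parametrise the repo name in a variable shared with the workflow) so the provisioning log does not claim the master repo is in use.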
View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/a6bf086a606542e1a0a7c4f832e75d64c4e906b4...29b7d32146a7bafa2fbcafe5630e140a359f98d2