[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 26 commits: Use %{_jvmdir} macro to define java_home in SPEC file

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Mon Nov 21 08:38:31 GMT 2022



Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
bcda2aa2 by Chris Kelley at 2022-01-20T16:41:28+00:00
Use %{_jvmdir} macro to define java_home in SPEC file

- - - - -
5e50093f by Endi S. Dewata at 2022-02-02T10:53:21-06:00
Exclude .git folder from Eclipse project

- - - - -
a907bbe7 by Endi S. Dewata at 2022-02-02T11:27:16-06:00
Update SCEP test

The SCEP test has been updated to use the pre-built SSCEP
package from the COPR repository.

- - - - -
cd3d9df7 by Endi S. Dewata at 2022-02-02T11:27:16-06:00
Fix pki-healthcheck for clones

Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
was trying to check KRA clone status by retrieving a key using
the subsystem cert. This operation did not work since the user
associated with the cert did not have access to the keys. The
code has been changed to get the status from GetStatus service
instead. The original code might be moved into IPA later so it
could run with IPA's RA agent credentials which would allow
access to the keys.

Previously the ClonesPlugin.contact_subsystem_using_sslget()
used sslget to call GetStatus service and returned the entire
output which was then incorrectly processed in XML format. The
method has been renamed to get_status() and changed to use
PKIConnection and process the response in either JSON or XML
format, then only return the subsystem status. All callers
have been updated accordingly.

The ClonesPlugin.contact_subsystem_using_pki() is no longer
used so it has been removed.

- - - - -
1789b74a by Endi S. Dewata at 2022-02-02T13:41:06-06:00
Update pki-healthcheck tests

- - - - -
7431b7be by Endi S. Dewata at 2022-02-02T16:12:38-06:00
Fix typo in ClonesPlugin.get_status()

- - - - -
ee53a9b0 by Christina Fu at 2022-02-11T10:38:47-08:00
B1996141-subCA-adjustValidity

The CAValidityDefault is used by the profile caCMCcaCert during
subCA creation when using the CMC enrollment method.
While pkispawn auto-enrollment for subCA uses non CMC methods which
allows for use of the installAdjustValidity parameter to adjust
the notAfter date to match that of the signing CA's, the CAValidityDefault
does not.

This patch reads the bypassCAnotafter parameter in the CAValidityDefault
plugin so that by default the notAfter date will not supersede that of
the signing CA's.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1996141

- - - - -
f0de8cc3 by Endi S. Dewata at 2022-02-21T15:54:05-06:00
Use Java 17 for Fedora 36

- - - - -
eb8c180d by Endi S. Dewata at 2022-02-22T09:32:30-06:00
Add test for CA profiles

- - - - -
8ec59aa6 by Chris Kelley at 2022-03-29T07:14:29+01:00
Update Version to 11.0.4

- - - - -
778e91f4 by Christina Fu at 2022-04-12T14:47:40-07:00
Bug2074631-p12 password

This patch comments out debug lines containing auditContext.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2074631

- - - - -
71ac05dd by Chris Kelley at 2022-05-05T07:32:08+01:00
Use SHA-256 for authentication methods

- - - - -
44e8eb96 by Chris Kelley at 2022-05-06T07:21:25+01:00
Update version to v11.0.5

- - - - -
4551594a by Chris Kelley at 2022-07-14T15:54:44+01:00
Disable access to external entities when parsing XML

This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.

The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.

- - - - -
9706cdc2 by Timo Aaltonen at 2022-07-28T10:04:36+03:00
Merge branch 'upstream'

- - - - -
192c7775 by Christina Fu at 2022-08-05T19:07:29+01:00
Bug2070766-caServerKeygen_DirUserCert subject constraints

This patch replaces input of cert subject to that of the auth token.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=2070766

- - - - -
120aaadf by Christina Fu at 2022-08-05T19:09:10+01:00
Bug2070766 - upgrade-caServerKeygen_DirUserCert-profile

This patch provides the upgrade script to change the profile
 caServerKeygen_DirUserCert.cfg in an existing ca instance.

fix 2 for bug https://bugzilla.redhat.com/show_bug.cgi?id=2070766

- - - - -
97302f48 by Timo Aaltonen at 2022-08-19T11:05:45+03:00
version bump

- - - - -
1a62a722 by Timo Aaltonen at 2022-08-19T11:08:25+03:00
patches: Disable access to external entities when parsing XML. (Closes: #1014957)

- - - - -
140de462 by jmagne at 2022-08-31T10:04:37-07:00
Fix Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled (#4129)

This fix allows the "pki kra-key" cmds the ability to specify OAEP wrapping of the session key before sending the request to the server.

    Ex:

    pki -d . -v -oaep -n  "PKI KRA Administrator for CA RSA" -h  test.host.com -p 19443   kra-key-archive --clientKeyID ID-1 --passphrase 1234

    This example will archive the key using oaep to wrap the session key before sending to the server. If the server / kra is configured to use oaep
    instead of pkcs1, the operation will be successful.

    There will be a similar "-oaep" switch available for the kra-key-retrieve cmd as well.

- - - - -
b7f85da5 by Marco Fargetta at 2022-09-28T10:57:37+02:00
Limit the group membership add to existing users (#4172)

Fix the bug https://bugzilla.redhat.com/show_bug.cgi?id=2070335

- - - - -
56b5dcba by Chris Kelley at 2022-09-30T06:32:42+01:00
Update version to v11.0.6

- - - - -
3f5b5c65 by Timo Aaltonen at 2022-11-21T10:07:48+02:00
Merge branch 'upstream'

- - - - -
75722f22 by Timo Aaltonen at 2022-11-21T10:08:28+02:00
version bump

- - - - -
1d63a8a7 by Timo Aaltonen at 2022-11-21T10:11:42+02:00
control: Fix pki-base-java to depend on default-jre-headless instead of a versioned one, it shouldn't be necessary to hardcode it anymore. (Closes: #1024462)

- - - - -
cc2c15cb by Timo Aaltonen at 2022-11-21T10:17:18+02:00
drop upstreamed patch

- - - - -


30 changed files:

- .github/workflows/acme-tests.yml
- .github/workflows/ca-tests.yml
- .github/workflows/kra-tests.yml
- .github/workflows/ocsp-tests.yml
- .github/workflows/tks-tests.yml
- .github/workflows/tps-tests.yml
- .project
- base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
- base/ca/src/main/java/com/netscape/ca/CAService.java
- base/ca/src/main/java/com/netscape/cms/profile/def/CAValidityDefault.java
- base/ca/src/main/java/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
- base/ca/src/main/java/com/netscape/cms/servlet/processors/CAProcessor.java
- base/common/src/main/java/com/netscape/certsrv/account/Account.java
- base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
- base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
- base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
- base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
- base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
- base/common/src/main/java/com/netscape/certsrv/key/KeyClient.java
- base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
- base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
- base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/e9eddf60516fc3c248a05705685f8fc73f49d4c7...cc2c15cb73cbf691dbe4545c4c1a629263f564cf
