[Pkg-freeipa-devel] certmonger: Changes to 'refs/tags/debian/0.57-1'

Juan Gregorio Hernando Rivero ghe at alioth.debian.org
Fri Jun 29 17:19:21 UTC 2012


Tag 'debian/0.57-1' created by Ghe Rivero <ghe at debian.org> at 2012-06-29 17:18 +0000

Debian release 0.57-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEABECAAYFAk/t43sACgkQZttaNibwIPeJfgCcC+CqUfCNAFsFxbwQyqxSE6tF
zxMAn3U9ItSCkq49TNz7dl0PROI8cMYC
=REc/
-----END PGP SIGNATURE-----

Changes since the dawn of time:
Ghe Rivero (6):
      Updated distribution to unstable
      Added libnspr4-dev to build-depends
      Fixed nspr4 and nss3 libs path
      Added libnss3-dev to build-depends
      Added openssl to build-depends
      Removed template from watch

Nalin Dahyabhai (1347):
      - bare skeleton
      - some ideas about the state machine
      - minimal configure script
      - don't forget the docs
      - refine the logic a bit more
      - more thoughts on what the user experience should look like
      - flesh out what we track
      - the broad-strokes goal
      - merge in the gist of the cli proposals
      - initial back-end-store interface
      - sketch out some more internal interfaces
      - add more interfaces
      - some more details
      try to clarify more
      - first pass at what should be a working minimal per-cert state machine
      - comment parts of the iterator
      - try to get the main part logic sorted
      - try to work out an initial key-generation option
      - try to finish up a skeletal implementation... not quite there yet
      - add some logging
      - cache the cert locally
      - that's not supposed to be there
      - hook up cleanup-on-exit
      - rework some linkage so that we don't use CFLAGS for a library unless
      - start prototyping a client
      - start logging some errors
      - parse key size correctly
      - check if the key was saved, as we don't expect to ever have the
      - save the key in PEM format
      - save the CSR in PEM format
      - read the CSR in PEM format
      - provide a way to free the fds list
      - don't log that we're waiting
      - do the signing out-of-process
      - save the entry on every state change
      - provided a central point for hard-coded defaults
      - include a timestamp on stdio logs
      - fix a couple of leaks
      - don't forget to close that file
      - use maintainer mode
      - rework the help output to only output help about the command used
      - ugh. if we're doing notification asynchronously, we need to define a
      - set the subject name as the client requested
      - flush logged messages immediately (shouldn't matter)
      - update status
      - run autoheader directly
      - actually check for NSS now
      - note that CSR formats can't hold extensions
      - add an enum value for nssdb storage
      - handle nssdb storage arguments
      - read/write nssdb storage choices correctly
      - also log generation errors
      - take a shot at supporting nssdb storage for key and csr generation
      - work in some more defaults
      Merge branch 'master' of shell.devel.redhat.com:public_git/certmonger
      - update to clear up expiration-check logic, note that we need a
      - readability fix: write the default RSA modulus in hex
      - we also need to potentially track a token name
      - we also need to allow a token name to be specified
      - locate the slot for key generation in a different way
      - get closer to making csr generation work
      - search for the key pair more accurately
      - be more specific about which key didn't want a nickname
      - if we read an empty string, set it to NULL
      - finish the basic csr generation bits
      - normalize end-of-line when we encode the csr
      - comment update
      - read back multiline values correctly
      - add a dummy submitter for nssdb storage, too
      - note crmf
      - clean up use of nss's apis
      - aaargh, signatures are encoded as bitstrings, the length of the SECItem
      - the submission code isn't responsible for saving the certificate any more
      - add cert-save bits
      - add routines for saving a cert to the right storage location
      - add states for the storing-to-storage process
      - actually get signing working
      - being-saved = request
      - fix a compile warning
      - saving the cert to disk is not our responsibility
      - names for the new states
      - make the lifetime for self-signed certs build-time configurable
      - un-base64 a certificate before attempting to import it
      - populate the certificate when issuing it
      - use the build-time default lifetime
      - make both openssl and nss optional, and set up preprocessor macros and
      - make the selection of OpenSSL (files) or NSS (nssdb) something that
      - make the selection of OpenSSL (files) or NSS (nssdb) happen at runtime
      - make the selection of OpenSSL (files) or NSS (nssdb) a run-time thing
      - move selection of which library to use to generate the CSR to run-time
      - use conditionals to build (or not) the OpenSSL- and NSS-specific bits
      - fix detection of key-saved
      - correctly detect success
      - mark certs as v3
      - change the local ca type name from 'files' to 'dummy', since it also
      - fix a syntax error
      - be ready for new CA types
      - minor cleanups
      - make status updating properly async
      - note that we have new states for saving
      - fix a syntax error
      - ensure that these are always initialized
      - fix default requested subject name
      - add a wrapper for reading/refreshing cert contents
      - wire in the selection of the token for use in holding the keys
      - add missing file
      - link with talloc and tevent
      - switch to using talloc
      - handle async reading of the child output more correctly
      - don't try to talloc_strdup() a NULL pointer
      - convert the daemon to use tevent's main loop
      - oh yeah, the serial number
      - adjust some timings
      - fix a couple of error messages
      - remove unused header include
      - only save the cert to the record if it was issued
      - use a tevent-specific API rather than gettimeofday() to read the
      - add some tevent/dbus mainloop integration
      - add a header file for tdbus
      - do a blocking read of the certificate at startup
      - docs say we don't need to manually run autoheader, either
      - does anything actually do that?
      - incomplete implementation, but it basically works
      - oh, so that's how they get in there!
      - track a dnsName, too
      - start linking with xmlrpc-c
      - add some not-quite-working readback routines
      - add a second variable for tracking the location of the defaults file
      - start tracking the work-to-do list
      - we're going to use NSS for parsing certs and extensions, so it'll be
      - move timestamp parsing out of the files-specific code
      - list the certificate expiration date, too
      - rework the certificate parsing code a bit, making it more generic in the
      - drop some tracing log messages
      - wire in the parsing and dumping of certificate attributes
      - dump and read more attributes
      - actually tell the user when we don't know the expiration date
      - reparse the certificate when reading its parameters
      - clean up where we should be parsing extensions
      - start reading extensions from certificates
      - clarify that one item
      - add some estimates to how long things will take, spell out that the
      - note that we probably want to figure out where we come in when we're
      - settle on gplv3+ for the app, with lgplv3+ for client library that
      - make krb5 cflags and libs available
      - move the specific start function prototypes to submit-int.h
      - don't cause a double-free of cm_cert_email
      - parse subjectalternativename extensions
      - update
      - start building requested-extension values
      - parse OIDs from extendedKeyUsage into a list of numbers instead of
      - whoops, fix that compiler warning
      - build certificate extensions
      - try to populate the csr with extension values from the entry
      - handle tracking multiple email, hostname, and principal name values
      - make the friendlyname attribute a printablestring
      - move the NSS-specific functions out into their own header
      - finish work to populate CSRs with requested extensions and friendly names
      - rename free_if_entrys to free_if_entry_multi
      - the d-bus switch should happen before we make the switch to being a
      - fix the queue first
      - add a state where we re-read a just-saved certificate, so that when we
      - fixup queue handling. we haven't had a usable 64-bit libldb-devel in
      - if we fail to save the certificate to the NSSDB because the nickname's
      - report status correctly after re-attempting a save
      - connect to the bus at startup
      - note why we list a reading state here
      - try to remove keys with names that conflict with one that we're about
      - sketch out what a d-bus api might want to look like
      - try to flesh out what the D-Bus api will look like, a bit more
      - get tevent/dbus mainloop integration sorted
      - dispatch messages correctly, finally
      - start on the long road to exporting a D-Bus API
      - stub out marshal/demarshal code
      - dbus distinguishes between strings and paths on the wire
      - implement the easy set-argument functions
      - expand on the readme a bit
      - not actually a daemon yet
      - add another item
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - stub out some more of the marshalers, implement the simple ones
      - add some stuff to exercise argument set/get functions
      - don't take a talloc pointer on set_d
      - the regular get/append functions can do arrays, so use them for most
      - slight reorg
      - fix retrieving of array arguments
      - huh, i guess we don't actually need to send the message to parse it
      - i think this is how we send a string-to-variant dictionary across
      - move those initial variables to global scope
      restructure this so that it's easier to add stuff later
      - warning cleanup
      - clear returned pointers before doing anything, so they're zeroed even
      - parse array-of-dict_entry
      - actually free the iteration state, as promised
      - track the next tevent for an entry
      - stop using the address of the events array, in case it gets resized
      - add a way to get the number of entries
      - pass the main cm_context to the DBus functions
      - add a function to add entries at run-time
      - delegate our handler work to another function
      - try to namespace that a bit better
      - implement a few API calls to make sure everything looks right
      - start stubbing out add_request
      - add functions for parameters sss
      - new entries need to be saved to the store
      - some more easy functions
      - update the api doc to more closely reflect the known member names
      - do some renaming, start on the dbus-based client using the old one as
      - move definitions for known interfaces and whatnot to a shareable place
      - implement the client parts of add request
      - we don't do anything with usage yet, so drop it
      - drop some dead code
      - update the marshaling function we're using for request.get-cert-info
      - finish up initial "list" implementation
      - the shell of start-tracking and stop-tracking
      - add get_ssss, except with the last two being optional
      - right, fix that
      - use get_ssosos to simplify some logic
      - getcert doesn't use all of those libraries
      - finish what should be the parts of start/stop-tracking that need to
      - don't forget to free no-longer-needed dbus messages
      - break _kick into _stop_one and _start_one, and add a _restart_one
      - oh, we have a 'list' method working
      - note that the time is a time_t-style value
      - need declarations for dbus_bool_t
      - implement submission-related data
      - add a function for locating a particular entry in the dictionary
      - un-constify that search
      - check for duplicate certificate storage settings when adding
      - do something similar for the key, though it's optional
      - add get_ssosos() back
      - handle "none" key storage
      - having "default" storage for keys and certs is turning out to not make sense
      - allow not specifying a keyfile
      - fill out the rest of the new entry
      - do the actual add
      - drop some arguments that turn out to not be needed (at least, not yet)
      - case-insensitive compare with upper-case
      - fix some logic problem with strcasecmp()
      - at least return an empty structure from get_defaults()
      - note that with key type "NONE", we don't return a useful location
      - try get/set_ss, too
      - pass an empty string or string array to DBus if a caller passes us NULL
      - note that it's the storage type, not the key algorithm
      - pass in the cert filename correctly
      - log the right filename in case of error
      - finish get-cert-info
      - fix a dumb error using a char pointer as a buffer
      - fix duplicate detection logic
      - fix add_entry() to allocate a new ID if there isn't one already provided
      - when iterating over requests, don't lose track of where we are
      - free the right events
      - fix a logic error picking up the client-supplied key storage info
      - tweak initialization
      - tweak 'list' output again
      - clear the events array when we initialize it
      - fix reply of add-request
      - change _done to _stop_all and reuse _start in _add
      - learn to be a daemon
      - connect to the bus before forking
      - free the context again, trying not to doesn't solve anything
      - free any previous event handler if we allocate a new one in _service_one
      - routines to read information about the private key, based heavily on
      - for parity
      - attempt to read key info at startup
      - we don't use that variable
      - fix fall-through
      - clear the next_event pointer before calling service_one
      - clean up some of the next_event tracking
      - implement deciding what to do when we add an entry
      - just keep the name of the ca in the request entry
      - document and save the client-supplied CA name
      - don't double-free callbacks
      - sort out what a CA looks like
      - rename *file* to *entry* when it's really about an entry
      - fix the prototype
      - add the simple allocation
      - allow for potential other internal types later
      - clear up variable names to better distinguish requests from CAs
      - merge some of the logic to make reading/writing CA entries easier
      - track the CA list
      - always return at least one CA entry (the internal one)
      - work it so that submission routines get a pointer to the CA record on
      - be more generic about which files we ignore
      - whoops, i think that's another case
      - fix that syntax error
      - add some CA listing routines
      - save the ID, too (whoops)
      - add a way to query which CA we'll use
      - try to assign a CA to an entry when it's added
      - read the issuer name correctly
      - add a get_nickname for requests
      - show request names rather than paths
      - share the dbus names we use with the configure script
      - okay, no client library
      - no direct references to krb5
      - add some tagging targets
      - oh, right, include a pointer to the project hosting site
      - fixups for packaging
      - add some missing requires
      - try to avoid linking to libraries more than once
      - add an init script
      - update our status
      - do chkconfig/condrestart/stop in scriptlets
      - oh, actually create the pidfile
      - yeah, we actually need to create that pidfile
      - we *do* use libkrb5 directly
      - bump devel to 0.1
      - keep the pidfile open so that we hang on to the lock
      - add a serial number field for use by internal CAs
      - fix parsing errors with quoting
      - provide a way to query the current serial number for an internal CA
      - learn to increment a string-formatted serial number
      - learn to encode a serial number as raw bits or der
      - return the list of requests from get-requests as an array of paths,
      - fix the other get_requests case
      - ipa-getcert is *just* like getcert, but with a forced -c "IPA"
      - update status, make sure i don't forget the point later
      - fix a logic problem with submission
      - drop the spec now that we have working help output
      - use -N instead of -s for requesting a subject name
      - whoops, make sure i don't forget to add introspection data
      - actually do notifications
      - fixup default definition names
      - add this before i forget again
      implement request_get_notification_info
      - define delays in config.h
      - distinguish between requested key type and size and the one we find,
      - always restart the helper on poll
      - sort out external submission
      - update status
      - get used to waiting for... ever... on no descriptor
      - fix that caption
      - make rejected-by-the-ca a proper state in an attempt to whittle down
      - also make CA-is-unreachable an explicit test
      - fixup some logic for the we're-stuck case
      - break help output up into line-by-line arrays
      - conditionalize ipa-specific help
      - oh, we'll need that script
      - yeah, get that right
      - fix retrieval of "IPA" CA entry
      - in our debug mode, turn on tevent debugging
      - try not to add duplicate descriptors
      - make sense of CA-is-unreachable errors
      bump version number again
      - try to wrap kinit and ipa cert-request
      - rework watch handling to multiplex multiple dbus watches into one tevent fd
      - clean up handlers before requeuing them
      - bump version to 0.3
      - the CSR is expected in single line base64-encoded format
      - settle on a namespace for use with DBus
      - crank down the debugging a bit
      - now that the complicated submission stuff is handled by a helper which
      - don't lose track of making lifetimes configurable. we'll need that for
      - keep track of this oid especially
      - copy extensions from the request into the generated certificate
      - add extensions from the CSR to the certificate
      - don't use empty values to build useless requested-extension values
      - update status
      - when no DNS, principal name, email, eku, or subject is requested,
      - fix thinko - talloc_asprintf() needs a context first
      - return an internal error when we fail to allocate a reply message
      - check that we actually have a CA before attempting to use it
      - actually send errors when arguments for creating a new entry are wrong
      - build introspect.sh
      - typo fix
      - part of introspection
      - add more of the introspection data
      - be callable by our unique name, too (d-feet is very useful)
      - add argument information to everything
      - update status
      - oh, fixed that already
      - add a state for "i'm trying to submit to a CA, but i don't know which
      - allow introspection
      - bump version to 0.4
      - conform more closely with fedora guidelines
      - packaging cleanups
      - make the docs match the implementation
      - add a 'list-cas' command
      - make sure we mark empty lists with that required initial space
      - whitespace cleanup
      - whitespace cleanup
      - base log destination on whether or not we fork, so that -d0 works as expected
      - learn to translate from (sort of) descriptive labels to numeric OIDs
      - make most strings for translation, even though we don't translate yet
      - whitespace cleanup
      - don't forget the context there
      - try to resolve OID names to numbers before converting, and log an
      - don't find an empty item in a list
      - don't encode any principal names more than once
      - add more to the todo list
      - make the lifetime of self-signed certificates configurable
      - update
      - start working on the serial numbers
      - make cm_store_increment_serial always return an unsigned integer
      - as before
      - set serial numbers on self-signed certificates
      - add basicConstraints (critical=true,ca=false) to self-signed certificates
      - understand "id-ms-kp-sc-logon"
      - notes to self
      - add basic constraints even if there are no requested attributes
      - a little more detail on what we mean when there's no matching CA
      - update package changelog notes
      - fix a syntax error
      - export requested email/hostname/principal name in the environment
      - incorporate a principal name when we can
      - use talloc_steal() instead of talloc_reparent(), which requires a very
      - tweaks
      - fix syntax error
      - tweak so that we can try to figure out what the error was
      - make start-tracking and stop-tracking work as intended
      - give the optional-parameter response functions a workout
      - make the date for 0.5 right
      - add introspection data for the new modify function
      - make stopping safe to do multiple times
      - errors saving are a problem
      - implement entry and ca deletion
      - learn to remove an entry
      - implement base::remove_request
      - when told to stop-tracking, just remove the whole request
      - stop-tracking really makes us stop caring now
      - bump development version to 0.6
      - if we can't find a key with the nickname, check if there's a cert with
      - update
      - clean up help output just a bit
      - add a short certmonger man page
      - package the man page(s)
      - fix some inconsistencies in the formatting of help output
      - let the client try to set the request nickname, too
      - reorganize start/stop-tracking so that it makes more sense
      - move see-also to the end
      - remove the -e option -- why wouldn't we be tracking it?
      - fallout from making tracking implicitly part of whether or not we know
      - updates
      - use "refresh" instead of "renew"
      - man pages. some of them, anyway.
      - add/cleanup/consistentify man pages
      - implement -i for 'request'
      - and i actually have to fix that syntax
      - whoops, describe the new version
      - fix method names, because DBus doesn't let us use hyphens in method
      - there's little reason to use one variable to hold the CSR and a cookie
      - updates
      - check for and reject duplicate nicknames
      - tweak error messages
      - factor out the key-reading from the info-producing
      - factor out the search for the private key
      - don't overwrite the template subject with the template hostname
      - use key-location routines from keyreadi-n rather than our own
      - reuse keyiread-n's code for locating keys
      - gotta start somewhere
      - more more more
      - okay, that's more or less right, i think.
      - update to 0.7
      - add a generic subprocess handler to settle around
      - add the new files
      - fix typo in comment
      - switch to common subprocess code
      - don't ask for an fd we'll supply
      - switch to a common subprocess runner
      - move to using the common subprocess support
      - encode a windows UPN correctly (i.e., don't wrap it in an extra
      - move to shared code for running subprocesses
      - be mindful about freeing the arena
      - clean exit
      - don't forget to free the arena
      - default template settings don't make a lot of sense when NSS will
      - doc where we keep requests
      - make it possible to change a nickname
      - offer to rename requests during start-tracking, and make the flag for
      - free the old nickname before replacing it
      - don't try to fclose() NULL
      - revert the last change
      - harness a netlink socket to restart any requests in NEED_TO_SUBMIT
      - set close-on-exec on our netlink socket
      - don't try to watch a netlink socket if we failed to create one
      - start providing tools to test specific functions
      - add an exercise for reading key info
      - make log_none the default method
      - note why we got back to CSR generation
      - take re-enroll and rekey-and-resubmit off the table -- resubmit's the
      - handle modify "CA"
      - more tracing
      - add a 'resubmit' command
      - note that we can change the request nickname, too
      - handle changing the template subject/eku/principal/hostname/email
      - put off restarting submissions until some time after we stop getting
      - update status
      - begin tests
      - hook in tests
      - be more careful about using nicknames from possibly-underspecified entries
      - set logging
      - change the order to be more symmetric
      - include these in the tarball
      - fixes for 'make distcheck'
      - don't leak a key reference when we look up a key using a certificate
      - add a csrgen helper
      - be more careful about not including empty extension requests
      - compare generated CSRs based on the same key
      - don't bother generating the key with openssl before we do it ourselves
      - comments
      - oh mock, how you mock me
      - print a useful message when we resubmit and the user didn't specify
      - add a way to force the notBefore time on self-signed certificates
      - drop the redundant "OK" and extra newline
      - regenerate the signature in the request after we add things to it
      - we handle failures ourselves
      - give more info on failure
      - add a CSR submission harness
      - DER means the default values are omitted, so basicConstraints becomes
      - set the certificate version to 3
      - also log when we set the serial number
      - save whatever changes we've made to the entry file
      - yeah, we don't really care about the serial number so much any more
      - add a check for self-signing
      - we can parse the args right from our own request, works as well
      - wire in the diagnostic on setting and method call parsing arguments
      - don't prefix "00" when the serial number starts with "0" -- it's not necessary
      - print results in an order that makes sense
      - wire in check of correct incrementing of serial numbers
      - add a netlink watcher
      - check that we know how to save a certificate to its storage
      - add a quick check to make sure that we can read in cert parameters
      - try to upper-case the attribute type to get openssl to like it better
      - update the certificate with one that has a real issuer and subject
      - add wrappers for oid dictionary stuff
      - add some more OIDs
      - add some more OIDs
      - add regression test and exercise of OID lookup
      - no, don't want to connect to the X server
      - whoops, need these
      - include more tests in the tarballs
      - handle srcdir != builddir when running tests
      - modify cm_iterate() so that it doesn't need a context
      - work up a way to walk the state machine
      - walk the list of states correctly
      - don't bother trying to read from underspecified locations
      - log why we tried to open the file when noting that we couldn't
      - put a newline between the newly-base64-reencoded certificate and the
      - don't complain about ENOENT
      - don't complain about ENOENT
      - don't complain about ENOENT
      - read the certificate, too
      - check that we actually read the certificate itself, too
      - pad the hour part of a timestamp
      - add a separate need-to-notify state
      - add a separate need-to-notify state
      - add notify-method of 'stdout'
      - add notify-method of 'stdout'
      - exercise the per-request state machine
      - dump more information
      - add a way to filter messages
      - only resubmit on routing changes
      - add a sanity check
      - eek!
      - add a ca-unreachable state for testability, and rename rejected to ca-rejected
      - only pass in a CA if it matches what the client's configured to use
      - use the passed-in descriptor for the helper's stdout
      - add a "the CA's working on it" state
      - handle the no-keys case somewhat better
      - run some external enrollment helpers, too
      - don't expect duplicate "SUBMITTING" status
      - check the source of netlink updates
      - mark development as 0.9
      - sanity-check a new entry nickname or a new CA name before making any
      - add -I for changing the nickname for the submission request at resubmit-time
      - when we change a request's nickname, the object path changes, so we
      - redirect stderr for an individual test to devnull so that we don't
      - create and fix some warnings
      - call this 0.10
      - fix the buildrequires for xmlrpc-c
      - split out exit status info into a separate header
      - take a stab at certmaster
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - add a function for parsing command lines
      - make the environment variable names known
      - parse the specified command for arguments
      - add a status for 'unconfigured'
      - if we were unconfigured, just wait and try again much later
      - add a ca-client-was-unconfigured result
      - take the server uri and method from arguments, returning "unconfigured" if we didn't get both
      - nuke would-be duplicates
      - some help output (for me, at least)
      - be able to set up an in-memory ccache
      - stpcpy isn't portable
      - more on submission
      - fix help output example for specifying keytab location
      - do the CSR fixup for IPA internally
      - add arbitrary dictionary support, sort of
      - try to encode true/false values as booleans
      - one more note
      - this should fix xmlrpc-c detection on older releases
      - make the tests work with slightly-older automake
      - another attempt to make older automake happier
      - need these for the tests
      - a troubleshooting note
      - break the setting-up-a-ccache bits into a separate function
      - break up the xmlrpc work into pieces
      - make sure we get out of that loop
      - move declarations for new functions out
      - sort out parsing of results
      - redirect stdin/stderr to /dev/null
      - print error info to stderr
      - only try to interpret results if we got them
      - add the submit-x stuff to the library
      - break out reading-the-csr
      - the certmaster helper's done, more or less
      - also print help output in event of an empty CSR
      - add the ipa client, until it gets some more testing
      - make compilation of the ipa and certmaster submitters conditional
      - ensure there's always a certmaster CA entry
      - add config file parsing from John and Rob
      - defaults from configuration files
      - try for forwardable creds
      - be more tolerant of results not coming back as arrays
      - convert the base64 to PEM for output
      - only throw an error if we can't read the host from the configuration
      - warn that IPA requires a principal name
      - update for 2.0's configuration layout
      - reconnect on disconnect
      - add a sanity check on CA path names
      - don't forget that we need to provide a cookie when telling the client
      - man page updates
      - bundle and build the new man pages
      - fix the prototype
      - correct some compile warnings
      - fix netlink detection on Fedora 11
      - get rid of the attempt at a shell script submission helper
      - trap the details of a fault that hits when we try to talk to the server
      - log the helper output if it looks like a single-line error
      - try to interpret the fault code when the server gives us one
      - add a spot to store a CA-reported error
      - if we got a short error, save it
      - check exit status before claiming we saved a cookie
      - truncate the pidfile when we open it
      - note when we go to need-guidance state
      - take only the first line for status
      - don't assume that the config files we're attempting to read are there,
      - add error messages to the scripts
      - print an error if we got one
      - report more errors
      - clear any old CA errors when we restart submission
      - report the CA-reported error to clients that ask us about status
      - prepare for 0.12
      - update status
      - define pkglibexecdir because automake didn't always used to, and it
      - conditionalize the init script location for older releases
      - conditionalize init script locations again
      - make sure there's room for all three
      - count correctly
      - be more specific about names when we have problems setting up a ccache
      - note that we're using "host" by default
      - tag 0.12
      - correct a typo
      - default to renewing certificates by default
      - note that the request ID is an ID
      - add some for-the-wiki docs, with some horrible Unicode art just for fun
      - prepare for 0.13 since we're changing a default here
      - we don't have any LGPL components, just GPL ones
      - reword that
      - note that we might get some output in error cases
      - expand on type information
      - set the request ID correctly when in start-tracking
      - make sure that we don't allow request nicknames that can't be used as
      - match the docs: make 'request' ask for auto-renewal by default
      - read the server URI from /etc/ipa/default.conf, per guidance from rcritten
      - be ready for when IPA starts wrapping the result set in another struct
      - check key and certificate location at add-time to make sure they're
      - only pass absolute paths to the service
      - list 'resubmit' as one of our commands in the synopsis section
      - start getting ready to tag 0.14
      - sort the list of ttl values when we read it
      - force new entries to use the default monitoring TTL values
      - flush the pid file to disk, since we're keeping it open
      - fix the other case
      - go ahead and close the pidfile at startup
      - strip off any final '/' in directory names that the client passes to
      - mark this as 0.15
      - some more clean up of our handling of directory paths
      - set the umask at daemon startup
      - fix the section number in headers
      - define more rpmbuild directories to our temporary
      - fix some sloppiness wrt mentioning the public and private keys (kashyapc)
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - drop an unused variable
      - call this 0.17
      - make the D-Bus configuration file (noreplace) (#541072)
      - allow specifying a directory for storage, either with or without a
      - incorporate cflags and libraries using make variables, not autoconf variables
      - work around xmlrpc-c-config not listing all of the libraries we
      - handle either sql: or dbm: as a type of NSS database (see
      - don't worry so much if we can't determine a default realm
      - suppress additional messages when we're in the same state more than once
      - update copyright
      - more clearly sort read vs. read-write
      - initialize a key store before using it, if we have to
      - initialize the internal slots when we go to save certificates
      - clean up the test a bit; remove the database before checking on certsave
      - oh, didn't actually need to do anything before saving to the cert db
      - check that we can add to an already-initialized database
      - add record-keeping for PIN values and PIN files
      - log in to the key slot if we need to
      - eliminate the separate NSS-specific convenience library
      - log warnings when we have problems reading a PIN file
      - openssl versions may need NSS headers
      - split up pin headers
      - remove duplicates
      - finish wiring PIN callbacks to the OpenSSL-specific functions
      - wire up PIN callbacks to places where we log in to the key store
      - actually specify a cipher to use when encrypting generated keys
      - this should let us create encrypted databases
      - learn to initialize databases right
      - don't corrupt the heap by returning talloc data where prmem is needed
      - initialize the database with the right pin
      - clear up that loop
      - don't specify encryption when writing the key if we don't have a PIN to use
      - rework our search for the key so that, when we don't have a token
      - test handling of encrypted storage
      - well, we can create databases now
      - drop references to a cert PIN, because we don't encrypt them anyway
      - let a client tell us about PINs
      - wire in pin-setting options for the command-line client
      - when searching for a key, if we find a key, don't also look for certs
      - rework the method of walking the database for the certificate
      - update status -> pin files work now
      - get ready to call this 0.18
      - doc tweak
      - be ready for an eventual rhel6
      - move the hard-coded algorithm preferences to a common location
      - start working on making the preferred ciphers and hashes configurable
      - note dbm and sql both work
      - add API for reading back the PIN or the PIN file for a request
      - note that modify can update PIN info
      - add a state for "i tried to generate a key, but couldn't authenticate
      - read the newest of possibly multiple certs with the same nickname
      - add a proper OpenSSL prompter callback
      - add "can't access key store" checking
      - oops, fix inverted logic error
      - fix the OpenSSL callback
      - check for arguments correctly
      - warn when we need a PIN
      - sloppy merge
      - make the design docs and the state machine agree
      - figure out that newly-added-start-reading-keyi isn't "stuck"
      - start stubbing out need-a-pin states
      - add basic understanding for the new need-pin states
      - figure out reset states for need-pin states
      - establish a holding pattern for need-pin states
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - if we get a ca-rejected or ca-unconfigured error during submission,
      - be more consistent about timings
      - there's no reason to try again when we don't know which CA to contact
      - up the default self-signed lifetime from 30 days to 1 year
      - track certificate not-before date, and don't notify until at least an
      - fix that test
      - keep track of which token holds the key
      - don't forget a copyright date update
      - prune older versions of our certificate from the NSS database
      - replace issued/expiration terms with not-before/not-after, because we
      - only prune an old cert if *both* its not-before and not-after are
      - after reading the token name, free the slot info
      - quote the certificate token's name, too
      - record the name of the token that contained the certificate if we
      - store the token name if we get one
      - record the location of our configuration files
      - add more APIs for reading from a more traditional configuration file
      - deal with a file rename
      - work out more reading of preferences
      - compensate for a file rename
      - get used to not-before/not-after instead of issued/expiration
      - provide an empty configuration file for the tests
      - force our notification to use stdout
      - use a configuration file to read preferences for things
      - make the config file not be world-readable by default
      - this should work now
      - make config file parsing use the same logging functions as everything else
      - quiet some compiler warnings
      - fix an uninitialized variable that was breaking tests
      - add a tool for running certutil without a controlling tty
      - add the ability to add an array of strings as an argument
      - if we're retrying, don't return a password
      - we don't use that setting any more
      - reintroduce the concept of certificate PINs, for reading them back
      - use the cert pin when we start to read the certificate
      - initialize the database pin if we need to do that
      - initialize the database PIN correctly
      - get ready for upcoming changes to ipa
      - woo, more tests
      - whoops, we don't capture that line of output
      - tag 0.19
      - oops, need this, too
      - wait longer in between state transitions that don't have to happen immediately
      - note some longer-term plans for CAs
      - initialize the library correctly
      - tweak the "you must use -K when you use -N" error message for ipa-getcert (#579542)
      - initial gettext setup
      - tell gettext which version it is
      - don't need that
      - need dos2unix, too
      - remove a duplicate message
      - finish setting up for translations
      - make the default syslog destination in the certmonger.conf(5) man page
      - clean up lifetime parsing code and give it some testing
      - test some overflow cases
      - fix preprocessing of the default TTL list so that it shows up in the
      - get rid of a race in the test
      - don't leave "notifying" state until we're done notifying
      - bodge the "stdout" notification method to try to make sure that its
      - clarify what "it" is when recommending it not be changed
      - add a couple of comments
      - move the validity period for certificates, which is configuration and
      - adjust for where we set validity period now
      - substitute the installation sbindir as our path
      - return 2 when we don't understand the argument (Jenny Galipeau)
      - fix a formatting error
      - fix default-settings logic
      - pull out run-time flipping defaults, and just apply them when a
      - dwalsh already has policy written; apparently it was pretty
      - tag 0.20
      - getcert/*-getcert: relay the desired CA to the local service, whether
      - move read_csr_from_file to a separate file
      - also be ready to check for libxml2 and libcurl independently
      - change that. why not?
      - the rough shell of talking to dogtag
      - finish the http client bits
      - offer to read the submitter name from the configuration file
      - no need to list the quot variants twice
      - add "strip the header and footer" variation
      - add some logic to try to figure out what dogtag tells us
      - add some notes on how dogtag and clients interact so that i don't lose them
      - flesh out the default certmonger.conf so that people can get a
      - properly handle the case where neither the certmaster nor minion
      - probably should use getBySerial instead of displayBySerial
      - remove unused variable
      - remove duplicates from the list of principal names that we read from a
      - remove duplicate email and hostname values, too
      - don't expect a duplicate principal name value
      - fix a typo
      - use xpath to pull out parts of an xml response
      - tag 0.22
      whoops, fix the .spec file and retag
      - fix a couple of compiler warnings
      - explicitly check and error out of the result of attempting to obtain
      - tag 0.23
      - parse week (w) as an interval size
      - note the units that can be factored into validity period
      - assume that time without units is seconds
      - note that we default to assuming seconds
      - try weeks and unitless time specifications
      - try unit-specified time in combination with unit-not-specified, though
      - note which files are consulted for configuration data
      - be more careful about taking a lock on the pidfile, and don't modify
      - tag 0.24
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - open the pid file only after successfully connecting to D-Bus
      - yeah, that dependency may have to be removed
      - fix start/stop logic in case of manual startup or unexpected exit (still
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - don't forget that we actually call into libxml now
      - make the definition of the WITH_CURL_AND_XML conditional unconditional
      - recreate the subsys lock whenever we're called to start and we're
      - nitpick formatting
      - teach getcert's start-tracking mode about the -p and -P flags, so that
      - fix logic bug detecting whether or not we ever failed to log in to a token
      - expect us to correctly detect a locked database
      - note some changes
      - rename from certmonger.pot
      - regenerate
      - whoops, that newline doesn't belong there
      - add a bug number to the changelog entry
      - update last-translator, which gettext requires to be set to a
      - double-check that the nicknames of keys we get back from
      - take another stab at cleaning up private key list traversal
      - don't quibble about tokens named "NSS User Private Key and Certificate
      - add the scheme to the entry config files when running these tests
      - fix a typo
      - teach "start-tracking" about the -U, -K, -E, and -D options that
      - the first time we look at a certificate, if we don't have template
      - jdennis notes that rhcs 8.0 provides the info we need to actually interact
      - no, not going to teach 'getcert' to generate keys
      - note that it's a command, which can include arguments
      - handle ssoas
      - exercise the ssoas signature a bit
      - fix addition of known CAs
      - implement (add/remove)_known_ca
      - now just report template information when we're asked for it, since we
      - update
      - tag 0.25
      - tag 0.25
      - okay, sneak in a date change
      - when canceling a submission request that's being handled by a helper,
      - tag 0.26
      - check for api differences between krb5 implementations
      - use wrappers for apis that are different between kerberos implementations
      - use wrappers for apis that are different between kerberos implementations
      - add some missing preprocessor includes
      - don't check for krb5_princ_realm, which exists in both of the
      - just assume that if we have krb5_princ_component, we should use
      - just assume that if we have krb5_princ_component, we should use krb5_princ_realm
      - fixup includes so that we don't pull in every openssl header
      - settle for libcrypto if we can, since we don't actually need libssl
      - oh wait, we did certmaster already
      - check if NSS supports "sql:" databases
      - also check if 'dbm:' works as a prefix
      - use a temporary directory for the database tests
      - break out dbm: and sql: tests into their own tests, and don't bother
      - tweak formatting a bit
      - fixup the cleanup of certutil output for EL5
      - use PEM_write_PKCS8PrivateKey() instead of PEM_write_PrivateKey() to get
      - whoops, we actually use dbus-launch, too
      - dist the config file for the tests
      - okay, call this 0.27
      - configure the certificate lifetime properly
      - handle PRTime values correctly so that we don't truncate them to
      - tag 0.28
      - fix integer size mistakes in using DBus
      - fix dist so that it includes all of the newer tests
      - use distcheck rather than dist for a new release
      Merge branch 'master' of git.fedorahosted.org:/git/certmonger
      - update to 0.29
      - tell libc that we don't know what's going on with DST at the target
      - tag 0.30
      - comment why we made that change
      - be more careful about freeing no-longer-needed keytab/principal/contexts
      - try to SIGHUP the messagebus daemon at first install so that it'll
      - add an explicit dependency on the "dbus" package, to try to ensure
      - add cm_submit_uuid_new() to wrap UUID generation
      - generate subject- and issuer-unique-id values for self-signed certs
      - move submit-u into libcm_a to make uuid available
      - turn on use of UUIDs when self-signing
      - force a fixed unique ID when we self-sign so that we can compare one
      - okay, actually set that last bit
      - set the uuid bit correctly
      - tag 0.31
      - refresh pot files
      - turn off populating unique IDs by default, tag 0.32
      - guess a non-default value for the language team name
      - try to be more flexible about where we look for uuid.h
      - depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
      always log errors when we can't connect to the bus
      pass through, but don't do much else with "rdb" and "extern" as a database location
      don't bother checking if ku_string is NULL a second time (D10052)
      spit out an error if we can't shut down NSS in the child (D10051)
      don't bother checking if s is NULL a second time (D10053)
      remove a couple of empty default: parts of switch statements that should
      don't check for a match on the token names if the current token has no
      handle the should-never-happen case where p is NULL (D10057)
      only try to add a default serial number if we are going to return a
      don't bother comparing the configured token name with the token's name
      log a warning when we can't find the named cert
      log when we can't find the key's token (D10059)
      add a double-check that the netlink socket fd isn't < 0 (D10061)
      only call getenv() once (D10062)
      - correctly check for errors parsing cm_cert (D10063)
      - fix format string logging error
      be sure the csr isn't null before parsing it (D10064)
      - fix a format warning
      don't depend on recvfrom() to return EBADF if we close the netlink socket
      - don't deref the possibly-null pointer if we don't need to (D10069)
      - tweak some docs and tag 0.33
      - rebuild
      - explicitly note the number of requests we're tracking in the output of "getcert list" (#652049)
      try to offer some suggestions when we get certain specific errors back in "getcert" (#652047)
      also recommend making sure the service is running on DBUS_ERROR_NAME_HAS_NO_OWNER
      fix the logic for that check
      - actually bump the version
      - pull in fedora .spec file
      - dos2unix output format changed, yay
      - work with both old and new dos2unix
      - when we use certutil to create keys, run it under expect
      - copy the current run's log in when it finishes
      - create databases and run certutil non-interactively
      - run certutil non-interactively
      - tag 0.35
      - fix a self-test that broke because one-year-from-now is now a day's worth
      - update notes
      - api's been stable for a while
      - fix a copy-paste error describing the -k option
      - add transifex configuration