dogtag-pki (11.2.1-2)
[PTS] [DDPO]
NEW: VCS has unreleased changes: 11.4.3-1 > 11.2.1-2
- Git: https://salsa.debian.org/freeipa-team/dogtag-pki.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 1482752
- Browser: https://salsa.debian.org/freeipa-team/dogtag-pki
- Last scan: 2024-04-14 05:21:30+00
- Next scan: 2024-04-20 19:26:00+00
- CI pipeline status: failed
- Debian changelog in Git:
dogtag-pki (11.4.3-1) UNRELEASED; urgency=medium
* New upstream release.
* patches: Refreshed.
* patches: Drop an upstreamed patch.
* rules: Drop setting nssdb type, the default is sql now.
* Add pki-est.
* install: Updated.
* control: Bump depends on jss, tomcatjss, ldapjdk.
* control: Drop python3-distutils from build-depends. (Closes:
#1065850)
* Install systemd units only once. Thanks, Helmut Grohne! (Closes:
#1054480)
* control: Add dh-sequence-movetousr to build-depends.
-- Timo Aaltonen <tjaalton@debian.org> Tue, 07 Feb 2023 10:55:08 +0200
- This branch is 115 commits ahead of tag debian/11.2.1-1
- Git log:
commit ab0f9775c5d9557a1019390915c1414d3f9495b7
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Mar 19 14:09:41 2024 +0200
control: Add dh-sequence-movetousr to build-depends.
commit 9c0048c51524a6c56219d0779e78ad9958ffe303
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Mar 19 13:58:32 2024 +0200
Install systemd units only once. Thanks, Helmut Grohne! (Closes: #1054480)
commit e3eaf12e7c0f7550dd56dabf6f3e3dceeeb2b2d8
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Mar 19 13:46:47 2024 +0200
control: Drop python3-distutils from build-depends. (Closes: #1065850)
commit 1346f168e9bc33d4dd26c912b80a87445f69a6ab
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Thu Aug 10 11:03:10 2023 +0300
version bump
commit 1b7716c7f7404ab6172a2920494c0c37b8e2fe39
Merge: 0af21f5 0982e23
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Thu Aug 10 11:03:00 2023 +0300
Merge branch 'upstream-next' into master-next
commit 0982e23079279131794ecbb67475c4a8bd18cc6b
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Jun 16 13:50:18 2023 +0100
Updating version to v11.4.3
commit 7ce96c1feacc929ff5ab12858ede2d9784c5cad5
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Jun 16 13:49:54 2023 +0100
Introduce Packit config and upstream some spec updates
commit d7656b8bc1d6b1d04a809d17fe6e3bc7bf63dd61
Author: Chris Kelley <ckelley@redhat.com>
Date: Mon Jun 5 11:22:56 2023 +0100
Upstream some spec file changes to reduce diff
commit eda90d5f27a666a98dd43f30b18b44e893fe3efa
Author: Chris Kelley <ckelley@redhat.com>
Date: Mon Jun 5 10:54:17 2023 +0100
Updating version to v11.4.2
commit e5a606a4a3c10796acbb8ad6c2bd8112e26e87b0
Author: Christina Fu <cfu@redhat.com>
Date: Fri May 26 14:52:53 2023 -0700
Bug2190283-part2_LdapSimpleMap_Invalid_cast_warning
This patch was part of the patch that was taken out earlier.
It fixes a frivilous WARNING message:
[CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:...
org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate
It did not attribute to the CI break so I'm putting it back.
fixes (part2) https://bugzilla.redhat.com/show_bug.cgi?id=2190283
commit 0af21f5f41d28d22c0ae8a2bbddb4082602d8210
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 17:18:57 2023 +0300
install: Updated.
commit 2bcfe4489e2ef2868fcce7fb7225c66da5da79c9
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 17:11:56 2023 +0300
control: Bump depends on jss, tomcatjss, ldapjdk.
commit 6dacb1d15085ab9da7a19497ee30c714bd7e936d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 16:54:13 2023 +0300
patches: Refreshed
commit c11a4f49467bd7ccadd11cb311a0901512a37c73
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 15:10:12 2023 +0300
version bump
commit ae9db9822654103a268fb2d181f0b27a4ea6d846
Merge: cbc8032 23c8df0
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 15:09:57 2023 +0300
Merge branch 'master-next' into m-n
commit cbc8032bf693cc9d09530ef52de8e1902bef4638
Merge: 4418546 0f07aa4
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue May 16 15:09:52 2023 +0300
Merge tag 'v11.3.0' into m-n
commit 4b2fe9306925b5aca1dd3185f98a1d2a88979301
Author: Chris Kelley <ckelley@redhat.com>
Date: Mon May 15 10:02:50 2023 +0100
Revert "Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages"
This reverts commit bcffbf80a13d020f3c2edbf012855275be0bca6b.
commit c4f03fcc05b452b0cab3308d4468cb818ac0a251
Author: Marco Fargetta <mfargett@redhat.com>
Date: Mon May 15 11:30:39 2023 +0200
Revert "Disable OCSP direct pushing during upgrade"
This revert commit e6066a59bd7c2cff4108ace2c73177615ace4bd9.
commit 228b98b6bae7bbd44f17a689b0f77bdbe7443a5d
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu May 11 17:45:47 2023 +0200
Fix upgrade script version
commit e6066a59bd7c2cff4108ace2c73177615ace4bd9
Author: Marco Fargetta <mfargett@redhat.com>
Date: Wed May 10 15:54:27 2023 +0200
Disable OCSP direct pushing during upgrade
The direct publishing to OCSP is not working properly and a previous
commit has change the default value for the `ca.publish.rule.instance.ocsprule-<instance-<port>.enable` attribute to false. This commit add the upgrade script to set false for the existing instances during the upgrade.
There are no problems with existing instances because the communication
with OCSP was not properly working and other mechanism were in place.
Close the issue: RHCS-4085
commit bcffbf80a13d020f3c2edbf012855275be0bca6b
Author: Christina Fu <cfu@redhat.com>
Date: Thu Apr 27 16:44:29 2023 -0700
Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages
This patch fixes the following issue:
It appears that the following parameter in ca's CS.cfg is set to true
by default:
ca.publish.rule.instance.ocsprule-ccrsa-1-rhcs10-example-com-32443.enable
which triggers the CA to attempt publishing of its CRLs directly
from CA->OCSP and causing the following SEVERE error messages:
SEVERE: CRL issuing point CN=CA Signing Certificate, nott found.
The CA->OCSP direct push of CRLs appears to not be working.
CA->ldap publishing (and ocsp pulling from ldap) is working and
should be used instead.
In addition, this patch also fixes it so that the following will no
longer appear (it has no reason to. See bug description for explanation):
[CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:...
org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2190283
commit 44185469b7a8a9adbc3e7c88296ebc4976b00d8d
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Apr 28 22:20:17 2023 +0100
Updating version to v11.4.1
commit 2217bf6676f13512ab734e9c3d6ab0db47e968ee
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Apr 21 09:43:52 2023 +0100
Fix pylint failures in upstream CI.
The new version of pylint (pylint-2.17.2-1.fc38) in F38 causes failures
due to containing a configuration setting that will become invalid in
pylint 3. The pylintrc file is future-proofed to work with pylint 3.
overgeneral-exceptions now causes test failure rather than a warning, it
has been disabled for now as there are many failures and it could take
some time to go through them all individually and catch less general
exceptions.
commit e277607048d1850784f9996e13dfc2de02777524
Author: Chris Kelley <ckelley@redhat.com>
Date: Thu Apr 27 14:58:17 2023 +0100
Update paths for jaxb and jakarta-activation JARs
commit fd405cb468d0d83caf4dd8c40d525edca9003417
Author: Chris Kelley <ckelley@redhat.com>
Date: Thu Apr 27 11:47:40 2023 +0100
Only BuildRequires xmvn-tools on distros that have it
commit 415d7b67c8cf5d042104ca811b4ec5f4b086853e
Author: Chris Kelley <ckelley@redhat.com>
Date: Mon Apr 24 19:01:37 2023 +0100
Make use of xmvn-resolve conditional on it being installed
Drops the distro-specific code and relies only on whether xmvn is
present. The spec is updated to explicitly BuildRequires: xmvn-tools so
xmvn-resolve is there at build time for JAR resolution.
Resolves: #2188716
commit 58730a52732224a1fc28a0919d7007cc39f50261
Author: Chris Kelley <ckelley@redhat.com>
Date: Wed Apr 19 22:31:53 2023 +0100
Updating version to v11.4.0
commit 1c49e9983f65a23db7c7ccf2c0b77f0c4e10022c
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 19 09:48:20 2023 -0500
Publish to GitHub Maven registry
A new job has been added to build PKI with Maven and publish
the artifacts to GitHub Maven registry. Currently the tests
have to be disabled due to missing JSS shared libraries. The
group ID and artifact ID have been renamed to follow a more
commonly used pattern.
commit 123f0cd93d896a9aafcd7886a88ce018e81bf422
Author: Chris Kelley <ckelley@redhat.com>
Date: Wed Apr 19 15:04:54 2023 +0100
Fix adding user in TPS UI
Various things were not displaying correctly as well due to incorrect
JSON mappings, so that is fixed too.
Resolves: #2027712
commit ad927437a0c77529169e5db656550c071fd51cf4
Author: Chris Kelley <ckelley@redhat.com>
Date: Thu Apr 13 23:44:30 2023 +0100
Restore certificate search functionality to the TPS UI
With bug #2008162 the newly enforced token profile separation breaks the
Home -> Certificates page as it does not provide a tokenID to the
server.
Now, if the server receives no tokenID, we return all certs that match
the search filter that are allowed for the authorised profiles.
Resolves: #2049901
commit b6a9338fd7f9aa2be14e6991160927f93dc335a4
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 16:44:00 2023 -0500
Add DirAclAuthz.loadACLs()
The code that loads ACL resources from LDAP into memory
in DirAclAuthz has been moved into loadACLs().
commit da188dc2bc46485c12c619f2dc674b1b4737dbbe
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 18:01:56 2023 -0500
Convert AAclAuthz.mACLs into Map
commit b22f12e934f31c0af21165a10fdb5581220d24b7
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 18:00:11 2023 -0500
Replace AAclAuthz.aclResElements() with getACLs()
commit 8493927137b1a6127582c22d346347d27665a2f5
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 17:57:14 2023 -0500
Update AAclAuthz.getTargetNames() to return Set
commit b85bcc47d06b2085e534976313c2a71965ea5713
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 17:53:06 2023 -0500
Update AuthzManager.getACLs() to return Collection
commit 7a5ace604763b6e547156f6dc90717624dfa1dac
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 17:40:54 2023 -0500
Merge ServletUtils into CAProcessor
commit 6b2f3c9a68c8de5ff728cad6da0e5a32bc097fe1
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 17:31:05 2023 -0500
Add AuthorizationConfig.getSourceType()
The code that returns authz.sourceType config param has been
merged into AuthorizationConfig.getSourceType().
commit f84e44495d0b7267f7e36a6766fc5f0eaaa83725
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Apr 18 17:06:36 2023 -0500
Add AuthzSubsystem.addACLInfo()
The code that adds ACL info into authorization manager has been
merged into AuthzSubsystem.addACLInfo().
commit eff9bfe633143e51bebd5742aa3233ed8092cd10
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Apr 14 16:41:46 2023 +0100
Code clean up in CryptoUtil
* Access static method in a static fashion
* Hide implicit public constructor
* Combine identical catch blocks
* Use try-with-resources where appropriate
* Don't create variables just to return them
* Put array designator on the type
* Remove unnecessary boolean literal and logical jumps
* Reorder modifiers to match the JLS
* Remove double-brace initialization
commit 3517d4d5d0791afd411e728f10fb9446d02870d9
Author: Chris Kelley <ckelley@redhat.com>
Date: Fri Apr 14 15:17:14 2023 +0100
Remove code in web UI to retrieve Links from requests
Some time ago we removed the Link objects from server-side classes.
Therefore, there is nothing to retrieve so these redundant methods can
also be removed.
commit 0270f3aa981970014574429d4abc50907110830d
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Apr 13 15:27:46 2023 +0200
Fix maven compile
The commit incluide:
- update JSS version
- modify the tomcatjss dependecy to the correct module
- add flatten plugin to fix the installation phase using the `revision`
property
If the dependency are installed (**jss**, **tomcatjss** and
**ldap-sdk**) with `mvn install` then `pki` can be compiled with maven.
The only problem is that the test are not correctly configured so for
now the compile has been executed with the option `mvn package
-Dmaven.test.skip=true`.
commit 65d2796d740e4760c5b41c2befdb7f04f19c6d51
Author: Endi S. Dewata <edewata@redhat.com>
Date: Thu Apr 13 12:52:17 2023 -0500
Remove obsolete references to jss-symkey.jar
The jss-symkey.jar has been merged into jss.jar in JSS 5.4
so all references to the file needs to be removed.
commit 7b9c3ad98f799e0b76f9b4a9e47d7d5a97813d15
Author: Endi S. Dewata <edewata@redhat.com>
Date: Thu Apr 13 12:51:14 2023 -0500
Remove obsolete references to pki-symkey
commit af67477e95b80b60277bd68f87d766e1382fb1df
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:45:21 2023 -0500
Update ListCerts to use @WebServlet
commit 7d6e23f617e33ac406430d5fec71e55ccaac8205
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:43:16 2023 -0500
Update ListCertsAgent to use @WebServlet
commit ce8d0f8ddab090509d1384941fb573bbb91d71d8
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:33:51 2023 -0500
Update SrchCerts to use @WebServlet
commit 5095dfaf6010ff5e2cd60e60be0a63ff46d3d2f7
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:31:38 2023 -0500
Update SrchCertsAgent to use @WebServlet
commit b714a90a751d98ed5e145d1fb4cff2a0d1621435
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:26:16 2023 -0500
Update CAGetStats to use @WebServlet
commit 6b9c014edfe19f34b38a530178e1b374db6d081f
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:07:47 2023 -0500
Update ProfileSelectServlet to use @WebServlet
commit 751d92066e694935494547dd6afba176a0fc2008
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 17:04:28 2023 -0500
Update ProfileSelectAgentServlet to use @WebServlet
commit d508088f774d4b3f9cae1e92126679530d4c8f89
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:56:21 2023 -0500
Update GetCertFromRequest to use @WebServlet
commit 9ebe43bcbc7ef029bcf39a0755f007155ca955fb
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:52:04 2023 -0500
Update GetCertFromRequestAgent to use @WebServlet
commit ba6df570eb74e33963ad8d31dd9cb713993826b4
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:48:12 2023 -0500
Update DisplayCertFromRequest to use @WebServlet
commit b73c611313fd645f41fcef64604189a0b3a9b81a
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:45:29 2023 -0500
Update DisplayCertFromRequestAgent to use @WebServlet
commit 788f65b790ed1a27981ca4f8cc1fde675614611e
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:27 2023 -0500
Update UpdateDir to use @WebServlet
commit 2b0248e0dea1b15ab4d01d88e51161ca32072a6b
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:26 2023 -0500
Update CAGetOCSPInfo to use @WebServlet
commit 357b6728303963cfde8446cd0dcde002d5560c30
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:24 2023 -0500
Update EnrollServlet to use @WebServlet
commit 8b66b7170ab61bf807e569d4be49076c3369457e
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:22 2023 -0500
Update CertBasedEnrollServlet to use @WebServlet
commit 2d264a68590f84054dc11155f0b8ccd92dae17ff
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:21 2023 -0500
Update BulkIssuanceServlet to use @WebServlet
commit 504c3cde6fdbd8578cdecbc9a9051cff9ac03b3f
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:20 2023 -0500
Update AdminEnrollServlet to use @WebServlet
commit abc290a2022d247a319ea3c3caa2e1ce38b9c793
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:35:19 2023 -0500
Update CAJobsAdminServlet to use @WebServlet
commit 03c15fe4130b1c142fba510f7b460bb3428bbd52
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 14:43:07 2023 -0500
Update IPA tests
The IPA test workflow has been modified to build ipa-runner
image separately from the main build workflow. This way the
non-IPA test workflows can start the test earlier because
they don't need to wait for ipa-runner to be built anymore.
commit 1915f3b4b9f697b2f67ccc55963040a39d026940
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Apr 12 16:34:01 2023 -0500
Add new servlets for CA
Some new servlets have been added to provide a separate class
for each servlet in CA's web.xml.
commit 23c8df0bfc4bd1b276a9bd4a5117f14e67bcad8f
Merge: ba5fd4b 88281b3
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Wed Feb 15 16:55:40 2023 +0200
Merge branch 'master' into m
commit 88281b363e2ffc1816b4213fa051c4529b80f118
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Feb 10 08:59:02 2023 +0200
releasing package dogtag-pki version 11.2.1-2
commit ba5fd4b3b01f5d84862425a5e81aea0468fc5a2c
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Feb 10 08:55:00 2023 +0200
install: Updated.
commit 698ef361dd837d6b3780820727f8f8ac2c2518bf
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Feb 10 08:54:16 2023 +0200
Add pki-est.
commit 7a3254665e682f96d2d691c05a0f51d78a821d54
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 11:46:38 2023 +0200
rules: Drop setting nssdb type, the default is sql now.
commit 8e80076570bd9d5907adddffa2c2b9b08db7250e
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 11:40:46 2023 +0200
patches: Drop an upstreamed patch.
commit c413afedb17f0145da4a5f30260315a6a5eab894
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 11:40:21 2023 +0200
patches: Refreshed.
commit b070122c9274abe7f31436a167a5408c0297c014
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 10:55:24 2023 +0200
version bump
commit d6ff48051792f495b16d20ef0df0a3a552c22fd4
Merge: c0352a1 e9df9ee
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 10:54:59 2023 +0200
Merge branch 'master-next' into m
commit c0352a12b779715dccbb5dcf7492cd2fe75bba20
Merge: 0f07aa4 6beb1bd
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Feb 7 10:54:50 2023 +0200
Merge tag 'v11.2.1' into m
commit 0f07aa4f11479f1a914d13640c35e43697a2c812
Author: Chris Kelley <ckelley@redhat.com>
Date: Mon Jan 30 09:08:35 2023 +0000
Updating version to v11.3.0
commit e855211c39b42926e0f70bb1e51c55a1891e771c
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Jan 19 20:03:21 2023 +0100
Add fapolicy rules to allow execution of generated java code
When fapolicy daemon is running the default rules deny the execution of
java code from not trusted sources. This deny also the execution of some
code generated inside the instance `work` folder.
This is the case when FIPS is enabled and DISA STIG profile is applied.
To solve the problem a custom rule is applied during the installation.
Solve the BugĀ 2091993
commit b725efe74ce818e7fdecbc256274f3cf223f4ee6
Author: Christina Fu <cfu@redhat.com>
Date: Thu Jan 19 10:16:23 2023 +0000
Add authorization to limit setTokenStatus to allowed admins
This patch adds authorization to limit setTokenStatus to admins
allowed for the token type in question.
If a token is not associated with a keyType/profile, then the admin
must have the ALL_PROFILES prvilege.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
commit ab1806b968a3254c37648479714d8af9f0fb5d78
Author: Chris Kelley <ckelley@redhat.com>
Date: Wed Jan 11 14:46:28 2023 +0000
Modify csconfig.py checks to allow for N certs with same nickname
Currently the base64 blob from nssdb is directly compared with a
cert from the CA subsystem, this fails if their are multiple certs
with the same nickname. As this is an allowable state, the tests
are modified to break the base64 blob into individual certs.
commit cc845b189dd08a8cda64c8a00d4fd850b38dccb1
Author: Marco Fargetta <mfargett@redhat.com>
Date: Tue Dec 20 17:57:50 2022 +0100
Remove XML from CAInfo and KRAInfo, and move OAEP config to subsystem
commit 34a176f27f9f852b17d9b2d22a43729a3a1d02e0
Author: Marco Fargetta <mfargett@redhat.com>
Date: Mon Dec 19 19:34:11 2022 +0100
Add CI test for KRA started with OAEP
The new pkispawn parameter `pki_use_oaep_rsa_keywrap` allows to create
`CA` and `KRA` subsystems with `RSA_OAEP` padding enabled.
This CI test verify that OAEP is enabled according to the parameter and
additionally performs all the basic tests for `KRA` subsystem but with
`RSA_OAEP` enabled.
commit 7f47c90785a0df0f9a74602361a8b48eff02b043
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Dec 15 11:12:28 2022 +0100
Fix keyWrap.useOAEP configuration and other improvement
Complete the management of the 'OAEP' configuration in pkispawn and
solve several SonarClous issue
commit 6b603f4358b19ed0e94c2ad8dc90b98cf4f14e7d
Author: Jack Magne <jmagne@localhost.localdomain>
Date: Wed Sep 21 11:00:28 2022 -0700
Fix: Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled
The purpose of this patch is to continue the improvement of this bug in 2 ways:
1. Create a pikspawn variable to cause pkispawn to create a subsystem configured for oaep
pki_use_oaep_rsa_keywrap=True, the default is False.
2. Improve the rest calls for kra info and ca info to provide info on whether the ca or kra is using OAEP.
For the Ca, we print out oaep info for both the local CA config and the CA's corresponding KRA.
Ex:
KRA info:
https://localhost.localdomain:28443/kra/rest/info
<KRAInfo>
<Attributes/>
<ArchivalMechanism>keywrap</ArchivalMechanism>
<RecoveryMechanism>keywrap</RecoveryMechanism>
<EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
<WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
<RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
</KRAInfo>
Note the new value for RsaPublicKeyWrapAlgorithm.
CA info:
https://localhost.localdomain:8443/ca/rest/info
<CAInfo>
<Attributes/>
<ArchivalMechanism>keywrap</ArchivalMechanism>
<EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
<WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
<RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
<CaRsaPublicKeyWrapAlgorithm>RSA_OAEP</CaRsaPublicKeyWrapAlgorithm>
</CAInfo>
The value CARsaPublicKeyWrapAlgorithm simply relfects the CA's CS.cfg oaep value.
The value RsaPublicKeyWrapAlgorithm is part of the info obtained from this CS's KRA subsystem.
This info can be used by interested clients to see if OAEP is in use with the givne KRA or CA.
commit 597653d62a0d807bf9a66c8ba03fadf1549c9fc0
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Dec 7 21:27:58 2022 +0700
Call apt-get update before apt-get install
Some tests were failing during apt-get install:
$ sudo apt-get -y install libxml2-utils
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
libxml2-utils
0 upgraded, 1 newly installed, 0 to remove and 9 not upgraded.
Need to get 40.2 kB of archives.
After this operation, 206 kB of additional disk space will be used.
Ign:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
Err:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
404 Not Found [IP: 52.147.219.192 80]
E: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.9.13%2bdfsg-1ubuntu0.1_amd64.deb 404 Not Found [IP: 52.147.219.192 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
The tests have been updated to call apt-get update first.
commit 075ef3c8e3e787b39de5712b9ddc122f65d07f32
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Dec 6 09:30:05 2022 +0700
Add test for lightweight CA
A new test has been added to test basic lightweight CA
operations. The test will install a CA, then create a
lightweight CA, and perform an enrollment against it.
The issued cert should be signed by the lightweight CA.
commit dc9b536da6b72fc5000244793399f48f482934f0
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Dec 6 02:23:24 2022 +0700
Update COPR repo to @pki/11.3
commit 182400a58cce0c313c55f6fb30bbde01a1c677ce
Author: Endi S. Dewata <edewata@redhat.com>
Date: Mon Dec 5 14:11:45 2022 +0700
Add test for CA clone with HSM
A new test has been added to verify CA cloning with HSM.
In this case the HSM will be cloned first, then the CA
clone will be installed with the certs and keys already
existing in the HSM clone.
Currently there is a discrepancy between the primary CA
and the clones on number of certs in the internal token,
but it doesn't seem to be affecting the functionality.
This will require further investigation.
commit a5294ffc0f84099cb92d8ce2e3f8fc506ae9578a
Author: Endi S. Dewata <edewata@redhat.com>
Date: Mon Dec 5 09:09:51 2022 +0700
Update cloning examples and tests
The cloning examples have been updated to no longer include the
PKCS #12 params by default such that they can be used with other
methods which do not use a PKCS #12 file. The cloning tests with
PKCS #12 file have been modified to provide the required params
for this method.
commit db21c5b8c4a3264487252434020b0f19228dece4
Author: Endi S. Dewata <edewata@redhat.com>
Date: Thu Dec 1 12:41:26 2022 +0700
Use DS container in CI tests
The ds-container-create.sh has been modified such that most
tests will use a DS container which is about 30-60 seconds
faster to create than a regular DS server.
For now tests for secure DS connection will continue to use
a regular DS server, but in the future they may be updated
to use a DS container as well.
commit ed0946252840b6a0d44c1b781d1aa15a5aaef9cb
Author: Endi S. Dewata <edewata@redhat.com>
Date: Thu Dec 1 14:32:34 2022 +0700
Update basic TPS test
The basic TPS test has been updated to run ldapadd in PKI
container instead of in DS container since the input files
are provided by PKI.
commit ca90e3238cc1a3999b9e5557f68d6d00e6e7f3e5
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Nov 30 22:25:31 2022 +0700
Fix pki.spec to allow optional theme
commit e80920e79afe83c06e576acdd50566c169b5e3c0
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Nov 24 13:50:17 2022 +0100
Fix padding for the unwrap
commit 0b2423f4cd139dce9813bc712cf1ae8d7628f28d
Author: Marco Fargetta <mfargett@redhat.com>
Date: Tue Nov 22 19:07:01 2022 +0100
Replace the SymKey clone with wrap and unwrap
commit 042ca7a4aa078edbb4dc1295aa5cf4cd72880d85
Author: Marco Fargetta <mfargett@redhat.com>
Date: Wed Nov 9 10:57:06 2022 +0100
Fix SonarCloud several code smell
commit 38e36d27f6e9c3654bf7cd76899756621f6fe223
Author: Marco Fargetta <mfargett@redhat.com>
Date: Tue Nov 8 18:48:18 2022 +0100
Move the symmetric key to wrap the reponse
commit 27acea80205fc2b4e113d82ac492b14fbbaed6b1
Author: Marco Fargetta <mfargett@redhat.com>
Date: Wed Nov 2 12:44:55 2022 +0100
In case of OAEP move the secret key instead of clone
commit 31068a42450ba4142c12d996801bc792d9f7f145
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Oct 27 17:49:45 2022 +0200
Fix key length for padding algorithms
commit 0c6398ae7f52e65babda6195c11dc994f06fff81
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Sep 15 15:05:35 2022 +0200
Fix key length
commit 2ffc5e4dd75c41e0f847fdd47d068ebaab6d4145
Author: Marco Fargetta <mfargett@redhat.com>
Date: Wed Sep 7 15:32:56 2022 +0200
ADd rsaes_oaep among the key wrapping algorithms
commit 1d7827c3976e0f344fe73a3223bc564a3419a1fc
Author: Marco Fargetta <mfargett@redhat.com>
Date: Fri Sep 2 10:57:57 2022 +0200
Tidyup CRSEnrollment
commit 2a8e2182bf8a426689b5b2def5160670655297d7
Author: Marco Fargetta <mfargett@redhat.com>
Date: Wed Aug 31 10:56:54 2022 +0200
Add OAEP parameters
commit 4c3ca8f24acc23a65472af0a0f54d2afed380bd5
Author: Marco Fargetta <mfargett@redhat.com>
Date: Thu Aug 25 15:35:20 2022 +0200
Add AES in SCEP protocol
Following the SCEP specs (https://www.rfc-editor.org/rfc/rfc8894.txt)
the AES support has been introduced for encrypting certificate massage.
Fix #3324
