[Pki-devel] test

2021-05-25 Thread Matthew Harmsen

test

___
Pki-devel mailing list
Pki-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/pki-devel



[Pki-devel] IMPORTANT: 'pki-devel@redhat.com' is transitioning to 'de...@lists.dogtagpki.org'

2021-05-11 Thread Matthew Harmsen

Everyone,

Effective Monday, May 17, 2021, beginning at approximately 6:00 AM EDT 
with the migration taking approximately one hour, the 
'pki-devel@redhat.com' email list will be permanently shutdown and moved 
to the 'de...@lists.dogtagpki.org' email list.


All users and previous messages will be transitioned to this new email list.

Although no additional actions are required by any user, please note 
that any future emails to 'pki-devel@redhat.com' will NOT be forwarded 
to the new list; please use 'de...@lists.dogtagpki.org' after this date.


Thank you,
-- Matthew Harmsen


[Pki-devel] Question on cloning and replication . . .

2020-11-10 Thread Matthew Harmsen

Everyone,

I received the following from a community member who is using Dogtag and 
389:


   I have 2 questions and 1 note.

   Note:
   Here is an interesting thing that I noticed during CA cloning:
   When the CA to be cloned has a secure DS connection enabled, the cloning
   process fails.
   None of the docs:

    * https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_Clone
    * https://github.com/dogtagpki/pki/blob/DOGTAG_10_6_BRANCH/docs/installation/Installing_CA_Clone.md
    * https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md

   is covering this issue.
   The solution here is to use
   pki_clone_replication_master_port=389
   pki_clone_replication_clone_port=389
   pki_clone_replication_security=None
   https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/server/etc/default.cfg#L255

   Question 1 (sorry, bit long):
   When the CA is cloned, both DS servers have the nsslapd-referral attribute
   set in their dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config entries,
   so the DS on vm-users4.hostname.com would have

   dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA

   and the DS on vm-users3.hostname.com would have

   dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsslapd-referral: ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA

   I wonder what the meaning of the nsslapd-referral attribute is?

   The reason I'm asking is that I was thinking that for replication
   over SSL maybe nsslapd-referral should be modified
   from ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA
   to ldaps://vm-users4.hostname.com:636/o%3Dpki-tomcat-CA
   but when I did this the nsslapd-referral attribute was reverted to its
   original value by DS automatically,
   so I'm trying to make sure whether the nsslapd-referral attribute should
   be left unchanged when enabling SSL for DS replication?

   Just in case, here is a sample of all changes on both DS servers (hopefully
   I didn't miss anything needed to have properly configured replication over
   SSL):

   vm-users4.hostname.com:

   dn: cn=config
   nsslapd-security: on

   dn: cn=RSA,cn=encryption,cn=config
   nsSSLPersonalitySSL: slapd-vm-users4
   nsSSLToken: internal (software)
   nsSSLActivation: on

   dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA

   dn: cn=cloneAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsDS5ReplicaPort: 636
   nsDS5ReplicaTransportInfo: SSL

   vm-users3.hostname.com:

   dn: cn=config
   nsslapd-security: on

   dn: cn=RSA,cn=encryption,cn=config
   nsSSLPersonalitySSL: slapd-vm-users3
   nsSSLToken: internal (software)
   nsSSLActivation: on

   dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsslapd-referral: ldap://vm-users4.hostname.com:389/o%3Dpki-tomcat-CA

   dn: cn=masterAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
   nsDS5ReplicaPort: 636
   nsDS5ReplicaTransportInfo: SSL

   Question 2:
   DS has so-called "SSF Restrictions"
   (https://directory.fedoraproject.org/docs/389ds/howto/howto-use-ssf-restrictions.html)
   which may be configured by setting the nsslapd-minssf attribute in the
   cn=config entry.
   The default value of the nsslapd-minssf attribute is 0.
   The Minimum SSF configuration setting can be used to define the minimum
   level of encryption that is required.

   Do you know what this means?
   Should I be concerned?

   By the way, when the nsslapd-minssf attribute is set to 128, the DS
   becomes inaccessible and the CA is not working.

Thanks in advance for any answers,
-- Matt
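The LDIF snippets in the question above, together with the nsslapd-minssf note, can be checked mechanically. What follows is an added example, not code from the thread, from Dogtag or from 389 DS: a small LDIF reader plus an audit that reports the configured minimum SSF, every replication agreement whose nsDS5ReplicaTransportInfo is not an encrypted transport, and every mapping-tree referral that points clients at an ldap:// URL. The sample LDIF is constructed from the entries quoted above; the nsDS5ReplicaHost values, the nsslapd-minssf line and the "legacyAgreement" to vm-users5 are additions made so the audit has something to flag.

```python
"""Audit a 389 DS cn=config export for cleartext replication paths."""
import base64
from typing import Dict, List

# nsDS5ReplicaTransportInfo values that encrypt the replication session;
# 'LDAP' (or an absent attribute) means plain LDAP on nsDS5ReplicaPort.
ENCRYPTED_TRANSPORTS = {'SSL', 'TLS', 'STARTTLS'}

# Constructed sample: the cn=config, mapping-tree and cloneAgreement entries
# quoted in the thread, plus an invented cleartext agreement (vm-users5) so
# the audit produces a finding. Raw string so that '\3D' stays literal.
SAMPLE_LDIF = r"""dn: cn=config
nsslapd-security: on
nsslapd-minssf: 0

dn: cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
nsslapd-referral: ldap://vm-users3.hostname.com:389/o%3Dpki-tomcat-CA

dn: cn=cloneAgreement1-vm-users4.hostname.com-pki-tomcat,cn=replica,
 cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
nsDS5ReplicaHost: vm-users3.hostname.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL

dn: cn=legacyAgreement,cn=replica,cn=o\3Dpki-tomcat-CA,cn=mapping tree,cn=config
nsDS5ReplicaHost: vm-users5.hostname.com
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
"""

Entry = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, attribute names
    lower-cased, '::' base64 values decoded. Not a full RFC 2849 parser."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        line = line.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_replication(entries: List[Entry]) -> dict:
    """Report the minimum SSF, agreements without an encrypted transport and
    mapping-tree referrals that send clients to an ldap:// URL."""
    report = {'minssf': 0, 'cleartext_agreements': [], 'cleartext_referrals': []}
    for entry in entries:
        dn = entry.get('dn', [''])[0]
        if dn.lower() == 'cn=config':
            report['minssf'] = int(entry.get('nsslapd-minssf', ['0'])[0])
        for url in entry.get('nsslapd-referral', []):
            if url.lower().startswith('ldap://'):
                report['cleartext_referrals'].append(url)
        if 'nsds5replicaport' in entry:    # a replication agreement entry
            transport = entry.get('nsds5replicatransportinfo', ['LDAP'])[0].upper()
            if transport not in ENCRYPTED_TRANSPORTS:
                report['cleartext_agreements'].append(
                    (dn, entry.get('nsds5replicahost', ['?'])[0],
                     entry['nsds5replicaport'][0], transport))
    return report


if __name__ == '__main__':
    result = audit_replication(parse_ldif(SAMPLE_LDIF))
    print('nsslapd-minssf:', result['minssf'], '(0 = no encryption enforced)')
    for dn, host, port, transport in result['cleartext_agreements']:
        print('CLEARTEXT agreement %s -> %s:%s (%s)' % (dn, host, port, transport))
    for url in result['cleartext_referrals']:
        print('ldap:// referral:', url)
```

Replace SAMPLE_LDIF with an LDIF export of the cn=config subtree from each clone to run it against a real deployment. On the SSF question: nsslapd-minssf rejects operations on any connection whose security strength factor is below the configured value, so 128 obliges every client, the CA's own LDAP connection included, to use TLS or a SASL mechanism with confidentiality; a CA that still reaches the DS on port 389 without TLS then loses its directory, which is consistent with the symptom reported above. The safer order is to move every agreement and the CA's own connection to an encrypted transport first and raise nsslapd-minssf afterwards, rather than leaving it at 0 permanently.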


Re: [Pki-devel] DogTag SCEP refresh

2019-12-05 Thread Matthew Harmsen

On 12/5/19 6:42 AM, Martin Slouka wrote:


Hello Matthew,

I am a consultant and I help one of my customers run a Dogtag CA. They 
are missing some SCEP functionality and agreed with a developer to 
add the missing functionality. Is it possible to cooperate somehow so 
that the improvements will be merged into future releases of Dogtag?


Thanks in advance.

Regards,

  Martin Slouka


Martin,

Yes, I believe that this should be possible.

Please send this information to the Dogtag PKI Development Mailing List 
- pki-devel@redhat.com (cc'ed on this email reply), so that it may be 
reviewed, and hopefully incorporated into the Dogtag source base.


Thank you!
-- Matt


[Pki-devel] Anything to worry about?

2019-08-20 Thread Matthew Harmsen

Everyone,

Per Dmitri's message:

   There are couple devel packages that are not in the errata.
   Something to worry about?
   See:
   - Builds must be attached to errata to make it into eSnap2 (3,4,5,RC).
   Here's the list that isn't: http://pastebin.test.redhat.com/789672

Specifically, I see (rhel 8.1.0 candidate vs. pending; rhel 8.1.0 
modules-candidate vs. modules-pending):


 * esc-1.1.2-10.el8 | esc-1.1.2-7.el8
 * pcsc-lite-1.8.23-3.1.el8 | pcsc-lite-1.8.23-3.el8
 * pcsc-lite-ccid-1.4.29-3.1.el8 | pcsc-lite-ccid-1.4.29-3.el8
 * 389-ds-devel-1.4-8010020190726190255.eb48df33
 * freeradius-devel-3.0-8010020190614154208.16b3ab4d
 * pki-core-devel-10.6-8010020190814232419.8ba0ffbe
 * pki-deps-devel-10.6-8010020190731203900.cdc1202b

Please reply-to-all if we need to raise an alarm on any of these.

Thanks,
-- Matt


[Pki-devel] No PKI meeting today

2018-11-08 Thread Matthew Harmsen

Everyone,

I have a family emergency, and need to cancel today's meeting.

-- Matt



[Pki-devel] Fwd: [dogtagpki] Issue #3040: pki-ca using existing CA

2018-07-11 Thread Matthew Harmsen

hamzah reported a new issue against the project: `dogtagpki` that you are 
following:
I have the following CA configuration, which used to work with the pki-ca 10.5.1 
package before the 13 release:
[CA]
pki_admin_email=caad...@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=
pki_admin_uid=caadmin
pki_backup_password=
pki_client_database_password=
pki_client_database_purge=False
pki_client_pkcs12_password=
pki_clone_pkcs12_password=
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=
pki_security_domain_name=EXAMPLE
pki_token_password=
pki_https_port=8373
pki_http_port=8370
pki_ajp_port=8379
pki_tomcat_server_port=8375

pki_security_domain_hostname=...
pki_security_domain_https_port=8373

pki_clone=True
pki_clone_uri=https://api3.ows.bf2.yahoo.com:8373
pki_clone_replicate_schema=True
pki_security_domain_password=
pki_clone_pkcs12_path=/tmp/ca-certs.p12
pki_clone_pkcs12_password=

Now I am getting an error because of the change below:
https://github.com/dogtagpki/pki/commit/313c701957bedfd59f7f6368d0c37d2928d1a4a1

in the file
base/server/python/pki/server/deployment/scriptlets/configuration.py
line 403

since the code just throws an exception when this 'pki_ca_signing_cert_path' 
configuration does not exist, but I am using 'pki_clone_pkcs12_path' instead, and 
even if I include it I still get an error, 
maybe because I am importing the CA cert twice.

To reply, visit the link below or just reply to this email
https://pagure.io/dogtagpki/issue/3040



[Pki-devel] Updated Dogtag packages for Fedora 27, 26, and 25 . . .

2017-06-07 Thread Matthew Harmsen

Everyone,

The following Dogtag packages have been updated on Fedora 27 (rawhide):

 * tomcatjss-7.2.3-1.fc27
 * dogtag-pki-10.4.7-1.fc27
 * dogtag-pki-theme-10.4.7-1.fc27
 * pki-core-10.4.7-1.fc27
 * pki-console-10.4.7-1.fc27

Additionally, these builds were used to generate their Fedora 25 and 
Fedora 26 equivalents as stored in the following COPR repos 
(https://copr.fedorainfracloud.org/coprs/g/pki/10.4/):


 * Fedora 25 and 26 (e. g. - /etc/yum.repos.d/pki-fedora.repo):

   [group_pki-10.4]
   name=Copr repo for 10.4 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.4/fedora-$releasever-$basearch/
   type=rpm-md
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.4/pubkey.gpg
   repo_gpgcheck=0
   enabled=1
   enabled_metadata=1

Thanks,
-- Matt


Re: [Pki-devel] [pki-devel][PATCH] 0095-Resolve-1663-Add-SCP03-support.patch

2017-06-02 Thread Matthew Harmsen

On 06/02/2017 04:44 PM, John Magne wrote:

   Ticket: Resolve #1663 Add SCP03 support.

   This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.

Confirmed that import statements were removed by Eclipse, and that 
commented out block of code is there for future testing.


As jmagne confirmed that this had been tested (including on the 
offending machine configuration) --- ACK



[Pki-devel] [PATCH] Fixed pylint errors (re-sent)

2017-05-31 Thread Matthew Harmsen

The attached patch was altered to change "args" ==> "argv" rather than 
"argv" ==> "args", since it was discovered that a number of the routines 
used "args" as a local variable, which would have had to be changed if 
the "argv" input parameter were renamed to "args".  Consequently, 
this patch converts "args" ==> "argv".


Please review the attached patch which addresses the following issues:

 * dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues
   <https://pagure.io/dogtagpki/issue/2713>

These changes were successfully compiled on a Fedora 27 machine with the 
following packages:


 * python2-2.7.13-10.fc27.x86_64
 * python3-3.6.1-7.fc27.x86_64
 * pylint-1.7.1-1.fc27.noarch

Additionally, a CA instance was installed and configured, and the 
following smoke test was run:


 * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
 * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
   /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
   example.com" -p 8080 ca-user-add testuser --fullName "Test User"
 * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L
 * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
   /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
   example.com" -p 8080 client-cert-request uid=testuser
 * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
   /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
   example.com" -p 8080 ca-cert-request-review 7 --action approve
 * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
   /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
   example.com" -p 8080 ca-user-cert-add testuser --serial 0x7
 * sudo pki -d /root/.dogtag/pki-tomcat/ca/alias -C
   /root/.dogtag/pki-tomcat/ca/password.conf -n "PKI Administrator for
   example.com" -p 8080 client-cert-import testuser --serial 0x7
 * sudo certutil -d /root/.dogtag/pki-tomcat/ca/alias -L

From c04ad1540b09475188f535b2ca3786345ef5426f Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Thu, 1 Jun 2017 00:40:06 +0200
Subject: [PATCH] Fixed pylint issues

- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
---
 base/common/python/pki/cli/pkcs12.py   |  4 ++--
 base/common/python/pki/encoder.py  | 12 ++--
 base/server/python/pki/server/cli/audit.py |  8 
 base/server/python/pki/server/cli/ca.py| 16 
 base/server/python/pki/server/cli/db.py|  8 
 base/server/python/pki/server/cli/kra.py   | 20 ++--
 base/server/python/pki/server/cli/ocsp.py  |  4 ++--
 base/server/python/pki/server/cli/subsystem.py |  4 ++--
 base/server/python/pki/server/cli/tks.py   |  4 ++--
 base/server/python/pki/server/cli/tps.py   | 20 ++--
 base/server/python/pki/server/upgrade.py   |  2 +-
 11 files changed, 51 insertions(+), 51 deletions(-)

diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index 8934d33a7..6b99fcfbd 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -62,10 +62,10 @@ class PKCS12ImportCLI(pki.cli.CLI):
 print('  --help Show help message.')
 print()
 
-def execute(self, args):
+def execute(self, argv):
 
 try:
-opts, _ = getopt.gnu_getopt(args, 'v', [
+opts, _ = getopt.gnu_getopt(argv, 'v', [
 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
 'verbose', 'debug', 'help'])
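Review bot: The rename `execute(self, args)` to `execute(self, argv)` only quiets pylint's arguments-differ warning if it matches the base signature, which the cover note says is the intent ("args" ==> "argv" across the routines); it would help future readers to state in the commit message that `pki.cli.CLI.execute(self, argv)` is the signature being matched, so a later lint pass does not flip the name back. The `getopt.gnu_getopt(argv, 'v', [...])` update on the following line keeps behaviour identical, since the result is still unpacked into `opts, _`.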
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
index 8485ab883..d3298bc67 100644
--- a/base/common/python/pki/encoder.py
+++ b/base/common/python/pki/encoder.py
@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder):
 """
 # pylint: disable=E0202
 
-def default(self, obj):
+def default(self, o):
 for k, v in iteritems(TYPES):
-if isinstance(obj, v):
-return {k: obj.__dict__}
+if isinstance(o, v):
+return {k: o.__dict__}
 for t in itervalues(NOTYPES):
-if isinstance(obj, t):
-return self.attr_name_conversion(obj.__dict__, type(obj))
-return json.JSONEncoder.default(self, obj)
+if isinstance(o, t):
+return self.attr_name_conversion(o.__dict__, type(o))
+return json.JSONEncoder.default(self, o)
 
 @staticmethod
 def attr_name_conversion(attr_dict, object_class):
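Review bot: Renaming `obj` to `o` matches the stdlib signature `json.JSONEncoder.default(self, o)` that pylint compares against, but a single-letter name invites being "fixed" again; a short comment next to the existing `# pylint: disable=E0202` line saying the parameter name is dictated by the base class would protect the rename. No logic changes here: the two isinstance loops and the fallback `json.JSONEncoder.default(self, o)` are unchanged apart from the name.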
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index 0833ca816..a19ca8c65 1006

[Pki-devel] [PATCH] Fixed pylint errors

2017-05-31 Thread Matthew Harmsen

Please review the attached patch which addresses the following issues:

 * dogtagpki Pagure Issue #2713 - Build failure due to Pylint issues
   <https://pagure.io/dogtagpki/issue/2713>

These changes were successfully compiled on a Fedora 27 machine with the 
following packages:


 * python2-2.7.13-10.fc27.x86_64
 * python3-3.6.1-7.fc27.x86_64
 * pylint-1.7.1-1.fc27.noarch

From f5044bb484d61a569ba7da252f88d9c87378fcc0 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Wed, 31 May 2017 22:29:24 +0200
Subject: [PATCH] Fixed pylint issues

- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
---
 base/common/python/pki/cli/__init__.py |  6 ++--
 base/common/python/pki/cli/main.py |  4 +--
 base/common/python/pki/encoder.py  | 12 
 base/server/python/pki/server/cli/instance.py  | 40 +-
 base/server/python/pki/server/cli/migrate.py   |  4 +--
 base/server/python/pki/server/cli/nuxwdog.py   |  8 +++---
 base/server/python/pki/server/cli/subsystem.py | 32 ++---
 base/server/python/pki/server/upgrade.py   |  2 +-
 base/server/sbin/pki-server|  4 +--
 9 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/base/common/python/pki/cli/__init__.py b/base/common/python/pki/cli/__init__.py
index 2bed317c9..ac141ebf7 100644
--- a/base/common/python/pki/cli/__init__.py
+++ b/base/common/python/pki/cli/__init__.py
@@ -171,10 +171,10 @@ class CLI(object):
 
 return (module, module_args)
 
-def execute(self, argv):
+def execute(self, args):
 
 try:
-opts, args = getopt.getopt(argv, 'v', [
+opts, args = getopt.getopt(args, 'v', [
 'verbose', 'help'])
 
 except getopt.GetoptError as e:
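Review bot: Rebinding the parameter in `opts, args = getopt.getopt(args, 'v', [...])` shadows the caller's argument list: after this statement `args` holds only the non-option remainder that getopt returns, not the original argv. That matters for the next hunk in this file, which passes `args` to `self.parse_args(...)` where the old code passed `argv`. Keeping the input parameter and the getopt result under different names (the re-sent patch settles on `argv` for the parameter) avoids the collision.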
@@ -199,6 +199,6 @@ class CLI(object):
 self.print_help()
 sys.exit(1)
 
-(module, module_args) = self.parse_args(argv)
+(module, module_args) = self.parse_args(args)
 
 module.execute(module_args)
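Review bot: `self.parse_args(args)` now receives getopt's leftover list instead of the full `argv` the old line used, because `args` was rebound by `getopt.getopt(...)` in the previous hunk; any global options that getopt consumed are no longer visible to `parse_args`, which is a behaviour change rather than a lint fix. Restore `argv` here (or rename the parameter to `argv` as the re-sent patch does) so that `parse_args` sees what it saw before.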
diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
index f201c1d70..96101b4ff 100644
--- a/base/common/python/pki/cli/main.py
+++ b/base/common/python/pki/cli/main.py
@@ -110,12 +110,12 @@ class PKICLI(pki.cli.CLI):
 
 subprocess.check_call(cmd, stdout=stdout)
 
-def execute(self, argv):
+def execute(self, args):
 
 # append global options
 value = os.getenv('PKI_CLI_OPTIONS')
 args = shlex.split(value)
-args.extend(argv[1:])
+args.extend(args[1:])
 
 client_type = 'java'
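Review bot: This hunk breaks `PKICLI.execute`: `args = shlex.split(value)` overwrites the incoming `args` parameter before `args.extend(args[1:])` runs, so the caller's command-line arguments are discarded and the PKI_CLI_OPTIONS values are appended to themselves. The parameter and the local list must keep distinct names (the re-sent patch keeps `argv` for the parameter and leaves `args` for the local). Separately, and pre-existing in the context lines: when PKI_CLI_OPTIONS is unset, `os.getenv` returns None and `shlex.split(None)` reads from standard input on the Python versions of that era; `shlex.split(value or '')` would be safer.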
 
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
index 8485ab883..d3298bc67 100644
--- a/base/common/python/pki/encoder.py
+++ b/base/common/python/pki/encoder.py
@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder):
 """
 # pylint: disable=E0202
 
-def default(self, obj):
+def default(self, o):
 for k, v in iteritems(TYPES):
-if isinstance(obj, v):
-return {k: obj.__dict__}
+if isinstance(o, v):
+return {k: o.__dict__}
 for t in itervalues(NOTYPES):
-if isinstance(obj, t):
-return self.attr_name_conversion(obj.__dict__, type(obj))
-return json.JSONEncoder.default(self, obj)
+if isinstance(o, t):
+return self.attr_name_conversion(o.__dict__, type(o))
+return json.JSONEncoder.default(self, o)
 
 @staticmethod
 def attr_name_conversion(attr_dict, object_class):
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index b69519d57..3acdfe74a 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -85,10 +85,10 @@ class InstanceCertExportCLI(pki.cli.CLI):
 print('  --help Show help message.')
 print()
 
-def execute(self, argv):
+def execute(self, args):
 
 try:
-opts, args = getopt.gnu_getopt(argv, 'i:v', [
+opts, args = getopt.gnu_getopt(args, 'i:v', [
 'instance=',
 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
 'append', 'no-trust-flags', 'no-key', 'no-chain',
@@ -195,10 +195,10 @@ class InstanceFindCLI(pki.cli.CLI):
 print('  --help   Show help message.')
 print()
 
-def execute(self, argv):
+def execute(self, args):
 
 try:
-opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+opts, _ = getopt.gnu_getopt(args, 'i:v', [
 'verbose', 'help'])
 
 except getopt.GetoptError as e:
@@ -255,10 +255,10 @@ class InstanceShowCLI(pki.cli.CLI):
 print('  --help   Show help message.')
 print()
 

[Pki-devel] [PATCH] Always check FIPS mode at initialization time . . .

2017-05-23 Thread Matthew Harmsen

Please review the attached patch which addresses the following bug:

 * Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn
   error <https://bugzilla.redhat.com/show_bug.cgi?id=1454603>

It was given a quick smoke test to determine if it eliminated the Python 
KeyError of 'pki_fips_mode_enabled' not being set which previously 
occurred whenever 'pki_restart_configured_instance' had been overridden 
to be False (which it is on certain FreeIPA deployments).


From 3249ddc2c19f6f5ded11823b345c9c58bae4750b Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Tue, 23 May 2017 11:46:41 -0600
Subject: [PATCH] Always check FIPS mode at installation time

- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
---
 base/server/python/pki/server/deployment/scriptlets/initialization.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 0e31543..4dc4e9a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # ALWAYS establish 'uid' and 'gid'
 deployer.identity.set_uid(deployer.mdict['pki_user'])
 deployer.identity.set_gid(deployer.mdict['pki_group'])
+# ALWAYS check FIPS mode
+deployer.fips.is_fips_enabled()
 # ALWAYS initialize HSMs (when and if present)
 deployer.hsm.initialize()
 if config.str2bool(deployer.mdict['pki_skip_installation']):
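Review bot: `deployer.fips.is_fips_enabled()` is called for its side effect (the cover note says the goal is to have 'pki_fips_mode_enabled' populated before finalization reads it), but the return value is dropped, so the line reads like a no-op; either assign the result to `deployer.mdict['pki_fips_mode_enabled']` here or extend the `# ALWAYS check FIPS mode` comment to say that the call records the flag. Also, the commit subject says "installation time" while the mail subject says "initialization time"; since this is the initialization scriptlet, the latter is the accurate one.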
-- 
1.8.3.1


[Pki-devel] [PATCH] - Correct section headings in user deployment configuration file

2017-05-17 Thread Matthew Harmsen

Please review the attached patch for:

 * Bugzilla Bug #1447144 - CA brought down during separate KRA instance
   creation <https://bugzilla.redhat.com/show_bug.cgi?id=1447144>

Note that the Python method itself was tested in a standalone fashion 
against various sample configuration files to make certain that the only 
thing altered was an invalid section heading.


It was run against the previously modified files noted in the bug and 
made the following changes to the user deployment configuration files:


   # diff mlh_ca.cfg.orig mlh_ca.cfg
   24c24
   < [TOMCAT]
   ---
> [Tomcat]

   # diff mlh_kra.cfg.orig mlh_kra.cfg
   31c31
   < [TOMCAT]
   ---
> [Tomcat]

Application of this patch allowed the KRA to be installed successfully, 
and did not shutdown the CA.



From ca8c6ed4ce72f4ea4bf5146c03ece21a24863ca1 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Wed, 17 May 2017 12:40:57 -0600
Subject: [PATCH] Correct section headings in user deployment configuration
 file

Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation
dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance
   creation
---
 base/server/sbin/pkispawn | 33 +
 1 file changed, 33 insertions(+)

diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 9394b8e..16a664e 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -30,6 +30,7 @@ if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0:
 print("Please upgrade to at least Python 2.7.0.")
 sys.exit(1)
 try:
+import fileinput
 import ldap
 import os
 import requests
@@ -105,6 +106,8 @@ def main(argv):
 interactive = True
 parser.indent = 0
 print(log.PKISPAWN_INTERACTIVE_INSTALLATION)
+else:
+sanitize_user_deployment_cfg(config.user_deployment_cfg)
 
 # Only run this program as "root".
 if not os.geteuid() == 0:
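Review bot: `sanitize_user_deployment_cfg(config.user_deployment_cfg)` rewrites the user's configuration file in place before the `os.geteuid() == 0` check that follows, so a non-root invocation that is about to be rejected still modifies the file on disk. Moving the call after the root check, or having the sanitizer operate on the parsed content rather than rewriting the file, avoids that surprise.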
@@ -574,6 +577,36 @@ def main(argv):
 print_final_install_information(parser.mdict)
 
 
+def sanitize_user_deployment_cfg(cfg):
+# Correct any section headings in the user's configuration file
+for line in fileinput.FileInput(cfg, inplace=1):
+# Remove extraneous leading and trailing whitespace from all lines
+line = line.strip()
+# Normalize section headings to match '/etc/pki/default.cfg'
+if line.startswith("["):
+if line.upper() == "[DEFAULT]":
+line = "[DEFAULT]"
+elif line.upper() == "[TOMCAT]":
+line = "[Tomcat]"
+elif line.upper() == "[CA]":
+line = "[CA]"
+elif line.upper() == "[KRA]":
+line = "[KRA]"
+elif line.upper() == "[OCSP]":
+line = "[OCSP]"
+elif line.upper() == "[RA]":
+line = "[RA]"
+elif line.upper() == "[TKS]":
+line = "[TKS]"
+elif line.upper() == "[TPS]":
+line = "[TPS]"
+else:
+# Notify user of the existence of an invalid section heading
+sys.stderr.write("'%s' contains an invalid section "
+ "heading called '%s'!\n" % (cfg, line))
+print(line)
+
+
 def start_logging():
 # Enable 'pkispawn' logging.
 config.pki_log_dir = config.pki_root_prefix + \
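Review bot: `line = line.strip()` is applied to every line, not only to section headings, so a value continued onto an indented line (ConfigParser treats deeper indentation as a continuation of the previous value) is flattened into what looks like a new key; restrict the normalisation to lines that begin with `[` and write all other lines back unchanged. Two smaller points in the same function: `fileinput.FileInput(cfg, inplace=1)` rewrites the file with no backup, while `backup='.orig'` would keep the original that the cover note's `diff mlh_ca.cfg.orig mlh_ca.cfg` relies on; and the `else:` branch only writes a message to stderr but still emits the invalid heading via `print(line)`, so the installation proceeds with a heading the tool has just declared invalid.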
-- 
2.9.4


[Pki-devel] [PATCH] - Added FIPS class to pkispawn

2017-05-15 Thread Matthew Harmsen

Please review the attached patches for:

 * Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
   <https://bugzilla.redhat.com/show_bug.cgi?id=1450143>

Thanks,
-- Matt

P. S. - The patches were tested on a FIPS-enabled box, and the output 
looks similar to the following:


   pkispawn: INFO ... finalizing 'pki.server.deployment.scriptlets.finalization'
   pkispawn: INFO ... executing 'systemctl enable pki-tomcatd.target'
   Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
   pkispawn: INFO ... executing 'systemctl daemon-reload'
   pkispawn: INFO ... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
   pkispawn: INFO ... FIPS mode is enabled on this operating system.
   pkispawn: DEBUG... No connection - server may still be down
   pkispawn: DEBUG... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
   pkispawn: DEBUG... No connection - server may still be down
   pkispawn: DEBUG... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
   pkispawn: DEBUG... 1CArunning10.4.1-4.el7
   pkispawn: INFO ... rm -rf /opt/RootCA/ca
   pkispawn: INFO END spawning subsystem 'CA' of instance 'pki-tomcat'
   pkispawn: INFO ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
   pkispawn: INFO ... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
   pkispawn: DEBUG... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
   pkispawn: DEBUG... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
   pkispawn: INFO ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
   pkispawn: INFO ... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
   pkispawn: DEBUG... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
   pkispawn: DEBUG... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006

   ==========================================================================
                              INSTALLATION SUMMARY
   ==========================================================================

     Administrator's username:             caadmin
     Administrator's PKCS #12 file:
           /opt/RootCA/caadmincert.p12

     This CA subsystem of the 'pki-tomcat' instance
     has FIPS mode enabled on this operating system.

     REMINDER:  Don't forget to update the appropriate FIPS
                algorithms in server.xml in the 'pki-tomcat' instance.

     To check the status of the subsystem:
           systemctl status pki-tomcatd@pki-tomcat.service

     To restart the subsystem:
           systemctl restart pki-tomcatd@pki-tomcat.service

     The URL for the subsystem is:
           https://pki.example.com:8443/ca

     PKI instances will be enabled upon system boot

   ==========================================================================

From 0669ef8f00c1d558fd46aac725694aa385d5b42b Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Mon, 15 May 2017 20:16:53 -0600
Subject: [PATCH] Added FIPS class to pkispawn

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
---
 .../python/pki/server/deployment/__init__.py   |  2 ++
 .../python/pki/server/deployment/pkihelper.py  | 41 ++
 .../python/pki/server/deployment/pkimessages.py|  4 +++
 .../server/deployment/scriptlets/finalization.py   |  8 +++--
 base/server/sbin/pkispawn  | 10 ++
 5 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 3d719de..709fe70 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -55,6 +55,7 @@ class PKIDeployer:
 self.symlink = None
 self.war = None
 self.password = None
+self.fips = None
 self.hsm = None
 self.certutil = None
 self.modutil = None
@@ -99,6 +100,7 @@ class PKIDeployer:
 self.symlink = util.Symlink(self)
 self.wa

[Pki-devel] [PATCH] - CA installation with HSM in FIPS mode fails

2017-05-12 Thread Matthew Harmsen

Please review the attached patch for:

 * Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
   <https://bugzilla.redhat.com/show_bug.cgi?id=1450143>

Thanks,
-- Matt

From 20ae6dad5c8bd30eb016d7680a1ad48defff629a Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 12 May 2017 13:00:54 -0600
Subject: [PATCH] Fix CA installation with HSM in FIPS mode

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
---
 base/server/python/pki/server/deployment/pkihelper.py | 19 ++-
 .../pki/server/deployment/scriptlets/finalization.py  |  3 ++-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 051778d..e503bbc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1017,11 +1017,20 @@ class Instance:
  extra=config.PKI_INDENTATION_LEVEL_2)
 raise
 
-def get_instance_status(self):
+def get_instance_status(self, secure_connection=True):
+pki_protocol = None
+pki_port = None
+if secure_connection:
+pki_protocol = "https"
+pki_port = self.mdict['pki_https_port']
+else:
+pki_protocol = "http"
+pki_port = self.mdict['pki_http_port']
+
 connection = pki.client.PKIConnection(
-protocol='https',
+protocol=pki_protocol,
 hostname=self.mdict['pki_hostname'],
-port=self.mdict['pki_https_port'],
+port=pki_port,
 subsystem=self.mdict['pki_subsystem_type'],
 accept='application/xml',
 trust_env=False)
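Review bot: The `pki_protocol = None` and `pki_port = None` initialisations are dead, since both branches of `if secure_connection:` assign them; dropping them, or collapsing to a conditional expression, makes the intent clearer. More importantly, the new `secure_connection=False` path probes the instance over plain `http` on `pki_http_port`. That is acceptable for a status poll that carries no credentials, but the method should say so in a docstring, and callers should fall back to it only where the HTTPS connector is known to be unusable (the FIPS case from the cover note) rather than as a general default.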
@@ -1049,11 +1058,11 @@ class Instance:
 extra=config.PKI_INDENTATION_LEVEL_3)
 return None
 
-def wait_for_startup(self, timeout):
+def wait_for_startup(self, timeout, secure_connection=True):
 start_time = datetime.today()
 status = None
 while status != "running":
-status = self.get_instance_status()
+status = self.get_instance_status(secure_connection)
 time.sleep(1)
 stop_time = datetime.today()
 if (stop_time - start_time).total_seconds() >= timeout:
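Review bot: `wait_for_startup(self, timeout, secure_connection=True)` forwards the flag positionally in `self.get_instance_status(secure_connection)`; passing it as `secure_connection=secure_connection` protects against the parameter order of `get_instance_status` changing later. The one-second polling loop and the timeout handling are otherwise unchanged.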
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 941691c..75bb80e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
 deployer.systemd.restart()
 # wait for startup
-status = deployer.instance.wait_for_startup(60)
+# (must use 'http' protocol due to potential FIPS configuration)
+status = deployer.instance.wait_for_startup(60, False)
 if status is None:
 config.pki_log.error(
 "server failed to restart",
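Review bot: `deployer.instance.wait_for_startup(60, False)` is hard to read at the call site; `secure_connection=False` would say what the bare `False` means. The comment above it explains the http protocol is needed "due to potential FIPS configuration", but the call disables the HTTPS check for every installation, not only FIPS ones, so a non-FIPS install whose HTTPS connector failed to come up would now be reported as running. Keying the fallback on the FIPS detection that the later "Added FIPS class to pkispawn" patch introduces would keep the stronger check where it still works.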
-- 
2.9.3


Re: [Pki-devel] [Freeipa-devel] [TESTING] Please test and add karma to pki-core-10.4.0-1

2017-03-17 Thread Matthew Harmsen

On 03/17/2017 10:02 AM, Lukas Slebodnik wrote:

On (17/03/17 12:14), Martin Babinsky wrote:

A new update for Dogtag PKI (pki-core-10.4.0-1.fc25) landed in Fedora 25
updates-testing yesterday.[1]


It was also pushed to fedora26
https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cc27242c1


I have already provided negative karma as the update broke CA clone deployment
on FreeIPA replica install.

It would be nice if you could test it and provide +1/-1 ASAP so that we can
push it out before it hits stable and give Matthew a chance to provide fixes.


The fastest will be if it will be unpushed by fedora maintainer
Adding mharmsen to CC.

LS


Lukas and Martin,

After speaking with some members of the PKI team, I have unpushed both 
the F25 and F26 builds from Bodhi.


The following unresolved issues on cloning were documented in:

 * dogtagpki Pagure Issue #2336 - IPA Replica CA configuration failed:
   Clone does not have all the required certificates

Was this the same cloning failure that you were seeing?

If not, please file a detailed Pagure Issue describing the failure 
complete with log attachment.


As for the vault issue, we may have an idea on this as the code in that 
area has been changing.


Thanks,
-- Matt


[Pki-devel] Karma Requests for jss-4.4.0-1

2017-03-14 Thread Matthew Harmsen

*The following updated candidate builds of jss 4.4.0 were generated:*

 * Fedora 25:
 o jss-4.4.0-1.fc25
 * Fedora 26:
 o jss-4.4.0-1.fc26
 * Fedora 27:
 o jss-4.4.0-1.fc27

*These builds address the following Bug:*

 * Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+

*Please provide Karma for the following builds:*

 * Fedora 25:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-155b9d81d2
   jss-4.4.0-1.fc25
 * Fedora 26:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-70cf2c25eb
   jss-4.4.0-1.fc26


Re: [Pki-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1

2017-03-13 Thread Matthew Harmsen

On 03/12/2017 11:39 PM, Matthew Harmsen wrote:


*The following updated candidate builds of ldapjdk 4.19 and tomcatjss 
7.2.0 were generated:*

  * Fedora 25:
  o ldapjdk-4.19-1.fc25
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=867318>
  o tomcatjss-7.2.0-1.fc25
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=868071>
  * Fedora 26:
  o ldapjdk-4.19-1.fc26
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=867320>
  o tomcatjss-7.2.0-1.fc26
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=868072>
  * Fedora 27:
  o ldapjdk-4.19-1.fc27
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=867321>
  o tomcatjss-7.2.0-1.fc27
    <https://koji.fedoraproject.org/koji/buildinfo?buildID=868073>

*These builds address the following Bugs and Pagure Issues:*

  * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no
    host:port <https://bugzilla.redhat.com/show_bug.cgi?id=1382856>
  * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
    <https://bugzilla.redhat.com/show_bug.cgi?id=1394372>
  * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora
    25+ <https://pagure.io/tomcatjss/issue/6>

*Please provide Karma for the following builds:*

  * Fedora 25:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15
    ldapjdk-4.19-1.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7
    tomcatjss-7.2.0-1.fc25
  * Fedora 26:
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981
    ldapjdk-4.19-1.fc26
  o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632
    tomcatjss-7.2.0-1.fc26

A problem was discovered in which the tomcatjss.spec file was embedded 
inside the tomcatjss tarball; this was fixed, the tarball was
republished, all packages were rebuilt, and new builds were submitted to 
bodhi:


*The following updated candidate builds of tomcatjss 7.2.0 were 
regenerated:*

 * Fedora 25:
 o tomcatjss-7.2.0-2.fc25
   <https://koji.fedoraproject.org/koji/buildinfo?buildID=868412>
 * Fedora 26:
 o tomcatjss-7.2.0-2.fc26
   <https://koji.fedoraproject.org/koji/buildinfo?buildID=868417>
 * Fedora 27:
 o tomcatjss-7.2.0-2.fc27
   <https://koji.fedoraproject.org/koji/buildinfo?buildID=868424>

*Please provide Karma for the following builds:*

 * Fedora 25:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-2fc4861133
   tomcatjss-7.2.0-2.fc25
 * Fedora 26:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cd38eab18
   tomcatjss-7.2.0-2.fc26


[Pki-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1

2017-03-12 Thread Matthew Harmsen
*The following updated candidate builds of ldapjdk 4.19 and tomcatjss 
7.2.0 were generated:*

 * Fedora 25:
 o ldapjdk-4.19-1.fc25
 o tomcatjss-7.2.0-1.fc25
 * Fedora 26:
 o ldapjdk-4.19-1.fc26
 o tomcatjss-7.2.0-1.fc26
 * Fedora 27:
 o ldapjdk-4.19-1.fc27
 o tomcatjss-7.2.0-1.fc27

*These builds address the following Bugs and Pagure Issues:*

 * Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no
   host:port
 * Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
 * tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+

*Please provide Karma for the following builds:*

 * Fedora 25:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15
   ldapjdk-4.19-1.fc25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7
   tomcatjss-7.2.0-1.fc25
 * Fedora 26:
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981
   ldapjdk-4.19-1.fc26
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632
   tomcatjss-7.2.0-1.fc26


[Pki-devel] IMPORTANT: Relocation of fedorahosted.org source code repositories to github . . .

2017-02-16 Thread Matthew Harmsen
This is to notify everyone that the following source code repositories 
located on https://fedorahosted.org/web/ have been relocated:

 * nuxwdog
 o OLD LOCATION (fedorahosted SVN repo):
 + svn co http://svn.fedorahosted.org/svn/nuxwdog
 o NEW LOCATION (GITHUB GIT repo):
 + git clone git@github.com:dogtagpki/nuxwdog.git
 + git clone https://github.com/dogtagpki/nuxwdog.git

 * pki (legacy versions)
 o OLD LOCATION (fedorahosted SVN repo):
 + svn co http://svn.fedorahosted.org/svn/pki
 o NEW LOCATION (GITHUB GIT repo):
 + git clone git@github.com:dogtagpki/legacy-pki.git
 + git clone https://github.com/dogtagpki/legacy-pki.git

 * pki
 o OLD LOCATION (fedorahosted GIT repo):
 + git clone git://git.fedorahosted.org/git/pki.git
 o NEW LOCATION (GITHUB GIT repo):
 + git clone git@github.com:dogtagpki/pki.git
 + git clone https://github.com/dogtagpki/pki.git

 * tomcatjss
 o OLD LOCATION (fedorahosted SVN repo):
 + svn co http://svn.fedorahosted.org/svn/tomcatjss
 o NEW LOCATION (GITHUB GIT repo):
 + git clone g...@github.com:dogtagpki/tomcatjss.git
 + git clone https://github.com/dogtagpki/tomcatjss.git

*WARNING:  THE SOURCE CODE AT THE OLD LOCATIONS IS SUBJECT TO VANISH AND 
WILL NO LONGER BE MAINTAINED!*

IMPORTANT:  For all local PKI GIT repositories that were previously 
checked out from fedorahosted.org, please follow these instructions 
(published on http://pki.fedoraproject.org/wiki/PKI_Developers):

   To check the current GIT repository:

   $ git config remote.origin.url
   ssh://usern...@git.fedorahosted.org/git/pki.git

   To change the GIT repository:

   $ git config remote.origin.url g...@github.com:dogtagpki/pki.git

   For all other local SVN repositories (nuxwdog, pki (legacy
   versions), or tomcatjss) that were checked out from
   fedorahosted.org, please identify any local changes,
   checkout a fresh repository from GITHUB, and manually apply
   the local changes (patches) from your old local repository
   to your newly checked out local repository.

Thanks,
-- Matt


[Pki-devel] Karma Requests for pki-core-10.3.5-11

2017-01-31 Thread Matthew Harmsen

*The following updated candidate builds of pki-core 10.3.5 were generated:*

 * Fedora 24
 o pki-core-10.3.5-11.fc24
 * Fedora 25
 o pki-core-10.3.5-11.fc25
 * Fedora 26
 o pki-core-10.3.5-11.fc26

*These builds address the following PKI TRAC tickets:*

 * PKI TRAC Ticket #1741 - ECDSA Certificates Generated by Certificate
   System fail NIST validation test with parameter field.
 * PKI TRAC Ticket #2450 - Unable to search certificate requests using
   the latest request ID
 * PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA
   and TPS tokendb shows different certificate status
 * PKI TRAC Ticket #2564 - pki-tomcat for 10+ minutes before
   generating cert
 * PKI TRAC Ticket #2570 - Problem with default AJP hostname in IPv6
   environment.
 * PKI TRAC Ticket #2573 - CA Certificate Issuance Date displayed on
   CA website incorrect
 * PKI TRAC Ticket #2579 - NumberFormatException in
   LDAPProfileSubsystem

*Please provide Karma for the following builds:*

 * Fedora 24
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-a2898f25b1
   pki-core-10.3.5-11.fc24
 * Fedora 25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2017-fe062eaff7
   pki-core-10.3.5-11.fc25



Re: [Pki-devel] [PATCH] 919 Merged /pki webapps.

2017-01-27 Thread Matthew Harmsen

On 01/25/2017 04:35 PM, Endi Sukma Dewata wrote:

Previously the /pki webapp was only added if the theme was present
during installation, and there were separate webapps for /pki/admin
and /pki/js. If the theme was installed later, the /pki webapp had
to be configured manually.

To simplify the installation and to support other developments
(e.g. login banner), the /pki webapp will always be added during
installation regardless of theme, and the /pki/admin and /pki/js
webapps are merged into /pki webapp. When the theme package is
installed, it will create links in /pki webapp so the theme files
will become available without additional configuration.

An upgrade script has been added to merge the /pki webapp in
existing instances.

https://fedorahosted.org/pki/ticket/2582





ACK (with CAVEAT) if tested to work.

CAVEAT:  This should be separated into three separate patches (one for 
base changes, one for dogtag changes, and a separate one containing the 
spec file change) prior to check-in:


 * Patch 1:
 o base/server/python/pki/server/deployment/scriptlets/instance_layout.py
 o base/server/tomcat7/conf/Catalina/localhost/pki#admin.xml
 o base/server/tomcat7/conf/Catalina/localhost/pki#js.xml
 o base/server/tomcat7/conf/Catalina/localhost/pki.xml
 o base/server/tomcat8/conf/Catalina/localhost/pki#admin.xml
 o base/server/tomcat8/conf/Catalina/localhost/pki#js.xml
 o base/server/tomcat8/conf/Catalina/localhost/pki.xml
 o base/server/upgrade/10.4.0/02-MergePKIWebapps
 o delete mode 100644
   base/server/tomcat7/conf/Catalina/localhost/pki#admin.xml
 o delete mode 100644
   base/server/tomcat7/conf/Catalina/localhost/pki#js.xml
 o delete mode 100644
   base/server/tomcat8/conf/Catalina/localhost/pki#admin.xml
 o delete mode 100644
   base/server/tomcat8/conf/Catalina/localhost/pki#js.xml
 o create mode 100755 base/server/upgrade/10.4.0/02-MergePKIWebapps
 * Patch 2:
 o dogtag/common-ui/CMakeLists.txt
 * Patch 3:
 o specs/dogtag-pki-theme.spec


Re: [Pki-devel] [PATCH] 901 Added upgrade script to update AJP loopback address.

2017-01-19 Thread Matthew Harmsen

On 01/19/2017 01:48 PM, Endi Sukma Dewata wrote:

An upgrade script has been added to replace IPv4- and IPv6-specific
AJP loopback address with a more generic "localhost" in existing
instances.

https://fedorahosted.org/pki/ticket/2570





If tested to work: ACK


Re: [Pki-devel] [PATCH] 897 Added global TCP Keep-Alive option.

2017-01-16 Thread Matthew Harmsen

On 01/07/2017 12:38 AM, Endi Sukma Dewata wrote:

A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.

The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.

All code that creates LDAP connections has been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.

https://fedorahosted.org/pki/ticket/2564

Tested with standalone PKI and with IPA.





ACK


[Pki-devel] Karma Requests for pki-core-10.3.5-9

2016-12-15 Thread Matthew Harmsen

*The following updated candidate builds of pki-core 10.3.5 were generated:*

 * Fedora 24
 o pki-core-10.3.5-9.fc24
 * Fedora 25
 o pki-core-10.3.5-9.fc25
 * Fedora 26
 o pki-core-10.3.5-9.fc26

*These builds address the following PKI tickets:*

 * PKI TRAC Ticket #1517 - user-cert-add --serial CLI request to
   secure port with remote CA shows authentication failure
 * PKI TRAC Ticket #1897 - [MAN] Man page for logging configuration.
 * PKI TRAC Ticket #1920 - [MAN] Man page for PKCS #12 utilities
 * PKI TRAC Ticket #2226 - KRA installation: NullPointerException in
   ProxyRealm.findSecurityConstraints
 * PKI TRAC Ticket #2289 - [MAN] pki ca-cert-request-submit fails
   presumably because of missing authentication even if it should not
   require any
 * PKI TRAC Ticket #2523 - Changes to target.agent.approve.list
   parameter is not reflected in the TPS Web UI
 * PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA
   and TPS tokendb shows different certificate status
 * PKI TRAC Ticket #2543 - Unable to install subordinate CA with HSM
   in FIPS mode
 * PKI TRAC Ticket #2544 - TPS throws "err=6" when attempting to
   format and enroll G Cards
 * PKI TRAC Ticket #2552 - pkispawn does not change default ecc key
   size from nistp256 when nistp384 is specified in spawn config

*Please provide Karma for the following builds:*

 * Fedora 24
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-346c2e1366
   pki-core-10.3.5-9.fc24
 * Fedora 25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9100653751
   pki-core-10.3.5-9.fc25


Re: [Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch

2016-12-08 Thread Matthew Harmsen

On 12/08/2016 05:42 PM, John Magne wrote:

Simple patch will provide a fix to this issue.




Tested original code to confirm incorrect ECC signing curve; tested 
patched code to confirm correct ECC signing curve.


ACK


Re: [Pki-devel] port to tomcat 8.5?

2016-12-07 Thread Matthew Harmsen

On 12/03/2016 04:00 AM, Timo Aaltonen wrote:

On 02.12.2016 12:01, Timo Aaltonen wrote:

Hi

   Debian recently switched to tomcat 8.5, which broke Dogtag. The first issue that 
I found was that Http11Protocol is no more; you need to use Http11NioProtocol. 
After fixing that, it then fails with:

02-Dec-2016 11:26:05.270 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-8443]]
  org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
 at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.NoClassDefFoundError: 
org/apache/tomcat/util/net/ServerSocketFactory
...

I see Fedora is still at 8.0, so no-one has tried 8.5 yet?

Looks like tomcat 8.5 breaks the build as well for both dogtag
and tomcatjss. The Debian freeze is on Jan 5th, so this needs to be fixed well
before x-mas just to be on the safe side :/

dogtag build log: http://pastebin.com/gabUtiTy
tomcatjss build log: http://pastebin.com/3qrh5Eqp




Timo,

I just looked in Bodhi, and the latest version of Tomcat in Fedora is 
8.0.39 (currently in testing).


What version of Tomcat were you using previously from which you upgraded?

Also, does Debian use JBoss?  If so, does Tomcat 8.5 work with that?

-- Matt



Re: [Pki-devel] [PATCH] 868-871 Added man pages for logging configuration

2016-11-17 Thread Matthew Harmsen

On 11/17/2016 03:23 PM, Endi Sukma Dewata wrote:
Attached are patches to clean up and to add man pages for the logging 
configuration.






ACK (presuming customization and troubleshooting have been tested) with 
the following caveats:


 * pki-edewata-0868-Removed-unused-subsystem-logging.properties.patch
 o This patch needs to be split into two separate and distinct patches:
 + patch 1 contains base/ca and base/kra changes
 + patch 2 contains base/ocsp, base/tks, and base/tps changes
 * pki-edewata-0869-Updated-logging.properties.patch
 o fine as is
 * pki-edewata-0870-Updated-log4j.properties.patch
 o fine as is
 * pki-edewata-0871-Added-man-pages-for-logging-configuration.patch
 o suggest adding a CUSTOMIZATION section header to the
   pki-logging.5 man page:
 + .SH CUSTOMIZATION

   To customize the logging configuration, copy the default
   logging configuration file into /etc/pki/logging.properties,
   then change the configuration as needed.
 o similarly, I suggest adding the following headers (or something
   similar) to the pki-server-logging.5 man page:
 + .SH CUSTOMIZATION

   To customize JUL configuration, replace the link with a copy
   of the default configuration:
 + .SH TROUBLESHOOTING

   To troubleshoot RESTEasy issues add the following line
   (unless Log4j is installed in Tomcat classpath):
 + .SH TOMCAT LOGGING

   .SS Log4j
 + .SH PKI LOGGING

   .SS Internal Logging
 * Add a separate check-in to 'pki/specs/pki-core.spec' to include the
   man pages in their appropriate RPMS:
 o %files -n pki-base
   ...
   %{_sbindir}/pki-upgrade
   *%{_mandir}/man5/pki-logging.5.gz*
   %{_mandir}/man8/pki-upgrade.8.gz
   ...
 o %files -n pki-server
   ...
   %{_mandir}/man5/pki_default.cfg.5.gz
   *%{_mandir}/man5/pki-server-logging.5.gz*
   %{_mandir}/man8/pki-server-upgrade.8.gz


[Pki-devel] Karma Requests for pki-core-10.3.5-8

2016-11-05 Thread Matthew Harmsen

*The following updated candidate builds of pki-core 10.3.5 were generated:*

 * Fedora 24
 o pki-core-10.3.5-8.fc24
 * Fedora 25
 o pki-core-10.3.5-8.fc25
 * Fedora 26
 o pki-core-10.3.5-8.fc26

*Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also 
updated:*

 * https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo

   [group_pki-epel-7.3]
   name=Copr repo for epel-7.3 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/epel-7-$basearch/
   type=rpm-md
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/pubkey.gpg
   repo_gpgcheck=0
   enabled=1
   enabled_metadata=1

*These builds address the following PKI tickets:*

 * PKI TRAC Ticket #850 - JSS certificate validation function does not
   pass up exact errors from NSS
 * PKI TRAC Ticket #1247 - Better error message when try to renew a
   certificate that expires outside renewal grace period
 * PKI TRAC Ticket #1536 - CA EE: Submit caUserCert request without
   uid does not show proper error message
 * PKI TRAC Ticket #2460 - Typo in comment line of
   UserPwdDirAuthentication.java
 * PKI TRAC Ticket #2486 - Automatic recovery of encryption cert is
   not working when a token is physically damaged and a temporary token
   is issued
 * PKI TRAC Ticket #2498 - Token format with external reg fails when
   op.format.externalRegAddToToken.revokeCert=true
 * PKI TRAC Ticket #2500 - Problems with FIPS mode
 * PKI TRAC Ticket #2510 - PIN_RESET policy is not giving expected
   results when set on a token
 * PKI TRAC Ticket #2513 - TPS token enrollment fails to
   setupSecureChannel when TPS and TKS security db is on fips mode.

*Please provide Karma for the following builds:*

 * Fedora 24
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-393715962d
   pki-core-10.3.5-8.fc24
 * Fedora 25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d0eb45e120
   pki-core-10.3.5-8.fc25


Re: [Pki-devel] Karma Requests for pki-core-10.3.5-7 and pki-console-10.3.5-2

2016-10-19 Thread Matthew Harmsen

On 10/11/2016 01:12 PM, Matthew Harmsen wrote:
*The following updated candidate builds of pki-core 10.3.5 and 
pki-console 10.3.5 were generated:*

  * Fedora 24
  o pki-core-10.3.5-7.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=808527>
  o pki-console-10.3.5-2.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=808789>
  * Fedora 25
  o pki-core-10.3.5-7.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=808568>
  o pki-console-10.3.5-2.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=808800>
  * Fedora 26
  o pki-core-10.3.5-7.fc26 (still working on build issues
    encountered on rawhide)

 * pki-core-10.3.5-7.fc26
   <http://koji.fedoraproject.org/koji/buildinfo?buildID=808686>

  o pki-console-10.3.5-2.fc26
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=808812>

*Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were 
also updated:*

  * https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo
    <https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo>

    [group_pki-epel-7.3]
    name=Copr repo for epel-7.3 owned by @pki
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/epel-7-$basearch/
    type=rpm-md
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/pubkey.gpg
    repo_gpgcheck=0
    enabled=1
    enabled_metadata=1

*These builds address the following PKI tickets:*

  * PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
    <https://fedorahosted.org/pki/ticket/1527>
  * PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to
    enroll a single user on multiple tokens. (jmagne)
    <https://fedorahosted.org/pki/ticket/1664>
  * PKI TRAC Ticket #2463 - Troubleshooting improvements (edewata)
    <https://fedorahosted.org/pki/ticket/2463>
  o potentially more to come in future releases
  * PKI TRAC Ticket #2466 - two-step externally-signed CA installation
    fails due to missing AuthorityID (ftweedal)
    <https://fedorahosted.org/pki/ticket/2466>
  * PKI TRAC Ticket #2475 - Multiple host authority entries created
    (ftweedal) <https://fedorahosted.org/pki/ticket/2475>
  * PKI TRAC Ticket #2476 - Dogtag Miscellaneous Minor Changes
    (edewata) <https://fedorahosted.org/pki/ticket/2476>
  o potentially more to come in future releases
  * PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find
    openssl as a dependency package (mharmsen)
    <https://fedorahosted.org/pki/ticket/2478>
  * PKI TRAC Ticket #2483 - Unable to read an encrypted email using
    renewed tokens (jmagne) <https://fedorahosted.org/pki/ticket/2483>
  * PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the
    cert serial number and key id on the ldap user mismatches (cfu)
    <https://fedorahosted.org/pki/ticket/2496>
  * PKI TRAC Ticket #2497 - KRA installation failed against
    externally-signed CA with partial certificate chain (edewata)
    <https://fedorahosted.org/pki/ticket/2497>
  * PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in
    multiple jar files (edewata)
    <https://fedorahosted.org/pki/ticket/2505>

*Please provide Karma for the following builds:*

  * Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-76fae7b25f
    pki-core-10.3.5-7.fc24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9e6c42783
    pki-console-10.3.5-2.fc24
  * Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3496056579
    pki-core-10.3.5-7.fc25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-70b3b8b697
    pki-console-10.3.5-2.fc25




[Pki-devel] Karma Requests for pki-core-10.3.5-7 and pki-console-10.3.5-2

2016-10-11 Thread Matthew Harmsen
*The following updated candidate builds of pki-core 10.3.5 and 
pki-console 10.3.5 were generated:*

 * Fedora 24
 o pki-core-10.3.5-7.fc24
 o pki-console-10.3.5-2.fc24
 * Fedora 25
 o pki-core-10.3.5-7.fc25
 o pki-console-10.3.5-2.fc25
 * Fedora 26
 o pki-core-10.3.5-7.fc26 (still working on build issues
   encountered on rawhide)
 o pki-console-10.3.5-2.fc26

*Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also 
updated:*

 * https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo

   [group_pki-epel-7.3]
   name=Copr repo for epel-7.3 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/epel-7-$basearch/
   type=rpm-md
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/pubkey.gpg
   repo_gpgcheck=0
   enabled=1
   enabled_metadata=1

*These builds address the following PKI tickets:*

 * PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
 * PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll
   a single user on multiple tokens. (jmagne)
 * PKI TRAC Ticket #2463 - Troubleshooting improvements (edewata)
 o potentially more to come in future releases
 * PKI TRAC Ticket #2466 - two-step externally-signed CA installation
   fails due to missing AuthorityID (ftweedal)
 * PKI TRAC Ticket #2475 - Multiple host authority entries created
   (ftweedal)
 * PKI TRAC Ticket #2476 - Dogtag Miscellaneous Minor Changes (edewata)
 o potentially more to come in future releases
 * PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find
   openssl as a dependency package (mharmsen)
 * PKI TRAC Ticket #2483 - Unable to read an encrypted email using
   renewed tokens (jmagne)
 * PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the
   cert serial number and key id on the ldap user mismatches (cfu)
 * PKI TRAC Ticket #2497 - KRA installation failed against
   externally-signed CA with partial certificate chain (edewata)
 * PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in
   multiple jar files (edewata)

*Please provide Karma for the following builds:*

 * Fedora 24
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-76fae7b25f
   pki-core-10.3.5-7.fc24
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-a9e6c42783
   pki-console-10.3.5-2.fc24
 * Fedora 25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3496056579
   pki-core-10.3.5-7.fc25
 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-70b3b8b697
   pki-console-10.3.5-2.fc25


[Pki-devel] Karma Requests for pki-core-10.3.5-6

2016-09-12 Thread Matthew Harmsen
*The following updated candidate builds of pki-core 10.3.5 on Fedora 
24, 25, and 26 (rawhide) consist of the following:*

  * Fedora 24
  o pki-core-10.3.5-5.fc24

 o pki-core-10.3.5-6.fc24

  * Fedora 25
  o pki-core-10.3.5-5.fc25

 o pki-core-10.3.5-6.fc25

  * Fedora 26
  o pki-core-10.3.5-5.fc26

 o pki-core-10.3.5-6.fc26

*Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were 
also updated:*

  * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

    [group_pki-10.3.3]
    name=Copr repo for 10.3.3 owned by @pki
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
    enabled=1
    enabled_metadata=1

*These builds address the following PKI tickets:*

  * PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
    deletion
  * PKI TRAC Ticket #2346 - Dogtag 10.3.6: Miscellaneous Enhancements
  * PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA
    entry deleted
  * PKI TRAC Ticket #2444 - Authority entry without entryUSN is
    skipped even if USN plugin enabled
  * PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique
    per instance name (for shared HSM)
  * PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs
  * PKI TRAC Ticket #2449 - Unable to create system certificates in
    different tokens

 * REVOKES PATCH FOR PKI TRAC Ticket #2449 - Unable to create system
   certificates in different tokens

*Please provide Karma for the following builds:*

  * Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-994f943797
    pki-core-10.3.5-5.fc24

 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b06393ae4
   pki-core-10.3.5-6.fc24

  * Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d363d36e22
    pki-core-10.3.5-5.fc25

 o https://bodhi.fedoraproject.org/updates/FEDORA-2016-734ba29899
   pki-core-10.3.5-6.fc25


[Pki-devel] Karma Requests for pki-core-10.3.5-5

2016-09-07 Thread Matthew Harmsen
The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 
25, and 26 (rawhide) consist of the following:

 * Fedora 24
   o pki-core-10.3.5-5.fc24
 * Fedora 25
   o pki-core-10.3.5-5.fc25
 * Fedora 26
   o pki-core-10.3.5-5.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also 
updated:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

   [group_pki-10.3.3]
   name=Copr repo for 10.3.3 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
   enabled=1
   enabled_metadata=1

These builds address the following PKI tickets:

 * PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
   deletion
 * PKI TRAC Ticket #2346 - Dogtag 10.3.6: Miscellaneous Enhancements
 * PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA
   entry deleted
 * PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped
   even if USN plugin enabled
 * PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique
   per instance name (for shared HSM)
 * PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs
 * PKI TRAC Ticket #2449 - Unable to create system certificates in
   different tokens

Please provide Karma for the following builds:

 * Fedora 24
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-994f943797
     pki-core-10.3.5-5.fc24
 * Fedora 25
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d363d36e22
     pki-core-10.3.5-5.fc25


[Pki-devel] Karma Requests for pki-core-10.3.5-3

2016-08-24 Thread Matthew Harmsen
The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 
25, and 26 (rawhide) consist of the following:

 * Fedora 24
   o pki-core-10.3.5-3.fc24
 * Fedora 25
   o pki-core-10.3.5-3.fc25
 * Fedora 26
   o pki-core-10.3.5-3.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also 
updated:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

   [group_pki-10.3.3]
   name=Copr repo for 10.3.3 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
   enabled=1
   enabled_metadata=1

These builds address the following PKI tickets:

 * PKI TRAC Ticket #690 - pki-tools man pages --- CMCEnroll
 * PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error
   message "PKIException: LDAP error (21): error result"
 * PKI TRAC Ticket #2429 - [RFE] TPS UI: profile property needs to be
   added one by one can we add in bulk
 * PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
 * PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected
 * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
   o include JSS cert validation error message in selftest log
   o add debug messages to ConfigurationUtils.handleCerts()
   o apply RFC 7468 Headers/Trailers to PKI tools
 * PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from
   TPSUI pem format with/without header works while pkcs7 with header
   is not allowed
 * PKI TRAC Ticket #2440 - Optional CA signing CSR for migration

Please provide Karma for the following builds:

 * Fedora 24
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
     pki-core-10.3.5-1.fc24 + resteasy-3.0.17-3.fc24
     + IMPORTANT:  This combination build MUST be pushed first
       since pki-core-10.3.5-3.fc24 DEPENDS upon resteasy-3.0.17!!!
   o https://bodhi.fedoraproject.org/updates/pki-core-10.3.5-3.fc24
     pki-core-10.3.5-3.fc24
 * Fedora 25
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-456eb9f4b7
     pki-core-10.3.5-3.fc25


[Pki-devel] [PATCH] CMCEnroll man page + (proposed) HEADER/FOOTER changes

2016-08-18 Thread Matthew Harmsen
Please review the following patches, which add a CMCEnroll man page and 
propose code changes to the command line tools to allow them to use 
the preferred RFC 7468 HEADERS and TRAILERS (see 
https://www.rfc-editor.org/rfc/rfc7468.txt):


 * PKI TRAC Ticket #690 - [MAN] pki-tools man pages
   <https://fedorahosted.org/pki/ticket/690>
 * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
   <https://fedorahosted.org/pki/ticket/2436>

The first patch contains all of the code changes, and the second patch 
simply contains the associated spec file change.


From ebfb6a5c8288f87e7fbd2d4650afc2e7383f6865 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Thu, 18 Aug 2016 18:31:42 -0600
Subject: [PATCH] pki-tools CMCEnroll man page plus HEADER/FOOTER changes

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
  - CMCEnroll
* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
---
 base/java-tools/man/man1/CMCEnroll.1   | 570 +
 .../src/com/netscape/cmstools/CMCEnroll.java   |  13 +-
 .../src/com/netscape/cmstools/CMCRequest.java  |   4 +-
 .../src/com/netscape/cmstools/CMCRevoke.java   |  11 +-
 .../src/com/netscape/cmstools/CRMFPopClient.java   |   8 +-
 .../src/com/netscape/cmstools/PKCS10Client.java|  11 +-
 6 files changed, 599 insertions(+), 18 deletions(-)
 create mode 100644 base/java-tools/man/man1/CMCEnroll.1

diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
new file mode 100644
index 000..405a1af
--- /dev/null
+++ b/base/java-tools/man/man1/CMCEnroll.1
@@ -0,0 +1,570 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CMCEnroll 1 "July 20, 2016" "version 10.3" "PKI CMC Enrollment Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nhdisable hyphenation
+.\" .hyenable hyphenation
+.\" .ad l  left justify
+.\" .ad b  justify to both left and right margins
+.\" .nfdisable filling
+.\" .fienable filling
+.\" .brinsert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+CMCEnroll \- Used to sign a certificate request with an agent's certificate.
+
+.SH SYNOPSIS
+.PP
+\fBCMCEnroll -d  -n  -r  -p \fP
+
+.SH DESCRIPTION
+.PP
+The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, \fBCMCEnroll\fP, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.
+.PP
+\fBCMCEnroll\fP takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.PP
+\fBNote:\fP
+Surround values that include spaces with quotation marks.
+.TP
+.B -d 
+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files associated with the agent certificate. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
+
+.TP
+.B -n 
+The nickname of the agent certificate that is used to sign the request.
+
+.TP
+.B -r 
+The filename of the certificate request.
+
+.TP
+.B -p 
+The password to the NSS certificate database which contains the agent certificate, given in \fB-d \fP.
+
+.SH EXAMPLES
+.PP
+Signed requests must be submitted to the CA to be processed.
+.PP
+\fBNote:\fP For this example to work automatically, the \fBCMCAuth\fP plug-in must be enabled on the CA server (which it is by default).
+.TP
+(1) Create a PKCS #10 certificate request using a tool like \fBcertutil\fP:
+.IP
+.nf
+# cd ~/.mozilla/firefox/
+
+# certutil -d . -L
+Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+
+Google Internet Authority G2 ,,   
+COMODO RSA Domain Validation Secure Server CA,,   
+pki.example.com  ,,   
+DigiCert SHA2 Secure Server CA   ,,   
+DigiCert SHA2 Extended Validation Server CA  ,,   
+COMODO RSA Extended Validation Secure Server CA 2,,   
+Symantec Class 3 Secure Server CA - G4   ,,   
+Go Daddy Secure Certificate Authority - G2   ,,   
+Oracle SSL CA - G2   ,,   
+GeoTrust EV SSL CA - G4  
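Review bot: the OPTIONS entry for `-p` documents passing the NSS certificate database password as a plain command-line argument; since arguments are visible to every local user through the process list, the man page should say so and, if CMCEnroll supports a password file or interactive prompt, point the reader to that instead (or state that no alternative exists). A smaller point: the `.TH` line still carries "July 20, 2016" although the comment immediately below it asks for the date to be adjusted on every revision and this patch is dated 18 Aug 2016.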

[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-08-12 Thread Matthew Harmsen
An updated external EPEL CentOS 7 COPR repo is now available which 
contains the latest Dogtag 10.3.3-5, tomcatjss, and jss builds:


 * 
https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

   [group_pki-10.3.3]
   name=Copr repo for 10.3.3 owned by @pki
   
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
   enabled=1
   enabled_metadata=1

-- Matt


Re: [Pki-devel] [Freeipa-devel] Karma Requests for Dogtag 10.3.5-1 and ldapjdk

2016-08-10 Thread Matthew Harmsen

On 08/10/2016 10:59 AM, Ben Lipton wrote:

On 08/10/2016 12:21 PM, Matthew Harmsen wrote:


The following candidate builds of Dogtag 10.3.5 and ldapjdk on 
Fedora 24, 25, and 26 (rawhide) consist of the following:

  * Fedora 24:
    o dogtag-pki-10.3.5-1.fc24
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=789787>
    o dogtag-pki-theme-10.3.5-1.fc24
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=789738>
    o pki-core-10.3.5-1.fc24
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=789739>
    o pki-console-10.3.5-1.fc24
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=789777>
    o ldapjdk-4.18-19.fc24
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790485>
  * Fedora 25:
    o dogtag-pki-10.3.5-1.fc25
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790490>
    o dogtag-pki-theme-10.3.5-1.fc25
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790486>
    o pki-core-10.3.5-1.fc25
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790492>
    o pki-console-10.3.5-1.fc25
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790497>
    o ldapjdk-4.18-19.fc25
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790487>
  * Fedora 26 (rawhide):
    o dogtag-pki-10.3.5-1.fc26
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790491>
    o dogtag-pki-theme-10.3.5-1.fc26
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790488>
    o pki-core-10.3.5-1.fc26
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790496>
    o pki-console-10.3.5-1.fc26
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790520>
    o ldapjdk-4.18-19.fc26
      <http://koji.fedoraproject.org/koji/buildinfo?buildID=790489>

Please provide Karma for the following builds:

  * Fedora 24:
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-059eb8aaee
      dogtag-pki-10.3.5-1.fc24
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9f1baf574f
      dogtag-pki-theme-10.3.5-1.fc24
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
      pki-core-10.3.5-1.fc24
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-dd16599bc7
      pki-console-10.3.5-1.fc24
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-1835df9b39
      ldapjdk-4.18-19.fc24
  * Fedora 25:
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-85261e13c5
      dogtag-pki-10.3.5-1.fc25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f0224b152
      dogtag-pki-theme-10.3.5-1.fc25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a384ead60
      pki-core-10.3.5-1.fc25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-849cbeecb1
      pki-console-10.3.5-1.fc25
    o https://bodhi.fedoraproject.org/updates/FEDORA-2016-3f6bc9b601
      ldapjdk-4.18-19.fc25



On Fedora 24 I am unable to upgrade to these packages without manual 
intervention:

[root@vm freeipa]# dnf update --allowerasing --best
Last metadata expiration check: 2:08:29 ago on Wed Aug 10 16:38:24 2016.
Error: nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
package pki-tools-10.3.5-1.fc24.x86_64 requires pki-base-java = 
10.3.5-1.fc24, but none of the providers can be installed.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch.
nothing provides resteasy-atom-provider >= 3.0.17-1 needed by 
pki-base-java-10.3.5-1.fc24.noarch

[root@vm freeipa]# rpm -q resteasy-atom-provider
resteasy-atom-provider-3.0.6-11.fc24.noarch

Am I doing something wrong, or does the new resteasy need to be added 
back to testing? 
(https://bodhi.fedoraproject.org/updates/FEDORA-2016-d80872c309)


Ben


Ben,

No, the resteasy 3.0.17 builds received bad karma because they were 
utilized with an incompatible pki-core 10.3.3 as used

Re: [Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use

2016-08-05 Thread Matthew Harmsen

On 08/03/2016 10:19 PM, Ade Lee wrote:

ACK

On Wed, 2016-07-27 at 11:32 +1000, Fraser Tweedale wrote:

Hi team,

The attached patch fixes https://fedorahosted.org/pki/ticket/2420.

Thanks,
Fraser



Fraser,

Please check this into the 'master' branch as we are planning to start 
creating new builds on Monday, August 8, 2016.


-- Matt



[Pki-devel] [PATCH] Added python-urllib3 dependency

2016-08-05 Thread Matthew Harmsen

Please review this patch which addresses the following ticket:

 * PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
   <https://fedorahosted.org/pki/ticket/2431>

-- Matt

From b04707631a362581804574edd0641a3fdbc16565 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 5 Aug 2016 14:34:57 -0600
Subject: [PATCH] Added python-urllib3 dependency

* PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
---
 specs/pki-core.spec | 12 
 1 file changed, 12 insertions(+)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index fac7192..c206b27 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -156,6 +156,11 @@ BuildRequires:python3-flake8
 BuildRequires:python-nss
 BuildRequires:python-requests
 BuildRequires:python-six
+%if 0%{?rhel}
+BuildRequires:python-urllib3
+%else
+BuildRequires:python2-urllib3
+%endif
 BuildRequires:libselinux-python
 BuildRequires:policycoreutils-python
 %if 0%{?fedora} >= 23
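Review bot: the `%if 0%{?rhel}` / `%else` choice between `python-urllib3` and `python2-urllib3` in this BuildRequires hunk is repeated verbatim in the `Requires:` hunk for pki-base further down; resolving the package name once (for example in a macro such as `%{python2_urllib3}` near the top of the spec, name assumed) would keep the two places from drifting apart the next time the naming changes. The commit message should also say why urllib3 is needed at build time rather than only at run time; if it is only imported by the Python 2 unit tests or lint run, state that.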
@@ -182,6 +187,7 @@ BuildRequires:  python3-devel
 BuildRequires:  python3-nss
 BuildRequires:  python3-requests
 BuildRequires:  python3-six
+BuildRequires:  python3-urllib3
 %endif  # with_python3
 BuildRequires:  python-devel
 
@@ -338,6 +344,11 @@ Conflicts:freeipa-server < 3.0.0
 Requires: python-nss
 Requires: python-requests >= 1.1.0-3
 Requires: python-six
+%if 0%{?rhel}
+Requires: python-urllib3
+%else
+Requires: python2-urllib3
+%endif
 
 %description -n   pki-base
 The PKI Framework contains the common and client libraries and utilities
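Review bot: the new `Requires: python-urllib3` / `python2-urllib3` lines carry no version floor, unlike the neighbouring `Requires: python-requests >= 1.1.0-3`; if the client code relies on a urllib3 API introduced in a particular release, add a matching `>=` constraint, and otherwise a short remark in the commit message that any packaged version is acceptable would head off the question later.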
@@ -424,6 +435,7 @@ Requires: pki-base = %{version}-%{release}
 Requires: python3-nss
 Requires: python3-requests
 Requires: python3-six
+Requires: python3-urllib3
 
 %description -n   pki-base-python3
 This package contains PKI client library for Python 3.
-- 
1.8.3.1


[Pki-devel] [PATCH] pki-tools man pages

2016-07-22 Thread Matthew Harmsen

Please review the following patch which includes a batch of man pages for:

 * PKI TRAC Ticket #690 - [MAN] pki-tools man pages
   <https://fedorahosted.org/pki/ticket/690>

which includes new man pages for the following:

 * AtoB
 * BtoA
 * KRATool
 * PrettyPrintCert
 * PrettyPrintCrl

I have also included the patch for the spec file which adds a 
compatibility symlink from DRMTool.1.gz -> KRATool.1.gz, and packaging 
for the AuditVerify.1.gz tool.


-- Matt

P. S. - I am currently at work on the man pages for the various CMC tools.

From 8b91b1531812c9ecbd25ac54c97edb2e29b4f12c Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 22 Jul 2016 20:43:48 -0600
Subject: [PATCH] pki-tools man pages

* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
  - AtoB,
  - BtoA,
  - KRATool,
  - PrettyPrintCert, and
  - PrettyPrintCrl
---
 base/java-tools/man/man1/AtoB.1|  56 
 base/java-tools/man/man1/BtoA.1|  56 
 base/java-tools/man/man1/KRATool.1 | 459 +
 base/java-tools/man/man1/PrettyPrintCert.1 | 204 +
 base/java-tools/man/man1/PrettyPrintCrl.1  | 141 +
 5 files changed, 916 insertions(+)
 create mode 100644 base/java-tools/man/man1/AtoB.1
 create mode 100644 base/java-tools/man/man1/BtoA.1
 create mode 100644 base/java-tools/man/man1/KRATool.1
 create mode 100644 base/java-tools/man/man1/PrettyPrintCert.1
 create mode 100644 base/java-tools/man/man1/PrettyPrintCrl.1

diff --git a/base/java-tools/man/man1/AtoB.1 b/base/java-tools/man/man1/AtoB.1
new file mode 100644
index 000..6b7d6f0
--- /dev/null
+++ b/base/java-tools/man/man1/AtoB.1
@@ -0,0 +1,56 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH AtoB 1 "July 20, 2016" "version 10.3" "PKI ASCII to Binary Conversion Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nhdisable hyphenation
+.\" .hyenable hyphenation
+.\" .ad l  left justify
+.\" .ad b  justify to both left and right margins
+.\" .nfdisable filling
+.\" .fienable filling
+.\" .brinsert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+AtoB  \- Convert ASCII base-64 encoded data to binary base-64 encoded data.
+
+.SH SYNOPSIS
+.PP
+\fBAtoB  \fP
+
+.SH DESCRIPTION
+.PP
+The \fBAtoB\fP command provides a command-line utility used to convert ASCII base-64 encoded data to binary base-64 encoded data.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.TP
+.B 
+Specifies the path and file to the base-64 encoded ASCII data.
+
+.TP
+.B 
+Specifies the path and file where the utility should write the binary output.
+
+.SH EXAMPLES
+.PP
+This example command takes the base-64 ASCII data in the \fBascii_data.pem\fP file and writes the binary equivalent of the data to the \fBbinary_data.der\fP file:
+.IP
+.nf
+AtoB ascii_data.pem binary_data.der
+.if
+
+.SH AUTHORS
+Matthew Harmsen <mharm...@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR BtoA(1), pki(1)
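Review bot: the `.if` on the line after `AtoB ascii_data.pem binary_data.der` should be `.fi`: `.nf` turns filling off and `.fi` turns it back on, whereas `.if` is the roff conditional request and will consume the rest of its line, so the EXAMPLES block is never closed properly. On the `.SH SEE ALSO` line, `.BR BtoA(1), pki(1)` sets "BtoA(1)," in bold and "pki(1)" in roman; the usual form is `.BR BtoA (1),` followed by `.BR pki (1)` so that only the command names are bold.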
diff --git a/base/java-tools/man/man1/BtoA.1 b/base/java-tools/man/man1/BtoA.1
new file mode 100644
index 000..0d1ad1f
--- /dev/null
+++ b/base/java-tools/man/man1/BtoA.1
@@ -0,0 +1,56 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH BtoA 1 "July 20, 2016" "version 10.3" "PKI Binary to ASCII Conversion Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nhdisable hyphenation
+.\" .hyenable hyphenation
+.\" .ad l  left justify
+.\" .ad b  justify to both left and right margins
+.\" .nfdisable filling
+.\" .fienable filling
+.\" .brinsert line break
+.\" .sp insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+BtoA  \- Convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH SYNOPSIS
+.PP
+\fBBtoA  \fP
+
+.SH DESCRIPTION
+.PP
+The \fBBtoA\fP command provides a command-line utility used to convert binary base-64 encoded data to ASCII base-64 encoded data.
+
+.SH OPTIONS
+.PP
+The following parameters are mandatory:
+.TP
+.B 
+Specifies the path and file to the base-64 encoded binary data.
+
+.TP
+.
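Review bot: the NAME and DESCRIPTION lines say "Convert binary base-64 encoded data to ASCII base-64 encoded data", which is self-contradictory since base-64 is itself the ASCII text encoding; the input is the raw binary (for example DER-encoded certificate) data, so wording along the lines of "Convert binary (DER) data to ASCII base-64 encoded data" would be clearer, and the AtoB page above has the mirror-image problem.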

Re: [Pki-devel] [PATCH 0010] Added instance and subsystem validation for pki-server subsystem-* commands.

2016-07-06 Thread Matthew Harmsen

On 07/06/2016 09:30 AM, Endi Sukma Dewata wrote:

On 7/2/2016 12:48 AM, Abhijeet Kasurde wrote:

Hi All,

Please review the patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295


Thanks! Pushed to master under this ticket:
https://fedorahosted.org/pki/ticket/2399


Abhijeet,

Since we are now on the 10.3.5 milestone, please begin referencing the 
following bug:


 * Bugzilla Bug #1353245 - Dogtag 10.3.5: Miscellaneous Enhancements

This was cloned from PKI TRAC Ticket #2399 - Dogtag 10.3.5: 
Miscellaneous Enhancements, which Endi correctly identified; I have 
added the check-in hash to both the bug and the ticket.


Thanks,
-- Matt


[Pki-devel] Karma Request for Dogtag 10.3.3-3 on Fedora 24

2016-07-05 Thread Matthew Harmsen
The following candidate build of Dogtag 10.3.3-3 for Fedora 24 consists 
of the following:


 * pki-core-10.3.3-3.fc24

Please provide Karma for this build in Bodhi located at:

 * https://bodhi.fedoraproject.org/updates/FEDORA-2016-af639eaba8
   pki-core-10.3.3-3.fc24

Additionally, the following build has been provided for Fedora 25 (rawhide):

 * pki-core-10.3.3-3.fc25

Thanks,
-- Matt


[Pki-devel] [Patch] Add HSM information

2016-07-01 Thread Matthew Harmsen

Please review the attached patch which addresses the following ticket:

 * PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to
   'pki_default.cfg' & 'pkispawn' man pages
   <https://fedorahosted.org/pki/ticket/1405>

This ticket adds text to the pki_default.cfg.5 and pkispawn.8 man pages 
to more adequately describe the use of hardware security modules (HSM) 
with PKI subsystems.

From 4d7daa7ba5116ceb19c1df71ce749c3db7944f49 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 1 Jul 2016 14:45:57 -0600
Subject: [PATCH] Add HSM information

- PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' &
  'pkispawn' man pages
---
 base/server/man/man5/pki_default.cfg.5 |   8 +-
 base/server/man/man8/pkispawn.8| 173 +
 2 files changed, 180 insertions(+), 1 deletion(-)

diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index 550e2aa..aaf7b53 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -184,7 +184,10 @@ Location for the PKCS #12 file containing the administrative user's certificate
 .B pki_backup_keys, pki_backup_password
 .IP
 Set to True to back up the subsystem certificates and keys to a PKCS #12 file.  This file will be located in \fI/var/lib/pki//alias\fP.  pki_backup_password is the password of the PKCS#12 file.
-  
+.TP
+\fBImportant:\fP
+Since HSM keys are stored in the HSM (hardware), they cannot be backed up to a PKCS #12 file (software).  Therefore, if \fBpki_hsm_enable\fP is set to True, \fBpki_backup_keys\fP should be set to False and \fBpki_backup_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
+
 .SS CLIENT DIRECTORY PARAMETERS
 .TP
 .B pki_client_dir
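Review bot: "Failure to do so will result in pkispawn reporting this error and exiting" leaves "this error" undefined, because no message has been named at that point; quote the text pkispawn actually prints (or describe the condition it reports) so an administrator can match it against the log. A style point: `.TP` opens a tagged paragraph whose tag is normally the parameter name set with `.B`, so using it for an `\fBImportant:\fP` label inside the pki_backup_keys entry changes the layout of that entry; `.IP` or `.PP` is probably the better fit for a note.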
@@ -295,6 +298,9 @@ Installs a clone, rather than original, subsystem.
 .IP
 Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned.  This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct selinux context (pki_tomcat_cert_t).  This can be achieved by placing the file in \fI/var/lib/pki//alias\fP.
 .TP
+\fBImportant:\fP
+Since HSM keys are stored in the HSM (hardware), they cannot be copied to a PKCS #12 file (software).  For the case of clones using an HSM, this means that the HSM keys must be shared between the master and its clones.  Therefore, if \fBpki_hsm_enable\fP is set to True, both \fBpki_clone_pkcs12_path\fP and \fBpki_clone_pkcs12_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
+.TP
 .B pki_clone_setup_replication
 .IP
 Defaults to True.  If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration.  In this case, it is expected that the top level suffix already exists, and that the data has already been replicated.  This option is useful if you want to use other tools to create and manage your replication topology, or if the baseDN is already replicated as part of a top-level suffix.
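Review bot: the same undefined "this error" appears here as in the pki_backup_keys note above. The sentence "the HSM keys must be shared between the master and its clones" would be more useful with a hint of what sharing means for the administrator (for instance whether the clone host must be able to reach the same token), since as written the paragraph only tells the reader which parameters to leave unset.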
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 3ad6fdb..3678cff 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -756,6 +756,179 @@ conn.tks1.tksSharedSymKeyName=sharedSecret
 .PP
 Finally, restart the TPS instance.
 
+.SS Installing a CA, KRA, OCSP, TKS, or TPS using a Hardware Security Module (HSM)
+.BR
+.PP
+This section provides sample \fBmyconfig.txt\fP files when an HSM is being utilized in a shared PKI instance.
+
+.PP
+For this example, assume that a new CA instance has been installed by
+executing the following command:
+.IP
+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fISecret123\fP
+pki_client_pkcs12_password=\fISecret123\fP
+pki_ds_password=\fISecret123\fP
+# Optionally keep client databases
+pki_client_database_purge=False
+# Provide HSM parameters
+pki_hsm_enable=True
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=
+pki_token_password=
+# Provide PKI-specific HSM token names
+pki_audit_signing_token=
+pki_ssl_server_token=
+pki_subsystem_token=
+[CA]
+# Provide CA-specific HSM token names
+pki_ca_signing_token=
+pki_ocsp_signing_token=
+.if
+
+.PP
+To install a shared KRA in the same instance used by the CA execute
+the following command:
+.IP
+\x'-1'\fBpkispawn \-s KRA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fISecret123\fP
+pki_client_database_password=\fISecret123\fP
+pki_client_pkcs12_password=\fISecret123\fP
+pki_ds_pass
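Review bot: the `.if` that closes the first `.nf` sample block (the line after `pki_ocsp_signing_token=`) should be `.fi`; as `.if` it is parsed as a conditional request and filling is never turned back on, so check the remaining sample blocks in this section for the same typo. Since the sample `myconfig.txt` now carries `pki_token_password=` for the HSM alongside the admin and DS passwords, the section could also remind readers to keep the file readable only by root and to remove it once pkispawn has finished, because that password unlocks the hardware-held keys.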

Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

2016-06-30 Thread Matthew Harmsen

On 06/24/2016 06:23 PM, John Magne wrote:

Generting Symmetric key fails with key-generate when --usages verify is passed
 
 Ticket #1114
 
 Minor adjustment to the man page for the key management commands to say

 which usages are appropriate for sym keys and those appropriate for asym 
keys.
 




ACK

[Pki-devel] [PATCH] Normalize default softokn name

2016-06-24 Thread Matthew Harmsen

Please review the attached patch which addresses the following ticket:

 * PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider
   normalizing it to "internal" <https://fedorahosted.org/pki/ticket/2311>

A brief smoke test of this patch worked successfully.

From 709f1867316a21040acadcbe427de554e6b4de29 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@pki.usersys.redhat.com>
Date: Fri, 24 Jun 2016 14:39:59 -0600
Subject: [PATCH] Normalize default softokn name

- PKI TRAC Ticket #2311 - When pki_token_name=Internal,
  consider normalizing it to "internal"
---
 base/server/python/pki/server/deployment/pkiparser.py | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index b1fc213..dc5d7f6 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1181,6 +1181,11 @@ class PKIConfigParser:
 # self.mdict['pki_clone_pkcs12_path']
 # self.mdict['pki_clone_uri']
 # self.mdict['pki_security_domain_https_port']
+#
+# The following variables are established via the specified PKI
+# deployment configuration file and potentially "normalized"
+# below:
+#
 # self.mdict['pki_token_name']
 #
 # The following variables are established via the specified PKI
@@ -1191,6 +1196,11 @@ class PKIConfigParser:
 # self.mdict['pki_issuing_ca']
 #
 
+# if the case insensitive softokn name is the 'default' value
+if (self.mdict['pki_token_name'].lower() == "internal"):
+# always normalize 'default' softokn name
+self.mdict['pki_token_name'] = "internal"
+
 # if security domain user is not defined
 if not len(self.mdict['pki_security_domain_user']):
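Review bot: the parentheses around the condition in `if (self.mdict['pki_token_name'].lower() == "internal"):` are redundant in Python and the neighbouring `if not len(self.mdict['pki_security_domain_user']):` does without them, so drop them for consistency. The comment "if the case insensitive softokn name is the 'default' value" could state plainly what the code does, namely fold any case variant of "internal" to the lowercase form.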
 
-- 
2.5.5


[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-06-22 Thread Matthew Harmsen

An updated external EPEL CentOS 7 COPR repo is now available which contains 
Dogtag 10.3.3 builds:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

   [group_pki-10.3.3]
   name=Copr repo for 10.3.3 owned by @pki
   
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
   enabled=1
   enabled_metadata=1

-- Matt



[Pki-devel] Karma Request for Dogtag 10.3.3 on Fedora 24

2016-06-21 Thread Matthew Harmsen
The following candidate builds of Dogtag 10.3.3 for Fedora 24 consist of 
the following:


 * dogtag-pki-10.3.3-1.fc24
 * dogtag-pki-theme-10.3.3-1.fc24
 * pki-core-10.3.3-1.fc24
 * pki-console-10.3.3-1.fc24

Please provide Karma for these builds in Bodhi located at:

 * dogtag-pki-10.3.3-1.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-f79d05d2c4>
 * dogtag-pki-theme-10.3.3-1.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-a4e6c2b81f>
 * pki-core-10.3.3-1.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-bc6bc7b4dc>
 * pki-console-10.3.3-1.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c3e450b6b>

Additionally, the following builds have been provided for Fedora 25 
(rawhide):


 * dogtag-pki-10.3.3-1.fc25
 * dogtag-pki-theme-10.3.3-1.fc25

Unfortunately, Dogtag 10.3.3 is currently broken on Fedora 24 (rawhide) 
due to the following issue:


 * PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks pki-core

which prohibits building:

 * pki-core-10.3.3-1.fc25
 * pki-console-10.3.3-1.fc25 (which depends on
   pki-java-base-10.3.3-1.fc25 that is a part of the
   pki-core-10.3.3-1.fc25 package)

Thanks,
-- Matt


Re: [Pki-devel] Karma Request for Dogtag 10.3.2 on Fedora 24

2016-06-14 Thread Matthew Harmsen

On 06/13/2016 09:43 AM, Matthew Harmsen wrote:

Everyone,

Please, note the updated builds of pki-core.


Sorry, more updated builds.



Thanks,
-- Matt

On 06/10/2016 11:39 AM, Matthew Harmsen wrote:
The following candidate builds of Dogtag 10.3.2 for Fedora 24 consist 
of the following:


  * dogtag-pki-theme-10.3.2-2.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771454>
  * dogtag-pki-10.3.2-1.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771116>
 * dogtag-pki-10.3.2-2.fc24
   <http://koji.fedoraproject.org/koji/buildinfo?buildID=772927>
  * pki-core-10.3.2-3.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771456>
  * pki-core-10.3.2-4.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=772363>
  * pki-console-10.3.2-2.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771458>
 * pki-console-10.3.2-3.fc24
   <http://koji.fedoraproject.org/koji/buildinfo?buildID=772929>



Please provide Karma for these builds in Bodhi located at:

  * dogtag-pki-theme-10.3.2-2.fc24
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-f6fe5ce83d>
  * dogtag-pki-10.3.2-1.fc24
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-2780618f1b>
 * dogtag-pki-10.3.2-2.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-ab742018e2>
  * pki-core-10.3.2-3.fc24
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-c249f3f963>
  * pki-core-10.3.2-4.fc24
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-e8c5c05281>
  * pki-console-10.3.2-2.fc24
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-105239136d>
 * pki-console-10.3.2-3.fc24
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca03a77311>


Additionally, the following builds have been provided for Fedora 25 
(rawhide):


  * dogtag-pki-theme-10.3.2-2.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771455>
  * dogtag-pki-10.3.2-1.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771120>
 * dogtag-pki-10.3.2-2.fc25
   <http://koji.fedoraproject.org/koji/buildinfo?buildID=772928>
  * pki-core-10.3.2-3.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771478>
  * pki-core-10.3.2-4.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=772364>
  * pki-console-10.3.2-2.fc25
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=771463>
 * pki-console-10.3.2-3.fc25
   <http://koji.fedoraproject.org/koji/buildinfo?buildID=772930>



Thanks,
-- Matt






Re: [Pki-devel] [pki-devel][PATCH] 0070-Fix-coverity-warnings-for-tkstool.patch

2016-06-14 Thread Matthew Harmsen

On 06/06/2016 05:39 PM, John Magne wrote:

Fix attached.



ACK

Personally, I always prefer the use of enclosing braces "{ . . . }" 
after a conditional even when it only has one line.

[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-05-17 Thread Matthew Harmsen

An updated external EPEL CentOS 7 COPR repo is now available which 
contains Dogtag 10.3.1 builds:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.1/repo/epel-7/group_pki-10.3.1-epel-7.repo

   [group_pki-10.3.1]
   name=Copr repo for 10.3.1 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.1/pubkey.gpg
   enabled=1
   enabled_metadata=1

-- Matt


[Pki-devel] Karma Request for Dogtag 10.3.1 on Fedora 24

2016-05-17 Thread Matthew Harmsen
The following candidate builds of Dogtag 10.3.1 for Fedora 24 (final) 
consist of the following:


 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Please provide Karma for these builds in Bodhi located at:

 * dogtag-pki-theme-10.3.1-1.fc24
 * dogtag-pki-10.3.1-1.fc24
 * pki-core-10.3.1-1.fc24
 * pki-console-10.3.1-1.fc24

Additionally, the following builds have been provided for Fedora 25 
(rawhide):


 * dogtag-pki-theme-10.3.1-1.fc25
 * dogtag-pki-10.3.1-1.fc25
 * pki-core-10.3.1-1.fc25
 * pki-console-10.3.1-1.fc25

Thanks,
-- Matt


[Pki-devel] [PATCH] Detect inability to submit ECC CSR on Chrome

2016-05-13 Thread Matthew Harmsen

Please review this "detection" patch for the following ticket:

 * PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert
   Requests <https://fedorahosted.org/pki/ticket/2306>

The ticket will not be closed, but simply moved to a later milestone.

-- Matt

From 6a8e4cd874c54e5e2aa9bf36622bca8a575c203e Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 13 May 2016 16:41:16 -0600
Subject: [PATCH] Detect inability to submit ECC CSR on Chrome

- PKI TRAC Ticket #2306 - Chrome Can Not Submit EC Client Cert Requests
---
 base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
index 18a0b21..a683867 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
@@ -147,6 +147,11 @@ function getKeyGenDisabledWarning() {
  document.write('');
 }
 
+function getChromeECCSupportWarning() {
+ document.write('  Warning: Currently, this profile is unable to successfully construct an ECC certificate request on Chrome.At this time, please use Firefox to generate ECC certificate requests. ');
+ document.write('');
+}
+
 function getKeyStrengthTableForKeyGen() {
 
   document.writeln("  KeyGen Key Strength InfoKey Type   High Grade   Medium Grade  ");
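Review bot: the warning string in `getChromeECCSupportWarning()` runs two sentences together (`on Chrome.At this time`); add the missing space. The function mirrors `getKeyGenDisabledWarning()` directly above it, so keep its markup identical so both warnings render the same way, and since it goes out through `document.write`, keep the text a constant as it is here rather than interpolating anything taken from the request.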
@@ -871,6 +876,12 @@ for (var m = 0; m < inputPluginListSet.length; m++) {
   getKeyGenDisabledWarning();
 }
 
+if (browserName == "Chrome") {
+  // PKI TRAC Ticket #2306 - Chrome Can Not Submit EC
+  // Client Cert Requests
+  getChromeECCSupportWarning();
+}
+
 getKeyStrengthTableForKeyGen();
 
 var keyTypesOptions = getKeyTypesOptionsForKeyGen();
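Review bot: the hunk header shows this block landing after `for (var m = 0; m < inputPluginListSet.length; m++) {`; if the new `if (browserName == "Chrome")` sits inside that loop, the warning is written once per input plugin, so hoist it next to the one-time `getKeyGenDisabledWarning()` call if that is not intended. `browserName` is derived from a `Chrome` substring of `navigator.userAgent` (the detection block in the keygen patch elsewhere in this thread), so any browser advertising `Chrome` in its user agent receives the warning; acceptable for an advisory message, but worth stating in the comment.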
-- 
1.8.3.1


[Pki-devel] [PATCH] Added Chrome keygen warning

2016-05-12 Thread Matthew Harmsen
While testing Chrome, we discovered that (a) keygen would soon not be 
supported:

 * https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/pX5NbX0Xack

(b) although keygen is still supported, it has been disabled by default 
with a workaround provided to re-enable it:

 * https://support.quovadisglobal.com/kb/a470/deprecation-of-keygen-tag-in-chrome-chromium-browsers.aspx

Please review the attached patch which supplies a warning message and 
instructions on how to re-enable keygen on Chrome browsers that support this:

 * PKI TRAC #2323 - Firefox Warning appears in EE page launched from
   within Chrome <https://fedorahosted.org/pki/ticket/2323>

Additionally, an attempt was made to identify the case when KeyGen would 
not be available on Firefox and Chrome.


-- Matt

From 6d4d411c517be7a70015da1665906716aa3bdb84 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Thu, 12 May 2016 16:14:17 -0600
Subject: [PATCH] Added Chrome keygen warning

- PKI TRAC Ticket #2323 - Firefox Warning appears in EE page launched from
  within Chrome
---
 .../shared/webapps/ca/ee/ca/ProfileSelect.template | 110 -
 1 file changed, 107 insertions(+), 3 deletions(-)

diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
index 01b94ab..268db08 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
@@ -47,6 +47,61 @@ var key = new Object();
 key.type = "EC";
 keyList[1] = key;
 
+// Obtain browser name and version information
+// (credit: 'http://www.javascripter.net/faq/browsern.htm')
+var nAgt = navigator.userAgent;
+var browserName  = navigator.appName;
+var fullVersion  = ''+parseFloat(navigator.appVersion);
+var majorVersion = parseInt(navigator.appVersion, 10);
+var nameOffset,verOffset,ix;
+if ((verOffset = nAgt.indexOf("OPR/")) != -1) {
+   browserName = "Opera";
+   fullVersion = nAgt.substring(verOffset + 4);
+} else if ((verOffset = nAgt.indexOf("Opera")) != -1) {
+   browserName = "Opera";
+   fullVersion = nAgt.substring(verOffset + 6);
+   if ((verOffset = nAgt.indexOf("Version")) != -1) {
+  fullVersion = nAgt.substring(verOffset + 8);
+   }
+} else if ((verOffset = nAgt.indexOf("MSIE")) != -1) {
+   browserName = "Microsoft Internet Explorer";
+   fullVersion = nAgt.substring(verOffset + 5);
+} else if ((verOffset = nAgt.indexOf("Chrome")) != -1) {
+   browserName = "Chrome";
+   fullVersion = nAgt.substring(verOffset + 7);
+} else if ((verOffset = nAgt.indexOf("Safari")) != -1) {
+   browserName = "Safari";
+   fullVersion = nAgt.substring(verOffset + 7);
+   if ((verOffset = nAgt.indexOf("Version")) != -1) {
+  fullVersion = nAgt.substring(verOffset + 8);
+   }
+} else if ((verOffset = nAgt.indexOf("Firefox")) != -1) {
+   browserName = "Firefox";
+   fullVersion = nAgt.substring(verOffset + 8);
+} else if ((nameOffset = nAgt.lastIndexOf(' ') + 1) <
+   (verOffset = nAgt.lastIndexOf('/'))) {
+   browserName = nAgt.substring(nameOffset, verOffset);
+   fullVersion = nAgt.substring(verOffset + 1);
+   if (browserName.toLowerCase() == browserName.toUpperCase()) {
+  browserName = navigator.appName;
+   }
+}
+
+// trim the fullVersion string at semicolon/space if present
+if ((ix = fullVersion.indexOf(";")) != -1) {
+   fullVersion = fullVersion.substring(0, ix);
+}
+if ((ix = fullVersion.indexOf(" ")) != -1) {
+   fullVersion=fullVersion.substring(0, ix);
+}
+
+majorVersion = parseInt(''+fullVersion, 10);
+if (isNaN(majorVersion)) {
+   fullVersion  = ''+parseFloat(navigator.appVersion);
+   majorVersion = parseInt(navigator.appVersion, 10);
+}
+
+
 function isIE() {
if ( "ActiveXObject" in window ) {
  return true;
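Review bot: this block is copied from a third party (the credit points at javascripter.net); confirm the snippet's license is compatible with the project and record it beside the credit before merging. It also introduces `nAgt`, `browserName`, `fullVersion`, `majorVersion`, `nameOffset`, `verOffset` and `ix` as page-level globals; wrapping the detection in a function that returns the name and version keeps them out of the global scope shared with every other script on the EE page.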
@@ -62,12 +117,37 @@ function isIE() {
return false;
  }
 
+function isKeyGenSupported() {
+   // var keygen = document.createElement("KEYGEN");
+   var keygen = document.createElement("KEYGEN");
+   if ((typeof(keygen) == "object") &&
+   (typeof(keygen.name) == "undefined")) {
+   // Firefox
+   return true;
+   } else if ((typeof(keygen) == "object") &&
+  (typeof(keygen.name) == "string")) {
+   // Chrome
+   return true;
+   }
+   return false;
+}
+
 function getIE11Warning() {
  document.write('  Warning: Internet Explore Version 11 is not currently supported for certain enrollment operations. Please use an earlier version of the browser.   ');
  document.write('');
 }
 
 
+function getNoKeyGenWarning() {
+ document.write('  Warning: This version of ' + browserName + ' no longer supports the keygen tag used to facilitate
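Review bot: `isKeyGenSupported()` can never return `false` in practice: `document.createElement("KEYGEN")` returns an object in every browser, and both branches that test `typeof(keygen) == "object"` return `true` (the `name` check only tells Firefox from Chrome), so a browser that has removed `<keygen>` is still reported as supporting it. Either find a property that only a real keygen element exposes, or state in the function's comment that it currently cannot detect the unsupported case. Also drop the duplicated, commented-out `var keygen` line.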

Re: [Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.

2016-05-11 Thread Matthew Harmsen

On 05/11/2016 02:01 PM, Endi Sukma Dewata wrote:

Previously, in external CA case if pkispawn was executed with
pki_skip_configuration=True, it would stop the execution before
the step 1 was fully completed (i.e. generating CSR), but it would
incorrectly show a message indicating the CSR has been generated.

The code that displays the installation summary has been fixed to
check for pki_skip_configuration first before checking for external
CA case to ensure that it displays the appropriate message for each
step.

The code that generates the Tomcat instance systemd service link
was moved into instance_layout.py to avoid redundant executions.

The pkispawn and pkidestroy have also been modified to remove
redundant log of deployment parameters in master dictionary.




ACK

Re: [Pki-devel] [PATCH] 730 Fixed duplicate executions of finalization scriptlet.

2016-04-29 Thread Matthew Harmsen

On 04/29/2016 10:32 AM, Endi Sukma Dewata wrote:

On 4/29/2016 11:12 AM, Endi Sukma Dewata wrote:

Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.

Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.

For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.


New patch attached fixing a pylint issue.




ACK

[Pki-devel] [PATCH] Incorrect clone installation summary

2016-04-27 Thread Matthew Harmsen

Please review the attached patch which addresses:

 * PKI TRAC Ticket #856 - Incorrect clone installation summary
   <https://fedorahosted.org/pki/ticket/856>

The patch was tested by installing a 'pki-tomcat' CA master:

   ==
INSTALLATION SUMMARY
   ==

  Administrator's username: caadmin
  Administrator's PKCS #12 file:
/root/.dogtag/pki-tomcat/ca_admin_cert.p12
  Administrator's certificate database:
/root/.dogtag/pki-tomcat/ca/alias

  To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat.service

  To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat.service

  The URL for the subsystem is:
https://pki.example.com:8443/ca

  PKI instances will be enabled upon system boot

   ==

and a 'pki-tomcat-ca-clone' CA clone on the same machine 
('pki.example.com'):


   ==
INSTALLATION SUMMARY
   ==

  Administrator's username: caadmin

  This CA subsystem of the 'pki-tomcat-ca-clone' instance
  is a clone.

  To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat-ca-clone.service

  To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat-ca-clone.service

  The URL for the subsystem is:
https://pki.example.com:17443/ca

  PKI instances will be enabled upon system boot

   ==

From a1cea7368bb4232092adce1f31b25fcbd55de6de Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@pki.usersys.redhat.com>
Date: Wed, 27 Apr 2016 15:26:36 -0600
Subject: [PATCH] Fixed incorrect clone installation summary

- PKI TRAC Ticket #856 - Incorrect clone installation summary
---
 base/server/sbin/pkispawn | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index caa5e9b..594d783 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -704,8 +704,14 @@ def print_install_information(mdict):
 print()
 print("  Administrator's certificate nickname:\n%s"
   % mdict['pki_admin_nickname'])
+if not config.str2bool(mdict['pki_clone']):
 print("  Administrator's certificate database:\n%s"
   % mdict['pki_client_database_dir'])
+else:
+print()
+print("  This %s subsystem of the '%s' instance\n"
+  "  is a clone." %
+  (config.pki_subsystem, mdict['pki_instance_name']))
 print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
 print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
 if (((config.pki_subsystem == "KRA" or
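Review bot: the `else:` branch emits an extra `print()` before the clone message, while the non-clone branch prints the database path directly after the nickname line, so the two summaries are spaced differently; drop the `print()` unless the blank line is intended. The clone message itself reads well and carries both the subsystem type and the instance name, which is what an operator needs to tell the clone apart from its master on the same host.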
-- 
2.5.5


[Pki-devel] Removed pkidaemon support of apache instances

2016-04-26 Thread Matthew Harmsen

Please review the attached patch which addresses:

 * PKI TRAC Ticket #2248 - support only tomcat instances
   <https://fedorahosted.org/pki/ticket/2248>

The ability to start, stop, and restart instances was tested using 
systemctl on Fedora 23.


Additionally, the scenario described in the revised man page was tested 
to show that pkidaemon works as advertised.


From 0848658bd60df4d64302f30fa0a1a15fe11c5282 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@pki.usersys.redhat.com>
Date: Tue, 26 Apr 2016 16:43:15 -0600
Subject: [PATCH] Removed pkidaemon support of apache instances

- PKI TRAC Ticket #2248 - support only tomcat instances
---
 base/server/man/man1/pkidaemon.1   |  26 +-
 base/server/scripts/operations | 272 -
 base/server/scripts/pkidaemon  |  12 +-
 .../systemd/system/pki-tomcatd-nuxwdog@.service|   2 +-
 .../share/lib/systemd/system/pki-tomcatd@.service  |   2 +-
 5 files changed, 59 insertions(+), 255 deletions(-)

diff --git a/base/server/man/man1/pkidaemon.1 b/base/server/man/man1/pkidaemon.1
index 35c04e5..d195f36 100644
--- a/base/server/man/man1/pkidaemon.1
+++ b/base/server/man/man1/pkidaemon.1
@@ -19,7 +19,7 @@
 
 .SH SYNOPSIS
 .nf
-\fBpkidaemon {start|status} instance-type [instance-name]\fR
+\fBpkidaemon {start|status} [instance-name]\fR
 .fi
 .TP
 \fBNote:\fP Although this tool currently resides in the \fB/usr/bin\fP directory, proper use of it requires it to be run with super user privileges.
@@ -29,8 +29,6 @@
 The \fBpkidaemon\fR command with the 'status' argument provides a way to display the status of all existing PKI instances on a machine.  Optionally, an individual PKI instance may be specified by using an optional \fB[instance-name]\fP.
 .PP
 The \fBpkidaemon\fR 'start' argument is currently only used internally by the systemctl scripts.
-.PP
-Currently, although the \fBpkidaemon\fR 'instance-type' argument states that it can be either \fBapache\fP or \fBtomcat\fP, only the \fBtomcat\fP argument will yield useful details.
 
 .SH OPTIONS
 As stated above, the only optional argument to \fBpkidaemon\fR is \fB[instance-name]\fP.  If a valid instance name is specified, only the status of that instance will be displayed.
@@ -44,7 +42,7 @@ For the OCSP 'Unsecure URL' and the OCSP 'Secure EE URL' which both specify a st
 .SS Listing the status of all local PKI instances on this machine:
 .BR
 .PP
-\fB# pkidaemon status tomcat\fR
+\fB# pkidaemon status\fR
 
 REPORT STATUS OF 'tomcat' INSTANCE(S):
 
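Review bot: the example is changed to `pkidaemon status` without an instance type, but the transcript that follows still begins `REPORT STATUS OF 'tomcat' INSTANCE(S):`; since `base/server/scripts/operations` is also modified by this patch (not shown in this excerpt), confirm the heading it prints still matches, or update the sample output to what the script now emits.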
@@ -58,7 +56,7 @@ Status for pki-tomcat: pki-tomcat is running ..
 PKI Console Command = pkiconsole https://pki.example.com:8443/ca
 Tomcat Port = 8005 (for shutdown)
 
-[DRM Status Definitions]
+[KRA Status Definitions]
 Secure Agent URL= https://pki.example.com:8443/kra/agent/kra
 Secure Admin URL= https://pki.example.com:8443/kra/services
 PKI Console Command = pkiconsole https://pki.example.com:8443/kra
@@ -81,9 +79,9 @@ Status for pki-tomcat: pki-tomcat is running ..
 [TPS Status Definitions]
 Unsecure URL= http://pki.example.com:8080/tps
 Secure URL  = https://pki.example.com:8443/tps
-Tomcat Port = 8005 (for shutdown)
 Unsecure PHONE HOME = http://pki.example.com:8080/tps/phoneHome
 Secure PHONE HOME   = https://pki.example.com:8443/tps/phoneHome
+Tomcat Port = 8005 (for shutdown)
 
 [CA Configuration Definitions]
 PKI Instance Name:   pki-tomcat
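Review bot: this hunk only moves `Tomcat Port = 8005 (for shutdown)` below the two PHONE HOME lines in the TPS block; the man page presents this as a transcript, so the new order should match what the `operations` script actually prints for a TPS instance, otherwise the doc change is cosmetic and misleading.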
@@ -96,10 +94,10 @@ Status for pki-tomcat: pki-tomcat is running ..
 URL:   https://pki.example.com:8443
 
 
-[DRM Configuration Definitions]
+[KRA Configuration Definitions]
 PKI Instance Name:   pki-tomcat
 
-PKI Subsystem Type:  DRM
+PKI Subsystem Type:  KRA
 
 Registered PKI Security Domain Information:
 
@@ -166,7 +164,7 @@ FINISHED REPORTING STATUS OF 'tomcat' INSTANCE(S).
 .SS Listing the status of the PKI instance named 'pki-tomcat':
 .BR
 .PP
-\fB# pkidaemon status tomcat pki-tomcat\fR
+\fB# pkidaemon status pki-tomcat\fR
 
 Status for pki-tomcat: pki-tomcat is running ..
 
@@ -178,7 +176,7 @@ Status for pki-tomcat: pki-tomcat is running ..
 PKI Console Command = pkiconsole https://pki.example.com:8443/ca
 Tomcat Port = 8005 (for shutdown)
 
-[DRM Status Definitions]
+[KRA Status Definitions]
 Secure Agent URL= https://pki.example.com:8443/kra/agent/kra
 Secure Admin URL= https://pki.example.com:8443/kra/services
 PKI Console Command = pkiconsole https://pki.example.com:8443/kra
@@ -201,9 +199,9 @@ Status for pki-tomcat: pki-tomcat is running ..
 [TPS Status Definitions]
 Unsecure URL= http://pki.example.com:8080/tps
 Secure URL  = https://pki.example.com:8443/tps
-   

Re: [Pki-devel] Trac; add "Lightweight CAs" feature?

2016-04-21 Thread Matthew Harmsen

On 04/20/2016 10:54 PM, Fraser Tweedale wrote:

Hi all,

Could someone with the relevant permissions please add a
"Lightweight CAs" feature to the pki trac?  There's a substantial
quantity of outstanding tickets for this feature so it would be good
to have something more formal than the summary by which to group
them.

Thanks,
Fraser

Done.



[Pki-devel] Karma request for Dogtag 10.2.6 on Fedora 23

2016-04-08 Thread Matthew Harmsen

The following five tickets have been addressed in Fedora 23:

 * PKI TRAC Ticket #2022 - pkispawn ignores 3rd party CA certs in
   pki_clone_pkcs12_path
 * PKI TRAC Ticket #2253 - Some password/pin fields have no '%' escape
 * PKI TRAC Ticket #2252 - ipa-kra-install fails when using pki-kra
   10.2.x
 * PKI TRAC Ticket #2257 - PKCS #12 backup does not contain trust
   attributes.
 * PKI TRAC Ticket #2216 - Python 3: unorderable types: PKISubsystem()

by the following build:

 * pki-core-10.2.6-18.fc23

Please provide Karma for this build in Bodhi located at:

 * pki-core-10.2.6-18.fc23

Thanks,
-- Matt


[Pki-devel] Karma Request for Dogtag 10.2.6 in Fedora 22 and Fedora 23

2016-03-19 Thread Matthew Harmsen

Everyone,

New builds have been created to address the following issues on Fedora 22:

 * Bugzilla Bug #1245786 - Build failure on F23 (backported to F22 to
   coincide with Tomcat version change to 7.0.68)

and Fedora 23:

 * Modify dnsdomainname test in pkispawn
 * Fix to allow building pki-core against Tomcat 8.0.32

Please provide Karma for the following Dogtag 10.2.6 packages in Fedora 
22 (note that the tomcat package should be applied for a successful test):


 * tomcat-7.0.68-3.fc22
 * tomcatjss-7.1.2-2.fc22
 * pki-core-10.2.6-12.fc22

and Fedora 23 (note that the tomcat package should be applied for a 
successful test):


 * tomcat-8.0.32-5.fc23
 * pki-core-10.2.6-16.fc23

Thanks,
-- Matt


[Pki-devel] [PATCHES] Updated tomcatjss and pki-core to work with Tomcat 7.0.68 on F22

2016-03-19 Thread Matthew Harmsen

Everyone,

Bodhi contains a proposed Fedora 22 update to Tomcat 7.0.68:

 * tomcat-7.0.68-3.fc22
   <https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6651efbaf>

This required changes to both tomcatjss (attached) and pki-core (attached).

These changes are specific to the Fedora 22 platform only; they have 
only been tested out via a Dogtag CA, not yet on FreeIPA, and require 
all of the following packages to be installed:


 * pki-base-10.2.6-12.fc22.noarch
 * pki-ca-10.2.6-12.fc22.noarch
 * pki-server-10.2.6-12.fc22.noarch
 * pki-tools-10.2.6-12.fc22.x86_64
 * tomcat-jsp-2.2-api-7.0.68-3.fc22.noarch
 * tomcat-servlet-3.0-api-7.0.68-3.fc22.noarch
 * tomcat-7.0.68-3.fc22.noarch
 * tomcat-lib-7.0.68-3.fc22.noarch
 * tomcat-el-2.2-api-7.0.68-3.fc22.noarch
 * tomcatjss-7.1.2-2.fc22.noarch

-- Matt
--- src/org/apache/tomcat/util/net/jss/JSSSupport.java	2015-04-20 12:34:46.0 -0600
+++ src/org/apache/tomcat/util/net/jss/JSSSupport.java	2015-08-05 15:10:53.0 -0600
@@ -97,6 +97,10 @@ class JSSSupport implements SSLSupport {
 return null;
 }
 
+public String getProtocol() throws IOException {
+return null;
+}
+
 public String getSessionId() throws IOException {
 return null;
 }
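Review bot: `getProtocol()` returns `null` unconditionally, like `getSessionId()` directly above it; anything that asks the connector for the negotiated TLS protocol version (access-log patterns, audit code) will see nothing on JSS-backed connectors. If JSS can report the session's protocol, wire it through here; otherwise add a comment stating that it is intentionally unsupported so the `null` is not later mistaken for a bug.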
3c3
< Release:  1%{?dist}
---
> Release:  2%{?dist}
24a25,27
> %if 0%{?fedora} == 22
> BuildRequires:tomcat >= 7.0.68
> %else
26a30
> %endif
38a43,45
> %if 0%{?fedora} == 22
> Requires: tomcat >= 7.0.68
> %else
40a48,50
> %endif
> 
> Patch1:   tomcatjss-Build-Tomcat-7.0.68.patch
63a74
> %patch1 -p0
93a105,108
> * Wed Mar 16 2016 Endi Sukma Dewata <edew...@redhat.com> 7.1.2-2
> - Bugzilla Bug #1245786 - Build failure on F23 (backported to F22 to
>   coincide with Tomcat version change to 7.0.68)
> 
From 1f1d642e207b3610c0a418653eed6d2855ca13a8 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@pki.usersys.redhat.com>
Date: Tue, 15 Mar 2016 17:43:10 -0600
Subject: [PATCH] Build using tomcat 7.0.68 on F22

---
 base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java | 5 +
 1 file changed, 5 insertions(+)

diff --git a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
index 094c056..c5e845b 100644
--- a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
@@ -60,6 +60,11 @@ public class ProxyRealm implements Realm {
 }
 
 @Override
+public Principal authenticate(String username) {
+return realm.authenticate(username);
+}
+
+@Override
 public Principal authenticate(String username, String password) {
 return realm.authenticate(username, password);
 }
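Review bot: the new `authenticate(String username)` forwards a credential-less authentication straight to the wrapped realm. This is the one `Realm.authenticate` overload that can yield a `Principal` with no password, certificate or GSS context, so verify that the backing realm handles it safely (returning `null` unless that mode is explicitly intended) rather than treating a bare username as authenticated; a comment here explaining why the delegation is acceptable would help future readers.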
-- 
2.5.0

43c43
< Release:  11%{?dist}
---
> Release:  12%{?dist}
126a127,129
> %if 0%{?fedora} == 22
> BuildRequires:tomcatjss >= 7.1.2-2
> %else
129a133
> %endif
204a209,210
> ## pki-core-10.2.6-12
> Patch42:  pki-core-Build-using-tomcat-7.0.68-on-F22.patch
397c403,406
< Requires: tomcat-servlet-3.1-api
---
> Requires: tomcat-servlet-3.1-api >= 8.0.32
> %else
> %if 0%{?fedora} == 22
> Requires: tomcat-servlet-3.0-api >= 7.0.68
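Review bot: in this region the original `%if 0%{?fedora} >= 22` guard is removed (see `399d407` just below) and replaced by nested `%else` / `%if 0%{?fedora} == 22` branches, but the enclosing `%if` that now owns the `>= 8.0.32` requirements is not visible in a normal-format diff; rebuild the spec for both F22 and F23 to confirm the `%if`/`%else`/`%endif` nesting balances (the matching `%endif` appears to be the one added at `468a484`).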
399d407
< %if 0%{?fedora} >= 22
458d465
< Requires: tomcat >= 7.0.47
460,462c467,476
< Requires: tomcat-el-3.0-api
< Requires: tomcat-jsp-2.3-api
< Requires: tomcat-servlet-3.1-api
---
> Requires: tomcat >= 8.0.32
> Requires: tomcat-el-3.0-api >= 8.0.32
> Requires: tomcat-jsp-2.3-api >= 8.0.32
> Requires: tomcat-servlet-3.1-api >= 8.0.32
> %else
> %if 0%{?fedora} == 22
> Requires: tomcat >= 7.0.68
> Requires: tomcat-el-2.2-api >= 7.0.68
> Requires: tomcat-jsp-2.2-api >= 7.0.68
> Requires: tomcat-servlet-3.0-api >= 7.0.68
463a478
> Requires: tomcat >= 7.0.47
468a484
> %endif
481a498,500
> %if 0%{?fedora} == 22
> Requires: tomcatjss >= 7.1.2-2
> %else
484a504
> %endif
748a769
> %patch42 -p1
1097a1119,1121
> * Wed Mar 16 2016 Dogtag Team <pki-devel@redhat.com> 10.2.6-12
> - Changes due to F22 Tomcat version change to 7.0.68
> 

[Pki-devel] [PATCH] Determine supported javadoc options

2016-02-18 Thread Matthew Harmsen

Please review the attached patch which addresses the following PKI ticket:

 * PKI TRAC #2040 - Determine supported javadoc options
   <https://fedorahosted.org/pki/ticket/2040>

The patch has been tested successfully with the following four build 
scenarios:


   ...
   -- Java_VERSION_STRING = '1.7.0_95'
   -- Javac_VERSION_OUTPUT = 'javac 1.7.0_95'
   -- Javadoc_VERSION_MINOR = '7'
   ...
   ... /bin/javadoc ... -doctitle 'PKI Javadoc' -author -use
   -version -sourcepath ...
   ...


   ...
   -- Java_VERSION_STRING = '1.7.0_95'
   -- Javac_VERSION_OUTPUT = 'javac 1.8.0_71'
   -- Javadoc_VERSION_MINOR = '8'
   ...
   ... /bin/javadoc ... -doctitle 'PKI Javadoc' -author -use
   -version -Xdoclint:none -sourcepath ...
   ...


   ...
   -- Java_VERSION_STRING = '1.8.0_71'
   -- Javac_VERSION_OUTPUT = 'javac 1.7.0_95'
   -- Javadoc_VERSION_MINOR = '7'
   ...
   ... /bin/javadoc ... -doctitle 'PKI Javadoc' -author -use
   -version -sourcepath ...
   ...


   ...
   -- Java_VERSION_STRING = '1.8.0_71'
   -- Javac_VERSION_OUTPUT = 'javac 1.8.0_71'
   -- Javadoc_VERSION_MINOR = '8'
   ...
   ... /bin/javadoc ... -doctitle 'PKI Javadoc' -author -use
   -version -Xdoclint:none -sourcepath ...
   ...


From b6671be1d72ac60a21ce1e86d91d24c5015097dd Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Thu, 18 Feb 2016 17:14:09 -0700
Subject: [PATCH] Fix to determine supported javadoc options

- PKI TRAC Ticket #2040 - Determine supported javadoc options
---
 base/javadoc/CMakeLists.txt | 57 +++--
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/base/javadoc/CMakeLists.txt b/base/javadoc/CMakeLists.txt
index fa524be..1d088bb 100644
--- a/base/javadoc/CMakeLists.txt
+++ b/base/javadoc/CMakeLists.txt
@@ -1,9 +1,62 @@
 project(pki-javadoc)
 
+# It is important to identify the version of 'javadoc' being utilized since
+# different versions support different options.
+#
+# While 'cmake' contains numerous built-in references to the 'java' version,
+# it contains no built-in references to either the 'javac' or 'javadoc'
+# versions, and unfortunately, the specified version of 'java' may be
+# different from the specified versions of 'javac' and 'javadoc'.
+#
+# Additionally, although 'javadoc' contains no command-line option to identify
+# its version, it is important to note that 'javadoc' is supplied by the same
+# package that supplies 'javac', and although multiple versions of these
+# executables could co-exist on the same system, it is relatively safe to
+# assert that the currently specified 'javac' and 'javadoc' will be the same
+# version.
+#
+# As an example in support of this assertion, on systems which utilize
+# '/usr/sbin/alternatives', setting the 'javac' version will also
+# automatically set the 'javadoc' version to match the 'javac' version, and
+# 'usr/sbin/alternatives' cannot be used to set a specific 'javadoc' version.
+#
+# Therefore, regardless of the 'java' version, this 'CMakeLists.txt' file will
+# programmatically utilize the invoked 'javac' version information (output is
+# to stderr) in order to correctly identify the supported 'javadoc' options:
+#
+# # javac -version 2>&1 | awk -F \. '{printf $2}'
+#
+# NOTE:  Used 'cut' instead of 'awk' due to 'cmake' parsing limitations:
+#
+# # javac -version 2>&1 | cut -f2 -d.
+#
+message( STATUS "Java_VERSION_STRING = '${Java_VERSION_STRING}'" )
+execute_process(
+COMMAND
+javac -version
+ERROR_VARIABLE
+Javac_VERSION_OUTPUT
+OUTPUT_VARIABLE
+Javac_VERSION_OUTPUT
+ERROR_STRIP_TRAILING_WHITESPACE
+OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+message( STATUS "Javac_VERSION_OUTPUT = '${Javac_VERSION_OUTPUT}'" )
+execute_process(
+COMMAND
+echo ${Javac_VERSION_OUTPUT}
+COMMAND
+cut -f2 -d.
+OUTPUT_VARIABLE
+Javadoc_VERSION_MINOR
+OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+message( STATUS "Javadoc_VERSION_MINOR = '${Javadoc_VERSION_MINOR}'" )
+
 set(doclintstr "")
-if(${Java_VERSION_MINOR} VERSION_EQUAL 8 OR ${Java_VERSION_MINOR} VERSION_GREATER 8)
+if(NOT (${Javadoc_VERSION_MINOR} LESS 8))
 set(doclintstr "-Xdoclint:none")
-endif(${Java_VERSION_MINOR} VERSION_EQUAL 8 OR ${Java_VERSION_MINOR} VERSION_GREATER 8)
+endif(NOT (${Javadoc_VERSION_MINOR} LESS 8))
 
 javadoc(pki-javadoc
 SOURCEPATH
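Review bot: the version probe runs a bare `javac` from `PATH`, while `Java_VERSION_STRING` comes from CMake's FindJava; use `${Java_JAVAC_EXECUTABLE}` from the same module so the probed compiler is the one the build actually uses. `cut -f2 -d.` also assumes a `1.x.y` layout: if `javac` is not found the variable is empty and `if(NOT (${Javadoc_VERSION_MINOR} LESS 8))` becomes malformed, and a version string that does not start with `1.` would yield the wrong field as the minor version; check for an empty result and fall back to `Java_VERSION_MINOR` in that case.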
-- 
1.8.3.1


Re: [Pki-devel] [PATCH] 668 Fixed installation summary for existing CA.

2016-01-22 Thread Matthew Harmsen

On 01/22/2016 08:56 AM, Endi Sukma Dewata wrote:

The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.

https://fedorahosted.org/pki/ticket/456




ACK