diff --git a/.gitignore b/.gitignore
index 46f0f6b..0b5ce36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,3 +73,4 @@
 /pki-10.9.0-a2.tar.gz
 /pki-10.9.0-b2.tar.gz
 /pki-10.9.1.tar.gz
+/pki-10.9.2.tar.gz
diff --git a/0001-Make-JDK-dependency-dynamic.patch b/0001-Make-JDK-dependency-dynamic.patch
new file mode 100644
index 0000000..cc2d029
--- /dev/null
+++ b/0001-Make-JDK-dependency-dynamic.patch
@@ -0,0 +1,61 @@ +From 2ba8973d4d874bb135d52bb9288e31687903ccd3 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Thu, 20 Aug 2020 11:31:10 -0400 +Subject: [PATCH 1/4] Make JDK dependency dynamic + +Signed-off-by: Alexander Scheel +--- + pki.spec | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/pki.spec b/pki.spec +index 186a6dfbf..fbaefbc9c 100644 +--- a/pki.spec ++++ b/pki.spec +@@ -52,6 +52,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver + ################################################################################ + + %define java_home /usr/lib/jvm/jre-openjdk ++%define java_devel java-devel ++%define java_headless java-headless + + %if 0%{?fedora} && 0%{?fedora} >= 33 + %define min_java_version 1:11 +@@ -157,7 +159,7 @@ BuildRequires: make + BuildRequires: cmake >= 3.0.2 + BuildRequires: gcc-c++ + BuildRequires: zip +-BuildRequires: java-devel >= %{min_java_version} ++BuildRequires: %java_devel >= %{min_java_version} + BuildRequires: javapackages-tools + BuildRequires: redhat-rpm-config + BuildRequires: ldapjdk >= 4.22.0 +@@ -331,7 +333,7 @@ PKI consists of the following components: + + Summary: PKI Symmetric Key Package + +-Requires: java-headless >= %{min_java_version} ++Requires: %java_headless >= %{min_java_version} + Requires: jpackage-utils >= 0:1.7.5-10 + Requires: jss >= 4.7.0 + Requires: nss >= 3.38.0 +@@ -399,7 +401,7 @@ This package contains PKI client library for Python 3. + Summary: PKI Base Java Package + BuildArch: noarch + +-Requires: java-headless >= %{min_java_version} ++Requires: %java_headless >= %{min_java_version} + Requires: apache-commons-cli + Requires: apache-commons-codec + Requires: apache-commons-io +@@ -492,6 +494,7 @@ Requires: tomcat >= 1:9.0.7 + %endif + + Requires: velocity ++Requires: sudo + Requires: systemd + Requires(post): systemd-units + Requires(preun): systemd-units +-- +2.26.2 + 
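Review bot: The `+Requires: sudo` line in the last pki.spec hunk of this patch is unrelated to the stated subject, "Make JDK dependency dynamic", and the commit message does not explain it. A new runtime dependency on a privilege-elevation tool deserves its own commit, or at least a sentence naming the script or unit that invokes sudo and under which account. The patch also edits the upstream `pki.spec` inside the source tree, which presumably has no effect on the package built from `pki-core.spec`. None of the pki-core.spec hunks on this page add `Requires: sudo`, so if the dependency is really needed it looks missing from the packaged spec.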
diff --git a/0001-Support-FIPS-HSMs.patch b/0001-Support-FIPS-HSMs.patch
deleted file mode 100644
index df94470..0000000
--- a/0001-Support-FIPS-HSMs.patch
+++ /dev/null
@@ -1,404 +0,0 @@ -From a5d1c9dab35030c839e3a2b506bd3dfcf631ccdb Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 11 Aug 2020 11:56:27 -0500 -Subject: [PATCH 1/5] Disabled AIA and cert policy extensions in ACME examples - -The ACME NSS issuer has been modified to disable the AIA and -certificate policy extensions by default since they contain -non-functional URLs that might cause certbot to generate -error messages. - -https://bugzilla.redhat.com/show_bug.cgi?id=1868233 ---- - base/acme/issuer/nss/ca_signing.conf | 9 +++++---- - base/acme/issuer/nss/sslserver.conf | 9 +++++---- - 2 files changed, 10 insertions(+), 8 deletions(-) - -diff --git a/base/acme/issuer/nss/ca_signing.conf b/base/acme/issuer/nss/ca_signing.conf -index aedcd4b0e..b9a82a2d1 100644 ---- a/base/acme/issuer/nss/ca_signing.conf -+++ b/base/acme/issuer/nss/ca_signing.conf -@@ -1,8 +1,9 @@ - basicConstraints = critical, CA:TRUE - subjectKeyIdentifier = hash --authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com - keyUsage = critical, digitalSignature, keyCertSign, cRLSign --certificatePolicies = 2.23.140.1.2.1, @cps_policy - --cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 --cps_policy.CPS.1 = http://cps.example.com -+# authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com -+ -+# certificatePolicies = 2.23.140.1.2.1, @cps_policy -+# cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 -+# cps_policy.CPS.1 = http://cps.example.com -diff --git a/base/acme/issuer/nss/sslserver.conf b/base/acme/issuer/nss/sslserver.conf -index f9e04902b..e153c223e 100644 ---- a/base/acme/issuer/nss/sslserver.conf -+++ b/base/acme/issuer/nss/sslserver.conf -@@ -1,10 +1,11 @@ - basicConstraints = critical, CA:FALSE - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid:always --authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com - keyUsage = critical, digitalSignature, keyEncipherment - 
extendedKeyUsage = serverAuth, clientAuth --certificatePolicies = 2.23.140.1.2.1, @cps_policy - --cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 --cps_policy.CPS.1 = http://cps.example.com -+# authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com -+ -+# certificatePolicies = 2.23.140.1.2.1, @cps_policy -+# cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 -+# cps_policy.CPS.1 = http://cps.example.com --- -2.26.2 - - -From a48e731d0faab11929fd9bf3d54a0638bbf40a16 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Tue, 11 Aug 2020 14:41:16 -0400 -Subject: [PATCH 2/5] Start NSSCertExportCLI - -Can be tested with pki nss-cert-export - -Signed-off-by: Alexander Scheel ---- - .../com/netscape/cmstools/nss/NSSCertCLI.java | 3 +- - .../cmstools/nss/NSSCertExportCLI.java | 128 ++++++++++++++++++ - 2 files changed, 130 insertions(+), 1 deletion(-) - create mode 100644 base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java - -diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java -index 0313ffae5..2f1f8cac5 100644 ---- a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertCLI.java -@@ -12,8 +12,9 @@ public class NSSCertCLI extends CLI { - public NSSCertCLI(NSSCLI nssCLI) { - super("cert", "NSS certificate management commands", nssCLI); - -+ addModule(new NSSCertExportCLI(this)); - addModule(new NSSCertImportCLI(this)); -- addModule(new NSSCertRequestCLI(this)); - addModule(new NSSCertIssueCLI(this)); -+ addModule(new NSSCertRequestCLI(this)); - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java -new file mode 100644 -index 000000000..06150fe41 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java -@@ -0,0 +1,128 @@ -+// -+// Copyright Red Hat, 
Inc. -+// -+// SPDX-License-Identifier: GPL-2.0-or-later -+// -+package com.netscape.cmstools.nss; -+ -+import java.io.FileOutputStream; -+import java.nio.file.Files; -+import java.nio.file.Paths; -+import javax.net.ssl.KeyManagerFactory; -+import java.security.cert.X509Certificate; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+import org.apache.commons.io.IOUtils; -+import org.dogtagpki.cli.CommandCLI; -+import org.dogtagpki.nss.NSSDatabase; -+import org.mozilla.jss.pkcs11.PK11Cert; -+import org.mozilla.jss.netscape.security.util.Cert; -+import org.mozilla.jss.netscape.security.util.Utils; -+import org.mozilla.jss.netscape.security.x509.X509CertImpl; -+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager; -+ -+import com.netscape.certsrv.client.ClientConfig; -+import com.netscape.cmstools.cli.MainCLI; -+ -+public class NSSCertExportCLI extends CommandCLI { -+ -+ public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(NSSCertExportCLI.class); -+ -+ public NSSCertExportCLI(NSSCertCLI nssCertCLI) { -+ super("export", "Export certificate", nssCertCLI); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(getFullName() + " [OPTIONS...] 
nickname [path]", options); -+ } -+ -+ public void createOptions() { -+ Option option = new Option(null, "format", true, "Certificate format: PEM (default), DER, RAW"); -+ option.setArgName("format"); -+ options.addOption(option); -+ -+ option = new Option(null, "with-chain", false, "Export with certificate chain from NSS DB"); -+ option.setArgName("with-chain"); -+ options.addOption(option); -+ } -+ -+ public void execute(CommandLine cmd) throws Exception { -+ -+ String[] cmdArgs = cmd.getArgs(); -+ String nickname = null; -+ String path = null; -+ -+ if (cmdArgs.length < 1) { -+ throw new Exception("Missing required positional argument: nickname"); -+ } -+ nickname = cmdArgs[0]; -+ -+ if (cmdArgs.length >= 2) { -+ path = cmdArgs[1]; -+ } -+ -+ String format = cmd.getOptionValue("format", "PEM").toUpperCase(); -+ boolean chain = cmd.hasOption("with-chain"); -+ -+ if (!format.equals("PEM") && !format.equals("DER") && !format.equals("RAW")) { -+ throw new Exception("Unknown type of output format: " + format); -+ } -+ -+ if (chain && format.equals("DER")) { -+ throw new Exception("Unable to write chain of DER-encoded certificates; use PEM instead."); -+ } -+ -+ MainCLI mainCLI = (MainCLI) getRoot(); -+ mainCLI.init(); -+ -+ X509Certificate[] certs; -+ -+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS"); -+ JSSKeyManager km = (JSSKeyManager) kmf.getKeyManagers()[0]; -+ -+ if (chain) { -+ certs = km.getCertificateChain(nickname); -+ } else { -+ certs = new X509Certificate[] { -+ (PK11Cert) km.getCertificate(nickname) -+ }; -+ } -+ -+ byte[] output = null; -+ -+ if (format.equals("RAW")) { -+ StringBuffer buffer = new StringBuffer(); -+ for (X509Certificate cert : certs) { -+ buffer.append(cert.toString()); -+ } -+ -+ output = buffer.toString().getBytes(); -+ } else if (format.equals("PEM")) { -+ StringBuffer buffer = new StringBuffer(); -+ -+ for (X509Certificate cert : certs) { -+ byte[] encoded = cert.getEncoded(); -+ 
buffer.append(Cert.HEADER); -+ buffer.append("\r\n"); -+ buffer.append(Utils.base64encodeMultiLine(encoded)); -+ buffer.append(Cert.FOOTER); -+ buffer.append("\r\n\r\n"); -+ } -+ -+ output = buffer.toString().getBytes(); -+ } else if (format.equals("DER")) { -+ for (X509Certificate cert : certs) { -+ output = cert.getEncoded(); -+ } -+ } -+ -+ if (path == null) { -+ System.out.println(new String(output)); -+ } else { -+ try (FileOutputStream fos = new FileOutputStream(path)) { -+ fos.write(output); -+ } -+ } -+ } -+} --- -2.26.2 - - -From 0c6b6e916420faa583a25a12621100a35bba1b57 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Tue, 11 Aug 2020 15:16:01 -0400 -Subject: [PATCH 3/5] Fix export on FIPS-enabled HSMs - -Signed-off-by: Alexander Scheel ---- - base/common/python/pki/nssdb.py | 70 +++++++++++++++++---------------- - 1 file changed, 37 insertions(+), 33 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 599cd9895..ff2af4a40 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -1351,6 +1351,38 @@ class NSSDatabase(object): - epoch = datetime.datetime.utcfromtimestamp(0) - return (date - epoch).total_seconds() * 1000 - -+ def export_cert_from_db(self, -+ nickname, -+ output_file, -+ include_chain=False, -+ output_format=None): -+ cmd = [ -+ 'pki', -+ '-d', self.directory -+ ] -+ -+ if self.password_file: -+ cmd.extend(['-C', self.password_file]) -+ -+ if self.token: -+ cmd.extend(['--token', self.token]) -+ full_name = self.token + ':' + nickname -+ else: -+ full_name = nickname -+ -+ cmd.extend(['nss-cert-export']) -+ -+ if include_chain: -+ cmd.extend(['--with-chain']) -+ -+ if output_format: -+ cmd.extend(['--format', output_format]) -+ -+ cmd.extend([full_name, output_file]) -+ -+ logger.debug('Command: %s', ' '.join(map(str, cmd))) -+ subprocess.check_call(cmd) -+ - def export_cert(self, - nickname, - pkcs12_file, -@@ -1752,39 +1784,11 @@ class 
NSSDatabase(object): - shutil.rmtree(tmpdir) - - def extract_ca_cert(self, ca_path, nickname): -- tmpdir = tempfile.mkdtemp() -- -- try: -- p12_file = os.path.join(tmpdir, "sslserver.p12") -- password = pki.generate_password() -- -- # Build a chain containing the certificate we're trying to -- # export. OpenSSL gets confused if we don't have a key for -- # the end certificate: rh-bz#1246371 -- self.export_pkcs12(p12_file, pkcs12_password=password, -- nicknames=[nickname], include_key=False, -- include_chain=True) -- -- # This command is similar to the one from server/__init__.py. -- # However, to work during the initial startup, we do not -- # specify the cacerts option! This ensures we always get -- cmd_export_ca = [ -- 'openssl', 'pkcs12', -- '-in', p12_file, -- '-out', ca_path, -- '-nodes', '-nokeys', -- '-passin', 'pass:' + password -- ] -- -- # Remove CA.crt prior to starting; openssl gets annoyed otherwise. -- if os.path.exists(ca_path): -- os.remove(ca_path) -- -- res_ca = subprocess.check_output(cmd_export_ca, -- stderr=subprocess.STDOUT).decode('utf-8') -- logger.debug('Result of CA cert export: %s', res_ca) -- finally: -- shutil.rmtree(tmpdir) -+ # Build a chain containing the certificate we're trying to -+ # export. OpenSSL gets confused if we don't have a key for -+ # the end certificate: rh-bz#1246371 -+ self.export_cert_from_db(nickname, ca_path, include_chain=True, -+ output_format="PEM") - - @staticmethod - def __generate_key_args(key_type=None, key_size=None, curve=None): --- -2.26.2 - - -From 2df13c4195e8e6b184294888b2c6376043047e33 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 11 Aug 2020 19:39:39 -0500 -Subject: [PATCH 4/5] Fixed cert nickname in NSSDatabase.export_cert_from_db() - -The NSSDatabase.export_cert_from_db() has been modified to -no longer prepend the token name to the cert nickname since -the cert nickname obtained from serverCertNick.conf already -contains the token name. 
---- - base/common/python/pki/nssdb.py | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index ff2af4a40..c7ce89336 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -1366,9 +1366,6 @@ class NSSDatabase(object): - - if self.token: - cmd.extend(['--token', self.token]) -- full_name = self.token + ':' + nickname -- else: -- full_name = nickname - - cmd.extend(['nss-cert-export']) - -@@ -1378,7 +1375,7 @@ class NSSDatabase(object): - if output_format: - cmd.extend(['--format', output_format]) - -- cmd.extend([full_name, output_file]) -+ cmd.extend([nickname, output_file]) - - logger.debug('Command: %s', ' '.join(map(str, cmd))) - subprocess.check_call(cmd) --- -2.26.2 - - -From eb28b09fb030fe5df2b6b4cfa16338ddd0325b30 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 11 Aug 2020 20:07:56 -0500 -Subject: [PATCH 5/5] Removed blank lines in pki nss-cert-export output - -The pki nss-cert-export has been modified to remove the extra -blank lines between certs and at the end of the output. 
---- - .../src/com/netscape/cmstools/nss/NSSCertExportCLI.java | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java -index 06150fe41..9aaf83a30 100644 ---- a/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/nss/NSSCertExportCLI.java -@@ -107,7 +107,7 @@ public class NSSCertExportCLI extends CommandCLI { - buffer.append("\r\n"); - buffer.append(Utils.base64encodeMultiLine(encoded)); - buffer.append(Cert.FOOTER); -- buffer.append("\r\n\r\n"); -+ buffer.append("\r\n"); - } - - output = buffer.toString().getBytes(); -@@ -118,7 +118,8 @@ public class NSSCertExportCLI extends CommandCLI { - } - - if (path == null) { -- System.out.println(new String(output)); -+ System.out.print(new String(output)); -+ System.out.flush(); - } else { - try (FileOutputStream fos = new FileOutputStream(path)) { - fos.write(output); --- -2.26.2 - diff --git a/0002-Add-server-dependency-on-jaxb-api.patch b/0002-Add-server-dependency-on-jaxb-api.patch new file mode 100644 index 0000000..a598d2e --- /dev/null +++ b/0002-Add-server-dependency-on-jaxb-api.patch 
@@ -0,0 +1,25 @@ +From 55e82e4a31b93e0cf3e3e98533145f5f52c716fd Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Thu, 6 Aug 2020 18:31:13 -0400 +Subject: [PATCH 2/4] Add server dependency on jaxb-api + +Signed-off-by: Alexander Scheel +--- + base/server/CMakeLists.txt | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt +index 8f83aed91..64e66c9fc 100644 +--- a/base/server/CMakeLists.txt ++++ b/base/server/CMakeLists.txt +@@ -97,6 +97,7 @@ add_custom_command( + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_BASE_JAR} common/lib/jackson-jaxrs-base.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} common/lib/jackson-jaxrs-json-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar ++ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar + COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar +-- +2.26.2 + diff --git a/0003-Add-JAXB-Implementation-dependency-for-JDK11.patch b/0003-Add-JAXB-Implementation-dependency-for-JDK11.patch new file mode 100644 index 0000000..30e0497 --- /dev/null +++ b/0003-Add-JAXB-Implementation-dependency-for-JDK11.patch 
@@ -0,0 +1,153 @@ +From 5971bd813096e4fa994547a691a3b5bf7b3427dd Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 19 Aug 2020 15:24:59 -0400 +Subject: [PATCH 3/4] Add JAXB Implementation dependency for JDK11+ + +Signed-off-by: Alexander Scheel +--- + .classpath | 1 + + base/CMakeLists.txt | 8 ++++++++ + base/common/CMakeLists.txt | 3 ++- + base/server/CMakeLists.txt | 1 + + base/server/share/conf/pki.policy | 4 ++++ + pki.spec | 1 + + pom.xml | 6 ++++++ + scripts/compose_pki_test_package | 1 + + tests/dogtag/dev_java_tests/run_junit_tests.sh | 1 + + 9 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/.classpath b/.classpath +index 04168f05a..ae7f001a0 100644 +--- a/.classpath ++++ b/.classpath +@@ -34,6 +34,7 @@ + + + ++ + + + +diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt +index 5f94170ac..2fef383ec 100644 +--- a/base/CMakeLists.txt ++++ b/base/CMakeLists.txt +@@ -174,6 +174,14 @@ find_file(JAXB_API_JAR + /usr/share/java + ) + ++find_file(JAXB_IMPL_JAR ++ NAMES ++ jaxb-impl.jar ++ PATHS ++ /usr/share/java/jaxb ++ /usr/share/java ++) ++ + find_file(JSS_JAR + NAMES + jss4.jar +diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt +index 4c21bb4aa..4fb3e30b5 100644 +--- a/base/common/CMakeLists.txt ++++ b/base/common/CMakeLists.txt +@@ -29,6 +29,7 @@ add_custom_command( + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} lib/jackson-jaxrs-json-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} lib/jackson-module-jaxb-annotations.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar ++ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} lib/jaxb-impl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} lib/jss4.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} lib/ldapjdk.jar + COMMAND ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar +@@ -147,7 +148,7 @@ 
install( + + install( + DIRECTORY +- DESTINATION ++ DESTINATION + ${SYSTEMD_ETC_INSTALL_DIR}/pki-tomcatd.target.wants + ) + +diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt +index 64e66c9fc..7053ac208 100644 +--- a/base/server/CMakeLists.txt ++++ b/base/server/CMakeLists.txt +@@ -98,6 +98,7 @@ add_custom_command( + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXRS_JSON_PROVIDER_JAR} common/lib/jackson-jaxrs-json-provider.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar ++ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} common/lib/jaxb-impl.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar + COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar +diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy +index 9d66f9d51..2fbcaef90 100644 +--- a/base/server/share/conf/pki.policy ++++ b/base/server/share/conf/pki.policy +@@ -48,6 +48,10 @@ grant codeBase "file:/usr/share/java/jaxb-api.jar" { + permission java.security.AllPermission; + }; + ++grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar" { ++ permission java.security.AllPermission; ++}; ++ + grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" { + permission java.security.AllPermission; + }; +diff --git a/pki.spec b/pki.spec +index fbaefbc9c..8d931a8a7 100644 +--- a/pki.spec ++++ b/pki.spec +@@ -423,6 +423,7 @@ Requires: resteasy >= 3.0.26 + Requires: resteasy-atom-provider >= 3.0.17-1 + Requires: resteasy-client >= 3.0.17-1 + Requires: resteasy-jaxb-provider >= 3.0.17-1 ++Requires: jaxb-impl + Requires: resteasy-core >= 3.0.17-1 + Requires: resteasy-jackson2-provider >= 3.0.17-1 + %endif +diff --git a/pom.xml 
b/pom.xml +index 731d41cbe..35644e20e 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -80,6 +80,12 @@ + runtime + + ++ ++ com.sun.xml.bind ++ jaxb-impl ++ 2.3.3 ++ ++ + + org.jboss.spec.javax.annotation + jboss-annotations-api_1.2_spec +diff --git a/scripts/compose_pki_test_package b/scripts/compose_pki_test_package +index 1642cd8d9..f6de770e1 100755 +--- a/scripts/compose_pki_test_package ++++ b/scripts/compose_pki_test_package +@@ -118,6 +118,7 @@ CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-mcc.jar + CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar ++CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar + CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar + CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar + CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar +diff --git a/tests/dogtag/dev_java_tests/run_junit_tests.sh b/tests/dogtag/dev_java_tests/run_junit_tests.sh +index 4544c1496..317958ccc 100644 +--- a/tests/dogtag/dev_java_tests/run_junit_tests.sh ++++ b/tests/dogtag/dev_java_tests/run_junit_tests.sh +@@ -54,6 +54,7 @@ run_dev_junit_tests() { + CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar ++ CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar + CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar + CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar + CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar +-- +2.26.2 + diff --git a/0004-Add-Jakarta-Activation-dependency-for-JDK11.patch b/0004-Add-Jakarta-Activation-dependency-for-JDK11.patch new file mode 100644 index 0000000..977a087 --- /dev/null +++ b/0004-Add-Jakarta-Activation-dependency-for-JDK11.patch 
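Review bot: The new pki.policy grant is tied to the single path `file:/usr/share/java/jaxb/jaxb-impl.jar`, while the `find_file(JAXB_IMPL_JAR ...)` block added in base/CMakeLists.txt also accepts `/usr/share/java`. If the jar resolves from the second location, the grant would presumably not match and the policy would silently diverge from what the build linked. The same mismatch appears in the following Jakarta Activation patch, where `find_file` accepts four jar names and five directories but the policy names only `/usr/share/java/jakarta-activation/jakarta.activation.jar`. Each grant hands `java.security.AllPermission` to one more third-party jar, so I would add a comment above it such as `// JAXB runtime needed on JDK 11+; AllPermission mirrors the jaxb-api grant, narrow if possible`, so the widened trust is a recorded decision. The symlink commands also use `${JAXB_IMPL_JAR}` with no visible check that `find_file` succeeded.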
@@ -0,0 +1,160 @@ +From 17af4157bb51efe829314d3bdd9efedd14667d26 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Thu, 20 Aug 2020 08:47:58 -0400 +Subject: [PATCH 4/4] Add Jakarta Activation dependency for JDK11+ + +Signed-off-by: Alexander Scheel +--- + .classpath | 1 + + base/CMakeLists.txt | 14 ++++++++++++++ + base/common/CMakeLists.txt | 1 + + base/server/CMakeLists.txt | 1 + + base/server/share/conf/pki.policy | 4 ++++ + pki.spec | 6 +++++- + pom.xml | 6 ++++++ + scripts/compose_pki_test_package | 1 + + tests/dogtag/dev_java_tests/run_junit_tests.sh | 2 +- + 9 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/.classpath b/.classpath +index ae7f001a0..078d3a403 100644 +--- a/.classpath ++++ b/.classpath +@@ -35,6 +35,7 @@ + + + ++ + + + +diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt +index 2fef383ec..8a19f9c71 100644 +--- a/base/CMakeLists.txt ++++ b/base/CMakeLists.txt +@@ -182,6 +182,20 @@ find_file(JAXB_IMPL_JAR + /usr/share/java + ) + ++find_file(JAKARTA_ACTIVATION_JAR ++ NAMES ++ jakarta.activation.jar ++ jakarta-activation.jar ++ jaxb.activation.jar ++ jaxb-activation.jar ++ PATHS ++ /usr/share/java/jakarta-activation ++ /usr/share/java/jakarta ++ /usr/share/java/jaxb-activation ++ /usr/share/java/jaxb ++ /usr/share/java ++) ++ + find_file(JSS_JAR + NAMES + jss4.jar +diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt +index 4fb3e30b5..4e9d44255 100644 +--- a/base/common/CMakeLists.txt ++++ b/base/common/CMakeLists.txt +@@ -30,6 +30,7 @@ add_custom_command( + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} lib/jackson-module-jaxb-annotations.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} lib/jaxb-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} lib/jaxb-impl.jar ++ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} lib/jakarta.activation.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} lib/jss4.jar + COMMAND 
${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} lib/ldapjdk.jar + COMMAND ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar +diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt +index 7053ac208..04f537436 100644 +--- a/base/server/CMakeLists.txt ++++ b/base/server/CMakeLists.txt +@@ -99,6 +99,7 @@ add_custom_command( + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JACKSON2_JAXB_ANNOTATIONS_JAR} common/lib/jackson-module-jaxb-annotations.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_API_JAR} common/lib/jaxb-api.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAXB_IMPL_JAR} common/lib/jaxb-impl.jar ++ COMMAND ${CMAKE_COMMAND} -E create_symlink ${JAKARTA_ACTIVATION_JAR} common/lib/jakarta.activation.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${JSS_JAR} common/lib/jss4.jar + COMMAND ${CMAKE_COMMAND} -E create_symlink ${LDAPJDK_JAR} common/lib/ldapjdk.jar + COMMAND ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-cmsutil.jar +diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy +index 2fbcaef90..460fff0bb 100644 +--- a/base/server/share/conf/pki.policy ++++ b/base/server/share/conf/pki.policy +@@ -52,6 +52,10 @@ grant codeBase "file:/usr/share/java/jaxb/jaxb-impl.jar" { + permission java.security.AllPermission; + }; + ++grant codeBase "file:/usr/share/java/jakarta-activation/jakarta.activation.jar" { ++ permission java.security.AllPermission; ++}; ++ + grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" { + permission java.security.AllPermission; + }; +diff --git a/pki.spec b/pki.spec +index 8d931a8a7..e29b6d12f 100644 +--- a/pki.spec ++++ b/pki.spec +@@ -423,11 +423,15 @@ Requires: resteasy >= 3.0.26 + Requires: resteasy-atom-provider >= 3.0.17-1 + Requires: resteasy-client >= 3.0.17-1 + Requires: resteasy-jaxb-provider >= 3.0.17-1 +-Requires: jaxb-impl + Requires: resteasy-core >= 3.0.17-1 + Requires: 
resteasy-jackson2-provider >= 3.0.17-1 + %endif + ++%if 0%{?fedora} && 0%{?fedora} >= 33 ++Requires: jaxb-impl >= 2.3.3 ++Requires: jakarta-activation >= 1.2.2 ++%endif ++ + Requires: xalan-j2 + Requires: xerces-j2 + Requires: xml-commons-apis +diff --git a/pom.xml b/pom.xml +index 35644e20e..34af3c121 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -86,6 +86,12 @@ + 2.3.3 + + ++ ++ jakarta.activation ++ jakarta.activation-api ++ 1.2.2 ++ ++ + + org.jboss.spec.javax.annotation + jboss-annotations-api_1.2_spec +diff --git a/scripts/compose_pki_test_package b/scripts/compose_pki_test_package +index f6de770e1..b8c39c682 100755 +--- a/scripts/compose_pki_test_package ++++ b/scripts/compose_pki_test_package +@@ -119,6 +119,7 @@ CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar ++CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar + CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar + CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar + CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar +diff --git a/tests/dogtag/dev_java_tests/run_junit_tests.sh b/tests/dogtag/dev_java_tests/run_junit_tests.sh +index 317958ccc..76efd757b 100644 +--- a/tests/dogtag/dev_java_tests/run_junit_tests.sh ++++ b/tests/dogtag/dev_java_tests/run_junit_tests.sh +@@ -54,7 +54,7 @@ run_dev_junit_tests() { + CLASSPATH=$CLASSPATH:/usr/share/java/idm-console-nmclf.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-commons-httpclient.jar + CLASSPATH=$CLASSPATH:/usr/share/java/jaxb-api.jar +- CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar ++ CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar + CLASSPATH=$CLASSPATH:/usr/share/java/ldapjdk.jar + CLASSPATH=$CLASSPATH:/usr/share/java/apache-commons-lang.jar + 
CLASSPATH=$CLASSPATH:/usr/share/java/istack-commons-runtime.jar +-- +2.26.2 + diff --git a/pki-core.spec b/pki-core.spec index e687ac1..54e9999 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -10,8 +10,10 @@ URL: http://www.dogtagpki.org/ # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 -Version: 10.9.1 -Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase. +# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase. +Version: 10.9.2 +Release: 1%{?_timestamp}%{?_commit_id}%{?dist} #global _phase -a1 # To create a tarball from a version tag: @@ -29,7 +31,11 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch1: 0001-Support-FIPS-HSMs.patch +Patch1: 0001-Make-JDK-dependency-dynamic.patch +Patch2: 0002-Add-server-dependency-on-jaxb-api.patch +Patch3: 0003-Add-JAXB-Implementation-dependency-for-JDK11.patch +Patch4: 0004-Add-Jakarta-Activation-dependency-for-JDK11.patch + ################################################################################ # NSS @@ -52,15 +58,13 @@ Patch1: 0001-Support-FIPS-HSMs.patch ################################################################################ %define java_home /usr/lib/jvm/jre-openjdk +%define java_devel java-devel +%define java_headless java-headless %if 0%{?fedora} && 0%{?fedora} >= 33 -%define min_java_version 1:1.8.0 -%define java_devel java-1.8.0-openjdk-devel -%define java_headless java-1.8.0-openjdk-headless +%define min_java_version 1:11 %else %define min_java_version 1:1.8.0 -%define java_devel java-devel -%define java_headless java-headless %endif ################################################################################ 
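Review bot: In tests/dogtag/dev_java_tests/run_junit_tests.sh the hunk replaces the `jaxb-impl.jar` CLASSPATH entry with the jakarta.activation one instead of adding a line, so the JAXB implementation that the previous patch put on the test classpath is dropped again. scripts/compose_pki_test_package in the same patch keeps both entries, which suggests the replacement is accidental. The new side should keep `CLASSPATH=$CLASSPATH:/usr/share/java/jaxb/jaxb-impl.jar` and add `CLASSPATH=$CLASSPATH:/usr/share/java/jakarta-activation/jakarta.activation.jar` after it. The body of run_dev_junit_tests() continues outside the hunk.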
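Review bot: `Patch1: 0001-Support-FIPS-HSMs.patch` is dropped from the patch list in pki-core.spec without any record of why; the 10.9.2-1 changelog entry mentions only JDK11 support. The removed file carried five commits, including "Fix export on FIPS-enabled HSMs", and nothing on this page shows that the 10.9.2 tarball contains them. If it does, record that in the changelog, for example `- Drop 0001-Support-FIPS-HSMs.patch (included in 10.9.2)`. That wording is an assumption to confirm against the tarball before merging.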
@@ -431,6 +435,11 @@ Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson2-provider >= 3.0.17-1 %endif +%if 0%{?fedora} && 0%{?fedora} >= 33 +Requires: jaxb-impl >= 2.3.3 +Requires: jakarta-activation >= 1.2.2 +%endif + Requires: xalan-j2 Requires: xerces-j2 Requires: xml-commons-apis @@ -1326,6 +1335,12 @@ fi ################################################################################ %changelog +* Tue Aug 18 2020 Dogtag PKI Team - 10.9.2-1 +- Second attempt at JDK11 Support + +* Tue Aug 18 2020 Dogtag PKI Team - 10.9.1-3 +- Force JDK8 at runtime as well + * Tue Aug 18 2020 Dogtag PKI Team - 10.9.1-2 - Rebuilt to fix packaging issues introduced upstream diff --git a/sources b/sources index 2946ba0..9e59d80 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pki-10.9.1.tar.gz) = afe814aee95e778afd84243903d9fcd05e31cb038d4289607115f9cc90ec666aaf4aab3b7f93dc54366762c96f54c8bbd9b60b486daef84280072041667d9b6a +SHA512 (pki-10.9.2.tar.gz) = 5c58af62d3a5113daee66cb538e41b0e1ec1c8303cf9a53e5f088e1a0228bd8f839d7708abae25051a449bd00ebd8246f2015e63c04a32bb9674b40c6c36c902