%define package_option() %bcond_with %1
%define debug_package %{nil}
%define _unpackaged_files_terminate_build 0
%define java_devel java-18-openjdk-devel
%define java_headless java-18-openjdk-headless
%define java_home /usr/lib/jvm/jre-18-openjdk

Name:           pki-core
Version:        11.0.0
Release:        1
Summary:        The PKI Core Package
License:        GPLv2 and LGPLv2
URL:            http://www.dogtagpki.org/
Source0:        https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
Source1:        https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz

BuildRequires:  git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires:  ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires:  apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
BuildRequires:  slf4j-jdk14 nspr-devel nss-devel >= 3.36.1 python3-lxml python3-sphinx
BuildRequires:  velocity xalan-j2 xerces-j2 resteasy-jackson2-provider >= 3.0.17-1
BuildRequires:  jboss-annotations-1.2-api jboss-jaxrs-2.0-api jboss-logging apache-commons-net
BuildRequires:  resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
BuildRequires:  resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
BuildRequires:  python3 python3-devel python3-cryptography python3-ldap python3-libselinux
BuildRequires:  python3-nss python3-requests >= 2.6.0 python3-six python3-libselinux
BuildRequires:  python3-policycoreutils python3-ldap policycoreutils-python-utils
BuildRequires:  python3 python3-devel python3-cryptography python3-lxml python3-six
BuildRequires:  python3-nss python3-requests >= 2.6.0 systemd-units tomcat >= 1:9.0.7
BuildRequires:  junit jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 tomcatjss >= 7.4.1
BuildRequires:  apr-devel apr-util-devel cyrus-sasl-devel httpd-devel >= 2.4.2 pcre-devel
BuildRequires:  systemd zlib zlib-devel nss-tools openssl golang

%description
Dogtag PKI is an enterprise software system designed to manage enterprise Public Key Infrastructure
deployments.

%bcond_with console

%package -n     pki-symkey
Summary:        The PKI Symmetric Key Package
Requires:       java-latest-openjdk-headless jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0
Requires:       nss >= 3.38.0
Conflicts:      pki-symkey < %{version} pki-javadoc < %{version}
Conflicts:      pki-server-theme < %{version} pki-console-theme < %{version}

%description -n pki-symkey
The PKI Symmetric Key Java Package provides various native symmetric key
operations to Java programs.

%package -n     pki-base
Summary:        The PKI Base Package
BuildArch:      noarch
Requires:       nss >= 3.36.1 python3-pki = %{version}
Requires(post): python3-pki = %{version}
Conflicts:      pki-symkey < %{version} pki-javadoc < %{version}
Conflicts:      pki-server-theme < %{version} pki-console-theme < %{version}

%description -n pki-base
The PKI Base software Package contains public and client libraries and
utilities written in Python.

%package -n     python3-pki
Summary:        The PKI Python 3 Package
BuildArch:      noarch
Obsoletes:      pki-base-python3 < %{version}
Provides:       pki-base-python3 = %{version}
%{?python_provide:%python_provide python3-pki}
Requires:       pki-base = %{version} python3-cryptography python3-lxml
Requires:       python3-requests >= 2.6.0 python3-six python3-nss

%description -n python3-pki
This package contains the PKI client library for Python 3.

%package -n     pki-base-java
Summary:        The PKI Base Java Package
BuildArch:      noarch
Requires:       java-latest-openjdk-headless apache-commons-cli apache-commons-codec
Requires:       apache-commons-io apache-commons-lang apache-commons-logging
Requires:       jakarta-commons-httpclient glassfish-jaxb-api slf4j slf4j-jdk14
Requires:       jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 pki-base = %{version}
Requires:       resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
Requires:       resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
Requires:       resteasy-jackson2-provider >= 3.0.17-1 ldapjdk >= 4.21.0
Requires:       xalan-j2 xerces-j2 xml-commons-apis xml-commons-resolver

%description -n pki-base-java
The PKI Base Java software Package contains public and client libraries and
utilities written in Java.

%package -n     pki-tools
Summary:        The PKI Tools Package
Requires:       openldap-clients nss-tools >= 3.36.1 pki-base-java = %{version}
Requires:       nss-tools openssl

%description -n pki-tools
This package contains PKI executable files that can be used to help make
the Certificate System into a more complete and powerful PKI solution.

%package -n     pki-server
Summary:        The PKI Server Package
BuildArch:      noarch
Requires:       hostname net-tools policycoreutils procps-ng openldap-clients openssl
Requires:       pki-symkey = %{version} pki-tools = %{version} keyutils
Requires:       policycoreutils-python-utils python3-ldap
Requires:       python3-lxml python3-libselinux python3-policycoreutils
Requires:       selinux-policy-targeted >= 3.13.1-159 tomcat >= 1:9.0.7 velocity
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre):  shadow-utils
Requires:       tomcatjss >= 7.4.1
Conflicts:      freeipa-server < 4.7.1

%description -n pki-server
The PKI Server software Package contains the libraries and utilities required
by the PKI Server.

%package -n     pki-ca
Summary:        The PKI CA Package
BuildArch:      noarch
Requires:       pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

%description -n pki-ca
The Certificate Authority (CA) is a required PKI subsystem, responsible for
issuing, renewing, revoking and publishing certificates, and for compiling and
publishing Certificate Revocation Lists (CRLs).
The Certificate Authority can be configured as a self-signed Certificate
Authority, in which case it is the root CA, or it can act as a subordinate CA,
in which case it obtains its own signed certificate from a public CA.

%package -n     pki-kra
Summary:        The PKI KRA Package
BuildArch:      noarch
Requires:       pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

%description -n pki-kra
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as
an important archive facility. When used with the Certificate Authority (CA),
the KRA stores the private encryption key as part of the certificate
registration process. The key archive mechanism is triggered when a user
registers with the PKI and creates a certificate request. Using the Certificate
Request Message Format (CRMF) request format, the request is generated for the
user's private encryption key.

%package -n     pki-ocsp
Summary:        The PKI OCSP Package
BuildArch:      noarch
Requires:       pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

%description -n pki-ocsp
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
subsystem that can serve as an independent OCSP service. The OCSP Manager
performs the tasks of an online certificate verification authority, so that
OCSP-compliant clients can verify certificates in real time. Note that online
certificate verification authorities are often referred to as OCSP responders.

%package -n     pki-tks
Summary:        The PKI TKS Package
BuildArch:      noarch
Requires:       pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

%description -n pki-tks
The Token Key Service (TKS) is an optional PKI subsystem that manages the
master and transport keys used to generate and distribute the keys for hardware
tokens. TKS provides security between tokens and an instance of the Token
Processing System (TPS), where security depends on the relationship between
the master key and the token keys. A TPS communicates with the TKS over SSL
using client authentication.

%package -n     pki-tps
Summary:        The PKI TPS Package
Requires:       pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires:       nss-tools >= 3.36.1 openldap-clients

%description -n pki-tps
The Token Processing System (TPS) is an optional PKI subsystem that acts as a
Registration Authority (RA), authenticating and processing registration
requests, PIN reset requests and format requests from the Enterprise Security
Client (ESC).

%package -n     pki-help
Summary:        Documentation for PKI
BuildArch:      noarch
Provides:       pki-javadoc = %{version}-%{release}
Obsoletes:      pki-javadoc < %{version}-%{release}
Conflicts:      pki-base < %{version} pki-symkey < %{version}
Conflicts:      pki-server-theme < %{version} pki-console-theme < %{version}

%description -n pki-help
Documentation for PKI.

%if %{with console}
%package -n     pki-console
Summary:        The PKI Console Package
BuildArch:      noarch
BuildRequires:  idm-console-framework >= 1.2.0
Requires:       idm-console-framework >= 1.2.0 pki-base-java = %{version}
Requires:       pki-console-theme = %{version}

%description -n pki-console
The PKI console is a Java application used to manage the PKI server.
%endif

%prep
%autosetup -n pki-%{version} -p1 -S git
tar -xf %{SOURCE1}

%build
# Select the application server layout from the installed Tomcat major.minor version
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
if [ $tomcat_version == "9.0" ]; then
    app_server=tomcat-9.0
else
    app_server=tomcat-$tomcat_version
fi

# generate go-md2man
mkdir -p /home/abuild/rpmbuild/bin/
cd go-md2man-*
go build -mod=vendor -o /home/abuild/rpmbuild/bin/
cd -

mkdir -p build
cd build
%cmake \
    --no-warn-unused-cli -DVERSION=%{version}-%{release} \
    -DVAR_INSTALL_DIR:PATH=/var -DJAVA_HOME=%{java_home} \
    -DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
    -DAPP_SERVER=$app_server \
    -DJAXRS_API_JAR=/usr/share/java/jboss-jaxrs-2.0-api.jar \
    -DRESTEASY_LIB=/usr/share/java/resteasy \
    -DNSS_DEFAULT_DB_TYPE=sql -DBUILD_PKI_CORE:BOOL=ON \
    -DWITH_PYTHON2:BOOL=OFF -DWITH_PYTHON3:BOOL=ON \
    -DWITH_PYTHON3_DEFAULT:BOOL=ON -DPYTHON_EXECUTABLE=%{__python3} \
    -DWITH_TEST:BOOL=ON -DWITH_JAVADOC:BOOL=ON \
    -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:OFF} -DTHEME= \
    ..

%install
# Make the go-md2man binary built above available to the install step
export PATH=$PATH:/home/abuild/rpmbuild/bin/
cd build
%make_build \
    VERBOSE=%{?_verbose} CMAKE_NO_VERBOSE=1 \
    DESTDIR=%{buildroot} INSTALL="install -p" \
    --no-print-directory \
    all install

# Link the system-provided JBoss jars into the PKI library directories
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar \
    %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar \
    %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
# Same JAX-RS API jar path that is passed to cmake as JAXRS_API_JAR
ln -sf /usr/share/java/jboss-jaxrs-2.0-api.jar \
    %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar \
    %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar \
    %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar

%pretrans -n pki-base -p <lua>
-- Return true when directory a exists and contains at least one entry
function test(a)
    if posix.stat(a) then
        for f in posix.files(a) do
            if f~=".." and f~="." then
                return true
            end
        end
    end
    return false
end

-- Abort the transaction if any PKI 9 instance configuration is still present
if (test("/etc/sysconfig/pki/ca") or
    test("/etc/sysconfig/pki/kra") or
    test("/etc/sysconfig/pki/ocsp") or
    test("/etc/sysconfig/pki/tks")) then
    msg = "Unable to upgrade to PKI-10. There are PKI 9 instances\n" ..
          "that will no longer work since they require Tomcat 6, and \n" ..
          "Tomcat 6 is no longer available.\n\n" ..
          "Please follow these instructions to migrate the instances to \n" ..
          "PKI 10:\n\n" ..
          "https://github.com/dogtagpki/pki/wiki/Migrating-PKI-9-to-PKI-10"
    error(msg)
end

%pre -n pki-server
# Create the unprivileged pkiuser account and group, preferring uid/gid 17 when free
getent group pkiuser >/dev/null || groupadd -f -g 17 -r pkiuser
if ! getent passwd pkiuser >/dev/null ; then
    if ! getent passwd 17 >/dev/null ; then
        useradd -r -u 17 -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
    else
        useradd -r -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
    fi
fi
exit 0

%post -n pki-base
# First install records the configuration version; an upgrade runs pki-upgrade
if [ $1 -eq 1 ]
then
    echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version
else
    echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
    /sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
    echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
fi

%postun -n pki-base
if [ $1 -eq 0 ]
then
    rm -f %{_sysconfdir}/pki/pki.version
fi

%post -n pki-server
echo "Upgrading PKI server configuration on `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
/sbin/pki-server upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
if [ "$1" == "2" ]
then
    systemctl daemon-reload
fi

%files -n pki-symkey
%doc base/symkey/LICENSE
%{_jnidir}/symkey.jar
%{_libdir}/symkey/

%files -n pki-base
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%doc %{_datadir}/doc/pki-base/html
%dir %{_datadir}/pki
%{_datadir}/pki/VERSION
%{_datadir}/pki/pom.xml
%dir %{_datadir}/pki/etc
%{_datadir}/pki/etc/{logging.properties,pki.conf}
%dir %{_datadir}/pki/lib
%dir %{_datadir}/pki/scripts
%{_datadir}/pki/{scripts/config,upgrade/,key/templates}
%dir %{_sysconfdir}/pki
%config(noreplace) %{_sysconfdir}/pki/pki.conf
%dir %{_localstatedir}/log/pki
%{_sbindir}/pki-upgrade

%files -n pki-base-java
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%{_datadir}/pki/examples/java/
%{_datadir}/pki/lib/
%dir %{_javadir}/pki
%{_javadir}/pki/{pki-cmsutil.jar,pki-nsutil.jar,pki-certsrv.jar}

%files -n python3-pki
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%exclude %{python3_sitelib}/pki/server
%{python3_sitelib}/pki

%files -n pki-tools
%doc base/tools/LICENSE base/tools/doc/README
%{_bindir}/{pki,p7tool,revoker,setpin}
%{_bindir}/{sslget,tkstool,AtoB,AuditVerify}
%{_bindir}/{BtoA,CMCEnroll,CMCRequest}
%{_bindir}/{CMCResponse,CMCRevoke,p12tool}
%{_bindir}/{CMCSharedToken,CRMFPopClient,pistool}
%{_bindir}/DRMTool
%{_bindir}/ExtJoiner
%{_bindir}/{GenExtKeyUsage,GenIssuerAltNameExt}
%{_bindir}/{GenSubjectAltNameExt,HttpClient}
%{_bindir}/{KRATool,OCSPClient,PKCS10Client}
%{_bindir}/{PKCS12Export,PKICertImport}
%{_bindir}/{PrettyPrintCert,PrettyPrintCrl,TokenInfo}
%{_javadir}/pki/pki-tools.jar
%{_datadir}/pki/tools/
%{_datadir}/pki/lib/p11-kit-trust.so

%files -n pki-server
%doc base/common/THIRD_PARTY_LICENSES
%doc base/server/{LICENSE,README}
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat
%{_sbindir}/{pkispawn,pkidestroy,pki-server,pki-server-upgrade,pki-healthcheck}
%{python3_sitelib}/pki/server/
%{python3_sitelib}/pkihealthcheck-*.egg-info/
%config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
%{_datadir}/pki/etc/tomcat.conf
%dir %{_datadir}/pki/deployment
%{_datadir}/pki/deployment/config/
%{_datadir}/pki/scripts/operations
%{_bindir}/{pkidaemon,pki-server-nuxwdog}
%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
%{_javadir}/pki/{pki-cms.jar,pki-cmsbundle.jar}
%{_javadir}/pki/{pki-cmscore.jar,pki-tomcat.jar}
%dir %{_sharedstatedir}/pki
%{_datadir}/pki/{setup/,server/}

%files -n pki-ca
%doc base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/{conf/,emails/,setup/,webapps/}
%dir %{_datadir}/pki/ca/profiles
%{_datadir}/pki/ca/profiles/ca/

%files -n pki-kra
%doc base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/{conf/,setup/,webapps/}

%files -n pki-ocsp
%doc base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/{conf/,setup/,webapps/}

%files -n pki-tks
%doc base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/{conf/,setup/,webapps/}

%files -n pki-tps
%doc base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/{applets/,conf/,setup/,webapps/}
%{_bindir}/tpsclient
%{_libdir}/tps/{libtps.so,libtokendb.so}

%files -n pki-help
%{_javadocdir}/pki/
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*

%if %{with console}
%files -n pki-console
%doc base/console/LICENSE
%{_bindir}/pkiconsole
%{_javadir}/pki/pki-console.jar
%endif

%changelog
* Thu Jun 16 2022 liyanan - 11.0.0-1
- Update to 11.0.0

* Mon Oct 11 2021 wangyue - 10.7.3-4
- remove sslget and revoker -V option

* Fri Sep 24 2021 wutao - 10.7.3-3
- disable pki-console

* Thu Sep 23 2021 wutao - 10.7.3-2
- change link source and delete useless information

* Mon Sep 13 2021 wutao - 10.7.3-1
- Package init