packages/pki-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pki-core/pki-core.spec
wk333 65ef9fa987 Fix CVE-2022-2414
2023-06-28 14:16:41 +08:00

484 lines
19 KiB
RPMSpec
Raw Permalink Blame History

%define package_option() %bcond_with %1
%define _unpackaged_files_terminate_build 0
Name: pki-core
Version: 11.0.0
Release: 5
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: http://www.dogtagpki.org/
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: CVE-2022-2414.patch
BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
BuildRequires: slf4j-jdk14 nspr-devel nss-devel >= 3.36.1 python3-lxml python3-sphinx
BuildRequires: velocity xalan-j2 xerces-j2 resteasy-jackson2-provider >= 3.0.17-1
BuildRequires: jboss-annotations-1.2-api jboss-jaxrs-2.0-api jboss-logging apache-commons-net
BuildRequires: resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
BuildRequires: python3 python3-devel python3-cryptography python3-ldap python3-libselinux
BuildRequires: python3-nss python3-requests >= 2.6.0 python3-six python3-libselinux
BuildRequires: python3-policycoreutils python3-ldap policycoreutils-python-utils
BuildRequires: python3 python3-devel python3-cryptography python3-lxml python3-six
BuildRequires: python3-nss python3-requests >= 2.6.0 systemd-units tomcat >= 1:9.0.7
BuildRequires: junit jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 tomcatjss >= 7.4.1
BuildRequires: apr-devel apr-util-devel cyrus-sasl-devel httpd-devel >= 2.4.2 pcre-devel
BuildRequires: systemd zlib zlib-devel nss-tools openssl golang chrpath
BuildRequires: java-1.8.0-openjdk-headless java-11-openjdk-headless
%description
Dogtag PKI is a designed enterprise software system
manage enterprise Public Key Infrastructure deployments.
%bcond_with console
%package -n pki-symkey
Summary: The PKI Symmetric Key Package
Requires: java-latest-openjdk-headless jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0
Requires: nss >= 3.38.0
Conflicts: pki-symkey < %{version} pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-symkey
The PKI Symmetric Key Java software Package provides various native
symmetric key operations of Java programs.
%package -n pki-base
Summary: The PKI Base Package
BuildArch: noarch
Requires: nss >= 3.36.1 python3-pki = %{version}
Requires(post): python3-pki = %{version}
Conflicts: pki-symkey < %{version} pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-base
The PKI Base software Package contains public and client libraries
and utilities written in Python.
%package -n python3-pki
Summary: The PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
Provides: python3-pki = %{version}
Provides: python-pki = %{version}
Requires: pki-base = %{version} python3-cryptography python3-lxml
Requires: python3-requests >= 2.6.0 python3-six python3-nss
%description -n python3-pki
This package is included in the Python 3 PKI client library .
%package -n pki-base-java
Summary: The PKI Base Java Package
BuildArch: noarch
Requires: java-latest-openjdk-headless apache-commons-cli apache-commons-codec
Requires: apache-commons-io apache-commons-lang apache-commons-logging
Requires: jakarta-commons-httpclient glassfish-jaxb-api slf4j slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 pki-base = %{version}
Requires: resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1 ldapjdk >= 4.21.0
Requires: xalan-j2 xerces-j2 xml-commons-apis xml-commons-resolver
%description -n pki-base-java
The PKI Base Java software Package contains public and client
libraries and utilities written in Java.
%package -n pki-tools
Summary: The PKI Tools Package
Requires: openldap-clients nss-tools >= 3.36.1 pki-base-java = %{version}
Requires: nss-tools openssl
%description -n pki-tools
This package contains PKI executable files that can be used to help make
convert the certificate System into a more complete and powerful PKI solution.
%package -n pki-server
Summary: The PKI Server Package
BuildArch: noarch
Requires: hostname net-tools policycoreutils procps-ng openldap-clients openssl
Requires: pki-symkey = %{version} pki-tools = %{version} keyutils
Requires: policycoreutils-python-utils python3-ldap
Requires: python3-lxml python3-libselinux python3-policycoreutils
Requires: selinux-policy-targeted >= 3.13.1-159 tomcat >= 1:9.0.7 velocity
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 7.4.1
Conflicts: freeipa-server < 4.7.1
%description -n pki-server
The PKI Server software Package contains the libraries and utilities required
by the PKI Server.
%package -n pki-ca
Summary: The PKI CA Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ca
Certificate authority (CA) is a required PKI subsystem, responsible for issuing,
Renew, revoke and publish certificates and compile and
Publish a certificate revocation list (CRLs).
Certificate authority can be configured as a self-signed certificate
Authorization, it is the root CA, can also act as a subordinate CA,
It obtains its own signed certificate from a public CA.
%package -n pki-kra
Summary: The PKI KRA Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-kra
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as
As an important archive facility. When Certificate Authority (CA), KRA stores
the private encryption key as Certificate registration process. The key file
mechanism is triggered When a user registers a PKI and creates a certificate
request. use Certificate Request Message Format (CRMF) request format, the
request is Generated for the user's private encryption key.
%package -n pki-ocsp
Summary: The PKI OCSP Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ocsp
Online Certificate Status Protocol (OCSP) manager is optional PKI
Can serve as a subsystem of independent OCSP services. OCSP manager
Activate to perform the tasks of an online certification authority
OCSP-compliant clients can verify certificates in real time. note
Online certificate verification agencies are often referred to as
OCSP responder.
%package -n pki-tks
Summary: The PKI TKS Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-tks
Token Key Service (TKS) is an optional PKI subsystem for management
Generate and distribute master and transmission keys
The key of the hardware token. TKS provides token-to-token security
An example of a token processing system (TPS), where security depends on
The relationship between the master key and the token key. TPS Communication
Use client authentication to perform TKS processing over SSL.
%package -n pki-tps
Summary: The PKI TPS Package
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: nss-tools >= 3.36.1 openldap-clients
%description -n pki-tps
Token Processing System (TPS) is an optional PKI subsystem, its role is
Identity verification and processing as a registration authority (RA)
Registration request, PIN reset request and format request
Enterprise Security Client (ESC).
%package -n pki-help
Summary: Documentation for KPI
BuildArch: noarch
Provides: pki-javadoc = %{version}-%{release}
Obsoletes: pki-javadoc < %{version}-%{release}
Conflicts: pki-base < %{version} pki-symkey < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-help
Documentation for KPI.
%if %{with console}
%package -n pki-console
Summary: The PKI Console Package
BuildArch: noarch
BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0 pki-base-java = %{version}
Requires: pki-console-theme = %{version}
%description -n pki-console
The PKI console is a Java application used to manage the PKI server.
%endif
%prep
%autosetup -n pki-%{version} -p1 -S git
tar -xf %{SOURCE1}
%build
openjdk_latest_version=`rpm -qi java-latest-openjdk-headless | grep Version | cut -b 15-16`
java_home=/usr/lib/jvm/jre-${openjdk_latest_version}-openjdk
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
if [ $tomcat_version == "9.0" ]; then
app_server=tomcat-9.0
else
app_server=tomcat-$tomcat_version
fi
# generate go-md2man
mkdir -p /home/abuild/rpmbuild/bin/
cd go-md2man-*
go build -mod=vendor -o /home/abuild/rpmbuild/bin/
cd -
mkdir -p build
cd build
%cmake \
--no-warn-unused-cli -DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var -DJAVA_HOME=${java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
-DJAXRS_API_JAR=/usr/share/java/jboss-jaxrs-2.0-api.jar \
-DRESTEASY_LIB=/usr/share/java/resteasy \
-DNSS_DEFAULT_DB_TYPE=sql -DBUILD_PKI_CORE:BOOL=ON \
-DWITH_PYTHON2:BOOL=OFF -DWITH_PYTHON3:BOOL=ON \
-DWITH_PYTHON3_DEFAULT:BOOL=ON -DPYTHON_EXECUTABLE=%{__python3} \
-DWITH_TEST:BOOL=ON -DWITH_JAVADOC:BOOL=ON \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:OFF} -DTHEME= \
..
%install
export PATH=$PATH:/home/abuild/rpmbuild/bin/
cd build
%make_build \
VERBOSE=%{?_verbose} CMAKE_NO_VERBOSE=1 \
DESTDIR=%{buildroot} INSTALL="install -p" \
--no-print-directory \
all install
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar\
%{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar\
%{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar\
%{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar\
%{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
chrpath -d %{buildroot}/%{_bindir}/tpsclient
chrpath -d %{buildroot}/%{_libdir}/tps/libtokendb.so
chrpath -d %{buildroot}/%{_libdir}/tps/libtps.so
mkdir -p %{buildroot}/etc/ld.so.conf.d
echo "%{_libdir}/tps" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%pretrans -n pki-base -p <lua>
function test(a)
if posix.stat(a) then
for f in posix.files(a) do
if f~=".." and f~="." then
return true
end
end
end
return false
end
if (test("/etc/sysconfig/pki/ca") or
test("/etc/sysconfig/pki/kra") or
test("/etc/sysconfig/pki/ocsp") or
test("/etc/sysconfig/pki/tks")) then
msg = "Unable to upgrade to PKI-10. There are PKI 9 instances\n" ..
"that will no longer work since they require Tomcat 6, and \n" ..
"Tomcat 6 is no longer available.\n\n" ..
"Please follow these instructions to migrate the instances to \n" ..
"PKI 10:\n\n" ..
"https://github.com/dogtagpki/pki/wiki/Migrating-PKI-9-to-PKI-10"
error(msg)
end
%pre -n pki-server
getent group pkiuser >/dev/null || groupadd -f -g 17 -r pkiuser
if ! getent passwd pkiuser >/dev/null ; then
if ! getent passwd 17 >/dev/null ; then
useradd -r -u 17 -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
else
useradd -r -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
fi
fi
exit 0
%post -n pki-base
if [ $1 -eq 1 ]
then
echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version
else
echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
/sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
fi
%postun -n pki-base
if [ $1 -eq 0 ]
then
rm -f %{_sysconfdir}/pki/pki.version
fi
%post -n pki-server
echo "Upgrading PKI server configuration on `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
/sbin/pki-server upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
if [ "$1" == "2" ]
then
systemctl daemon-reload
fi
%post -n pki-tps
/sbin/ldconfig
%postun -n pki-tps
/sbin/ldconfig
%files -n pki-symkey
%doc base/symkey/LICENSE
%{_jnidir}/symkey.jar
%{_libdir}/symkey/
%files -n pki-base
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%doc %{_datadir}/doc/pki-base/html
%dir %{_datadir}/pki
%{_datadir}/pki/VERSION
%{_datadir}/pki/pom.xml
%dir %{_datadir}/pki/etc
%{_datadir}/pki/etc/{logging.properties,pki.conf}
%dir %{_datadir}/pki/lib
%dir %{_datadir}/pki/scripts
%{_datadir}/pki/{scripts/config,upgrade/,key/templates}
%dir %{_sysconfdir}/pki
%config(noreplace) %{_sysconfdir}/pki/pki.conf
%dir %{_localstatedir}/log/pki
%{_sbindir}/pki-upgrade
%files -n pki-base-java
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%{_datadir}/pki/examples/java/
%{_datadir}/pki/lib/
%dir %{_javadir}/pki
%{_javadir}/pki/{pki-cmsutil.jar,pki-nsutil.jar,pki-certsrv.jar}
%files -n python3-pki
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%exclude %{python3_sitelib}/pki/server
%{python3_sitelib}/pki
%files -n pki-tools
%doc base/tools/LICENSE base/tools/doc/README
%{_bindir}/{pki,p7tool,revoker,setpin}
%{_bindir}/{sslget,tkstool,AtoB,AuditVerify}
%{_bindir}/{BtoA,CMCEnroll,CMCRequest}
%{_bindir}/{CMCResponse,CMCRevoke,p12tool}
%{_bindir}/{CMCSharedToken,CRMFPopClient,pistool}
%{_bindir}/DRMTool
%{_bindir}/ExtJoiner
%{_bindir}/{GenExtKeyUsage,GenIssuerAltNameExt}
%{_bindir}/{GenSubjectAltNameExt,HttpClient}
%{_bindir}/{KRATool,OCSPClient,PKCS10Client}
%{_bindir}/{PKCS12Export,PKICertImport}
%{_bindir}/{PrettyPrintCert,PrettyPrintCrl,TokenInfo}
%{_javadir}/pki/pki-tools.jar
%{_datadir}/pki/tools/
%{_datadir}/pki/lib/p11-kit-trust.so
%files -n pki-server
%doc base/common/THIRD_PARTY_LICENSES
%doc base/server/{LICENSE,README}
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat
%{_sbindir}/{pkispawn,pkidestroy,pki-server,pki-server-upgrade,pki-healthcheck}
%{python3_sitelib}/pki/server/
%{python3_sitelib}/pkihealthcheck-*.egg-info/
%config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
%{_datadir}/pki/etc/tomcat.conf
%dir %{_datadir}/pki/deployment
%{_datadir}/pki/deployment/config/
%{_datadir}/pki/scripts/operations
%{_bindir}/{pkidaemon,pki-server-nuxwdog}
%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
%{_javadir}/pki/{pki-cms.jar,pki-cmsbundle.jar}
%{_javadir}/pki/{pki-cmscore.jar,pki-tomcat.jar}
%dir %{_sharedstatedir}/pki
%{_datadir}/pki/{setup/,server/}
%files -n pki-ca
%doc base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/{conf/,emails/,setup/,webapps/}
%dir %{_datadir}/pki/ca/profiles
%{_datadir}/pki/ca/profiles/ca/
%files -n pki-kra
%doc base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/{conf/,setup/,webapps/}
%files -n pki-ocsp
%doc base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/{conf/,setup/,webapps/}
%files -n pki-tks
%doc base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/{conf/,setup/,webapps/}
%files -n pki-tps
%doc base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/{applets/,conf/,setup/,webapps/}
%{_bindir}/tpsclient
%{_libdir}/tps/{libtps.so,libtokendb.so}
%config(noreplace) /etc/ld.so.conf.d/*
%files -n pki-help
%{_javadocdir}/pki/
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%if %{with console}
%files -n pki-console
%doc base/console/LICENSE
%{_bindir}/pkiconsole
%{_javadir}/pki/pki-console.jar
%endif
%changelog
* Wed Jun 28 2023 wangkai <13474090681@163.com> - 11.0.0-5
- Fix CVE-2022-2414
* Tue Apr 18 2023 Ge Wang <wang--ge@126.com> - 11.0.0-4
- Fix EBS compile failure caused by lack of openjdk-headless
* Wed Nov 23 2022 wulei <wulei80@h-partners.com> - 11.0.0-3
- Rectify the pki-core compilation failure caused by the openjdk-latest upgrade
* Wed Aug 24 2022 wangkai <wangkai385@h-partners.com> - 11.0.0-2
- Remove rpath and enable debuginfo
* Thu Jun 16 2022 liyanan <liyanan32@h-partners.com> - 11.0.0-1
- Update to 11.0.0
* Mon Oct 11 2021 wangyue <wangyue92@huawei.com> - 10.7.3-4
- remove sslget and revoker -V option
* Fri Sep 24 2021 wutao <wutao61@huawei.com> - 10.7.3-3
- disable pki-console
* Thu Sep 23 2021 wutao <wutao61@huawei.com> - 10.7.3-2
- change link source and delete useless information
* Mon Sep 13 2021 wutao <wutao61@huawei.com> - 10.7.3-1
- Package init
Reference in New Issue View Git Blame Copy Permalink