%undefine __cmake_in_source_build
%define package_option() %bcond_with %1
%define _unpackaged_files_terminate_build 0
Name: pki-core
Version: 11.0.0
Release: 9
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: https://www.dogtagpki.org/
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0001: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
Patch3000: backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
BuildRequires: make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
BuildRequires: slf4j-jdk14 nspr-devel nss-devel >= 3.36.1 python3-lxml python3-sphinx
BuildRequires: velocity xalan-j2 xerces-j2 resteasy-jackson2-provider >= 3.0.17-1
BuildRequires: jboss-annotations-1.2-api jboss-jaxrs-2.0-api jboss-logging apache-commons-net
BuildRequires: resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
BuildRequires: python3 python3-devel python3-cryptography python3-ldap python3-libselinux
BuildRequires: python3-nss python3-requests >= 2.6.0 python3-six python3-libselinux
BuildRequires: python3-policycoreutils python3-ldap policycoreutils-python-utils
BuildRequires: python3 python3-devel python3-cryptography python3-lxml python3-six
BuildRequires: python3-nss python3-requests >= 2.6.0 systemd-units tomcat >= 1:9.0.7
BuildRequires: junit jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 tomcatjss >= 7.4.1
BuildRequires: apr-devel apr-util-devel cyrus-sasl-devel httpd-devel >= 2.4.2 pcre-devel
BuildRequires: systemd zlib zlib-devel nss-tools openssl golang chrpath
%description
Dogtag PKI is an enterprise software system designed to
manage enterprise Public Key Infrastructure deployments.
%bcond_with console
%package -n pki-symkey
Summary: The PKI Symmetric Key Package
Requires: java-latest-openjdk-headless jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0
Requires: nss >= 3.38.0
Conflicts: pki-symkey < %{version} pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-symkey
The PKI Symmetric Key Java Package provides various native
symmetric key operations to Java programs.
%package -n pki-base
Summary: The PKI Base Package
BuildArch: noarch
Requires: nss >= 3.36.1 python3-pki = %{version}
Requires(post): python3-pki = %{version}
Conflicts: pki-symkey < %{version} pki-javadoc < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-base
The PKI Base software Package contains public and client libraries
and utilities written in Python.
%package -n python3-pki
Summary: The PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
Provides: python3-pki = %{version}
Provides: python-pki = %{version}
Requires: pki-base = %{version} python3-cryptography python3-lxml
Requires: python3-requests >= 2.6.0 python3-six python3-nss
%description -n python3-pki
This package contains the Python 3 PKI client library.
%package -n pki-base-java
Summary: The PKI Base Java Package
BuildArch: noarch
Requires: java-latest-openjdk-headless apache-commons-cli apache-commons-codec
Requires: apache-commons-io apache-commons-lang apache-commons-logging
Requires: jakarta-commons-httpclient glassfish-jaxb-api slf4j slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0 pki-base = %{version}
Requires: resteasy-atom-provider >= 3.0.17-1 resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1 resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1 ldapjdk >= 4.21.0
Requires: xalan-j2 xerces-j2 xml-commons-apis xml-commons-resolver
%description -n pki-base-java
The PKI Base Java software Package contains public and client
libraries and utilities written in Java.
%package -n pki-tools
Summary: The PKI Tools Package
Requires: openldap-clients nss-tools >= 3.36.1 pki-base-java = %{version}
Requires: nss-tools openssl
%description -n pki-tools
This package contains PKI executables that can be used to help make
the Certificate System into a more complete and powerful PKI solution.
%package -n pki-server
Summary: The PKI Server Package
BuildArch: noarch
Requires: hostname net-tools policycoreutils procps-ng openldap-clients openssl
Requires: pki-symkey = %{version} pki-tools = %{version} keyutils
Requires: policycoreutils-python-utils python3-ldap
Requires: python3-lxml python3-libselinux python3-policycoreutils
Requires: selinux-policy-targeted >= 3.13.1-159 tomcat >= 1:9.0.7 velocity
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 7.4.1
Conflicts: freeipa-server < 4.7.1
%description -n pki-server
The PKI Server software Package contains the libraries and utilities required
by the PKI Server.
%package -n pki-ca
Summary: The PKI CA Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ca
The Certificate Authority (CA) is a required PKI subsystem responsible for
issuing, renewing, revoking, and publishing certificates, and for compiling
and publishing Certificate Revocation Lists (CRLs).
The Certificate Authority can be configured as a self-signing Certificate
Authority, in which case it is the root CA, or it can act as a subordinate CA,
in which case it obtains its own signing certificate from a public CA.
%package -n pki-kra
Summary: The PKI KRA Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-kra
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as
an important archive facility. When used with the Certificate Authority (CA),
the KRA stores private encryption keys as part of the certificate registration
process. The key archival mechanism is triggered when a user registers with the
PKI and creates a certificate request. Using the Certificate Request Message
Format (CRMF) request format, a request is generated for the user's private
encryption key.
%package -n pki-ocsp
Summary: The PKI OCSP Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-ocsp
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
subsystem that can serve as an independent OCSP service. The OCSP Manager
performs the tasks of an online certificate verification authority by enabling
OCSP-compliant clients to verify certificates in real time. Note that an
online certificate verification authority is often referred to as an
OCSP responder.
%package -n pki-tks
Summary: The PKI TKS Package
BuildArch: noarch
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
%description -n pki-tks
The Token Key Service (TKS) is an optional PKI subsystem that manages the
master and transport keys used to generate and distribute keys for
hardware tokens. TKS provides security between tokens and an instance of
the Token Processing System (TPS), where security depends on the
relationship between the master key and the token keys. The TPS communicates
with the TKS over SSL using client authentication.
%package -n pki-tps
Summary: The PKI TPS Package
Requires: pki-server = %{version}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: nss-tools >= 3.36.1 openldap-clients
%description -n pki-tps
The Token Processing System (TPS) is an optional PKI subsystem that acts as a
Registration Authority (RA), authenticating and processing registration
requests, PIN reset requests, and format requests from the
Enterprise Security Client (ESC).
%package -n pki-help
Summary: Documentation for PKI
BuildArch: noarch
Provides: pki-javadoc = %{version}-%{release}
Obsoletes: pki-javadoc < %{version}-%{release}
Conflicts: pki-base < %{version} pki-symkey < %{version}
Conflicts: pki-server-theme < %{version} pki-console-theme < %{version}
%description -n pki-help
Documentation for PKI.
%if %{with console}
%package -n pki-console
Summary: The PKI Console Package
BuildArch: noarch
BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0 pki-base-java = %{version}
Requires: pki-console-theme = %{version}
%description -n pki-console
The PKI console is a Java application used to manage the PKI server.
%endif
%prep
%autosetup -n pki-%{version} -p1 -S git
tar -xf %{SOURCE1}
%build
openjdk_latest_version=`rpm -qi java-latest-openjdk-headless | grep Version | cut -b 15-16`
java_home=/usr/lib/jvm/jre-${openjdk_latest_version}-openjdk
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
if [ "$tomcat_version" = "9.0" ]; then
    app_server=tomcat-9.0
else
    app_server=tomcat-$tomcat_version
fi
# generate go-md2man
mkdir -p ${HOME}/rpmbuild/bin/
cd go-md2man-*
go build -mod=vendor -o ${HOME}/rpmbuild/bin/
cd -
export PATH=$PATH:${HOME}/rpmbuild/bin/
%cmake \
--no-warn-unused-cli -DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var -DJAVA_HOME=${java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
-DJAXRS_API_JAR=/usr/share/java/jboss-jaxrs-2.0-api.jar \
-DRESTEASY_LIB=/usr/share/java/resteasy \
-DNSS_DEFAULT_DB_TYPE=sql -DBUILD_PKI_CORE:BOOL=ON \
-DWITH_PYTHON2:BOOL=OFF -DWITH_PYTHON3:BOOL=ON \
-DWITH_PYTHON3_DEFAULT:BOOL=ON -DPYTHON_EXECUTABLE=%{__python3} \
-DWITH_TEST:BOOL=ON -DWITH_JAVADOC:BOOL=ON \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} -DTHEME=
%cmake_build
%install
export PATH=$PATH:${HOME}/rpmbuild/bin/
%cmake_install
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar \
    %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar \
    %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
# The jaxrs_api_jar macro is not defined in this spec; use the same path passed to cmake as JAXRS_API_JAR.
ln -sf /usr/share/java/jboss-jaxrs-2.0-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar \
    %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar \
    %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
chrpath -d %{buildroot}/%{_bindir}/tpsclient
chrpath -d %{buildroot}/%{_libdir}/tps/libtokendb.so
chrpath -d %{buildroot}/%{_libdir}/tps/libtps.so
mkdir -p %{buildroot}/etc/ld.so.conf.d
echo "%{_libdir}/tps" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%pretrans -n pki-base -p <lua>
function test(a)
    if posix.stat(a) then
        for f in posix.files(a) do
            if f~=".." and f~="." then
                return true
            end
        end
    end
    return false
end
if (test("/etc/sysconfig/pki/ca") or
    test("/etc/sysconfig/pki/kra") or
    test("/etc/sysconfig/pki/ocsp") or
    test("/etc/sysconfig/pki/tks")) then
    msg = "Unable to upgrade to PKI-10. There are PKI 9 instances\n" ..
          "that will no longer work since they require Tomcat 6, and \n" ..
          "Tomcat 6 is no longer available.\n\n" ..
          "Please follow these instructions to migrate the instances to \n" ..
          "PKI 10:\n\n" ..
          "https://github.com/dogtagpki/pki/wiki/Migrating-PKI-9-to-PKI-10"
    error(msg)
end
%pre -n pki-server
getent group pkiuser >/dev/null || groupadd -f -g 17 -r pkiuser
if ! getent passwd pkiuser >/dev/null ; then
    if ! getent passwd 17 >/dev/null ; then
        useradd -r -u 17 -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
    else
        useradd -r -g pkiuser -d /usr/share/pki -s /sbin/nologin -c "Certificate System" pkiuser
    fi
fi
exit 0
%post -n pki-base
if [ $1 -eq 1 ]
then
    echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version
else
    echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
    /sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
    echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1
fi
%postun -n pki-base
if [ $1 -eq 0 ]
then
    rm -f %{_sysconfdir}/pki/pki.version
fi
%post -n pki-server
echo "Upgrading PKI server configuration on `/bin/date`." >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
/sbin/pki-server upgrade --silent >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
if [ "$1" == "2" ]
then
    systemctl daemon-reload
fi
%post -n pki-tps
/sbin/ldconfig
%postun -n pki-tps
/sbin/ldconfig
%files -n pki-symkey
%doc base/symkey/LICENSE
%{_jnidir}/symkey.jar
%{_libdir}/symkey/
%files -n pki-base
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%doc %{_datadir}/doc/pki-base/html
%dir %{_datadir}/pki
%{_datadir}/pki/VERSION
%{_datadir}/pki/pom.xml
%dir %{_datadir}/pki/etc
%{_datadir}/pki/etc/{logging.properties,pki.conf}
%dir %{_datadir}/pki/lib
%dir %{_datadir}/pki/scripts
%{_datadir}/pki/{scripts/config,upgrade/,key/templates}
%dir %{_sysconfdir}/pki
%config(noreplace) %{_sysconfdir}/pki/pki.conf
%dir %{_localstatedir}/log/pki
%{_sbindir}/pki-upgrade
%files -n pki-base-java
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%{_datadir}/pki/examples/java/
%{_datadir}/pki/lib/
%dir %{_javadir}/pki
%{_javadir}/pki/{pki-cmsutil.jar,pki-nsutil.jar,pki-certsrv.jar}
%files -n python3-pki
%doc base/common/LICENSE
%doc base/common/LICENSE.LESSER
%exclude %{python3_sitelib}/pki/server
%{python3_sitelib}/pki
%files -n pki-tools
%doc base/tools/LICENSE base/tools/doc/README
%{_bindir}/{pki,p7tool,revoker,setpin}
%{_bindir}/{sslget,tkstool,AtoB,AuditVerify}
%{_bindir}/{BtoA,CMCEnroll,CMCRequest}
%{_bindir}/{CMCResponse,CMCRevoke,p12tool}
%{_bindir}/{CMCSharedToken,CRMFPopClient,pistool}
%{_bindir}/DRMTool
%{_bindir}/ExtJoiner
%{_bindir}/{GenExtKeyUsage,GenIssuerAltNameExt}
%{_bindir}/{GenSubjectAltNameExt,HttpClient}
%{_bindir}/{KRATool,OCSPClient,PKCS10Client}
%{_bindir}/{PKCS12Export,PKICertImport}
%{_bindir}/{PrettyPrintCert,PrettyPrintCrl,TokenInfo}
%{_javadir}/pki/pki-tools.jar
%{_datadir}/pki/tools/
%{_datadir}/pki/lib/p11-kit-trust.so
%files -n pki-server
%doc base/common/THIRD_PARTY_LICENSES
%doc base/server/{LICENSE,README}
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki
%attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat
%{_sbindir}/{pkispawn,pkidestroy,pki-server,pki-server-upgrade,pki-healthcheck}
%{python3_sitelib}/pki/server/
%{python3_sitelib}/pkihealthcheck-*.egg-info/
%config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
%{_datadir}/pki/etc/tomcat.conf
%dir %{_datadir}/pki/deployment
%{_datadir}/pki/deployment/config/
%{_datadir}/pki/scripts/operations
%{_bindir}/{pkidaemon,pki-server-nuxwdog}
%dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
%{_javadir}/pki/{pki-cms.jar,pki-cmsbundle.jar}
%{_javadir}/pki/{pki-cmscore.jar,pki-tomcat.jar}
%dir %{_sharedstatedir}/pki
%{_datadir}/pki/{setup/,server/}
%files -n pki-ca
%doc base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/{conf/,emails/,setup/,webapps/}
%dir %{_datadir}/pki/ca/profiles
%{_datadir}/pki/ca/profiles/ca/
%files -n pki-kra
%doc base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/{conf/,setup/,webapps/}
%files -n pki-ocsp
%doc base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/{conf/,setup/,webapps/}
%files -n pki-tks
%doc base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/{conf/,setup/,webapps/}
%files -n pki-tps
%doc base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/{applets/,conf/,setup/,webapps/}
%{_bindir}/tpsclient
%{_libdir}/tps/{libtps.so,libtokendb.so}
%config(noreplace) /etc/ld.so.conf.d/*
%files -n pki-help
%{_javadocdir}/pki/
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%if %{with console}
%files -n pki-console
%doc base/console/LICENSE
%{_bindir}/pkiconsole
%{_javadir}/pki/pki-console.jar
%endif
%changelog
* Thu Nov 14 2024 Funda Wang <[email protected]> - 11.0.0-9
- adapt to new cmake macro
- force out-of-source build
* Sun Oct 13 2024 liningjie <[email protected]> - 11.0.0-8
- Fix CVE-2023-4727
* Thu Apr 11 2024 liyanan <[email protected]> - 11.0.0-7
- Replace unrecognized macros
* Tue Sep 19 2023 Jia Chao <[email protected]> - 11.0.0-6
- Fix: use ${HOME} replace hard code '/home/abuild'.
* Thu Dec 01 2022 xu_ping <[email protected]> - 11.0.0-5
- remove unused buildrequires git packages
* Wed Nov 23 2022 wulei <[email protected]> - 11.0.0-4
- Rectify the pki-core compilation failure caused by the openjdk-latest upgrade
* Wed Aug 24 2022 wangkai <[email protected]> - 11.0.0-3
- Remove rpath and enable debuginfo
* Fri Jul 15 2022 yinyongkang <[email protected]> - 11.0.0-2
- Type:CVE
- ID:CVE-2022-2414
- SUG:NA
- DESC:Fix CVE-2022-2414
* Thu Jun 16 2022 liyanan <[email protected]> - 11.0.0-1
- Update to 11.0.0
* Mon Oct 11 2021 wangyue <[email protected]> - 10.7.3-4
- remove sslget and revoker -V option
* Fri Sep 24 2021 wutao <[email protected]> - 10.7.3-3
- disable pki-console
* Thu Sep 23 2021 wutao <[email protected]> - 10.7.3-2
- change link source and delete useless information
* Mon Sep 13 2021 wutao <[email protected]> - 10.7.3-1
- Package init