openeuler-ci-bot
e78b2ddfe8
!38 Fix EulerMaker build failure
From: @wang--ge 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
2023-10-17 07:32:04 +00:00
wang--ge
19d3b9deda fix EulerMaker build failure 2023-10-17 11:32:19 +08:00
openeuler-ci-bot
ee8f14340a
!32 Fix CVE-2022-2414
From: @wk333 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
2023-06-28 07:58:47 +00:00
wk333
c913083ff6 Fix CVE-2022-2414 2023-06-28 11:32:20 +08:00
openeuler-ci-bot
b91392fd40 !17 [sync] PR-16: remove sslget and revoker -V option
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-10-11 11:45:29 +00:00
wang_yue111
2d23dd4b4d remove sslget and revoker -V option
(cherry picked from commit b7e771850e3d944dc4196ce7537028dc95c897dd)
2021-10-11 19:04:47 +08:00
openeuler-ci-bot
275130946a !11 [sync] PR-10: disable pki-console
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-09-24 08:45:01 +00:00
jackie_wu
44c6d5b1d5 disable pki-console
(cherry picked from commit b9d9291a4bb60759fe516eb6b69bba52f383aab7)
2021-09-24 15:34:42 +08:00
openeuler-ci-bot
59f96798d5 !9 [sync] PR-8: change link source
From: @openeuler-sync-bot
Reviewed-by: @small_leek,@small_leek
Signed-off-by: @small_leek
2021-09-24 07:24:21 +00:00
jackie_wu
f5804631b3 change link source
(cherry picked from commit 8b25a59da8622591d4e253e22bd497f48a218455)
2021-09-23 19:13:26 +08:00
4 changed files with 319 additions and 9 deletions

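--- a/CVE-2022-2414.patch
+++ b/CVE-2022-2414.patch
@@ -0,0 +1,144 @@
+From 1fe34b30ed12710f6ea4c2fae4686f36dd4ef705 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Fri, 10 Jun 2022 17:25:07 +0100
+Subject: [PATCH] Disable access to external entities when parsing XML
+Origin: https://github.com/dogtagpki/pki/commit/1fe34b30ed12710f6ea4c2fae4686f36dd4ef705
+This reduces the vulnerability of XML parsers to XXE (XML external
+entity) injection.
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+---
+.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
+.../cmscore/src/com/netscape/cmscore/apps/ServerXml.java | 1 +
+base/test/src/com/netscape/test/TestListener.java | 5 ++++-
+base/util/src/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
+4 files changed, 19 insertions(+), 2 deletions(-)
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index 2090fec357a..6931fa5c5f5 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -24,6 +24,7 @@
+import java.util.Locale;
+import java.util.Vector;
++import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Transformer;
+@@ -640,7 +641,10 @@ public static void main(String args[]) throws Exception {
+XMLObject xmlObject = convertDomainInfoToXMLObject(before);
+Document document = xmlObject.getDocument();
+- Transformer transformer = TransformerFactory.newInstance().newTransformer();
++ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
++ Transformer transformer = transformerFactory.newTransformer();
+transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
+index 59a06ba39ba..2886291af2d 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
+@@ -40,6 +40,7 @@ public static ServerXml load(String filename) throws Exception {
+ServerXml serverXml = new ServerXml();
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+DocumentBuilder builder = factory.newDocumentBuilder();
+Document document = builder.parse(filename);
+diff --git a/base/test/src/com/netscape/test/TestListener.java b/base/test/src/com/netscape/test/TestListener.java
+index 96c4c906892..d55458716fe 100644
+--- a/base/test/src/com/netscape/test/TestListener.java
++++ b/base/test/src/com/netscape/test/TestListener.java
+@@ -10,6 +10,7 @@
+import java.util.Date;
+import java.util.TimeZone;
++import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.transform.OutputKeys;
+@@ -22,7 +23,6 @@
+import org.junit.runner.Result;
+import org.junit.runner.notification.Failure;
+import org.junit.runner.notification.RunListener;
+-
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Text;
+@@ -64,9 +64,12 @@ public TestListener() throws Exception {
+dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
+docBuilderFactory = DocumentBuilderFactory.newInstance();
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+docBuilder = docBuilderFactory.newDocumentBuilder();
+transFactory = TransformerFactory.newInstance();
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+trans = transFactory.newTransformer();
+trans.setOutputProperty(OutputKeys.INDENT, "yes");
+diff --git a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+index a7715ec9908..d8e0f413325 100644
+--- a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
++++ b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+@@ -25,6 +25,7 @@
+import java.io.StringWriter;
+import java.util.Vector;
++import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+@@ -56,6 +57,7 @@ public XMLObject() throws ParserConfigurationException {
+public XMLObject(InputStream s)
+throws SAXException, IOException, ParserConfigurationException {
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+DocumentBuilder docBuilder = factory.newDocumentBuilder();
+mDoc = docBuilder.parse(s);
+}
+@@ -63,6 +65,7 @@ public XMLObject(InputStream s)
+public XMLObject(File f)
+throws SAXException, IOException, ParserConfigurationException {
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+DocumentBuilder docBuilder = factory.newDocumentBuilder();
+mDoc = docBuilder.parse(f);
+}
+@@ -159,6 +162,8 @@ public Vector<String> getValuesFromContainer(Node container, String tagname) {
+public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+Transformer aTransformer = tranFactory.newTransformer();
+Source src = new DOMSource(mDoc);
+Result dest = new StreamResult(bos);
+@@ -169,6 +174,8 @@ public byte[] toByteArray() throws TransformerConfigurationException, Transforme
+public void output(OutputStream os)
+throws TransformerConfigurationException, TransformerException {
+TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+Transformer aTransformer = tranFactory.newTransformer();
+Source src = new DOMSource(mDoc);
+Result dest = new StreamResult(os);
+@@ -177,6 +184,8 @@ public void output(OutputStream os)
+public String toXMLString() throws TransformerConfigurationException, TransformerException {
+TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+Transformer transformer = tranFactory.newTransformer();
+Source src = new DOMSource(mDoc);
+StreamResult dest = new StreamResult(new StringWriter());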
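Review bot: The DocumentBuilderFactory hardening in ServerXml.load, the TestListener constructor and the two XMLObject constructors rests entirely on the Xerces-specific `http://apache.org/xml/features/disallow-doctype-decl` feature, whereas the TransformerFactory side of the same patch uses the implementation-neutral XMLConstants attributes. On a JAXP implementation that does not recognise the feature, setFeature throws ParserConfigurationException, which fails closed but also stops all parsing; pairing it with `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` cuts off external entity resolution regardless of which parser is bound. Rejecting the DOCTYPE is also a visible behaviour change for any input that carries a legitimate declaration, so each setFeature call deserves a why-comment such as `// reject any DOCTYPE so neither internal nor external entities can be declared (CVE-2022-2414)`. The no-argument XMLObject constructor named in the hunk header at old line 56 is not shown, so whether it builds a parser that needs the same treatment cannot be judged from this patch.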


@ -4,13 +4,17 @@
Name: pki-core
Version: 10.7.3
Release: 1
Release: 6
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: http://www.dogtagpki.org/
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch1: 0001-Fix-URL-redirection-for-KRA-and-OCSP-web-UI-241.patch
Patch2: remove-sslget-V-option.patch
Patch3: remove-revoker-V-option.patch
Patch4: CVE-2022-2414.patch
BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-1.8.0-openjdk-devel
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
@ -31,6 +35,8 @@ BuildRequires: systemd zlib zlib-devel nss-tools openssl golang
Dogtag PKI is a designed enterprise software system
manage enterprise Public Key Infrastructure deployments.
%bcond_with console
%package -n pki-symkey
Summary: The PKI Symmetric Key Package
Requires: java-1.8.0-openjdk-headless jpackage-utils >= 0:1.7.5-10 jss >= 4.6.0
@ -57,7 +63,8 @@ Summary: The PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}
%{?python_provide:%python_provide python3-pki}
Provides: python3-pki = %{version}
Provides: python-pki = %{version}
Requires: pki-base = %{version} python3-cryptography python3-lxml
Requires: python3-requests >= 2.6.0 python3-six python3-nss
%description -n python3-pki
@ -187,6 +194,7 @@ Conflicts: pki-server-theme < %{version} pki-console-theme < %{version
%description -n pki-help
Documentation for KPI.
%if %{with console}
%package -n pki-console
Summary: The PKI Console Package
BuildArch: noarch
@ -195,6 +203,7 @@ Requires: idm-console-framework >= 1.2.0 pki-base-java = %{version}
Requires: pki-console-theme = %{version}
%description -n pki-console
The PKI console is a Java application used to manage the PKI server.
%endif
%prep
%autosetup -n pki-%{version} -p1 -S git
@ -208,9 +217,9 @@ else
app_server=tomcat-$tomcat_version
fi
# generate go-md2man
mkdir -p /home/abuild/rpmbuild/bin/
mkdir -p ~/rpmbuild/bin/
cd go-md2man-*
go build -mod=vendor -o /home/abuild/rpmbuild/bin/
go build -mod=vendor -o ~/rpmbuild/bin/
cd -
mkdir -p build
cd build
@ -226,11 +235,11 @@ cd build
-DWITH_PYTHON2:BOOL=OFF -DWITH_PYTHON3:BOOL=ON \
-DWITH_PYTHON3_DEFAULT:BOOL=ON -DPYTHON_EXECUTABLE=%{__python3} \
-DWITH_TEST:BOOL=ON -DWITH_JAVADOC:BOOL=ON \
-DBUILD_PKI_CONSOLE:BOOL=ON -DTHEME= \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:OFF} -DTHEME= \
..
%install
export PATH=$PATH:/home/abuild/rpmbuild/bin/
export PATH=$PATH:~/rpmbuild/bin/
cd build
%make_build \
VERBOSE=%{?_verbose} CMAKE_NO_VERBOSE=1 \
@ -262,12 +271,12 @@ if (test("/etc/sysconfig/pki/ca") or
test("/etc/sysconfig/pki/kra") or
test("/etc/sysconfig/pki/ocsp") or
test("/etc/sysconfig/pki/tks")) then
msg = "Unable to upgrade to Fedora 20. There are PKI 9 instances\n" ..
msg = "Unable to upgrade to PKI-10. There are PKI 9 instances\n" ..
"that will no longer work since they require Tomcat 6, and \n" ..
"Tomcat 6 is no longer available in Fedora 20.\n\n" ..
"Tomcat 6 is no longer available.\n\n" ..
"Please follow these instructions to migrate the instances to \n" ..
"PKI 10:\n\n" ..
"http://www.dogtagpki.org/wiki/Migrating_PKI_9_Instances_to_PKI_10"
"https://github.com/dogtagpki/pki/wiki/Migrating-PKI-9-to-PKI-10"
error(msg)
end
@ -423,11 +432,28 @@ fi
%{_mandir}/man5/*
%{_mandir}/man8/*
%if %{with console}
%files -n pki-console
%doc base/console/LICENSE
%{_bindir}/pkiconsole
%{_javadir}/pki/pki-console.jar
%endif
%changelog
* Tue Oct 17 2023 Ge Wang <wang__ge@126.com> - 10.7.3-6
- Fix EulerMaker build failure caused by build root difference
* Wed Jun 28 2023 wangkai <13474090681@163.com> - 10.7.3-5
- Fix CVE-2022-2414
* Mon Oct 11 2021 wangyue <wangyue92@huawei.com> - 10.7.3-4
- remove sslget and revoker -V option
* Fri Sep 24 2021 wutao <wutao61@huawei.com> - 10.7.3-3
- disable pki-console
* Thu Sep 23 2021 wutao <wutao61@huawei.com> - 10.7.3-2
- change link source and delete useless information
* Mon Sep 13 2021 wutao <wutao61@huawei.com> - 10.7.3-1
- Package init
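Review bot: The cmake flag `-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:OFF}` in the %build hunk is inverted with respect to the `%bcond_with console` the same commit introduces: `%{?with_console:OFF}` expands to `OFF` precisely when the package is built with `--with console`, and to an empty string otherwise, which CMake also evaluates as false. The console therefore can never be built, and with the conditional enabled the `%if %{with console}` blocks around `%package -n pki-console` and `%files -n pki-console` would presumably fail on a jar that cmake never produced. Writing both branches out, `-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \`, makes the flag follow the bcond. The default, console-disabled build matches the changelog entry, so only the opt-in path is affected.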


@ -0,0 +1,78 @@
From d39e6a872df75ca34d6960f0f1294f84e1290ea4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 11 Oct 2021 15:42:09 +0800
Subject: [PATCH] 2
---
base/native-tools/src/revoker/revoker.c | 39 ++++++++++---------------
1 file changed, 15 insertions(+), 24 deletions(-)
diff --git a/base/native-tools/src/revoker/revoker.c b/base/native-tools/src/revoker/revoker.c
index b7ff4ea..89ad2ad 100644
--- a/base/native-tools/src/revoker/revoker.c
+++ b/base/native-tools/src/revoker/revoker.c
@@ -94,8 +94,6 @@ int getopt(int ac, char * const av[], const char * opts);
#endif /* XP_PC */
/*end secopt.h*/
-#define VERSIONSTRING "$Revision$ ($Date$)"
-
#ifndef PORT_Sprintf
#define PORT_Sprintf sprintf
#endif
@@ -137,21 +135,20 @@ static void
Usage(const char *progName)
{
fprintf(stderr,
- "Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n"
- " [-v] [-V] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n"
- " serialNum: List of serial numbers to revoke, in hex, e.g. '0x31' or '0x44,0x643,0x22'\n"
- " reasoncode: integer from 0 to 6, as follows\n"
- " 0 = Unspecified (default)\n"
- " 1 = Key compromised\n"
- " 2 = CA key compromised\n"
- " 3 = Affiliation changed\n"
- " 4 = Certificate superseded\n"
- " 5 = Cessation of operation\n"
- " 6 = Certificate is on hold\n"
- " -u : unrevoke (take off hold)\n"
- " -v : verbose\n"
- " -V : report version information\n",
- progName);
+ "Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n"
+ " [-v] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n"
+ " serialNum: List of serial numbers to revoke, in hex, e.g. '0x31' or '0x44,0x643,0x22'\n"
+ " reasoncode: integer from 0 to 6, as follows\n"
+ " 0 = Unspecified (default)\n"
+ " 1 = Key compromised\n"
+ " 2 = CA key compromised\n"
+ " 3 = Affiliation changed\n"
+ " 4 = Certificate superseded\n"
+ " 5 = Cessation of operation\n"
+ " 6 = Certificate is on hold\n"
+ " -u : unrevoke (take off hold)\n"
+ " -v : verbose\n",
+ progName);
exit(1);
}
@@ -745,15 +742,9 @@ main(int argc, char **argv)
progName = progName ? progName + 1 : tmp;
- while ((optchar = getopt(argc, argv, "Vd:n:p:s:r:i:w:uv")) != -1) {
+ while ((optchar = getopt(argc, argv, "d:n:p:s:r:i:w:uv")) != -1) {
switch(optchar) {
-/* Version */
- case 'V':
- printf("%s\n",VERSIONSTRING);
- PR_Cleanup();
- return 0;
-
/* Directory which holds NSS database */
case 'd':
dir = optarg;
--
2.23.0
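Review bot: The header of the revoker patch gives no rationale — Subject `[PATCH] 2`, author `rpm-build <rpm-build>` — unlike the sibling sslget patch, which records the upstream author and explains that `$Revision$`/`$Date$` no longer expand. Since this file ships as a distribution patch, its header should state why the option is removed and whether it mirrors an upstream change, for example `Subject: [PATCH] Remove revoker -V option` followed by the same two-sentence explanation the sslget patch carries. The code change itself is consistent: the `V` letter leaves the getopt string, the `case 'V'` branch and the `VERSIONSTRING` define are dropped, and the usage text no longer advertises the flag.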


@ -0,0 +1,62 @@
From bf0fc39a800136fc25c4dca488c6058178bd74ab Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 18 Feb 2020 15:59:12 -0500
Subject: [PATCH] Remove sslget -V option
Since we haven't used SVN in a while, $Revision$ and $Date$
no longer update. Remove the -V option instead of passing in
a valid version number.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
base/native-tools/src/sslget/sslget.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c
index 4f3ebc4500..f115b21347 100644
--- a/base/native-tools/src/sslget/sslget.c
+++ b/base/native-tools/src/sslget/sslget.c
@@ -96,8 +96,6 @@ int getopt(int ac, char * const av[], const char * opts);
#endif /* XP_PC */
/*end secopt.h*/
-#define VERSIONSTRING "$Revision$ ($Date$)"
-
#ifndef PORT_Sprintf
#define PORT_Sprintf sprintf
#endif
@@ -140,12 +138,11 @@ static void
Usage(const char *progName)
{
fprintf(stderr,
- "Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n"
- " [-e post] [-v] [-V] -r url hostname[:port]\n"
- " -n : nickname or hsm:nickname\n"
- " -v : verbose\n"
- " -V : report version information\n",
- progName);
+ "Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n"
+ " [-e post] [-v] -r url hostname[:port]\n"
+ " -n : nickname or hsm:nickname\n"
+ " -v : verbose\n",
+ progName);
exit(1);
}
@@ -823,15 +820,9 @@ main(int argc, char **argv)
progName = progName ? progName + 1 : tmp;
- while ((optchar = getopt(argc, argv, "Vd:e:n:p:r:w:v")) != -1) {
+ while ((optchar = getopt(argc, argv, "d:e:n:p:r:w:v")) != -1) {
switch(optchar) {
-/* Version */
- case 'V':
- printf("%s\n",VERSIONSTRING);
- PR_Cleanup();
- return 0;
-
/* Directory which holds NSS database */
case 'd':
dir = optarg;