
Fix CMake PKI_CMSBUNDLE_JAR variable type #12

Merged (1 commit), Jan 25, 2019

Conversation

stanislavlevin (Contributor) commented Jan 9, 2018

Currently the PKI_CMSBUNDLE_JAR variable is defined as NORMAL, but with TYPE INTERNAL.
Therefore, in my case, it equals '/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-cmsbundle.jarINTERNALpki-cmsbundle jar file'

There are messages like below while building:

cd /usr/src/RPM/BUILD/pki-core-10.5.3/base/server/test && /usr/lib/jvm/java/bin/javac -encoding UTF-8 -cp :/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-nsutil.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-cmsutil.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-certsrv.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-cms.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/pki-cmscore.jar:PKI_CMSBUNDLE_JAR-NOTFOUND:/usr/share/java/ldapjdk.jar:/usr/share/java/servlet.jar:/usr/share/java/velocity.jar:/usr/share/java/xalan-j2.jar:/usr/share/java/xerces-j2.jar:/usr/lib/java/jss4.jar:/usr/share/java/commons-codec.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/dist/symkey.jar:/usr/share/java/hamcrest/core.jar:/usr/share/java/junit.jar:/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/test/classes -d /usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/test/classes @/usr/src/RPM/BUILD/pki-core-10.5.3/BUILD/base/server/test/pki-server-test-classes.files

CMake version:

cmake --version
cmake version 3.9.2

I guess there is a typo and the variable should be of CACHE INTERNAL type.

Only a CACHE variable can have the INTERNAL type.
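The following CMakeLists.txt is an added example, not code from the dogtagpki repository: it reproduces the set() mistake described in the report (INTERNAL without CACHE), shows how the concatenated value quoted above arises, and places the corrected form beside it together with a configure-time check. Variable names other than PKI_CMSBUNDLE_JAR and the DIST_DIR path are assumptions for the demo.

```cmake
# Added example, not part of the dogtagpki sources: reproduces the set()
# mistake reported above and shows the corrected form.
cmake_minimum_required(VERSION 3.9)
project(pki_var_demo NONE)

set(DIST_DIR "${CMAKE_BINARY_DIR}/dist")

# Buggy form: without the CACHE keyword, set() defines a normal variable
# and treats INTERNAL and the docstring as extra values, so the variable
# becomes the list ".../pki-cmsbundle.jar;INTERNAL;pki-cmsbundle jar file".
set(PKI_CMSBUNDLE_JAR_BAD
    ${DIST_DIR}/pki-cmsbundle.jar
    INTERNAL "pki-cmsbundle jar file")

# An unquoted expansion splits the list into separate arguments, and
# message() concatenates its arguments, which is how the value quoted in
# the report ("...jarINTERNALpki-cmsbundle jar file") appears.
message(STATUS ${PKI_CMSBUNDLE_JAR_BAD})
# Quoting keeps the semicolons, which makes the list structure visible.
message(STATUS "quoted: ${PKI_CMSBUNDLE_JAR_BAD}")

# Corrected form: CACHE <type> <docstring>, with INTERNAL as the type.
# A CACHE INTERNAL entry implies FORCE, so it is re-set on every configure
# run and is hidden from cmake-gui/ccmake.
set(PKI_CMSBUNDLE_JAR
    ${DIST_DIR}/pki-cmsbundle.jar
    CACHE INTERNAL "pki-cmsbundle jar file")
message(STATUS "fixed: ${PKI_CMSBUNDLE_JAR}")

# Configure-time guard: a jar path variable must be a single element that
# ends in .jar; anything else would corrupt the javac -cp argument.
foreach(var PKI_CMSBUNDLE_JAR_BAD PKI_CMSBUNDLE_JAR)
  list(LENGTH ${var} n)
  if(NOT n EQUAL 1 OR NOT "${${var}}" MATCHES "\\.jar$")
    message(WARNING "${var} is malformed: '${${var}}'")
  endif()
endforeach()
```

Running `cmake -S . -B build` on this file emits the warning for PKI_CMSBUNDLE_JAR_BAD only; the same guard can be dropped into a real build to catch this class of typo before it reaches the classpath.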