Difference between revisions of "PKI Open Source History 2015"

From Dogtag
(Dogtag Certificate Server 10.2.2       [03/18/2015])
Line 184: Line 184:
  
 
Additionally, this release addressed the following issues:
 
Additionally, this release addressed the following issues:
 +
 +
* Release 1
 +
** TPS rewrite: provide externalReg functionality
 +
** TPS Rewrite: Implement Secure Channel Protocol 02
  
 
<font size="+1"><b>Detailed Changes since Dogtag 10.2.1</b></font>
 
<font size="+1"><b>Detailed Changes since Dogtag 10.2.1</b></font>
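Review bot: the two added highlight bullets capitalise the same prefix differently ("TPS rewrite:" on the externalReg line, "TPS Rewrite:" on the Secure Channel Protocol 02 line). Pick one form so the entries read consistently and can be found with a single search.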
Line 222: Line 226:
 
* jmagne(2)
 
* jmagne(2)
 
** 865  - NIST SP800-108 KDF -( GP Key sanity check & full feature test)
 
** 865  - NIST SP800-108 KDF -( GP Key sanity check & full feature test)
** 883  - TPS Rewrite: Implement Secure Channel Protocol 02  
+
** 883  - TPS Rewrite: Implement Secure Channel Protocol 02
 +
** Implementation of the NISTSP800 dervication feature.
 +
** Support for both scp01 cards and scp02 cards
 +
** Fixed issue with extracting the kdd from the AppletInfo class
 +
** Fixed issue with sending the KDD to the encryptData TKS servlet.
 
* mharmsen(3)
 
* mharmsen(3)
 
** 1144 - pkispawn needs option to specify ca cert for ldap
 
** 1144 - pkispawn needs option to specify ca cert for ldap
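Review bot: the four entries added under jmagne(2) carry no ticket number and the heading count stays at (2), so the section now lists six items against a stated two. Either nest them under 883 as sub-items or update the count, and correct "dervication" to "derivation" in the added NISTSP800 line.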

Revision as of 20:45, 19 March 2015

Open Source History (2015)

Dogtag Certificate Server 10.2.1       [01/09/2015]

Dogtag Certificate System 10.2.1 represents the second phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.0. Dogtag 10.2.1 is associated with Fedora 22.

NOTE:   Due to the size, scope, and complexity of Dogtag 10.2, separate revisions of Dogtag 10.2 which incorporate a portion of the features will be released in phases over time. Each phase will likely correspond to a specific version of Fedora.

Project Name:

  • Dogtag Certificate System 10.2.1

Releases:

  • [01/09/2015] Dogtag Certificate Server 10.2.1 [32-bit & 64-bit Fedora 21] (Release 1)

Packages (Revised)

  • Release 1
    • pki-core-10.2.1-1.fc22 [01/09/2015]
    • dogtag-pki-10.2.1-1.fc22 [01/09/2015]
    • dogtag-pki-theme-10.2.1-1.fc22 [01/09/2015]
    • pki-console-10.2.1-1.fc22 [01/09/2015]

Upgrade Notes:

After running fedup, simply use yum (as necessary) to update existing packages.

Highlights since Dogtag 10.2.0

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.2.1 - page 8 (45 tickets)

Additionally, this release addressed the following issues:

  • Release 1:
    • Added CLIs to simplify generating user certificates
    • Added enhancements to KRA Python API
    • Added a man page for pki ca-profile commands
    • Added python api docs
    • Change resteasy dependencies for F22+
    • PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2
    • PKI TRAC Ticket #1205 - Outdated selinux-policy dependency.
    • Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies

Detailed Changes since Dogtag 10.2.0

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.2.0-1:  [09/06/2014] (master --> DOGTAG_10_2_0_BRANCH)
   Dogtag 10.2.1-1:  [01/09/2015] (master --> DOGTAG_10_2_1_BRANCH)
   
   Run the following command on the "DOGTAG_10_2_1_BRANCH"
   
       # git --no-pager log --since "09/06/2014" --until "01/09/2015" > ../history_10.2.1
   
   and compose the following list.
  • abhishek(3)
    • 1037 - Incorrect status change in key-request-review.
    • 1150 - Fixing upstream trac ticket 1150.
    • Add a man page for profile CLI commands.
  • alee(10)
    • 1132 - Fix sub-CA installation with own security domain
    • 1157 - Added Python Client API Docs to build
    • Added idempotent 01-MoveWebApplicationContextFile migration script
    • Added missing audit event ASYMKEY_GENERATION_REQUEST to KRA CS.cfg
    • Remove pylint from rhel build
    • Fixes to spec file for RHEL build
    • Updates to some python client classes for prettier API docs.
    • Added missing .rst annotations and missing docstrings.
    • Added log file for sphinx runs.
    • Require resteasy sub modules for F22+
  • benjamin.drung@profitbricks.com (2)
    • Fix manpage errors (using lintian tool on Debian)
    • fix typo succesfully -> successfully
  • cfu(15)
    • 864 - (part 1 symkey, common) NIST SP800-108 KDF
    • 866 - (part 1 symkey, common) NIST SP800-108 KDF
    • 1110 - pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR)
    • 1158 - CMCRequest does not support internal token
    • 1173 - Directory-based renewal evaluator fails authorization
    • 1180 - RFE: show link to request record from cert display
    • 1198 - add TLS range support to server.xml by default and upgrade
    • 1198 - add TLS range support (spec file jss tomcatjss dependencies)
    • 1198 - add TLS range support to server.xml by default
    • 1206 - (java console) TLS range support: code change needed for cs when acting as client
    • BZ 871171 - (client-side code) Provide Tomcat support for TLS v1.1 and TLS v1.2
    • BZ 1151147 - issuerDN encoding correction
    • BZ 1158410 - add TLS range support to server.xml by default and upgrade
    • BZ 1158410 - add TLS range support (spec file jss tomcatjss dependencies)
    • BZ 1158410 - add TLS range support to server.xml by default
  • edewata(15)
    • 1093 - Fixed problem importing renewed system certificate.
    • 1147 - Removed profile input/output IDs from CLI output.
    • 1148 - Added client-cert-request CLI.
    • 1149 - Displaying request status in ca-cert-request-review.
    • 1151 - Added option to import user cert from CA.
    • 1152 - Added option to import client cert from CA.
    • 1226 - Added rangeUnit property to certificate profiles.
    • 1155 - Improvements for KeyClient.archive_encrypted_data().
    • 1156 - Improvements for KeyClient.archive_encrypted_data().
    • 1157 - Fixed incorrect Python API docs format.
    • 1192 - Updated JUnit JAR file name.
    • Added CLI to import/export certificates with private keys.
    • Updated KRA Python client library.
    • Fixed pylint failure on F21.
    • Cleaned up clone installation code.
  • ftweedal(5)
    • 1035 - Fix BasicConstraints min/max path length check
    • 1189 - CRL does not include Authority Key Identifier extension
    • 1221 - Decode challengePassword attribute as DirectoryString
    • Fix ECC curve name typos
    • Enable Authority Key Identifier CRL extension by default
  • jmagne(2)
    • BZ 1170867 - TPS-Installation-Failed
    • Provide standalone Pin Reset Processor.
  • mharmsen(14)
    • 1130 - Add RHEL/CentOS conditionals to spec
    • 1136 - Remove ipa-pki-theme component and old unused 'ca-ui', 'kra-ui', 'ocsp-ui', 'ra-ui', 'tks-ui', and 'tps-ui' directories
    • 1138 - Remove 'migrate' source code from master branch
    • 1139 - Remove 'selinux' code from 'master' branch
    • 1187 - mod_perl should be removed from requirements for 10.2
    • 1205 - Outdated selinux-policy dependency.
    • 1211 - New release overwrites old source tarball
    • BZ 1147924 - dogtag: syntax errors in /usr/share/pki/scripts/operations
    • BZ 1165351 - Errata TPS test fails due to dependent packages not found
    • Revised dependencies
    • Removed RA references
    • Changed Apache TPS references to Tomcat TPS references
    • Remove legacy multilib JNI_JAR_DIR logic
    • Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies
  • tjaalton@debian.org (1)
    • Fix Debian specific paths to jackson jars

Server Platforms:

  Platform                     10.2.1
  32-bit Fedora 22 (i686)      X
  64-bit Fedora 22 (x86_64)    X

Dogtag Certificate Server 10.2.2       [03/18/2015]

Dogtag Certificate System 10.2.2 represents the third phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.1. Like Dogtag 10.2.1, Dogtag 10.2.2 is also associated with Fedora 22.

NOTE:   Due to the size, scope, and complexity of Dogtag 10.2, separate revisions of Dogtag 10.2 which incorporate a portion of the features will be released in phases over time. Each phase will likely correspond to a specific version of Fedora.

Project Name:

  • Dogtag Certificate System 10.2.2

Releases:

  • [03/18/2015] Dogtag Certificate Server 10.2.2 [32-bit & 64-bit Fedora 22] (Release 1)

Packages (Revised)

  • Release 1
    • pki-core-10.2.2-1.fc22 [03/18/2015]
    • dogtag-pki-10.2.2-1.fc22 [03/18/2015]
    • dogtag-pki-theme-10.2.1-1.fc22 [03/17/2015]
    • pki-console-10.2.2-1.fc22 [03/18/2015]

Upgrade Notes:

After running fedup, simply use yum (as necessary) to update existing packages.

Highlights since Dogtag 10.2.1

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.2.2 - page 8 (32 tickets) including 3 duplicates, 4 fixed in previous versions, 1 invalid, 1 release task, 4 won't fix, and 3 works for me

Additionally, this release addressed the following issues:

  • Release 1
    • TPS rewrite: provide externalReg functionality
    • TPS Rewrite: Implement Secure Channel Protocol 02

Detailed Changes since Dogtag 10.2.1

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.2.1-1:  [01/09/2015] (master --> DOGTAG_10_2_1_BRANCH)
   Dogtag 10.2.2-1:  [03/18/2015] (master --> DOGTAG_10_2_2_BRANCH)
   
   Run the following command on the "DOGTAG_10_2_2_BRANCH"
   
       # git --no-pager log --since "01/09/2015" --until "03/18/2015" > ../history_10.2.2
   
   and compose the following list.
  • alee(2)
    • 1305 - CRL publishing fails after Java heap out of memory error
    • 1306 - [RFE] Add granularity to token termination in TPS
  • cfu(3)
    • 822 - rhcs81 caManualRenewal with original profile modified for empty params.name creates root CA subject DN
    • 1028 - Phase1:TPS rewrite: provide externalReg functionality
    • 1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys
  • edewata(12)
    • 703 - Fixed pylint
    • 745 - Service should not start if selftest fails
    • 915 - Enhance EBaseException class to support the "cause" exception.
    • 1074 - CLI for CRMF Command-Line Utilities
    • 1164 - Refactored LDAPDatabase.createFilter().
    • 1183 - Starting/stopping individual subsystems
    • 1202 - Refactored OCSPClient.
    • 1235 - Fixed problem cloning Dogtag 10.1.x to 10.2.x.
    • 1252 - Missing python-lxml build dependency
    • 1254 - Simplifying resteasy/jackson dependencies on Fedora 22 Packaging
    • 1255 - Restart fails after upgrade
    • 1281 - CMake scripts have been updated to work on both F21 and F22.
  • ftweedal(1)
    • 1174 - RFE: support external authorization LDAP server
  • jmagne(2)
    • 865 - NIST SP800-108 KDF - (GP Key sanity check & full feature test)
    • 883 - TPS Rewrite: Implement Secure Channel Protocol 02
    • Implementation of the NISTSP800 derivation feature.
    • Support for both scp01 cards and scp02 cards
    • Fixed issue with extracting the kdd from the AppletInfo class
    • Fixed issue with sending the KDD to the encryptData TKS servlet.
  • mharmsen(3)
    • 1144 - pkispawn needs option to specify ca cert for ldap
    • 1211 - New release overwrites old source tarball
    • 1284 - pkispawn URL redirect issue

Server Platforms:

  Platform                     10.2.2
  32-bit Fedora 22 (i686)      X
  64-bit Fedora 22 (x86_64)    X