Difference between revisions of "PKI Open Source History 2015"

(Dogtag Certificate Server 10.2.3       [04/25/2015])
m (Dogtag Certificate Server 10.2.3       [04/25/2015])
Line 264: Line 264:
 
     </table>
 
     </table>
  
== Dogtag Certificate Server 10.2.3 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[04/25/2015] ==
+
== Dogtag Certificate Server 10.2.3 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[04/24/2015] ==
 
Dogtag Certificate System 10.2.3 represents the fourth phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.2. Like Dogtag 10.2.2, Dogtag 10.2.3 is also associated with Fedora 22.  
 
Dogtag Certificate System 10.2.3 represents the fourth phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.2. Like Dogtag 10.2.2, Dogtag 10.2.3 is also associated with Fedora 22.  
  

Revision as of 01:12, 29 April 2015

Open Source History (2015)

Dogtag Certificate Server 10.2.1       [01/09/2015]

Dogtag Certificate System 10.2.1 represents the second phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.0. Dogtag 10.2.1 is associated with Fedora 22.

NOTE:   Due to the size, scope, and complexity of Dogtag 10.2, separate revisions of Dogtag 10.2 which incorporate a portion of the features will be released in phases over time. Each phase will likely correspond to a specific version of Fedora.

Project Name:

  • Dogtag Certificate System 10.2.1

Releases:

  • [01/09/2015] Dogtag Certificate Server 10.2.1 [32-bit & 64-bit Fedora 21] (Release 1)

Packages (Revised)

  • Release 1
    • pki-core-10.2.1-1.fc22 [01/09/2015]
    • dogtag-pki-10.2.1-1.fc22 [01/09/2015]
    • dogtag-pki-theme-10.2.1-1.fc22 [01/09/2015]
    • pki-console-10.2.1-1.fc22 [01/09/2015]

Upgrade Notes:

After running fedup, simply use yum (as necessary) to update existing packages.

Highlights since Dogtag 10.2.0

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.2.1 - page 8 (45 tickets)

Additionally, this release addressed the following issues:

  • Release 1:
    • Added CLIs to simplify generating user certificates
    • Added enhancements to KRA Python API
    • Added a man page for pki ca-profile commands
    • Added python api docs
    • Change resteasy dependencies for F22+
    • PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2
    • PKI TRAC Ticket #1205 - Outdated selinux-policy dependency.
    • Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies

Detailed Changes since Dogtag 10.2.0

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.2.0-1:  [09/06/2014] (master --> DOGTAG_10_2_0_BRANCH)
   Dogtag 10.2.1-1:  [01/09/2015] (master --> DOGTAG_10_2_1_BRANCH)
   
   Run the following command on the "DOGTAG_10_2_1_BRANCH"
   
       # git --no-pager log --since "09/06/2014" --until "01/09/2015" > ../history_10.2.1
   
   and compose the following list.
  • abhishek(3)
    • 1037 - Incorrect status change in key-request-review.
    • 1150 - Fixing upstream trac ticket 1150.
    • Add a man page for profile CLI commands.
  • alee(10)
    • 1132 - Fix sub-CA installation with own security domain
    • 1157 - Added Python Client API Docs to build
    • Added idempotent 01-MoveWebApplicationContextFile migration script
    • Added missing audit event ASYMKEY_GENERATION_REQUEST to KRA CS.cfg
    • Remove pylint from rhel build
    • Fixes to spec file for RHEL build
    • Updates to some python client classes for prettier API docs.
    • Added missing .rst annotations and missing docstrings.
    • Added log file for sphinx runs.
    • Require resteasy sub modules for F22+
  • benjamin.drung@profitbricks.com (2)
    • Fix manpage errors (using lintian tool on Debian)
    • fix typo succesfully -> successfully
  • cfu(15)
    • 864 - (part 1 symkey, common) NIST SP800-108 KDF
    • 866 - (part 1 symkey, common) NIST SP800-108 KDF
    • 1110 - pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR)
    • 1158 - CMCRequest does not support internal token
    • 1173 - Directory-based renewal evaluator fails authorization
    • 1180 - RFE: show link to request record from cert display
    • 1198 - add TLS range support to server.xml by default and upgrade
    • 1198 - add TLS range support (spec file jss tomcatjss dependencies)
    • 1198 - add TLS range support to server.xml by default
    • 1206 - (java console) TLS range support: code change needed for cs when acting as client
    • BZ 871171 - (client-side code) Provide Tomcat support for TLS v1.1 and TLS v1.2
    • BZ 1151147 - issuerDN encoding correction
    • BZ 1158410 - add TLS range support to server.xml by default and upgrade
    • BZ 1158410 - add TLS range support (spec file jss tomcatjss dependencies)
    • BZ 1158410 - add TLS range support to server.xml by default
  • edewata(15)
    • 1093 - Fixed problem importing renewed system certificate.
    • 1147 - Removed profile input/output IDs from CLI output.
    • 1148 - Added client-cert-request CLI.
    • 1149 - Displaying request status in ca-cert-request-review.
    • 1151 - Added option to import user cert from CA.
    • 1152 - Added option to import client cert from CA.
    • 1226 - Added rangeUnit property to certificate profiles.
    • 1155 - Improvements for KeyClient.archive_encrypted_data().
    • 1156 - Improvements for KeyClient.archive_encrypted_data().
    • 1157 - Fixed incorrect Python API docs format.
    • 1192 - Updated JUnit JAR file name.
    • Added CLI to import/export certificates with private keys.
    • Updated KRA Python client library.
    • Fixed pylint failure on F21.
    • Cleaned up clone installation code.
  • ftweedal(5)
    • 1035 - Fix BasicConstraints min/max path length check
    • 1189 - CRL does not include Authority Key Identifier extension
    • 1221 - Decode challengePassword attribute as DirectoryString
    • Fix ECC curve name typos
    • Enable Authority Key Identifier CRL extension by default
  • jmagne(2)
    • BZ 1170867 - TPS-Installation-Failed
    • Provide standalone Pin Reset Processor.
  • mharmsen(14)
    • 1130 - Add RHEL/CentOS conditionals to spec
    • 1136 - Remove ipa-pki-theme component and old unused 'ca-ui', 'kra-ui', 'ocsp-ui', 'ra-ui', 'tks-ui', and 'tps-ui' directories
    • 1138 - Remove 'migrate' source code from master branch
    • 1139 - Remove 'selinux' code from 'master' branch
    • 1187 - mod_perl should be removed from requirements for 10.2
    • 1205 - Outdated selinux-policy dependency.
    • 1211 - New release overwrites old source tarball
    • BZ 1147924 - dogtag: syntax errors in /usr/share/pki/scripts/operations
    • BZ 1165351 - Errata TPS test fails due to dependent packages not found
    • Revised dependencies
    • Removed RA references
    • Changed Apache TPS references to Tomcat TPS references
    • Remove legacy multilib JNI_JAR_DIR logic
    • Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies
  • tjaalton@debian.org (1)
    • Fix Debian specific paths to jackson jars

Server Platforms:

   Platform                     10.2.1
   32-bit Fedora 22 (i686)      X
   64-bit Fedora 22 (x86_64)    X
   32-bit Fedora 21 (i686)      X
   64-bit Fedora 21 (x86_64)    X

Dogtag Certificate Server 10.2.2       [03/18/2015]

Dogtag Certificate System 10.2.2 represents the third phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.1. Like Dogtag 10.2.1, Dogtag 10.2.2 is also associated with Fedora 22.

NOTE:   Due to the size, scope, and complexity of Dogtag 10.2, separate revisions of Dogtag 10.2 which incorporate a portion of the features will be released in phases over time. Each phase will likely correspond to a specific version of Fedora.

Project Name:

  • Dogtag Certificate System 10.2.2

Releases:

  • [03/18/2015] Dogtag Certificate Server 10.2.2 [32-bit & 64-bit Fedora 22] (Release 1)

Packages (Revised)

  • Release 1
    • pki-core-10.2.2-1.fc22 [03/18/2015]
    • dogtag-pki-10.2.2-1.fc22 [03/18/2015]
    • dogtag-pki-theme-10.2.1-1.fc22 [03/17/2015]
    • pki-console-10.2.2-1.fc22 [03/18/2015]

Upgrade Notes:

After running fedup, simply use yum (as necessary) to update existing packages.

Highlights since Dogtag 10.2.1

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.2.2 - page 8 (32 tickets) including 3 duplicates, 4 fixed in previous versions, 1 invalid, 1 release task, 4 won't fix, and 3 works for me

This release primarily addressed the following issues:

  • Release 1
    • TPS rewrite: provide externalReg functionality
    • NIST SP800-108 KDF -( GP Key sanity check & full feature test)
    • TPS Rewrite: Implement Secure Channel Protocol 02

Detailed Changes since Dogtag 10.2.1

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.2.1-1:  [01/09/2015] (master --> DOGTAG_10_2_1_BRANCH)
   Dogtag 10.2.2-1:  [03/18/2015] (master --> DOGTAG_10_2_2_BRANCH)
   
   Run the following command on the "DOGTAG_10_2_2_BRANCH"
   
       # git --no-pager log --since "01/09/2015" --until "03/18/2015" > ../history_10.2.2
   
   and compose the following list.
  • alee(2)
    • 1305 - CRL publishing fails after Java heap out of memory error
    • 1306 - [RFE] Add granularity to token termination in TPS
  • cfu(3)
    • 822 - rhcs81 caManualRenewal with original profile modified for empty params.name creates root CA subject DN
    • 1028 - Phase1:TPS rewrite: provide externalReg functionality
    • 1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys
  • edewata(12)
    • 703 - Fixed pylint
    • 745 - Service should not start if selftest fails
    • 915 - Enhance EBaseException class to support the "cause" exception.
    • 1074 - CLI for CRMF Command-Line Utilities
    • 1164 - Refactored LDAPDatabase.createFilter().
    • 1183 - Starting/stopping individual subsystems
    • 1202 - Refactored OCSPClient.
    • 1235 - Fixed problem cloning Dogtag 10.1.x to 10.2.x.
    • 1252 - Missing python-lxml build dependency
    • 1254 - Simplifying resteasy/jackson dependencies on Fedora 22 Packaging
    • 1255 - Restart fails after upgrade
    • 1281 - CMake scripts have been updated to work on both F21 and F22.
  • ftweedal(1)
    • 1174 - RFE: support external authorization LDAP server
  • jmagne(6)
    • 865 - NIST SP800-108 KDF -( GP Key sanity check & full feature test)
    • 883 - TPS Rewrite: Implement Secure Channel Protocol 02
    • Implementation of the NISTSP800 derivation feature.
    • Support for both scp01 cards and scp02 cards
    • Fixed issue with extracting the kdd from the AppletInfo class
    • Fixed issue with sending the KDD to the encryptData TKS servlet.
  • mharmsen(6)
    • 1144 - pkispawn needs option to specify ca cert for ldap
    • 1211 - New release overwrites old source tarball
    • 1284 - pkispawn URL redirect issue
    • Fixed developer scripts for Fedora 21 and Fedora 22
    • Fixed CMake issue (Fedora 22)
    • Fixes for pylint 1.3 (Fedora 21) --> 1.4 (Fedora 22)

Server Platforms:

   Platform                     10.2.2
   32-bit Fedora 22 (i686)      X
   64-bit Fedora 22 (x86_64)    X

Dogtag Certificate Server 10.2.3       [04/24/2015]

Dogtag Certificate System 10.2.3 represents the fourth phase of Dogtag 10.2 and builds upon the bugs/features addressed by Dogtag 10.2.2. Like Dogtag 10.2.2, Dogtag 10.2.3 is also associated with Fedora 22.

NOTE:   Due to the size, scope, and complexity of Dogtag 10.2, separate revisions of Dogtag 10.2 which incorporate a portion of the features will be released in phases over time. Each phase will likely correspond to a specific version of Fedora.

Project Name:

  • Dogtag Certificate System 10.2.3

Releases:

  • [04/24/2015] Dogtag Certificate Server 10.2.3 [32-bit & 64-bit Fedora 22] (Release 1)

Packages (Revised)

  • Release 1
    • pki-core-10.2.3-2.fc22 [04/24/2015]
    • dogtag-pki-10.2.3-2.fc22 [04/24/2015]
    • dogtag-pki-theme-10.2.3-2.fc22 [04/24/2015]
    • pki-console-10.2.3-1.fc22 [04/24/2015]

Upgrade Notes:

After running fedup, simply use yum (as necessary) to update existing packages.

Highlights since Dogtag 10.2.2

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.2.3 - pages 8-9 (31 tickets) including 4 duplicates, 2 invalid, 1 release task, 2 won't fix, and 1 works for me

This release primarily continued to address the following issues:

  • Release 1
    • TPS rewrite: provide externalReg functionality
    • NIST SP800-108 KDF -( GP Key sanity check & full feature test)
    • TPS Rewrite: Implement Secure Channel Protocol 02

Detailed Changes since Dogtag 10.2.2

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.2.2-1:  [03/18/2015] (master --> DOGTAG_10_2_2_BRANCH)
   Dogtag 10.2.3-1:  [04/24/2015] (master --> DOGTAG_10_2_3_BRANCH)
   
   Run the following command on the "DOGTAG_10_2_3_BRANCH"
   
       # git --no-pager log --since "03/18/2015" --until "04/24/2015" > ../history_10.2.3
   
   and compose the following list.
  • alee (4)
    • 1230 - implement code using nuxwdog for cs9 (phase 1)
      • Add nuxwdog functionality to Dogtag
      • changes to CS.cfg, server.xml and tomcat.conf to support nuxwdog
      • Added pki-server-nuxwdog tool to create config file for nuxwdog
      • Remove duplicate prompt on nuxwdog startup
    • Add back the getPassword(tag) code to handle old tomcatjss interface
    • Fix some javadoc errors that prevent F23 build
    • Add conditional to disable doclint for javadocs on java >= 1.8
  • cfu (5)
    • 443 - SCEP: Invalid OID in CertRep signerInfo when using SHA-2 (Bugzilla Bug #824624 - fixed in JSS)
    • 1028 - TPS rewrite: provide externalReg functionality (phase 2)
    • 1296 - RHCS 9.0 theme
      • Parameterized TKS
    • 1316 - Allow adding SAN to server cert during the install process Usage
    • 1339 - doRevoke error string doesn't clear after failure (Bugzilla Bug #1150142)
  • edewata (14)
    • 499 - Direct web application deployment
      • Added direct deployment for all subsystems.
      • Added direct deployment for theme.
      • Moved CSS files to theme package.
      • Moved fonts and images to theme package.
      • Fixed problem deploying without theme.
    • 802 - Added upgrade script to fix instance work folder ownership.
    • 936 - Added bulk property editor in TPS UI.
    • 1164 - Added interface to show TPS token certificates.
    • 1264 - Added support for Tomcat 8.
      • Added server migration command.
    • 1270 - Fixed problem with TPS profile default status.
    • 1273 - Fixed problem deleting newly created TPS profiles.
    • 1274 - Fixed incorrect link in TPS UI.
    • 1292 - TPS UI: No Approve button when logged in as agent user
      • Customized TPS UI menu based on user roles.
      • Fixed TPS REST services.
      • Fixed action menu in TPS UI.
    • 1293 - Fixed missing port error during installation.
    • 1296 - RHCS 9.0 theme
      • Parameterized /ca/agent/header, ca/ee/ca/index.html, ROOT's index.jsp, services.template (all subsystems)
      • Moved color settings to CSS.
      • Parameterized CA templates.
    • 1332 - Fixed problem upgrading to F22.
    • 1343 - Simplified login response formats
    • modified code to fix tomcatjss and python-sphinx issues.
  • ftweedal (1)
    • 1220 - Improvement for ProfileSubsystem.isProfileEnable()
      • Add schema for LDAP-based profiles
      • Add LDAPConfigStore class
      • Add LDAPProfileSubsystem to store profiles in LDAP
      • Add ability to enable/disable dynamic subsystems
      • Import profiles when spawning CA instance
      • Update pki-profile CLI commands to work with "raw" format
      • Monitor database for changes to LDAP profiles.
      • Add pkispawn config option for ldap profiles
      • Remove unneeded collection from profile subsystems
      • Consolidate profile persistent search try/catch blocks
      • Chain InvocationTargetException thrown during PKCS10Attribute decoding
      • Remove unused RequestSubsystem constructor
      • Remove duplicate getRequestQueue code
      • Fix incorrect class name in debug message
      • Remove unneeded class EnrollProfileContext
      • Only read pki_profiles_in_ldap when spawning CA instance
      • Enumerate profiles in order of discovery
  • jmagne (2)
    • 1296 - RHCS 9.0 theme
      • Parameterized OCSP
    • Bugzilla Bug #1186896 - NIST SP800-108 KDF
      • add sanity checking
      • remove harmful bit of sanity checking
  • mharmsen (9)
    • 1200 - Add HSM passwords to pkispawn
    • 1296 - RHCS 9.0 theme
      • Parameterized KRA
      • Added missing "logo" theme properties to OCSP and TKS "ports.template".
      • Fixed minor UI inconsistencies.
    • 1313 - Create 'redhat-pki' meta-package
    • 1315 - pki-tomcatd fails to start on system boot
    • 1319 - Invalid upgrade script in 10.2.1
    • 1340 - pkidestroy should not remove /var/lib/pki
    • 1346 - pkispawn should have an HSM library option
    • Changed runtime requirement from "nuxwdog" to "nuxwdog-java-client".
    • Restored requirement for 'jss-javadocs' to meta packages

Server Platforms:

   Platform                     10.2.3
   32-bit Fedora 22 (i686)      X
   64-bit Fedora 22 (x86_64)    X
   32-bit Fedora 23 (i686)      X
   64-bit Fedora 23 (x86_64)    X