Skip to content

CentOS 7 - Updates for x86_64: system environment/daemons: pki-kra

pki-kra - Certificate System - Key Recovery Authority

Website: http://pki.fedoraproject.org/
License: GPLv2
Vendor: CentOS
Description:
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
as a key archival facility.  When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process.  The key archival mechanism is triggered
when a user enrolls in the PKI and creates the certificate request.  Using the
Certificate Request Message Format (CRMF) request format, a request is
generated for the user's private encryption key.  This key is then stored in
the KRA which is configured to store keys in an encrypted format that can only
be decrypted by several agents requesting the key at one time, providing for
protection of the public encryption keys for the users in the PKI deployment.

Note that the KRA archives encryption keys; it does NOT archive signing keys,
since such archival would undermine non-repudiation properties of signing keys.

This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.


==================================
||  ABOUT "CERTIFICATE SYSTEM"  ||
==================================

Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

PKI Core contains ALL top-level java-based Tomcat PKI components:

  * pki-symkey
  * pki-base
  * pki-base-python2 (alias for pki-base)
  * pki-base-python3
  * pki-base-java
  * pki-tools
  * pki-server
  * pki-ca
  * pki-kra
  * pki-ocsp
  * pki-tks
  * pki-tps
  * pki-javadoc

which comprise the following corresponding PKI subsystems:

  * Certificate Authority (CA)
  * Key Recovery Authority (KRA)
  * Online Certificate Status Protocol (OCSP) Manager
  * Token Key Service (TKS)
  * Token Processing Service (TPS)

Python clients need only install the pki-base package.  This
package contains the python REST client packages and the client
upgrade framework.

Java clients should install the pki-base-java package.  This package
contains the legacy and REST Java client packages.  These clients
should also consider installing the pki-tools package, which contain
native and Java-based PKI tools and utilities.

Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools.  The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.

Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:

  * dogtag-pki-theme (Dogtag Certificate System deployments)
    * dogtag-pki-server-theme
  * redhat-pki-server-theme (Red Hat Certificate System deployments)
    * redhat-pki-server-theme
  * customized pki theme (Customized Certificate System deployments)
    * <customized>-pki-server-theme

  NOTE:  As a convenience for standalone deployments, top-level meta
         packages may be provided which bind a particular theme to
         these certificate server packages.

Packages

pki-kra-10.5.18-16.el7_9.noarch [310 KiB] Changelog by Dogtag Team (2021-08-09):
- ##########################################################################
- # RHEL 7.9 (Batch Update 8):
- ##########################################################################
- Bugzilla Bug 1958277 - PKCS10Client EC Attribute Encoding [cfu]
- Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500:
  Non-2xx response from CA REST API: 500 [ftweedale, ckelley]
- ##########################################################################
- # RHCS 9.7 (Batch Update 8):
- ##########################################################################
- Bugzilla Bug 1959937 - TPS Allowing Token Transactions while
  the CA is Down [cfu]
- Bugzilla Bug 1979710 - TPS Not properly enforcing Token Profile
  Separation [cfu]
pki-kra-10.5.18-15.el7_9.noarch [309 KiB] Changelog by Dogtag Team (2021-06-25):
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1905374 - restrict EE profile list and enrollment submission
  per LDAP group without immediate issuance [rhel-7.9.z] (cfu)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7)
pki-kra-10.5.18-14.el7_9.noarch [309 KiB] Changelog by Dogtag Team (2021-05-13):
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1911472 - Revoke via REST API not working when Agent
  certificate not issued by CA [rhel-7.9.z] (cfu)
- Bugzilla Bug 1914587 - RHEL IPA PKI - Failed to read product version
  String.java.io.FileNotFoundException (ckelley)
- Bugzilla Bug 1942687 - TPS not populating Token Policy, or switching
  PIN_RESET=YES to NO [rhel-7.9.z] (jmagne)
- Bugzilla Bug 1955633 - Recovery of Keys migrated to latest version of KRA
  fail to recover and result in Null Point Exception [rhel-7.9.z] (jmagne)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
  pki-console to 10.5.18 in RHCS 9.7 (Batch Update 6)
pki-kra-10.5.18-12.el7_9.noarch [307 KiB] Changelog by Dogtag Team (2021-02-24):
- Change variable 'TPS' to 'tps'
- ##########################################################################
- # RHEL 7.9:
- ##########################################################################
- Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates
  profiles, audit for IPA (edewata)
- ##########################################################################
- # Backported CVEs (ascheel):
- ##########################################################################
- Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token
  parameters in TPS resulting in stored XSS [certificate_system_9-default]
  (edewata, ascheel)
- Bugzilla Bug 1725128 - CVE-2019-10178 pki-core: stored Cross-site
  scripting (XSS) in the pki-tps web Activity tab
  [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1791100 - CVE-2020-1696 pki-core: Stored XSS in TPS profile
  creation [certificate_system_9-default] (edewata, ascheel)
- Bugzilla Bug 1724688 - CVE-2019-10146 pki-core: Reflected Cross-Site
  Scripting in 'path length' constraint field in CA's Agent page
  [rhel-7.9.z] (dmoluguw, ascheel)
- Bugzilla Bug 1789843 - CVE-2019-10221 pki-core: reflected cross site
  scripting in getcookies?url= endpoint in CA [rhel-7.9.z]
  (dmoluguw, ascheel)
- Bugzilla Bug 1724713 - CVE-2019-10179 pki-core: pki-core/pki-kra:
  Reflected XSS in recoveryID search field at KRA's DRM agent page in
  authorize recovery tab [rhel-7.9.z] (ascheel)
- Bugzilla Bug 1798011 - CVE-2020-1721 pki-core: KRA vulnerable to
  reflected XSS via the getPk12 page [rhel-7.9.z] (ascheel,jmagne)
- ##########################################################################
- Update to jquery v3.4.1 (ascheel)
- Update to jquery-i18n-properties v1.2.7 (ascheel)
- Update to backbone v1.4.0 (ascheel)
- Upgrade to underscore v1.9.2 (ascheel)
- Update to patternfly v3.59.3 (ascheel)
- Update to jQuery v3.5.1 (ascheel)
- Upgrade to bootstrap v3.4.1 (ascheel)
- Link in new Bootstrap CSS file (ascheel)
- ##########################################################################
- # RHCS 9.7:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
pki-kra-10.5.18-7.el7.noarch [301 KiB] Changelog by Dogtag Team (2020-05-27):
- Patch for CMCResponse tool
- Bugzilla Bug #1710109 - add RSA PSS support - fix CMCResponse tool (jmagne)
pki-kra-10.5.17-6.el7.noarch [296 KiB] Changelog by Dogtag Team (2019-12-02):
- ##########################################################################
- # RHEL 7.8:
- ##########################################################################
- Bugzilla Bug #1723008 - ECC Key recovery failure with
  CKR_TEMPLATE_INCONSISTENT (cfu)
- Bugzilla Bug #1774282 - pki-server-nuxwdog template has pid file name with
  non-breakable space char encoded instead of 0x20 space char (ascheel)
- ##########################################################################
- # RHCS 9.6:
- ##########################################################################
- # Bugzilla Bug #1733588 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
pki-kra-10.5.16-6.el7_7.noarch [293 KiB] Changelog by Dogtag Team (2019-10-14):
- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1754845 - number range depletion when multiple clones
  created from same master (ftweedal)
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
pki-kra-10.5.16-5.el7_7.noarch [293 KiB] Changelog by Dogtag Team (2019-09-09):
- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1750277 - CC: missing audit event for CS acting as TLS client
  [rhel-7.7.z] (cfu)
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
pki-kra-10.5.16-3.el7.noarch [292 KiB] Changelog by Dogtag Team (2019-06-20):
- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1638379 - PKI startup initialization process should not
  depend on LDAP operational attributes [ftweedal]
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
  pki-console to 10.5.16 in RHCS 9.5
pki-kra-10.5.9-13.el7_6.noarch [290 KiB] Changelog by Dogtag Team (2019-02-15):
- Updated jss dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1671245 - CC: unable to verify cert before import
  [rhel-7.6.z] [manpage] (ascheel)
- Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL)
  [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)
pki-kra-10.5.9-6.el7.noarch [290 KiB] Changelog by Dogtag Team (2018-08-21):
- Updated nuxwdog dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #673182 - ECC keys not supported for signing
  audit logs (cfu)
- Bugzilla Bug #1593805 - Better understanding of
  NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu)
- Bugzilla Bug #1601071 - Certificate generation happens with
  partial attributes in CMCRequest file (cfu)
- Bugzilla Bug #1601569 - CC: Enable all config audit events
  (cfu)
- Bugzilla Bug #1608375 - CMC Revocations throws exception
  with same reqIssuer & certissuer (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to
pki-kra-10.5.1-15.el7_5.noarch [288 KiB] Changelog by Dogtag Team (2018-08-13):
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1600905 - pki console configurations that involves ldap
  passwords leave the plain text password in signed audit logs
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1611245 - Certificate generation happens with partial
  attributes in CMCRequest file [rhel-7.5.z] (cfu)
- Bugzilla Bug #1611250 - Better understanding of
  NSS_USE_DECODED_CKA_EC_POINT for ECC [rhel-7.5.z] (cfu)
- Bugzilla Bug #1612880 - CMC Revocations throws exception with
  same reqIssuer & certissuer [rhel-7.5.z] (cfu)
- Bugzilla Bug #1614837 - ipa-replica-install --setup-kra broken on
  DL0 with latest version [rhel-7.5.z] (abokovoy)
- Bugzilla Bug #1614839 - CC: Enable all config audit events
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1615266 - ECC keys not supported for signing audit
  logs [rhel-7.5.z] (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1539933 - keyGen fails when only Identity
pki-kra-10.5.1-14.el7_5.noarch [287 KiB] Changelog by Dogtag Team (2018-07-02):
- Updated "jss" build and runtime requirements (mharmsen)
- Updated "tomcatjss" build and runtime requirements (mharmsen)
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1593585 - Need proper default subjectDN for CMC request
  authenticated through SharedToken [rhel-7.5.z] (cfu)
- Bugzilla Bug #1594128 - CMC: Audit Events needed for failures in
  SharedToken scenario's [rhel-7.5.z] (cfu)
- Bugzilla Bug #1595606 - AuditVerify failure due to line breaks
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1596525 - Address ECC profile overrides [rhel-7.5.z] (cfu)
- Bugzilla Bug #1596551 - X500Name.directoryStringEncodingOrder overridden
  by CSR encoding [rhel-7.5.z] (cfu)
- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a
  certifcate [rhel-7.5.z] (ftweedal)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
pki-kra-10.5.1-13.1.el7_5.noarch [286 KiB] Changelog by Dogtag Team (2018-06-09):
- Rebuild due to build system database problem
pki-kra-10.5.1-9.el7.noarch [281 KiB] Changelog by Dogtag Team (2018-02-19):
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
  - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event
  set (RHEL) (edewata)
- Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata)
- Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM
  and FIPS (edewata)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
  - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event
pki-kra-10.4.1-17.el7_4.noarch [275 KiB] Changelog by Dogtag Team (2017-11-10):
- ###########################################################################
- ## RHCS 9.2
- ###########################################################################
- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of
pki-kra-10.4.1-13.el7_4.noarch [272 KiB] Changelog by Dogtag Team (2017-08-21):
- Resolves: rhbz #1463350
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1463350 - Access banner validation (edewata)
  [pki-core-server-access-banner-retrieval-validation.patch]
pki-kra-10.4.1-10.el7.noarch [270 KiB] Changelog by Dogtag Team (2017-06-19):
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1458043 - Key recovery on token fails with
  invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client
  authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after
  deleting the any of the subsystem certs from it (ftweedal)
pki-kra-10.3.3-19.el7_3.noarch [252 KiB] Changelog by Dogtag Team (2017-05-19):
- ## RHEL 7.3.z Batch Update 6
- Bugzilla Bug #1447095 - RHCS 9.1 RC5 CA in the certificate profiles the
  startTime parameter is not working as expected. (jmagne)
pki-kra-10.3.3-18.el7_3.noarch [252 KiB] Changelog by Dogtag Team (2017-03-06):
- ## RHEL 7.3.z Batch Update 4
- Bugzilla Bug #1429492 - Add profile component that copies CN to SAN
  (ftweedal)
pki-kra-10.3.3-17.el7_3.noarch [251 KiB] Changelog by Dogtag Team (2017-01-30):
- ## RHCS 9.1.z Batch Update 3
- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS
  tokendb shows different certificate status (cfu)
- ## RHEL 7.3.z Batch Update 3
- Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System
  8.1 fail NIST validation test with parameter field. (cfu)
- Bugzilla Bug #1417064 - Unable to search certificate requests using the
  latest request ID (edewata)
- Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website
  incorrect (alee)
- Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will
  not finish start, hangs (ftweedal)
- Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert
  (edewata)
- Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6
  environment. (edewata)
pki-kra-10.3.3-16.el7_3.noarch [250 KiB] Changelog by Dogtag Team (2016-12-15):
- Separate original patches into RHEL and RHCS portions
- ## RHEL 7.3.z Batch Update 2
- Bugzilla Bug #1404176 - logging properties and man pages (edewata)
- Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and
  enroll G&D Cards (jmagne)
- ## RHCS 9.1.z Batch Update 2
- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and
  enroll G&D Cards (jmagne)
- Bugzilla Bug #1404900 - RHCS logging properties (edewata)
pki-kra-10.3.3-14.el7_3.noarch [249 KiB] Changelog by Dogtag Team (2016-11-08):
- Marked the following RHCS 9.1.z bug:
  Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
  when TPS and TKS security db is on fips mode. (jmagne)
  as a duplicate of RHEL 7.3.z bug:
  Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
  and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.
pki-kra-10.3.3-10.el7.noarch [246 KiB] Changelog by Dogtag Team (2016-09-09):
- Revert Patch:  PKI TRAC Ticket #2449 - Unable to create system certificates
  in different tokens (edewata)
- Removes from Errata:  rhbz #1372041 - Unable to create system certificates
  in different tokens
pki-kra-10.2.5-10.el7_2.noarch [240 KiB] Changelog by Dogtag Team (2016-04-21):
- Bugzilla Bug #1318302 - pkispawn ignores 3rd-party CA certs in
  pki_clone_pkcs12_path (python hash fix)
pki-kra-10.2.5-6.el7.noarch [239 KiB] Changelog by Dogtag Team (2015-09-21):
- Bugzilla Bug #1258630 - Upgraded CA lacks ca.sslserver.certreq
  in CS.cfg [edewata]
- Bugzilla Bug #1258634 - CA fails to authenticate to KRA for
  archival [edewata]

Listing created by repoview