Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/install/share/profiles/IECUserRoles.cfg
+++ b/install/share/profiles/IECUserRoles.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
--- a/install/share/profiles/KDCs_PKINIT_Certs.cfg
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
 policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
 policyset.serverCertSet.11.default.name=User Supplied Extension Default
 policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
--- a/install/share/profiles/Makefile.am
+++ b/install/share/profiles/Makefile.am
@@ -7,6 +7,7 @@ app_DATA =				\
 	caIPAserviceCert.UPGRADE.cfg	\
 	IECUserRoles.cfg		\
 	KDCs_PKINIT_Certs.cfg		\
+	acmeIPAServerCert.cfg		\
 	$(NULL)

 EXTRA_DIST =				\
--- a/install/share/profiles/Makefile.in
+++ b/install/share/profiles/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -70,6 +70,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -147,10 +149,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
  }
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
@@ -176,6 +177,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -189,8 +192,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -198,6 +203,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -210,9 +216,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -221,6 +230,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -280,6 +291,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -288,9 +301,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -329,8 +345,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -376,6 +394,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -390,6 +409,7 @@ app_DATA = \
 	caIPAserviceCert.UPGRADE.cfg	\
 	IECUserRoles.cfg		\
 	KDCs_PKINIT_Certs.cfg		\
+	acmeIPAServerCert.cfg		\
 	$(NULL)

 EXTRA_DIST = \
@@ -461,7 +481,6 @@ ctags CTAGS:

 cscope cscopelist:

-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am

@@ -526,8 +545,8 @@ mostlyclean-generic:
 clean-generic:

 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -619,3 +638,10 @@ uninstall-am: uninstall-appDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%
--- a/install/share/profiles/acmeIPAServerCert.cfg
+++ b/install/share/profiles/acmeIPAServerCert.cfg
@@ -0,0 +1,107 @@
+profileId=acmeIPAServerCert
+classId=caEnrollImpl
+desc=ACME profile for use in IPA deployments
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=SessionAuthentication
+authz.acl=group="$ACME_AGENT_GROUP"
+name=IPA ACME Service Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.1.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.1.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.1.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.1.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.1.constraint.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.1.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.1.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.1.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.1.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.1.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.1.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.1.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.1.default.name=Key Usage Default
+policyset.serverCertSet.1.default.params.keyUsageCritical=true
+policyset.serverCertSet.1.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.1.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.1.default.params.keyUsageDataEncipherment=false
+policyset.serverCertSet.1.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.1.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.1.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.1.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.1.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.1.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.2.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.2.constraint.name=No Constraint
+policyset.serverCertSet.2.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.2.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.2.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.2.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.3.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.3.constraint.name=No Constraint
+policyset.serverCertSet.3.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.3.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.3.default.params.critical=false
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.6.constraint.name=No Constraint
+policyset.serverCertSet.6.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.6.default.name=User supplied extension in CSR
+policyset.serverCertSet.6.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.7.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.7.constraint.name=Validity Constraint
+policyset.serverCertSet.7.constraint.params.range=90
+policyset.serverCertSet.7.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.7.constraint.params.notAfterCheck=false
+policyset.serverCertSet.7.default.class_id=validityDefaultImpl
+policyset.serverCertSet.7.default.name=Validity Default
+policyset.serverCertSet.7.default.params.range=90
+policyset.serverCertSet.7.default.params.startTime=0
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=sanToCNDefaultImpl
+policyset.serverCertSet.9.default.name=SAN to CN Default
+policyset.serverCertSet.10.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.10.constraint.name=Key Constraint
+policyset.serverCertSet.10.constraint.params.keyType=RSA
+policyset.serverCertSet.10.constraint.params.keyParameters=2048,3072,4096,8192
+policyset.serverCertSet.10.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.10.default.name=Key Default
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.11.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.11.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.11.default.params.crlDistPointsNum=1
+policyset.serverCertSet.11.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.11.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
+policyset.serverCertSet.11.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.11.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.11.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.11.default.params.crlDistPointsReasons_0=
--- a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
+++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
--- a/install/share/profiles/caIPAserviceCert.cfg
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-