Remove caJarSigningCert profile and related code

The caJarSigningCert profile was used for issuing the object signing certificate for signing the Firefox auto-configuration extension (XPI). We removed the extension and object signing certificate some time ago, so remove the profile and the related code that sets it up. Fixes: https://pagure.io/freeipa/issue/7226 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-10-27 19:02:52 +11:00 · 2017-10-27 19:02:52 +11:00 · 3e33857827
commit 3e33857827
parent 1ebd819355
4 changed files with 0 additions and 98 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -30,7 +30,6 @@ dist_app_DATA =				\
 	anon-princ-aci.ldif		\
 	bootstrap-template.ldif		\
 	ca-topology.uldif		\
-	caJarSigningCert.cfg.template	\
 	custodia.conf.template		\
 	default-aci.ldif		\
 	default-hbac.ldif		\
--- a/install/share/caJarSigningCert.cfg.template
+++ b/install/share/caJarSigningCert.cfg.template
@ -1,88 +0,0 @@
-desc=Jar Signing certificate to auto-configure Firefox
-enable=true
-enableBy=admin
-lastModified=1239836280692
-name=Manual Jar Signing Certificate Enrollment
-visible=true
-auth.class_id=
-auth.instance_id=raCertAuth
-input.list=i1,i2
-input.i1.class_id=certReqInputImpl
-input.i2.class_id=submitterInfoInputImpl
-output.list=o1
-output.o1.class_id=certOutputImpl
-policyset.list=caJarSigningSet
-policyset.caJarSigningSet.list=1,2,3,6,7,9
-policyset.caJarSigningSet.1.constraint.class_id=subjectNameConstraintImpl
-policyset.caJarSigningSet.1.constraint.name=Subject Name Constraint
-policyset.caJarSigningSet.1.constraint.params.accept=true
-policyset.caJarSigningSet.1.constraint.params.pattern=.*
-policyset.caJarSigningSet.1.default.class_id=userSubjectNameDefaultImpl
-policyset.caJarSigningSet.1.default.name=Subject Name Default
-policyset.caJarSigningSet.1.default.params.name=
-policyset.caJarSigningSet.2.constraint.class_id=validityConstraintImpl
-policyset.caJarSigningSet.2.constraint.name=Validity Constraint
-policyset.caJarSigningSet.2.constraint.params.notAfterCheck=false
-policyset.caJarSigningSet.2.constraint.params.notBeforeCheck=false
-policyset.caJarSigningSet.2.constraint.params.range=2922
-policyset.caJarSigningSet.2.default.class_id=validityDefaultImpl
-policyset.caJarSigningSet.2.default.name=Validity Default
-policyset.caJarSigningSet.2.default.params.range=1461
-policyset.caJarSigningSet.2.default.params.startTime=60
-policyset.caJarSigningSet.3.constraint.class_id=keyConstraintImpl
-policyset.caJarSigningSet.3.constraint.name=Key Constraint
-policyset.caJarSigningSet.3.constraint.params.keyMaxLength=4096
-policyset.caJarSigningSet.3.constraint.params.keyMinLength=1024
-policyset.caJarSigningSet.3.constraint.params.keyType=-
-policyset.caJarSigningSet.3.default.class_id=userKeyDefaultImpl
-policyset.caJarSigningSet.3.default.name=Key Default
-policyset.caJarSigningSet.6.constraint.class_id=keyUsageExtConstraintImpl
-policyset.caJarSigningSet.6.constraint.name=Key Usage Extension Constraint
-policyset.caJarSigningSet.6.constraint.params.keyUsageCritical=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageCrlSign=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageDataEncipherment=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageDecipherOnly=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageDigitalSignature=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageEncipherOnly=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageKeyAgreement=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageKeyCertSign=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageKeyEncipherment=-
-policyset.caJarSigningSet.6.constraint.params.keyUsageNonRepudiation=-
-policyset.caJarSigningSet.6.default.class_id=keyUsageExtDefaultImpl
-policyset.caJarSigningSet.6.default.name=Key Usage Default
-policyset.caJarSigningSet.6.default.params.keyUsageCritical=true
-policyset.caJarSigningSet.6.default.params.keyUsageCrlSign=false
-policyset.caJarSigningSet.6.default.params.keyUsageDataEncipherment=false
-policyset.caJarSigningSet.6.default.params.keyUsageDecipherOnly=false
-policyset.caJarSigningSet.6.default.params.keyUsageDigitalSignature=true
-policyset.caJarSigningSet.6.default.params.keyUsageEncipherOnly=false
-policyset.caJarSigningSet.6.default.params.keyUsageKeyAgreement=false
-policyset.caJarSigningSet.6.default.params.keyUsageKeyCertSign=true
-policyset.caJarSigningSet.6.default.params.keyUsageKeyEncipherment=false
-policyset.caJarSigningSet.6.default.params.keyUsageNonRepudiation=false
-policyset.caJarSigningSet.7.constraint.class_id=nsCertTypeExtConstraintImpl
-policyset.caJarSigningSet.7.constraint.name=Netscape Certificate Type Extension Constraint
-policyset.caJarSigningSet.7.constraint.params.nsCertCritical=-
-policyset.caJarSigningSet.7.constraint.params.nsCertEmail=-
-policyset.caJarSigningSet.7.constraint.params.nsCertEmailCA=-
-policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigning=-
-policyset.caJarSigningSet.7.constraint.params.nsCertObjectSigningCA=-
-policyset.caJarSigningSet.7.constraint.params.nsCertSSLCA=-
-policyset.caJarSigningSet.7.constraint.params.nsCertSSLClient=-
-policyset.caJarSigningSet.7.constraint.params.nsCertSSLServer=-
-policyset.caJarSigningSet.7.default.class_id=nsCertTypeExtDefaultImpl
-policyset.caJarSigningSet.7.default.name=Netscape Certificate Type Extension Default
-policyset.caJarSigningSet.7.default.params.nsCertCritical=false
-policyset.caJarSigningSet.7.default.params.nsCertEmail=false
-policyset.caJarSigningSet.7.default.params.nsCertEmailCA=false
-policyset.caJarSigningSet.7.default.params.nsCertObjectSigning=true
-policyset.caJarSigningSet.7.default.params.nsCertObjectSigningCA=false
-policyset.caJarSigningSet.7.default.params.nsCertSSLCA=false
-policyset.caJarSigningSet.7.default.params.nsCertSSLClient=false
-policyset.caJarSigningSet.7.default.params.nsCertSSLServer=false
-policyset.caJarSigningSet.9.constraint.class_id=signingAlgConstraintImpl
-policyset.caJarSigningSet.9.constraint.name=No Constraint
-policyset.caJarSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC
-policyset.caJarSigningSet.9.default.class_id=signingAlgDefaultImpl
-policyset.caJarSigningSet.9.default.name=Signing Alg
-policyset.caJarSigningSet.9.default.params.signingAlg=-
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -281,8 +281,6 @@ class BasePathNamespace(object):
    CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
    KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
    CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
-    CAJARSIGNINGCERT_CFG = (
-        "/var/lib/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg")
    CASIGNEDLOGCERT_CFG = (
        "/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
    KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -418,7 +418,6 @@ class CAInstance(DogtagInstance):
                              self.__import_ra_cert)

            if not ra_only:
-                self.step("setting up signing cert profile", self.__setup_sign_profile)
                self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
                self.step("restarting certificate server", self.restart_instance)
                if not self.clone:
@ -903,12 +902,6 @@ class CAInstance(DogtagInstance):
                except OSError:
                    pass

-    def __setup_sign_profile(self):
-        # Tell the profile to automatically issue certs for RAs
-        installutils.set_directive(
-            paths.CAJARSIGNINGCERT_CFG, 'auth.instance_id', 'raCertAuth',
-            quotes=False, separator='=')
-
    def prepare_crl_publish_dir(self):
        """
        Prepare target directory for CRL publishing