pki-base-java-10.5.9-6.el7

Name         : pki-base-java
Version      : 10.5.9
Release      : 6.el7
Architecture : noarch
OS           : linux
Summary      : Certificate System - Java Framework
Group        : System Environment/Base
License      : GPLv2
Vendor       : CentOS
Packager     : CentOS BuildSystem
Build host   : x86-01.bsys.centos.org
URL          : http://pki.fedoraproject.org/
Source RPM   : pki-core-10.5.9-6.el7.src.rpm

Description:

The PKI Framework contains the common and client libraries and utilities written in Java. This package is a part of the PKI Core used by the Certificate System.

==================================
||  ABOUT "CERTIFICATE SYSTEM"  ||
==================================

Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

PKI Core contains ALL top-level java-based Tomcat PKI components:

  * pki-symkey
  * pki-base
  * pki-base-python2 (alias for pki-base)
  * pki-base-python3
  * pki-base-java
  * pki-tools
  * pki-server
  * pki-ca
  * pki-kra
  * pki-ocsp
  * pki-tks
  * pki-tps
  * pki-javadoc

which comprise the following corresponding PKI subsystems:

  * Certificate Authority (CA)
  * Key Recovery Authority (KRA)
  * Online Certificate Status Protocol (OCSP) Manager
  * Token Key Service (TKS)
  * Token Processing Service (TPS)

Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework.

Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contains native and Java-based PKI tools and utilities.

Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.

Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package:

  * dogtag-pki-theme (Dogtag Certificate System deployments)
    * dogtag-pki-server-theme
  * redhat-pki-server-theme (Red Hat Certificate System deployments)
    * redhat-pki-server-theme
  * customized pki theme (Customized Certificate System deployments)
    * -pki-server-theme

NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

JAR paths listed in the package header:

  /usr/share/java/commons-cli.jar
  /usr/share/java/commons-codec.jar
  /usr/share/java/commons-httpclient.jar
  /usr/share/java/commons-io.jar
  /usr/share/java/commons-lang.jar
  /usr/share/java/commons-logging.jar
  /usr/share/java/httpcomponents/httpclient.jar
  /usr/share/java/httpcomponents/httpcore.jar
  /usr/share/java/jackson/jackson-core-asl.jar
  /usr/share/java/jackson/jackson-jaxrs.jar
  /usr/share/java/jackson/jackson-mapper-asl.jar
  /usr/share/java/jackson/jackson-mrbean.jar
  /usr/share/java/jackson/jackson-smile.jar
  /usr/share/java/jackson/jackson-xc.jar
  /usr/share/java/jaxb-api.jar
  /usr/lib/java/jss4.jar
  /usr/share/java/ldapjdk.jar
  /usr/share/java/pki/pki-certsrv.jar
  /usr/share/java/pki/pki-cmsutil.jar
  /usr/share/java/pki/pki-nsutil.jar
  /usr/share/java/pki/pki-tools.jar
  /usr/share/java/resteasy-base/resteasy-atom-provider.jar
  /usr/share/java/resteasy-base/resteasy-client.jar
  /usr/share/java/resteasy-base/resteasy-jackson-provider.jar
  /usr/share/java/resteasy-base/resteasy-jaxb-provider.jar
  /usr/share/java/resteasy-base/jaxrs-api.jar
  /usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar
  /usr/share/java/resteasy-base/resteasy-jaxrs.jar
  /usr/share/java/servlet.jar
  /usr/share/java/slf4j/slf4j-api.jar
  /usr/share/java/slf4j/slf4j-jdk14.jar

Requires:

  apache-commons-cli
  apache-commons-codec
  apache-commons-io
  apache-commons-lang
  apache-commons-logging
  jakarta-commons-httpclient
  java-1.8.0-openjdk-headless
  javassist
  jpackage-utils
  jss
  ldapjdk
  pki-base
  resteasy-base-atom-provider
  resteasy-base-client
  resteasy-base-jackson-provider
  resteasy-base-jaxb-provider
  resteasy-base-jaxrs
  resteasy-base-jaxrs-api
  rpmlib(CompressedFileNames)
  rpmlib(FileDigests)
  rpmlib(PayloadFilesHavePrefix)
  slf4j
  xalan-j2
  xerces-j2
  xml-commons-apis
  xml-commons-resolver
  rpmlib(PayloadIsXz)

Version strings that follow the requirement names in the header, in order: 0:1.7.5-10, 4.4.4-3, 4.19-5, 10.5.9-6.el7, 3.0.6-1, 3.0.6-1, 3.0.6-1, 3.0.6-1, 3.0.6-1, 3.0.6-1, 3.0.4-1, 4.6.0-1, 4.0-1, 5.2-1, 4.11.3
Changelog:

- Updated nuxwdog dependencies
- # RHEL 7.6:
- Bugzilla Bug #673182 - ECC keys not supported for signing audit logs (cfu)
- Bugzilla Bug #1593805 - Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu)
- Bugzilla Bug #1601071 - Certificate generation happens with partial attributes in CMCRequest file (cfu)
- Bugzilla Bug #1601569 - CC: Enable all config audit events (cfu)
- Bugzilla Bug #1608375 - CMC Revocations throws exception with same reqIssuer & certissuer (cfu)
- # RHCS 9.4:
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- # RHEL 7.6:
- Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0 with latest version (abokovoy)
- # RHCS 9.4:
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- # RHEL 7.6:
- Bugzilla Bug #1548203 - pki console configurations that involves ldap passwords leave the plain text password in signed audit logs (cfu)
- # RHCS 9.4:
- # Bugzilla Bug #1494591 - keyGen fails when only Identity

- Re-spin alpha builds

- # RHEL 7.6:
- Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (cfu)
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certificate (ftweedal)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu)
- Bugzilla Bug #1550742 - Address ECC profile overrides (cfu)
- Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu)
- Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu)
- Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request authenticated through SharedToken (cfu)
- # RHCS 9.4:
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- # RHEL 7.6:
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certifcate (ftweedal)
- Bugzilla Bug #1544843 - ExternalCA: Installation failed during csr generation with ecc (rrelyea, gkapoor)
- Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest upstream 10.5.x (RHEL) (mharmsen)
- Bugzilla Bug #1580394 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC (cfu)
- Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (ftweedal, cfu)
- Bugzilla Bug #1585866 - CRMFPopClient tool - should allow option to do no key archival (cfu)
- Bugzilla Bug #1588655 - Cert validation for installation with external CA cert (edewata)
- # RHCS 9.4:
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- Rebuild due to build system database problem

- # RHEL 7.5:
- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z] (cfu)
- Bugzilla Bug #1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor)
- Bugzilla Bug #1588944 - Cert validation for installation with external CA cert [rhel-7.5.z] (edewata)
- Bugzilla Bug #1588945 - CRMFPopClient tool - should allow option to do no key archival (cfu)
- Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access [rhel-7.5.z] (ftweedal, cfu)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

- Updated "jss" build and runtime requirements (mharmsen)
- # RHEL 7.5:
- Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu)
- Bugzilla Bug #1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z] (cfu)
- Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z] (jmagne)
- Bugzilla Bug #1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong input class_id [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

- # RHEL 7.5:
- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu)
- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu)
- # RHCS 9.3:
- # Bugzilla Bug #1560233 - libtps does not directly depend on libz

- # RHEL 7.5:
- Bugzilla Bug #1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z] (cfu)
- Bugzilla Bug #1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] (cheimes, mharmsen)
- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu)
- Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . [rhel-7.5.z] (mharmsen, cfu)
- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu)
- Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z] (akahat)
- # RHCS 9.3:
- # Bugzilla Bug #1560233 - libtps does not directly depend on libz

- # RHEL 7.5:
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata)
- Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata)
- Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM and FIPS (edewata)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event

- # RHEL 7.5:
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs (jmagne)
- Bugzilla Bug #1543242 - Regression in lightweight CA key replication (ftweedal)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

- # RHEL 7.5:
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata)
- Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and audit event logging at startup (jmagne)
- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee)
- Bugzilla Bug #1525306 - CC: missing CMC request and response record (cfu)
- Bugzilla Bug #1532933 - Installing subsystems with external CMC certificates in HSM environment shows import error (edewata)
- Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm (edewata)
- Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers permitted in fips mode (mharmsen)
- Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED outcomes. (edewata)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu)
- Bugzilla Bug #1541526 - CMC: Revocation works with an unknown revRequest.issuer (cfu)
- Bugzilla Bug #1541853 - ProfileService: config values with backslashes have backslashes removed (ftweedal)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit
- # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the

- Updated jss, nuxwdog, and openssl dependencies
- # RHEL 7.5:
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in few cases (ftweedal)
- Bugzilla Bug #1428021 - CC: shared token storage and retrieval mechanism (cfu)
- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu)
- Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog (alee)
- Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during pkispawn (alee)
- Bugzilla Bug #1520526 - p12 admin certificate is missing when certificate is signed Externally (edewata)
- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee)
- Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to missing nextupdate field (ftweedal)
- Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen)
- Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords in several different files after installation completes (alee)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

- # RHEL 7.5:
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- Bugzilla Bug #1466066 - CC: Secure removal of secret data storage (jmagne)
- Bugzilla Bug #1518096 - ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates (cfu)
- # RHCS 9.3:
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- # RHEL 7.5:
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- # RHCS 9.3:
- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals

- Patch applying check-ins since 10.5.1-1

- # RHEL 7.5:
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- # RHCS 9.3:
- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- # RHEL 7.5:
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- # RHCS 9.3:
- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
- #Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0

- #Require "jss >= 4.4.0-8" as a build and runtime requirement
- # RHEL 7.4:
- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332
- # Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions)
- # Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error
- # Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from
- # Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS)
- # Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin
- # dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data:
- # RHCS 9.2:
- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271
- # Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and
- # Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin

- Resolves: rhbz #1463350
- # RHEL 7.4:
- # Bugzilla Bug #1463350 - Access banner validation (edewata)

- # Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446
- # RHEL 7.4:
- # Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing
- # Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause
- # Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert
- # Bugzilla Bug #1463350 - Access banner validation (edewata)
- # Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal
- # Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen)
- # Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with
- # Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option
- # Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03
- # Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system

- # Resolves: rhbz #1469432
- # RHEL 7.4:
- # Bugzilla Bug #1469432 - CMC plugin default change
- # Resolves CVE-2017-7537
- # Fixes BZ #1470948

- # RHEL 7.4:
- Bugzilla Bug #1458043 - Key recovery on token fails with invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after deleting the any of the subsystem certs from it (ftweedal)

- # RHEL 7.4:
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu)
- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC revocation non-signing cert requests (cfu)
- Bugzilla Bug #1458047 - change the way aes clients refer to aes keysets (alee)
- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code (alee)
- Bugzilla Bug #1460028 - In keywrap mode, key recovery on KRA with HSM causes KRA to crash (ftweedal)

- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
- # RHEL 7.4:
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (edewata)
- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
- Bugzilla Bug #1454450 - SubCA installation failure with 2 step installation in fips enabled mode (edewata)
- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import is asking for password when already provided (edewata)
- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
- Bugzilla Bug #1458043 - Key recovery using externalReg fails with java null pointer exception on KRA (alee)
- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter (edewata)
- Bugzilla Bug #1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata)
- # RHCS 9.2:
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)
########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne) - Bugzilla Bug #1445519 - CA Server installation with HSM fails (jmagne) - Bugzilla Bug #1452617 - Unable to create IPA Sub CA (ftweedal) - Bugzilla Bug #1454471 - Enabling all subsystems on startup (edewata) - Bugzilla Bug #1455617 - Key recovery on token fails because key record is not marked encrypted (alee)- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error (mharmsen)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal non-signing cert requests (cfu) - Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof (cfu) - Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (mharmsen) - Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata) - Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne) - Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen) - Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. (edewata) - Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata) - Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED audit event. (edewata)- ########################################################################## - # RHEL 7.4: - ########################################################################## - Bugzilla Bug #1386303 - cannot extract generated private key from KRA when HSM is used. 
(alee) - Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from the KRA (ftweedal) - Bugzilla Bug #1448204 - pkispawn of clone install fails with InvalidBERException (ftweedal) - Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on thales hsm (alee) - Updated "jss" build and runtime requirements (mharmsen) - ########################################################################## - # RHCS 9.2: - ########################################################################## - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in conjunction with FreeIPA (ftweedal) - Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the startTime parameter is not working as expected. 
(jmagne) - Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu) - Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal) - Bugzilla Bug #1445088 - profile modification cannot remove existing config parameters (ftweedal) - Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption) (RHEL) (alee) - Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when pki CLI terminates SSL connection (edewata) - Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) (RHCS) (alee)- ############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1282504 - Installing pki-server in container reports scriptlet failed, exit status 1 (jpazdziora) - Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata) - Bugzilla Bug #1410650 - [RFE] Add SCP03 support for sc 7 g & d cards (RHEL) (jmagne) - Bugzilla Bug #1437591 - cli authentication using expired cert throws an exception (edewata) - Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a request (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1274086 - [RFE] Add SCP03 support for sc 7 g & d cards (RHCS) (jmagne) - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures 
(edewata) - Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata) - Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature implementation (cfu)- Require "nss >= 3.28.3" as a build and runtime requirement - Require "jss >= 4.4.0-4" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement - dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find failure (edewata) - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - ############################################################################ - # RHEL 7.4: - ############################################################################ - ############################################################################ - # RHCS 9.2: - ############################################################################ - ############################################################################ - # Common Criteria - ############################################################################ - Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature implementation (cfu) - Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption cert requests (cfu) - Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata) - Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance protection cert mechanism (cfu)- Require "jss >= 4.4.0-1" as a build and runtime requirement - Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement - ############################################################################ - Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4 - Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x - 
############################################################################ - # RHEL 7.4: - ############################################################################ - Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1238684 - Generating Symmetric key fails with key-generate when --usages verify (vakwetu) - Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does not show proper error message (vakwetu) - Bugzilla Bug #1305993 - Add profile component that copies CN to SAN (ftweedal) - Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1325071 - add options to enable/disable cert or crl publishing. (vakwetu) - Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) 
(edewata) - Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata) - Bugzilla Bug #1372052 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1375347 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - Bugzilla Bug #1376226 - IPA replica-prepare failed with error "Profile caIPAserviceCert Not Found" (ftweedal) - Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata) - Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1382066 - Problems with FIPS mode (edewata) - Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen) - Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHEL 7) (edewata) - Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA (vakwetu) - Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata) - Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL) (jmagne) - Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate (vakwetu) - Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website incorrect (vakwetu) - Bugzilla Bug #1410650 - [RFE] Add SCP03 
support (RHEL) (jmagne) - Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata) - Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata) - Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 environment. (edewata) - ############################################################################ - # RHCS 9.2: - ############################################################################ - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) - Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHCS 9) (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (RHCS) (jmagne) - Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata) - Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS) (jmagne) - 
############################################################################- ## RHEL 7.3.z Batch Update 4 - Bugzilla Bug #1429492 - Add profile component that copies CN to SAN (ftweedal)- ## RHCS 9.1.z Batch Update 3 - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - ## RHEL 7.3.z Batch Update 3 - Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu) - Bugzilla Bug #1417064 - Unable to search certificate requests using the latest request ID (edewata) - Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website incorrect (alee) - Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal) - Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert (edewata) - Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6 environment. (edewata)- Separate original patches into RHEL and RHCS portions - ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne) - Bugzilla Bug #1404900 - RHCS logging properties (edewata)- ## RHEL 7.3.z Batch Update 2 - Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata) - Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata) - Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-base] (edewata) - Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS mode (edewata) - Bugzilla Bug #1403689 - 
pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne) - Bugzilla Bug #1404176 - logging properties and man pages (edewata) - ## RHCS 9.1.z Batch Update 2 - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-tps] (edewata) - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu) - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)- Marked the following RHCS 9.1.z bug: Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) as a duplicate of RHEL 7.3.z bug: Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) (added KRA key recovery via CLI in FIPS mode) - ## RHCS 9.1.z Batch Update 1 - Reverted patches associated with Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- ## RHEL 7.3.z Batch Update 1 - Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does not show proper error message (alee) - Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) 
(edewata) - Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal) - Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal) - Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA with partial certificate chain (edewata) - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) - Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar files (edewata) - Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java (edewata) - ## RHCS 9.1.z Batch Update 1 - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu) - Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne) - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne) - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches - Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu) - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne) - Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. 
(jmagne) - PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen) - PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed tokens (jmagne) - PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu) - PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar files (edewata)- Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata) - Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate - Restores: rhbz #1319557 - pkispawn KRA instance is failing server - Removes from Errata: rhbz #1372041 - Unable to create system certificates in different tokens- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata) - PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted (ftweedal) - PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled (ftweedal) - PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM) (cfu) - PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu) - PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata)- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne) - PKI TRAC Ticket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor) - PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open - PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server (edewata)- PKI TRAC Ticket 
#690 - [MAN] pki-tools man pages (mharmsen) - CMCEnroll - PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message "PKIException: LDAP error (21): error result" (edewata) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (cheimes, edewata, mharmsen) - PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata) - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata, mharmsen) - PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem format with/without header works while pkcs7 with header is not allowed (edewata) - PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)- Bugzilla Bug #1366465 - Errata TPS upgrade test fails- PKI TRAC Ticket #978 - TPS connector man page: add revocation routing info (cfu) - PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page (jmagne) - PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu) - PKI TRAC Ticket #2381 - Throws exception while providing invalid module. 
(edewata) - PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable should accept only boolean value (edewata) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements (akasurde, alee, cheimes, edewata, jmagne, mharmsen) - PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not rpm-require hostname (mharmsen) - PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and pki-server (cheimes) - PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata) - PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne) - PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not apply the specified trust bits (alee) - PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen during installation (alee) - PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are not used (ftweedal) - PKI TRAC Ticket #2421 - Incorrect SELinux contexts Installation/Configuration (edewata) - PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full (edewata) - PKI TRAC Ticket #2428 - broken request links for CA's system certs in agent request viewing (cfu) - PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial number in migration case (jmagne) - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. 
(mharmsen) - PKI TRAC Ticket #2433 - Lightweight CA GET /chain returns bogus PEM data (ftweedal)- PKI TRAC Ticket #691 - [MAN] pki-server man pages (mharmsen) - PKI TRAC Ticket #1114 - [MAN] Generating Symmetric key fails with key-generate when --usages verify is passed (jmagne) - PKI TRAC Ticket #1306 - [RFE] Add granularity to token termination in TPS (cfu) - PKI TRAC Ticket #1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys (cfu) - PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages (mharmsen) - PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation (mharmsen) - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne) - PKI TRAC Ticket #1711 - CLI :: pki-server ca-cert-request-find throws IOError (edewata, ftweedal) - PKI TRAC Ticket #2285 - freeipa fails to start correctly after pki-core update on upgraded system (ftweedal) - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal" (mharmsen) - PKI TRAC Ticket #2349 - Separated TPS does not automatically receive shared secret from remote TKS (jmagne) - PKI TRAC Ticket #2364 - CLI :: pki-server ca-cert-request-show throws attribute error (ftweedal) - PKI TRAC Ticket #2368 - pki-server subsystem subcommands throws error with --help option (edewata) - PKI TRAC Ticket #2374 - KRA cloning overwrites CA signing certificate trust flags (edewata) - PKI TRAC Ticket #2380 - Pki-server instance commands throws exception while specifying invalid parameters. 
(edewata) - PKI TRAC Ticket #2384 - CA installation with HSM prompts for HSM password during silent installation (edewata) - PKI TRAC Ticket #2385 - Upgraded CA lacks ca.sslserver.certreq in CS.cfg (ftweedal) - PKI TRAC Ticket #2387 - Add config for default OCSP URI if none given (ftweedal) - PKI TRAC Ticket #2388 - CA creation responds 500 if certificate issuance fails (ftweedal) - PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu) - PKI TRAC Ticket #2390 - Dogtag 10.3.4: Miscellaneous Enhancements (akasurde, edewata)- PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks pki-core (ftweedal)- Updated release number to 10.3.3-1- Updated version number to 10.3.3-0.1- Provided cleaner runtime dependency separation- Updated tomcatjss version dependencies- Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.- Updated tomcat version dependencies- Updated version number to 10.3.2-1- Updated version number to 10.3.2-0.1- Updated version number to 10.3.1-1 (to allow upgrade from 10.3.0.b1)- Updated version number to 10.3.0-1- Build for F24 beta- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes.- Updated build for F24 alpha- PKI TRAC Ticket #1625 - Allow multiple ACLs of same name (union of rules) [ftweedal] - PKI TRAC Ticket #2237 - Add CRL dist points extension to OIDMap unconditionally [edewata] - PKI TRAC Ticket #1803 - Removed unnecessary URL encoding for admin cert request. [edewata] - PKI TRAC Ticket #1742 - Added support for cloning 3rd-party CA certificates. [edewata] - PKI TRAC Ticket #1482 - Added TPS token filter dialog. [edewata] - PKI TRAC Ticket #1808 - Fixed illegal token state transition via TEMP_LOST. 
[edewata]- Build for F24 alpha- PKI Trac Ticket #1399 - Move java components out of pki-base- PKI TRAC Ticket #1850 - Rename DRMTool --> KRATool- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps should be removed- PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing- Updated version number to 10.3.0-0.1- Added dep on tomcat-servlet-3.1-api [Fedora 23 and later] or dep on tomcat-servlet-3.0-api [Fedora 22 and later] to pki-tools - Updated dep on tomcatjss [Fedora 23 and later]- Updated dep on policycoreutils-python-utils [Fedora 23 and later]- Updated version number to 10.2.7-0.1- Update release number for release build- Remove setup directory and remaining Perl dependencies- Remove ExcludeArch directive- Updated version number to 10.2.6-0.1- Update release number for release build- Resolves rhbz #1230970 - Errata TPS tests for rpm verification failed- Updated version number to 10.2.5-0.1- Update release number for release build- Updated nuxwdog and tomcatjss requirements (alee)- Updated version number to 10.2.4-0.1 - Added nuxwdog systemd files- Update release number for release build- Reverted version number back to 10.2.3-0.1 - Added support for Tomcat 8.- Updated version number to 10.3.0-0.1- Updated version number to 10.2.3-0.1- Update release number for release build- Updated version number to 10.2.2-0.1 - Moved web application deployment locations. - Updated Resteasy and Jackson dependencies. - Added missing python-lxml build dependency.- Update release number for release build- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2 - PKI TRAC Ticket #1205 - Outdated selinux-policy dependency. 
- Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies- Change resteasy dependencies for F22+- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade (cfu) - PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen) - up the release number to 0.2- Updated version number to 10.2.1-0.1. - Added CLIs to simplify generating user certificates - Added enhancements to KRA Python API - Added a man page for pki ca-profile commands. - Added python api docs- Disable pylint dependency for RHEL builds - Added jakarta-commons-httpclient requirements - Added tomcat version for RHEL build - Added resteasy-base-client for RHEL build- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec- Update release number for release build- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps- Merged jmagne@redhat.com's spec file changes from the stand-alone 'pki-tps-client' package needed to build/run the native 'tpsclient' command line utility into this 'pki-core' spec file under the 'tps' package. - Original tps libraries must be built to support this native utility. - Modifies tps package from 'noarch' into 'architecture-specific' package- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' packages . . .- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Respin to include the applet files with the rpm install. No change to spec file needed.- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires -- drop dependency on java-atk-wrapper - Removed 'java-atk-wrapper' dependency from 'pki-server'- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .- Update rawhide build- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- Use Requires: java-headless rebuild (#1067528)- Added option to build without server packages. - Replaced Jettison with Jackson. 
- Added python-nss build requirement - Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python - TRAC Ticket #840 - pkispawn requires policycoreutils-python - Updated requirements for resteasy - Added template files for archive, retrieve and generate key requests to the client package.- Trac Ticket 788 - Clean up spec files - Update release number for release build - Updated requirements for resteasy- Change release number for beta build- Updated requirements for tomcat- Removed additional /var/run, /var/lock references.- Removed delivery of /var/lock and /var/run directories for fedora 20.- Moved Tomcat-based TPS into pki-core.- Listed new packages required during build, due to issues reported by pylint. - Packages added: python-requests, python-ldap, libselinux-python, policycoreutils-python- Added pylint scan to the build process.- Added man pages for upgrade tools.- Cleaned up the code to install man pages.- Reorganized deployment tools.- Bugzilla Bug 973224 - resteasy-base must be split into subpackages to simplify dependencies- Updated dependencies to Java 1.7.- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page - TRAC Ticket 610 - Document limitation in using GUI install - TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory- Change release number for 10.1 development- Fixed incorrect JNI_JAR_DIR.- TRAC Ticket 605 Junit internal function used in TestRunner, breaks F19 build- TRAC Ticket 604 Added fallback methods for pkispawn tests- Added default pki.conf in /usr/share/pki/etc - Create upgrade tracker on install and remove it on uninstall- Change release number for official release.- Added %pretrans script for f19 - Added java-atk-wrapper dependency- Added pki-server-upgrade script and pki.server module. 
- Call upgrade scripts in %post for pki-base and pki-server.- Added dependency on commons-io.- Add /var/log/pki and /var/lib/pki directories- Run pki-upgrade on post server installation.- Added dependency on python-lxml.- Added pki-upgrade script.- Updated version number to 10.0.2-0.1.- Renamed base/deploy to base/server. - Moved pki.conf into pki-base. - Removed redundant pki/server folder declaration.- Removed jython dependency- Added minimum python-requests version.- Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar- Added dependency on python-requests. - Reorganized Python module packaging.- Added dependency on python-ldap.- TRAC Ticket #517 - Clean up theme dependencies - TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .- Removed runtime dependency on 'pki-server-theme' to resolve Bugzilla Bug #916134 - unresolved dependency in pki-server: pki-server-theme- TRAC Ticket 214 - Missing error description for duplicate user - TRAC Ticket 213 - Add nonces for cert revocation - TRAC Ticket 367 - pkidestroy does not remove connector - TRAC Ticket #430 - License for 3rd party code - Bugzilla Bug 839426 - [RFE] ECC CRL support for OCSP - Fix spec file to allow f17 to work with latest tomcatjss - TRAC Ticket 466 - Increase root CA validity to 20 years - TRAC Ticket 469 - Fix tomcatjss issue in spec files - TRAC Ticket 468 - pkispawn throws exception - TRAC Ticket 191 - Mapping HTTP Exceptions to HTTP error codes - TRAC Ticket 271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . . 
- TRAC Ticket 437 - Make admin cert p12 file location configurable
- TRAC Ticket 393 - pkispawn fails when selinux is disabled
- Punctuation and formatting changes in man pages
- Revert to using default config file for pkidestroy
- Hardcode setting of resteasy-lib for instance
- TRAC Ticket 436 - Interpolation for pki_subsystem
- TRAC Ticket 433 - Interpolation for paths
- TRAC Ticket 435 - Identical instance id and instance name
- TRAC Ticket 406 - Replace file dependencies with package dependencies

- TRAC Ticket #430 - License for 3rd party code

- TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and dogtag-pki.spec . . .
- TRAC Ticket #468 - pkispawn throws exception

- Replaced file dependencies with package dependencies

- Updated man pages

- Update to official release for rc1

- TRAC Ticket #315 - Man pages for pkispawn/pkidestroy.
- Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.

- Added system-wide configuration /etc/pki/pki.conf.
- Removed redundant lines in %files.

- Moved default deployment configuration to /etc/pki.

- Cleaned up spec file to provide only support rhel 7+, f17+
- Added resteasy-base dependency for rhel 7
- Update cmake version

- Update release to b3

- Removed dependency on CA, KRA, OCSP, TKS theme packages.

- Renamed pki-common-theme to pki-server-theme.

- TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server'

- Update release to b2

- TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .

- Added Obsoletes for pki-selinux

- Remove build of pki-selinux for f18, use system policy instead

- Update required tomcatjss version
- Added net-tools dependency

- Update selinux-policy version to fix error from latest policy changes

- Fix typo in selinux policy versions

- Added build requires for correct version of selinux-policy-devel

- Update release to b1

- Merged pki-silent into pki-server.

- Renamed "shared" folder to "server".

- Added required selinux versions for new policy.

- Added Provides to packages replacing obsolete packages.

- Update release to a2

- Modified CMake to use RPM version number

- Added VERSION file

- Merged pki-setup into pki-server

- Added Conflicts for IPA 2.X
- Added build requires for zip to work around mock problem

- TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances upon RPM "update" . . .
- TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from /usr/bin to /usr/sbin . . .

- Fixed pki-server to include everything in shared dir.

- Added build dependency on redhat-rpm-config.

- Merged Javadoc packages.

- Added pki-tomcat.jar.

- Moved webapp creation code into pkispawn.

- Split pki-client.jar into pki-certsrv.jar and pki-tools.jar.

- Merged pki-native-tools and pki-java-tools into pki-tools.
- Modified pki-server to depend on pki-tools.

- Split pki-common into pki-base and pki-server.
- Merged pki-util into pki-base.
- Merged pki-deploy into pki-server.

- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 17
- Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
- Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common

- Added pki-client.jar.

- Merged pki-jndi-realm.jar into pki-cmscore.jar.

- PKI TRAC Task #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .

- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)

- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18

- Added CLI for REST services

- Integration of Tomcat 7
- Addition of centralized 'pki-tomcatd' systemd functionality to the PKI Deployment strategy
- Removal of 'pki_flavor' attribute

- BZ 813075 - selinux denial for file size access

- Bug 745278 - [RFE] ECC encryption keys cannot be archived

- Replaced candlepin-deps with resteasy

- Added option to build without Javadoc

- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
- Corrected patch selected for selinux f17 rules

- Corrected 'junit' dependency check

- Initial attempt at PKI deployment framework described in 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.

- Added support for pki-jndi-realm in tomcat6 in pki-common and pki-kra.
- Ticket #69.

- For 'mock' purposes, removed platform-specific logic from around the 'patch' files so that ALL 'patch' files will be included in the SRPM.

- Removed dependency on OSUtil.

- 'pki-selinux'
- Added platform-dependent patches for SELinux component
- Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)

- Added dependency on Apache Commons Codec.

- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes in fundamental path structure in Fedora 17
- 'pki-setup'
- Hard-code Perl dependencies to protect against bugs such as Bugzilla Bug #772699 - Adapt perl and python fileattrs to changed file 5.10 magics
- 'pki-selinux'
- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess

- Integrated 'pki-kra' into 'pki-core'
- Integrated 'pki-ocsp' into 'pki-core'
- Integrated 'pki-tks' into 'pki-core'
- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements

- Updated package version number

- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup

- Added JUnit tests

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1) (cfu)
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #746367 - Typo in the profile name. (jmagne)
- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu)
- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 (rawhide) . . . (mharmsen)
- Bugzilla Bug #749945 - Installation error reported during CA, DRM, OCSP, and TKS package installation . . . (mharmsen)
- 'pki-silent'

- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-setup'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee)
- 'pki-symkey'
- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne)
- 'pki-native-tools'
- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-util'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- Bugzilla Bug #737218 - Incorrect request attribute name matching ignores request attributes during request parsing. (awnuk)
- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS).
  (jmagne)
- 'pki-selinux'
- Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee)
- 'pki-ca'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-silent'
- Bugzilla Bug #739201 - pkisilent does not take arch into account as Java packages migrated to arch-dependent directories (mharmsen)

- 'pki-setup'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-symkey'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-java-tools'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-common'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-silent'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .

- 'pki-setup'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-ca'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-common'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)

- 'pki-setup'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-symkey'
- 'pki-native-tools'
- Bugzilla Bug #717643 - Fopen without NULL check and other Coverity issues (awnuk)
- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
- 'pki-util'
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #700522 - pki tomcat6 instances currently running unconfined, allow server to come up when selinux disabled (alee)
- Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm) (alee)
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-selinux'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-ca'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-silent'

- 'pki-setup'
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by renumbering "cn=" (mharmsen)
- 'pki-common'
- Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like (jmagne, awnuk)
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)
- Bugzilla Bug #708075 - Clone installation does not work over NAT (alee)
- Bugzilla Bug #726785 - If replication fails while setting up a clone it will wait forever (alee)
- Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk)
- Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee)
- 'pki-selinux'
- Bugzilla Bug #700505 - pki tomcat6 instances currently running
  unconfined (alee)
- 'pki-ca'
- Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs in IPA profile (awnuk)
- 'pki-silent'
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne)
- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #720510 - Console: Adding a certificate into nethsm throws Token not found error. (jmagne)
- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne)
- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee)
- Bugzilla Bug #722989 - Registering an agent when a subsystem is created - does not log AUTHZ_SUCCESS event. (alee)
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert (awnuk)
- 'pki-silent'

- Updated release of 'jss'
- Updated release of 'tomcatjss' for Fedora 15
- 'pki-setup'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis)
- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-symkey'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-native-tools'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #717765 - TPS configuration: logging into security domain from tps does not work with clientauth=want.
  (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-util'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-java-tools'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record processing) (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-common'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems (alee)
- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (alee)
- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk)
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (jmagne)
- Bugzilla Bug #698885 - Race conditions during IPA installation (alee)
- Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface: SubjectID=$Unidentified$ fails audit evaluation (jmagne)
- Bugzilla Bug #705914 - SCEP mishandles nicknames when processing subsequent SCEP requests. (awnuk)
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added.
  (jmagne)
- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee)
- Bugzilla Bug #707416 - additional audit messages for GetCookie (alee)
- Bugzilla Bug #707607 - Published certificate summary has list of non-published certificates with succeeded status (jmagne)
- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated for tps and ca on server shutdown (jmagne)
- Bugzilla Bug #697939 - DRM signed audit log message - operation should be read instead of modify (jmagne)
- Bugzilla Bug #718427 - When audit log is full, server continue to function. (alee)
- Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in CA's signedaudit log when a directory based user enrollment is performed (jmagne)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-selinux'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-ca'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis)
- Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems (mharmsen)
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. (jmagne)
- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee)
- Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee pages (alee)
- Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs for a revocation invoked by EE user (awnuk)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-silent'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.
  (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Added 'DRMTool.cfg' configuration file to inventory
- 'pki-common'
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #532548 - Tool to do DRM re-key
- 'pki-common'
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- 'pki-setup'
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
- Bugzilla Bug #694569 - parameter used by pkiremove not updated
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems
- Bugzilla Bug #694569 - parameter used by pkiremove not updated
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages
- Bugzilla Bug #694143 - CA Agent not returning specified request
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages
- Bugzilla Bug #698885 - Race conditions during IPA installation
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
- Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems
- 'pki-silent'

- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.

- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
- Bugzilla Bug #693327 - Missing requires: tomcatjss
- 'pki-setup'
- Bugzilla Bug #690626 - pkiremove removes the registry entry for all instances on a machine
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.
- 'pki-common'
- Bugzilla Bug #692990 - Audit log messages needed to match CC doc: DRM Recovery audit log messages
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- Bugzilla Bug #693327 - Missing requires: tomcatjss

- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
- Require "jss >= 4.2.6-15" as a build and runtime requirement
- Require "tomcatjss >= 2.1.1" as a build and runtime requirement for Fedora 15 and later platforms
- 'pki-setup'
- Bugzilla Bug #688287 - Add "deprecation" notice regarding using "shared ports" in pkicreate -help . . .
- Bugzilla Bug #688251 - Dogtag installation under IPA takes too much time - SELinux policy compilation
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple extensions
- 'pki-common'
- Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed'
- Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled on the EE port
- 'pki-selinux'
- Bugzilla Bug #684871 - ldaps selinux link change
- 'pki-ca'
- Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed'
- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments
- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.(profile and CS.cfg only)
- 'pki-silent'

- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha)
- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance
- Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found
- 'pki-setup'
- Bugzilla Bug #678157 - uninitialized variable warnings from Perl
- Bugzilla Bug #679574 - Velocity fails to load all dependent classes
- Bugzilla Bug #680420 - xml-commons-apis.jar dependency
- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in its classpath
- Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong
  library name for SafeNet LunaSA
- 'pki-common'
- Bugzilla Bug #673638 - Installation within IPA hangs
- Bugzilla Bug #678715 - netstat loop fixes needed
- Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet
- 'pki-selinux'
- Bugzilla Bug #674195: SELinux error message thrown during token enrollment
- 'pki-ca'
- Bugzilla Bug #673638 - Installation within IPA hangs
- Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet
- Bugzilla Bug #676330 - init script cannot start service
- 'pki-silent'
- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in its classpath

- 'pki-common'
- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA instance
- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance

- 'pki-common'
- Bugzilla Bug #674894 - ipactl restart : an annoy output line
- Bugzilla Bug #675179 - ipactl restart : an annoy output line

- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes
- 'pki-setup'
- Bugzilla Bug #673638 - Installation within IPA hangs
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package
- 'pki-common'
- Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment"
- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error.
- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the "begin" state instead of "complete".
- Bugzilla Bug #504055 - SCEP requests are not properly populated
- Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries
- Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment"
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package
- Bugzilla Bug #672920 - CA console: adding policy to a profile throws 'Duplicate policy' error in some cases.
- Bugzilla Bug #673199 - init script returns control before web apps have started
- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #504013 - sscep request is rejected due to authentication error if submitted through one time pin router certificate enrollment.
- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing information
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation
- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances
- 'pki-silent'
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package

- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files in /var/run and /var/lock

- 'pki-symkey'
- Bugzilla Bug #671265 - pki-symkey jar version incorrect
- 'pki-common'
- Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries

- Allow 'pki-native-tools' to be installed independently of 'pki-setup'
- Removed explicit 'pki-setup' requirement from 'pki-ca' (since it already requires 'pki-common')
- 'pki-setup'
- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group
- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP and TKS.
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port forwarding for agent services
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, pkicreate fails Fedora 14 and above
- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source repository
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-symkey'
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #644056 - CS build contains warnings
- 'pki-native-tools'
- template change
- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #644056 - CS build contains warnings
- 'pki-util'
- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical cannot be set to true
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail
- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and CS interface
- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse ASN.1 encoding/decoding is broken
- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 encoding/decoding is incomplete
- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 encoding/decoding is incomplete
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #658188 - remove remaining references to tomcat5
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #223319 - Certificate Status inconsistency between token db and CA
- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation
- 'pki-java-tools'
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to 5000 bytes
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-common'
- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable started before configuration completed
- Bugzilla Bug #620925 - CC: auditor needs to be able to
  download audit logs in the java subsystems
- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 policy mappings (seem hardcoded)
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #548699 - subCA's admin certificate should be generated by itself
- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile caAgentServerCert (null cert_request)
- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited number of times
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #629677 - TPS: token enrollment fails.
- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN in a SCEP request
- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection pools not reliable - improve connections or discovery
- Bugzilla Bug #629769 - password decryption logs plain text password
- Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate.
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all security relevant config items
- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS.
- Bugzilla Bug #489342 - com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves
- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail
- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated for SCEP signing and encryption.
- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA
- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ?
- Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems)
- Bugzilla Bug #223313 - should do random generated IV param for symmetric keys
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port forwarding for agent services
- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory
- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes).
- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request
- Bugzilla Bug #648757 - expose and use updated cert verification function in JSS
- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves
- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing e.c. support
- Bugzilla Bug #651040 - cloning should not include sslserver
- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to CS.cfg files incomplete when the cert is stored on a hsm
- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . .
- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel
- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it is added
- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires auditing
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #499494 - change CA defaults to SHA2
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group.
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected
- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an error to TPS even if certificate in question is already revoked.
- Bugzilla Bug #663546 - Disable the functionalities that are not exposed in the console
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #658188 - remove remaining references to tomcat5
- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256
- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added
- Bugzilla Bug #642741 - CS build uses deprecated functions
- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error
- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console
- 'pki-selinux'
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - selinux changes
- 'pki-ca'
- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems
- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of CC interface doc review
- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with admin privilege throws error "You are not authorized to perform this operation".
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review
- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws 'Internal Server Error'.
- Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate.
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS.
- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves
- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ?
- Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems)
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port forwarding for agent services
- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes).
- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request
- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves
- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- DRM and TKS do not seem to have CRL checking enabled
- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help correctly set up CC environment
- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in certificates (RFC 4262)
- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel
- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object signing support in RHCS
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #499494 - change CA defaults to SHA2
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group.
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected
- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs in TPS
- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature
- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256
- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source repository
- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added
- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage
- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console
- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation
- 'pki-silent'
- Bugzilla Bug #627309 - pkisilent subca configuration fails.
- Bugzilla Bug #640091 - pkisilent panels need to match with changed java subsystems
- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM Clone.
- Bugzilla Bug #643053 - pkisilent DRM configuration fails
- Bugzilla Bug #583754 - pki-silent needs an option to configure signing algorithm for CA certificates
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #640042 - TPS Installation Wizard: need to move Module Panel up to before Security Domain Panel
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #588323 - Failed to enable cipher 0xc001
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, signing algorithm
- Bugzilla Bug #658641 - pkisilent doesn't properly handle passwords with special characters
- Bugzilla Bug #642741 - CS build uses deprecated functions

- Bugzilla Bug #668839 - Review Request: pki-core
- Removed empty "pre" from "pki-ca"
- Consolidated directory ownership
- Corrected file ownership within subpackages
- Removed all versioning from NSS and NSPR packages

- Bugzilla Bug #668839 - Review Request: pki-core
- Added component versioning comments
- Updated JSS from "4.2.6-10" to "4.2.6-12"
- Modified installation section to preserve timestamps
- Removed sectional comments

- Initial revision.
(kwright@redhat.com & mharmsen@redhat.com)

Package file names: pki, pki-certsrv.jar, pki-cmsutil.jar, pki-nsutil.jar, java, CACertClientExample.java, CAClientExample.java, lib, commons-cli.jar, commons-codec.jar, commons-httpclient.jar, commons-io.jar, commons-lang.jar, commons-logging.jar, httpclient.jar, httpcore.jar, jackson-core-asl.jar, jackson-jaxrs.jar, jackson-mapper-asl.jar, jackson-mrbean.jar, jackson-smile.jar, jackson-xc.jar, jaxb-api.jar, jss4.jar, ldapjdk.jar, pki-certsrv.jar, pki-cmsutil.jar, pki-nsutil.jar, pki-tools.jar, resteasy-atom-provider.jar, resteasy-client.jar, resteasy-jackson-provider.jar, resteasy-jaxb-provider.jar, resteasy-jaxrs-api.jar, resteasy-jaxrs-jandex.jar, resteasy-jaxrs.jar, servlet.jar, slf4j-api.jar, slf4j-jdk14.jar

Package directories: /usr/share/java/, /usr/share/java/pki/, /usr/share/pki/examples/, /usr/share/pki/examples/java/, /usr/share/pki/, /usr/share/pki/lib/

Build flags: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic

Build platform: x86_64-redhat-linux-gnu