Update to upstream 0.79.6

2018-05-08 13:08:07 -04:00 · 2018-05-08 13:08:07 -04:00 · f021a3d3fd
commit f021a3d3fd
parent 3548e64705
8 changed files with 12 additions and 895 deletions
--- a/.gitignore
+++ b/.gitignore
@ -122,3 +122,4 @@ certmonger-0.28.tar.gz
 /certmonger-0.79.3.tar.gz.sig
 /certmonger-0.79.4.tar.gz
 /certmonger-0.79.5.tar.gz
 /certmonger-0.79.6.tar.gz
--- a/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
+++ b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
@ -1,63 +0,0 @@
 From 3cb710fbea245476a49af77d670fedb35bba16de Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 9 Jan 2018 22:07:17 -0500
 Subject: [PATCH 1/6] Perm issues in sqlite databases show up in slightly
 different ways
 SQLite databases may return SEC_ERROR_READ_ONLY instead of
 SEC_ERROR_BAD_DATABASE.
 If a database is opened as read-write but it fails (e.g. in a
 read-only directory) it will try again to open it as read-only
 and potentially fail because it doesn't exist at all. This sets
 errno as ENOENT rather than the expected EACCES so treat that
 as a read failure as well.
 Related: https://pagure.io/certmonger/issue/88
 ---
 src/certsave-n.c | 5 ++++-
 src/keygen-n.c   | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
 diff --git a/src/certsave-n.c b/src/certsave-n.c
 index 67deb88b..a2c97000 100644
 --- a/src/certsave-n.c
 +++ b/src/certsave-n.c
@@ -128,10 +128,13 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			      NSS_INIT_NOMODDB);
 	ec = PORT_GetError();
 	if (ctx == NULL) {
 -		if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 +		if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
 +		        ec = PR_NO_ACCESS_RIGHTS_ERROR;
 +		} else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 			switch (errno) {
 			case EACCES:
 			case EPERM:
 +			case ENOENT:
 				ec = PR_NO_ACCESS_RIGHTS_ERROR;
 				break;
 			default:
 diff --git a/src/keygen-n.c b/src/keygen-n.c
 index 08f00496..8078a520 100644
 --- a/src/keygen-n.c
 +++ b/src/keygen-n.c
@@ -169,10 +169,14 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 			      NSS_INIT_NOMODDB);
 	ec = PORT_GetError();
 	if (ctx == NULL) {
 -		if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 +		if ((ec == SEC_ERROR_READ_ONLY) && readwrite) {
 +			ec = PR_NO_ACCESS_RIGHTS_ERROR;
 +		}
 +		else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) {
 			switch (errno) {
 			case EACCES:
 			case EPERM:
 +			case ENOENT:
 				ec = PR_NO_ACCESS_RIGHTS_ERROR;
 				break;
 			default:
 -- 
 2.15.1
--- a/0002-SQLite-databases-require-a-password-to-modify-trust-.patch
+++ b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch
@ -1,52 +0,0 @@
 From f1b7eeceef117606c060f61542754f5556739469 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 9 Jan 2018 22:13:49 -0500
 Subject: [PATCH 2/6] SQLite databases require a password to modify trust and
 to sign
 This affects certutil -M and cmsutil -S. Need to add -f pinfile.
 https://pagure.io/certmonger/issue/88
 ---
 tests/030-rekey/run.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
 index 9b50da4a..07fea683 100755
 --- a/tests/030-rekey/run.sh
 +++ b/tests/030-rekey/run.sh
@@ -140,11 +140,11 @@ for preserve in 1 0 ; do
 	echo "This is the plaintext." > plain.txt
 	echo "NSS Signing:"
 -	certutil -M -d $tmpdir -n i$size -t P,P,P
 -	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed
 +	certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile
 +	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile
 	echo "NSS Verify:"
 -	cmsutil -D -d $tmpdir -f pinfile -i signed
 -	certutil -M -d $tmpdir -n i$size -t ,,
 +	cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile
 +	certutil -M -d $tmpdir -n i$size -t ,, -f pinfile
 	# Go and save the new certs and keys (NSS).
 	echo '(saving)'
@@ -163,11 +163,11 @@ for preserve in 1 0 ; do
 	echo "This is the plaintext." > plain.txt
 	echo "NSS Signing:"
 -	certutil -M -d $tmpdir -n i$size -t P,P,P
 -	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed
 +	certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile
 +	cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile
 	echo "NSS Verify:"
 -	cmsutil -D -d $tmpdir -f pinfile -i signed
 -	certutil -M -d $tmpdir -n i$size -t ,,
 +	cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile
 +	certutil -M -d $tmpdir -n i$size -t ,, -f pinfile
 	# Now generate new keys, CSRs, and certificates (OpenSSL).
 	echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
 -- 
 2.15.1
--- a/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
+++ b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
@ -1,405 +0,0 @@
 From 0cfefe50373cd5f7da5b49f1a1380ba8b5baf825 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 9 Jan 2018 22:14:53 -0500
 Subject: [PATCH 3/6] NSS in rawhide (F28) was switched to sqlite, fix
 assumptions
 Previous releases of NSS had dbm as the default storage type.
 Certain assumptions were built into the tests. Make the default
 scheme more explicit, leaving it as dbm for now.
 https://pagure.io/certmonger/issue/88
 ---
 tests/007-certsave-dbm/expected.out |  4 ++--
 tests/007-certsave/expected.out     |  4 ++--
 tests/007-certsave/run.sh           | 47 +++++++++++++++++++------------------
 tests/025-casave/run.sh             | 36 ++++++++++++++--------------
 tests/034-perms/expected.out        | 36 ++++++++++++++--------------
 tests/034-perms/run.sh              |  2 ++
 6 files changed, 66 insertions(+), 63 deletions(-)
 diff --git a/tests/007-certsave-dbm/expected.out b/tests/007-certsave-dbm/expected.out
 index e0978c66..ed6b4ede 100644
 --- a/tests/007-certsave-dbm/expected.out
 +++ b/tests/007-certsave-dbm/expected.out
@@ -37,7 +37,7 @@ Testing setting trust to C,c,p:
  wrong nickname, right subject: cert ,, 
  wrong subject, right nickname: cert ,, 
 [nss:rosubdir]
 -Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error.
 +Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error.
 [nss:rwsubdir]
 -Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error.
 +Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error.
 Test complete.
 diff --git a/tests/007-certsave/expected.out b/tests/007-certsave/expected.out
 index e0978c66..ed6b4ede 100644
 --- a/tests/007-certsave/expected.out
 +++ b/tests/007-certsave/expected.out
@@ -37,7 +37,7 @@ Testing setting trust to C,c,p:
  wrong nickname, right subject: cert ,, 
  wrong subject, right nickname: cert ,, 
 [nss:rosubdir]
 -Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error.
 +Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error.
 [nss:rwsubdir]
 -Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error.
 +Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error.
 Test complete.
 diff --git a/tests/007-certsave/run.sh b/tests/007-certsave/run.sh
 index bea8341a..29b02152 100755
 --- a/tests/007-certsave/run.sh
 +++ b/tests/007-certsave/run.sh
@@ -2,8 +2,9 @@
 cd "$tmpdir"
 +scheme="${scheme:-dbm}"
 source "$srcdir"/functions
 -initnssdb ${scheme:+${scheme}:}$tmpdir
 +initnssdb $scheme:$tmpdir
 wrongcert='-----BEGIN CERTIFICATE-----
  MIIDQTCCAimgAwIBAgIBBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdwaWxs
@@ -50,7 +51,7 @@ echo "$wrongcert" | sed -e 's,^$,,g' -e 's,^ ,,g' > cert.wrong
 echo "[nss:wrongnick]"
 cat > entry.nss << EOF
 cert_storage_type=NSSDB
 -cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +cert_storage_location=$scheme:$tmpdir
 cert_nickname=wrongnick
 cert=$cert
 EOF
@@ -59,7 +60,7 @@ $toolsdir/certsave entry.nss
 echo "[nss:wrongcert]"
 cat > entry.nss << EOF
 cert_storage_type=NSSDB
 -cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +cert_storage_location=$scheme:$tmpdir
 cert_nickname=cert
 cert=$wrongcert
 EOF
@@ -68,13 +69,13 @@ $toolsdir/certsave entry.nss
 echo "[nss:right]"
 cat > entry.nss << EOF
 cert_storage_type=NSSDB
 -cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +cert_storage_location=$scheme:$tmpdir
 cert_nickname=cert
 cert=$cert
 EOF
 $toolsdir/certsave entry.nss
 $toolsdir/listnicks entry.nss
 -certutil -d ${scheme:+${scheme}:}$tmpdir -L -n cert -a > cert.nss
 +certutil -d $scheme:$tmpdir -L -n cert -a > cert.nss
 # Save the wrong certificate to the PEM file.
 echo "[openssl:wrong]"
 cat > entry.openssl << EOF
@@ -96,7 +97,7 @@ run_dos2unix cert.original
 run_dos2unix cert.nss
 run_dos2unix cert.openssl
 if ! cmp cert.original cert.nss ; then
 -	echo Original and NSS disagree "(${scheme:+${scheme}:}$tmpdir)".
 +	echo Original and NSS disagree "($scheme:$tmpdir)".
 	cat cert.original cert.nss
 	exit 1
 fi
@@ -137,62 +138,62 @@ $toolsdir/certsave entry.openssl || true
 for trust in ,, P,, ,P, CT,C, C,c,p ; do
 	echo Testing setting trust to "$trust":
 	# Save the right certificate to NSS's database and read it back.
 -	initnssdb ${scheme:+${scheme}:}$tmpdir
 +	initnssdb $scheme:$tmpdir
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +	cert_storage_location=$scheme:$tmpdir
 	cert_nickname=cert
 	cert=$cert
 	EOF
 	$toolsdir/certsave entry.nss
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust
 +	certutil -d $scheme:$tmpdir -M -n cert -t $trust
 	echo -n " baseline: "
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 +	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 	$toolsdir/certsave entry.nss
 	echo -n " right nickname, right subject: "
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 +	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 	# Save the right certificate to NSS's database with the wrong nickname.
 -	initnssdb ${scheme:+${scheme}:}$tmpdir
 +	initnssdb $scheme:$tmpdir
 	$toolsdir/certsave entry.nss
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +	cert_storage_location=$scheme:$tmpdir
 	cert_nickname=wrongnick
 	cert=$cert
 	EOF
 	$toolsdir/certsave entry.nss
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n wrongnick -t $trust
 +	certutil -d $scheme:$tmpdir -M -n wrongnick -t $trust
 	# Save the right certificate to NSS's database and read it back.
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +	cert_storage_location=$scheme:$tmpdir
 	cert_nickname=cert
 	cert=$cert
 	EOF
 	$toolsdir/certsave entry.nss
 	echo -n " wrong nickname, right subject: "
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 +	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 	# Save the wrong certificate to NSS's database with the right nickname.
 -	initnssdb ${scheme:+${scheme}:}$tmpdir
 +	initnssdb $scheme:$tmpdir
 	$toolsdir/certsave entry.nss
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +	cert_storage_location=$scheme:$tmpdir
 	cert_nickname=cert
 	cert=$wrongcert
 	EOF
 	$toolsdir/certsave entry.nss
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust
 +	certutil -d $scheme:$tmpdir -M -n cert -t $trust
 	# Save the right certificate to NSS's database and read it back.
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=${scheme:+${scheme}:}$tmpdir
 +	cert_storage_location=$scheme:$tmpdir
 	cert_nickname=cert
 	cert=$cert
 	EOF
 	$toolsdir/certsave entry.nss
 	echo -n " wrong subject, right nickname: "
 -	certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 +	certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g'
 done
 if test "$scheme" = sql ; then
@@ -202,7 +203,7 @@ else
 	echo "[nss:rosubdir]"
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=$tmpdir/rosubdir
 +	cert_storage_location=$scheme:$tmpdir/rosubdir
 	cert_nickname=cert
 	cert=$cert
 	EOF
@@ -216,7 +217,7 @@ else
 	echo "[nss:rwsubdir]"
 	cat > entry.nss <<- EOF
 	cert_storage_type=NSSDB
 -	cert_storage_location=$tmpdir/rwsubdir
 +	cert_storage_location=$scheme:$tmpdir/rwsubdir
 	cert_nickname=cert
 	cert=$cert
 	EOF
 diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
 index 44a08b06..aff1e6d9 100755
 --- a/tests/025-casave/run.sh
 +++ b/tests/025-casave/run.sh
@@ -196,7 +196,7 @@ id=EntryD1
 root_cert_files=
 other_root_cert_files=
 other_cert_files=
 -root_cert_dbs=$tmpdir/db1,$tmpdir/dba
 +root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
 other_root_cert_dbs=
 other_cert_dbs=
 cert_roots=Per-certificate Signing Authority D1
@@ -229,7 +229,7 @@ root_cert_files=
 other_root_cert_files=
 other_cert_files=
 root_cert_dbs=
 -other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
 +other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
 other_cert_dbs=
 EOF
 cat > $tmpdir/entryd3 <<- EOF
@@ -239,7 +239,7 @@ other_root_cert_files=
 other_cert_files=
 root_cert_dbs=
 other_root_cert_dbs=
 -other_cert_dbs=$tmpdir/db3,$tmpdir/dba
 +other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
 cert_chain=Per-certificate Signing Authority D3
  -----BEGIN CERTIFICATE-----
  MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw
@@ -300,7 +300,7 @@ ca_name=CAD1
 root_cert_files=
 other_root_cert_files=
 other_cert_files=
 -root_cert_dbs=$tmpdir/db1,$tmpdir/dba
 +root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
 other_root_cert_dbs=
 other_cert_dbs=
 EOF
@@ -311,7 +311,7 @@ root_cert_files=
 other_root_cert_files=
 other_cert_files=
 root_cert_dbs=
 -other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
 +other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
 other_cert_dbs=
 EOF
 cat > $tmpdir/entrycad3 <<- EOF
@@ -322,7 +322,7 @@ other_root_cert_files=
 other_cert_files=
 root_cert_dbs=
 other_root_cert_dbs=
 -other_cert_dbs=$tmpdir/db3,$tmpdir/dba
 +other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
 EOF
 cat > $tmpdir/cab1 <<- EOF
@@ -564,9 +564,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
 ca_root_cert_files=
 ca_other_root_cert_files=
 ca_other_cert_files=
 -ca_root_cert_dbs=$tmpdir/db1,$tmpdir/dba
 -ca_other_root_cert_dbs=$tmpdir/dba
 -ca_other_cert_dbs=$tmpdir/dba
 +ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba
 +ca_other_root_cert_dbs=dbm:$tmpdir/dba
 +ca_other_cert_dbs=dbm:$tmpdir/dba
 ca_root_certs=Root Certificate D1
  -----BEGIN CERTIFICATE-----
  MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
@@ -639,9 +639,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
 ca_root_cert_files=
 ca_other_root_cert_files=
 ca_other_cert_files=
 -ca_root_cert_dbs=$tmpdir/dba
 -ca_other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba
 -ca_other_cert_dbs=$tmpdir/dba
 +ca_root_cert_dbs=dbm:$tmpdir/dba
 +ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba
 +ca_other_cert_dbs=dbm:$tmpdir/dba
 ca_root_certs=Root Certificate D2
  -----BEGIN CERTIFICATE-----
  MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET
@@ -722,9 +722,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
 ca_root_cert_files=
 ca_other_root_cert_files=
 ca_other_cert_files=
 -ca_root_cert_dbs=,$tmpdir/dba
 -ca_other_root_cert_dbs=,$tmpdir/dba,
 -ca_other_cert_dbs=$tmpdir/db3,$tmpdir/dba
 +ca_root_cert_dbs=,dbm:$tmpdir/dba
 +ca_other_root_cert_dbs=,dbm:$tmpdir/dba,
 +ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba
 ca_root_certs=Root Certificate D3
  -----BEGIN CERTIFICATE-----
  MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
@@ -796,9 +796,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh
 ca_root_cert_files=$tmpdir/bundle-all
 ca_other_root_cert_files=
 ca_other_cert_files=
 -ca_root_cert_dbs=$tmpdir/dba
 -ca_other_root_cert_dbs=,$tmpdir/dba
 -ca_other_cert_dbs=,$tmpdir/dba
 +ca_root_cert_dbs=dbm:$tmpdir/dba
 +ca_other_root_cert_dbs=,dbm:$tmpdir/dba
 +ca_other_cert_dbs=,dbm:$tmpdir/dba
 ca_root_certs=Root Certificate DA
  -----BEGIN CERTIFICATE-----
  MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL
 diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
 index 4e2fbd71..c062d409 100644
 --- a/tests/034-perms/expected.out
 +++ b/tests/034-perms/expected.out
@@ -41,54 +41,54 @@ $owner:$group|0755|ee.key.MARKER.key
 $owner:$group|0662|ee.crt
 $owner:$group|0620|ee.key
 -[start]
 -[keygen]
 +[dbm:start]
 +[dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
 -[reset]
 +[dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[csrgen]
 +[dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
 -[reset]
 +[dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[submit]
 +[dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[reset]
 +[dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[save]
 +[dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
 -[rekey:start]
 -[rekey:keygen]
 +[rekey:dbm:start]
 +[rekey:dbm:keygen]
 $owner:$group|0600|cert8.db
 $owner:$group|0620|key3.db
 -[rekey:reset]
 +[rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[rekey:keygen]
 +[rekey:dbm:keygen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
 -[rekey:reset]
 +[rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[rekey:csrgen]
 +[rekey:dbm:csrgen]
 $owner:$group|0755|cert8.db
 $owner:$group|0620|key3.db
 -[rekey:reset]
 +[rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[rekey:submit]
 +[rekey:dbm:submit]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[rekey:reset]
 +[rekey:dbm:reset]
 $owner:$group|0755|cert8.db
 $owner:$group|0755|key3.db
 -[rekey:save]
 +[rekey:dbm:save]
 $owner:$group|0662|cert8.db
 $owner:$group|0620|key3.db
 OK
 diff --git a/tests/034-perms/run.sh b/tests/034-perms/run.sh
 index 7f349d3b..88eae19f 100755
 --- a/tests/034-perms/run.sh
 +++ b/tests/034-perms/run.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 cd "$tmpdir"
 +scheme="${scheme:-dbm:}"
 +
 function list() {
 	$toolsdir/ls *.* | sed -e "s~^$owner:$group|~\$owner:\$group|~g"
 }
 -- 
 2.15.1
--- a/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
+++ b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
@ -1,48 +0,0 @@
 From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 9 Jan 2018 22:18:58 -0500
 Subject: [PATCH 4/6] Workaround NSS bug in associating private key to
 certificate
 If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete
 internal state (the cert isn't associated with the private key,
 and calling PK11_FindKeyByAnyCert returns no result).
 As a workaround, we import the cert again using PK11_ImportCert
 which magically fixes the issue.
 See rhbz#1532188
 Related: https://pagure.io/certmonger/issue/88
 ---
 src/certsave-n.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 diff --git a/src/certsave-n.c b/src/certsave-n.c
 index a2c97000..8e15a18a 100644
 --- a/src/certsave-n.c
 +++ b/src/certsave-n.c
@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 						 PR_FALSE,
 						 entry->cm_cert_nickname);
 			ec = PORT_GetError();
 +			if (error == SECSuccess) {
 +				/* If NSS uses SQL DB storage, CERT_ImportCerts creates
 +				 * an incomplete internal state (the cert isn't
 +				 * associated with the private key, and calling
 +				 * PK11_FindKeyByAnyCert returns no result).
 +				 * As a workaround, we import the cert again using 
 +				 * PK11_ImportCert, which magically fixes the issue.
 +				 * See rhbz#1532188 */
 +				error = PK11_ImportCert(PK11_GetInternalKeySlot(),
 +					returned[0],
 +					CK_INVALID_HANDLE,
 +					returned[0]->nickname,
 +					PR_FALSE);
 +			}
 			if (error == SECSuccess) {
 				cm_log(1, "Imported certificate \"%s\", got "
 				       "nickname \"%s\".\n",
 -- 
 2.15.1
--- a/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
+++ b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
@ -1,314 +0,0 @@
 From 920572235f82eb3a88a3b8dd274f809baee31c67 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 9 Jan 2018 22:54:06 -0500
 Subject: [PATCH 5/6] Run key generation tests against both dbm and sqlite
 databases
 Related: https://pagure.io/certmonger/issue/88
 ---
 tests/002-keygen-dbm/expected.out | 99 +++++++++++++++++++++++++++++++++++++++
 tests/002-keygen-dbm/run.sh       |  2 +
 tests/002-keygen-sql/expected.out | 99 +++++++++++++++++++++++++++++++++++++++
 tests/002-keygen-sql/run.sh       |  2 +
 tests/002-keygen/expected.out     |  4 +-
 tests/002-keygen/run.sh           | 12 +++--
 6 files changed, 211 insertions(+), 7 deletions(-)
 create mode 100644 tests/002-keygen-dbm/expected.out
 create mode 100755 tests/002-keygen-dbm/run.sh
 create mode 100644 tests/002-keygen-sql/expected.out
 create mode 100755 tests/002-keygen-sql/run.sh
 diff --git a/tests/002-keygen-dbm/expected.out b/tests/002-keygen-dbm/expected.out
 new file mode 100644
 index 00000000..dcd1af06
 --- /dev/null
 +++ b/tests/002-keygen-dbm/expected.out
@@ -0,0 +1,99 @@
 +[nss:1024]
 +OK.
 +OK (RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +keyi1024
 +keyi1024 (candidate (next))
 +[nss:1536]
 +OK.
 +OK (RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +keyi1536
 +keyi1536 (candidate (next))
 +[nss:2048]
 +OK.
 +OK (RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +keyi2048
 +keyi2048 (candidate (next))
 +[nss:3072]
 +OK.
 +OK (RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +keyi3072
 +keyi3072 (candidate (next))
 +[nss:4096]
 +OK.
 +OK (RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +keyi4096
 +keyi4096 (candidate (next))
 +[nss:rosubdir]
 +Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions.
 +[nss:rwsubdir]
 +Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions.
 +[openssl:1024]
 +OK.
 +OK (RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +${tmpdir}/sample.1024
 +${tmpdir}/sample.1024.(next).key
 +[openssl:1536]
 +OK.
 +OK (RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +${tmpdir}/sample.1536
 +${tmpdir}/sample.1536.(next).key
 +[openssl:2048]
 +OK.
 +OK (RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +${tmpdir}/sample.2048
 +${tmpdir}/sample.2048.(next).key
 +[openssl:3072]
 +OK.
 +OK (RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +${tmpdir}/sample.3072
 +${tmpdir}/sample.3072.(next).key
 +[openssl:4096]
 +OK.
 +OK (RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +${tmpdir}/sample.4096
 +${tmpdir}/sample.4096.(next).key
 +[openssl:rosubdir]
 +Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions.
 +[openssl:rwsubdir]
 +Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions.
 +Test complete.
 diff --git a/tests/002-keygen-dbm/run.sh b/tests/002-keygen-dbm/run.sh
 new file mode 100755
 index 00000000..36323947
 --- /dev/null
 +++ b/tests/002-keygen-dbm/run.sh
@@ -0,0 +1,2 @@
 +#!/bin/bash -e
 +exec env scheme=dbm: ../002-keygen/run.sh
 diff --git a/tests/002-keygen-sql/expected.out b/tests/002-keygen-sql/expected.out
 new file mode 100644
 index 00000000..178f1b3a
 --- /dev/null
 +++ b/tests/002-keygen-sql/expected.out
@@ -0,0 +1,99 @@
 +[nss:1024]
 +OK.
 +OK (RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +keyi1024
 +keyi1024 (candidate (next))
 +[nss:1536]
 +OK.
 +OK (RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +keyi1536
 +keyi1536 (candidate (next))
 +[nss:2048]
 +OK.
 +OK (RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +keyi2048
 +keyi2048 (candidate (next))
 +[nss:3072]
 +OK.
 +OK (RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +keyi3072
 +keyi3072 (candidate (next))
 +[nss:4096]
 +OK.
 +OK (RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +keyi4096
 +keyi4096 (candidate (next))
 +[nss:rosubdir]
 +Failed to save NSS:sql:${tmpdir}/rosubdir: need fs permissions.
 +[nss:rwsubdir]
 +Failed to save NSS:sql:${tmpdir}/rwsubdir: need fs permissions.
 +[openssl:1024]
 +OK.
 +OK (RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +OK.
 +OK (RSA:1024 after RSA:1024).
 +${tmpdir}/sample.1024
 +${tmpdir}/sample.1024.(next).key
 +[openssl:1536]
 +OK.
 +OK (RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +OK.
 +OK (RSA:1536 after RSA:1536).
 +${tmpdir}/sample.1536
 +${tmpdir}/sample.1536.(next).key
 +[openssl:2048]
 +OK.
 +OK (RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +OK.
 +OK (RSA:2048 after RSA:2048).
 +${tmpdir}/sample.2048
 +${tmpdir}/sample.2048.(next).key
 +[openssl:3072]
 +OK.
 +OK (RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +OK.
 +OK (RSA:3072 after RSA:3072).
 +${tmpdir}/sample.3072
 +${tmpdir}/sample.3072.(next).key
 +[openssl:4096]
 +OK.
 +OK (RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +OK.
 +OK (RSA:4096 after RSA:4096).
 +${tmpdir}/sample.4096
 +${tmpdir}/sample.4096.(next).key
 +[openssl:rosubdir]
 +Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions.
 +[openssl:rwsubdir]
 +Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions.
 +Test complete.
 diff --git a/tests/002-keygen-sql/run.sh b/tests/002-keygen-sql/run.sh
 new file mode 100755
 index 00000000..cd5bc978
 --- /dev/null
 +++ b/tests/002-keygen-sql/run.sh
@@ -0,0 +1,2 @@
 +#!/bin/bash -e
 +exec env scheme=sql: ../002-keygen/run.sh
 diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
 index ff56372a..dcd1af06 100644
 --- a/tests/002-keygen/expected.out
 +++ b/tests/002-keygen/expected.out
@@ -44,9 +44,9 @@ OK (RSA:4096 after RSA:4096).
 keyi4096
 keyi4096 (candidate (next))
 [nss:rosubdir]
 -Failed to save NSS:${tmpdir}/rosubdir: need fs permissions.
 +Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions.
 [nss:rwsubdir]
 -Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions.
 +Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions.
 [openssl:1024]
 OK.
 OK (RSA:1024).
 diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
 index f550feeb..08af1523 100755
 --- a/tests/002-keygen/run.sh
 +++ b/tests/002-keygen/run.sh
@@ -2,15 +2,17 @@
 cd "$tmpdir"
 +scheme="${scheme:-dbm:}"
 +
 source "$srcdir"/functions
 -initnssdb "$tmpdir"
 +initnssdb "$scheme$tmpdir"
 for size in 1024 1536 2048 3072 4096 ; do
 	echo "[nss:$size]"
 	# Generate a key.
 	cat > entry.$size <<- EOF
 	key_storage_type=NSSDB
 -	key_storage_location=$tmpdir
 +	key_storage_location=$scheme$tmpdir
 	key_nickname=keyi$size
 	key_gen_size=$size
 	EOF
@@ -28,13 +30,13 @@ for size in 1024 1536 2048 3072 4096 ; do
 	# Extract the marker.
 	marker=`grep ^key_next_marker= entry.$size | cut -f2- -d=`
 	# Make sure we're clean.
 -	run_certutil -K -d "$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort
 +	run_certutil -K -d "$scheme$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort
 done
 echo "[nss:rosubdir]"
 cat > entry.$size <<- EOF
 key_storage_type=NSSDB
 -key_storage_location=$tmpdir/rosubdir
 +key_storage_location=$scheme$tmpdir/rosubdir
 key_nickname=keyi$size
 key_gen_size=$size
 EOF
@@ -43,7 +45,7 @@ $toolsdir/keygen entry.$size || true
 echo "[nss:rwsubdir]"
 cat > entry.$size <<- EOF
 key_storage_type=NSSDB
 -key_storage_location=$tmpdir/rwsubdir
 +key_storage_location=$scheme$tmpdir/rwsubdir
 key_nickname=keyi$size
 key_gen_size=$size
 EOF
 -- 
 2.15.1
--- a/certmonger.spec
+++ b/certmonger.spec
@ -25,8 +25,8 @@
 %endif
 Name:		certmonger
-Version:	0.79.5
+Version:	0.79.6
-Release:	7%{?dist}
+Release:	1%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 Group:		System Environment/Daemons
@ -36,8 +36,12 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 #Source1:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	gettext-devel
 BuildRequires:	gcc
 BuildRequires:	openldap-devel
 BuildRequires:	libidn2-devel
 BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires:  libuuid-devel
@ -107,11 +111,6 @@ Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 Conflicts: libtevent < 0.9.13
 %endif
 Patch1:	0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
 Patch2:	0002-SQLite-databases-require-a-password-to-modify-trust-.patch
 Patch3:	0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
 Patch4:	0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch
 Patch5:	0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
 Patch6:	0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
 %description
@ -120,11 +119,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %if 0%{?rhel} > 0
@ -134,6 +128,7 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
 %endif
 %build
 autoreconf -i -f
 %configure \
 %if %{systemd}
 	--enable-systemd \
@ -253,6 +248,9 @@ exit 0
 %endif
 %changelog
 * Tue May  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
 - Update to upstream 0.79.6
 * Wed Mar 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.79.5-7
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (certmonger-0.79.5.tar.gz) = b447bbbe6cbe1e3561c4a4083789baa4503516273273a7ac6a17b1287a3b36f8fa2b0c56e075a7eb98e582cdff5939c1c6436f2d011ed0f61b555da0d7b4a7ba
+SHA512 (certmonger-0.79.6.tar.gz) = 55721a114d874d484bbde01a31f72b8d2a6d3ce0a676c73a217019c5da96aa28d4c0a32abb962abe996bf55b47050b7e0558fffbef6dd4d13ab922e0de5d8224
`@ -1 +1 @@`
	`SHA512 (certmonger-0.79.5.tar.gz) = b447bbbe6cbe1e3561c4a4083789baa4503516273273a7ac6a17b1287a3b36f8fa2b0c56e075a7eb98e582cdff5939c1c6436f2d011ed0f61b555da0d7b4a7ba`	`SHA512 (certmonger-0.79.6.tar.gz) = 55721a114d874d484bbde01a31f72b8d2a6d3ce0a676c73a217019c5da96aa28d4c0a32abb962abe996bf55b47050b7e0558fffbef6dd4d13ab922e0de5d8224`