import certmonger-0.79.13-4.el8

SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch

@@ -0,0 +1,38 @@
+From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 14 Apr 2021 15:34:48 -0400
+Subject: [PATCH] Fix local CA to work under FIPS
+
+The PKCS12 file used for the local CA fails to be created because
+it uses default OpenSSL encryption algorithms that are disallowed
+under FIPS.  This patch simply updates the PKCS12_create() command
+to use allowed encryption algorithms.
+---
+ src/local.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/local.c b/src/local.c
+index 92bea144..2f50ac77 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -39,6 +39,7 @@
+ 
+ #include <openssl/asn1.h>
+ #include <openssl/err.h>
++#include <openssl/obj_mac.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/rand.h>
+@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
+ 			return CM_SUBMIT_STATUS_UNREACHABLE;
+ 		}
+ 		p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
+-				    cas, 0, 0, 0, 0, 0);
++				    cas, NID_aes_128_cbc, NID_aes_128_cbc,
++				    0, 0, 0);
+ 		if (p12 != NULL) {
+ 			if (!i2d_PKCS12_fp(fp, p12)) {
+ 				fclose(fp);
+-- 
+2.26.3
+

SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch

@@ -0,0 +1,123 @@
+From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
+From: Your Name <you@example.com>
+Date: Fri, 9 Jul 2021 20:49:28 +0000
+Subject: [PATCH] Add SCEP config option to treat the challenge password as an
+ OTP
+
+SCEP RFC 8894 specifies that a challenge password SHOULD be
+removed from subsequent requests but that it MAY be included.
+
+This adds a new configuration option to treat the challenge password
+as a one-time password (OTP) so that it will not be sent on
+subsequent requests, like renewals, by removing it completely
+from the tracking request.
+
+This allows certmonger to be able to renew AD-issued SCEP certificates
+if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1577570
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/certmonger.conf.5.in |  9 +++++++++
+ src/certsave.c           | 13 +++++++++++++
+ src/prefs.c              | 15 +++++++++++++++
+ src/prefs.h              |  4 ++++
+ 4 files changed, 41 insertions(+)
+
+diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
+index 6a42d3cb..1b941b9d 100644
+--- a/src/certmonger.conf.5.in
++++ b/src/certmonger.conf.5.in
+@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
+ \fIselfsign\fR section, if one is set there, will be used.  The default value
+ is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+ 
++.SH SCEP
++Within the \fIscep\fR section, these variables and values are recognized:
++
++.IP challenge_password_otp
++This controls whether the SCEP challenge password is treated as a one-time
++password. If set to yes then the challenge password and/or challenge password
++file will be removed from the tracking request after the first certificate
++issuance so will not be sent with renewal requests.  The default is no.
++
+ .SH BUGS
+ Please file tickets for any that you find at https://fedorahosted.org/certmonger/
+ 
+diff --git a/src/certsave.c b/src/certsave.c
+index 6eaafe59..f8503662 100644
+--- a/src/certsave.c
++++ b/src/certsave.c
+@@ -18,12 +18,25 @@
+ #include "config.h"
+ #include "certsave.h"
+ #include "certsave-int.h"
++#include "prefs.h"
+ #include "store-int.h"
++#include "talloc.h"
+ 
+ /* Start writing the certificate from the entry to the configured location. */
+ struct cm_certsave_state *
+ cm_certsave_start(struct cm_store_entry *entry)
+ {
++    /* If saving a SCEP certificate wipe out the challenge password */
++    if ((cm_prefs_scep_password_otp()) &&
++        (entry->cm_template_challenge_password != NULL) &&
++        (entry->cm_scep_nonce != NULL))
++    {
++        talloc_free(entry->cm_template_challenge_password);
++        entry->cm_template_challenge_password = NULL;
++        talloc_free(entry->cm_template_challenge_password_file);
++        entry->cm_template_challenge_password_file = NULL;
++    }
++
+ 	switch (entry->cm_cert_storage_type) {
+ #ifdef HAVE_OPENSSL
+ 	case cm_cert_storage_file:
+diff --git a/src/prefs.c b/src/prefs.c
+index 669e8f1f..52ffc908 100644
+--- a/src/prefs.c
++++ b/src/prefs.c
+@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
+ 	}
+ 	return count;
+ }
++
++int
++cm_prefs_scep_password_otp(void)
++{
++    static int populate = -1;
++    if (populate == -1) {
++        const char *val;
++        val = cm_prefs_config("scep", "challenge_password_otp");
++        if (val == NULL) {
++            val = "no";
++        }
++        populate = cm_prefs_yesno(val);
++    }
++    return populate != -1 ? populate : 0;
++}
+diff --git a/src/prefs.h b/src/prefs.h
+index 248e1016..a107fb6c 100644
+--- a/src/prefs.h
++++ b/src/prefs.h
+@@ -18,6 +18,8 @@
+ #ifndef cmprefs_h
+ #define cmprefs_h
+ 
++#include <time.h>
++
+ enum cm_prefs_cipher {
+ 	cm_prefs_aes128,
+ 	cm_prefs_aes192,
+@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
+ long long prefs_key_end_of_life(time_t ref);
+ long prefs_max_key_use_count(void);
+ 
++int cm_prefs_scep_password_otp(void);
++
+ #endif
+-- 
+2.31.1
+

SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch

@@ -0,0 +1,42 @@
+From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 17 Feb 2021 13:40:52 -0500
+Subject: [PATCH] Add NULL checks before string compares when analyzing a cert
+
+A user reported a segfault which was due to a broken request.
+How it got broken I have no idea but it was effectively empty.
+
+It had everything as defaults: 0, -1, UNSPECIFIED or not
+present at all.
+
+So when trying to analyze the request it did a NULL compare.
+
+https://pagure.io/certmonger/issue/191
+---
+ src/tdbush.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tdbush.c b/src/tdbush.c
+index a10a1aff..fb81c477 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
+ 		if (cert_storage != e->cm_cert_storage_type) {
+ 			continue;
+ 		}
+-		if (strcmp(cert_location, e->cm_cert_storage_location) != 0) {
++		if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) {
+ 			continue;
+ 		}
+ 		switch (cert_storage) {
+ 		case cm_cert_storage_file:
+ 			break;
+ 		case cm_cert_storage_nssdb:
+-			if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
++			if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
+ 				continue;
+ 			}
+ 			break;
+-- 
+2.31.1
+

SOURCES/0006-Display-not_before-in-getcert-output.patch

@@ -0,0 +1,386 @@
+From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 8 Apr 2021 14:07:22 -0400
+Subject: [PATCH] Display not_before in getcert output
+
+Including not_before can help with troubleshooting
+renewal problems and if time needs to be reversed
+helping identify the maximum one can go back.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1940261
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/getcert.c               |  21 ++++-
+ src/tdbush.c                |  10 ++-
+ src/tdbusm-check.c          |  32 ++++++++
+ src/tdbusm.c                | 150 ++++++++++++++++++++++++++++++++++++
+ src/tdbusm.h                |   9 +++
+ tests/028-dbus/expected.out |   4 +-
+ tests/028-dbus/run.sh       |   1 +
+ 7 files changed, 220 insertions(+), 7 deletions(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 078f5aa1..4afafcb1 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv)
+ 	const char *capath, *request;
+ 	dbus_bool_t b;
+ 	char *s1, *s2, *s3, *s4, *s5, *s6;
+-	long n1, n2;
++	long n1, n2, n3;
+ 	char **as, **as1, **as2, **as3, **as4, **as5, t[25];
+ 	int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j;
+ 	unsigned int k;
+@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv)
+ 		/* Information from the certificate. */
+ 		rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ 				"get_cert_info", verbose);
+-		if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx,
++		if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx,
+ 						&s1, &s2, &s3, &n1,
+ 						&as1, &as2, &as3,
+-						&n2, &as4) != 0) {
++						&n2, &as4, &n3) != 0) {
+ 			printf(_("Error parsing server response.\n"));
+ 			exit(1);
+ 		}
+@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv)
+ 		printf(_("\tissuer: %s\n"), s1);
+ 		printf(_("\tsubject: %s\n"), s3);
+ 		when = _("unknown");
++		if (n3 != 0) {
++			if (force_utc) {
++				when = cm_store_timestamp_from_time_for_display(n3, t);
++				printf(_("\tissued: %s\n"), when);
++			} else {
++				when = cm_store_local_timestamp_from_time_for_display(n3);
++				if (when != NULL) {
++					printf(_("\tissued: %s\n"), when);
++					free(when);
++				}
++			}
++		} else {
++			printf(_("\tissued: %s\n"), when);
++		}
++		when = _("unknown");
+ 		if (n1 != 0) {
+ 			if (force_utc) {
+ 				when = cm_store_timestamp_from_time_for_display(n1, t);
+diff --git a/src/tdbush.c b/src/tdbush.c
+index 3587f84f..6fc1b4be 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
+ 	rep = dbus_message_new_method_return(msg);
+ 	if (rep != NULL) {
+ 		eku = eku_splitv(entry, entry->cm_cert_eku);
+-		cm_tdbusm_set_sssnasasasnas(rep,
++		cm_tdbusm_set_sssnasasasnasn(rep,
+ 					    entry->cm_cert_issuer,
+ 					    entry->cm_cert_serial,
+ 					    entry->cm_cert_subject,
+@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
+ 					    (const char **) entry->cm_cert_hostname,
+ 					    (const char **) entry->cm_cert_principal,
+ 					    ku_from_string(entry->cm_cert_ku),
+-					    (const char **) eku);
++					    (const char **) eku,
++					    entry->cm_cert_not_before);
+ 		dbus_connection_send(conn, rep, NULL);
+ 		dbus_message_unref(rep);
+ 		talloc_free(eku);
+@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void)
+ 										     DBUS_TYPE_ARRAY_AS_STRING
+ 										     DBUS_TYPE_STRING_AS_STRING,
+ 										     cm_tdbush_method_arg_out,
+-										     NULL))))))))),
++								     make_method_arg("not_before",
++										     DBUS_TYPE_INT64_AS_STRING,
++										     cm_tdbush_method_arg_out,
++										     NULL)))))))))),
+ 								     NULL),
+ 				     make_interface_item(cm_tdbush_interface_property,
+ 							 make_property(CM_DBUS_PROP_CERT_ISSUER,
+diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c
+index 385b1849..31880732 100644
+--- a/src/tdbusm-check.c
++++ b/src/tdbusm-check.c
+@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid)
+ 	return ret;
+ }
+ static int
++get_sssnasasasnasn(DBusMessage *rep, int msgid)
++{
++	int ret, i;
++	long n1, n2, n3;
++	char *s1, *s2, *s3, **as1, **as2, **as3, **as4;
++
++	ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL,
++					  &s1, &s2, &s3, &n1,
++					  &as1, &as2, &as3, &n2, &as4, &n3);
++	if (ret == 0) {
++		printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[",
++		       msgid, s1, s2, s3, n1);
++		for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) {
++			printf("%ss:%s", i > 0 ? "," : "", as1[i]);
++		}
++		printf("],[");
++		for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) {
++			printf("%ss:%s", i > 0 ? "," : "", as2[i]);
++		}
++		printf("],[");
++		for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) {
++			printf("%ss:%s", i > 0 ? "," : "", as3[i]);
++		}
++		printf("],n:%ld,n:%ld,[", n2, n3);
++		for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) {
++			printf("%ss:%s", i > 0 ? "," : "", as4[i]);
++		}
++		printf("]\n");
++	}
++	return ret;
++}
++static int
+ get_sasasasnas(DBusMessage *rep, int msgid)
+ {
+ 	int ret, i;
+diff --git a/src/tdbusm.c b/src/tdbusm.c
+index bc39e1d4..24e03e4c 100644
+--- a/src/tdbusm.c
++++ b/src/tdbusm.c
+@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
+ 	return 0;
+ }
+ 
++int
++cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
++			    char **s1, char **s2, char **s3, long *n1,
++			    char ***as1, char ***as2, char ***as3,
++			    long *n2, char ***as4, long *n3)
++{
++	DBusError err;
++	char **tmp1, **tmp2, **tmp3, **tmp4;
++	int64_t i641, i642, i643;
++	int32_t i321, i322, i323;
++	int16_t i161, i162, i163;
++	int i, j, k, l;
++	*s1 = NULL;
++	*s2 = NULL;
++	*s3 = NULL;
++	*as1 = NULL;
++	*as2 = NULL;
++	*as3 = NULL;
++	*as4 = NULL;
++	dbus_error_init(&err);
++	if (!dbus_message_get_args(msg, &err,
++				   DBUS_TYPE_STRING, s1,
++				   DBUS_TYPE_STRING, s2,
++				   DBUS_TYPE_STRING, s3,
++				   DBUS_TYPE_INT64, &i641,
++				   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i,
++				   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j,
++				   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k,
++				   DBUS_TYPE_INT64, &i642,
++				   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l,
++				   DBUS_TYPE_INT64, &i643,
++				   DBUS_TYPE_INVALID)) {
++		if (dbus_error_is_set(&err)) {
++			dbus_error_free(&err);
++			dbus_error_init(&err);
++		}
++		if (!dbus_message_get_args(msg, &err,
++					   DBUS_TYPE_STRING, s1,
++					   DBUS_TYPE_STRING, s2,
++					   DBUS_TYPE_STRING, s3,
++					   DBUS_TYPE_INT32, &i321,
++					   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++					   &tmp1, &i,
++					   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++					   &tmp2, &j,
++					   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++					   &tmp3, &k,
++					   DBUS_TYPE_INT32, &i322,
++					   DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++					   &tmp4, &l,
++					   DBUS_TYPE_INT32, &i323,
++					   DBUS_TYPE_INVALID)) {
++			if (dbus_error_is_set(&err)) {
++				dbus_error_free(&err);
++				dbus_error_init(&err);
++			}
++			if (!dbus_message_get_args(msg, &err,
++						   DBUS_TYPE_STRING, s1,
++						   DBUS_TYPE_STRING, s2,
++						   DBUS_TYPE_STRING, s3,
++						   DBUS_TYPE_INT16, &i161,
++						   DBUS_TYPE_ARRAY,
++						   DBUS_TYPE_STRING, &tmp1, &i,
++						   DBUS_TYPE_ARRAY,
++						   DBUS_TYPE_STRING, &tmp2, &j,
++						   DBUS_TYPE_ARRAY,
++						   DBUS_TYPE_STRING, &tmp3, &k,
++						   DBUS_TYPE_INT16, &i162,
++						   DBUS_TYPE_ARRAY,
++						   DBUS_TYPE_STRING, &tmp4, &l,
++						   DBUS_TYPE_INT16, &i163,
++						   DBUS_TYPE_INVALID)) {
++				if (dbus_error_is_set(&err)) {
++					dbus_error_free(&err);
++					dbus_error_init(&err);
++				}
++				return -1;
++			}
++			i321 = i161;
++			i322 = i162;
++			i323 = i163;
++		}
++		i641 = i321;
++		i642 = i322;
++		i643 = i323;
++	}
++	*s1 = *s1 ? talloc_strdup(parent, *s1) : NULL;
++	*s2 = *s2 ? talloc_strdup(parent, *s2) : NULL;
++	*s3 = *s3 ? talloc_strdup(parent, *s3) : NULL;
++	*n1 = i641;
++	*n2 = i642;
++	*n3 = i643;
++	*as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i);
++	*as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j);
++	*as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k);
++	*as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l);
++	return 0;
++}
++
+ int
+ cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s,
+ 			 char ***as1, char ***as2, char ***as3,
+@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
+ 	}
+ }
+ 
++int
++cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
++			    const char *s1, const char *s2, const char *s3,
++			    long n1, const char **as1, const char **as2,
++			    const char **as3, long n2, const char **as4,
++			    long n3)
++{
++	int64_t i1 = n1, i2 = n2, i3 = n3;
++	if (s1 == NULL) {
++		s1 = empty_string;
++	}
++	if (s2 == NULL) {
++		s2 = empty_string;
++	}
++	if (s3 == NULL) {
++		s3 = empty_string;
++	}
++	if (as1 == NULL) {
++		as1 = empty_string_array;
++	}
++	if (as2 == NULL) {
++		as2 = empty_string_array;
++	}
++	if (as3 == NULL) {
++		as3 = empty_string_array;
++	}
++	if (as4 == NULL) {
++		as4 = empty_string_array;
++	}
++	if (dbus_message_append_args(msg,
++				     DBUS_TYPE_STRING, &s1,
++				     DBUS_TYPE_STRING, &s2,
++				     DBUS_TYPE_STRING, &s3,
++				     DBUS_TYPE_INT64, &i1,
++				     DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++				     &as1, cm_tdbusm_array_length(as1),
++				     DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++				     &as2, cm_tdbusm_array_length(as2),
++				     DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++				     &as3, cm_tdbusm_array_length(as3),
++				     DBUS_TYPE_INT64, &i2,
++				     DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
++				     &as4, cm_tdbusm_array_length(as4),
++				     DBUS_TYPE_INT64, &i3,
++				     DBUS_TYPE_INVALID)) {
++		return 0;
++	} else {
++		return -1;
++	}
++}
++
+ int
+ cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s,
+ 			 const char **as1, const char **as2,
+diff --git a/src/tdbusm.h b/src/tdbusm.h
+index fe021eff..250a9b0a 100644
+--- a/src/tdbusm.h
++++ b/src/tdbusm.h
+@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
+ 			        char **s1, char **s2, char **s3, long *n1,
+ 			        char ***as1, char ***as2,
+ 			        char ***as3, long *n2, char ***as4);
++int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
++			        char **s1, char **s2, char **s3, long *n1,
++			        char ***as1, char ***as2,
++			        char ***as3, long *n2, char ***as4, long *n3);
+ int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent,
+ 			     char **s,
+ 			     char ***as1, char ***as2,
+@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
+ 			        const char *s3, long n1,
+ 			        const char **as1, const char **as2,
+ 			        const char **as3, long n2, const char **as4);
++int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
++			        const char *s1, const char *s2,
++			        const char *s3, long n1,
++			        const char **as1, const char **as2,
++			        const char **as3, long n2, const char **as4, long n3);
+ int cm_tdbusm_set_sasasasnas(DBusMessage *msg,
+ 			     const char *s,
+ 			     const char **as1, const char **as2,
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index ca7de34f..4cecbe15 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -11,6 +11,7 @@ Request ID 'Buddy':
+ 	CA: local
+ 	issuer: CN=$UUID,CN=Local Signing Authority
+ 	subject: CN=localhost
++	issued: sometime
+ 	expires: sometime
+ 	dns: localhost
+ 	principal name: host/localhost@LOCALHOST
+@@ -269,6 +270,7 @@ OK
+    <arg name="principal_names" type="as" direction="out"/>
+    <arg name="key_usage" type="x" direction="out"/>
+    <arg name="extended_key_usage" type="as" direction="out"/>
++   <arg name="not_before" type="x" direction="out"/>
+   </method>
+   <property name="issuer" type="s" access="read"/>
+   <property name="serial" type="s" access="read"/>
+@@ -430,7 +432,7 @@ Buddy
+ 
+ 
+ [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
+-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
++(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
+ 
+ [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
+ recently
+diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
+index d0be6ad8..a457834f 100755
+--- a/tests/028-dbus/run.sh
++++ b/tests/028-dbus/run.sh
+@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
+        -e '/^-----BEGIN/,/^-----END/d' \
+        -e "s|$libexecdir|\$libexecdir|g" \
+        -e "s|$tmpdir|\$tmpdir|g" \
++       -e "s|issued:.*|issued: sometime|g" \
+        -e "s|expires:.*|expires: sometime|g" \
+        -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
+-- 
+2.31.1
+

SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch

@@ -0,0 +1,40 @@
+From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 12 Aug 2021 16:26:09 -0400
+Subject: [PATCH] Fix file descriptor leak when executing CA helpers
+
+cm_cadata_start_generic() creates a pipe. One half is passed
+to fetch(), the function that does all helper calls,
+via the cm_cadata_state variable ret. The other half is the
+reader and is used to detect execution errors. There is a pair
+of write/read on this descriptor which on error would be the
+errno.
+
+This second half wasn't being closed after reading to test for
+errors.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1992439
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/cadata.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/cadata.c b/src/cadata.c
+index 3e916c9..d851b9e 100644
+--- a/src/cadata.c
++++ b/src/cadata.c
+@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
+ 		cm_log(1, "Error running enrollment helper \"%s\": %s.\n",
+ 		       ca->cm_ca_external_helper, strerror(u));
+ 		talloc_free(ret);
++		close(error_fd[0]);
+ 		return NULL;
+ 	}
++	close(error_fd[0]);
+ 	return ret;
+ }
+ 
+-- 
+2.31.1
+

SPECS/certmonger.spec

@@ -11,7 +11,7 @@
 
 Name:		certmonger
 Version:	0.79.13
-Release:	2%{?dist}
+Release:	4%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -21,6 +21,11 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 
 Patch0001:	0001-Don-t-run-the-002-keygen-tests-when-root.patch
 Patch0002:	0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
+Patch0003:	0003-Fix-local-CA-to-work-under-FIPS.patch
+Patch0004:	0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
+Patch0005:	0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
+Patch0006:	0006-Display-not_before-in-getcert-output.patch
+Patch0007:	0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
 
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -235,6 +240,16 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
+- Certmonger SCEP renewal should not use old challenges (#1577570)
+- Certmonger segfault after cert renewal request (#1881500)
+- Include certificate NotBefore date in output of the 'getcert list' command
+  (#1940261)
+- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
+
+* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
+- Fix local CA to work under FIPS (#1950132)
+
 * Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
 - Rebuild with xmlrpc-c support enabled (#1687698)