.certmonger.metadata

@@ -1 +0,0 @@
-ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz

.gitignore

@@ -1 +1,139 @@
-SOURCES/certmonger-0.79.17.tar.gz
+certmonger-0.17.tar.gz
+certmonger-0.18.tar.gz
+certmonger-0.19.tar.gz
+certmonger-0.20.tar.gz
+certmonger-0.21.tar.gz
+certmonger-0.22.tar.gz
+certmonger-0.23.tar.gz
+certmonger-0.24.tar.gz
+certmonger-0.26.tar.gz
+certmonger-0.28.tar.gz
+/certmonger-0.30.tar.gz
+/certmonger-0.32.tar.gz
+/certmonger-0.34.tar.gz
+/certmonger-0.35.tar.gz
+/certmonger-0.35.1.tar.gz
+/certmonger-0.36.tar.gz
+/certmonger-0.37.tar.gz
+/certmonger-0.38.tar.gz
+/certmonger-0.39.tar.gz
+/certmonger-0.40.tar.gz
+/certmonger-0.41.tar.gz
+/certmonger-0.42.tar.gz
+/certmonger-0.43.tar.gz
+/certmonger-0.44.tar.gz
+/certmonger-0.45.tar.gz
+/certmonger-0.46.tar.gz
+/certmonger-0.49.tar.gz
+/certmonger-0.49.tar.gz.sig
+/certmonger-0.50.tar.gz
+/certmonger-0.50.tar.gz.sig
+/certmonger-0.51.tar.gz
+/certmonger-0.51.tar.gz.sig
+/certmonger-0.52.tar.gz
+/certmonger-0.52.tar.gz.sig
+/certmonger-0.54.tar.gz
+/certmonger-0.54.tar.gz.sig
+/certmonger-0.55.tar.gz
+/certmonger-0.55.tar.gz.sig
+/certmonger-0.56.tar.gz
+/certmonger-0.56.tar.gz.sig
+/certmonger-0.59.tar.gz
+/certmonger-0.59.tar.gz.sig
+/certmonger-0.60.tar.gz
+/certmonger-0.60.tar.gz.sig
+/certmonger-0.61.tar.gz
+/certmonger-0.61.tar.gz.sig
+/certmonger-0.62.tar.gz
+/certmonger-0.62.tar.gz.sig
+/certmonger-0.63.tar.gz
+/certmonger-0.63.tar.gz.sig
+/certmonger-0.65.tar.gz
+/certmonger-0.65.tar.gz.sig
+/certmonger-0.67.tar.gz
+/certmonger-0.67.tar.gz.sig
+/certmonger-0.68.tar.gz
+/certmonger-0.68.tar.gz.sig
+/certmonger-0.69.tar.gz
+/certmonger-0.69.tar.gz.sig
+/certmonger-0.70.tar.gz
+/certmonger-0.70.tar.gz.sig
+/certmonger-0.71.2.tar.gz
+/certmonger-0.71.2.tar.gz.sig
+/certmonger-0.73.tar.gz
+/certmonger-0.73.tar.gz.sig
+/certmonger-0.74.tar.gz
+/certmonger-0.74.tar.gz.sig
+/certmonger-0.75.tar.gz
+/certmonger-0.75.tar.gz.sig
+/certmonger-0.75.1.tar.gz
+/certmonger-0.75.1.tar.gz.sig
+/certmonger-0.75.2.tar.gz
+/certmonger-0.75.2.tar.gz.sig
+/certmonger-0.75.3.tar.gz
+/certmonger-0.75.3.tar.gz.sig
+/certmonger-0.75.5.tar.gz
+/certmonger-0.75.5.tar.gz.sig
+/certmonger-0.75.6.tar.gz
+/certmonger-0.75.6.tar.gz.sig
+/certmonger-0.75.8.tar.gz
+/certmonger-0.75.8.tar.gz.sig
+/certmonger-0.75.9.tar.gz
+/certmonger-0.75.9.tar.gz.sig
+/certmonger-0.75.10.tar.gz
+/certmonger-0.75.10.tar.gz.sig
+/certmonger-0.75.13.tar.gz
+/certmonger-0.75.13.tar.gz.sig
+/certmonger-0.75.14.tar.gz
+/certmonger-0.75.14.tar.gz.sig
+/certmonger-0.76.6.tar.gz
+/certmonger-0.76.6.tar.gz.sig
+/certmonger-0.76.7.tar.gz
+/certmonger-0.76.7.tar.gz.sig
+/certmonger-0.76.8.tar.gz
+/certmonger-0.76.8.tar.gz.sig
+/certmonger-0.77.1.tar.gz
+/certmonger-0.77.1.tar.gz.sig
+/certmonger-0.77.2.tar.gz
+/certmonger-0.77.2.tar.gz.sig
+/certmonger-0.77.3.tar.gz
+/certmonger-0.77.3.tar.gz.sig
+/certmonger-0.77.4.tar.gz
+/certmonger-0.77.4.tar.gz.sig
+/certmonger-0.77.5.tar.gz
+/certmonger-0.77.5.tar.gz.sig
+/certmonger-0.78.tar.gz
+/certmonger-0.78.tar.gz.sig
+/certmonger-0.78.1.tar.gz
+/certmonger-0.78.1.tar.gz.sig
+/certmonger-0.78.2.tar.gz
+/certmonger-0.78.2.tar.gz.sig
+/certmonger-0.78.3.tar.gz
+/certmonger-0.78.3.tar.gz.sig
+/certmonger-0.78.4.tar.gz
+/certmonger-0.78.4.tar.gz.sig
+/certmonger-0.78.5.tar.gz
+/certmonger-0.78.5.tar.gz.sig
+/certmonger-0.78.6.tar.gz
+/certmonger-0.78.6.tar.gz.sig
+/certmonger-0.79.2.tar.gz
+/certmonger-0.79.2.tar.gz.sig
+/certmonger-0.79.3.tar.gz
+/certmonger-0.79.3.tar.gz.sig
+/certmonger-0.79.4.tar.gz
+/certmonger-0.79.5.tar.gz
+/certmonger-0.79.6.tar.gz
+/certmonger-0.79.7.tar.gz
+/certmonger-0.79.8.tar.gz
+/certmonger-0.79.9.tar.gz
+/certmonger-0.79.10.tar.gz
+/certmonger-0.79.11.tar.gz
+/certmonger-0.79.12.tar.gz
+/certmonger-0.79.13.tar.gz
+/certmonger-0.79.14.tar.gz
+/certmonger-0.79.15.tar.gz
+/certmonger-0.79.16.tar.gz
+/certmonger-0.79.17.tar.gz
+/certmonger-0.79.18.tar.gz
+/certmonger-0.79.19.tar.gz
+/certmonger-0.79.20.tar.gz

0001-Don-t-free-soptions-while-it-is-still-needed.patch

@@ -0,0 +1,29 @@
+From c5270bde4dab84f18c347e82376ef00733865247 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 1 Jul 2020 10:46:50 -0400
+Subject: [PATCH] Don't free soptions while it is still needed
+
+Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
+to avoid leaking soptions and aoptions.
+
+https://pagure.io/certmonger/issue/163
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/dogtag.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/dogtag.c b/src/dogtag.c
+index 91c9c588..faf81f97 100644
+--- a/src/dogtag.c
++++ b/src/dogtag.c
+@@ -579,7 +579,6 @@ main(int argc, const char **argv)
+ 				pin = NULL;
+ 			}
+ 		}
+-		free(soptions);
+ 		/* Add client creds. */
+ 		if (uid != NULL) {
+ 			uid = cm_submit_u_url_encode(uid);
+-- 
+2.25.4
+

0002-Don-t-send-SIGKILL-to-children-give-them-a-chance-to.patch

@@ -0,0 +1,28 @@
+From 00e948049acf0ca1b61ed9c2b8579b06b4bcb46a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 18 Aug 2020 14:33:17 -0400
+Subject: [PATCH 02/11] Don't send SIGKILL to children, give them a chance to
+ die
+
+This was causing issues in IPA which uses a lock file to
+serialize some operations. The kill was leaving the lock in
+place causing things to time out.
+---
+ src/subproc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/subproc.c b/src/subproc.c
+index 8df836ae..70d4ed93 100644
+--- a/src/subproc.c
++++ b/src/subproc.c
+@@ -240,7 +240,6 @@ cm_subproc_done(struct cm_subproc_state *state)
+ 
+ 	if (state != NULL) {
+ 		if (state->pid != -1) {
+-			kill(state->pid, SIGKILL);
+ 			do {
+ 				pid = waitpid(state->pid, &state->status, 0);
+ 				cm_log(4, "Waited for %ld, got %ld.\n",
+-- 
+2.25.4
+

0004-remove-dead-make-targets.patch

@@ -0,0 +1,28 @@
+From 93974735c31e653acc0d3de7e1cb165dbe764aef Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 16 Sep 2020 15:49:00 +1000
+Subject: [PATCH 04/11] remove dead make targets
+
+Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
+but left dangling references to those files in tests/Makefile.am,
+breaking the build.  Delete references to the deleted files.
+---
+ tests/Makefile.am | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c1ce8412..013d34bf 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -156,8 +156,6 @@ EXTRA_DIST = \
+ 	002-keygen-dsa/prequal.sh \
+ 	002-keygen-dsa/run.sh \
+ 	002-keygen-dsa/expected.out \
+-	002-keygen-dsa/expected.out.2 \
+-	002-keygen-dsa/expected.out.3 \
+ 	002-keygen-ec/prequal.sh \
+ 	002-keygen-ec/run.sh \
+ 	002-keygen-ec/expected.out \
+-- 
+2.25.4
+

0005-Require-jansson-for-IPA-RPC-calls-make-xmlrpc-option.patch

@@ -0,0 +1,201 @@
+From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Aug 2020 16:52:13 -0400
+Subject: [PATCH 05/11] Require jansson for IPA RPC calls, make xmlrpc optional
+
+xmlrpc is now only used for certmaster
+
+IPA will only make JSON RPC calls to retrieve certificates
+---
+ configure.ac    | 59 ++++++++++++++++++++++++++++++-------------------
+ src/Makefile.am | 33 ++++++++++++++++++++-------
+ 2 files changed, 61 insertions(+), 31 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abcd6d84..14991244 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
+ 	CPPFLAGS="$savedCPPFLAGS"
+ 	LDFLAGS="$savedLDFLAGS"
+ 
+-	dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
+-	savedCFLAGS="$CFLAGS"
+-	CFLAGS=
+-	AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
+-	AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
+-	if test -z "$XMLRPC_C_CONFIG" ; then
+-		AC_MSG_ERROR(xmlrpc-c-config not found)
+-	fi
+-	AC_MSG_CHECKING(for XMLRPC CFLAGS)
+-	XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
+-	AC_MSG_RESULT([$XMLRPC_CFLAGS])
+-	AC_SUBST(XMLRPC_CFLAGS)
+-	AC_MSG_CHECKING(for XMLRPC LIBS)
+-	XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
+-	AC_MSG_RESULT([$XMLRPC_LIBS])
+-	AC_SUBST(XMLRPC_LIBS)
+-	CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
+-	AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
+-			 [
+-			 #include <xmlrpc-c/client.h>
+-			 #include <xmlrpc-c/transport.h>
+-			 ])
+-	CFLAGS="$savedCFLAGS"
++	PKG_CHECK_MODULES(JANSSON,jansson)
++	have_jansson=true
++
++	AC_ARG_WITH([xmlrpc],
++		[AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
++		[with_xmlrpc=${with_xmlrpc}],
++		[with_xmlrpc=no])
++	AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
++		[include XMLRPC support])])
++	AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
++
++	AS_IF([test x"$with_xmlrpc" = xyes], [
++		dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
++		savedCFLAGS="$CFLAGS"
++		CFLAGS=
++		AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
++		AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
++		if test -z "$XMLRPC_C_CONFIG" ; then
++			AC_MSG_ERROR(xmlrpc-c-config not found)
++		fi
++		AC_MSG_CHECKING(for XMLRPC CFLAGS)
++		XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
++		AC_MSG_RESULT([$XMLRPC_CFLAGS])
++		AC_SUBST(XMLRPC_CFLAGS)
++		AC_MSG_CHECKING(for XMLRPC LIBS)
++		XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
++		AC_MSG_RESULT([$XMLRPC_LIBS])
++		AC_SUBST(XMLRPC_LIBS)
++		CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
++		AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
++				 [
++				 #include <xmlrpc-c/client.h>
++				 #include <xmlrpc-c/transport.h>
++				 ])
++		CFLAGS="$savedCFLAGS"
++	])
+ 
+ 	savedCFLAGS="$CFLAGS"
+ 	savedCPPFLAGS="$CPPFLAGS"
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 5343dbc4..13bd87d9 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
+ endif
+ man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
+ 	   getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
+-	   selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
++	   selfsign-getcert.1 ipa-getcert.1 \
+ 	   getcert-resubmit.1 certmonger-ipa-submit.8 \
+-	   certmonger-certmaster-submit.8 \
+ 	   certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
+ 	   getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
+ 	   certmonger-local-submit.8 getcert-status.1 \
+ 	   certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
+ 	   getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
+ 	   getcert-remove-ca.1 getcert-rekey.1
++if WITH_XMLRPC
++man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
++endif
+ pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
+ pkgsysconf_DATA = certmonger.conf
+ EXTRA_PROGRAMS =
+@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
+ 	submit-sn.c \
+ 	submit-u.c \
+ 	submit-u.h \
+-	submit-x.c \
+-	submit-x.h \
+ 	subproc.c \
+ 	subproc.h \
+ 	tdbus.c \
+@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
+ 	util-m.h \
+ 	util-n.c \
+ 	util-n.h
++if WITH_XMLRPC
++libcm_a_SOURCES += \
++	submit-x.c \
++	submit-x.h
++endif
+ libcm_o_a_SOURCES =
+ if HAVE_OPENSSL
+ libcm_o_a_SOURCES += \
+@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
+ ipa_getcert_LDADD = $(getcert_LDADD)
+ endif
+ if WITH_IPA
++if WITH_XMLRPC
+ bin_PROGRAMS += certmaster-getcert
+ certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
+ certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
+ certmaster_getcert_LDADD = $(getcert_LDADD)
+ endif
++endif
+ bin_PROGRAMS += selfsign-getcert
+ selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
+ selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
+@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
+ certmonger_session_LDADD = libcm.a \
+ 		   $(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
+ 		   $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
++noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
++if WITH_XMLRPC
++noinst_PROGRAMS += submit-x
++endif
+ tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
+ tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
+ serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+ nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
++if WITH_XMLRPC
+ submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
+ submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
+ 	tm.c tm.h
+ submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
+ 		 $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
++endif
+ toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
+ if WITH_CERTMASTER
++if WITH_XMLRPC
+ pkglibexec_PROGRAMS += certmaster-submit
+ endif
++endif
+ if WITH_IPA
+ pkglibexec_PROGRAMS += ipa-submit
+ endif
+@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
+ pkglibexec_PROGRAMS += scep-submit
+ endif
+ noinst_PROGRAMS += submit-h submit-d
+-ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
++ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
+ ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
+-		submit-x.c submit-x.h submit-u.c submit-u.h \
++		submit-h.c submit-h.h submit-u.c submit-u.h \
+ 		submit-e.h util.c util.h log.c log.h tm.c tm.h
+ ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
+ 		   $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
+-		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
++		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
++		   $(JANSSON_LIBS)
++if WITH_XMLRPC
+ certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
+ 		submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
+ 		tm.c tm.h
+ certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
+ 			  $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
++endif
+ dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
+ 				       $(NSS_CFLAGS) $(CURL_CFLAGS) \
+ 				       -DDOGTAG_IPA_RENEW_AGENT=1
+-- 
+2.25.4
+

0006-Make-xmlrpc-optional-in-the-certmonger-spec-file-dis.patch

@@ -0,0 +1,93 @@
+From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Aug 2020 16:53:50 -0400
+Subject: [PATCH 06/11] Make xmlrpc optional in the certmonger spec file,
+ disable certmaster
+
+This disables certmaster support by default since it requires
+xmlrpc
+---
+ certmonger.spec | 22 +++++++++++++++++++++-
+ configure.ac    |  1 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/certmonger.spec b/certmonger.spec
+index e1f5536e..a8e1d2e8 100644
+--- a/certmonger.spec
++++ b/certmonger.spec
+@@ -24,6 +24,8 @@
+ %global sysvinitdir %{_initrddir}
+ %endif
+ 
++%bcond_with xmlrpc
++
+ Name:		certmonger
+ Version:	0.79.11
+ Release:	1%{?dist}
+@@ -37,6 +39,7 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
+ BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+ 
+ BuildRequires:	openldap-devel
++BuildRequires:	krb5-devel
+ BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
+ BuildRequires:	autoconf, automake, gcc, gettext-devel
+ %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
+@@ -50,7 +53,11 @@ BuildRequires:	libcurl-devel
+ %else
+ BuildRequires:	curl-devel
+ %endif
+-BuildRequires:	libxml2-devel, xmlrpc-c-devel
++BuildRequires:	libxml2-devel
++%if %{with xmlrpc}
++BuildRequires:	xmlrpc-c-devel
++%endif
++BuildRequires:	jansson-devel
+ %if 0%{?rhel} && 0%{?rhel} < 6
+ BuildRequires:	bind-libbind-devel
+ BuildRequires:	mktemp
+@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
+ 	--enable-tmpfiles \
+ %endif
+ 	--with-homedir=/run/certmonger \
++%if %{with xmlrpc}
++	--with-xmlrpc \
++%endif
+ 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
++%if %{with xmlrpc}
+ # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
+ # tell us about libxmlrpc_client, but we need more.  Work around.
+ make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
++%else
++make %{?_smp_mflags}
++%endif
+ 
+ %install
+ rm -rf $RPM_BUILD_ROOT
+@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
+ if test $1 -eq 1 ; then
+ 	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
+ fi
++%if %{without xmlrpc}
++# remove any existing certmaster CA configuration
++if test $1 -gt 1 ; then
++    %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
++fi
++%endif
+ %if %{systemd}
+ if test $1 -eq 1 ; then
+ 	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+diff --git a/configure.ac b/configure.ac
+index 14991244..f2964856 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -876,6 +876,7 @@ else
+ 	AM_CONDITIONAL(HAVE_EC,false)
+ 	AM_CONDITIONAL(WITH_IPA,false)
+ 	AM_CONDITIONAL(WITH_CERTMASTER,false)
++	AM_CONDITIONAL(WITH_XMLRPC,false)
+ 	AM_CONDITIONAL(WITH_LOCAL,false)
+ 	AM_CONDITIONAL(HAVE_UUID,false)
+ fi
+-- 
+2.25.4
+

0007-Add-Referer-header-option-to-the-submit-h-API.patch

@@ -0,0 +1,155 @@
+From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Aug 2020 16:55:36 -0400
+Subject: [PATCH 07/11] Add Referer header option to the submit-h API
+
+This will allow IPA API requests that require the Referer header
+to be set.
+---
+ src/dogtag.c   |  2 +-
+ src/scep.c     |  6 +++---
+ src/submit-d.c |  2 +-
+ src/submit-h.c | 20 +++++++++++++++-----
+ src/submit-h.h |  1 +
+ 5 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/src/dogtag.c b/src/dogtag.c
+index faf81f97..d36ac008 100644
+--- a/src/dogtag.c
++++ b/src/dogtag.c
+@@ -691,7 +691,7 @@ main(int argc, const char **argv)
+ 	/* Submit the form(s). */
+ 	hctx = NULL;
+ 	while (url != NULL) {
+-		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
++		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
+ 					cainfo, capath, sslcert, sslkey, sslpin,
+ 					cm_submit_h_negotiate_off,
+ 					cm_submit_h_delegate_off,
+diff --git a/src/scep.c b/src/scep.c
+index c74ca574..e384e8da 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -496,7 +496,7 @@ main(int argc, const char **argv)
+ 	}
+ 
+ 	/* Submit the first request. */
+-	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
++	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
+ 				cainfo, NULL, NULL, NULL, NULL,
+ 				cm_submit_h_negotiate_off,
+ 				cm_submit_h_delegate_off,
+@@ -593,7 +593,7 @@ main(int argc, const char **argv)
+ 	}
+ 	/* Submit a second HTTP request if we have one to make. */
+ 	if (params2 != NULL) {
+-		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
++		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
+ 					NULL, NULL, NULL, NULL, NULL,
+ 					cm_submit_h_negotiate_off,
+ 					cm_submit_h_delegate_off,
+@@ -794,7 +794,7 @@ main(int argc, const char **argv)
+ 						 OP_GET_CA_CERT
+ 						 "&message=%d", i++);
+ 			hctx = cm_submit_h_init(ctx, "GET", url, params,
+-						NULL, NULL, NULL, NULL,
++						NULL, NULL, NULL, NULL, NULL,
+ 						NULL, NULL, NULL,
+ 						cm_submit_h_negotiate_off,
+ 						cm_submit_h_delegate_off,
+diff --git a/src/submit-d.c b/src/submit-d.c
+index 3adaa4a6..f1877c34 100644
+--- a/src/submit-d.c
++++ b/src/submit-d.c
+@@ -1188,7 +1188,7 @@ restart:
+ 		fprintf(stderr, "url = \"%s%s%s\"\n", uri,
+ 		        params ? "?" : "", params ? params : "");
+ 	}
+-	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
++	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
+ 				cainfo, capath, sslcert, sslkey, sslpin,
+ 				cm_submit_h_negotiate_off,
+ 				cm_submit_h_delegate_off,
+diff --git a/src/submit-h.c b/src/submit-h.c
+index 9b507dbe..c04909b1 100644
+--- a/src/submit-h.c
++++ b/src/submit-h.c
+@@ -51,7 +51,7 @@
+ struct cm_submit_h_context {
+ 	int ret;
+ 	long response_code;
+-	char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
++	char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
+ 	int result_length;
+ 	char *sslcert, *sslkey, *sslpass;
+ 	enum cm_submit_h_opt_negotiate negotiate;
+@@ -66,7 +66,7 @@ struct cm_submit_h_context *
+ cm_submit_h_init(void *parent,
+ 		 const char *method, const char *uri, const char *args,
+ 		 const char *content_type, const char *accept,
+-		 const char *cainfo, const char *capath,
++		 const char *referer, const char *cainfo, const char *capath,
+ 		 const char *sslcert, const char *sslkey, const char *sslpass,
+ 		 enum cm_submit_h_opt_negotiate neg,
+ 		 enum cm_submit_h_opt_delegate del,
+@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
+ 		ctx->ctype = content_type ?
+ 			     talloc_strdup(ctx, content_type) :
+ 			     NULL;
++		ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
+ 		ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
+ 		ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
+ 		ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
+@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
+ 			}
+ 		}
+ 		if (ctx->negotiate == cm_submit_h_negotiate_on) {
+-#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
++#if defined(CURLAUTH_NEGOTIATE)
+ 			curl_easy_setopt(ctx->curl,
+ 					 CURLOPT_HTTPAUTH,
+-					 CURLAUTH_GSSNEGOTIATE);
++					 CURLAUTH_NEGOTIATE);
++			curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
+ #else
+ 			cm_log(-1,
+ 			       "warning: libcurl doesn't appear to support "
+@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
+ 							    header);
+ 			}
+ 		}
++		if (ctx->referer != NULL) {
++			header = talloc_asprintf(ctx, "Referer: %s",
++						 ctx->referer);
++			if (header != NULL) {
++				headers = curl_slist_append(headers,
++							    header);
++			}
++		}
+ 		curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
+ 		curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
+ 				 append_result);
+@@ -415,7 +425,7 @@ main(int argc, const char **argv)
+ 	}
+ 
+ 	ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
+-			       ctype, accept,
++			       ctype, accept, NULL,
+ 			       cainfo, capath, sslcert, sslkey, sslpass,
+ 			       negotiate, negotiate_delegate,
+ 			       clientauth, cm_submit_h_env_modify_on,
+diff --git a/src/submit-h.h b/src/submit-h.h
+index 931cc890..b33544af 100644
+--- a/src/submit-h.h
++++ b/src/submit-h.h
+@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
+ 					     const char *args,
+ 					     const char *content_type,
+ 					     const char *accept,
++					     const char *referer,
+ 					     const char *cainfo,
+ 					     const char *capath,
+ 					     const char *sslcert,
+-- 
+2.25.4
+

0008-Switch-IPA-calls-to-use-the-JSON-RPC-endpoint-instea.patch

@@ -0,0 +1,838 @@
+From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Aug 2020 16:57:38 -0400
+Subject: [PATCH 08/11] Switch IPA calls to use the JSON-RPC endpoint instead
+ of XMLRPC
+
+IPA has provided a JSON-RPC interface for many years now and has
+long term plans to drop support for XMLRPC.
+---
+ src/ipa.c         | 546 ++++++++++++++++++++++++++++++++++++++--------
+ src/store-files.c |   2 +
+ 2 files changed, 463 insertions(+), 85 deletions(-)
+
+diff --git a/src/ipa.c b/src/ipa.c
+index e4295826..8c089e68 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -33,8 +33,7 @@
+ 
+ #include <talloc.h>
+ 
+-#include <xmlrpc-c/client.h>
+-#include <xmlrpc-c/transport.h>
++#include <jansson.h>
+ 
+ #include <ldap.h>
+ #include <krb5.h>
+@@ -46,7 +45,7 @@
+ #include "store.h"
+ #include "submit-e.h"
+ #include "submit-u.h"
+-#include "submit-x.h"
++#include "submit-h.h"
+ #include "util.h"
+ 
+ #ifdef ENABLE_NLS
+@@ -56,6 +55,229 @@
+ #define _(_text) (_text)
+ #endif
+ 
++static char *
++get_error_message(krb5_context ctx, krb5_error_code kcode)
++{
++	const char *ret;
++#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
++	ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
++	if (ret == NULL) {
++		ret = error_message(kcode);
++	}
++#else
++	ret = error_message(kcode);
++#endif
++	return strdup(ret);
++}
++
++char *
++cm_submit_ccache_realm(char **msg)
++{
++	krb5_context ctx;
++	krb5_ccache ccache;
++	krb5_principal princ;
++	krb5_error_code kret;
++	krb5_data *data;
++	char *ret;
++
++	if (msg != NULL) {
++		*msg = NULL;
++	}
++
++	kret = krb5_init_context(&ctx);
++	if (kret != 0) {
++		fprintf(stderr, "Error initializing Kerberos: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return NULL;
++	}
++	kret = krb5_cc_default(ctx, &ccache);
++	if (kret != 0) {
++		fprintf(stderr, "Error resolving default ccache: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return NULL;
++	}
++	kret = krb5_cc_get_principal(ctx, ccache, &princ);
++	if (kret != 0) {
++		fprintf(stderr, "Error reading default principal: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return NULL;
++	}
++	data = krb5_princ_realm(ctx, princ);
++	if (data == NULL) {
++		fprintf(stderr, "Error retrieving principal realm.\n");
++		if (msg != NULL) {
++			*msg = "Error retrieving principal realm.\n";
++		}
++		return NULL;
++	}
++	ret = malloc(data->length + 1);
++	if (ret == NULL) {
++		fprintf(stderr, "Out of memory for principal realm.\n");
++		if (msg != NULL) {
++			*msg = "Out of memory for principal realm.\n";
++		}
++		return NULL;
++	}
++	memcpy(ret, data->data, data->length);
++	ret[data->length] = '\0';
++	return ret;
++}
++
++krb5_error_code
++cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
++{
++	krb5_context ctx;
++	krb5_keytab keytab;
++	krb5_ccache ccache;
++	krb5_creds creds;
++	krb5_principal princ;
++	krb5_error_code kret;
++	krb5_get_init_creds_opt gicopts, *gicoptsp;
++	char *ret;
++
++	if (msg != NULL) {
++		*msg = NULL;
++	}
++
++	kret = krb5_init_context(&ctx);
++	if (kret != 0) {
++		ret = get_error_message(ctx, kret);
++		fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++	if (ktname != NULL) {
++		kret = krb5_kt_resolve(ctx, ktname, &keytab);
++	} else {
++		kret = krb5_kt_default(ctx, &keytab);
++	}
++	if (kret != 0) {
++		fprintf(stderr, "Error resolving keytab: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++	princ = NULL;
++	if (principal != NULL) {
++		kret = krb5_parse_name(ctx, principal, &princ);
++		if (kret != 0) {
++			fprintf(stderr, "Error parsing \"%s\": %s.\n",
++				principal, ret = get_error_message(ctx, kret));
++			if (msg != NULL) {
++				*msg = ret;
++			} else {
++				free(ret);
++			}
++			return kret;
++		}
++	} else {
++		kret = krb5_sname_to_principal(ctx, NULL, NULL,
++					       KRB5_NT_SRV_HST, &princ);
++		if (kret != 0) {
++			fprintf(stderr, "Error building client name: %s.\n",
++				ret = get_error_message(ctx, kret));
++			if (msg != NULL) {
++				*msg = ret;
++			} else {
++				free(ret);
++			}
++			return kret;
++		}
++	}
++	memset(&creds, 0, sizeof(creds));
++#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
++	memset(&gicopts, 0, sizeof(gicopts));
++	gicoptsp = NULL;
++	kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
++	if (kret != 0) {
++		fprintf(stderr, "Internal error: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++#else
++	krb5_get_init_creds_opt_init(&gicopts);
++	gicoptsp = &gicopts;
++#endif
++	krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
++	kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
++					  0, NULL, gicoptsp);
++#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
++	krb5_get_init_creds_opt_free(ctx, gicoptsp);
++#endif
++	if (kret != 0) {
++		fprintf(stderr, "Error obtaining initial credentials: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++	ccache = NULL;
++	kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
++			       &ccache);
++	if (kret == 0) {
++		kret = krb5_cc_initialize(ctx, ccache, creds.client);
++	}
++	if (kret != 0) {
++		fprintf(stderr, "Error initializing credential cache: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++	kret = krb5_cc_store_cred(ctx, ccache, &creds);
++	if (kret != 0) {
++		fprintf(stderr,
++			"Error storing creds in credential cache: %s.\n",
++			ret = get_error_message(ctx, kret));
++		if (msg != NULL) {
++			*msg = ret;
++		} else {
++			free(ret);
++		}
++		return kret;
++	}
++	krb5_cc_close(ctx, ccache);
++	krb5_kt_close(ctx, keytab);
++	krb5_free_principal(ctx, princ);
++	krb5_free_context(ctx);
++	putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
++	return 0;
++}
++
+ static int
+ interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
+ {
+@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
+ }
+ 
+ static int
+-cm_locate_xmlrpc_service(const char *server,
++cm_locate_jsonrpc_service(const char *server,
+ 			 int ldap_uri_cmd, const char *ldap_uri,
+ 			 const char *host,
+ 			 const char *domain,
+@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
+ 	LDAPDN rdn;
+ 	struct berval *lbv;
+ 	char *lattrs[2] = {"cn", NULL};
+-	const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
++	const char *relativedn = "cn=masters,cn=ipa,cn=etc";
++	char *dn;
+ 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
+ 	int i, j, rc, n;
+ 	unsigned int flags;
++	int rval = 0;
++	int alloc_basedn = 0;
+ 
+ 	*uris = NULL;
+ 
+@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
+ 	if (basedn == NULL) {
+ 		i = cm_find_default_naming_context(ld, &basedn);
+ 		if (i != 0) {
+-			free(basedn);
+-			return i;
++			rval = i;
++			goto done;
+ 		}
++		alloc_basedn = 1;
+ 	}
+ 	if (basedn == NULL) {
+ 		printf(_("Unable to determine base DN of "
+ 			 "domain information on IPA server.\n"));
+-		return CM_SUBMIT_STATUS_UNCONFIGURED;
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto done;
+ 	}
+ 	/* Now look up the names of the master CAs. */
+ 	snprintf(lfilter, sizeof(lfilter),
+@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
+ 		 "(ipaConfigString=enabledService)"
+ 		 ")", service);
+ 	snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
+-	free(basedn);
++	if (alloc_basedn) {
++		free(basedn);
++	}
+ 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ 			       lfilter, lattrs, 0, NULL, NULL, NULL,
+ 			       LDAP_NO_LIMIT, &lresult);
+ 	if (rc != LDAP_SUCCESS) {
+ 		fprintf(stderr, "Error searching '%s': %s.\n",
+ 			ldn, ldap_err2string(rc));
+-		return CM_SUBMIT_STATUS_UNCONFIGURED;
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto done;
+ 	}
+ 	/* Read their parents' for "cn" values. */
+ 	n = ldap_count_entries(ld, lresult);
+ 	if (n == 0) {
+ 		fprintf(stderr, "No CA masters found.\n");
+ 		ldap_msgfree(lresult);
+-		return CM_SUBMIT_STATUS_UNCONFIGURED;
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto done;
+ 	}
+ 	list = talloc_array_ptrtype(NULL, list, n + 2);
+ 	if (list == NULL) {
+ 		fprintf(stderr, "Out of memory.\n");
+-		return CM_SUBMIT_STATUS_UNCONFIGURED;
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto done;
+ 	}
+ 	i = 0;
+ 	for (lmsg = ldap_first_entry(ld, lresult);
+@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
+ 					switch (flags & 0x0f) {
+ 					case LDAP_AVA_STRING:
+ 						list[i] = talloc_asprintf(list,
+-									  "https://%.*s/ipa/xml",
++									  "https://%.*s/ipa/json",
+ 									  (int) lbv->bv_len,
+ 									  lbv->bv_val);
+ 						if (list[i] != NULL) {
+@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
+ 				ldap_dnfree(rdn);
+ 			}
+ 		}
++		ldap_memfree(dn);
+ 	}
+ 	ldap_msgfree(lresult);
+ 	if (i == 0) {
+ 		free(list);
+-		return CM_SUBMIT_STATUS_UNCONFIGURED;
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto done;
+ 	}
+ 	list[i] = NULL;
+ 	*uris = list;
+-	return CM_SUBMIT_STATUS_ISSUED;
++	rval = CM_SUBMIT_STATUS_ISSUED;
++
++done:
++	if (ld) {
++		ldap_unbind_ext(ld, NULL, NULL);
++	}
++
++	return rval;
++}
++
++/*
++ * Parse the JSON response from the IPA server.
++ *
++ * It will return one of three types of values:
++ * 
++ * < 0 is failure to parse JSON output
++ * 0 is success, no errors were found
++ * > 0 is the IPA API error code
++ */
++static int
++parse_json_result(const char *result, char **error_message) {
++	json_error_t j_error;
++
++	json_t *j_root = NULL;
++	json_t *j_error_obj = NULL;
++
++	int error_code = 0;
++
++	j_root = json_loads(result, 0, &j_error);
++	if (!j_root) {
++		cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
++		return -1;
++	}
++
++	j_error_obj = json_object_get(j_root, "error");
++	if (!j_error_obj || json_is_null(j_error_obj)) {
++		json_decref(j_root);
++		return 0;  // no errors
++	}
++
++	if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
++					   "code", &error_code,
++					   "message", error_message) != 0) {
++		cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
++		json_decref(j_root);
++		return -1;
++	}
++
++	cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
++	json_decref(j_root);
++	return error_code;
+ }
+ 
+ /* Make an XML-RPC request to the "cert_request" method. */
+@@ -344,63 +628,98 @@ static int
+ submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
+ 		   const char *uid, const char *pwd, const char *csr,
+ 		   const char *reqprinc, const char *profile,
+-		   const char *issuer)
++		   const char *issuer, int verbose)
+ {
+-	struct cm_submit_x_context *ctx;
+-	const char *args[2];
++	void *ctx;
++	struct cm_submit_h_context *hctx;
+ 	char *s, *p;
+ 	int i;
++	json_t *json_req = NULL;
++	json_error_t j_error;
++	const char *results = NULL;
++	char *json_str = NULL;
++	char *error_message = NULL;
++	char *referer = NULL;
++	int rval = 0;
++	json_t *j_root = NULL;
++	json_t *j_result_outer = NULL;
++	json_t *j_result = NULL;
++	json_t *j_cert = NULL;
++	const char *certificate = NULL;
+ 
+ 	if ((uri == NULL) || (strlen(uri) == 0)) {
+ 		return CM_SUBMIT_STATUS_UNCONFIGURED;
+ 	}
+ 
+-	/* Prepare to make an XML-RPC request. */
++	ctx = talloc_new(NULL);
++
++	referer = talloc_asprintf(ctx, "%s", uri);
++
++	/* Prepare to make a JSON-RPC request. */
+ submit:
+-	if ((uid != NULL) && (pwd != NULL) &&
+-	    (strlen(uid) > 0) && (strlen(pwd) > 0)) {
+-		ctx = cm_submit_x_init(NULL, uri, "cert_request",
+-				       cainfo, capath, uid, pwd,
+-				       cm_submit_x_negotiate_off,
+-				       cm_submit_x_delegate_off);;
+-	} else {
+-		ctx = cm_submit_x_init(NULL, uri, "cert_request",
+-				       cainfo, capath, NULL, NULL,
+-				       cm_submit_x_negotiate_on,
+-				       cm_submit_x_delegate_on);
++	json_req = json_pack_ex(&j_error, 0,
++							"{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
++							"method", "cert_request",
++							"params",
++							csr,
++							"principal", reqprinc,
++							"profile_id", profile,
++							"cacn", issuer,
++							"add", 1);
++	if (!json_req) {
++		cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
++		return CM_SUBMIT_STATUS_UNCONFIGURED;
+ 	}
+-	if (ctx == NULL) {
+-		fprintf(stderr, "Error setting up for XMLRPC to %s on "
+-			"the client.\n", uri);
+-		printf(_("Error setting up for XMLRPC on the client.\n"));
++	json_str = json_dumps(json_req, 0);
++	json_decref(json_req);
++	if (!json_str) {
++		cm_log(0, "json_dumps() failed\n");
+ 		return CM_SUBMIT_STATUS_UNCONFIGURED;
+ 	}
+ 
+-	/* Add the CSR contents as the sole unnamed argument. */
+-	args[0] = csr;
+-	args[1] = NULL;
+-	cm_submit_x_add_arg_as(ctx, args);
+-	/* Add the principal name named argument. */
+-	cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
+-	/* Add the requested profile name named argument. */
+-	if (profile != NULL) {
+-		cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
+-	}
+-	/* Add the requested CA issuer named argument. */
+-	if (issuer != NULL) {
+-		cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
++	hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
++				       "application/json", "application/json",
++				       referer, cainfo, capath,
++				       NULL, NULL, NULL, 
++				       cm_submit_h_negotiate_on,
++				       cm_submit_h_delegate_off,
++				       cm_submit_h_clientauth_off,
++				       cm_submit_h_env_modify_off,
++				       verbose > 1 ?
++				       cm_submit_h_curl_verbose_on :
++				       cm_submit_h_curl_verbose_off);
++	free(json_str);
++
++	if (hctx == NULL) {
++		fprintf(stderr, "Error setting up JSON-RPC to %s on "
++			"the client.\n", uri);
++		printf(_("Error setting up for JSON-RPC on the client.\n"));
++		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
++		goto cleanup;
+ 	}
+-	/* Tell the server to add entries for a principal if one
+-	 * doesn't exist yet. */
+-	cm_submit_x_add_named_arg_b(ctx, "add", 1);
+ 
+ 	/* Submit the request. */
+ 	fprintf(stderr, "Submitting request to \"%s\".\n", uri);
+-	cm_submit_x_run(ctx);
++	cm_submit_h_run(hctx);
+ 
+ 	/* Check the results. */
+-	if (cm_submit_x_faulted(ctx) == 0) {
+-		i = cm_submit_x_fault_code(ctx);
++
++	results = cm_submit_h_results(hctx, NULL);
++	cm_log(1, "%s\n", results);
++	if (cm_submit_h_response_code(hctx) != 200) {
++		cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
++				  cm_submit_h_response_code(hctx));
++		cm_log(0, "code = %d, code_text = \"%s\"\n",
++			cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
++		rval = CM_SUBMIT_STATUS_UNREACHABLE;
++		goto cleanup;
++	}
++	i = parse_json_result(results, &error_message);
++	if (i < 0) {
++		rval = CM_SUBMIT_STATUS_UNREACHABLE;
++		goto cleanup;
++	}
++	if (i > 0) {
+ 		/* Interpret the error.  See errors.py to get the
+ 		 * classifications. */
+ 		switch (i / 1000) {
+@@ -424,8 +743,9 @@ submit:
+ 			}
+ 			printf("Server at %s denied our request, "
+ 			       "giving up: %d (%s).\n", uri, i,
+-			       cm_submit_x_fault_text(ctx));
+-			return CM_SUBMIT_STATUS_REJECTED;
++			       error_message);
++			rval = CM_SUBMIT_STATUS_REJECTED;
++			goto cleanup;
+ 			break;
+ 		case 1: /* authentication error - transient? */
+ 		case 4: /* execution error - transient? */
+@@ -433,22 +753,51 @@ submit:
+ 		default:
+ 			printf("Server at %s failed request, "
+ 			       "will retry: %d (%s).\n", uri, i,
+-			       cm_submit_x_fault_text(ctx));
+-			return CM_SUBMIT_STATUS_UNREACHABLE;
++			       error_message);
++			rval = CM_SUBMIT_STATUS_UNREACHABLE;
++			goto cleanup;
+ 			break;
+ 		}
+-	} else
+-	if (cm_submit_x_has_results(ctx) == 0) {
+-		if (cm_submit_x_get_named_s(ctx, "certificate",
+-					    &s) == 0) {
++	} else {
++		j_root = json_loads(results, 0, &j_error);
++		if (!j_root) {
++			cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
++			rval = CM_SUBMIT_STATUS_UNREACHABLE;
++			goto cleanup;
++		}
++
++		j_result_outer = json_object_get(j_root, "result");
++		if (!j_result_outer) {
++			cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
++			rval = CM_SUBMIT_STATUS_UNREACHABLE;
++			goto cleanup;
++		}
++
++		j_result = json_object_get(j_result_outer, "result");
++		if (!j_result) {
++			cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
++			rval = CM_SUBMIT_STATUS_UNREACHABLE;
++			goto cleanup;
++		}
++
++		j_cert = json_object_get(j_result, "certificate");
++		if (!j_cert) {
++			cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
++			rval = CM_SUBMIT_STATUS_UNREACHABLE;
++			goto cleanup;
++		}
++		certificate = json_string_value(j_cert);
++
++		if (certificate) {
+ 			/* If we got a certificate, we're probably
+ 			 * okay. */
+-			fprintf(stderr, "Certificate: \"%s\"\n", s);
+-			s = cm_submit_u_base64_from_text(s);
++			fprintf(stderr, "Certificate: \"%s\"\n", certificate);
++			s = cm_submit_u_base64_from_text(certificate);
+ 			if (s == NULL) {
+ 				printf("Out of memory parsing server "
+ 				       "response, will retry.\n");
+-				return CM_SUBMIT_STATUS_UNREACHABLE;
++				rval = CM_SUBMIT_STATUS_UNREACHABLE;
++				goto cleanup;
+ 			}
+ 			p = cm_submit_u_pem_from_base64("CERTIFICATE",
+ 							FALSE, s);
+@@ -457,15 +806,19 @@ submit:
+ 			}
+ 			free(s);
+ 			free(p);
+-			return CM_SUBMIT_STATUS_ISSUED;
++			rval = CM_SUBMIT_STATUS_ISSUED;
++			goto cleanup;
+ 		} else {
+-			return CM_SUBMIT_STATUS_REJECTED;
++			rval = CM_SUBMIT_STATUS_REJECTED;
+ 		}
+-	} else {
+-		/* No useful response, no fault.  Try again, from
+-		 * scratch, later. */
+-		return CM_SUBMIT_STATUS_UNREACHABLE;
+ 	}
++
++cleanup:
++	json_decref(j_root);
++	cm_submit_h_cleanup(hctx);
++	talloc_free(ctx);
++
++	return rval;
+ }
+ 
+ static int
+@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
+ 	       const char *server, int ldap_uri_cmd, const char *ldap_uri,
+ 	       const char *host, const char *domain, char *basedn,
+ 	       const char *uid, const char *pwd, const char *csr,
+-	       const char *reqprinc, const char *profile, const char *issuer)
++	       const char *reqprinc, const char *profile, const char *issuer,
++	       int verbose)
+ {
+ 	int i, u;
+ 	char **uris;
+ 
+ 	i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
+-			       profile, issuer);
++			       profile, issuer, verbose);
+ 	if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
+ 	    (i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
+-		u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
++		u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
+ 					     host, domain, basedn, "CA", &uris);
+ 		if ((u == 0) && (uris != NULL)) {
+ 			for (u = 0; uris[u] != NULL; u++) {
+@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
+ 				}
+ 				i = submit_or_poll_uri(uris[u], cainfo, capath,
+ 						       uid, pwd, csr, reqprinc,
+-						       profile, issuer);
++						       profile, issuer, verbose);
+ 				if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
+ 				    (i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
+ 					talloc_free(uris);
+@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
+ 		return CM_SUBMIT_STATUS_ISSUED;
+ 	}
+ 	/* Read our realm name from our ccache. */
+-	realm = cm_submit_x_ccache_realm(&kerr);
++	realm = cm_submit_ccache_realm(&kerr);
+ 	/* Read all of the certificates. */
+ 	for (lmsg = ldap_first_entry(ld, lresult);
+ 	     lmsg != NULL;
+@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
+ 	ldap_msgfree(lresult);
+ 	free(realm);
+ 	free(kerr);
++	if (ld) {
++		ldap_unbind_ext(ld, NULL, NULL);
++	}
+ 	return CM_SUBMIT_STATUS_ISSUED;
+ }
+ 
+@@ -600,7 +957,8 @@ main(int argc, const char **argv)
+ 	char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
+ 	char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
+ 	const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
+-	int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
++	const char *jsonrpc_uri = NULL;
++	int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
+ 	const char *mode = CM_OP_SUBMIT;
+ 	char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
+ 	krb5_error_code kret;
+@@ -609,6 +967,7 @@ main(int argc, const char **argv)
+ 		{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
+ 		{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
+ 		{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
++		{"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
+ 		{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
+ 		{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
+ 		{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
+@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
+ 	poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
+ 	while ((c = poptGetNextOpt(pctx)) > 0) {
+ 		switch (c) {
+-		case 'H':
+-			xmlrpc_uri = poptGetOptArg(pctx);
+-			xmlrpc_uri_cmd++;
++		case 'H': /* XMLRPC URI kept for backwards compatibility */
++		case 'J':
++			jsonrpc_uri = poptGetOptArg(pctx);
++			jsonrpc_uri_cmd++;
+ 			break;
+ 		case 'L':
+ 			ldap_uri = poptGetOptArg(pctx);
+@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
+ 							      "global",
+ 							      "xmlrpc_uri");
+ 			}
++			if (jsonrpc_uri == NULL) {
++				jsonrpc_uri = get_config_entry(ipaconfig,
++							      "global",
++							      "jsonrpc_uri");
++			}
+ 			if (ldap_uri == NULL) {
+ 				/* Preferred, but likely to only be set on a
+ 				 * server. */
+@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
+ 			}
+ 		}
+ 	}
++	free(ipaconfig);
+ 	csr = NULL;
+ 	memset(uri, '\0', sizeof(uri));
+ 	memset(ldn, '\0', sizeof(ldn));
+@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
+ 		    (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
+ 			issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
+ 		}
+-		if ((server != NULL) && !xmlrpc_uri_cmd) {
++		if ((server != NULL) && !jsonrpc_uri_cmd) {
+ 			snprintf(uri, sizeof(uri),
+-				 "https://%s/ipa/xml", server);
++				 "https://%s/ipa/json", server);
++		} else
++		if (jsonrpc_uri != NULL) {
++			snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
+ 		} else
+ 		if (xmlrpc_uri != NULL) {
+-			snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
++			/* strip off the trailing xml and replace with json */
++			if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
++				printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
++				return CM_SUBMIT_STATUS_UNCONFIGURED;
++			}
++			snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
++			strcat(uri, "json");
+ 		} else
+ 		if (host != NULL) {
+ 			snprintf(uri, sizeof(uri),
+-				 "https://%s/ipa/xml", host);
++				 "https://%s/ipa/json", host);
+ 		}
+ 
+ 		/* Read the CSR from the environment, or from the file named on
+@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
+ 	/* Setup a ccache unless we're told to use the default one. */
+ 	kerr = NULL;
+ 	if (make_keytab_ccache &&
+-	    ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
++	    ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
+ 		fprintf(stderr, "Error setting up ccache at the client: %s.\n",
+ 			kerr);
+ 		if (ktname == NULL) {
+@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
+ 		ret = submit_or_poll(uri, cainfo, capath, server,
+ 				      ldap_uri_cmd, ldap_uri, host, domain,
+ 				      basedn, uid, pwd, csr, reqprinc, profile,
+-				      issuer);
++				      issuer, verbose);
+ 		free(csr);
+ 		free(profile);
+ 		free(issuer);
+ 		free(reqprinc);
++		free(basedn);
+ 		return ret;
+ 	} else
+ 	if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
+diff --git a/src/store-files.c b/src/store-files.c
+index 4c3b2232..85ac692e 100644
+--- a/src/store-files.c
++++ b/src/store-files.c
+@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
+ 			j++;
+ 		}
+ #endif
++#ifdef WITH_XMLRPC
+ #ifdef WITH_CERTMASTER
+ 		/* Make sure we get at least one certmaster entry. */
+ 		for (k = 0; k < j; k++) {
+@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
+ 			j++;
+ 		}
+ #endif
++#endif
+ #ifdef WITH_IPA
+ 		/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
+ 		for (k = 0; k < j; k++) {
+-- 
+2.25.4
+

0009-Remove-the-certmaster-CA-from-the-028-dbus-test.patch

@@ -0,0 +1,201 @@
+From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 16 Sep 2020 11:28:08 -0400
+Subject: [PATCH 09/11] Remove the certmaster CA from the 028-dbus test
+
+The certmaster CA is disabled by default so no longer look for it
+in the dbus test.
+
+This test will fail if certmaster is enabled. There is currently no
+mechanism to dynamically enable/disable features of the tests. It
+can be added if it comes up but its unclear if anyoen took advantage
+of the certmaster support in the first place.
+---
+ tests/028-dbus/expected.out | 130 ++----------------------------------
+ 1 file changed, 6 insertions(+), 124 deletions(-)
+
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index 4d6a9a59..ca7de34f 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -34,10 +34,6 @@ CA 'IPA':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+ 	helper-location: $libexecdir/ipa-submit
+-CA 'certmaster':
+-	is-default: no
+-	ca-type: EXTERNAL
+-	helper-location: $libexecdir/certmaster-submit
+ CA 'dogtag-ipa-renew-agent':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
+ 
+ [[ API ]]
+ [ simpleprop.py ]
+-/org/fedorahosted/certmonger/cas/CA6
+-/org/fedorahosted/certmonger/cas/CA6
++/org/fedorahosted/certmonger/cas/CA5
++/org/fedorahosted/certmonger/cas/CA5
+ : -> : -k admin@localhost -> :
+ 0 -> 1 -> 0
+ [ walk.py ]
+@@ -182,7 +178,7 @@ OK
+ OK
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
+-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
+ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
+@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+  <node name="CA2"/>
+  <node name="CA3"/>
+  <node name="CA4"/>
+- <node name="CA5"/>
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
+@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
+-$tmpdir/cas/20180327134236-2
++$tmpdir/cas/20180327134236-3
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
+-certmaster
++dogtag-ipa-renew-agent
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
+ 0
+@@ -957,7 +952,7 @@ EXTERNAL
+ None
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
+-$libexecdir/certmaster-submit
++$libexecdir/dogtag-ipa-renew-agent-submit
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
+ dbus.Array([], signature=dbus.Signature('s'))
+@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
+ 1
+ 
+-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
+-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+-
+-<node name="/org/fedorahosted/certmonger/cas/CA5">
+- <interface name="org.freedesktop.DBus.Introspectable">
+-  <method name="Introspect">
+-   <arg name="xml_data" type="s" direction="out"/>
+-  </method>
+- </interface>
+- <interface name="org.freedesktop.DBus.Properties">
+-  <method name="Get">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="property_name" type="s" direction="in"/>
+-   <arg name="value" type="v" direction="out"/>
+-  </method>
+-  <method name="Set">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="property_name" type="s" direction="in"/>
+-   <arg name="value" type="v" direction="in"/>
+-  </method>
+-  <method name="GetAll">
+-   <arg name="interface_name" type="s" direction="in"/>
+-   <arg name="props" type="a{sv}" direction="out"/>
+-  </method>
+-  <signal name="PropertiesChanged">
+-   <arg name="interface_name" type="s"/>
+-   <arg name="changed_properties" type="a{sv}"/>
+-   <arg name="invalidated_properties" type="as"/>
+-  </signal>
+- </interface>
+- <interface name="org.fedorahosted.certmonger.ca">
+-  <method name="get_config_file_path">
+-   <arg name="path" type="s" direction="out"/>
+-  </method>
+-  <method name="get_nickname">
+-   <arg name="nickname" type="s" direction="out"/>
+-  </method>
+-  <property name="nickname" type="s" access="read"/>
+-  <property name="aka" type="s" access="read"/>
+-  <method name="get_is_default">
+-   <arg name="default" type="b" direction="out"/>
+-  </method>
+-  <property name="is-default" type="b" access="readwrite"/>
+-  <method name="get_type">
+-   <arg name="type" type="s" direction="out"/>
+-  </method>
+-  <method name="get_serial">
+-   <arg name="serial_hex" type="s" direction="out"/>
+-  </method>
+-  <method name="get_location">
+-   <arg name="path" type="s" direction="out"/>
+-  </method>
+-  <property name="external-helper" type="s" access="readwrite"/>
+-  <method name="get_issuer_names">
+-   <arg name="names" type="as" direction="out"/>
+-  </method>
+-  <method name="refresh">
+-   <arg name="working" type="b" direction="out"/>
+-  </method>
+-  <property name="ca-error" type="s" access="read"/>
+-  <property name="issuer-names" type="as" access="read"/>
+-  <property name="root-certs" type="a(ss)" access="read"/>
+-  <property name="root-other-certs" type="a(ss)" access="read"/>
+-  <property name="other-certs" type="a(ss)" access="read"/>
+-  <property name="required-enroll-attributes" type="as" access="read"/>
+-  <property name="required-renew-attributes" type="as" access="read"/>
+-  <property name="supported-profiles" type="as" access="read"/>
+-  <property name="default-profile" type="s" access="read"/>
+-  <property name="root-cert-files" type="as" access="readwrite"/>
+-  <property name="root-other-cert-files" type="as" access="readwrite"/>
+-  <property name="other-cert-files" type="as" access="readwrite"/>
+-  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
+-  <property name="ca-presave-command" type="s" access="read"/>
+-  <property name="ca-presave-uid" type="s" access="read"/>
+-  <property name="ca-postsave-command" type="s" access="read"/>
+-  <property name="ca-postsave-uid" type="s" access="read"/>
+-  <property name="scep-cipher" type="s" access="readwrite"/>
+-  <property name="scep-digest" type="s" access="readwrite"/>
+-  <property name="scep-ca-identifier" type="s" access="readwrite"/>
+-  <property name="scep-ca-capabilities" type="as" access="read"/>
+-  <property name="scep-ra-cert" type="s" access="read"/>
+-  <property name="scep-ca-cert" type="s" access="read"/>
+-  <property name="scep-other-certs" type="s" access="read"/>
+- </interface>
+-</node>
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
+-$tmpdir/cas/20180327134236-3
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
+-dogtag-ipa-renew-agent
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
+-0
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
+-EXTERNAL
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
+-None
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
+-$libexecdir/dogtag-ipa-renew-agent-submit
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
+-dbus.Array([], signature=dbus.Signature('s'))
+-
+-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
+-1
+-
+-- 
+2.25.4
+

0010-Add-a-local-srpm-target-to-build-an-srpm-from-the-cu.patch

@@ -0,0 +1,38 @@
+From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 16 Sep 2020 11:29:41 -0400
+Subject: [PATCH 10/11] Add a local-srpm target to build an srpm from the
+ current checkout
+
+The srpm target will pull the origin master branch and build from
+that so it isn't useful for testing local changes.
+---
+ Makefile.am | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 16d103ec..883c5932 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
+ local-archive:
+ 	$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
+ 
++local-srpm:
++	repo=`pwd`; \
++	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
++	if test -d "$$tmpdir" ; then \
++		git clone . $$tmpdir;\
++		cd $$tmpdir;\
++		./make-srpm.sh;\
++		cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
++		chmod -R u+rw $$tmpdir;\
++		rm -fr $$tmpdir;\
++	fi
++
+ srpm:
+ 	repo=`pwd`; \
+ 	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
+-- 
+2.25.4
+

0011-Silence-a-rpm-macro-warning-with-an-unescaped-in-a-c.patch

@@ -0,0 +1,26 @@
+From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 16 Sep 2020 11:30:10 -0400
+Subject: [PATCH 11/11] Silence a rpm macro warning with an unescaped % in a
+ comment
+
+---
+ certmonger.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/certmonger.spec b/certmonger.spec
+index a8e1d2e8..f2abd307 100644
+--- a/certmonger.spec
++++ b/certmonger.spec
+@@ -35,7 +35,7 @@ Group:		System Environment/Daemons
+ License:	GPLv3+
+ URL:		http://pagure.io/certmonger/
+ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
+-#Source1:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
++#Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
+ BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+ 
+ BuildRequires:	openldap-devel
+-- 
+2.25.4
+

SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch

@@ -1,195 +0,0 @@
-From 14d1b5f9a482a4740706dc1cb86c454662f48d4c Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 7 Dec 2022 10:09:55 -0500
-Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
-
-This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
----
- tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
- 1 file changed, 124 insertions(+), 6 deletions(-)
-
-diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
-index 86cba02..544ebd7 100644
---- a/tests/028-dbus/expected.out
-+++ b/tests/028-dbus/expected.out
-@@ -35,6 +35,10 @@ CA 'IPA':
- 	is-default: no
- 	ca-type: EXTERNAL
- 	helper-location: $libexecdir/ipa-submit
-+CA 'certmaster':
-+	is-default: no
-+	ca-type: EXTERNAL
-+	helper-location: $libexecdir/certmaster-submit
- CA 'dogtag-ipa-renew-agent':
- 	is-default: no
- 	ca-type: EXTERNAL
-@@ -42,8 +46,8 @@ CA 'dogtag-ipa-renew-agent':
- 
- [[ API ]]
- [ simpleprop.py ]
--/org/fedorahosted/certmonger/cas/CA5
--/org/fedorahosted/certmonger/cas/CA5
-+/org/fedorahosted/certmonger/cas/CA6
-+/org/fedorahosted/certmonger/cas/CA6
- : -> : -k admin@localhost -> :
- 0 -> 1 -> 0
- [ walk.py ]
-@@ -179,7 +183,7 @@ OK
- OK
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
--dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
-+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
- dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
-@@ -507,6 +511,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
-  <node name="CA2"/>
-  <node name="CA3"/>
-  <node name="CA4"/>
-+ <node name="CA5"/>
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
-@@ -940,10 +945,10 @@ dbus.Array([], signature=dbus.Signature('s'))
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
--$tmpdir/cas/20180327134236-3
-+$tmpdir/cas/20180327134236-2
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
--dogtag-ipa-renew-agent
-+certmaster
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
- 0
-@@ -955,7 +960,7 @@ EXTERNAL
- None
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
--$libexecdir/dogtag-ipa-renew-agent-submit
-+$libexecdir/certmaster-submit
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
- dbus.Array([], signature=dbus.Signature('s'))
-@@ -963,3 +968,116 @@ dbus.Array([], signature=dbus.Signature('s'))
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
- 1
- 
-+[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-+
-+<node name="/org/fedorahosted/certmonger/cas/CA5">
-+ <interface name="org.freedesktop.DBus.Introspectable">
-+  <method name="Introspect">
-+   <arg name="xml_data" type="s" direction="out"/>
-+  </method>
-+ </interface>
-+ <interface name="org.freedesktop.DBus.Properties">
-+  <method name="Get">
-+   <arg name="interface_name" type="s" direction="in"/>
-+   <arg name="property_name" type="s" direction="in"/>
-+   <arg name="value" type="v" direction="out"/>
-+  </method>
-+  <method name="Set">
-+   <arg name="interface_name" type="s" direction="in"/>
-+   <arg name="property_name" type="s" direction="in"/>
-+   <arg name="value" type="v" direction="in"/>
-+  </method>
-+  <method name="GetAll">
-+   <arg name="interface_name" type="s" direction="in"/>
-+   <arg name="props" type="a{sv}" direction="out"/>
-+  </method>
-+  <signal name="PropertiesChanged">
-+   <arg name="interface_name" type="s"/>
-+   <arg name="changed_properties" type="a{sv}"/>
-+   <arg name="invalidated_properties" type="as"/>
-+  </signal>
-+ </interface>
-+ <interface name="org.fedorahosted.certmonger.ca">
-+  <method name="get_config_file_path">
-+   <arg name="path" type="s" direction="out"/>
-+  </method>
-+  <method name="get_nickname">
-+   <arg name="nickname" type="s" direction="out"/>
-+  </method>
-+  <property name="nickname" type="s" access="read"/>
-+  <property name="aka" type="s" access="read"/>
-+  <method name="get_is_default">
-+   <arg name="default" type="b" direction="out"/>
-+  </method>
-+  <property name="is-default" type="b" access="readwrite"/>
-+  <method name="get_type">
-+   <arg name="type" type="s" direction="out"/>
-+  </method>
-+  <method name="get_serial">
-+   <arg name="serial_hex" type="s" direction="out"/>
-+  </method>
-+  <method name="get_location">
-+   <arg name="path" type="s" direction="out"/>
-+  </method>
-+  <property name="external-helper" type="s" access="readwrite"/>
-+  <method name="get_issuer_names">
-+   <arg name="names" type="as" direction="out"/>
-+  </method>
-+  <method name="refresh">
-+   <arg name="working" type="b" direction="out"/>
-+  </method>
-+  <property name="ca-error" type="s" access="read"/>
-+  <property name="issuer-names" type="as" access="read"/>
-+  <property name="root-certs" type="a(ss)" access="read"/>
-+  <property name="root-other-certs" type="a(ss)" access="read"/>
-+  <property name="other-certs" type="a(ss)" access="read"/>
-+  <property name="required-enroll-attributes" type="as" access="read"/>
-+  <property name="required-renew-attributes" type="as" access="read"/>
-+  <property name="supported-profiles" type="as" access="read"/>
-+  <property name="default-profile" type="s" access="read"/>
-+  <property name="root-cert-files" type="as" access="readwrite"/>
-+  <property name="root-other-cert-files" type="as" access="readwrite"/>
-+  <property name="other-cert-files" type="as" access="readwrite"/>
-+  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
-+  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
-+  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
-+  <property name="ca-presave-command" type="s" access="read"/>
-+  <property name="ca-presave-uid" type="s" access="read"/>
-+  <property name="ca-postsave-command" type="s" access="read"/>
-+  <property name="ca-postsave-uid" type="s" access="read"/>
-+  <property name="scep-cipher" type="s" access="readwrite"/>
-+  <property name="scep-digest" type="s" access="readwrite"/>
-+  <property name="scep-ca-identifier" type="s" access="readwrite"/>
-+  <property name="scep-ca-capabilities" type="as" access="read"/>
-+  <property name="scep-ra-cert" type="s" access="read"/>
-+  <property name="scep-ca-cert" type="s" access="read"/>
-+  <property name="scep-other-certs" type="s" access="read"/>
-+ </interface>
-+</node>
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-+$tmpdir/cas/20180327134236-3
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-+dogtag-ipa-renew-agent
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-+0
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-+EXTERNAL
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-+None
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-+$libexecdir/dogtag-ipa-renew-agent-submit
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-+dbus.Array([], signature=dbus.Signature('s'))
-+
-+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-+1
-+
--- 
-2.38.1
-

SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch

@@ -1,24 +0,0 @@
-From 6224c3aa01665edddbda1ec7d1e35b03823eefcb Mon Sep 17 00:00:00 2001
-From: root <root@ci-vm-10-0-137-168.hosted.upshift.rdu2.redhat.com>
-Date: Wed, 7 Dec 2022 14:50:01 -0500
-Subject: [PATCH] Don't run the 002-keygen-* tests when root
-
-The permissions tests will fail.
----
- tests/002-keygen-dbm/prequal.sh | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100755 tests/002-keygen-dbm/prequal.sh
-
-diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
-new file mode 100755
-index 0000000..b6c16e0
---- /dev/null
-+++ b/tests/002-keygen-dbm/prequal.sh
-@@ -0,0 +1,5 @@
-+#!/bin/sh
-+if test `id -u` -eq 0 ; then
-+       echo "This test won't work right if run as root."
-+       exit 1
-+fi
--- 
-2.31.1

certmonger.spec

@@ -1,47 +1,69 @@
+%if 0%{?fedora} > 15 || 0%{?rhel} > 6
 %global systemd 1
 %global	sysvinit 0
+%else
+%global systemd 0
+%global	sysvinit 1
+%endif
 
+%if 0%{?fedora} > 15 && 0%{?fedora} < 20
+%global systemdsysv 1
+%else
 %global systemdsysv 0
+%endif
 
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
 %global tmpfiles 1
+%else
+%global tmpfiles 0
+%endif
 
+%if 0%{?fedora} > 9 || 0%{?rhel} > 5
 %global sysvinitdir %{_initddir}
+%else
+%global sysvinitdir %{_initrddir}
+%endif
 
-%bcond_without xmlrpc
+%bcond_with xmlrpc
 
 Name:		certmonger
-Version:	0.79.17
-Release:	2%{?dist}
+Version:	0.79.20
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
-Group:		System Environment/Daemons
-License:	GPLv3+
+License:	GPL-3.0-or-later
 URL:		http://pagure.io/certmonger/
 Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 #Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
 
-Patch0001:	0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
-Patch0002:	0002-Don-t-run-the-002-keygen-tests-when-root.patch
-
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	gettext-devel
 BuildRequires:	gcc
 BuildRequires:	openldap-devel
+BuildRequires:	krb5-devel
 BuildRequires:	libidn2-devel
-BuildRequires:	python3-dbus
-BuildRequires:	dbus-devel
-BuildRequires:	nspr-devel
-BuildRequires:	nss-devel
-BuildRequires:	openssl-devel
+BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
+%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires:	libuuid-devel
+%else
+BuildRequires:	e2fsprogs-devel
+%endif
 BuildRequires:	libtalloc-devel, libtevent-devel
+%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
 BuildRequires:	libcurl-devel
+%else
+BuildRequires:	curl-devel
+%endif
 BuildRequires:	libxml2-devel
 %if %{with xmlrpc}
-BuildRequires:	xmlrpc-c-devel
+BuildRequires:  xmlrpc-c-devel
+%endif
+BuildRequires:  jansson-devel
+%if 0%{?rhel} && 0%{?rhel} < 6
+BuildRequires:	bind-libbind-devel
+BuildRequires:	mktemp
 %endif
-BuildRequires:	jansson-devel
 # Required for 'make check':
 #  for diff and cmp
 BuildRequires:	diffutils
@@ -58,10 +80,9 @@ BuildRequires:	/usr/bin/dos2unix
 BuildRequires:	/usr/bin/unix2dos
 #  for which
 BuildRequires:	/usr/bin/which
+#  for dbus tests
+BuildRequires:	python3-dbus
 BuildRequires:	popt-devel
-#  for make check
-BuildRequires:	python3-devel
-BuildRequires:	krb5-devel
 
 # we need a running system bus
 Requires:	dbus
@@ -69,6 +90,7 @@ Requires(post):	%{_bindir}/dbus-send
 
 %if %{systemd}
 BuildRequires:	systemd-units
+BuildRequires: make
 Requires(post):	systemd-units
 Requires(preun):	systemd-units, dbus, sed
 Requires(postun):	systemd-units
@@ -90,6 +112,10 @@ Requires(post):	/sbin/chkconfig, /sbin/service
 Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 %endif
 
+%if 0%{?fedora} >= 15
+# Certain versions of libtevent have incorrect internal ABI versions.
+Conflicts: libtevent < 0.9.13
+%endif
 
 %description
 Certmonger is a service which is primarily concerned with getting your
@@ -98,6 +124,12 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %prep
 %autosetup -p1
 
+%if 0%{?rhel} > 0
+# Enabled by default for RHEL for bug #765600, still disabled by default for
+# Fedora pending a similar bug report there.
+sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
+%endif
+
 %build
 autoreconf -i -f
 %configure \
@@ -112,8 +144,9 @@ autoreconf -i -f
 %endif
 	--with-homedir=/run/certmonger \
 %if %{with xmlrpc}
-	--with-xmlrpc \
+    --with-xmlrpc \
 %endif
+	--disable-dsa \
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
 %if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@@ -131,10 +164,6 @@ install -m755 -d $RPM_BUILD_ROOT/run/certmonger
 %{find_lang} %{name}
 
 %check
-# Seed then openssl RNG if not set
-if [ ! -e $HOME/.rnd ] ; then
-	openssl rand -writerand $HOME/.rnd
-fi
 make check
 
 %post
@@ -144,7 +173,7 @@ fi
 %if %{without xmlrpc}
 # remove any existing certmaster CA configuration
 if test $1 -gt 1 ; then
-	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+    %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
 fi
 %endif
 %if %{systemd}
@@ -212,7 +241,6 @@ exit 0
 %endif
 
 %files -f %{name}.lang
-%defattr(-,root,root,-)
 %doc README.md LICENSE STATUS doc/*.txt
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
 %{_datadir}/dbus-1/services/*
@@ -236,106 +264,155 @@ exit 0
 %endif
 
 %changelog
-* Wed Dec  7 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
-- Skip the keygen tests when executed as root.
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-3
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
 
-* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
-- Update to upstream 0.79.17 (#2139523)
-- Certificate format validation when adding the SCEP server's CA (#2150025)
-- Certmonger SCEP renewal should not use old challenges (#2150030)
-- certmonger SEGV during rekey in FIPS mode (#2150070)
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-2
+- Bump release for June 2024 mass rebuild
 
-* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
-- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
-  with critical=FALSE (#2012258)
+* Mon Jun 10 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.20-1
+- Update to upstream 0.79.20
 
-* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
-- Certmonger SCEP renewal should not use old challenges (#1577570)
-- Certmonger segfault after cert renewal request (#1881500)
-- Include certificate NotBefore date in output of the 'getcert list' command
-  (#1940261)
-- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
+* Tue Feb 20 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.19-5
+- Update tests to be compatible with OpenSSL 3.2
 
-* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
-- Fix local CA to work under FIPS (#1950132)
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
-- Rebuild with xmlrpc-c support enabled (#1687698)
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
-- Rebase to 0.79.13 (#1891743)
- 
-* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
-- Replace the previous fix for dbus restarting with PartOf in the
-  certmonger systemd service file to link the two (#1687698)
+* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 0.79.19-2
+- Fix C compatibility issues
 
-* Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
-- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
+* Tue Oct 10 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.19-1
+- Update to upstream 0.79.19
 
-* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
-- Exit gracefully if dbus is restarted (#1687698)
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 
-* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12
-- Add long command-line options to man pages and help output (#1782838)
+* Wed Apr 05 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.18-1
+- Update to upstream 0.79.18
 
-* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11
-- Fix test failure in 039-fromfile
+* Thu Feb 23 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.17-4
+- migrated to SPDX license
 
-* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10
-- Ensure that files read in have a trailing new-line (#1829490)
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 
-* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9
-- Call the secport equivalent of PR_ErrorToString
-- Remove a couple of unused varaibles found by coverity
+* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
+- Rename DBus service and conf files to match canonical name (#2151243)
 
-* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8
-- Move systemd tmpfiles from /var/run to /run (#1804928)
-- Improve logging in the SCEP helper (#1807691)
-- Fix sort order of certificates passed into PKCS7_verify (#1808052)
-- Add -N option to SCEP helper to separate web server chain from
-  SCEP issuer chain (#1808613)
-- Add template profile, MS v2 template and issuer to getcert list
-  output (#1734451)
+* Wed Nov 30 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
+- Update to upstream 0.79.17
 
-* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7
-- Update gating requirements
+* Thu Aug 25 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.16-1
+- Update to upstream 0.79.16
 
-* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
-- Rebuild
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 
-* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
-- Fix use-after-free issue when retrieving CA chain (#1710632)
+* Mon Apr 11 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-3
+- Disable DSA key support. They do not work in FIPS mode at all and
+  are disabled by crypto policy by default.
 
-* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
-- Optimize closing of file descriptors on fork (#1763745)
-- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
-- Retrieve full IPA CA chain (#1710632)
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 
-* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
-- Rebuild for new annobin (#1708095)
+* Wed Jan  5 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-1
+- Update to upstream 0.79.15
 
-* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
-- Rebuild for new annobin (#1708095)
+* Tue Oct 05 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
+- Don't encode critical=FALSE in X509v3 extensions
 
-* Thu May  9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1
-- Rebase to 0.79.7 (#1708095)
+* Wed Sep 29 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
+- Fix FTBFS due to OpenSSL 3.0.0 API change between beta1 and 2.
 
-* Mon Oct  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5
-- Address more issues uncovered by static analysis (#1632449)
+* Wed Sep 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-4
+- Port to OpenSSL 3.0.0
 
-* Tue Oct  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
-- Improve handling of NSS tokens (#1624930)
-- Pull in upstream fixes discovered in coverity and clang (#1632449)
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.79.14-3
+- Rebuilt with OpenSSL 3.0.0
 
-* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
-- Add BuildRequires on python3-devel (#1615507)
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 
-* Thu Aug  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-2
-- Fix test failure on some platforms
+* Tue Jun 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
+- Update to upstream 0.79.14
 
-* Wed Aug  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Oct 20 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
+- Update to upstream 0.79.13
+
+* Mon Oct  5 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.12-1
+- Update to upstream 0.79.12
+
+* Fri Sep 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-4
+- Don't send SIGKILL to child processes to terminate them
+- Switch to JSON for communication with IPA
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-2
+- Fix for an unnecessary free() which can cause core dump.
+
+* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-1
+- Update to upstream 0.79.11
+
+* Thu Jun 25 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.10-1
+- Update to upstream 0.79.10
+
+* Thu Jan 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.9-1
+- Update to upstream 0.79.9
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Oct 30 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-3
+- Change python2-dbus build dependency to python3
+- Convert tests to pass under python 3
+- Skip DSA tests because it is disabled by default crypto policy
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jul 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-1
+- Update to upstream 0.79.8
+
+* Wed May 22 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
+- Add BuildRequires for krb5-devel, the buildroot changed.
+
+* Mon May 20 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
+- Move systemd tmpfiles from /var/run to /run (upstream #111)
+- Change /var/run -> /run in systemd service file
+
+* Mon Feb 18 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-1
+- Update to upstream 0.79.7
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Oct  4 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
+- Pull in upstream fixes discovered in coverity and clang.
+
+* Mon Oct  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
+- Improve NSS token handling. The updated NSS crypto-policy enables all
+  tokens which broke requesting certificates due to the way that tokens
+  were managed.
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue May  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
 - Update to upstream 0.79.6
-- Fix unit tests to work with python 3
+
+* Wed Mar 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.79.5-7
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 
 * Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
 - Fix unit tests. NSS crypto policy disallows keys < 1024

gating.yaml

@@ -0,0 +1,8 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1 @@
+SHA512 (certmonger-0.79.20.tar.gz) = 76685185172bbf2c766c477c399ce0b14c9fd2d81637b44b8da80ae045ebf6c650ae3d525a87dccd755a6c92d4a5916bb62f8ea1d8520c47ae64770be6a5d2be

tests/.fmf/version

@@ -0,0 +1 @@
+1

tests/provision.fmf

@@ -0,0 +1,5 @@
+---
+ 
+standard-inventory-qcow2:
+  qemu:
+    m: 2G

tests/tests.yml

@@ -0,0 +1,18 @@
+---
+- hosts: localhost
+  tags: [ always ]
+  tasks:
+  - set_fact:
+      our_required_packages:
+      - wget            # upstream-testsuite-execution-and-rebuild-test needs wget command
+      - yum-utils       # upstream-testsuite-execution-and-rebuild-test needs yum-builddep command
+      - rpm-build       # upstream-testsuite-execution-and-rebuild-test needs rpmbuild command
+
+- hosts: localhost
+  tags:
+  - classic
+  roles:
+  - role: standard-test-beakerlib
+    tests:
+    - upstream-testsuite-execution-and-rebuild-test
+    required_packages: "{{ our_required_packages }}"

tests/upstream-testsuite-execution-and-rebuild-test/Makefile

@@ -0,0 +1,72 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
+#   Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
+#   Author: Ales Marecek <amarecek@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Based on sudo rebuild test
+
+export TEST=/CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Rob Crittenden <rcritten@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution." >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        30m" >> $(METADATA)
+	@echo "RunFor:          sudo" >> $(METADATA)
+	@echo "Requires:        sudo" >> $(METADATA)
+	@echo "Requires:        sed" >> $(METADATA)
+	@echo "Requires:        grep" >> $(METADATA)
+	@echo "Requires:        rpm-build" >> $(METADATA)
+	@echo "Requires:        yum-utils" >> $(METADATA)
+	@echo "Requires:        make" >> $(METADATA)
+	@echo "Requires:        libcap-devel" >> $(METADATA)
+	@echo "Requires:        audit-libs-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/upstream-testsuite-execution-and-rebuild-test/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
+Description: This test rebuild certmonger source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
+Author: Rob Crittenden <rcritten@redhat.com>

tests/upstream-testsuite-execution-and-rebuild-test/runtest.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
+#   Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
+#   Author: Ales Marecek <amarecek@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Based on sudo rebuild test
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="certmonger"
+_SPEC_DIR="$(rpm --eval=%_specdir)"
+_BUILD_DIR="$(rpm --eval=%_builddir)"
+_LOG_REBUILD_F="${PACKAGE}-rebuild.log"
+_LOG_TESTSUITE_F="${PACKAGE}-testsuite.log"
+
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+	# Source package is needed for code inspection
+	rlFetchSrcForInstalled "${PACKAGE}" || yumdownloader --source "${PACKAGE}"
+    rlRun "find . -size 0 -delete" 0 "Remove empty src.rpm-s"
+	rlRun "yum-builddep -y --nogpgcheck ${PACKAGE}-*.src.rpm" 0 "Installing build dependencies"
+	[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*" 0 "Cleaning build directory"
+	rlRun "rpm -ivh ${PACKAGE}-*.src.rpm" 0 "Installing source rpm"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+	rlRun "QA_RPATHS=0x0002 rpmbuild -ba --noclean ${_SPEC_DIR}/${PACKAGE}.spec" 0 "Test: Rebuild of source '${PACKAGE}' package"
+	rlGetPhaseState
+	if [ $? -eq 0 ]; then
+		[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*-SPECPARTS" 0 "Cleaning SPECPARTS directory"
+		cd ${_BUILD_DIR}/${PACKAGE}-*
+		rlRun -s "make check" 0 "Test: Upstream testsuite"
+		cd ${TmpDir}
+		while read -r I; do
+		    if [[ "$I" =~ $(echo '([^:]+): .+ tests run, .+ errors, (.*)% success rate') ]]; then
+		        [[ "${BASH_REMATCH[2]}" == "100" ]]
+		        rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
+		    elif [[ "$I" =~ $(echo "([^:]+): .+ tests passed; (.+)/.+ tests failed") ]]; then
+		        [[ "${BASH_REMATCH[2]}" == "0" ]]
+		        rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
+		    fi
+		done < $rlRun_LOG
+		rm -f $rlRun_LOG
+	else
+		rlFail "Skipping testsuite part because rebuild part failed."
+	fi
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd