24 changed files with 206317 additions and 320 deletions
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@ -1 +0,0 @@
 ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,139 @@
-SOURCES/certmonger-0.79.17.tar.gz
+certmonger-0.17.tar.gz
 certmonger-0.18.tar.gz
 certmonger-0.19.tar.gz
 certmonger-0.20.tar.gz
 certmonger-0.21.tar.gz
 certmonger-0.22.tar.gz
 certmonger-0.23.tar.gz
 certmonger-0.24.tar.gz
 certmonger-0.26.tar.gz
 certmonger-0.28.tar.gz
 /certmonger-0.30.tar.gz
 /certmonger-0.32.tar.gz
 /certmonger-0.34.tar.gz
 /certmonger-0.35.tar.gz
 /certmonger-0.35.1.tar.gz
 /certmonger-0.36.tar.gz
 /certmonger-0.37.tar.gz
 /certmonger-0.38.tar.gz
 /certmonger-0.39.tar.gz
 /certmonger-0.40.tar.gz
 /certmonger-0.41.tar.gz
 /certmonger-0.42.tar.gz
 /certmonger-0.43.tar.gz
 /certmonger-0.44.tar.gz
 /certmonger-0.45.tar.gz
 /certmonger-0.46.tar.gz
 /certmonger-0.49.tar.gz
 /certmonger-0.49.tar.gz.sig
 /certmonger-0.50.tar.gz
 /certmonger-0.50.tar.gz.sig
 /certmonger-0.51.tar.gz
 /certmonger-0.51.tar.gz.sig
 /certmonger-0.52.tar.gz
 /certmonger-0.52.tar.gz.sig
 /certmonger-0.54.tar.gz
 /certmonger-0.54.tar.gz.sig
 /certmonger-0.55.tar.gz
 /certmonger-0.55.tar.gz.sig
 /certmonger-0.56.tar.gz
 /certmonger-0.56.tar.gz.sig
 /certmonger-0.59.tar.gz
 /certmonger-0.59.tar.gz.sig
 /certmonger-0.60.tar.gz
 /certmonger-0.60.tar.gz.sig
 /certmonger-0.61.tar.gz
 /certmonger-0.61.tar.gz.sig
 /certmonger-0.62.tar.gz
 /certmonger-0.62.tar.gz.sig
 /certmonger-0.63.tar.gz
 /certmonger-0.63.tar.gz.sig
 /certmonger-0.65.tar.gz
 /certmonger-0.65.tar.gz.sig
 /certmonger-0.67.tar.gz
 /certmonger-0.67.tar.gz.sig
 /certmonger-0.68.tar.gz
 /certmonger-0.68.tar.gz.sig
 /certmonger-0.69.tar.gz
 /certmonger-0.69.tar.gz.sig
 /certmonger-0.70.tar.gz
 /certmonger-0.70.tar.gz.sig
 /certmonger-0.71.2.tar.gz
 /certmonger-0.71.2.tar.gz.sig
 /certmonger-0.73.tar.gz
 /certmonger-0.73.tar.gz.sig
 /certmonger-0.74.tar.gz
 /certmonger-0.74.tar.gz.sig
 /certmonger-0.75.tar.gz
 /certmonger-0.75.tar.gz.sig
 /certmonger-0.75.1.tar.gz
 /certmonger-0.75.1.tar.gz.sig
 /certmonger-0.75.2.tar.gz
 /certmonger-0.75.2.tar.gz.sig
 /certmonger-0.75.3.tar.gz
 /certmonger-0.75.3.tar.gz.sig
 /certmonger-0.75.5.tar.gz
 /certmonger-0.75.5.tar.gz.sig
 /certmonger-0.75.6.tar.gz
 /certmonger-0.75.6.tar.gz.sig
 /certmonger-0.75.8.tar.gz
 /certmonger-0.75.8.tar.gz.sig
 /certmonger-0.75.9.tar.gz
 /certmonger-0.75.9.tar.gz.sig
 /certmonger-0.75.10.tar.gz
 /certmonger-0.75.10.tar.gz.sig
 /certmonger-0.75.13.tar.gz
 /certmonger-0.75.13.tar.gz.sig
 /certmonger-0.75.14.tar.gz
 /certmonger-0.75.14.tar.gz.sig
 /certmonger-0.76.6.tar.gz
 /certmonger-0.76.6.tar.gz.sig
 /certmonger-0.76.7.tar.gz
 /certmonger-0.76.7.tar.gz.sig
 /certmonger-0.76.8.tar.gz
 /certmonger-0.76.8.tar.gz.sig
 /certmonger-0.77.1.tar.gz
 /certmonger-0.77.1.tar.gz.sig
 /certmonger-0.77.2.tar.gz
 /certmonger-0.77.2.tar.gz.sig
 /certmonger-0.77.3.tar.gz
 /certmonger-0.77.3.tar.gz.sig
 /certmonger-0.77.4.tar.gz
 /certmonger-0.77.4.tar.gz.sig
 /certmonger-0.77.5.tar.gz
 /certmonger-0.77.5.tar.gz.sig
 /certmonger-0.78.tar.gz
 /certmonger-0.78.tar.gz.sig
 /certmonger-0.78.1.tar.gz
 /certmonger-0.78.1.tar.gz.sig
 /certmonger-0.78.2.tar.gz
 /certmonger-0.78.2.tar.gz.sig
 /certmonger-0.78.3.tar.gz
 /certmonger-0.78.3.tar.gz.sig
 /certmonger-0.78.4.tar.gz
 /certmonger-0.78.4.tar.gz.sig
 /certmonger-0.78.5.tar.gz
 /certmonger-0.78.5.tar.gz.sig
 /certmonger-0.78.6.tar.gz
 /certmonger-0.78.6.tar.gz.sig
 /certmonger-0.79.2.tar.gz
 /certmonger-0.79.2.tar.gz.sig
 /certmonger-0.79.3.tar.gz
 /certmonger-0.79.3.tar.gz.sig
 /certmonger-0.79.4.tar.gz
 /certmonger-0.79.5.tar.gz
 /certmonger-0.79.6.tar.gz
 /certmonger-0.79.7.tar.gz
 /certmonger-0.79.8.tar.gz
 /certmonger-0.79.9.tar.gz
 /certmonger-0.79.10.tar.gz
 /certmonger-0.79.11.tar.gz
 /certmonger-0.79.12.tar.gz
 /certmonger-0.79.13.tar.gz
 /certmonger-0.79.14.tar.gz
 /certmonger-0.79.15.tar.gz
 /certmonger-0.79.16.tar.gz
 /certmonger-0.79.17.tar.gz
 /certmonger-0.79.18.tar.gz
 /certmonger-0.79.19.tar.gz
 /certmonger-0.79.20.tar.gz
--- a/0001-Don-t-free-soptions-while-it-is-still-needed.patch
+++ b/0001-Don-t-free-soptions-while-it-is-still-needed.patch
@ -0,0 +1,29 @@
 From c5270bde4dab84f18c347e82376ef00733865247 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Wed, 1 Jul 2020 10:46:50 -0400
 Subject: [PATCH] Don't free soptions while it is still needed
 Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
 to avoid leaking soptions and aoptions.
 https://pagure.io/certmonger/issue/163
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 src/dogtag.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/dogtag.c b/src/dogtag.c
 index 91c9c588..faf81f97 100644
 --- a/src/dogtag.c
 +++ b/src/dogtag.c
@@ -579,7 +579,6 @@ main(int argc, const char **argv)
 				pin = NULL;
 			}
 		}
 -		free(soptions);
 		/* Add client creds. */
 		if (uid != NULL) {
 			uid = cm_submit_u_url_encode(uid);
 -- 
 2.25.4
--- a/0002-Don-t-send-SIGKILL-to-children-give-them-a-chance-to.patch
+++ b/0002-Don-t-send-SIGKILL-to-children-give-them-a-chance-to.patch
@ -0,0 +1,28 @@
 From 00e948049acf0ca1b61ed9c2b8579b06b4bcb46a Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 18 Aug 2020 14:33:17 -0400
 Subject: [PATCH 02/11] Don't send SIGKILL to children, give them a chance to
 die
 This was causing issues in IPA which uses a lock file to
 serialize some operations. The kill was leaving the lock in
 place causing things to time out.
 ---
 src/subproc.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/subproc.c b/src/subproc.c
 index 8df836ae..70d4ed93 100644
 --- a/src/subproc.c
 +++ b/src/subproc.c
@@ -240,7 +240,6 @@ cm_subproc_done(struct cm_subproc_state *state)
 	if (state != NULL) {
 		if (state->pid != -1) {
 -			kill(state->pid, SIGKILL);
 			do {
 				pid = waitpid(state->pid, &state->status, 0);
 				cm_log(4, "Waited for %ld, got %ld.\n",
 -- 
 2.25.4
--- a/0003-Remove-empty-translation-files.patch
+++ b/0003-Remove-empty-translation-files.patch
--- a/0004-remove-dead-make-targets.patch
+++ b/0004-remove-dead-make-targets.patch
@ -0,0 +1,28 @@
 From 93974735c31e653acc0d3de7e1cb165dbe764aef Mon Sep 17 00:00:00 2001
 From: Fraser Tweedale <ftweedal@redhat.com>
 Date: Wed, 16 Sep 2020 15:49:00 +1000
 Subject: [PATCH 04/11] remove dead make targets
 Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
 but left dangling references to those files in tests/Makefile.am,
 breaking the build.  Delete references to the deleted files.
 ---
 tests/Makefile.am | 2 --
 1 file changed, 2 deletions(-)
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index c1ce8412..013d34bf 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -156,8 +156,6 @@ EXTRA_DIST = \
 	002-keygen-dsa/prequal.sh \
 	002-keygen-dsa/run.sh \
 	002-keygen-dsa/expected.out \
 -	002-keygen-dsa/expected.out.2 \
 -	002-keygen-dsa/expected.out.3 \
 	002-keygen-ec/prequal.sh \
 	002-keygen-ec/run.sh \
 	002-keygen-ec/expected.out \
 -- 
 2.25.4
--- a/0005-Require-jansson-for-IPA-RPC-calls-make-xmlrpc-option.patch
+++ b/0005-Require-jansson-for-IPA-RPC-calls-make-xmlrpc-option.patch
@ -0,0 +1,201 @@
 From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 20 Aug 2020 16:52:13 -0400
 Subject: [PATCH 05/11] Require jansson for IPA RPC calls, make xmlrpc optional
 xmlrpc is now only used for certmaster
 IPA will only make JSON RPC calls to retrieve certificates
 ---
 configure.ac    | 59 ++++++++++++++++++++++++++++++-------------------
 src/Makefile.am | 33 ++++++++++++++++++++-------
 2 files changed, 61 insertions(+), 31 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index abcd6d84..14991244 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
 	CPPFLAGS="$savedCPPFLAGS"
 	LDFLAGS="$savedLDFLAGS"
 -	dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
 -	savedCFLAGS="$CFLAGS"
 -	CFLAGS=
 -	AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
 -	AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
 -	if test -z "$XMLRPC_C_CONFIG" ; then
 -		AC_MSG_ERROR(xmlrpc-c-config not found)
 -	fi
 -	AC_MSG_CHECKING(for XMLRPC CFLAGS)
 -	XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
 -	AC_MSG_RESULT([$XMLRPC_CFLAGS])
 -	AC_SUBST(XMLRPC_CFLAGS)
 -	AC_MSG_CHECKING(for XMLRPC LIBS)
 -	XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
 -	AC_MSG_RESULT([$XMLRPC_LIBS])
 -	AC_SUBST(XMLRPC_LIBS)
 -	CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
 -	AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
 -			 [
 -			 #include <xmlrpc-c/client.h>
 -			 #include <xmlrpc-c/transport.h>
 -			 ])
 -	CFLAGS="$savedCFLAGS"
 +	PKG_CHECK_MODULES(JANSSON,jansson)
 +	have_jansson=true
 +
 +	AC_ARG_WITH([xmlrpc],
 +		[AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
 +		[with_xmlrpc=${with_xmlrpc}],
 +		[with_xmlrpc=no])
 +	AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
 +		[include XMLRPC support])])
 +	AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
 +
 +	AS_IF([test x"$with_xmlrpc" = xyes], [
 +		dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
 +		savedCFLAGS="$CFLAGS"
 +		CFLAGS=
 +		AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
 +		AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
 +		if test -z "$XMLRPC_C_CONFIG" ; then
 +			AC_MSG_ERROR(xmlrpc-c-config not found)
 +		fi
 +		AC_MSG_CHECKING(for XMLRPC CFLAGS)
 +		XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
 +		AC_MSG_RESULT([$XMLRPC_CFLAGS])
 +		AC_SUBST(XMLRPC_CFLAGS)
 +		AC_MSG_CHECKING(for XMLRPC LIBS)
 +		XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
 +		AC_MSG_RESULT([$XMLRPC_LIBS])
 +		AC_SUBST(XMLRPC_LIBS)
 +		CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
 +		AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
 +				 [
 +				 #include <xmlrpc-c/client.h>
 +				 #include <xmlrpc-c/transport.h>
 +				 ])
 +		CFLAGS="$savedCFLAGS"
 +	])
 	savedCFLAGS="$CFLAGS"
 	savedCPPFLAGS="$CPPFLAGS"
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 5343dbc4..13bd87d9 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
 endif
 man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
 	   getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
 -	   selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
 +	   selfsign-getcert.1 ipa-getcert.1 \
 	   getcert-resubmit.1 certmonger-ipa-submit.8 \
 -	   certmonger-certmaster-submit.8 \
 	   certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
 	   getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
 	   certmonger-local-submit.8 getcert-status.1 \
 	   certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
 	   getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
 	   getcert-remove-ca.1 getcert-rekey.1
 +if WITH_XMLRPC
 +man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
 +endif
 pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
 pkgsysconf_DATA = certmonger.conf
 EXTRA_PROGRAMS =
@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
 	submit-sn.c \
 	submit-u.c \
 	submit-u.h \
 -	submit-x.c \
 -	submit-x.h \
 	subproc.c \
 	subproc.h \
 	tdbus.c \
@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
 	util-m.h \
 	util-n.c \
 	util-n.h
 +if WITH_XMLRPC
 +libcm_a_SOURCES += \
 +	submit-x.c \
 +	submit-x.h
 +endif
 libcm_o_a_SOURCES =
 if HAVE_OPENSSL
 libcm_o_a_SOURCES += \
@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
 ipa_getcert_LDADD = $(getcert_LDADD)
 endif
 if WITH_IPA
 +if WITH_XMLRPC
 bin_PROGRAMS += certmaster-getcert
 certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
 certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
 certmaster_getcert_LDADD = $(getcert_LDADD)
 endif
 +endif
 bin_PROGRAMS += selfsign-getcert
 selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
 selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
 certmonger_session_LDADD = libcm.a \
 		   $(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
 		   $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
 -noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
 +noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
 +if WITH_XMLRPC
 +noinst_PROGRAMS += submit-x
 +endif
 tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
 tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
 serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
 nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
 +if WITH_XMLRPC
 submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
 submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
 	tm.c tm.h
 submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 		 $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
 +endif
 toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
 toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
 if WITH_CERTMASTER
 +if WITH_XMLRPC
 pkglibexec_PROGRAMS += certmaster-submit
 endif
 +endif
 if WITH_IPA
 pkglibexec_PROGRAMS += ipa-submit
 endif
@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
 pkglibexec_PROGRAMS += scep-submit
 endif
 noinst_PROGRAMS += submit-h submit-d
 -ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
 +ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
 ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
 -		submit-x.c submit-x.h submit-u.c submit-u.h \
 +		submit-h.c submit-h.h submit-u.c submit-u.h \
 		submit-e.h util.c util.h log.c log.h tm.c tm.h
 ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 		   $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
 -		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
 +		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
 +		   $(JANSSON_LIBS)
 +if WITH_XMLRPC
 certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
 certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
 		submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
 		tm.c tm.h
 certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 			  $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
 +endif
 dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
 				       $(NSS_CFLAGS) $(CURL_CFLAGS) \
 				       -DDOGTAG_IPA_RENEW_AGENT=1
 -- 
 2.25.4
--- a/0006-Make-xmlrpc-optional-in-the-certmonger-spec-file-dis.patch
+++ b/0006-Make-xmlrpc-optional-in-the-certmonger-spec-file-dis.patch
@ -0,0 +1,93 @@
 From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 20 Aug 2020 16:53:50 -0400
 Subject: [PATCH 06/11] Make xmlrpc optional in the certmonger spec file,
 disable certmaster
 This disables certmaster support by default since it requires
 xmlrpc
 ---
 certmonger.spec | 22 +++++++++++++++++++++-
 configure.ac    |  1 +
 2 files changed, 22 insertions(+), 1 deletion(-)
 diff --git a/certmonger.spec b/certmonger.spec
 index e1f5536e..a8e1d2e8 100644
 --- a/certmonger.spec
 +++ b/certmonger.spec
@@ -24,6 +24,8 @@
 %global sysvinitdir %{_initrddir}
 %endif
 +%bcond_with xmlrpc
 +
 Name:		certmonger
 Version:	0.79.11
 Release:	1%{?dist}
@@ -37,6 +39,7 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires:	openldap-devel
 +BuildRequires:	krb5-devel
 BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
 BuildRequires:	autoconf, automake, gcc, gettext-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@@ -50,7 +53,11 @@ BuildRequires:	libcurl-devel
 %else
 BuildRequires:	curl-devel
 %endif
 -BuildRequires:	libxml2-devel, xmlrpc-c-devel
 +BuildRequires:	libxml2-devel
 +%if %{with xmlrpc}
 +BuildRequires:	xmlrpc-c-devel
 +%endif
 +BuildRequires:	jansson-devel
 %if 0%{?rhel} && 0%{?rhel} < 6
 BuildRequires:	bind-libbind-devel
 BuildRequires:	mktemp
@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
 	--enable-tmpfiles \
 %endif
 	--with-homedir=/run/certmonger \
 +%if %{with xmlrpc}
 +	--with-xmlrpc \
 +%endif
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
 +%if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
 # tell us about libxmlrpc_client, but we need more.  Work around.
 make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
 +%else
 +make %{?_smp_mflags}
 +%endif
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
 if test $1 -eq 1 ; then
 	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
 fi
 +%if %{without xmlrpc}
 +# remove any existing certmaster CA configuration
 +if test $1 -gt 1 ; then
 +    %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
 +fi
 +%endif
 %if %{systemd}
 if test $1 -eq 1 ; then
 	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
 diff --git a/configure.ac b/configure.ac
 index 14991244..f2964856 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -876,6 +876,7 @@ else
 	AM_CONDITIONAL(HAVE_EC,false)
 	AM_CONDITIONAL(WITH_IPA,false)
 	AM_CONDITIONAL(WITH_CERTMASTER,false)
 +	AM_CONDITIONAL(WITH_XMLRPC,false)
 	AM_CONDITIONAL(WITH_LOCAL,false)
 	AM_CONDITIONAL(HAVE_UUID,false)
 fi
 -- 
 2.25.4
--- a/0007-Add-Referer-header-option-to-the-submit-h-API.patch
+++ b/0007-Add-Referer-header-option-to-the-submit-h-API.patch
@ -0,0 +1,155 @@
 From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 20 Aug 2020 16:55:36 -0400
 Subject: [PATCH 07/11] Add Referer header option to the submit-h API
 This will allow IPA API requests that require the Referer header
 to be set.
 ---
 src/dogtag.c   |  2 +-
 src/scep.c     |  6 +++---
 src/submit-d.c |  2 +-
 src/submit-h.c | 20 +++++++++++++++-----
 src/submit-h.h |  1 +
 5 files changed, 21 insertions(+), 10 deletions(-)
 diff --git a/src/dogtag.c b/src/dogtag.c
 index faf81f97..d36ac008 100644
 --- a/src/dogtag.c
 +++ b/src/dogtag.c
@@ -691,7 +691,7 @@ main(int argc, const char **argv)
 	/* Submit the form(s). */
 	hctx = NULL;
 	while (url != NULL) {
 -		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
 +		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
 					cainfo, capath, sslcert, sslkey, sslpin,
 					cm_submit_h_negotiate_off,
 					cm_submit_h_delegate_off,
 diff --git a/src/scep.c b/src/scep.c
 index c74ca574..e384e8da 100644
 --- a/src/scep.c
 +++ b/src/scep.c
@@ -496,7 +496,7 @@ main(int argc, const char **argv)
 	}
 	/* Submit the first request. */
 -	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
 +	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
 				cainfo, NULL, NULL, NULL, NULL,
 				cm_submit_h_negotiate_off,
 				cm_submit_h_delegate_off,
@@ -593,7 +593,7 @@ main(int argc, const char **argv)
 	}
 	/* Submit a second HTTP request if we have one to make. */
 	if (params2 != NULL) {
 -		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
 +		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
 					NULL, NULL, NULL, NULL, NULL,
 					cm_submit_h_negotiate_off,
 					cm_submit_h_delegate_off,
@@ -794,7 +794,7 @@ main(int argc, const char **argv)
 						 OP_GET_CA_CERT
 						 "&message=%d", i++);
 			hctx = cm_submit_h_init(ctx, "GET", url, params,
 -						NULL, NULL, NULL, NULL,
 +						NULL, NULL, NULL, NULL, NULL,
 						NULL, NULL, NULL,
 						cm_submit_h_negotiate_off,
 						cm_submit_h_delegate_off,
 diff --git a/src/submit-d.c b/src/submit-d.c
 index 3adaa4a6..f1877c34 100644
 --- a/src/submit-d.c
 +++ b/src/submit-d.c
@@ -1188,7 +1188,7 @@ restart:
 		fprintf(stderr, "url = \"%s%s%s\"\n", uri,
 		        params ? "?" : "", params ? params : "");
 	}
 -	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
 +	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
 				cainfo, capath, sslcert, sslkey, sslpin,
 				cm_submit_h_negotiate_off,
 				cm_submit_h_delegate_off,
 diff --git a/src/submit-h.c b/src/submit-h.c
 index 9b507dbe..c04909b1 100644
 --- a/src/submit-h.c
 +++ b/src/submit-h.c
@@ -51,7 +51,7 @@
 struct cm_submit_h_context {
 	int ret;
 	long response_code;
 -	char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
 +	char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
 	int result_length;
 	char *sslcert, *sslkey, *sslpass;
 	enum cm_submit_h_opt_negotiate negotiate;
@@ -66,7 +66,7 @@ struct cm_submit_h_context *
 cm_submit_h_init(void *parent,
 		 const char *method, const char *uri, const char *args,
 		 const char *content_type, const char *accept,
 -		 const char *cainfo, const char *capath,
 +		 const char *referer, const char *cainfo, const char *capath,
 		 const char *sslcert, const char *sslkey, const char *sslpass,
 		 enum cm_submit_h_opt_negotiate neg,
 		 enum cm_submit_h_opt_delegate del,
@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
 		ctx->ctype = content_type ?
 			     talloc_strdup(ctx, content_type) :
 			     NULL;
 +		ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
 		ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
 		ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
 		ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
 			}
 		}
 		if (ctx->negotiate == cm_submit_h_negotiate_on) {
 -#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
 +#if defined(CURLAUTH_NEGOTIATE)
 			curl_easy_setopt(ctx->curl,
 					 CURLOPT_HTTPAUTH,
 -					 CURLAUTH_GSSNEGOTIATE);
 +					 CURLAUTH_NEGOTIATE);
 +			curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
 #else
 			cm_log(-1,
 			       "warning: libcurl doesn't appear to support "
@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
 							    header);
 			}
 		}
 +		if (ctx->referer != NULL) {
 +			header = talloc_asprintf(ctx, "Referer: %s",
 +						 ctx->referer);
 +			if (header != NULL) {
 +				headers = curl_slist_append(headers,
 +							    header);
 +			}
 +		}
 		curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
 		curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
 				 append_result);
@@ -415,7 +425,7 @@ main(int argc, const char **argv)
 	}
 	ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
 -			       ctype, accept,
 +			       ctype, accept, NULL,
 			       cainfo, capath, sslcert, sslkey, sslpass,
 			       negotiate, negotiate_delegate,
 			       clientauth, cm_submit_h_env_modify_on,
 diff --git a/src/submit-h.h b/src/submit-h.h
 index 931cc890..b33544af 100644
 --- a/src/submit-h.h
 +++ b/src/submit-h.h
@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
 					     const char *args,
 					     const char *content_type,
 					     const char *accept,
 +					     const char *referer,
 					     const char *cainfo,
 					     const char *capath,
 					     const char *sslcert,
 -- 
 2.25.4
--- a/0008-Switch-IPA-calls-to-use-the-JSON-RPC-endpoint-instea.patch
+++ b/0008-Switch-IPA-calls-to-use-the-JSON-RPC-endpoint-instea.patch
@ -0,0 +1,838 @@
 From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 20 Aug 2020 16:57:38 -0400
 Subject: [PATCH 08/11] Switch IPA calls to use the JSON-RPC endpoint instead
 of XMLRPC
 IPA has provided a JSON-RPC interface for many years now and has
 long term plans to drop support for XMLRPC.
 ---
 src/ipa.c         | 546 ++++++++++++++++++++++++++++++++++++++--------
 src/store-files.c |   2 +
 2 files changed, 463 insertions(+), 85 deletions(-)
 diff --git a/src/ipa.c b/src/ipa.c
 index e4295826..8c089e68 100644
 --- a/src/ipa.c
 +++ b/src/ipa.c
@@ -33,8 +33,7 @@
 #include <talloc.h>
 -#include <xmlrpc-c/client.h>
 -#include <xmlrpc-c/transport.h>
 +#include <jansson.h>
 #include <ldap.h>
 #include <krb5.h>
@@ -46,7 +45,7 @@
 #include "store.h"
 #include "submit-e.h"
 #include "submit-u.h"
 -#include "submit-x.h"
 +#include "submit-h.h"
 #include "util.h"
 #ifdef ENABLE_NLS
@@ -56,6 +55,229 @@
 #define _(_text) (_text)
 #endif
 +static char *
 +get_error_message(krb5_context ctx, krb5_error_code kcode)
 +{
 +	const char *ret;
 +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
 +	ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
 +	if (ret == NULL) {
 +		ret = error_message(kcode);
 +	}
 +#else
 +	ret = error_message(kcode);
 +#endif
 +	return strdup(ret);
 +}
 +
 +char *
 +cm_submit_ccache_realm(char **msg)
 +{
 +	krb5_context ctx;
 +	krb5_ccache ccache;
 +	krb5_principal princ;
 +	krb5_error_code kret;
 +	krb5_data *data;
 +	char *ret;
 +
 +	if (msg != NULL) {
 +		*msg = NULL;
 +	}
 +
 +	kret = krb5_init_context(&ctx);
 +	if (kret != 0) {
 +		fprintf(stderr, "Error initializing Kerberos: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return NULL;
 +	}
 +	kret = krb5_cc_default(ctx, &ccache);
 +	if (kret != 0) {
 +		fprintf(stderr, "Error resolving default ccache: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return NULL;
 +	}
 +	kret = krb5_cc_get_principal(ctx, ccache, &princ);
 +	if (kret != 0) {
 +		fprintf(stderr, "Error reading default principal: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return NULL;
 +	}
 +	data = krb5_princ_realm(ctx, princ);
 +	if (data == NULL) {
 +		fprintf(stderr, "Error retrieving principal realm.\n");
 +		if (msg != NULL) {
 +			*msg = "Error retrieving principal realm.\n";
 +		}
 +		return NULL;
 +	}
 +	ret = malloc(data->length + 1);
 +	if (ret == NULL) {
 +		fprintf(stderr, "Out of memory for principal realm.\n");
 +		if (msg != NULL) {
 +			*msg = "Out of memory for principal realm.\n";
 +		}
 +		return NULL;
 +	}
 +	memcpy(ret, data->data, data->length);
 +	ret[data->length] = '\0';
 +	return ret;
 +}
 +
 +krb5_error_code
 +cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
 +{
 +	krb5_context ctx;
 +	krb5_keytab keytab;
 +	krb5_ccache ccache;
 +	krb5_creds creds;
 +	krb5_principal princ;
 +	krb5_error_code kret;
 +	krb5_get_init_creds_opt gicopts, *gicoptsp;
 +	char *ret;
 +
 +	if (msg != NULL) {
 +		*msg = NULL;
 +	}
 +
 +	kret = krb5_init_context(&ctx);
 +	if (kret != 0) {
 +		ret = get_error_message(ctx, kret);
 +		fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +	if (ktname != NULL) {
 +		kret = krb5_kt_resolve(ctx, ktname, &keytab);
 +	} else {
 +		kret = krb5_kt_default(ctx, &keytab);
 +	}
 +	if (kret != 0) {
 +		fprintf(stderr, "Error resolving keytab: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +	princ = NULL;
 +	if (principal != NULL) {
 +		kret = krb5_parse_name(ctx, principal, &princ);
 +		if (kret != 0) {
 +			fprintf(stderr, "Error parsing \"%s\": %s.\n",
 +				principal, ret = get_error_message(ctx, kret));
 +			if (msg != NULL) {
 +				*msg = ret;
 +			} else {
 +				free(ret);
 +			}
 +			return kret;
 +		}
 +	} else {
 +		kret = krb5_sname_to_principal(ctx, NULL, NULL,
 +					       KRB5_NT_SRV_HST, &princ);
 +		if (kret != 0) {
 +			fprintf(stderr, "Error building client name: %s.\n",
 +				ret = get_error_message(ctx, kret));
 +			if (msg != NULL) {
 +				*msg = ret;
 +			} else {
 +				free(ret);
 +			}
 +			return kret;
 +		}
 +	}
 +	memset(&creds, 0, sizeof(creds));
 +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
 +	memset(&gicopts, 0, sizeof(gicopts));
 +	gicoptsp = NULL;
 +	kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
 +	if (kret != 0) {
 +		fprintf(stderr, "Internal error: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +#else
 +	krb5_get_init_creds_opt_init(&gicopts);
 +	gicoptsp = &gicopts;
 +#endif
 +	krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
 +	kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
 +					  0, NULL, gicoptsp);
 +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
 +	krb5_get_init_creds_opt_free(ctx, gicoptsp);
 +#endif
 +	if (kret != 0) {
 +		fprintf(stderr, "Error obtaining initial credentials: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +	ccache = NULL;
 +	kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
 +			       &ccache);
 +	if (kret == 0) {
 +		kret = krb5_cc_initialize(ctx, ccache, creds.client);
 +	}
 +	if (kret != 0) {
 +		fprintf(stderr, "Error initializing credential cache: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +	kret = krb5_cc_store_cred(ctx, ccache, &creds);
 +	if (kret != 0) {
 +		fprintf(stderr,
 +			"Error storing creds in credential cache: %s.\n",
 +			ret = get_error_message(ctx, kret));
 +		if (msg != NULL) {
 +			*msg = ret;
 +		} else {
 +			free(ret);
 +		}
 +		return kret;
 +	}
 +	krb5_cc_close(ctx, ccache);
 +	krb5_kt_close(ctx, keytab);
 +	krb5_free_principal(ctx, princ);
 +	krb5_free_context(ctx);
 +	putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
 +	return 0;
 +}
 +
 static int
 interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
 {
@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
 }
 static int
 -cm_locate_xmlrpc_service(const char *server,
 +cm_locate_jsonrpc_service(const char *server,
 			 int ldap_uri_cmd, const char *ldap_uri,
 			 const char *host,
 			 const char *domain,
@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
 	LDAPDN rdn;
 	struct berval *lbv;
 	char *lattrs[2] = {"cn", NULL};
 -	const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
 +	const char *relativedn = "cn=masters,cn=ipa,cn=etc";
 +	char *dn;
 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
 	int i, j, rc, n;
 	unsigned int flags;
 +	int rval = 0;
 +	int alloc_basedn = 0;
 	*uris = NULL;
@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
 	if (basedn == NULL) {
 		i = cm_find_default_naming_context(ld, &basedn);
 		if (i != 0) {
 -			free(basedn);
 -			return i;
 +			rval = i;
 +			goto done;
 		}
 +		alloc_basedn = 1;
 	}
 	if (basedn == NULL) {
 		printf(_("Unable to determine base DN of "
 			 "domain information on IPA server.\n"));
 -		return CM_SUBMIT_STATUS_UNCONFIGURED;
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto done;
 	}
 	/* Now look up the names of the master CAs. */
 	snprintf(lfilter, sizeof(lfilter),
@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
 		 "(ipaConfigString=enabledService)"
 		 ")", service);
 	snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
 -	free(basedn);
 +	if (alloc_basedn) {
 +		free(basedn);
 +	}
 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 			       lfilter, lattrs, 0, NULL, NULL, NULL,
 			       LDAP_NO_LIMIT, &lresult);
 	if (rc != LDAP_SUCCESS) {
 		fprintf(stderr, "Error searching '%s': %s.\n",
 			ldn, ldap_err2string(rc));
 -		return CM_SUBMIT_STATUS_UNCONFIGURED;
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto done;
 	}
 	/* Read their parents' for "cn" values. */
 	n = ldap_count_entries(ld, lresult);
 	if (n == 0) {
 		fprintf(stderr, "No CA masters found.\n");
 		ldap_msgfree(lresult);
 -		return CM_SUBMIT_STATUS_UNCONFIGURED;
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto done;
 	}
 	list = talloc_array_ptrtype(NULL, list, n + 2);
 	if (list == NULL) {
 		fprintf(stderr, "Out of memory.\n");
 -		return CM_SUBMIT_STATUS_UNCONFIGURED;
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto done;
 	}
 	i = 0;
 	for (lmsg = ldap_first_entry(ld, lresult);
@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
 					switch (flags & 0x0f) {
 					case LDAP_AVA_STRING:
 						list[i] = talloc_asprintf(list,
 -									  "https://%.*s/ipa/xml",
 +									  "https://%.*s/ipa/json",
 									  (int) lbv->bv_len,
 									  lbv->bv_val);
 						if (list[i] != NULL) {
@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
 				ldap_dnfree(rdn);
 			}
 		}
 +		ldap_memfree(dn);
 	}
 	ldap_msgfree(lresult);
 	if (i == 0) {
 		free(list);
 -		return CM_SUBMIT_STATUS_UNCONFIGURED;
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto done;
 	}
 	list[i] = NULL;
 	*uris = list;
 -	return CM_SUBMIT_STATUS_ISSUED;
 +	rval = CM_SUBMIT_STATUS_ISSUED;
 +
 +done:
 +	if (ld) {
 +		ldap_unbind_ext(ld, NULL, NULL);
 +	}
 +
 +	return rval;
 +}
 +
 +/*
 + * Parse the JSON response from the IPA server.
 + *
 + * It will return one of three types of values:
 + * 
 + * < 0 is failure to parse JSON output
 + * 0 is success, no errors were found
 + * > 0 is the IPA API error code
 + */
 +static int
 +parse_json_result(const char *result, char **error_message) {
 +	json_error_t j_error;
 +
 +	json_t *j_root = NULL;
 +	json_t *j_error_obj = NULL;
 +
 +	int error_code = 0;
 +
 +	j_root = json_loads(result, 0, &j_error);
 +	if (!j_root) {
 +		cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
 +		return -1;
 +	}
 +
 +	j_error_obj = json_object_get(j_root, "error");
 +	if (!j_error_obj || json_is_null(j_error_obj)) {
 +		json_decref(j_root);
 +		return 0;  // no errors
 +	}
 +
 +	if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
 +					   "code", &error_code,
 +					   "message", error_message) != 0) {
 +		cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
 +		json_decref(j_root);
 +		return -1;
 +	}
 +
 +	cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
 +	json_decref(j_root);
 +	return error_code;
 }
 /* Make an XML-RPC request to the "cert_request" method. */
@@ -344,63 +628,98 @@ static int
 submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
 		   const char *uid, const char *pwd, const char *csr,
 		   const char *reqprinc, const char *profile,
 -		   const char *issuer)
 +		   const char *issuer, int verbose)
 {
 -	struct cm_submit_x_context *ctx;
 -	const char *args[2];
 +	void *ctx;
 +	struct cm_submit_h_context *hctx;
 	char *s, *p;
 	int i;
 +	json_t *json_req = NULL;
 +	json_error_t j_error;
 +	const char *results = NULL;
 +	char *json_str = NULL;
 +	char *error_message = NULL;
 +	char *referer = NULL;
 +	int rval = 0;
 +	json_t *j_root = NULL;
 +	json_t *j_result_outer = NULL;
 +	json_t *j_result = NULL;
 +	json_t *j_cert = NULL;
 +	const char *certificate = NULL;
 	if ((uri == NULL) || (strlen(uri) == 0)) {
 		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
 -	/* Prepare to make an XML-RPC request. */
 +	ctx = talloc_new(NULL);
 +
 +	referer = talloc_asprintf(ctx, "%s", uri);
 +
 +	/* Prepare to make a JSON-RPC request. */
 submit:
 -	if ((uid != NULL) && (pwd != NULL) &&
 -	    (strlen(uid) > 0) && (strlen(pwd) > 0)) {
 -		ctx = cm_submit_x_init(NULL, uri, "cert_request",
 -				       cainfo, capath, uid, pwd,
 -				       cm_submit_x_negotiate_off,
 -				       cm_submit_x_delegate_off);;
 -	} else {
 -		ctx = cm_submit_x_init(NULL, uri, "cert_request",
 -				       cainfo, capath, NULL, NULL,
 -				       cm_submit_x_negotiate_on,
 -				       cm_submit_x_delegate_on);
 +	json_req = json_pack_ex(&j_error, 0,
 +							"{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
 +							"method", "cert_request",
 +							"params",
 +							csr,
 +							"principal", reqprinc,
 +							"profile_id", profile,
 +							"cacn", issuer,
 +							"add", 1);
 +	if (!json_req) {
 +		cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
 +		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
 -	if (ctx == NULL) {
 -		fprintf(stderr, "Error setting up for XMLRPC to %s on "
 -			"the client.\n", uri);
 -		printf(_("Error setting up for XMLRPC on the client.\n"));
 +	json_str = json_dumps(json_req, 0);
 +	json_decref(json_req);
 +	if (!json_str) {
 +		cm_log(0, "json_dumps() failed\n");
 		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
 -	/* Add the CSR contents as the sole unnamed argument. */
 -	args[0] = csr;
 -	args[1] = NULL;
 -	cm_submit_x_add_arg_as(ctx, args);
 -	/* Add the principal name named argument. */
 -	cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
 -	/* Add the requested profile name named argument. */
 -	if (profile != NULL) {
 -		cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
 -	}
 -	/* Add the requested CA issuer named argument. */
 -	if (issuer != NULL) {
 -		cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
 +	hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
 +				       "application/json", "application/json",
 +				       referer, cainfo, capath,
 +				       NULL, NULL, NULL, 
 +				       cm_submit_h_negotiate_on,
 +				       cm_submit_h_delegate_off,
 +				       cm_submit_h_clientauth_off,
 +				       cm_submit_h_env_modify_off,
 +				       verbose > 1 ?
 +				       cm_submit_h_curl_verbose_on :
 +				       cm_submit_h_curl_verbose_off);
 +	free(json_str);
 +
 +	if (hctx == NULL) {
 +		fprintf(stderr, "Error setting up JSON-RPC to %s on "
 +			"the client.\n", uri);
 +		printf(_("Error setting up for JSON-RPC on the client.\n"));
 +		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
 +		goto cleanup;
 	}
 -	/* Tell the server to add entries for a principal if one
 -	 * doesn't exist yet. */
 -	cm_submit_x_add_named_arg_b(ctx, "add", 1);
 	/* Submit the request. */
 	fprintf(stderr, "Submitting request to \"%s\".\n", uri);
 -	cm_submit_x_run(ctx);
 +	cm_submit_h_run(hctx);
 	/* Check the results. */
 -	if (cm_submit_x_faulted(ctx) == 0) {
 -		i = cm_submit_x_fault_code(ctx);
 +
 +	results = cm_submit_h_results(hctx, NULL);
 +	cm_log(1, "%s\n", results);
 +	if (cm_submit_h_response_code(hctx) != 200) {
 +		cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
 +				  cm_submit_h_response_code(hctx));
 +		cm_log(0, "code = %d, code_text = \"%s\"\n",
 +			cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
 +		rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +		goto cleanup;
 +	}
 +	i = parse_json_result(results, &error_message);
 +	if (i < 0) {
 +		rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +		goto cleanup;
 +	}
 +	if (i > 0) {
 		/* Interpret the error.  See errors.py to get the
 		 * classifications. */
 		switch (i / 1000) {
@@ -424,8 +743,9 @@ submit:
 			}
 			printf("Server at %s denied our request, "
 			       "giving up: %d (%s).\n", uri, i,
 -			       cm_submit_x_fault_text(ctx));
 -			return CM_SUBMIT_STATUS_REJECTED;
 +			       error_message);
 +			rval = CM_SUBMIT_STATUS_REJECTED;
 +			goto cleanup;
 			break;
 		case 1: /* authentication error - transient? */
 		case 4: /* execution error - transient? */
@@ -433,22 +753,51 @@ submit:
 		default:
 			printf("Server at %s failed request, "
 			       "will retry: %d (%s).\n", uri, i,
 -			       cm_submit_x_fault_text(ctx));
 -			return CM_SUBMIT_STATUS_UNREACHABLE;
 +			       error_message);
 +			rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +			goto cleanup;
 			break;
 		}
 -	} else
 -	if (cm_submit_x_has_results(ctx) == 0) {
 -		if (cm_submit_x_get_named_s(ctx, "certificate",
 -					    &s) == 0) {
 +	} else {
 +		j_root = json_loads(results, 0, &j_error);
 +		if (!j_root) {
 +			cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
 +			rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +			goto cleanup;
 +		}
 +
 +		j_result_outer = json_object_get(j_root, "result");
 +		if (!j_result_outer) {
 +			cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
 +			rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +			goto cleanup;
 +		}
 +
 +		j_result = json_object_get(j_result_outer, "result");
 +		if (!j_result) {
 +			cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
 +			rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +			goto cleanup;
 +		}
 +
 +		j_cert = json_object_get(j_result, "certificate");
 +		if (!j_cert) {
 +			cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
 +			rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +			goto cleanup;
 +		}
 +		certificate = json_string_value(j_cert);
 +
 +		if (certificate) {
 			/* If we got a certificate, we're probably
 			 * okay. */
 -			fprintf(stderr, "Certificate: \"%s\"\n", s);
 -			s = cm_submit_u_base64_from_text(s);
 +			fprintf(stderr, "Certificate: \"%s\"\n", certificate);
 +			s = cm_submit_u_base64_from_text(certificate);
 			if (s == NULL) {
 				printf("Out of memory parsing server "
 				       "response, will retry.\n");
 -				return CM_SUBMIT_STATUS_UNREACHABLE;
 +				rval = CM_SUBMIT_STATUS_UNREACHABLE;
 +				goto cleanup;
 			}
 			p = cm_submit_u_pem_from_base64("CERTIFICATE",
 							FALSE, s);
@@ -457,15 +806,19 @@ submit:
 			}
 			free(s);
 			free(p);
 -			return CM_SUBMIT_STATUS_ISSUED;
 +			rval = CM_SUBMIT_STATUS_ISSUED;
 +			goto cleanup;
 		} else {
 -			return CM_SUBMIT_STATUS_REJECTED;
 +			rval = CM_SUBMIT_STATUS_REJECTED;
 		}
 -	} else {
 -		/* No useful response, no fault.  Try again, from
 -		 * scratch, later. */
 -		return CM_SUBMIT_STATUS_UNREACHABLE;
 	}
 +
 +cleanup:
 +	json_decref(j_root);
 +	cm_submit_h_cleanup(hctx);
 +	talloc_free(ctx);
 +
 +	return rval;
 }
 static int
@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
 	       const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	       const char *host, const char *domain, char *basedn,
 	       const char *uid, const char *pwd, const char *csr,
 -	       const char *reqprinc, const char *profile, const char *issuer)
 +	       const char *reqprinc, const char *profile, const char *issuer,
 +	       int verbose)
 {
 	int i, u;
 	char **uris;
 	i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
 -			       profile, issuer);
 +			       profile, issuer, verbose);
 	if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
 	    (i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
 -		u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
 +		u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
 					     host, domain, basedn, "CA", &uris);
 		if ((u == 0) && (uris != NULL)) {
 			for (u = 0; uris[u] != NULL; u++) {
@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
 				}
 				i = submit_or_poll_uri(uris[u], cainfo, capath,
 						       uid, pwd, csr, reqprinc,
 -						       profile, issuer);
 +						       profile, issuer, verbose);
 				if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
 				    (i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
 					talloc_free(uris);
@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 		return CM_SUBMIT_STATUS_ISSUED;
 	}
 	/* Read our realm name from our ccache. */
 -	realm = cm_submit_x_ccache_realm(&kerr);
 +	realm = cm_submit_ccache_realm(&kerr);
 	/* Read all of the certificates. */
 	for (lmsg = ldap_first_entry(ld, lresult);
 	     lmsg != NULL;
@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	ldap_msgfree(lresult);
 	free(realm);
 	free(kerr);
 +	if (ld) {
 +		ldap_unbind_ext(ld, NULL, NULL);
 +	}
 	return CM_SUBMIT_STATUS_ISSUED;
 }
@@ -600,7 +957,8 @@ main(int argc, const char **argv)
 	char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
 	char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
 	const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
 -	int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
 +	const char *jsonrpc_uri = NULL;
 +	int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
 	const char *mode = CM_OP_SUBMIT;
 	char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
 	krb5_error_code kret;
@@ -609,6 +967,7 @@ main(int argc, const char **argv)
 		{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
 		{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
 		{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
 +		{"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
 		{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
 		{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
 		{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
 	poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
 	while ((c = poptGetNextOpt(pctx)) > 0) {
 		switch (c) {
 -		case 'H':
 -			xmlrpc_uri = poptGetOptArg(pctx);
 -			xmlrpc_uri_cmd++;
 +		case 'H': /* XMLRPC URI kept for backwards compatibility */
 +		case 'J':
 +			jsonrpc_uri = poptGetOptArg(pctx);
 +			jsonrpc_uri_cmd++;
 			break;
 		case 'L':
 			ldap_uri = poptGetOptArg(pctx);
@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
 							      "global",
 							      "xmlrpc_uri");
 			}
 +			if (jsonrpc_uri == NULL) {
 +				jsonrpc_uri = get_config_entry(ipaconfig,
 +							      "global",
 +							      "jsonrpc_uri");
 +			}
 			if (ldap_uri == NULL) {
 				/* Preferred, but likely to only be set on a
 				 * server. */
@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
 			}
 		}
 	}
 +	free(ipaconfig);
 	csr = NULL;
 	memset(uri, '\0', sizeof(uri));
 	memset(ldn, '\0', sizeof(ldn));
@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
 		    (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
 			issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
 		}
 -		if ((server != NULL) && !xmlrpc_uri_cmd) {
 +		if ((server != NULL) && !jsonrpc_uri_cmd) {
 			snprintf(uri, sizeof(uri),
 -				 "https://%s/ipa/xml", server);
 +				 "https://%s/ipa/json", server);
 +		} else
 +		if (jsonrpc_uri != NULL) {
 +			snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
 		} else
 		if (xmlrpc_uri != NULL) {
 -			snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
 +			/* strip off the trailing xml and replace with json */
 +			if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
 +				printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
 +				return CM_SUBMIT_STATUS_UNCONFIGURED;
 +			}
 +			snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
 +			strcat(uri, "json");
 		} else
 		if (host != NULL) {
 			snprintf(uri, sizeof(uri),
 -				 "https://%s/ipa/xml", host);
 +				 "https://%s/ipa/json", host);
 		}
 		/* Read the CSR from the environment, or from the file named on
@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
 	/* Setup a ccache unless we're told to use the default one. */
 	kerr = NULL;
 	if (make_keytab_ccache &&
 -	    ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
 +	    ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
 		fprintf(stderr, "Error setting up ccache at the client: %s.\n",
 			kerr);
 		if (ktname == NULL) {
@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
 		ret = submit_or_poll(uri, cainfo, capath, server,
 				      ldap_uri_cmd, ldap_uri, host, domain,
 				      basedn, uid, pwd, csr, reqprinc, profile,
 -				      issuer);
 +				      issuer, verbose);
 		free(csr);
 		free(profile);
 		free(issuer);
 		free(reqprinc);
 +		free(basedn);
 		return ret;
 	} else
 	if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
 diff --git a/src/store-files.c b/src/store-files.c
 index 4c3b2232..85ac692e 100644
 --- a/src/store-files.c
 +++ b/src/store-files.c
@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
 			j++;
 		}
 #endif
 +#ifdef WITH_XMLRPC
 #ifdef WITH_CERTMASTER
 		/* Make sure we get at least one certmaster entry. */
 		for (k = 0; k < j; k++) {
@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
 			j++;
 		}
 #endif
 +#endif
 #ifdef WITH_IPA
 		/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
 		for (k = 0; k < j; k++) {
 -- 
 2.25.4
--- a/0009-Remove-the-certmaster-CA-from-the-028-dbus-test.patch
+++ b/0009-Remove-the-certmaster-CA-from-the-028-dbus-test.patch
@ -0,0 +1,201 @@
 From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Wed, 16 Sep 2020 11:28:08 -0400
 Subject: [PATCH 09/11] Remove the certmaster CA from the 028-dbus test
 The certmaster CA is disabled by default so no longer look for it
 in the dbus test.
 This test will fail if certmaster is enabled. There is currently no
 mechanism to dynamically enable/disable features of the tests. It
 can be added if it comes up but its unclear if anyoen took advantage
 of the certmaster support in the first place.
 ---
 tests/028-dbus/expected.out | 130 ++----------------------------------
 1 file changed, 6 insertions(+), 124 deletions(-)
 diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
 index 4d6a9a59..ca7de34f 100644
 --- a/tests/028-dbus/expected.out
 +++ b/tests/028-dbus/expected.out
@@ -34,10 +34,6 @@ CA 'IPA':
 	is-default: no
 	ca-type: EXTERNAL
 	helper-location: $libexecdir/ipa-submit
 -CA 'certmaster':
 -	is-default: no
 -	ca-type: EXTERNAL
 -	helper-location: $libexecdir/certmaster-submit
 CA 'dogtag-ipa-renew-agent':
 	is-default: no
 	ca-type: EXTERNAL
@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
 [[ API ]]
 [ simpleprop.py ]
 -/org/fedorahosted/certmonger/cas/CA6
 -/org/fedorahosted/certmonger/cas/CA6
 +/org/fedorahosted/certmonger/cas/CA5
 +/org/fedorahosted/certmonger/cas/CA5
 : -> : -k admin@localhost -> :
 0 -> 1 -> 0
 [ walk.py ]
@@ -182,7 +178,7 @@ OK
 OK
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
 -dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
 +dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
 dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
  <node name="CA2"/>
  <node name="CA3"/>
  <node name="CA4"/>
 - <node name="CA5"/>
 </node>
 [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
 </node>
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
 -$tmpdir/cas/20180327134236-2
 +$tmpdir/cas/20180327134236-3
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
 -certmaster
 +dogtag-ipa-renew-agent
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
 0
@@ -957,7 +952,7 @@ EXTERNAL
 None
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
 -$libexecdir/certmaster-submit
 +$libexecdir/dogtag-ipa-renew-agent-submit
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
 dbus.Array([], signature=dbus.Signature('s'))
@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
 1
 -[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
 -<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 -"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
 -
 -<node name="/org/fedorahosted/certmonger/cas/CA5">
 - <interface name="org.freedesktop.DBus.Introspectable">
 -  <method name="Introspect">
 -   <arg name="xml_data" type="s" direction="out"/>
 -  </method>
 - </interface>
 - <interface name="org.freedesktop.DBus.Properties">
 -  <method name="Get">
 -   <arg name="interface_name" type="s" direction="in"/>
 -   <arg name="property_name" type="s" direction="in"/>
 -   <arg name="value" type="v" direction="out"/>
 -  </method>
 -  <method name="Set">
 -   <arg name="interface_name" type="s" direction="in"/>
 -   <arg name="property_name" type="s" direction="in"/>
 -   <arg name="value" type="v" direction="in"/>
 -  </method>
 -  <method name="GetAll">
 -   <arg name="interface_name" type="s" direction="in"/>
 -   <arg name="props" type="a{sv}" direction="out"/>
 -  </method>
 -  <signal name="PropertiesChanged">
 -   <arg name="interface_name" type="s"/>
 -   <arg name="changed_properties" type="a{sv}"/>
 -   <arg name="invalidated_properties" type="as"/>
 -  </signal>
 - </interface>
 - <interface name="org.fedorahosted.certmonger.ca">
 -  <method name="get_config_file_path">
 -   <arg name="path" type="s" direction="out"/>
 -  </method>
 -  <method name="get_nickname">
 -   <arg name="nickname" type="s" direction="out"/>
 -  </method>
 -  <property name="nickname" type="s" access="read"/>
 -  <property name="aka" type="s" access="read"/>
 -  <method name="get_is_default">
 -   <arg name="default" type="b" direction="out"/>
 -  </method>
 -  <property name="is-default" type="b" access="readwrite"/>
 -  <method name="get_type">
 -   <arg name="type" type="s" direction="out"/>
 -  </method>
 -  <method name="get_serial">
 -   <arg name="serial_hex" type="s" direction="out"/>
 -  </method>
 -  <method name="get_location">
 -   <arg name="path" type="s" direction="out"/>
 -  </method>
 -  <property name="external-helper" type="s" access="readwrite"/>
 -  <method name="get_issuer_names">
 -   <arg name="names" type="as" direction="out"/>
 -  </method>
 -  <method name="refresh">
 -   <arg name="working" type="b" direction="out"/>
 -  </method>
 -  <property name="ca-error" type="s" access="read"/>
 -  <property name="issuer-names" type="as" access="read"/>
 -  <property name="root-certs" type="a(ss)" access="read"/>
 -  <property name="root-other-certs" type="a(ss)" access="read"/>
 -  <property name="other-certs" type="a(ss)" access="read"/>
 -  <property name="required-enroll-attributes" type="as" access="read"/>
 -  <property name="required-renew-attributes" type="as" access="read"/>
 -  <property name="supported-profiles" type="as" access="read"/>
 -  <property name="default-profile" type="s" access="read"/>
 -  <property name="root-cert-files" type="as" access="readwrite"/>
 -  <property name="root-other-cert-files" type="as" access="readwrite"/>
 -  <property name="other-cert-files" type="as" access="readwrite"/>
 -  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
 -  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
 -  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
 -  <property name="ca-presave-command" type="s" access="read"/>
 -  <property name="ca-presave-uid" type="s" access="read"/>
 -  <property name="ca-postsave-command" type="s" access="read"/>
 -  <property name="ca-postsave-uid" type="s" access="read"/>
 -  <property name="scep-cipher" type="s" access="readwrite"/>
 -  <property name="scep-digest" type="s" access="readwrite"/>
 -  <property name="scep-ca-identifier" type="s" access="readwrite"/>
 -  <property name="scep-ca-capabilities" type="as" access="read"/>
 -  <property name="scep-ra-cert" type="s" access="read"/>
 -  <property name="scep-ca-cert" type="s" access="read"/>
 -  <property name="scep-other-certs" type="s" access="read"/>
 - </interface>
 -</node>
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
 -$tmpdir/cas/20180327134236-3
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
 -dogtag-ipa-renew-agent
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
 -0
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
 -EXTERNAL
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
 -None
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
 -$libexecdir/dogtag-ipa-renew-agent-submit
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
 -dbus.Array([], signature=dbus.Signature('s'))
 -
 -[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
 -1
 -
 -- 
 2.25.4
--- a/0010-Add-a-local-srpm-target-to-build-an-srpm-from-the-cu.patch
+++ b/0010-Add-a-local-srpm-target-to-build-an-srpm-from-the-cu.patch
@ -0,0 +1,38 @@
 From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Wed, 16 Sep 2020 11:29:41 -0400
 Subject: [PATCH 10/11] Add a local-srpm target to build an srpm from the
 current checkout
 The srpm target will pull the origin master branch and build from
 that so it isn't useful for testing local changes.
 ---
 Makefile.am | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/Makefile.am b/Makefile.am
 index 16d103ec..883c5932 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
 local-archive:
 	$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
 +local-srpm:
 +	repo=`pwd`; \
 +	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
 +	if test -d "$$tmpdir" ; then \
 +		git clone . $$tmpdir;\
 +		cd $$tmpdir;\
 +		./make-srpm.sh;\
 +		cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
 +		chmod -R u+rw $$tmpdir;\
 +		rm -fr $$tmpdir;\
 +	fi
 +
 srpm:
 	repo=`pwd`; \
 	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
 -- 
 2.25.4
--- a/0011-Silence-a-rpm-macro-warning-with-an-unescaped-in-a-c.patch
+++ b/0011-Silence-a-rpm-macro-warning-with-an-unescaped-in-a-c.patch
@ -0,0 +1,26 @@
 From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Wed, 16 Sep 2020 11:30:10 -0400
 Subject: [PATCH 11/11] Silence a rpm macro warning with an unescaped % in a
 comment
 ---
 certmonger.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/certmonger.spec b/certmonger.spec
 index a8e1d2e8..f2abd307 100644
 --- a/certmonger.spec
 +++ b/certmonger.spec
@@ -35,7 +35,7 @@ Group:		System Environment/Daemons
 License:	GPLv3+
 URL:		http://pagure.io/certmonger/
 Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 -#Source1:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
 +#Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires:	openldap-devel
 -- 
 2.25.4
--- a/SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
+++ b/SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
@ -1,195 +0,0 @@
 From 14d1b5f9a482a4740706dc1cb86c454662f48d4c Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Wed, 7 Dec 2022 10:09:55 -0500
 Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
 This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
 ---
 tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
 1 file changed, 124 insertions(+), 6 deletions(-)
 diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
 index 86cba02..544ebd7 100644
 --- a/tests/028-dbus/expected.out
 +++ b/tests/028-dbus/expected.out
@@ -35,6 +35,10 @@ CA 'IPA':
 	is-default: no
 	ca-type: EXTERNAL
 	helper-location: $libexecdir/ipa-submit
 +CA 'certmaster':
 +	is-default: no
 +	ca-type: EXTERNAL
 +	helper-location: $libexecdir/certmaster-submit
 CA 'dogtag-ipa-renew-agent':
 	is-default: no
 	ca-type: EXTERNAL
@@ -42,8 +46,8 @@ CA 'dogtag-ipa-renew-agent':
 [[ API ]]
 [ simpleprop.py ]
 -/org/fedorahosted/certmonger/cas/CA5
 -/org/fedorahosted/certmonger/cas/CA5
 +/org/fedorahosted/certmonger/cas/CA6
 +/org/fedorahosted/certmonger/cas/CA6
 : -> : -k admin@localhost -> :
 0 -> 1 -> 0
 [ walk.py ]
@@ -179,7 +183,7 @@ OK
 OK
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
 -dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
 +dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
 dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -507,6 +511,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
  <node name="CA2"/>
  <node name="CA3"/>
  <node name="CA4"/>
 + <node name="CA5"/>
 </node>
 [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -940,10 +945,10 @@ dbus.Array([], signature=dbus.Signature('s'))
 </node>
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
 -$tmpdir/cas/20180327134236-3
 +$tmpdir/cas/20180327134236-2
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
 -dogtag-ipa-renew-agent
 +certmaster
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
 0
@@ -955,7 +960,7 @@ EXTERNAL
 None
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
 -$libexecdir/dogtag-ipa-renew-agent-submit
 +$libexecdir/certmaster-submit
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
 dbus.Array([], signature=dbus.Signature('s'))
@@ -963,3 +968,116 @@ dbus.Array([], signature=dbus.Signature('s'))
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
 1
 +[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
 +<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 +"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
 +
 +<node name="/org/fedorahosted/certmonger/cas/CA5">
 + <interface name="org.freedesktop.DBus.Introspectable">
 +  <method name="Introspect">
 +   <arg name="xml_data" type="s" direction="out"/>
 +  </method>
 + </interface>
 + <interface name="org.freedesktop.DBus.Properties">
 +  <method name="Get">
 +   <arg name="interface_name" type="s" direction="in"/>
 +   <arg name="property_name" type="s" direction="in"/>
 +   <arg name="value" type="v" direction="out"/>
 +  </method>
 +  <method name="Set">
 +   <arg name="interface_name" type="s" direction="in"/>
 +   <arg name="property_name" type="s" direction="in"/>
 +   <arg name="value" type="v" direction="in"/>
 +  </method>
 +  <method name="GetAll">
 +   <arg name="interface_name" type="s" direction="in"/>
 +   <arg name="props" type="a{sv}" direction="out"/>
 +  </method>
 +  <signal name="PropertiesChanged">
 +   <arg name="interface_name" type="s"/>
 +   <arg name="changed_properties" type="a{sv}"/>
 +   <arg name="invalidated_properties" type="as"/>
 +  </signal>
 + </interface>
 + <interface name="org.fedorahosted.certmonger.ca">
 +  <method name="get_config_file_path">
 +   <arg name="path" type="s" direction="out"/>
 +  </method>
 +  <method name="get_nickname">
 +   <arg name="nickname" type="s" direction="out"/>
 +  </method>
 +  <property name="nickname" type="s" access="read"/>
 +  <property name="aka" type="s" access="read"/>
 +  <method name="get_is_default">
 +   <arg name="default" type="b" direction="out"/>
 +  </method>
 +  <property name="is-default" type="b" access="readwrite"/>
 +  <method name="get_type">
 +   <arg name="type" type="s" direction="out"/>
 +  </method>
 +  <method name="get_serial">
 +   <arg name="serial_hex" type="s" direction="out"/>
 +  </method>
 +  <method name="get_location">
 +   <arg name="path" type="s" direction="out"/>
 +  </method>
 +  <property name="external-helper" type="s" access="readwrite"/>
 +  <method name="get_issuer_names">
 +   <arg name="names" type="as" direction="out"/>
 +  </method>
 +  <method name="refresh">
 +   <arg name="working" type="b" direction="out"/>
 +  </method>
 +  <property name="ca-error" type="s" access="read"/>
 +  <property name="issuer-names" type="as" access="read"/>
 +  <property name="root-certs" type="a(ss)" access="read"/>
 +  <property name="root-other-certs" type="a(ss)" access="read"/>
 +  <property name="other-certs" type="a(ss)" access="read"/>
 +  <property name="required-enroll-attributes" type="as" access="read"/>
 +  <property name="required-renew-attributes" type="as" access="read"/>
 +  <property name="supported-profiles" type="as" access="read"/>
 +  <property name="default-profile" type="s" access="read"/>
 +  <property name="root-cert-files" type="as" access="readwrite"/>
 +  <property name="root-other-cert-files" type="as" access="readwrite"/>
 +  <property name="other-cert-files" type="as" access="readwrite"/>
 +  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
 +  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
 +  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
 +  <property name="ca-presave-command" type="s" access="read"/>
 +  <property name="ca-presave-uid" type="s" access="read"/>
 +  <property name="ca-postsave-command" type="s" access="read"/>
 +  <property name="ca-postsave-uid" type="s" access="read"/>
 +  <property name="scep-cipher" type="s" access="readwrite"/>
 +  <property name="scep-digest" type="s" access="readwrite"/>
 +  <property name="scep-ca-identifier" type="s" access="readwrite"/>
 +  <property name="scep-ca-capabilities" type="as" access="read"/>
 +  <property name="scep-ra-cert" type="s" access="read"/>
 +  <property name="scep-ca-cert" type="s" access="read"/>
 +  <property name="scep-other-certs" type="s" access="read"/>
 + </interface>
 +</node>
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
 +$tmpdir/cas/20180327134236-3
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
 +dogtag-ipa-renew-agent
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
 +0
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
 +EXTERNAL
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
 +None
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
 +$libexecdir/dogtag-ipa-renew-agent-submit
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
 +dbus.Array([], signature=dbus.Signature('s'))
 +
 +[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
 +1
 +
 -- 
 2.38.1
--- a/SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch
+++ b/SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch
@ -1,24 +0,0 @@
 From 6224c3aa01665edddbda1ec7d1e35b03823eefcb Mon Sep 17 00:00:00 2001
 From: root <root@ci-vm-10-0-137-168.hosted.upshift.rdu2.redhat.com>
 Date: Wed, 7 Dec 2022 14:50:01 -0500
 Subject: [PATCH] Don't run the 002-keygen-* tests when root
 The permissions tests will fail.
 ---
 tests/002-keygen-dbm/prequal.sh | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100755 tests/002-keygen-dbm/prequal.sh
 diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
 new file mode 100755
 index 0000000..b6c16e0
 --- /dev/null
 +++ b/tests/002-keygen-dbm/prequal.sh
@@ -0,0 +1,5 @@
 +#!/bin/sh
 +if test `id -u` -eq 0 ; then
 +       echo "This test won't work right if run as root."
 +       exit 1
 +fi
 -- 
 2.31.1
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@ -1,47 +1,69 @@
 %if 0%{?fedora} > 15 || 0%{?rhel} > 6
 %global systemd 1
 %global	sysvinit 0
 %else
 %global systemd 0
 %global	sysvinit 1
 %endif
 %if 0%{?fedora} > 15 && 0%{?fedora} < 20
 %global systemdsysv 1
 %else
 %global systemdsysv 0
 %endif
 %if 0%{?fedora} > 14 || 0%{?rhel} > 6
 %global tmpfiles 1
 %else
 %global tmpfiles 0
 %endif
 %if 0%{?fedora} > 9 || 0%{?rhel} > 5
 %global sysvinitdir %{_initddir}
 %else
 %global sysvinitdir %{_initrddir}
 %endif
-%bcond_without xmlrpc
+%bcond_with xmlrpc
 Name:		certmonger
-Version:	0.79.17
+Version:	0.79.20
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
-Group:		System Environment/Daemons
+License:	GPL-3.0-or-later
 License:	GPLv3+
 URL:		http://pagure.io/certmonger/
 Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 #Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
 Patch0001:	0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
 Patch0002:	0002-Don-t-run-the-002-keygen-tests-when-root.patch
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	gettext-devel
 BuildRequires:	gcc
 BuildRequires:	openldap-devel
 BuildRequires:	krb5-devel
 BuildRequires:	libidn2-devel
-BuildRequires:	python3-dbus
+BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
-BuildRequires:	dbus-devel
+%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires:	nspr-devel
 BuildRequires:	nss-devel
 BuildRequires:	openssl-devel
 BuildRequires:	libuuid-devel
 %else
 BuildRequires:	e2fsprogs-devel
 %endif
 BuildRequires:	libtalloc-devel, libtevent-devel
 %if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
 BuildRequires:	libcurl-devel
 %else
 BuildRequires:	curl-devel
 %endif
 BuildRequires:	libxml2-devel
 %if %{with xmlrpc}
-BuildRequires:	xmlrpc-c-devel
+BuildRequires:  xmlrpc-c-devel
 %endif
 BuildRequires:  jansson-devel
 %if 0%{?rhel} && 0%{?rhel} < 6
 BuildRequires:	bind-libbind-devel
 BuildRequires:	mktemp
 %endif
 BuildRequires:	jansson-devel
 # Required for 'make check':
 #  for diff and cmp
 BuildRequires:	diffutils
@ -58,10 +80,9 @@ BuildRequires:	/usr/bin/dos2unix
 BuildRequires:	/usr/bin/unix2dos
 #  for which
 BuildRequires:	/usr/bin/which
 #  for dbus tests
 BuildRequires:	python3-dbus
 BuildRequires:	popt-devel
 #  for make check
 BuildRequires:	python3-devel
 BuildRequires:	krb5-devel
 # we need a running system bus
 Requires:	dbus
@ -69,6 +90,7 @@ Requires(post):	%{_bindir}/dbus-send
 %if %{systemd}
 BuildRequires:	systemd-units
 BuildRequires: make
 Requires(post):	systemd-units
 Requires(preun):	systemd-units, dbus, sed
 Requires(postun):	systemd-units
@ -90,6 +112,10 @@ Requires(post):	/sbin/chkconfig, /sbin/service
 Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 %endif
 %if 0%{?fedora} >= 15
 # Certain versions of libtevent have incorrect internal ABI versions.
 Conflicts: libtevent < 0.9.13
 %endif
 %description
 Certmonger is a service which is primarily concerned with getting your
@ -98,6 +124,12 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %prep
 %autosetup -p1
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
 sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
 %endif
 %build
 autoreconf -i -f
 %configure \
@ -112,8 +144,9 @@ autoreconf -i -f
 %endif
 	--with-homedir=/run/certmonger \
 %if %{with xmlrpc}
-	--with-xmlrpc \
+    --with-xmlrpc \
 %endif
 	--disable-dsa \
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
 %if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@ -131,10 +164,6 @@ install -m755 -d $RPM_BUILD_ROOT/run/certmonger
 %{find_lang} %{name}
 %check
 # Seed then openssl RNG if not set
 if [ ! -e $HOME/.rnd ] ; then
 	openssl rand -writerand $HOME/.rnd
 fi
 make check
 %post
@ -144,7 +173,7 @@ fi
 %if %{without xmlrpc}
 # remove any existing certmaster CA configuration
 if test $1 -gt 1 ; then
-	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+    %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
 fi
 %endif
 %if %{systemd}
@ -212,7 +241,6 @@ exit 0
 %endif
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc README.md LICENSE STATUS doc/*.txt
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
 %{_datadir}/dbus-1/services/*
@ -236,106 +264,155 @@ exit 0
 %endif
 %changelog
-* Wed Dec  7 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-3
- Skip the keygen tests when executed as root.
+- Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
-* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-2
- Update to upstream 0.79.17 (#2139523)
+- Bump release for June 2024 mass rebuild
 - Certificate format validation when adding the SCEP server's CA (#2150025)
 - Certmonger SCEP renewal should not use old challenges (#2150030)
 - certmonger SEGV during rekey in FIPS mode (#2150070)
-* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
+* Mon Jun 10 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.20-1
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
+- Update to upstream 0.79.20
  with critical=FALSE (#2012258)
-* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
+* Tue Feb 20 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.19-5
- Certmonger SCEP renewal should not use old challenges (#1577570)
+- Update tests to be compatible with OpenSSL 3.2
 - Certmonger segfault after cert renewal request (#1881500)
 - Include certificate NotBefore date in output of the 'getcert list' command
  (#1940261)
 - Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
-* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-4
- Fix local CA to work under FIPS (#1950132)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-3
- Rebuild with xmlrpc-c support enabled (#1687698)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
+* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 0.79.19-2
- Rebase to 0.79.13 (#1891743)
+- Fix C compatibility issues
 * Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
 - Replace the previous fix for dbus restarting with PartOf in the
  certmonger systemd service file to link the two (#1687698)
-* Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
+* Tue Oct 10 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.19-1
- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
+- Update to upstream 0.79.19
-* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.18-2
- Exit gracefully if dbus is restarted (#1687698)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12
+* Wed Apr 05 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.18-1
- Add long command-line options to man pages and help output (#1782838)
+- Update to upstream 0.79.18
-* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11
+* Thu Feb 23 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.17-4
- Fix test failure in 039-fromfile
+- migrated to SPDX license
-* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.17-3
- Ensure that files read in have a trailing new-line (#1829490)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9
+* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
- Call the secport equivalent of PR_ErrorToString
+- Rename DBus service and conf files to match canonical name (#2151243)
 - Remove a couple of unused varaibles found by coverity
-* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8
+* Wed Nov 30 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Move systemd tmpfiles from /var/run to /run (#1804928)
+- Update to upstream 0.79.17
 - Improve logging in the SCEP helper (#1807691)
 - Fix sort order of certificates passed into PKCS7_verify (#1808052)
 - Add -N option to SCEP helper to separate web server chain from
  SCEP issuer chain (#1808613)
 - Add template profile, MS v2 template and issuer to getcert list
  output (#1734451)
-* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7
+* Thu Aug 25 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.16-1
- Update gating requirements
+- Update to upstream 0.79.16
-* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-4
- Rebuild
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
+* Mon Apr 11 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-3
- Fix use-after-free issue when retrieving CA chain (#1710632)
+- Disable DSA key support. They do not work in FIPS mode at all and
  are disabled by crypto policy by default.
-* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-2
- Optimize closing of file descriptors on fork (#1763745)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 - Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
 - Retrieve full IPA CA chain (#1710632)
-* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
+* Wed Jan  5 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-1
- Rebuild for new annobin (#1708095)
+- Update to upstream 0.79.15
-* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
+* Tue Oct 05 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
- Rebuild for new annobin (#1708095)
+- Don't encode critical=FALSE in X509v3 extensions
-* Thu May  9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1
+* Wed Sep 29 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
- Rebase to 0.79.7 (#1708095)
+- Fix FTBFS due to OpenSSL 3.0.0 API change between beta1 and 2.
-* Mon Oct  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5
+* Wed Sep 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-4
- Address more issues uncovered by static analysis (#1632449)
+- Port to OpenSSL 3.0.0
-* Tue Oct  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.79.14-3
- Improve handling of NSS tokens (#1624930)
+- Rebuilt with OpenSSL 3.0.0
 - Pull in upstream fixes discovered in coverity and clang (#1632449)
-* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.14-2
- Add BuildRequires on python3-devel (#1615507)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-* Thu Aug  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-2
+* Tue Jun 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
- Fix test failure on some platforms
+- Update to upstream 0.79.14
-* Wed Aug  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.13-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Oct 20 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
 - Update to upstream 0.79.13
 * Mon Oct  5 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.12-1
 - Update to upstream 0.79.12
 * Fri Sep 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-4
 - Don't send SIGKILL to child processes to terminate them
 - Switch to JSON for communication with IPA
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.11-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-2
 - Fix for an unnecessary free() which can cause core dump.
 * Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-1
 - Update to upstream 0.79.11
 * Thu Jun 25 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.10-1
 - Update to upstream 0.79.10
 * Thu Jan 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.9-1
 - Update to upstream 0.79.9
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Wed Oct 30 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-3
 - Change python2-dbus build dependency to python3
 - Convert tests to pass under python 3
 - Skip DSA tests because it is disabled by default crypto policy
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Wed Jul 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-1
 - Update to upstream 0.79.8
 * Wed May 22 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
 - Add BuildRequires for krb5-devel, the buildroot changed.
 * Mon May 20 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
 - Move systemd tmpfiles from /var/run to /run (upstream #111)
 - Change /var/run -> /run in systemd service file
 * Mon Feb 18 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-1
 - Update to upstream 0.79.7
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Oct  4 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
 - Pull in upstream fixes discovered in coverity and clang.
 * Mon Oct  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
 - Improve NSS token handling. The updated NSS crypto-policy enables all
  tokens which broke requesting certificates due to the way that tokens
  were managed.
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Tue May  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
 - Update to upstream 0.79.6
- Fix unit tests to work with python 3
+
 * Wed Mar 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.79.5-7
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 * Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
 - Fix unit tests. NSS crypto policy disallows keys < 1024
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,8 @@
 # recipients: abokovoy, frenaud, kaleem, ftrivino
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (certmonger-0.79.20.tar.gz) = 76685185172bbf2c766c477c399ce0b14c9fd2d81637b44b8da80ae045ebf6c650ae3d525a87dccd755a6c92d4a5916bb62f8ea1d8520c47ae64770be6a5d2be
--- a/tests/.fmf/version
+++ b/tests/.fmf/version
@ -0,0 +1 @@
 1
--- a/tests/provision.fmf
+++ b/tests/provision.fmf
@ -0,0 +1,5 @@
 ---
 standard-inventory-qcow2:
  qemu:
    m: 2G
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,18 @@
 ---
 - hosts: localhost
  tags: [ always ]
  tasks:
  - set_fact:
      our_required_packages:
      - wget            # upstream-testsuite-execution-and-rebuild-test needs wget command
      - yum-utils       # upstream-testsuite-execution-and-rebuild-test needs yum-builddep command
      - rpm-build       # upstream-testsuite-execution-and-rebuild-test needs rpmbuild command
 - hosts: localhost
  tags:
  - classic
  roles:
  - role: standard-test-beakerlib
    tests:
    - upstream-testsuite-execution-and-rebuild-test
    required_packages: "{{ our_required_packages }}"
--- a/tests/upstream-testsuite-execution-and-rebuild-test/Makefile
+++ b/tests/upstream-testsuite-execution-and-rebuild-test/Makefile
@ -0,0 +1,72 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 #   Makefile of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
 #   Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
 #   Author: Ales Marecek <amarecek@redhat.com>
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 #   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
 #
 #   This copyrighted material is made available to anyone wishing
 #   to use, modify, copy, or redistribute it subject to the terms
 #   and conditions of the GNU General Public License version 2.
 #
 #   This program is distributed in the hope that it will be
 #   useful, but WITHOUT ANY WARRANTY; without even the implied
 #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 #   PURPOSE. See the GNU General Public License for more details.
 #
 #   You should have received a copy of the GNU General Public
 #   License along with this program; if not, write to the Free
 #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 #   Boston, MA 02110-1301, USA.
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 # Based on sudo rebuild test
 export TEST=/CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
 export TESTVERSION=1.0
 BUILT_FILES=
 FILES=$(METADATA) runtest.sh Makefile PURPOSE
 .PHONY: all install download clean
 run: $(FILES) build
 	./runtest.sh
 build: $(BUILT_FILES)
 	test -x runtest.sh || chmod a+x runtest.sh
 clean:
 	rm -f *~ $(BUILT_FILES)
 include /usr/share/rhts/lib/rhts-make.include
 $(METADATA): Makefile
 	@echo "Owner:           Rob Crittenden <rcritten@redhat.com>" > $(METADATA)
 	@echo "Name:            $(TEST)" >> $(METADATA)
 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
 	@echo "Description:     This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution." >> $(METADATA)
 	@echo "Type:            Sanity" >> $(METADATA)
 	@echo "TestTime:        30m" >> $(METADATA)
 	@echo "RunFor:          sudo" >> $(METADATA)
 	@echo "Requires:        sudo" >> $(METADATA)
 	@echo "Requires:        sed" >> $(METADATA)
 	@echo "Requires:        grep" >> $(METADATA)
 	@echo "Requires:        rpm-build" >> $(METADATA)
 	@echo "Requires:        yum-utils" >> $(METADATA)
 	@echo "Requires:        make" >> $(METADATA)
 	@echo "Requires:        libcap-devel" >> $(METADATA)
 	@echo "Requires:        audit-libs-devel" >> $(METADATA)
 	@echo "Priority:        Normal" >> $(METADATA)
 	@echo "License:         GPLv2" >> $(METADATA)
 	@echo "Confidential:    no" >> $(METADATA)
 	@echo "Destructive:     no" >> $(METADATA)
 	rhts-lint $(METADATA)
--- a/tests/upstream-testsuite-execution-and-rebuild-test/PURPOSE
+++ b/tests/upstream-testsuite-execution-and-rebuild-test/PURPOSE
@ -0,0 +1,3 @@
 PURPOSE of /CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
 Description: This test rebuild certmonger source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
 Author: Rob Crittenden <rcritten@redhat.com>
--- a/tests/upstream-testsuite-execution-and-rebuild-test/runtest.sh
+++ b/tests/upstream-testsuite-execution-and-rebuild-test/runtest.sh
@ -0,0 +1,83 @@
 #!/bin/bash
 # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 #   runtest.sh of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
 #   Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
 #   Author: Ales Marecek <amarecek@redhat.com>
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #
 #   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
 #
 #   This copyrighted material is made available to anyone wishing
 #   to use, modify, copy, or redistribute it subject to the terms
 #   and conditions of the GNU General Public License version 2.
 #
 #   This program is distributed in the hope that it will be
 #   useful, but WITHOUT ANY WARRANTY; without even the implied
 #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 #   PURPOSE. See the GNU General Public License for more details.
 #
 #   You should have received a copy of the GNU General Public
 #   License along with this program; if not, write to the Free
 #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 #   Boston, MA 02110-1301, USA.
 #
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Based on sudo rebuild test
 # Include Beaker environment
 . /usr/bin/rhts-environment.sh || exit 1
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 PACKAGE="certmonger"
 _SPEC_DIR="$(rpm --eval=%_specdir)"
 _BUILD_DIR="$(rpm --eval=%_builddir)"
 _LOG_REBUILD_F="${PACKAGE}-rebuild.log"
 _LOG_TESTSUITE_F="${PACKAGE}-testsuite.log"
 rlJournalStart
    rlPhaseStartSetup
        rlAssertRpm $PACKAGE
        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
        rlRun "pushd $TmpDir"
 	# Source package is needed for code inspection
 	rlFetchSrcForInstalled "${PACKAGE}" || yumdownloader --source "${PACKAGE}"
    rlRun "find . -size 0 -delete" 0 "Remove empty src.rpm-s"
 	rlRun "yum-builddep -y --nogpgcheck ${PACKAGE}-*.src.rpm" 0 "Installing build dependencies"
 	[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*" 0 "Cleaning build directory"
 	rlRun "rpm -ivh ${PACKAGE}-*.src.rpm" 0 "Installing source rpm"
    rlPhaseEnd
    rlPhaseStartTest
 	rlRun "QA_RPATHS=0x0002 rpmbuild -ba --noclean ${_SPEC_DIR}/${PACKAGE}.spec" 0 "Test: Rebuild of source '${PACKAGE}' package"
 	rlGetPhaseState
 	if [ $? -eq 0 ]; then
 		[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*-SPECPARTS" 0 "Cleaning SPECPARTS directory"
 		cd ${_BUILD_DIR}/${PACKAGE}-*
 		rlRun -s "make check" 0 "Test: Upstream testsuite"
 		cd ${TmpDir}
 		while read -r I; do
 		    if [[ "$I" =~ $(echo '([^:]+): .+ tests run, .+ errors, (.*)% success rate') ]]; then
 		        [[ "${BASH_REMATCH[2]}" == "100" ]]
 		        rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
 		    elif [[ "$I" =~ $(echo "([^:]+): .+ tests passed; (.+)/.+ tests failed") ]]; then
 		        [[ "${BASH_REMATCH[2]}" == "0" ]]
 		        rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
 		    fi
 		done < $rlRun_LOG
 		rm -f $rlRun_LOG
 	else
 		rlFail "Skipping testsuite part because rebuild part failed."
 	fi
    rlPhaseEnd
    rlPhaseStartCleanup
        rlRun "popd"
        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
    rlPhaseEnd
 rlJournalPrintText
 rlJournalEnd
		`@ -1 +0,0 @@`
			`ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz`
		`@ -0,0 +1 @@`
							`SHA512 (certmonger-0.79.20.tar.gz) = 76685185172bbf2c766c477c399ce0b14c9fd2d81637b44b8da80ae045ebf6c650ae3d525a87dccd755a6c92d4a5916bb62f8ea1d8520c47ae64770be6a5d2be`