.gitignore

@@ -1,16 +1,3 @@
-jackson-annotations-2.16.1.jar
-jackson-core-2.16.1.jar
-jackson-databind-2.16.1.jar
-jackson-jaxrs-base-2.16.1.jar
-jackson-jaxrs-json-provider-2.16.1.jar
-jackson-module-jaxb-annotations-2.16.1.jar
-jakarta.activation-api-2.1.2.jar
-jakarta.annotation-api-1.3.5.jar
-jakarta.xml.bind-api-4.0.1.jar
-jboss-jaxrs-2.0-api-1.0.0.Final.jar
-jboss-logging-3.5.3.Final.jar
-pki-11.9.0.tar.gz
-resteasy-client-3.0.26.Final.jar
-resteasy-jackson2-provider-3.0.26.Final.jar
-resteasy-jaxrs-3.0.26.Final.jar
-resteasy-servlet-initializer-3.0.26.Final.jar
+/pki-*.tar.gz
+/pki-*/
+/*.jar

FixBuild.patch

@@ -0,0 +1,74 @@
+From 19540347037ee6f16db00f1b401d64fa695dadf1 Mon Sep 17 00:00:00 2001
+From: Marco Fargetta <mfargett@redhat.com>
+Date: Wed, 21 Jan 2026 10:41:43 +0100
+Subject: [PATCH 1/2] Fix python pylint error in EST upgrade script
+
+---
+ base/server/upgrade/11.9.0/01-EnableEST.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/upgrade/11.9.0/01-EnableEST.py b/base/server/upgrade/11.9.0/01-EnableEST.py
+index d877485fb6..e886aca39d 100644
+--- a/base/server/upgrade/11.9.0/01-EnableEST.py
++++ b/base/server/upgrade/11.9.0/01-EnableEST.py
+@@ -202,7 +202,7 @@ class EnableEST(pki.server.upgrade.PKIServerUpgradeScriptlet):
+             logger.info('Group %s already exist', group_id)
+             return
+         except subprocess.CalledProcessError:
+-            logger.info("Group %s has to be created.")
++            logger.info("Group '%s' will be created.", group_id)
+ 
+         subsystem.add_group(
+             group_id,
+-- 
+2.52.0
+
+
+From a7f4fd64c9a25f742c6d5320bb20404b10bd73d5 Mon Sep 17 00:00:00 2001
+From: Marco Fargetta <mfargett@redhat.com>
+Date: Thu, 22 Jan 2026 15:52:27 +0100
+Subject: [PATCH 2/2] Fix CMake build with tomcat10
+
+CMake build had tomcat-9 library hard-coded and has been removed to get
+it from the `build.sh`.
+
+The `build.sh` test to identify the tomcat version to use was not
+working with dotted version (e.g. 10.2) and it has been fixed.
+---
+ base/server/CMakeLists.txt | 2 +-
+ build.sh                   | 6 +-----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
+index f62b2bfa05..9fb6c7a98a 100644
+--- a/base/server/CMakeLists.txt
++++ b/base/server/CMakeLists.txt
+@@ -29,7 +29,7 @@ javac(pki-server-classes
+     OUTPUT_DIR
+         ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+-        pki-common-jar pki-tools-jar pki-tomcat-jar pki-tomcat-9.0-jar
++        pki-common-jar pki-tools-jar pki-tomcat-jar pki-${APP_SERVER}-jar
+ )
+ 
+ add_dependencies(java pki-server-classes)
+diff --git a/build.sh b/build.sh
+index 62876a45c9..ed858a6beb 100755
+--- a/build.sh
++++ b/build.sh
+@@ -204,11 +204,7 @@ get_tomcat_app_server() {
+              app_server=$def_app_server
+          fi
+      else
+-         if [ $ver -ge $rhel_cutoff ]; then
+-             app_server=$app_server_10
+-         else
+-             app_server=$def_app_server 
+-         fi
++         echo "$rhel_cutoff $ver" | tr " " "\n" | sort -V -C && app_server=$app_server_10 || app_server=$def_app_server
+      fi
+ 
+      echo $app_server
+-- 
+2.52.0
+

copr-build.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+REPO=$1
+
+if [ "$REPO" == "" ]; then
+    REPO="pki-10.6"
+fi
+
+fedpkg copr-build --nowait $REPO

dogtag-pki.rpmlintrc

@@ -0,0 +1,4 @@
+addFilter('W: spelling-error')
+addFilter('W: dangling-symlink')
+addFilter('W: no-manual-page-for-binary')
+addFilter('W: log-files-without-logrotate')

gating.yaml

@@ -0,0 +1,8 @@
+# recipients: rhcs-team
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

rpminspect.yaml

@@ -0,0 +1,8 @@
+---
+specname:
+    match: suffix
+runpath:
+    allowed_paths:
+        - /usr/lib64/tps
+inspections:
+    javabytecode: off

sources

@@ -9,8 +9,8 @@ SHA512 (jakarta.annotation-api-1.3.5.jar) = 989a0d1e993c37d00c9860026a4298c65274
 SHA512 (jakarta.xml.bind-api-4.0.1.jar) = 4730c1129719e166488888f4b14edd0a4f180d67b6772b4f58fc24d747da48f84463b2a01437200f07806525662a77251a3ce83375886b7c83f2b0e34ef21add
 SHA512 (jboss-jaxrs-2.0-api-1.0.0.Final.jar) = 39a29f9259e7ceb9018447c49d4a18be31aa88775ed7999eff20b2a8f1d8daa25da520c09d0a1c53bf7f417106a64cb2d4f374038ae44511cb60dac1db714495
 SHA512 (jboss-logging-3.5.3.Final.jar) = 2f604d0318a9f10b5c867dbff4ac7a3a608a41a9383cb3fc2ef6364f28396144ead96a0526ae3dea4336109042ead81b9b9318b13e9964b2c57a26794981f5cb
-SHA512 (pki-11.9.0.tar.gz) = 94395202644d8f0ae97a2af05d547ab4fed2df78ae688074018c779c6da7c78da3ee6a2a350ce91d866290b87ff8ce56ce773c7801d663b8847bffe0090d9aa1
 SHA512 (resteasy-client-3.0.26.Final.jar) = 9f3ea65f9cb045cc2e6f4c06f9b63f8d1f78b36ae419ca8367ce11cdd82e6fe35a2d5847634d71a306e0f6d8e3a69db5930c179cf635f105a8f064becb14f2a2
 SHA512 (resteasy-jackson2-provider-3.0.26.Final.jar) = 11e76fc901f4299dacfb67f4784988511933ef170d05d2dce3cbceb5d7857827faec0f4fc7618dea0ba51267bc0ea5bc185e41a5a539e35c688b8e4d433b1792
 SHA512 (resteasy-jaxrs-3.0.26.Final.jar) = 7beb8391d7fcfb96be8ffab674613167001f99a3fb3c4661c037949a52f2658db8028d8a2f3319df06dd3f2deb8152f4cad5f681d401a8deeea9b19ad5aba266
 SHA512 (resteasy-servlet-initializer-3.0.26.Final.jar) = 47a57c0137263d45628d53cceb4a9a6a87209150aaa559b56c5085e6b7b40be8f488c8fcc8ecf8f3882fc981c6d25ba2c750db7254eebea9b2faa5087a72453c
+SHA512 (pki-11.9.0.tar.gz) = 94395202644d8f0ae97a2af05d547ab4fed2df78ae688074018c779c6da7c78da3ee6a2a350ce91d866290b87ff8ce56ce773c7801d663b8847bffe0090d9aa1

sources-download.sh

@@ -0,0 +1,55 @@
+#!/bin/sh -e
+
+download() {
+    PKG_NAME=$1
+    SUFFIX=$2
+
+    ssh "${OPTIONS[@]}" $SOURCE dnf install -y $PKG_NAME
+    VERSION=$(ssh "${OPTIONS[@]}" $SOURCE rpm -q $PKG_NAME | sed -n "s/^$PKG_NAME-\\([^-]*\\)-.*$/\\1/p")
+
+    if [ "$VERSION" == "" ]
+    then
+        echo "$PKG_NAME not found"
+        exit 1
+    fi
+
+    echo "Downloading $PKG_NAME-$VERSION"
+
+    FILES=$(ssh "${OPTIONS[@]}" $SOURCE rpm -ql $PKG_NAME | sed -n -e "/^\/usr\/share\/java\/.*\.jar$/p")
+    for FILE in $FILES
+    do
+        FILENAME=$(basename $FILE)
+        NAME=$(echo $FILENAME | sed 's/\.jar$//')
+        echo "Downloading $FILE to $NAME-$VERSION$SUFFIX.jar"
+        scp "${OPTIONS[@]}" $SOURCE:$FILE $NAME-$VERSION$SUFFIX.jar
+    done
+}
+
+SOURCE=$1
+
+if [ "$SOURCE" == "" ]
+then
+    echo "Usage: source-download.sh <username>@<hostname>"
+    exit 0
+fi
+
+OPTIONS=(-i /usr/share/qa-tools/1minutetip/1minutetip)
+
+download jakarta-activation
+download jakarta-annotations
+download jaxb-api
+
+download jackson-annotations
+download jackson-core
+download jackson-databind
+download jackson-module-jaxb-annotations
+download jackson-jaxrs-providers
+download jackson-jaxrs-json-provider
+
+download jboss-jaxrs-2.0-api .Final
+download jboss-logging .Final
+
+download pki-resteasy-core .Final
+download pki-resteasy-client .Final
+download pki-resteasy-jackson2-provider .Final
+download pki-resteasy-servlet-initializer .Final

sources-import.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+COMMAND=$1
+
+if [ "$COMMAND" == "" ]
+then
+    echo "Usage: source-import.sh <command>"
+    exit 0
+fi
+
+FILES=$(ls *.tar.gz)
+FILES+=($(ls *.jar))
+
+$COMMAND new-sources "${FILES[@]}"

sources-update.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+SOURCE=$1
+TARGET=`basename $1`
+
+cp $SOURCE $TARGET
+sha512sum --tag $TARGET > sources
+
+for FILENAME in $(ls *.jar)
+do
+   sha512sum --tag $FILENAME >> sources
+done

tests/roles/Test_Setup/files/ca.cfg

@@ -0,0 +1,25 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem

tests/roles/Test_Setup/files/ds-create.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -ex
+
+# This command needs to be executed as it pulls the machine name
+# dynamically.
+dscreate create-template /tmp/test_dir/ds.inf
+
+sed -i \
+    -e "s/;instance_name = .*/instance_name = localhost/g" \
+    -e "s/;root_password = .*/root_password = Secret.123/g" \
+    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
+    -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
+    /tmp/test_dir/ds.inf
+
+dscreate from-file /tmp/test_dir/ds.inf
+
+ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=example,dc=com
+objectClass: domain
+dc: example
+
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF

tests/roles/Test_Setup/files/kra.cfg

@@ -0,0 +1,27 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem

tests/roles/Test_Setup/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Install required packages
+  dnf:
+    name: >
+      389-ds-base, pki-ca, pki-kra
+
+- name: Creates directory
+  file: path=/tmp/test_files state=directory
+
+- name: Copying templates to /tmp folder
+  copy : src=.  dest=/tmp/test_dir
+
+- name: Setup DS Service
+  shell: sh /tmp/test_dir/ds-create.sh
+
+- name: Install CA subsystem
+  shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
+
+- name: Install KRA subsystem
+  shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v

tests/tests.yml

@@ -0,0 +1,29 @@
+- hosts: localhost
+  remote_user: root
+  tags:
+    - classic
+  roles:
+  - role: Test_Setup
+  - role: standard-test-basic
+    tests:
+    - verify_spawn_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
+    - verify_spawn_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
+    - destroy_kra:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
+    - verify_destroy_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
+    - destroy_ca:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s CA"
+    - verify_destroy_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus  &> testfile.log || true && grep -i 'failed' testfile.log"
+    required_packages:
+    - pki-ca
+    - pki-kra