20 changed files with 687 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/opendnssec-2.1.7.tar.gz
+/opendnssec-2.1.7.tar.gz
--- a/.opendnssec.metadata
+++ b/.opendnssec.metadata
@ -1 +0,0 @@
-0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz
--- a/SOURCES/conf.xml
+++ b/SOURCES/conf.xml
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/ods-enforcerd.init
+++ b/ods-enforcerd.init
@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# ods-enforcerd:         Starts the OpenDNSSEC Enforcer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
+# processname: /usr/sbin/ods-enforcerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-enforcerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
+# Description: control OpenDNSSEC enforcer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
+ODS_ENFORCERD_OPT=""
+ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
+ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_ENFORCERD_CONF ] || exit 5
+  [ -x $ODS_ENFORCERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-enforcerd:"
+  $ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-enforcerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-enforcerd: "
+    killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+    retval=$?
+    if [ $retval -eq 0 ] ; then
+       rm -f $ODS_ENFORCERD_PIDFILE
+       rm -f /var/lock/subsys/ods-enforcerd
+       success
+    else
+       failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-enforcerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
--- a/SOURCES/ods-enforcerd.service
+++ b/SOURCES/ods-enforcerd.service
--- a/ods-signerd.init
+++ b/ods-signerd.init
@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ods-signerd:         Starts the OpenDNSSEC Signer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
+# processname: /usr/sbin/ods-signerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-signerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
+# Description: control OpenDNSSEC signer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
+ODS_SIGNERD_OPT=""
+ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
+ODS_SIGNER_PROG="/usr/sbin/ods-signer"
+ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_SIGNERD_CONF ] || exit 5
+  [ -x $ODS_SIGNERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-signerd:"
+# ods-signerd is lying about supporting -c conf.file option :(
+#  $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
+  $ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-signerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-signerd: "
+  #$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
+  # seems that this loses our settings :(
+  /usr/sbin/ods-signer stop
+  RETVAL=$?
+  [ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
+  if [ $RETVAL -eq 0 ] ; then
+     rm -f $ODS_SIGNERD_PIDFILE
+     rm -f /var/lock/subsys/ods-signerd
+     success
+  else
+     failure
+  fi
+  echo
+  return $RETVAL
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-signerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
--- a/SOURCES/ods-signerd.service
+++ b/SOURCES/ods-signerd.service
--- a/SOURCES/ods.sysconfig
+++ b/SOURCES/ods.sysconfig
--- a/opendnssec-1.4.13-openssl1.1.patch
+++ b/opendnssec-1.4.13-openssl1.1.patch
@ -0,0 +1,95 @@
+From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
+From: Yuri Schaeffer <yuri@nlnetlabs.nl>
+Date: Fri, 4 Nov 2016 15:35:06 +0100
+Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
+
+---
+ m4/acx_ssl.m4                  | 12 +++++++++---
+ signer/src/Makefile.am         |  4 ++--
+ signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
+index 1dc6e40..3d64626 100644
+--- a/m4/acx_ssl.m4
+++ b/m4/acx_ssl.m4
+@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
+             if test x_$ssldir = x_/usr/sfw; then
+                 SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
+             fi
+-            AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+-            ])
+            AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
+                    AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
+                    SSL_LIBS="$SSL_LIBS -lcrypto";
+            ], [
+                    AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+                    ])
+            ] )
+             AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
+         fi
+         AC_SUBST(HAVE_SSL)
+        AC_SUBST(HAVE_SSL_NEW_HMAC)
+         AC_SUBST(SSL_INCLUDES)
+         AC_SUBST(SSL_LIBS)
+     fi
+diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
+index 60e8877..b39eac8 100644
+--- a/signer/src/Makefile.am
+++ b/signer/src/Makefile.am
+@@ -133,7 +133,7 @@ ods_signer_SOURCES=		ods-signer.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_signer_LDADD=		$(LIBHSM)
+-ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@ 
+ ods_signer_LDADD+=		$(LIBCOMPAT)
+ 
+ ods_getconf_SOURCES=		ods-getconf.c \
+@@ -193,5 +193,5 @@ ods_getconf_SOURCES=		ods-getconf.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_getconf_LDADD=		$(LIBHSM)
+-ods_getconf_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ods_getconf_LDADD+=		@SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ ods_getconf_LDADD+=		$(LIBCOMPAT)
+diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
+index c26b1e7..24fd342 100644
+--- a/signer/src/wire/tsig-openssl.c
+++ b/signer/src/wire/tsig-openssl.c
+@@ -131,8 +131,11 @@ static void
+ cleanup_context(void *data)
+ {
+     HMAC_CTX* context = (HMAC_CTX*) data;
+#ifdef HAVE_SSL_NEW_HMAC
+    HMAC_CTX_free(context);
+#else
+     HMAC_CTX_cleanup(context);
+-    return;
+#endif
+ }
+ 
+ static void
+@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
+ static void*
+ create_context(allocator_type* allocator)
+ {
+-    HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
+-        sizeof(HMAC_CTX));
+    HMAC_CTX* context;
+#ifdef HAVE_SSL_NEW_HMAC
+    context = HMAC_CTX_new();
+    if (!context) return NULL;
+    HMAC_CTX_reset(context);
+#else
+    context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
+     HMAC_CTX_init(context);
+#endif
+     context_add_cleanup(context);
+     return context;
+ }
+-- 
+2.9.3
+
--- a/opendnssec-1.4.5-serial0.patch
+++ b/opendnssec-1.4.5-serial0.patch
@ -0,0 +1,13 @@
+diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
+--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c	2014-03-25 06:45:44.000000000 +0000
+++ opendnssec-1.4.5/signer/src/adapter/addns.c	2014-04-18 16:26:39.079974120 +0000
+@@ -243,7 +243,8 @@
+             tmp_serial =
+                 ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
+             old_serial = adapi_get_serial(zone);
+-            if (!util_serial_gt(tmp_serial, old_serial)) {
+            if (!util_serial_gt(tmp_serial, old_serial)
+		&& zone->db->is_initialized) {
+                 ods_log_info("[%s] zone %s is already up to date, have "
+                     "serial %u, got serial %u", adapter_str, zone->name,
+                     old_serial, tmp_serial);
--- a/opendnssec-1.4.6-extract.patch
+++ b/opendnssec-1.4.6-extract.patch
@ -0,0 +1,168 @@
+commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
+Author: Petr Spacek <pspacek@redhat.com>
+Date:   Fri Jul 18 16:19:36 2014 +0200
+
+    add libhsm configuration option <AllowExtraction/>
+    
+    This option allows user to generate private keys with CKA_EXTRACTABLE
+    flag set to TRUE. Defaults to FALSE.
+
+diff --git a/NEWS b/NEWS
+index 4db7038..2efa176 100644
+--- a/NEWS
+++ b/NEWS
+@@ -1,3 +1,8 @@
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+  and extracted from HSM.
+
+
+ OpenDNSSEC 1.4.6 - 2014-07-21
+ 
+ * Signer Engine: Print secondary server address when logging notify reply
+diff --git a/conf/conf.rnc b/conf/conf.rnc
+index 71d527f..65f837e 100644
+--- a/conf/conf.rnc
+++ b/conf/conf.rnc
+@@ -50,7 +50,10 @@ start = element Configuration {
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
+			element SkipPublicKey { empty }?,
+
+			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff --git a/conf/conf.xml.in b/conf/conf.xml.in
+index 0ef2ab9..0536681 100644
+--- a/conf/conf.xml.in
+++ b/conf/conf.xml.in
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
+			<!--
+			<AllowExtraction/>
+			-->
+ 		</Repository>
+ 
+ <!--
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index d723b31..1f9720e 100644
+--- a/libhsm/src/lib/libhsm.c
+++ b/libhsm/src/lib/libhsm.c
+@@ -504,6 +504,7 @@ static void
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
+    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
+                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
+        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
+index 45d110a..08224b8 100644
+--- a/libhsm/src/lib/libhsm.h
+++ b/libhsm/src/lib/libhsm.h
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
+    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+--- a/conf/conf.rng
+++ b/conf/conf.rng
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
+            <optional>
+              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+              <element name="AllowExtraction">
+                <empty/>
+              </element>
+            </optional>
+           </element>
+         </zeroOrMore>
+       </element>
--- a/opendnssec-1.4.7-extract.patch
+++ b/opendnssec-1.4.7-extract.patch
@ -0,0 +1,156 @@
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
+--- opendnssec-1.4.7-orig/conf/conf.rnc	2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rnc	2014-12-08 22:49:16.100212010 -0500
+@@ -50,7 +50,10 @@
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
+			element SkipPublicKey { empty }?,
+
+			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
+			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
+--- opendnssec-1.4.7-orig/conf/conf.rng	2014-12-04 10:18:39.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.rng	2014-12-08 22:49:16.105212137 -0500
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
+            <optional>
+              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
+              <element name="AllowExtraction">
+                <empty/>
+              </element>
+            </optional>
+           </element>
+         </zeroOrMore>
+       </element>
+diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
+--- opendnssec-1.4.7-orig/conf/conf.xml.in	2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/conf/conf.xml.in	2014-12-08 22:49:16.101212036 -0500
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
+			<!--
+			<AllowExtraction/>
+			-->
+ 		</Repository>
+ 
+ <!--
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c	2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c	2014-12-08 22:49:16.102212061 -0500
+@@ -504,6 +504,7 @@
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
+    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
+                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
+                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
+        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h	2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h	2014-12-08 22:49:16.102212061 -0500
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
+    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
+--- opendnssec-1.4.7-orig/NEWS	2014-12-04 10:17:40.000000000 -0500
+++ opendnssec-1.4.7/NEWS	2014-12-08 22:50:00.560342544 -0500
+@@ -1,3 +1,9 @@
+
+Fedora patch:
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
+  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
+  and extracted from HSM.
+
+ OpenDNSSEC 1.4.7 - 2014-12-04
+ 
+ Bugfixes:
--- a/SOURCES/opendnssec-2.1.sqlite_convert.sql
+++ b/SOURCES/opendnssec-2.1.sqlite_convert.sql
--- a/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
+++ b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
--- a/25
+++ b/25
@ -0,0 +1,25 @@
+$Id: LICENSE 6226 2012-03-26 17:25:52Z jakob $
+
+Copyright (c) 2012 OpenDNSSEC AB (svb). All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/SOURCES/opendnssec.cron
+++ b/SOURCES/opendnssec.cron
--- a/SPECS/opendnssec.spec
+++ b/SPECS/opendnssec.spec
@ -4,7 +4,7 @@
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 2.1.7
-Release: 2%{?prever}%{?dist}
+Release: 1%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@ -77,6 +77,7 @@ install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
 install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
 mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
 mkdir -p %{buildroot}%{_datadir}/opendnssec/
 cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
 cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
@ -102,6 +103,7 @@ sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
 %attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
 %doc NEWS README.md
 %license LICENSE
@ -175,10 +177,6 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service

 %changelog
-* Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.7-2
- Don't creat /var/run/opendnssec directory
- Resolves: RHEL-12163
-
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
 - Upstream release 2.1.7
 - Resolves: rhbz#1904484
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (opendnssec-2.1.7.tar.gz) = 6f2ca2115195fd2fcd0b22186c41c9e64ec24d98b34a10a8a75d64b4671b5afe3a655f32bbd241a0df84affda1f6cecd4daac0e6fa7081e4c9fa02d1bb4ed1eb
--- a/SOURCES/tmpfiles-opendnssec.conf
+++ b/SOURCES/tmpfiles-opendnssec.conf
				`@ -1 +0,0 @@`
				`0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (opendnssec-2.1.7.tar.gz) = 6f2ca2115195fd2fcd0b22186c41c9e64ec24d98b34a10a8a75d64b4671b5afe3a655f32bbd241a0df84affda1f6cecd4daac0e6fa7081e4c9fa02d1bb4ed1eb`