10 changed files with 536 additions and 58 deletions
--- a/SOURCES/README.RedHat.SSL
+++ b/SOURCES/README.RedHat.SSL
@ -23,11 +23,20 @@
   PEGASUS_SSL_KEY_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_KEY_FILE)
                  (= /etc/pki/Pegasus/file.pem)
   o Contains the private key for the CIM Server SSL Certificate.
+                     /etc/pki/Pegasus/file-fallback.pem
+   o Contains private key for the fall back CIM Server SSL Certificate.

   PEGASUS_SSL_CERT_FILE = server.pem
   PEGASUS_SSL_CERT_FILE_PATH = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_CERT_FILE)
                             (= /etc/pki/Pegasus/server.pem)
   o Contains the CIM Server SSL Certificate.
+                                /etc/pki/Pegasus/server-fallback.pem
+   o Contains the fall back CIM Server SSL Certificate.
+     Fall back certificate can be used for example when the CIM Server SSL Certificate
+     is ML-DSA (Post-Quantum Cryptography) and there's need to also support a classic
+     certificate chain for clients without Post-Quantum Cryptography capabilities.
+     To be taken into account both file-fallback.pem and server-fallback.pem need to
+     exist. They are ignored othervise.

   PEGASUS_SSL_TRUSTSTORE = client.pem
   PEGASUS_SSL_CLIENT_TRUSTSTORE = $(PEGASUS_PEM_DIR)/$(PEGASUS_SSL_TRUSTSTORE)
--- a/SOURCES/pegasus-2.14.1-add-pegwsmserver-to-ldd-libs.patch
+++ b/SOURCES/pegasus-2.14.1-add-pegwsmserver-to-ldd-libs.patch
@ -0,0 +1,10 @@
+diff -up pegasus/src/Pegasus/ExportClient/tests/libraries.mak.orig pegasus/src/Pegasus/ExportClient/tests/libraries.mak
+--- pegasus/src/Pegasus/ExportClient/tests/libraries.mak.orig	2020-11-26 10:20:13.938292092 +0100
+++ pegasus/src/Pegasus/ExportClient/tests/libraries.mak	2020-11-26 10:25:30.248432039 +0100
+@@ -35,4 +35,5 @@ LIBRARIES= \
+     pegrepository \
+     pegconfig \
+     pegclient \
+-    pegcommon
+    pegcommon \
+    pegwsmserver
--- a/SOURCES/pegasus-2.14.1-fix-Wreserved-user-defined-literal.patch
+++ b/SOURCES/pegasus-2.14.1-fix-Wreserved-user-defined-literal.patch
@ -0,0 +1,22 @@
+--- pegasus/src/Pegasus/Common/InternalException.cpp.orig	2020-03-25 04:14:59.507215411 +0000
+++ pegasus/src/Pegasus/Common/InternalException.cpp	2020-03-25 04:06:31.545770255 +0000
+@@ -982,7 +982,7 @@ SocketWriteError::~SocketWriteError()
+ //     PEGASUS_MAXELEMENTS_NUM HTTP header fields in a single HTTP message
+ //==============================================================================
+ TooManyHTTPHeadersException::TooManyHTTPHeadersException()
+-    : Exception("more than "PEGASUS_MAXELEMENTS
+    : Exception("more than " PEGASUS_MAXELEMENTS
+                     " header fields detected in HTTP message")
+ {
+ }
+--- pegasus/src/Pegasus/Client/tests/slp/slpclient.cpp.orig	2020-03-25 04:21:46.078970915 +0000
+++ pegasus/src/Pegasus/Client/tests/slp/slpclient.cpp	2020-03-25 04:22:16.302878401 +0000
+@@ -49,7 +49,7 @@ int main(int argc, char** argv)
+ 
+         Array<Attribute> criteria;
+         Attribute attr(
+-            PEG_WBEM_SLP_SERVICE_ID"="PEG_WBEM_SLP_SERVICE_ID_DEFAULT);
+            PEG_WBEM_SLP_SERVICE_ID"=" PEG_WBEM_SLP_SERVICE_ID_DEFAULT);
+         Array<CIMServerDescription> connections;
+         SLPClientOptions* opts = (SLPClientOptions*)NULL;
+         if (argc == 2)
--- a/SOURCES/pegasus-2.14.1-post-quantum.patch
+++ b/SOURCES/pegasus-2.14.1-post-quantum.patch
@ -0,0 +1,102 @@
+--- pegasus/src/Pegasus/Common/SSLContext.cpp.orig	2026-01-29 16:18:25.472992730 +0100
+++ pegasus/src/Pegasus/Common/SSLContext.cpp	2026-01-29 16:36:19.947100277 +0100
+@@ -788,6 +788,41 @@
+     }
+ 
+     //
+    // Configure TLS key exchange groups with PQC support
+    //
+    if (SSL_CTX_set1_groups_list(sslContext,
+            "X25519MLKEM768:P-256:P-384:X25519") != 1)
+    {
+        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
+            "---> SSL: Failed to set PQC groups, trying traditional groups");
+        // Fallback to traditional groups for systems without PQC support
+        if (SSL_CTX_set1_groups_list(sslContext, "P-256:P-384:X25519") != 1)
+        {
+            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
+                "---> SSL: Failed to set traditional groups");
+        }
+    }
+
+    //
+    // Configure TLS signature algorithms with PQC support (ML-DSA)
+    //
+    if (SSL_CTX_set1_sigalgs_list(sslContext,
+            "mldsa65:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:"
+            "rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1)
+    {
+        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
+            "---> SSL: Failed to set PQC signature algorithms, trying traditional algorithms");
+        // Fallback to traditional signature algorithms
+        if (SSL_CTX_set1_sigalgs_list(sslContext,
+                "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:"
+                "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1)
+        {
+            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
+                "---> SSL: Failed to set traditional signature algorithms");
+        }
+    }
+
+    //
+     // set overall SSL Context flags
+     //
+     // For OpenSSLversion >1.0.0 use SSL_OP_NO_COMPRESSION to disable the 
+@@ -1095,6 +1130,57 @@
+         keyLoaded = true;
+     }
+ 
+    //
+    // Load fall back certificate/key pair if both exist
+    //
+    const String& certFallbackPath = "/etc/pki/Pegasus/server-fallback.pem";
+    const String& keyFallbackPath = "/etc/pki/Pegasus/file-fallback.pem";
+
+    FILE* certIs = Executor::openFile(certFallbackPath.getCString(), 'r');
+    FILE* keyIs = Executor::openFile(keyFallbackPath.getCString(), 'r');
+
+    if (certIs && keyIs)
+    {
+        fclose(certIs);
+        fclose(keyIs);
+
+        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
+            "---> SSL: Loading server certificate fall back from: %s",
+            (const char*)certFallbackPath.getCString()));
+
+        if (SSL_CTX_use_certificate_file(sslContext,
+            (const char*)certFallbackPath.getCString(), SSL_FILETYPE_PEM) != 1)
+        {
+            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
+                "---> SSL: No server certificate fall back found in %s",
+                (const char*)certFallbackPath.getCString()));
+            MessageLoaderParms parms(
+                "Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE",
+                "Could not access server certificate fall back in $0.",
+                (const char*)certFallbackPath.getCString());
+
+            SSL_CTX_free(sslContext);
+            sslContext = NULL;
+            PEG_METHOD_EXIT();
+            throw SSLException(parms);
+        }
+
+        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
+            "---> SSL: loading private key fall back from: %s",
+            (const char*)keyFallbackPath.getCString()));
+
+        if (SSL_CTX_use_PrivateKey_file(sslContext,
+            (const char*)keyFallbackPath.getCString(), SSL_FILETYPE_PEM) != 1)
+        {
+            MessageLoaderParms parms(
+                "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY",
+                "Could not get private key fall back.");
+            SSL_CTX_free(sslContext);
+            sslContext = NULL;
+            PEG_METHOD_EXIT();
+            throw SSLException(parms);
+        }
+    }
+     PEG_METHOD_EXIT();
+     return sslContext;
+ }
--- a/SOURCES/pegasus-2.14.1-ssl-certs-gen-changes.patch
+++ b/SOURCES/pegasus-2.14.1-ssl-certs-gen-changes.patch
@ -0,0 +1,175 @@
+diff -up pegasus/Makefile.Release.orig pegasus/Makefile.Release
+--- pegasus/Makefile.Release.orig	2025-04-02 09:41:58.144585088 +0200
+++ pegasus/Makefile.Release	2025-04-02 09:50:05.938271446 +0200
+@@ -446,6 +446,10 @@ stage_genOpenPegasusSSLCertsFile: FORCE
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "#" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "set -e" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "#" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_PEM_DIR=$(PEGASUS_PEM_DIR)" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_CONFIG_DIR=$(PEGASUS_CONFIG_DIR)" >> \
+@@ -458,6 +462,8 @@ stage_genOpenPegasusSSLCertsFile: FORCE
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_SSL_TRUSTSTORE=$(PEGASUS_SSL_TRUSTSTORE)" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "DAYS=3650" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(CAT) $(ROOT)/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 
+diff -up pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec.orig pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+--- pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec.orig	2014-09-10 18:15:40.000000000 +0200
+++ pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec	2025-04-02 09:54:27.678967236 +0200
+@@ -29,16 +29,6 @@ function create_ssl_cnf #(config_file, C
+             $PEGASUS_CONFIG_DIR/$SSL_CFG
+     echo "OU                     = The OpenPegasus Project" >> \
+             $PEGASUS_CONFIG_DIR/$SSL_CFG
+-    DN=`hostname`;
+-    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+-            DN='localhost.localdomain';
+-    fi;
+-    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } |\
+-            grep 'has address' | head -1 | sed 's/\ .*$//'`;
+-    if [ -z "$FQDN" ] ; then
+-        FQDN="$DN";
+-    fi;
+-    # cannot use 'hostname --fqdn' because this can hang indefinitely
+     # Hack the $CA onto the end of the CN so we differentiate the issuer
+     # of the signature from the subject
+     echo "CN                     = $FQDN$CA"  >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+@@ -52,27 +42,26 @@ function create_ssl_cnf #(config_file, C
+     echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ }
+ 
+-cnfChanged=0;
+-if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+-
+-    mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+-    mkdir -p $PEGASUS_CONFIG_DIR
+function selfsign_sscg()
+{
+    sscg --quiet \
+         --lifetime "${DAYS}" \
+         --cert-key-file "${PEGASUS_PEM_DIR}"/"${PEGASUS_SSL_KEY_FILE}" \
+         --cert-file "${PEGASUS_PEM_DIR}/${PEGASUS_SSL_CERT_FILE}" \
+         --ca-file "${PEGASUS_PEM_DIR}"/ca.crt \
+         --hostname "${FQDN}" \
+         --country "UK" \
+         --state "Berkshire" \
+         --locality "Reading" \
+         --organization "The Open Group" \
+         --organizational-unit "The OpenPegasus Project"
+}
+ 
+-    create_ssl_cnf ssl-ca.cnf CA
+-    create_ssl_cnf ssl-service.cnf
+-
+-    chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    cnfChanged=1;
+-fi
+-if [ $cnfChanged -eq 1 ] || \
+-         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
+-         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
+function selfsign_openssl()
+{
+    # Get minimum RSA key length at current security level
+    # This workarounds openssl not enforcing min. key length enforced by current security level
+    KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol | cut -d ' ' -f 3`
+ 
+     # Restrict access of the key to root
+     OLDUMASK=`umask`
+@@ -81,28 +70,34 @@ if [ $cnfChanged -eq 1 ] || \
+     # Create private key for the CA certificate
+     TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
+ 
+-    /usr/bin/openssl genrsa -out $TMPKEY 2048
+    /usr/bin/openssl genrsa -out $TMPKEY $KEYSIZE
+ 
+     # Restore the umask for the other files
+     umask $OLDUMASK
+ 
+     # Create CA certificate:
+-    /usr/bin/openssl req -new -x509 -days 3650 \
+-                         -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
+    # Hack the $CA onto the end of the CN so we differentiate the issuer
+    # of the signature from the subject
+    /usr/bin/openssl req -new -x509 -days $DAYS \
+                         -subj "/C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=${FQDN}CA" \
+                         -addext "subjectKeyIdentifier = hash" \
+                         -addext "authorityKeyIdentifier = keyid:always,issuer" \
+                         -addext "basicConstraints = CA:TRUE" \
+                          -key $TMPKEY \
+                          -out $PEGASUS_PEM_DIR/ca.crt \
+ 
+     # Create private key for the service certificate
+-    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
+    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE $KEYSIZE
+ 
+     # Create a signing request for the service certificate
+     /usr/bin/openssl req -new \
+-                         -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+                         -subj "/C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=$FQDN" \
+                         -addext "basicConstraints = CA:FALSE" \
+                          -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
+                          -out $PEGASUS_PEM_DIR/server.csr
+ 
+     # Sign the request with the CA certificate
+-    /usr/bin/openssl x509 -req -days 3650 \
+    /usr/bin/openssl x509 -req -days $DAYS \
+                           -in $PEGASUS_PEM_DIR/server.csr \
+                           -CA $PEGASUS_PEM_DIR/ca.crt \
+                           -CAkey $TMPKEY \
+@@ -128,6 +123,43 @@ if [ $cnfChanged -eq 1 ] || \
+     # long race here between the key generation and its deletion.
+     # The random filename should significantly mitigate this.
+     rm -f $TMPKEY
+}
+
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
+   [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+
+    mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+    mkdir -p $PEGASUS_CONFIG_DIR
+
+    DN=`hostname`;
+    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+            DN='localhost.localdomain';
+    fi;
+    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } |\
+            grep 'has address' | head -1 | sed 's/\ .*$//'`;
+    if [ -z "$FQDN" ] ; then
+        FQDN="$DN";
+    fi;
+    # cannot use 'hostname --fqdn' because this can hang indefinitely
+
+    create_ssl_cnf ssl-ca.cnf CA
+    create_ssl_cnf ssl-service.cnf
+
+    chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    cnfChanged=1;
+fi
+if [ $cnfChanged -eq 1 ] || \
+         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
+         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
+
+    # If sscg fails, try openssl
+    selfsign_sscg || selfsign_openssl
+ 
+ fi;
+ if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
--- a/SOURCES/pegasus-snmp-disable-des.patch
+++ b/SOURCES/pegasus-snmp-disable-des.patch
@ -0,0 +1,55 @@
+This patch is required because net-smp is not build with DES support,
+so usmDESPrivProtocol is not available.
+
+diff -up pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.cpp.orig pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.cpp
+--- pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.cpp.orig	2021-06-23 09:57:12.052712533 +0200
+++ pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.cpp	2021-06-23 10:06:19.893857294 +0200
+@@ -247,6 +247,16 @@ void snmpDeliverTrap_netsnmp::_createSes
+ #ifdef PEGASUS_ENABLE_NET_SNMPV3 
+         case _SNMPv3_TRAP:
+         {
+            if(snmpSecPrivProto == 1)
+            {
+                //DES is no longer supported.
+                PEG_METHOD_EXIT();
+                throw PEGASUS_CIM_EXCEPTION_L(CIM_ERR_NOT_SUPPORTED,
+                    MessageLoaderParms(
+                        _MSG_DES_NOT_SUPPORTED_KEY,
+                        _MSG_DES_NOT_SUPPORTED));
+            }
+
+             snmpSession.version = SNMP_VERSION_3;
+             CString securityNameCStr = securityName.getCString();
+             size_t securityNameLen = strlen(securityNameCStr);
+@@ -321,14 +331,7 @@ void snmpDeliverTrap_netsnmp::_createSes
+ 
+             SNMP_FREE(snmpSession.securityPrivProto);
+             //Privacy
+-            if(snmpSecPrivProto == 1) //DES
+-            {
+-                snmpSession.securityPrivProto = snmp_duplicate_objid(
+-                    usmDESPrivProtocol,
+-                    USM_PRIV_PROTO_DES_LEN);
+-                snmpSession.securityPrivProtoLen = USM_PRIV_PROTO_DES_LEN;
+-            }
+-            else if(snmpSecPrivProto == 2) // AES
+            if(snmpSecPrivProto == 2) // AES
+             {
+                 snmpSession.securityPrivProto = snmp_duplicate_objid(
+                     usmAESPrivProtocol,
+diff -up pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.h.orig pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.h
+--- pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.h.orig	2021-06-23 09:57:54.014119384 +0200
+++ pegasus/src/Pegasus/Handler/snmpIndicationHandler/snmpDeliverTrap_netsnmp.h	2021-06-23 10:05:04.489320833 +0200
+@@ -64,6 +64,12 @@ static const char _MSG_VERSION_NOT_SUPPO
+     "Handler.snmpIndicationHandler.snmpDeliverTrap_netsnmp."
+         "_MSG_VERSION_NOT_SUPPORTED";
+ 
+static const char _MSG_DES_NOT_SUPPORTED[] =
+    "DES support is disabled in SNMP.";
+static const char _MSG_DES_NOT_SUPPORTED_KEY[] =
+    "Handler.snmpIndicationHandler.snmpDeliverTrap_netsnmp."
+        "_MSG_DES_NOT_SUPPORTED";
+
+ static const char _MSG_SESSION_SEND_FAILED[] =
+     "Snmp Indication Handler failed to send the trap: ";
+ static const char _MSG_SESSION_SEND_FAILED_KEY[] =
--- a/SOURCES/tog-pegasus.service
+++ b/SOURCES/tog-pegasus.service
@ -6,7 +6,7 @@ After=syslog.target slpd.service
 Type=forking
 ExecStartPre=/usr/share/Pegasus/scripts/generate-certs
 ExecStart=/usr/sbin/cimserver
-PIDFile=/var/run/tog-pegasus/cimserver.pid
+PIDFile=/run/tog-pegasus/cimserver.pid

 [Install]
 WantedBy=multi-user.target
--- a/SOURCES/tog-pegasus.sysusers
+++ b/SOURCES/tog-pegasus.sysusers
@ -0,0 +1,3 @@
+#Type Name ID GECOS                                      Home directory   Shell
+g pegasus 65
+u pegasus 66 "tog-pegasus OpenPegasus WBEM/CIM services" /var/lib/Pegasus /sbin/nologin
--- a/SOURCES/tog-pegasus.tmpfiles
+++ b/SOURCES/tog-pegasus.tmpfiles
@ -1 +1,4 @@
 d /run/tog-pegasus 1750 root pegasus -
+
+# populate /var/lib/Pegaus with content from /usr/share/factory/var/lib/Pegasus
+C /var/lib/Pegasus - - - -
--- a/SPECS/tog-pegasus.spec
+++ b/SPECS/tog-pegasus.spec
@ -3,16 +3,13 @@

 %global srcname pegasus
 %global major_ver 2.14
-%global pegasus_gid 65
-%global pegasus_uid 66

 Name:           tog-pegasus
 Version:        %{major_ver}.1
-Release:        46%{?dist}
+Release:        68%{?dist}
 Epoch:          2
 Summary:        OpenPegasus WBEM Services for Linux

-Group:          System Environment/Daemons
 License:        MIT
 URL:            http://www.openpegasus.org
 Source0:        https://collaboration.opengroup.org/pegasus/documents/27211/pegasus-%{version}.tar.gz
@ -39,6 +36,8 @@ Source10:       generate-certs
 Source11:       snmptrapd.conf
 # 12: repupgrade man page based on pegasus/src/Clients/repupgrade/doc/repupgrade.html
 Source12:       repupgrade.1.gz
+# 13: sysusers conf file for dynamic creation of the 'pegasus' user and group
+Source13:       tog-pegasus.sysusers

 #  1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
 #     Removing insecure -rpath
@ -98,9 +97,20 @@ Patch40:        pegasus-2.14.1-tesid.patch
 Patch41:        pegasus-2.14.1-ssl-cert-path.patch
 # 42: port to openssl-1.1
 Patch42:        pegasus-2.14.1-openssl-1.1-fix.patch
-# 43: comply with system crypto policy
+# 43: fix -Wreserved-user-defined-literal warnings which prevents building with clang
+Patch43:        pegasus-2.14.1-fix-Wreserved-user-defined-literal.patch
+# 44: comply with Fedora crypto policy
 #  (use 'PROFILE=SYSTEM' instead of 'DEFAULT' in SSL_CTX_set_cipher_list calls)
-Patch43:        pegasus-2.14.1-crypto-policy-compliance.patch
+Patch44:        pegasus-2.14.1-crypto-policy-compliance.patch
+# 45: add required lib to fix FTBS
+Patch45:        pegasus-2.14.1-add-pegwsmserver-to-ldd-libs.patch
+# 46: Remove DES support.
+Patch46:        pegasus-snmp-disable-des.patch
+# 47: use sscg to generate cert, openssl as fallback, obtain correct key length
+#  based upon crypto policy level
+Patch47:        pegasus-2.14.1-ssl-certs-gen-changes.patch
+# 48: add mechanism to load fall back certificate/key pair
+Patch48:        pegasus-2.14.1-post-quantum.patch

 BuildRequires:  procps, libstdc++, pam-devel
 BuildRequires:  openssl, openssl-devel
@ -108,7 +118,7 @@ BuildRequires:  bash, sed, grep, coreutils, procps, gcc, gcc-c++
 BuildRequires:  libstdc++, make, pam-devel
 BuildRequires:  openssl-devel
 BuildRequires:  net-snmp-devel, openslp-devel
-BuildRequires:  systemd-units
+BuildRequires:  systemd-units systemd-rpm-macros
 Requires:       net-snmp-libs
 Requires:       %{name}-libs = %{epoch}:%{version}-%{release}
 Requires:       openssl
@ -126,9 +136,7 @@ sources.

 %package devel
 Summary:        The OpenPegasus Software Development Kit
-Group:          Development/Tools
-Requires:       tog-pegasus >= %{version}-%{release}
-Obsoletes:      tog-pegasus-sdk
+Requires:       tog-pegasus >= %{epoch}:%{version}-%{release}

 %description devel
 The OpenPegasus WBEM Services for Linux SDK is the developer's kit for the
@ -138,7 +146,6 @@ supports C provider developers via the CMPI interface.

 %package libs
 Summary:        The OpenPegasus Libraries
-Group:          System Environment/Libraries
 Conflicts:      libcmpiCppImpl0
 Requires(pre):  /usr/sbin/useradd
 Requires(pre):  /usr/sbin/groupadd
@ -150,8 +157,7 @@ The OpenPegasus libraries.
 %if %{PEGASUS_BUILD_TEST_RPM}
 %package test
 Summary:        The OpenPegasus Tests
-Group:          Development/Debug
-Requires:       tog-pegasus >= %{version}-%{release}, make
+Requires:       tog-pegasus >= %{epoch}:%{version}-%{release}, make
 Requires:       %{name}-libs = %{epoch}:%{version}-%{release}

 %description test
@ -228,33 +234,38 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm.
 # convert DMTF schema for Pegasus
 export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
 yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
-%patch1 -p1 -b .no-rpath
-%patch2 -p1 -b .PIE
-%patch3 -p1 -b .redhat-config
-%patch4 -p1 -b .cmpi-provider-lib
-%patch6 -p1 -b .pam-wbem
-%patch12 -p1 -b .snmp-tests
-%patch5 -p1 -b .local-or-remote-auth
-%patch13 -p1 -b .sparc
-%patch16 -p1 -b .getpagesize
-%patch19 -p1 -b .dont-strip
-%patch20 -p1 -b .sparc-locks
-%patch22 -p1 -b .null_value
-%patch24 -p1 -b .empty_arrays
-%patch25 -p1 -b .cimmofl-allow-experimental
-%patch26 -p1 -b .schema-version-and-includes
-%patch29 -p1 -b .enable-subscriptions-for-nonprivileged-users
-%patch33 -p1 -b .gcc5-build
-%patch34 -p1 -b .build-fixes
-%patch35 -p1 -b .ssl-include
-%patch36 -p1 -b .snmpv3-trap
-%patch37 -p1 -b .fix-setup-sdk
-%patch38 -p1 -b .cimconfig-man-page-fixes
-%patch39 -p1 -b .fix-setup-sdk-ppc64le
-%patch40 -p1 -b .testid
-%patch41 -p1 -b .ssl-cert-path
-%patch42 -p1 -b .openssl-1.1-fix
-%patch43 -p1 -b .crypto-policy-compliance
+%patch -P1 -p1 -b .no-rpath
+%patch -P2 -p1 -b .PIE
+%patch -P3 -p1 -b .redhat-config
+%patch -P4 -p1 -b .cmpi-provider-lib
+%patch -P6 -p1 -b .pam-wbem
+%patch -P12 -p1 -b .snmp-tests
+%patch -P5 -p1 -b .local-or-remote-auth
+%patch -P13 -p1 -b .sparc
+%patch -P16 -p1 -b .getpagesize
+%patch -P19 -p1 -b .dont-strip
+%patch -P20 -p1 -b .sparc-locks
+%patch -P22 -p1 -b .null_value
+%patch -P24 -p1 -b .empty_arrays
+%patch -P25 -p1 -b .cimmofl-allow-experimental
+%patch -P26 -p1 -b .schema-version-and-includes
+%patch -P29 -p1 -b .enable-subscriptions-for-nonprivileged-users
+%patch -P33 -p1 -b .gcc5-build
+%patch -P34 -p1 -b .build-fixes
+%patch -P35 -p1 -b .ssl-include
+%patch -P36 -p1 -b .snmpv3-trap
+%patch -P37 -p1 -b .fix-setup-sdk
+%patch -P38 -p1 -b .cimconfig-man-page-fixes
+%patch -P39 -p1 -b .fix-setup-sdk-ppc64le
+%patch -P40 -p1 -b .testid
+%patch -P41 -p1 -b .ssl-cert-path
+%patch -P42 -p1 -b .openssl-1.1-fix
+%patch -P43 -p1 -b .Wreserved-user-defined-literal-fix
+%patch -P44 -p1 -b .crypto-policy-compliance
+%patch -P45 -p1 -b .add-pegwsmserver-to-ldd-libs
+%patch -P46 -p1 -b .snmp-disable-des
+%patch -P47 -p1 -b .ssl-certs-gen-changes
+%patch -P48 -p1 -b .post-quantum


 %build
@ -275,16 +286,16 @@ export LD_LIBRARY_PATH=$PEGASUS_HOME/lib
 export PATH=$PEGASUS_HOME/bin:$PATH

 export PEGASUS_EXTRA_C_FLAGS="$RPM_OPT_FLAGS -fPIC -g -Wall -Wno-unused -fno-strict-aliasing"
-export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS"
-export PEGASUS_EXTRA_LINK_FLAGS="$RPM_OPT_FLAGS"
+export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS -std=c++14"
+export PEGASUS_EXTRA_LINK_FLAGS="$RPM_OPT_FLAGS -Wl,-z,now"
 export PEGASUS_EXTRA_PROGRAM_LINK_FLAGS="-g -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack"
 export SYS_INCLUDES=-I/usr/kerberos/include

-make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release create_ProductVersionFile
-make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release create_CommonProductDirectoriesInclude
-make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release create_ConfigProductDirectoriesInclude
-make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release all
-make %{?_smp_mflags} -f ${PEGASUS_ROOT}/Makefile.Release repository
+%make_build -f ${PEGASUS_ROOT}/Makefile.Release create_ProductVersionFile
+%make_build -f ${PEGASUS_ROOT}/Makefile.Release create_CommonProductDirectoriesInclude
+%make_build -f ${PEGASUS_ROOT}/Makefile.Release create_ConfigProductDirectoriesInclude
+%make_build -f ${PEGASUS_ROOT}/Makefile.Release all
+%make_build -f ${PEGASUS_ROOT}/Makefile.Release repository


 %install
@ -361,6 +372,9 @@ install -p Schemas/CIM238/DMTF/Core/CIM_AbstractComponent.mof $RPM_BUILD_ROOT/us
 mkdir -p ${RPM_BUILD_ROOT}/%{_mandir}/man1/
 cp %SOURCE12 ${RPM_BUILD_ROOT}/%{_mandir}/man1/

+# install sysusers conf file (arch-specific name for multilib)
+install -p -D -m 0644 %{SOURCE13} %{buildroot}%{_sysusersdir}/tog-pegasus-%{_arch}.conf
+
 %check
 # run unit tests
 export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/%{_lib}
@ -437,7 +451,9 @@ rm $RPM_BUILD_ROOT/usr/share/Pegasus/test/testtracer4.trace.0
 %{_libdir}/*
 %exclude /usr/lib/debug
 %exclude /usr/lib/systemd
+%exclude %dir %{_sysusersdir}
 %exclude %{_tmpfilesdir}
+%{_sysusersdir}/tog-pegasus-%{_arch}.conf

 %if %{PEGASUS_BUILD_TEST_RPM}
 %files test
@ -484,14 +500,17 @@ if [ $1 -ge 1 ]; then
      fi;
      /bin/systemctl try-restart tog-pegasus.service >/dev/null 2>&1 || :;
   fi;
+   # copy content of /var/lib/Pegasus to temporary place for Image Mode
+   (mkdir -p /usr/share/factory/var/lib && cp -a /var/lib/Pegasus /usr/share/factory/var/lib/Pegasus) >/dev/null 2>&1 || :;
 fi
 :;

 %preun
-%systemd_preun stop tog-pegasus.service
+%systemd_preun tog-pegasus.service
 if [ $1 -eq 0 ]; then                  
   # Package removal, not upgrade     
   rm -rf /var/run/tog-pegasus
+   rm -rf /usr/share/factory/var/lib/Pegasus
 fi
 :;

@ -508,9 +527,9 @@ fi
 %pre libs
 if [ $1 -eq 1 ]; then
 #  first install: create the 'pegasus' user and group:
-   /usr/sbin/groupadd -g %{pegasus_gid} -f -r pegasus >/dev/null 2>&1 || :; 
-   /usr/sbin/useradd -u %{pegasus_uid} -r -N -M -g pegasus -s /sbin/nologin -d /var/lib/Pegasus \
-     -c "tog-pegasus OpenPegasus WBEM/CIM services" pegasus >/dev/null 2>&1 || :;
+   {
+      %sysusers_create_compat %{SOURCE13}
+   } >/dev/null 2>&1 || :;
 fi
 :;

@ -556,17 +575,97 @@ fi


 %changelog
-* Mon Jun 29 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-46
- Comply with system crypto policy
-  Resolves: #1842838
+* Wed Feb 18 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-68
+- Fix multilib issue with systemd-sysusers config
+  Related: RHEL-90737

-* Tue May 05 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-45
+* Tue Feb 03 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-67
+- Add support for post-quantum cryptography
+  Resolves: RHEL-127514
+
+* Fri Sep 26 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-66
+- Use systemd-sysusers for the 'pegasus' user and group creation
+- Fix Requires of subpackages
+  Related: RHEL-90737
+- Add support for Image Mode
+  Resolves: RHEL-90737
+
+* Fri Apr 11 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-65
+- Update OpenSSL certificates set up
+  Resolves: RHEL-81721
+- Remove deprecated path from systemd service file
+  Resolves: RHEL-81716
+
+* Tue Feb 01 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.14.1-64
+- Fix build flags
+  Resolves: #2044895
+- Fix preun systemd macro call
+  Resolves: #2048002
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.14.1-63
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 22 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.14.1-62
+- Improve error message without DES support in SNMP
+  Resolves: rhbz#1972623
+
+* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 2:2.14.1-61
+- Port to net-snmp without DES support (#1958073)
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.14.1-60
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.14.1-59
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-58
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Nov 26 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-57
+- Fix FTBFS
+- Use make macros, patch by Tom Stellard <tstellar@redhat.com>
+
+* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 2:2.14.1-56
+- Rebuilt for new net-snmp release
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-55
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Jeff Law <law@redhat.com> - 2:2.14.1-54
+- Force C++14 as this code is not C++17 ready
+
+* Thu Jun 25 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-53
+- Comply with Fedora crypto policy
+
+* Wed Mar 25 2020 Tom Stellard <tstellar@redhat.com> - 2:2.14.1-52
+- Fix -Wreserved-user-defined-literal warnings
+
+* Thu Feb 27 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-51
 - Fix tmpfiles path
-  Resolves: #1805977

-* Wed Aug 01 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-44
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-50
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-49
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-48
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:2.14.1-47
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Wed Aug 01 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-46
 - Review and fix %%files section because of failing rpm -V

+* Tue Jul 24 2018 Adam Williamson <awilliam@redhat.com> - 2:2.14.1-45
+- Rebuild for new net-snmp
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-44
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:2.14.1-43
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild