Sync from SUSE:SLFO:Main certmonger revision 24861fb84184640ea6383f64b4e4fa40

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch

@@ -0,0 +1,42 @@
+From cccc01f7c3dbc3e9b30e50b86eeaaa7f1500fc94 Mon Sep 17 00:00:00 2001
+From: Otto Hollmann <otto.hollmann@suse.com>
+Date: Wed, 13 Dec 2023 10:23:39 +0100
+Subject: [PATCH] Update tests to be compatible with OpenSSL 3.2
+
+---
+ tests/003-csrgen-ec/run.sh                  | 4 ++--
+ tests/038-ms-v2-template/extract-extdata.py | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
+index cd9f9422..196b6d02 100755
+--- a/tests/003-csrgen-ec/run.sh
++++ b/tests/003-csrgen-ec/run.sh
+@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
+ openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
+ # The RSA tests already verify the contents of the requests, so we really only
+ # need to care about the signatures passing verification.
+-openssl req   -verify -noout < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
+-openssl req   -verify -noout < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
++openssl req   -verify -noout -in csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
++openssl req   -verify -noout -in csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
+ openssl spkac -verify -noout < spkac.nss.$size 2>&1
+ openssl spkac -verify -noout < spkac.openssl.$size 2>&1
+ openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
+diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
+index 8b6b14ff..e2f84a10 100755
+--- a/tests/038-ms-v2-template/extract-extdata.py
++++ b/tests/038-ms-v2-template/extract-extdata.py
+@@ -13,7 +13,8 @@ STATE_SEARCH, STATE_FOUND, STATE_DONE = range(3)
+ state = STATE_SEARCH
+ 
+ for line in sys.stdin:
+-    if state == STATE_SEARCH and ':1.3.6.1.4.1.311.21.7' in line:
++    if state == STATE_SEARCH and (':Microsoft certificate template' in line
++                                  or ':1.3.6.1.4.1.311.21.7' in line):
+         state = STATE_FOUND
+         continue
+ 
+-- 
+2.42.0
+

certmonger.changes

@@ -0,0 +1,100 @@
+-------------------------------------------------------------------
+Wed Dec 13 08:48:02 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Update to 0.79.19
+  * getcert: add-scep-ca: fix help for --ca-cert and --ra-cert
+  * Don't restrict tokens to CKM_RSA_X_509
+  * Updated translations from Weblate
+- Update to 0.79.18
+  * Rename DBus service and conf files to match canonical name
+  * Add missing .TP tags in getcert-resubmit man page
+  * migrated to SPDX license
+  * Include owner and perms in getcert list output
+  * Don't require an NSS database in cm_certread_n_parse
+  * Add new certs to internal token, try harder to remove on renewal
+- Update to 0.79.17
+  * Respect LDFLAGS settings defined by user
+  * Switch to CA user when saving NSS certificates
+  * Translated using Weblate (German)
+  * Translated using Weblate (Georgian)
+- Update to 0.79.16
+  * Add a PEM validity checker and validate SCEP CA files
+  * Fix implicit declaration of function ‘PEM_read_bio_X509’
+  * Don't include "NEW" in certificate signing requests
+  * Verify that the AES-128 is used for encrypting the local CA
+  * Replace DER-encoded test file with a base64-encoded one
+  * Correct a bad date in the spec changelog
+  * Switch to https URLs for Sources, etc.
+  * Remove dependency on SHA-1
+  * tests: Test that the CA constraint DER encoding is correct
+  * Disable DSA in the RPM spec
+  * Manually build the srpm for the copr CI
+  * Require jansson >= 2.12
+  * Mark the current directory as a safe git directory
+  * Fix usage of PKCS#7 ASN1 attribute retrieval for SCEP keygen
+  * Translated using Weblate (Chinese (Simplified) (zh_CN))
+  * Translated using Weblate (Georgian)
+  * Translated using Weblate (Indonesian)
+  * Translated using Weblate (Chinese (Simplified) (zh_CN))
+  * Translated using Weblate (Hungarian)
+- Removed 0001-Disable-DSA-in-the-RPM-spec.patch
+- Added 0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
+
+-------------------------------------------------------------------
+Wed Oct 11 07:03:37 UTC 2023 - Simon Lees <sflees@suse.de>
+
+- dbus-daemon is now split out into a separate package.
+
+-------------------------------------------------------------------
+Fri Jun 17 19:47:46 UTC 2022 - Matthew Davis <novell@virtual.drop.net>
+
+- Added 0001-Disable-DSA-in-the-RPM-spec.patch
+- Removed 0002-certmonger-return-type.patch.
+
+-------------------------------------------------------------------
+Fri Jun 17 19:31:56 UTC 2022 - Matthew Davis <novell@virtual.drop.net>
+
+- Updated to version 0.79.15
+- Added minimum libjansson version requirement.
+
+-------------------------------------------------------------------
+Mon Jul 26 10:05:33 UTC 2021 - Neal Gompa <ngompa13@gmail.com>
+
+- Use "pkgconfig(systemd)" for the BR to allow hacksaw systemd-mini
+  package to satisfy dependencies in the openSUSE Build Service.
+
+-------------------------------------------------------------------
+Mon Jul 26 03:48:04 UTC 2021 - William Brown <william.brown@suse.com>
+
+- Add buildrequires on systemd which is required for correct installation
+  of the .service file.
+
+-------------------------------------------------------------------
+Sun Feb 28 12:28:48 UTC 2021 - Sasi Olin <hel@lcp.world>
+
+- Update to 0.79.13
+
+-------------------------------------------------------------------
+Mon Aug 31 10:30:11 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 0.79.11:
+  - Fix crash bug when generating thumbprints
+  - dogtag: use POST for profileProcess requests
+  - Improve logging in SCEP helper
+  - Add verbose option to SCEP CA if requested in add-scep-ca
+  - Re-order the way the SCEP signing and CA certs are collected
+  - Add new option to allow overriding the detected SCEP CA chain
+  - template_profile, issuer and MS certificate template are single-value
+  - Ensure that files read in have a trailing new-line
+  - Adapt to the new behavior of disconnect in dbus-broker
+  - Add long command-line options to CLI and man pages
+  - Include &message=CA-IDENT with GetCACaps and GetCACert requests
+  - Address issues uncovered by clang and Coverity
+  - Handle an uninitialized token when adding CA certs to an NSS db
+  - tests: Parametrize 025-casave with NSS db types
+
+-------------------------------------------------------------------
+Sun Apr 12 18:01:28 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc>
+
+- Initial package
+

certmonger.spec

@@ -0,0 +1,134 @@
+#
+# spec file for package certmonger
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2020 Stasiek Michalski <stasiek@michalski.cc>.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           certmonger
+Version:        0.79.19
+Release:        0
+Summary:        Certificate status monitor and PKI enrollment client
+License:        GPL-3.0-or-later
+
+URL:            https://pagure.io/certmonger/
+Source0:        https://pagure.io/certmonger/archive/%{version}/certmonger-%{version}.tar.gz
+Patch0001:      0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
+
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  dbus-1
+BuildRequires:  dbus-1-daemon
+BuildRequires:  dbus-1-devel
+BuildRequires:  diffutils
+BuildRequires:  dos2unix
+BuildRequires:  expect
+BuildRequires:  gcc
+BuildRequires:  gettext-devel
+BuildRequires:  krb5-devel
+BuildRequires:  libcurl-devel
+BuildRequires:  libfreebl3-hmac
+BuildRequires:  libidn2-devel
+BuildRequires:  libjansson-devel >= 2.12
+BuildRequires:  libsoftokn3-hmac
+BuildRequires:  libtalloc-devel
+BuildRequires:  libtevent-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  libxml2-devel
+BuildRequires:  mozilla-nspr-devel
+BuildRequires:  mozilla-nss-devel
+BuildRequires:  mozilla-nss-sysinit
+BuildRequires:  mozilla-nss-tools
+BuildRequires:  openldap2-devel
+BuildRequires:  openssl
+BuildRequires:  openssl-devel
+BuildRequires:  popt-devel
+BuildRequires:  python3-dbus-python
+# Note - this is required for /usr/share/pkgconfig/systemd.pc, which is used by
+# --enable-systemd to discover the unitfile location. There is no way to inject
+# this location via the configure call either.
+## Note: using pkgconfig(systemd) BR to allow hacksaw systemd-mini package to
+## satisfy in the openSUSE Build Service
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  which
+BuildRequires:  xmlrpc-c-devel
+
+Requires:       dbus-1
+Requires(post): dbus-1
+Requires(preun):dbus-1
+Requires(preun):sed
+
+BuildRequires:  systemd-rpm-macros
+%{?systemd_requires}
+
+%description
+Certmonger is a service which is primarily concerned with getting your
+system enrolled with a certificate authority (CA) and keeping it enrolled.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -i -f
+%configure \
+    --enable-systemd \
+    --enable-tmpfiles \
+    --disable-dsa \
+    --with-homedir=/run/certmonger \
+    --with-tmpdir=/run/certmonger --enable-pie --enable-now
+
+%make_build
+
+%install
+%make_install
+mkdir -p %{buildroot}/%{_localstatedir}/lib/certmonger/{cas,requests}
+%{find_lang} %{name}
+
+%check
+make check
+
+%pre
+%service_add_pre certmonger.service
+
+%post
+if test $1 -eq 1 ; then
+  %{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
+fi
+%service_add_post certmonger.service
+%tmpfiles_create certmonger.conf
+
+%preun
+%service_del_preun certmonger.service
+
+%postun
+%service_del_postun certmonger.service
+
+%files -f %{name}.lang
+%doc README.md LICENSE STATUS doc/*.txt
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
+%{_datadir}/dbus-1/services/*
+%dir %{_sysconfdir}/certmonger
+%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
+%ghost /run/certmonger
+%{_bindir}/*
+%{_sbindir}/certmonger
+%{_mandir}/man*/*
+%{_libexecdir}/%{name}
+%{_localstatedir}/lib/certmonger
+%{_unitdir}/certmonger.service
+%{_tmpfilesdir}/certmonger.conf
+%{_datadir}/dbus-1/system-services/*
+
+%changelog