Accepting request 1318266 from security:idm

OBS-URL: https://build.opensuse.org/request/show/1318266
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/certmonger?expand=0&rev=12

0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch

@@ -1,42 +0,0 @@
-From cccc01f7c3dbc3e9b30e50b86eeaaa7f1500fc94 Mon Sep 17 00:00:00 2001
-From: Otto Hollmann <otto.hollmann@suse.com>
-Date: Wed, 13 Dec 2023 10:23:39 +0100
-Subject: [PATCH] Update tests to be compatible with OpenSSL 3.2
-
----
- tests/003-csrgen-ec/run.sh                  | 4 ++--
- tests/038-ms-v2-template/extract-extdata.py | 3 ++-
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
-index cd9f9422..196b6d02 100755
---- a/tests/003-csrgen-ec/run.sh
-+++ b/tests/003-csrgen-ec/run.sh
-@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
- openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
- # The RSA tests already verify the contents of the requests, so we really only
- # need to care about the signatures passing verification.
--openssl req   -verify -noout < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
--openssl req   -verify -noout < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
-+openssl req   -verify -noout -in csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
-+openssl req   -verify -noout -in csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
- openssl spkac -verify -noout < spkac.nss.$size 2>&1
- openssl spkac -verify -noout < spkac.openssl.$size 2>&1
- openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
-diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
-index 8b6b14ff..e2f84a10 100755
---- a/tests/038-ms-v2-template/extract-extdata.py
-+++ b/tests/038-ms-v2-template/extract-extdata.py
-@@ -13,7 +13,8 @@ STATE_SEARCH, STATE_FOUND, STATE_DONE = range(3)
- state = STATE_SEARCH
- 
- for line in sys.stdin:
--    if state == STATE_SEARCH and ':1.3.6.1.4.1.311.21.7' in line:
-+    if state == STATE_SEARCH and (':Microsoft certificate template' in line
-+                                  or ':1.3.6.1.4.1.311.21.7' in line):
-         state = STATE_FOUND
-         continue
- 
--- 
-2.42.0
-

add_some_missing_tests.patch

@@ -0,0 +1,38 @@
+From 1b682f1069a79040ffc6f5de84c27b3160d7a53d Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Feb 06 2025 18:46:01 +0000
+Subject: Add some missing test files to dist
+
+
+SRPM misses some essential test files, causing failure during RPM
+build test phase.  Add the missing files.
+
+---
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index e20b6d8..e78a83d 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -279,6 +279,8 @@ EXTRA_DIST = \
+ 	025-casave-dbm/run.sh \
+ 	025-casave-sql/expected.out \
+ 	025-casave-sql/run.sh \
++	026-local/expected.openssl1 \
++	026-local/expected.openssl3 \
+ 	026-local/expected.out \
+ 	026-local/run.sh \
+ 	027-hooks/expected.out \
+@@ -356,6 +358,12 @@ EXTRA_DIST = \
+ 	038-ms-v2-template/extract-extdata.py \
+ 	038-ms-v2-template/run.sh \
+ 	039-fromfile/run.sh \
++	040-pem/bad.empty \
++	040-pem/bad.isrg-root-x1-cross-signed.der.b64 \
++	040-pem/expected.out \
++	040-pem/good.isrg-root-x1-cross-signed.pem \
++	040-pem/good.isrg-root-x1-cross-signed_cr.pem \
++	040-pem/good.lets_encrypt_chain.pem \
+ 	040-pem/run.sh
+ 
+ subdirs = \
+

certmonger-0.79.20.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23645a5c1b284d73df448dbb97366c1b6e639223fc9465e7834fa5c5fef3f01e
+size 962445

certmonger-c99-01.patch

@@ -1,25 +0,0 @@
-From b7fc1ae316db0d1c8f86e68d3fcb9b79f8d028d4 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Dec 22 2023 09:55:21 +0000
-Subject: Adjust parameter type for util_EVP_PKEY_id
-
-
-The function pointer needs to match the prototype for i2d_PublicKey
-and i2d_PrivateKey, otherwise a compilation error may result.
-
----
-
-diff --git a/src/util-o.c b/src/util-o.c
-index c05872c..7feecb9 100644
---- a/src/util-o.c
-+++ b/src/util-o.c
-@@ -551,7 +551,7 @@ util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg)
- 
- static EVP_PKEY *
- util_EVP_PKEY_dup(EVP_PKEY *pkey,
--		  int (*i2d)(EVP_PKEY *, unsigned char **),
-+		  int (*i2d)(const EVP_PKEY *, unsigned char **),
- 		  EVP_PKEY *(*d2i)(int, EVP_PKEY **, const unsigned char **, long))
- {
- 	EVP_PKEY *k;
-

certmonger-c99-02.patch

@@ -1,26 +0,0 @@
-From a144529ce829ae6bed8607743c065c529ee5bf87 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Dec 22 2023 09:54:38 +0000
-Subject: Fix type error in cm_tdbusm_get_vn
-
-
-This fixes an out-of-bounds stack write on 32-bit architectures
-because dbus_message_iter_get_basic tries to write 64-bit integer
-into a 32-bit pointer variable.
-
----
-
-diff --git a/src/tdbusm.c b/src/tdbusm.c
-index 5e33411..8f2383d 100644
---- a/src/tdbusm.c
-+++ b/src/tdbusm.c
-@@ -223,7 +223,7 @@ cm_tdbusm_get_vn(DBusMessage *msg, void *parent, long *n)
- {
- 	DBusError err;
- 	DBusMessageIter iter, sub_iter;
--	int64_t *i64;
-+	int64_t i64;
- 
- 	dbus_error_init(&err);
- 
-

certmonger.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Thu Nov 13 09:26:01 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Cleanup dbus dependencies: dbus-send is part of dbus-1-tools
+  and the %preun does not use any dbus tool nor sed.
+
+-------------------------------------------------------------------
+Wed Sep  3 09:38:31 UTC 2025 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Disable failing tests with NSS 3.115.1: 007-certsave-dbm
+  and 007-certsave-sql 025-casave-dbm
+  * patch disable_some_tests.patch
+
+-------------------------------------------------------------------
+Mon Aug 25 08:20:51 UTC 2025 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Update to 0.79.20
+  * Fix type error in cm_tdbusm_get_vn
+  * Adjust parameter type for util_EVP_PKEY_id
+  * Update tests to be compatible with OpenSSL 3.2
+  * Switch BR from /usr/include/popt.h to popt-devel
+  * getcert: return 2 when trying to create a duplicate entry
+  * getcert: add NULL check to duplicate string compare
+  * Use correct object path for 'ca' property of request objects in D-Bus API
+  * Move shell_escape function to util.c
+  * Add more environment variables to be passed on to the notification command
+  * Translated using Weblate (Chinese (Simplified) (zh_CN))
+  * Translated using Weblate (Georgian)
+  * Translated using Weblate (Russian)
+- Remove patches merged upstream
+  * 0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
+  * certmonger-c99-01.patch
+  * certmonger-c99-02.patch
+- New patch
+  * add_some_missing_tests.patch
+
 -------------------------------------------------------------------
 Thu Jul 11 17:22:28 UTC 2024 - David Mulder <david.mulder@suse.com>
 

certmonger.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package certmonger
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2020 Stasiek Michalski <stasiek@michalski.cc>.
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,17 +18,16 @@
 
 
 Name:           certmonger
-Version:        0.79.19
+Version:        0.79.20
 Release:        0
 Summary:        Certificate status monitor and PKI enrollment client
 License:        GPL-3.0-or-later
 
 URL:            https://pagure.io/certmonger/
 Source0:        https://pagure.io/certmonger/archive/%{version}/certmonger-%{version}.tar.gz
-Patch0001:      0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
-Patch0002:      certmonger-c99-01.patch
-Patch0003:      certmonger-c99-02.patch
-Patch0004:      cm_dont_restart_external.patch
+Patch01:        cm_dont_restart_external.patch
+Patch02:        add_some_missing_tests.patch
+Patch03:        disable_some_tests.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -68,10 +67,8 @@ BuildRequires:  pkgconfig(systemd)
 BuildRequires:  which
 BuildRequires:  xmlrpc-c-devel
 
-Requires:       dbus-1
-Requires(post): dbus-1
-Requires(preun): dbus-1
-Requires(preun): sed
+Requires:       dbus-1-tools
+Requires(post): dbus-1-tools
 
 BuildRequires:  systemd-rpm-macros
 %{?systemd_requires}

disable_some_tests.patch

@@ -0,0 +1,69 @@
+Disable failing tests with NSS 3.115.1: 007-certsave-dbm
+and 007-certsave-sql 025-casave-dbm
+  
+diff -Nrua certmonger-0.79.20.orig/tests/Makefile.am certmonger-0.79.20/tests/Makefile.am
+--- certmonger-0.79.20.orig/tests/Makefile.am	2025-09-03 12:20:43.586608570 +0200
++++ certmonger-0.79.20/tests/Makefile.am	2025-09-03 12:28:33.021626210 +0200
+@@ -36,10 +36,6 @@
+ 	006-serial/actual.err \
+ 	007-certsave/actual.out \
+ 	007-certsave/actual.err \
+-	007-certsave-dbm/actual.out \
+-	007-certsave-dbm/actual.err \
+-	007-certsave-sql/actual.out \
+-	007-certsave-sql/actual.err \
+ 	008-certread/actual.out \
+ 	008-certread/actual.err \
+ 	009-oiddict/actual.out \
+@@ -96,8 +92,6 @@
+ 	024-citerate/actual.err \
+ 	025-casave/actual.out \
+ 	025-casave/actual.err \
+-	025-casave-dbm/actual.out \
+-	025-casave-dbm/actual.err \
+ 	025-casave-sql/actual.out \
+ 	025-casave-sql/actual.err \
+ 	026-local/actual.out \
+@@ -183,12 +177,6 @@
+ 	007-certsave/prequal.sh \
+ 	007-certsave/run.sh \
+ 	007-certsave/expected.out \
+-	007-certsave-dbm/prequal.sh \
+-	007-certsave-dbm/run.sh \
+-	007-certsave-dbm/expected.out \
+-	007-certsave-sql/prequal.sh \
+-	007-certsave-sql/run.sh \
+-	007-certsave-sql/expected.out \
+ 	008-certread/run.sh \
+ 	008-certread/expected.out \
+ 	009-oiddict/run.sh \
+@@ -275,8 +263,6 @@
+ 	024-citerate/run.sh \
+ 	025-casave/expected.out \
+ 	025-casave/run.sh \
+-	025-casave-dbm/expected.out \
+-	025-casave-dbm/run.sh \
+ 	025-casave-sql/expected.out \
+ 	025-casave-sql/run.sh \
+ 	026-local/expected.openssl1 \
+@@ -405,20 +391,17 @@
+ if HAVE_DBM_NSSDB
+ subdirs += \
+ 	002-keygen-dbm \
+-	007-certsave-dbm \
+ 	011-dbinit-dbm \
+ 	012-dbadd-dbm \
+ 	013-enckey-dbm \
+ 	015-lockedkey-dbm \
+ 	017-notoken-dbm \
+-	025-casave-dbm \
+ 	034-perms-dbm
+ endif
+ 
+ if HAVE_SQL_NSSDB
+ subdirs += \
+ 	002-keygen-sql \
+-	007-certsave-sql \
+ 	011-dbinit-sql \
+ 	012-dbadd-sql \
+ 	013-enckey-sql \