diff --git a/.certmonger.metadata b/.certmonger.metadata
index f48d9d2..c02a279 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-ad584e16e8d457e97ddff8049411cdc45dc5122f SOURCES/certmonger-0.70.tar.gz
+b5c636304b1d31d110d6f4fba03f9b100ad6aafa SOURCES/certmonger-0.75.14.tar.gz
diff --git a/.gitignore b/.gitignore
index d27ab9f..d2881f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.70.tar.gz
+SOURCES/certmonger-0.75.14.tar.gz
diff --git a/SOURCES/certmonger-0.70.tar.gz.sig b/SOURCES/certmonger-0.70.tar.gz.sig
deleted file mode 100644
index 3b12651..0000000
Binary files a/SOURCES/certmonger-0.70.tar.gz.sig and /dev/null differ
diff --git a/SOURCES/certmonger-0.75.14.tar.gz.sig b/SOURCES/certmonger-0.75.14.tar.gz.sig
new file mode 100644
index 0000000..18eae39
Binary files /dev/null and b/SOURCES/certmonger-0.75.14.tar.gz.sig differ
diff --git a/SOURCES/certmonger-dbus-string-properties.patch b/SOURCES/certmonger-dbus-string-properties.patch
new file mode 100644
index 0000000..c7d96eb
--- /dev/null
+++ b/SOURCES/certmonger-dbus-string-properties.patch
@@ -0,0 +1,91 @@
+From fa734ee402ee1f41281ac89c3a376b24ae7e9112 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Wed, 7 Jan 2015 21:34:15 -0500
+Subject: [PATCH] Retrieve string value from DBus property interface reply
+ correctly.
+
+org.freedesktop.DBus.Properties.Get method always returns variant data type.
+The basic type inside it can't be accessed directly.
+---
+ src/getcert.c |  2 +-
+ src/tdbusm.c  | 38 ++++++++++++++++++++++++++++++++++++++
+ src/tdbusm.h  |  1 +
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 5ea5e538e5f3beb840f88e6dbe21957b155b873b..8b2cb8a937947ca3d932cc9405a82c90acefabb3 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -474,7 +474,7 @@ query_prop_s(enum cm_tdbus_type which,
+ 	DBusMessage *rep;
+ 	char *s;
+ 	rep = query_prop(which, path, interface, prop, verbose);
+-	if (cm_tdbusm_get_s(rep, parent, &s) != 0) {
++	if (cm_tdbusm_get_vs(rep, parent, &s) != 0) {
+ 		s = "";
+ 	}
+ 	dbus_message_unref(rep);
+diff --git a/src/tdbusm.c b/src/tdbusm.c
+index dd3e800d1a5f2fe9c2d7feff3e3938a6adb4c1ab..f7aaea82e20994a7382518153980e14fb0405453 100644
+--- a/src/tdbusm.c
++++ b/src/tdbusm.c
+@@ -175,6 +175,44 @@ cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p)
+ }
+ 
+ int
++cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s)
++{
++	DBusError err;
++	DBusMessageIter iter, sub_iter;
++
++	*s = NULL;
++	dbus_error_init(&err);
++
++	if (dbus_message_iter_init(msg, &iter) == FALSE) {
++		if (dbus_error_is_set(&err)) {
++			cm_log(3, "DBus error: %s", err.message);
++			dbus_error_free(&err);
++		} else {
++			cm_log(3, "Unknown DBus error.");
++		}
++		return -1;
++	}
++
++	if (dbus_message_iter_get_arg_type(&iter) == DBUS_TYPE_VARIANT) {
++		dbus_message_iter_recurse(&iter, &sub_iter);
++		if (dbus_message_iter_get_arg_type(&sub_iter) == DBUS_TYPE_STRING) {
++			dbus_message_iter_get_basic(&sub_iter, s);
++			*s = *s ? talloc_strdup(parent, *s) : NULL;
++			return 0;
++		}
++	}
++
++	if (dbus_error_is_set(&err)) {
++		cm_log(3, "Failed to extract data from DBus message: %s", err.message);
++		dbus_error_free(&err);
++	} else {
++		cm_log(3, "Failed to extract data from DBus message.");
++	}
++	*s = NULL;
++	return -1;
++}
++
++int
+ cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s)
+ {
+ 	DBusError err;
+diff --git a/src/tdbusm.h b/src/tdbusm.h
+index b926b4941985509696b965fc955b2f204ce856df..813fae2f4a4a72da512e7559b5ed437cab4766e1 100644
+--- a/src/tdbusm.h
++++ b/src/tdbusm.h
+@@ -22,6 +22,7 @@ int cm_tdbusm_get_b(DBusMessage *msg, void *parent, dbus_bool_t *b);
+ int cm_tdbusm_get_n(DBusMessage *msg, void *parent, long *n);
+ int cm_tdbusm_get_p(DBusMessage *msg, void *parent, char **p);
+ int cm_tdbusm_get_s(DBusMessage *msg, void *parent, char **s);
++int cm_tdbusm_get_vs(DBusMessage *msg, void *parent, char **s);
+ int cm_tdbusm_get_bp(DBusMessage *msg, void *parent, dbus_bool_t *b, char **p);
+ int cm_tdbusm_get_bs(DBusMessage *msg, void *parent, dbus_bool_t *b, char **s);
+ int cm_tdbusm_get_sb(DBusMessage *msg, void *parent, char **s, dbus_bool_t *b);
+-- 
+2.1.0
+
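Review bot: In `cm_tdbusm_get_vs` the string branch returns 0 even when `talloc_strdup` fails, so a caller such as `query_prop_s`, which substitutes `""` only on a non-zero return, can be left holding a NULL string. Ending the success path with `return (*s != NULL) ? 0 : -1;` instead of the unconditional `return 0;` would close that gap. Separately, `err` is initialised but never passed to a libdbus call in this function, so both `dbus_error_is_set(&err)` branches look unreachable and only the generic log messages can fire. Dropping `err`, or adding a comment saying so, would make the error handling honest. What `query_prop_s` does with `s` after the unref is outside the hunk.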
diff --git a/SOURCES/certmonger-dogtag-approval-options.patch b/SOURCES/certmonger-dogtag-approval-options.patch
new file mode 100644
index 0000000..0ddee2f
--- /dev/null
+++ b/SOURCES/certmonger-dogtag-approval-options.patch
@@ -0,0 +1,154 @@
+Backported from master.
+
+From de03df73802956143fd1fa743706b803938a610f Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 18 Nov 2014 13:25:08 +0000
+Subject: [PATCH] Allow overriding parameter values in Dogtag request approval
+
+---
+ src/certmonger-dogtag-ipa-renew-agent-submit.8.in |  8 +++
+ src/dogtag.c                                      | 61 ++++++++++++++++++++++-
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
+index 45129d4818aad0d91960a1bfe35a79e4e2406f02..d6d0c4c122014ac77e04ab8c3fc4a2742dfb8bdb 100644
+--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
++++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
+@@ -17,6 +17,7 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
+ [-D serial (decimal)]
+ [-S state]
+ [-T profile]
++[-O param=value]
+ [-v]
+ [csrfile]
+ 
+@@ -125,6 +126,13 @@ The name of the type of certificate which the client should request from the CA
+ if it is not renewing a certificate (per the \fB-s\fR option above).  The
+ default value is \fBcaServerCert\fP.
+ .TP
++\fB-O\fR param=value
++An additional parameter to pass to the server when approving the signing
++request using the agent's credentials.  By default, any server-supplied default
++settings are applied.  This option can be used either to override a
++server-supplied default setting, or to supply one which would otherwise have
++not been used.
++.TP
+ \fB-v\fR
+ Increases the logging level.  Use twice for more logging.  This option is mainly
+ useful for troubleshooting.
+diff --git a/src/dogtag.c b/src/dogtag.c
+index 700fe7f516a54f0581d94068e9066de9e4621f5d..6bd284327ffc1ab29d32deb8529fc5ef69314295 100644
+--- a/src/dogtag.c
++++ b/src/dogtag.c
+@@ -76,6 +76,7 @@ help(const char *cmd)
+ 		"\t[-D serial (decimal)]\n"
+ 		"\t[-S state]\n"
+ 		"\t[-T profile]\n"
++		"\t[-O param=value]\n"
+ 		"\t[-v]\n"
+ 		"\t[-N]\n"
+ 		"\t[-V dogtag_version]\n"
+@@ -140,6 +141,11 @@ main(int argc, char **argv)
+ 	const char *sslcert = NULL, *sslkey = NULL;
+ 	const char *sslpin = NULL, *sslpinfile = NULL;
+ 	const char *host = NULL, *csr = NULL, *serial = NULL, *template = NULL;
++	struct {
++		char *name;
++		char *value;
++	} *options = NULL;
++	size_t num_options = 0, j;
+ 	const char *dogtag_version = NULL;
+ 	char *ipaconfig = NULL, *savedstate = NULL;
+ 	char *p, *q, *params = NULL, *params2 = NULL;
+@@ -178,7 +184,7 @@ main(int argc, char **argv)
+ 
+ 	savedstate = getenv(CM_SUBMIT_COOKIE_ENV);
+ 
+-	while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:vV:NR")) != -1) {
++	while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:vV:NR")) != -1) {
+ 		switch (c) {
+ 		case 'E':
+ 			eeurl = optarg;
+@@ -220,6 +226,26 @@ main(int argc, char **argv)
+ 		case 'T':
+ 			template = optarg;
+ 			break;
++		case 'O':
++			if (strchr(optarg, '=') == NULL) {
++				printf(_("Profile params (-O) must be in the form of param=value.\n"));
++				help(argv[0]);
++				return CM_SUBMIT_STATUS_UNCONFIGURED;
++			}
++			options = realloc(options,
++					  ++num_options * sizeof(*options));
++			if (options == NULL) {
++				printf(_("Out of memory.\n"));
++				return CM_SUBMIT_STATUS_UNCONFIGURED;
++			}
++			options[num_options - 1].name = strdup(optarg);
++			if (options[num_options - 1].name == NULL) {
++				printf(_("Out of memory.\n"));
++				return CM_SUBMIT_STATUS_UNCONFIGURED;
++			}
++			*strchr(options[num_options - 1].name, '=') = '\0';
++			options[num_options - 1].value = strchr(optarg, '=') + 1;
++			break;
+ 		case 'v':
+ 			verbose++;
+ 			break;
+@@ -374,6 +400,18 @@ main(int argc, char **argv)
+ 		printf(_("No profile/template (-T) given, and no default known.\n"));
+ 		missing_args = TRUE;
+ 	}
++	if (options != NULL) {
++		if (agenturl == NULL) {
++			printf(_("No agent URL (-A) given, and no default "
++				 "known.\n"));
++			missing_args = TRUE;
++		}
++		if (!can_agent) {
++			printf(_("No agent credentials specified, and no "
++				 "default known.\n"));
++			missing_args = TRUE;
++		}
++	}
+ 	if (missing_args) {
+ 		help(argv[0]);
+ 		return CM_SUBMIT_STATUS_UNCONFIGURED;
+@@ -544,12 +582,33 @@ main(int argc, char **argv)
+ 			for (i = 0;
+ 			     (defaults != NULL) && (defaults[i] != NULL);
+ 			     i++) {
++				/* Check if this default is one of the
++				 * paramters we've been explicitly provided. */
++				for (j = 0; j < num_options; j++) {
++					if (strcmp(defaults[i]->name,
++						   options[j].name) == 0) {
++						break;
++					}
++				}
++				/* If we have a non-default value for it, skip
++				 * this default. */
++				if (j < num_options) {
++					continue;
++				}
+ 				p = cm_submit_u_url_encode(defaults[i]->name);
+ 				q = cm_submit_u_url_encode(defaults[i]->value);
+ 				params2 = talloc_asprintf(ctx,
+ 							  "%s&%s=%s",
+ 							  params2, p, q);
+ 			};
++			/* Add parameters specified on command line */
++			for (j = 0; j < num_options; j++) {
++				p = cm_submit_u_url_encode(options[j].name);
++				q = cm_submit_u_url_encode(options[j].value);
++				params2 = talloc_asprintf(ctx,
++							  "%s&%s=%s",
++							  params2, p, q);
++			}
+ 			break;
+ 		case op_none:
+ 		case op_submit:
+-- 
+2.1.0
+
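Review bot: The `-O` case in `main` only checks that `optarg` contains `=`, so `-O =value` is accepted with an empty parameter name. Nothing rejects a name that repeats an earlier `-O` or one of the fields already placed in `params2` before the approval loop (that part is outside the hunk). Because these pairs are appended to a request sent with the agent's credentials, rejecting the empty name up front is cheap: `if (strchr(optarg, '=') == NULL || optarg[0] == '=') {`. The `realloc` result is also assigned straight back to `options`; that is harmless here because the failure path returns immediately, but a short comment saying so would stop the pattern being copied elsewhere. The man-page paragraph could also say that any approval parameter can be overridden, so operators treat the helper's configured command line as privileged.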
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 77d8c7a..0678f85 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -6,6 +6,12 @@
 %global	sysvinit 1
 %endif
 
+%if 0%{?fedora} > 15 && 0%{?fedora} < 20
+%global systemdsysv 1
+%else
+%global systemdsysv 0
+%endif
+
 %if 0%{?fedora} > 14 || 0%{?rhel} > 6
 %global tmpfiles 1
 %else
@@ -19,8 +25,8 @@
 %endif
 
 Name:		certmonger
-Version:	0.70
-Release:	2%{?dist}
+Version:	0.75.14
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -29,8 +35,11 @@ URL:		http://certmonger.fedorahosted.org
 Source0:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
 Source1:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0:		certmonger-dogtag-approval-options.patch
+Patch1:		certmonger-dbus-string-properties.patch
 
-BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
+BuildRequires:	openldap-devel
+BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 BuildRequires:  libuuid-devel
 %else
@@ -59,6 +68,10 @@ BuildRequires:	/usr/bin/dbus-launch
 #  for dos2unix
 BuildRequires:	/usr/bin/dos2unix
 BuildRequires:	/usr/bin/unix2dos
+#  for which
+BuildRequires:	/usr/bin/which
+#  for dbus tests
+BuildRequires:	dbus-python
 
 # we need a running system bus
 Requires:	dbus
@@ -66,14 +79,24 @@ Requires:	dbus
 %if %{systemd}
 BuildRequires:	systemd-units
 Requires(post):	systemd-units
-Requires(preun):	systemd-units
+Requires(preun):	systemd-units, dbus, sed
 Requires(postun):	systemd-units
+%endif
+
+%if %{systemdsysv}
 Requires(post):	systemd-sysv
+%global systemdsysvsave \
+# Save the current service runlevel info, in case the user wants \
+# to apply the enabled status manually later, by running \
+#   "systemd-sysv-convert --apply certmonger". \
+%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
+%else
+%global systemdsysvsave %{nil}
 %endif
 
 %if %{sysvinit}
 Requires(post):	/sbin/chkconfig, /sbin/service
-Requires(preun):	/sbin/chkconfig, /sbin/service
+Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 %endif
 
 %if 0%{?fedora} >= 15
@@ -87,6 +110,8 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 
 %prep
 %setup -q
+%patch0 -p1 -b .dogtag-approval-options
+%patch1 -p1 -b .dbus-string-properties
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
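Review bot: `%prep` goes straight from `%setup -q` to `%patch0` without checking `Source1`, so the detached signature this update replaces is carried in the SRPM but never verified at build time. The `Source0` line in the earlier hunk is still an `http://` URL. If a trusted upstream keyring can be packaged as an additional source, a step before `%setup` such as `gpgv --keyring <KEYRING_SOURCE_PLACEHOLDER> %{SOURCE1} %{SOURCE0}` would tie the build to the signed tarball rather than only to the checksum in `.certmonger.metadata`. Whether the build environment already verifies the signature elsewhere cannot be seen from this diff.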
@@ -136,6 +161,22 @@ fi
 /sbin/chkconfig --add certmonger
 %endif
 
+%triggerin -- certmonger < 0.58
+if test $1 -gt 1 ; then
+	# If the daemon is running, remove knowledge of the dogtag renewer.
+	objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`
+	if test -n "$objpath" ; then
+		dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
+	fi
+	# Remove the data file, in case it isn't running.
+	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
+		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
+			rm -f "$cafile"
+		fi
+	done
+fi
+exit 0
+
 %postun
 %if %{systemd}
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
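Review bot: The `for cafile in %{_localstatedir}/lib/certmonger/cas/*` loop in the new `%triggerin` runs once with the unexpanded pattern when the directory is empty or absent, and `grep -q` still writes a "No such file" error to the scriptlet's stderr in that case. Adding `test -f "$cafile" || continue` as the first line of the loop body (or using `grep -qs`) keeps the trigger quiet, and the `test -f` form also limits the root-run `rm -f` to regular files. The second `dbus-send` call has no `--reply-timeout`, unlike the first, so an unresponsive daemon presumably holds up the transaction for the default timeout; giving it the same `--reply-timeout=10000` would make the two calls consistent.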
@@ -167,10 +208,7 @@ exit 0
 
 %if %{systemd}
 %triggerun -- certmonger < 0.43
-# Save the current service runlevel info, in case the user wants to apply
-# the enabled status manually later, by running
-#   "systemd-sysv-convert --apply certmonger".
-%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
+%{systemdsysvsave}
 # Do this because the old package's %%postun doesn't know we need to do it.
 /sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
 # Do this because the old package's %%postun wouldn't have tried.
@@ -195,13 +233,231 @@ exit 0
 %{sysvinitdir}/certmonger
 %endif
 %if %{tmpfiles}
-%attr(0644,root,root) %config(noreplace) /etc/tmpfiles.d/certmonger.conf
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
 %endif
 %if %{systemd}
 %{_unitdir}/*
 %endif
 
 %changelog
+* Tue Jan 13 2015 Jan Cholasta <jcholast@redhat.com> - 0.75.14-3
+- backport change from git to correctly retrieve string values from DBus
+  property interface replies (#1181022)
+
+* Wed Nov 19 2014 Jan Cholasta <jcholast@redhat.com> - 0.75.14-2
+- backport dogtag-submit: accept additional options to pass to the server when
+  approving requests using agent creds (#1165155)
+
+* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1
+- make pathname canonicalization slightly smarter, to handle ".." in
+  locations
+- updates to self-tests
+
+* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1
+- add a missing test case file (whoops)
+
+* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1
+- correct encoding/decoding of variant-typed data which we receive and send
+  as part of the org.freedesktop.DBus.Properties interface over the bus, and
+  add some tests for them (based on patch from David Kupka, ticket #36)
+
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1
+- when getcert is passed a -a flag, to indicate that CA root certificates
+  should be stored in the specified database, don't ignore locations which
+  don't include a storage scheme (#1129537)
+- when called to 'start-tracking' with the -a or -F flags, if we have
+  applicable certificates on-hand for a CA that we're either told to use
+  or which we decide is the correct one, save the certificates (#1129696)
+
+* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1
+- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
+  default.conf, and no "host" is set either, try to construct the server URI
+  using the "server" setting (#1126985)
+
+* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1
+- avoid potential use-after-free after a CA is removed dynamically (thanks to
+  Keenan Brock) (#1125342)
+- add a "external-helper" property to CA objects
+
+* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1
+- add a 'refresh' option to the getcert command
+- add a '-a' flag to the getcert command's 'refresh-ca' option
+
+* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2
+- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
+  conditionalized it so that it's ignored on newer releases, and make
+  whether or not we call systemd-sysv-convert in triggers depend on that,
+  too (#1104138)
+
+* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1
+- fix an inconsistency in how we parse cookie values returned by CA helpers,
+  in that single-line values would lose the end-of-line after a daemon
+  restart, but not before
+- handle timeout values and exit status values when calling CA helpers
+  in non-SUBMIT, non-POLL modes (#1118468)
+- rework how we save CA certificates so that we save CA certificates associated
+  with end-entity certificates when we save that end-entity certificate, which
+  requires running all of the involved pre- and post-save commands
+- drop package Requires: on systemd-sysv (#1104138)
+
+* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1
+- avoid potential use-after-free and read overrun after a CA is added
+  dynamically (thanks to Jan Cholasta)
+
+* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1
+- documentation updates
+
+* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2
+- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
+  when we detect certmonger versions prior to 0.58 being installed, to
+  avoid cases where some older versions choke on CAs with nicknames that
+  contain characters that can't legally be part of a D-Bus name (#948993)
+
+* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1
+- fix creation and packaging of the "local" CA's data directory
+
+* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1
+- read and cache whether or not we saw a noOCSPcheck extension in certificates
+- documentation updates
+
+* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1
+- when generating keys using OpenSSL, if key generation fails, try
+  again with the default key size, in case we're in FIPS mode
+- documentation updates
+
+* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1
+- log the state in 'getcert status' verbose mode
+
+* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1
+- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
+  commands, and add a non-waiting status command
+
+* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1
+- make the trust settings we apply to CA-supplied certificates while
+  saving them to NSS databases run-time configurable
+- fix compiling against EL5-era OpenSSL
+- when saving CA certificates we pull from an IPA server, nickname
+  it using the realm name with " IPA CA" appended rather than just
+  naming it "IPA CA"
+- fix the local signer so that when it issues itself a new certificate,
+  it uses the same subject name
+- add a -w flag to getcert's request, resubmit, and start-tracking
+  commands, telling it to wait until either the certificate is issued,
+  we get to a state where we know that we won't be able to get one, or
+  we are waiting for a CA
+
+* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1
+- add the "local" signer, a local toy CA that signs anything you'll
+  ask it to sign
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1
+- fix self-test errors that we trigger with new OpenSSL
+- fix a build error that would sometimes happen when we're told to
+  build PIE binaries
+- quiet a compile warning
+
+* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1
+- add some self-tests
+- simplify the internal submit-to-CA logic
+- fixes for more problems found through static analysis
+
+* Tue Jun  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.92-1
+- retrieve CA information from CAs, if the helpers can do so, and
+  add a command to explicitly refresh that data: "getcert refresh-ca"
+- offer to save CA certificates to files and databases, when specified with
+  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
+  trac #31)
+- add IP address subject alternate names when getcert request/resubmit
+  is passed the -A option (trac #35)
+- read and cache the freshestCRL extension in certificates
+- properly interpret KDC-unreachable errors encountered in the IPA
+  submission error as a server-unreachable error that we will retry,
+  rather than a misconfiguration error which we won't
+- don't let tests get tripped up by new formatting used in dos2unix status
+  messages (#1099080)
+- updated translations
+- be explicit that we are going to use bashisms in test scripts by calling
+  the shell interpreter as 'bash' rather than 'sh' (trac #27)
+
+* Thu Apr  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74-1
+- also save state when we exit due to SIGHUP
+- don't get tripped up when enrollment helpers hand us certificates which
+  include CRLF line terminators (ticket #25)
+- be tolerant of certificate issuer names, subject names, DNS, email, and
+  Kerberos principal namem subjectAltNames, and crl distribution point URLs
+  that contain newlines
+- read and cache the certificate template extension in certificates
+- enforce different minimum key sizes depending on the type of key we're
+  trying to generate
+- store DER versions of subject, issuer and template subject, if we have
+  them (Jan Cholasta, ticket #26)
+- when generating signing requests with subject names that don't quite parse
+  as subject names, encode what we're given as PrintableString rather than
+  as a UTF8String
+- always chdir() to a known location at startup, even if we're not becoming
+  a daemon
+- fix a couple of memory leaks (static analysis)
+- add missing buildrequires: on which
+
+* Thu Feb 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.73-1
+- updates to 0.73
+  - getcert no longer claims to be stuck when a CA is unreachable,
+    because the daemon isn't actually stuck
+
+* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com>
+- updates to 0.73
+  - also pass the key type to enrollment helpers in the environment as
+    a the value of "CERTMONGER_KEY_TYPE"
+
+* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
+- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
+  where it belongs
+
+* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
+- updates for 0.73
+  - set the flag to encode EC public key parameters using named curves
+    instead of the default of all-the-details when using OpenSSL
+  - don't break when NSS supports secp521r1 but OpenSSL doesn't
+  - also pass the CA nickname to enrollment helpers in the environment as
+    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
+    when reading configuration settings
+  - also pass the SPKAC value to enrollment helpers in the environment as
+    a base64 value in "CERTMONGER_SPKAC"
+  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
+    in the environment as a base64 value in "CERTMONGER_SPKI"
+  - when generating signing requests using NSS, be more accommodating of
+    requested subject names that don't parse properly
+
+* Mon Feb  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.72-1
+- update to 0.72
+  - support generating DSA parameters and keys on sufficiently-new OpenSSL
+    and NSS
+  - support generating EC keys when OpenSSL and NSS support it, using key
+    size to select the curve to use from among secp256r1, secp384r1,
+    secp521r1 (which are the ones that are usually available, though
+    secp521r1 isn't always, even if the other two are)
+  - stop trying to cache public key parameters at all and instead cache public
+    key info properly
+  - encode the friendlyName attribute in signing requests as a BMPString,
+    not as a PrintableString
+  - catch more filesystem permissions problems earlier (more of #996581)
+
+* Mon Jan 27 2014 Nalin Dahyabhai <nalin@redhat.com> 0.71-1
+- check for cases where we fail to allocate memory while reading a request
+  or CA entry from disk (John Haxby)
+- only handle one watch at a time, which should avoid abort() during
+  attempts to reconnect to the message bus after losing our connection
+  to it (#1055521)
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.70-2
 - Mass rebuild 2014-01-24