%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from

distutils.sysconfig import get_python_lib; print(get_python_lib())")}

%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from

distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}

Name:             pki-core

Version:          10.0.5

Release:          2%{?dist}

Summary:          Certificate System - PKI Core Components

URL:              http://pki.fedoraproject.org/

License:          GPLv2

Group:            System Environment/Daemons

BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires:    cmake >= 2.8.9-1

BuildRequires:    zip

BuildRequires:    java-devel >= 1:1.6.0

BuildRequires:    redhat-rpm-config

BuildRequires:    ldapjdk

BuildRequires:    apache-commons-cli

BuildRequires:    apache-commons-codec

BuildRequires:    apache-commons-io

BuildRequires:    nspr-devel

BuildRequires:    nss-devel

BuildRequires:    openldap-devel

BuildRequires:    pkgconfig

BuildRequires:    policycoreutils

BuildRequires:    velocity

BuildRequires:    xalan-j2

BuildRequires:    xerces-j2

%if  0%{?rhel}

BuildRequires:    resteasy-base-atom-provider

BuildRequires:    resteasy-base-jaxb-provider

BuildRequires:    resteasy-base-jaxrs

BuildRequires:    resteasy-base-jaxrs-api

BuildRequires:    resteasy-base-jettison-provider

%else

BuildRequires:    resteasy >= 2.3.2-1

%endif

BuildRequires:    junit

BuildRequires:    jpackage-utils >= 0:1.7.5-10

%if 0%{?rhel} || 0%{?fedora} >= 19

BuildRequires:    jss >= 4.2.6-28

%else

BuildRequires:    jss >= 4.2.6-24

%endif

BuildRequires:    systemd-units

%if 0%{?rhel} || 0%{?fedora} >= 19

BuildRequires:    tomcatjss >= 7.1.0

%endif

%if 0%{?fedora} == 18

BuildRequires:    tomcatjss >= 7.0.0-4

%endif

%if ! 0%{?rhel} && 0%{?fedora} <= 17

BuildRequires:    tomcatjss >= 6.0.2

BuildRequires:    selinux-policy-devel >= 3.10.0-151

%endif

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz

Patch0: 0000-Storing-authentication-info-in-session.patch

Patch1: 0001-Fixed-error-handling-in-DoUnrevoke-servlet.patch

Patch2: 0002-Fixed-errors-during-Tomcat-shutdown.patch

Patch3: 0003-Fixed-logic-for-setting-admin-cert-signing-algorithm.patch

Patch4: 0004-Backup-upgrade-tracker.patch

Patch5: 0005-Added-CLI-command-aliases.patch

Patch6: 0006-Added-new-link-for-resteasy-dependency.patch

%if 0%{?rhel}

ExcludeArch:      ppc ppc64 s390 s390x

%endif

%global saveFileContext() \

if [ -s /etc/selinux/config ]; then \

     . %{_sysconfdir}/selinux/config; \

     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

     if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \

          cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \

     fi \

fi;

%global relabel() \

. %{_sysconfdir}/selinux/config; \

FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

selinuxenabled; \

if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \

     fixfiles -C ${FILE_CONTEXT}.%{name} restore; \

     rm -f ${FILE_CONTEXT}.%name; \

fi;

%global overview                                                       \

==================================                                     \

||  ABOUT "CERTIFICATE SYSTEM"  ||                                     \

==================================                                     \

                                                                       \

Certificate System (CS) is an enterprise software system designed      \

to manage enterprise Public Key Infrastructure (PKI) deployments.      \

                                                                       \

PKI Core contains ALL top-level java-based Tomcat PKI components:      \

                                                                       \

  * pki-symkey                                                         \

  * pki-base                                                           \

  * pki-tools                                                          \

  * pki-selinux (f17 only)                                             \

  * pki-server                                                         \

  * pki-ca                                                             \

  * pki-kra  (fedora only)                                             \

  * pki-ocsp (fedora only)                                             \

  * pki-tks  (fedora only)                                             \

  * pki-javadoc                                                        \

                                                                       \

which comprise the following corresponding PKI subsystems:             \

                                                                       \

  * Certificate Authority (CA)                                         \

  * Data Recovery Manager (DRM) (fedora only)                          \

  * Online Certificate Status Protocol (OCSP) Manager (fedora only)    \

  * Token Key Service (TKS) (fedora only)                              \

                                                                       \

For deployment purposes, PKI Core contains fundamental packages        \

required by BOTH native-based Apache AND java-based Tomcat             \

Certificate System instances consisting of the following components:   \

                                                                       \

  * pki-tools                                                          \

  * pki-selinux (f17 only)                                             \

                                                                       \

Additionally, PKI Core contains the following fundamental packages     \

required ONLY by ALL java-based Tomcat Certificate System instances:   \

                                                                       \

  * pki-symkey                                                         \

  * pki-base                                                           \

  * pki-tools                                                          \

  * pki-server                                                         \

                                                                       \

PKI Core also includes the following components:                       \

                                                                       \

  * pki-javadoc                                                        \

                                                                       \

Finally, if Certificate System is being deployed as an individual or   \

set of standalone rather than embedded server(s)/service(s), it is     \

strongly recommended (though not explicitly required) to include at    \

least one PKI Theme package:                                           \

                                                                       \

  * dogtag-pki-theme (Dogtag Certificate System deployments)           \

    * dogtag-pki-server-theme                                          \

  * redhat-pki-server-theme (Red Hat Certificate System deployments)   \

    * redhat-pki-server-theme                                          \

  * customized pki theme (Customized Certificate System deployments)   \

    * <customized>-pki-server-theme                                    \

                                                                       \

  NOTE:  As a convenience for standalone deployments, top-level meta   \

         packages may be provided which bind a particular theme to     \

         these certificate server packages.                            \

                                                                       \

%{nil}

%description %{overview}

%package -n       pki-symkey

Summary:          Symmetric Key JNI Package

Group:            System Environment/Libraries

Requires:         java >= 1:1.6.0

Requires:         nss

Requires:         jpackage-utils >= 0:1.7.5-10

%if 0%{?rhel} || 0%{?fedora} >= 19

Requires:         jss >= 4.2.6-28

%else

Requires:         jss >= 4.2.6-24

%endif

Provides:         symkey = %{version}-%{release}

Obsoletes:        symkey < %{version}-%{release}

%description -n   pki-symkey

The Symmetric Key Java Native Interface (JNI) package supplies various native

symmetric key operations to Java programs.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-base

Summary:          Certificate System - PKI Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-common = %{version}-%{release}

Provides:         pki-util = %{version}-%{release}

Obsoletes:        pki-common < %{version}-%{release}

Obsoletes:        pki-util < %{version}-%{release}

Conflicts:        freeipa-server < 3.0.0

Requires:         apache-commons-cli

Requires:         apache-commons-codec

Requires:         apache-commons-io

Requires:         apache-commons-lang

Requires:         apache-commons-logging

Requires:         java >= 1:1.6.0

Requires:         javassist

Requires:         jettison

Requires:         jpackage-utils >= 0:1.7.5-10

%if 0%{?rhel} || 0%{?fedora} >= 19

Requires:         jss >= 4.2.6-28

%else

Requires:         jss >= 4.2.6-24

%endif

Requires:         ldapjdk

Requires:         python-ldap

Requires:         python-lxml

Requires:         python-requests >= 1.1.0-3

%if  0%{?rhel}

Requires:    resteasy-base-atom-provider

Requires:    resteasy-base-jaxb-provider

Requires:    resteasy-base-jaxrs

Requires:    resteasy-base-jaxrs-api

Requires:    resteasy-base-jettison-provider

%else

Requires:         resteasy >= 2.3.2-1

%endif

Requires:         xalan-j2

Requires:         xerces-j2

Requires:         xml-commons-apis

Requires:         xml-commons-resolver

%description -n   pki-base

The PKI Framework contains the common and client libraries and utilities.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-tools

Summary:          Certificate System - PKI Tools

Group:            System Environment/Base

Provides:         pki-native-tools = %{version}-%{release}

Provides:         pki-java-tools = %{version}-%{release}

Obsoletes:        pki-native-tools < %{version}-%{release}

Obsoletes:        pki-java-tools < %{version}-%{release}

Requires:         openldap-clients

Requires:         nss

Requires:         nss-tools

Requires:         java >= 1:1.6.0

Requires:         pki-base = %{version}-%{release}

Requires:         jpackage-utils >= 0:1.7.5-10

%description -n   pki-tools

This package contains PKI executables that can be used to help make

Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%package -n       pki-server

Summary:          Certificate System - PKI Server Framework

Group:            System Environment/Base

BuildArch:        noarch

Provides:         pki-deploy = %{version}-%{release}

Provides:         pki-setup = %{version}-%{release}

Provides:         pki-silent = %{version}-%{release}

Obsoletes:        pki-deploy < %{version}-%{release}

Obsoletes:        pki-setup < %{version}-%{release}

Obsoletes:        pki-silent < %{version}-%{release}

Requires:         java >= 1:1.6.0

Requires:         java-atk-wrapper

Requires:         net-tools

Requires:         perl(File::Slurp)

Requires:         perl(XML::LibXML)

Requires:         perl-Crypt-SSLeay

Requires:         policycoreutils

Requires:         openldap-clients

Requires:         pki-base = %{version}-%{release}

Requires:         pki-symkey = %{version}-%{release}

Requires:         pki-tools = %{version}-%{release}

%if ! 0%{?rhel} && 0%{?fedora} <= 17

Requires:         pki-selinux = %{version}-%{release}

%else

Requires:         selinux-policy-base >= 3.11.1-43

Obsoletes:        pki-selinux

Requires:         tomcat >= 7.0.27

%endif

Requires:         velocity

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

Requires:         tomcat >= 7.0.27

%if 0%{?rhel} || 0%{?fedora} >= 19

Requires:         tomcatjss >= 7.1.0

%endif

%if 0%{?fedora} == 18

Requires:         tomcatjss >= 7.0.0-4

%endif

%if ! 0%{?rhel} && 0%{?fedora} <= 17

Requires:         tomcatjss >= 6.0.2

%endif

%description -n   pki-server

The PKI Server Framework is required by the following four PKI subsystems:

    the Certificate Authority (CA),

    the Data Recovery Manager (DRM),

    the Online Certificate Status Protocol (OCSP) Manager, and

    the Token Key Service (TKS).

This package is a part of the PKI Core used by the Certificate System.

The package contains scripts to create and remove PKI subsystems.

%{overview}

%if ! 0%{?rhel} && 0%{?fedora} <= 17

%package -n       pki-selinux

Summary:          Certificate System - PKI Selinux Policies

Group:            System Environment/Base

BuildArch:        noarch

Requires:         policycoreutils

Requires:         selinux-policy-targeted

Conflicts:        selinux-policy-base >= 3.11.1-43

Requires:         selinux-policy >= 3.10.0-151

%description -n   pki-selinux

Selinux policies for the PKI components.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%endif

%package -n       pki-ca

Summary:          Certificate System - Certificate Authority

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java >= 1:1.6.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ca

The Certificate Authority (CA) is a required PKI subsystem which issues,

renews, revokes, and publishes certificates as well as compiling and

publishing Certificate Revocation Lists (CRLs).

The Certificate Authority can be configured as a self-signing Certificate

Authority, where it is the root CA, or it can act as a subordinate CA,

where it obtains its own signing certificate from a public CA.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%if ! 0%{?rhel}

%package -n       pki-kra

Summary:          Certificate System - Data Recovery Manager

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java >= 1:1.6.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-kra

The Data Recovery Manager (DRM) is an optional PKI subsystem that can act

as a Key Recovery Authority (KRA).  When configured in conjunction with the

Certificate Authority (CA), the DRM stores private encryption keys as part of

the certificate enrollment process.  The key archival mechanism is triggered

when a user enrolls in the PKI and creates the certificate request.  Using the

Certificate Request Message Format (CRMF) request format, a request is

generated for the user's private encryption key.  This key is then stored in

the DRM which is configured to store keys in an encrypted format that can only

be decrypted by several agents requesting the key at one time, providing for

protection of the public encryption keys for the users in the PKI deployment.

Note that the DRM archives encryption keys; it does NOT archive signing keys,

since such archival would undermine non-repudiation properties of signing keys.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%endif

%if ! 0%{?rhel}

%package -n       pki-ocsp

Summary:          Certificate System - Online Certificate Status Protocol Manager

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java >= 1:1.6.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-ocsp

The Online Certificate Status Protocol (OCSP) Manager is an optional PKI

subsystem that can act as a stand-alone OCSP service.  The OCSP Manager

performs the task of an online certificate validation authority by enabling

OCSP-compliant clients to do real-time verification of certificates.  Note

that an online certificate-validation authority is often referred to as an

OCSP Responder.

Although the Certificate Authority (CA) is already configured with an

internal OCSP service.  An external OCSP Responder is offered as a separate

subsystem in case the user wants the OCSP service provided outside of a

firewall while the CA resides inside of a firewall, or to take the load of

requests off of the CA.

The OCSP Manager can receive Certificate Revocation Lists (CRLs) from

multiple CA servers, and clients can query the OCSP Manager for the

revocation status of certificates issued by all of these CA servers.

When an instance of OCSP Manager is set up with an instance of CA, and

publishing is set up to this OCSP Manager, CRLs are published to it

whenever they are issued or updated.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%endif

%if ! 0%{?rhel}

%package -n       pki-tks

Summary:          Certificate System - Token Key Service

Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java >= 1:1.6.0

Requires:         pki-server = %{version}-%{release}

Requires(post):   systemd-units

Requires(preun):  systemd-units

Requires(postun): systemd-units

%description -n   pki-tks

The Token Key Service (TKS) is an optional PKI subsystem that manages the

master key(s) and the transport key(s) required to generate and distribute

keys for hardware tokens.  TKS provides the security between tokens and an

instance of Token Processing System (TPS), where the security relies upon the

relationship between the master key and the token keys.  A TPS communicates

with a TKS over SSL using client authentication.

TKS helps establish a secure channel (signed and encrypted) between the token

and the TPS, provides proof of presence of the security token during

enrollment, and supports key changeover when the master key changes on the

TKS.  Tokens with older keys will get new token keys.

Because of the sensitivity of the data that TKS manages, TKS should be set up

behind the firewall with restricted access.

This package is one of the top-level java-based Tomcat PKI subsystems

provided by the PKI Core used by the Certificate System.

%{overview}

%endif

%package -n       pki-javadoc

Summary:          Certificate System - PKI Framework Javadocs

Group:            Documentation

BuildArch:        noarch

Provides:         pki-util-javadoc = %{version}-%{release}

Provides:         pki-java-tools-javadoc = %{version}-%{release}

Provides:         pki-common-javadoc = %{version}-%{release}

Obsoletes:        pki-util-javadoc < %{version}-%{release}

Obsoletes:        pki-java-tools-javadoc < %{version}-%{release}

Obsoletes:        pki-common-javadoc < %{version}-%{release}

%description -n   pki-javadoc

This documentation pertains exclusively to version %{version} of

the PKI Framework and Tools.

This package is a part of the PKI Core used by the Certificate System.

%{overview}

%prep

%setup -q -n %{name}-%{version}%{?prerel}

%patch0 -p1

%patch1 -p1

%patch2 -p1

%patch3 -p1

%patch4 -p1

%patch5 -p1

%patch6 -p1

%clean

%{__rm} -rf %{buildroot}

%build

%{__mkdir_p} build

cd build

%cmake -DVERSION=%{version}-%{release} \

	-DVAR_INSTALL_DIR:PATH=/var \

	-DBUILD_PKI_CORE:BOOL=ON \

	-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \

	-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \

%if 0%{?rhel}

	-DRESTEASY_LIB=/usr/share/java/resteasy-base \

%else

	-DRESTEASY_LIB=/usr/share/java/resteasy \

%endif

	%{?_without_javadoc:-DWITH_JAVADOC:BOOL=OFF} \

%if ! 0%{?rhel} && 0%{?fedora} <= 17

        -DBUILD_PKI_SELINUX:BOOL=ON \

%endif

%if 0%{?rhel}

        -DBUILD_PKI_KRA:BOOL=OFF \

        -DBUILD_PKI_OCSP:BOOL=OFF \

        -DBUILD_PKI_TKS:BOOL=OFF \

%endif

	..

%{__make} VERBOSE=1 %{?_smp_mflags} all

# %{__make} VERBOSE=1 %{?_smp_mflags} test

%install

%{__rm} -rf %{buildroot}

cd build

%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"

# Fedora 18 and 17:  Substitute 'tomcat7jss.jar' for 'tomcatjss.jar'

%if ! 0%{?rhel} && 0%{?fedora} <= 18

	sed -i -e 's/grant codeBase "file:\/usr\/share\/java\/tomcatjss.jar" {/grant codeBase "file:\/usr\/share\/java\/tomcat7jss.jar" {/' %{buildroot}%{_datadir}/pki/server/conf/pki.policy

	sed -i -e 's/pki_tomcatjss_jar=\/usr\/share\/java\/tomcatjss.jar/pki_tomcatjss_jar=\/usr\/share\/java\/tomcat7jss.jar/' %{buildroot}%{_sysconfdir}/pki/default.cfg

	sed -i -e 's/        \[tomcatjss.jar\]=\${java_dir}\/tomcatjss.jar/        \[tomcatjss.jar\]=\${java_dir}\/tomcat7jss.jar/' %{buildroot}%{_datadir}/pki/scripts/operations

%endif

# Details:

#

#     * https://fedoraproject.org/wiki/Features/var-run-tmpfs

#     * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft

#

%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d

# generate 'pki-ca.conf' under the 'tmpfiles.d' directory

echo "D /run/lock/pki 0755 root root -"    >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf

echo "D /run/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf

echo "D /run/pki 0755 root root -"     >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf

echo "D /run/pki/ca 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf

%if ! 0%{?rhel}

# generate 'pki-kra.conf' under the 'tmpfiles.d' directory

echo "D /run/lock/pki 0755 root root -"     >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf

echo "D /run/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf

echo "D /run/pki 0755 root root -"      >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf

echo "D /run/pki/kra 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf

%endif

%if ! 0%{?rhel}

# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory

echo "D /run/lock/pki 0755 root root -"      >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf

echo "D /run/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf

echo "D /run/pki 0755 root root -"       >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf

echo "D /run/pki/ocsp 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf

%endif

# generate 'pki-tomcat.conf' under the 'tmpfiles.d' directory

echo "D /run/lock/pki 0755 root root -"    >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf

echo "D /run/lock/pki/tomcat 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf

echo "D /run/pki 0755 root root -"     >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf

echo "D /run/pki/tomcat 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tomcat.conf

%if ! 0%{?rhel}

# generate 'pki-tks.conf' under the 'tmpfiles.d' directory

echo "D /run/lock/pki 0755 root root -"     >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf

echo "D /run/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf

echo "D /run/pki 0755 root root -"      >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf

echo "D /run/pki/tks 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf

%endif

%{__rm} %{buildroot}%{_initrddir}/pki-cad

%if ! 0%{?rhel}

%{__rm} %{buildroot}%{_initrddir}/pki-krad

%endif

%if ! 0%{?rhel}

%{__rm} %{buildroot}%{_initrddir}/pki-ocspd

%endif

%if ! 0%{?rhel}

%{__rm} %{buildroot}%{_initrddir}/pki-tksd

%endif

%{__rm} -rf %{buildroot}%{_datadir}/pki/server/lib

# tomcat6 has changed how TOMCAT_LOG is used.

# Need to adjust accordingly

# This macro will be executed in the postinstall scripts

%define fix_tomcat_log() (                                                   \

if [ -d /etc/sysconfig/pki/%i ]; then                                        \

  for F in `find /etc/sysconfig/pki/%1 -type f`; do                          \

    instance=`basename $F`                                                   \

    if [ -f /etc/sysconfig/$instance ]; then                                 \

        sed -i -e 's/catalina.out/tomcat-initd.log/' /etc/sysconfig/$instance \

    fi                                                                       \

  done                                                                       \

fi                                                                           \

)

%{__mkdir_p} %{buildroot}%{_localstatedir}/log/pki

%{__mkdir_p} %{buildroot}%{_sharedstatedir}/pki

%if ! 0%{?rhel} && 0%{?fedora} >= 19

%pretrans -n pki-base -p <lua>

function test(a)

    if posix.stat(a) then

        for f in posix.files(a) do

            if f~=".." and f~="." then

                return true

            end

        end

    end

    return false

end

if (test("/etc/sysconfig/pki/ca") or

    test("/etc/sysconfig/pki/kra") or

    test("/etc/sysconfig/pki/ocsp") or

    test("/etc/sysconfig/pki/tks")) then

   msg = "Unable to upgrade to Fedora 19.  There are Dogtag 9 instances\n" ..

         "that will no longer work since they require Tomcat 6, and \n" ..

         "Tomcat 6 is no longer available in Fedora 19.\n\n" ..

         "Please follow these instructions to migrate the instances to \n" ..

         "Dogtag 10:\n\n" ..

         "http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10"

   error(msg)

end

%endif

%post -n pki-base

%if ! 0%{?rhel} && 0%{?fedora} <= 18

if [ "`uname -i`" == "x86_64" ]

then

	sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib64\/java/' %{_datadir}/pki/etc/pki.conf

else

	sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf

fi

%else

	sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' %{_datadir}/pki/etc/pki.conf

%endif

if [ $1 -eq 1 ]

then

    # On RPM installation create system upgrade tracker

    echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version

else

    # On RPM upgrade run system upgrade

    echo "Upgrading system at `/bin/date`." >> /var/log/pki/pki-upgrade-%{version}.log 2>&1

    /sbin/pki-upgrade --silent >> /var/log/pki/pki-upgrade-%{version}.log 2>&1

    echo >> /var/log/pki/pki-upgrade-%{version}.log 2>&1

fi

%postun -n pki-base

if [ $1 -eq 0 ]

then

    # On RPM uninstallation remove system upgrade tracker

    rm -f %{_sysconfdir}/pki/pki.version

fi

%if ! 0%{?rhel} && 0%{?fedora} <= 17

%pre -n pki-selinux

%saveFileContext targeted

%post -n pki-selinux

semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp

%relabel targeted

%preun -n pki-selinux

if [ $1 = 0 ]; then

     %saveFileContext targeted

fi

%postun -n pki-selinux

if [ $1 = 0 ]; then

     semodule -s targeted -r pki

     %relabel targeted

fi

%endif

%post -n pki-ca

# Attempt to update ALL old "CA" instances to "systemd"

if [ -d /etc/sysconfig/pki/ca ]; then

    for inst in `ls /etc/sysconfig/pki/ca`; do

        if [ ! -e "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" ]; then

            ln -s "/lib/systemd/system/pki-cad@.service" \

                  "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service"

            [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}

            ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}