[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][master] 15 commits: Respect LDFLAGS settings defined by user

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Mar 1 17:28:08 GMT 2023



Timo Aaltonen pushed to branch master at FreeIPA packaging / certmonger


Commits:
a303c31d by Azamat H. Hackimov at 2022-10-17T10:18:25+03:00
Respect LDFLAGS settings defined by user

Don't wipe LDFLAGS defined by user by setting LDFLAGS env variable.
If variable is empty, it will be correctly updated by += assignment.

- - - - -
7f23913b by Joachim Philipp at 2022-11-23T18:20:01+01:00
Translated using Weblate (German)

Currently translated at 52.8% (250 of 473 strings)

Co-authored-by: Joachim Philipp <joachim.philipp at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/de/
Translation: certmonger/master

- - - - -
14d65afb by Temuri Doghonadze at 2022-11-23T18:20:01+01:00
Translated using Weblate (Georgian)

Currently translated at 24.5% (116 of 473 strings)

Translated using Weblate (Georgian)

Currently translated at 24.1% (114 of 473 strings)

Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ka/
Translation: certmonger/master

- - - - -
ad946028 by Sergey Kazorin at 2022-11-23T18:20:01+01:00
Translated using Weblate (Russian)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: Sergey Kazorin <kazorin at basealt.ru>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ru/
Translation: certmonger/master

- - - - -
3301bf42 by Rob Crittenden at 2022-11-30T13:06:16-05:00
Revert "Translated using Weblate (Russian)"

There is a problem in one of the formatted translations:

ru.po:1804: number of format specifications in 'msgid' and 'msgstr'
does not match
/usr/bin/msgfmt: found 1 fatal error

This reverts commit ad946028773246af44e4660d5bd2504602eefab4.

- - - - -
7c754902 by Rob Crittenden at 2022-11-30T13:22:07-05:00
Switch to CA user when saving NSS certificates

A new parameter was added, nss-user, which indicates
the user to become via setuid/setgid when saving
certificates in NSS. This is necessary when using
SoftHSM as a PKCS#11 device to keep the filesystem
permissions correct.

Also tweak cleaning up duplicate certificates. certmonger
makes an effort to remove any duplicates, those with
duplicated nicknames with different certs, etc.

It didn't handle those with tokens though in NSS. A
certificate in a token will have a mirrored entry in the
database to store trust information. This was being
seen as a "duplicate" and certmonger was removing it, thus
removing the trust.

Fixes: https://pagure.io/certmonger/issue/243

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
476dc28e by Rob Crittenden at 2022-11-30T13:55:29-05:00
Tag 0.79.17

- - - - -
02b452f7 by Timo Aaltonen at 2023-02-25T12:15:55+02:00
Create a private nssdb.

- - - - -
21a0fc68 by Timo Aaltonen at 2023-02-25T12:17:34+02:00
cross.patch: Fix cross-building. Thanks, Helmut Grohne! (Closes: #912691)

- - - - -
b44f6119 by Timo Aaltonen at 2023-02-25T12:18:15+02:00
Merge branch 'upstream'

- - - - -
1b4f6df9 by Timo Aaltonen at 2023-02-25T12:25:46+02:00
version bump

- - - - -
8b6070e2 by Timo Aaltonen at 2023-02-25T12:25:54+02:00
releasing package certmonger version 0.79.17-1

- - - - -
054ec776 by Timo Aaltonen at 2023-02-27T14:38:29+02:00
control: Respect nocheck, thanks Chris Lamb! (Closes: #1032058)

- - - - -
f2f45c55 by Timo Aaltonen at 2023-02-27T15:17:32+02:00
actually add cross.patch

- - - - -
89ac3f4d by Timo Aaltonen at 2023-02-27T15:53:47+02:00
rules: fix nocheck logic

- - - - -


20 changed files:

- certmonger.spec
- configure.ac
- debian/certmonger.install
- debian/certmonger.postrm
- debian/changelog
- + debian/patches/cross.patch
- + debian/patches/fix-nssdb-path.diff
- debian/patches/series
- debian/rules
- po/de.po
- po/ka.po
- src/Makefile.am
- src/certsave-n.c
- src/getcert.c
- src/store-files.c
- src/store-int.h
- src/tdbus.h
- src/tdbush.c
- tests/028-dbus/expected.out
- tests/028-dbus/expected.out.nodsa


Changes:

=====================================
certmonger.spec
=====================================
@@ -27,7 +27,7 @@
 %bcond_with xmlrpc
 
 Name:		certmonger
-Version:	0.79.16
+Version:	0.79.17
 Release:	1%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
@@ -265,6 +265,13 @@ exit 0
 %endif
 
 %changelog
+* Wed Nov 30 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.17-1
+- update to 0.79.17
+  - Respect LDFLAGS settings defined by user
+  - Switch to CA user when saving NSS certificates
+  - Translated using Weblate (German)
+  - Translated using Weblate (Georgian)
+
 * Thu Aug 25 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.16-1
 - update to 0.79.16
   - Add a PEM validity checker and validate SCEP CA files


=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.79.16)
+AC_INIT(certmonger,0.79.17)
 AM_INIT_AUTOMAKE([foreign subdir-objects])
 AC_CONFIG_MACRO_DIR(m4)
 AM_MAINTAINER_MODE([disable])


=====================================
debian/certmonger.install
=====================================
@@ -1,4 +1,5 @@
 etc/certmonger/certmonger.conf
+etc/certmonger/nssdb
 etc/dbus-1/system.d/*
 lib/systemd/system/
 usr/bin/*
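Review bot: shipping `etc/certmonger/nssdb` as package content turns the database files into conffiles (debhelper flags everything installed below /etc as a conffile by default), yet certmonger rewrites those very files at runtime whenever it stores a key or certificate, so any later upgrade of the package will see a locally modified conffile and may prompt the administrator or, worse, offer to replace a live key database with the empty shipped copy. Creating the database in postinst, or letting certmonger create it on first use, avoids both problems; if the files stay in the package, at least exclude them from conffile handling.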


=====================================
debian/certmonger.postrm
=====================================
@@ -2,11 +2,12 @@
 set -e
 
 case "$1" in
-    remove|purge)
+    purge)
         rm -f /var/lib/certmonger/cas/*
         rm -f /var/lib/certmonger/local/*
         rm -f /var/lib/certmonger/lock
         rm -f /var/lib/certmonger/requests/*
+        rm -rf /etc/certmonger/nssdb
     ;;
 esac
 


=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+certmonger (0.79.17-2) UNRELEASED; urgency=medium
+
+  * control: Respect nocheck, thanks Chris Lamb! (Closes: #1032058)
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Mon, 27 Feb 2023 14:38:18 +0200
+
+certmonger (0.79.17-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Create a private nssdb.
+  * cross.patch: Fix cross-building. Thanks, Helmut Grohne! (Closes:
+    #912691)
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Sat, 25 Feb 2023 12:25:47 +0200
+
 certmonger (0.79.16-1) unstable; urgency=medium
 
   * New upstream release. (LP: #1987276)
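Review bot: the 0.79.17-2 UNRELEASED entry only records the debian/control change, but this push also modifies debian/rules (the `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` guard, per the "rules: fix nocheck logic" commit) and commits cross.patch, which the commit timestamps show was only added to git after the -1 release ("actually add cross.patch"); list both in the same entry so the changelog matches what actually changed since 0.79.17-1.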


=====================================
debian/patches/cross.patch
=====================================
@@ -0,0 +1,71 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -152,6 +152,7 @@ AC_DEFINE_UNQUOTED(CM_DBUS_BASE_PATH,"$C
+ AC_DEFINE_UNQUOTED(CM_DBUS_RECONNECT_TIMEOUT,30,
+ 		   [Define to the amount of time to wait between attempts to reconnect to the message bus if we get disconnected.])
+ 
++PKG_PROG_PKG_CONFIG
+ if ! ${configure_dist_target_only:-false} ; then
+ 	AC_CHECK_HEADERS(sys/types.h sys/socket.h linux/types.h linux/netlink.h linux/rtnetlink.h,,,[
+ 		#ifdef HAVE_SYS_TYPES_H
+@@ -175,13 +176,13 @@ if ! ${configure_dist_target_only:-false
+ 	AC_ARG_WITH(session-bus-services-dir,
+ 	AS_HELP_STRING([--with-session-bus-services-dir=],[directory to install session bus configuration]),
+ 	SESSIONBUSSERVICESDIR=$withval,
+-	SESSIONBUSSERVICESDIR=`pkg-config --variable=session_bus_services_dir dbus-1 2> /dev/null | sed -e "s|^${datadir}|\${datadir}|g" -e "s|^${datarootdir}|\${datarootdir}|g" -e "s|^${prefix}/share|\${datadir}|g"`)
++	SESSIONBUSSERVICESDIR=`$PKG_CONFIG --variable=session_bus_services_dir dbus-1 2> /dev/null | sed -e "s|^${datadir}|\${datadir}|g" -e "s|^${datarootdir}|\${datarootdir}|g" -e "s|^${prefix}/share|\${datadir}|g"`)
+ 	AC_SUBST(SESSIONBUSSERVICESDIR)
+ 	AM_CONDITIONAL(SESSIONBUS,test x$SESSIONBUSSERVICESDIR != xno)
+ 	AC_ARG_WITH(system-bus-services-dir,
+ 	AS_HELP_STRING([--with-system-bus-services-dir=],[directory to install system bus configuration]),
+ 	SESSIONBUSSERVICESDIR=$withval,
+-	SYSTEMBUSSERVICESDIR=`pkg-config --variable=system_bus_services_dir dbus-1 2> /dev/null | sed -e "s|^${datadir}|\${datadir}|g" -e "s|^${datarootdir}|\${datarootdir}|g" -e "s|^${prefix}/share|\${datadir}|g"`)
++	SYSTEMBUSSERVICESDIR=`$PKG_CONFIG --variable=system_bus_services_dir dbus-1 2> /dev/null | sed -e "s|^${datadir}|\${datadir}|g" -e "s|^${datarootdir}|\${datarootdir}|g" -e "s|^${prefix}/share|\${datadir}|g"`)
+ 	AC_SUBST(SYSTEMBUSSERVICESDIR)
+ 	AM_CONDITIONAL(SYSTEMBUS,test x$SYSTEMBUSSERVICESDIR != xno)
+ 
+@@ -344,7 +345,7 @@ if ! ${configure_dist_target_only:-false
+ 
+ 	AM_CONDITIONAL(HAVE_OPENSSL,test x$withopenssl != xno)
+ 	if test x$withopenssl != xno ; then
+-		if pkg-config libcrypto 2> /dev/null ; then
++		if $PKG_CONFIG libcrypto 2> /dev/null ; then
+ 			PKG_CHECK_MODULES(OPENSSL,libcrypto)
+ 			PKG_CHECK_MODULES(OPENSSL_SSL,libssl libcrypto)
+ 		else
+@@ -417,7 +418,7 @@ if ! ${configure_dist_target_only:-false
+ 
+ 	AM_CONDITIONAL(HAVE_NSS,test x$withnss != xno)
+ 	if test x$withnss != xno ; then
+-		if pkg-config mozilla-nss 2> /dev/null ; then
++		if $PKG_CONFIG mozilla-nss 2> /dev/null ; then
+ 			PKG_CHECK_MODULES(NSS,mozilla-nss)
+ 		else
+ 			PKG_CHECK_MODULES(NSS,nss)
+@@ -548,7 +549,7 @@ if ! ${configure_dist_target_only:-false
+ 	AM_CONDITIONAL(SYSTEMD,test x$SYSTEMD != xno)
+ 	AC_SUBST(SYSTEMDSYSTEMUNITDIR)
+ 	if test x$SYSTEMD = xyes ; then
+-		SYSTEMDSYSTEMUNITDIR=`pkg-config --variable=systemdsystemunitdir systemd 2> /dev/null`
++		SYSTEMDSYSTEMUNITDIR=`$PKG_CONFIG --variable=systemdsystemunitdir systemd 2> /dev/null`
+ 		AC_MSG_RESULT(will install systemd unit files to $SYSTEMDSYSTEMUNITDIR)
+ 	fi
+ 
+@@ -616,7 +617,7 @@ if ! ${configure_dist_target_only:-false
+ 		CFLAGS="$CFLAGSsave"
+ 		LIBS="$LIBSsave"
+ 		can_dsa=true
+-		if ! pkg-config --atleast-version=1.0 openssl ; then
++		if ! $PKG_CONFIG --atleast-version=1.0 openssl ; then
+ 			# CSR signing appears to be broken in 0.9.8e, so reject < 1.0
+ 			can_dsa=false
+ 		fi
+@@ -820,7 +821,7 @@ if ! ${configure_dist_target_only:-false
+ 		PKG_CHECK_MODULES(UUID,uuid)
+ 	else
+ 		if test x$with_uuid != xno ; then
+-			if pkg-config uuid ; then
++			if $PKG_CONFIG uuid ; then
+ 				PKG_CHECK_MODULES(UUID,uuid)
+ 				uuid=yes
+ 			fi
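Review bot: the `PKG_PROG_PKG_CONFIG` call at the top of the hunk is required rather than cosmetic: the first uses of `$PKG_CONFIG` are raw backtick substitutions for SESSIONBUSSERVICESDIR and SYSTEMBUSSERVICESDIR, not PKG_CHECK_MODULES macros that would set the variable themselves, so without it the variable would be empty at that point and the sed pipeline would silently yield an empty directory. Two things worth carrying along: the context line `SESSIONBUSSERVICESDIR=$withval` under --with-system-bus-services-dir looks like a pre-existing copy-paste error (it presumably should assign SYSTEMBUSSERVICESDIR, otherwise the option has no effect), and since this is a generic cross-build fix it belongs upstream rather than staying a Debian-only patch.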


=====================================
debian/patches/fix-nssdb-path.diff
=====================================
@@ -0,0 +1,16 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -705,11 +705,11 @@ if ! ${configure_dist_target_only:-false
+ 	AC_SUBST(NO_MAN_EC)
+ 
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_TYPE,cm_key_storage_nssdb,[Define to the default type of storage used for keys.])
+-	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for keys.])
++	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for keys.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_TOKEN,NULL,[Define to the default token used for holding keys.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_KEY_NICKNAME,"Server-Cert",[Define to the default nickname given to keys.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_TYPE,cm_cert_storage_nssdb,[Define to the default type of storage used for certificates.])
+-	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/pki/nssdb",[Define to the default location of storage used for certificates.])
++	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_STORAGE_LOCATION,"/etc/certmonger/nssdb",[Define to the default location of storage used for certificates.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_TOKEN,NULL,[Define to the default token used to store certificates.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_CERT_NICKNAME,"Server-Cert",[Define to the default nickname given to certificates.])
+ 	AC_DEFINE_UNQUOTED(CM_DEFAULT_PUBKEY_TYPE,cm_key_rsa,[Define to the default public key type.])
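Review bot: both defaults are compile-time constants, so after this change a `getcert request` without an explicit -d/-k writes keys and certificates into /etc/certmonger/nssdb; the man pages and any help text that still name /etc/pki/nssdb need the same edit in this patch, and the Debian-specific default should be recorded (debian/NEWS or README.Debian) so operators comparing against upstream documentation are not misled about where their private keys live.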


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,5 @@
+cross.patch
 fix-keythi-h-path.diff
 fix-service-environment.diff
 use-dbus-run-session.diff
+fix-nssdb-path.diff


=====================================
debian/rules
=====================================
@@ -24,8 +24,13 @@ override_dh_auto_configure:
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp
 
+	mkdir -p debian/tmp/etc/certmonger/nssdb
+	certutil -N -d debian/tmp/etc/certmonger/nssdb --empty-password
+
 override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 	dh_auto_test || true
+endif
 
 override_dh_clean:
 	dh_clean
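Review bot: the database created by `certutil -N -d ... --empty-password` at build time is shipped as ordinary package files, and dh_fixperms normalises shipped files to root-owned `go=rX` (0644), so key4.db, the file certmonger later fills with private keys under the new default storage location, ends up world-readable on every installation. Create the directory with restrictive permissions in postinst, or tighten the mode in an override_dh_fixperms target, and make sure libnss3-tools is in Build-Depends now that certutil runs during the build. Separately, `dh_auto_test || true` still swallows every test failure, so the new nocheck guard only saves build time rather than turning the test suite into a real check.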


=====================================
po/de.po
=====================================
@@ -8,21 +8,22 @@
 # Mario Blättermann <mario.blaettermann at gmail.com>, 2011
 # Nalin Dahyabhai <nalin at fedoraproject.org>, 2011
 # Roman Spirgi <bigant at fedoraproject.org>, 2012-2013
+# Joachim Philipp <joachim.philipp at gmail.com>, 2022.
 msgid ""
 msgstr ""
 "Project-Id-Version: certmonger 0.78.6\n"
 "Report-Msgid-Bugs-To: certmonger-devel at lists.fedorahosted.org\n"
 "POT-Creation-Date: 2017-02-26 02:20-0500\n"
-"PO-Revision-Date: 2015-01-05 05:53-0500\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata at zanata.org>\n"
-"Language-Team: German (http://www.transifex.com/projects/p/certmonger/"
-"language/de/)\n"
+"PO-Revision-Date: 2022-04-21 10:17+0000\n"
+"Last-Translator: Joachim Philipp <joachim.philipp at gmail.com>\n"
+"Language-Team: German <https://translate.fedoraproject.org/projects/"
+"certmonger/master/de/>\n"
 "Language: de\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.6\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.11.2\n"
 
 #: src/casave.c:322 src/casave.c:361 src/dogtag.c:233 src/dogtag.c:238
 #: src/dogtag.c:256 src/dogtag.c:261 src/getcert.c:291
@@ -37,14 +38,16 @@ msgstr ""
 "Rechnername der Zertifizierungsstelle (CA) konnte nicht ermittelt werden.\n"
 
 #: src/certmaster.c:153 src/dogtag.c:521 src/ipa.c:796
-#, fuzzy, c-format
+#, c-format
 msgid "Unable to read signing request from file \"%s\".\n"
-msgstr "Signaturanfrage konnte nicht gelesen werden.\n"
+msgstr "Signaturanfrage von Datei \"%s\" konnte nicht gelesen werden.\n"
 
 #: src/certmaster.c:156 src/dogtag.c:524 src/ipa.c:799
-#, fuzzy, c-format
+#, c-format
 msgid "Unable to read signing request from environment variable \"%s\".\n"
-msgstr "Signaturanfrage konnte nicht gelesen werden.\n"
+msgstr ""
+"Signaturanfrage der Environment Variablen \"%s\" konnte nicht gelesen werden."
+"\n"
 
 #: src/certmaster.c:184
 #, c-format
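Review bot: in the new msgstr for "Unable to read signing request from environment variable", "Environment Variablen" is an untranslated anglicism with a wrong case ending; the established German term is "Umgebungsvariable", e.g. `Signaturanfrage aus der Umgebungsvariablen "%s" konnte nicht gelesen werden.`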
@@ -69,22 +72,24 @@ msgstr "Server-Fehler.\n"
 #: src/dogtag.c:226
 #, c-format
 msgid "Profile params (-O) must be in the form of param=value.\n"
-msgstr ""
+msgstr "Profilparameter (-O) müssen die Form param=value haben.\n"
 
 #: src/dogtag.c:249
 #, c-format
 msgid "Submit params (-o) must be in the form of param=value.\n"
-msgstr ""
+msgstr "Übertragung der Parameter (-o) muss die Form param=value haben.\n"
 
 #: src/dogtag.c:408 src/dogtag.c:413 src/dogtag.c:442
-#, fuzzy, c-format
+#, c-format
 msgid "No agent credentials specified, and no default known.\n"
-msgstr "Keine Agent-URL (-T) angegeben, Standarwert nicht gesetzt.\n"
+msgstr ""
+"Keine Anmeldeinformationen des Agenten angegeben, kein Standardwert gesetzt."
+"\n"
 
 #: src/dogtag.c:418
 #, c-format
 msgid "Requested renewal, but no serial number provided.\n"
-msgstr ""
+msgstr "Aktualisierung wurde angefordert, aber keine Seriennummer angegeben.\n"
 
 #: src/dogtag.c:422
 #, c-format
@@ -104,7 +109,7 @@ msgstr "Kein Profil/ Vorlage (-T) angegeben, Standarwert nicht gesetzt.\n"
 #: src/dogtag.c:452
 #, c-format
 msgid "Error shutting down NSS.\n"
-msgstr ""
+msgstr "Fehler beim Beenden von NSS.\n"
 
 #: src/dogtag.c:487 src/dogtag.c:777
 #, c-format
@@ -115,6 +120,8 @@ msgstr "Interner Fehler: Unbekannter Status.\n"
 #, c-format
 msgid "No agent credentials (-n) given, but they are needed.\n"
 msgstr ""
+"Keine Anmeldeinformationen des Agenten (-n) vorhanden, sie werden aber "
+"benötigt.\n"
 
 #: src/dogtag.c:757 src/scep.c:619
 #, c-format
@@ -133,59 +140,59 @@ msgstr "Interner Fehler: Keine Antwort an \"%s?%s\".\n"
 
 #: src/getcert.c:61 src/main.c:84 src/main.c:86
 msgid "COMMAND"
-msgstr ""
+msgstr "BEFEHL"
 
 #: src/getcert.c:62
 msgid "DIRECTORY"
-msgstr ""
+msgstr "VERZEICHNIS"
 
 #: src/getcert.c:63 src/getcert.c:70
 msgid "LIST"
-msgstr ""
+msgstr "LISTE"
 
 #: src/getcert.c:64 src/getcert.c:68
 msgid "ADDRESS"
-msgstr ""
+msgstr "ADRESSE"
 
 #: src/getcert.c:65 src/main.c:87
 msgid "FILENAME"
-msgstr ""
+msgstr "DATEINAME"
 
 #: src/getcert.c:66
 msgid "HOSTNAME"
-msgstr ""
+msgstr "HOSTNAME"
 
 #: src/getcert.c:67
 msgid "ID"
-msgstr ""
+msgstr "ID"
 
 #: src/getcert.c:69
 msgid "BITS"
-msgstr ""
+msgstr "BITS"
 
 #: src/getcert.c:71
 msgid "MODE"
-msgstr ""
+msgstr "MODUS"
 
 #: src/getcert.c:72
 msgid "NAME"
-msgstr ""
+msgstr "NAME"
 
 #: src/getcert.c:73
 msgid "PRINCIPAL"
-msgstr ""
+msgstr "HAUPT"
 
 #: src/getcert.c:74
 msgid "SUBJECT"
-msgstr ""
+msgstr "THEMA"
 
 #: src/getcert.c:75
 msgid "URL"
-msgstr ""
+msgstr "URL"
 
 #: src/getcert.c:76
 msgid "USERNAME[:GROUPNAME]"
-msgstr ""
+msgstr "BENUTZERNAME[:GRUPPENNAME]"
 
 #: src/getcert.c:115
 #, c-format
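Review bot: two of the new argument-type labels mistranslate the technical term. PRINCIPAL here is the Kerberos principal name and should stay "PRINCIPAL" (as HOSTNAME, ID and URL were left untranslated), not "HAUPT"; SUBJECT is the certificate subject DN, for which German PKI usage is "SUBJECT" or "INHABER", not "THEMA" (topic). These labels are shown in `getcert --help` next to the options they describe, so a wrong term hides what the option expects.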
@@ -204,7 +211,7 @@ msgstr ""
 #: src/getcert.c:142
 #, c-format
 msgid "Path \"%s\": insufficient permissions.\n"
-msgstr ""
+msgstr "Pfad \"%s\": nicht ausreichende Berechtigungen.\n"
 
 #: src/getcert.c:148
 #, c-format
@@ -224,22 +231,22 @@ msgstr "Pfad »%s« ist keine reguläre Datei.\n"
 #: src/getcert.c:340
 #, c-format
 msgid "No system bus running.\n"
-msgstr ""
+msgstr "Kein System Bus läuft.\n"
 
 #: src/getcert.c:341
 #, c-format
 msgid "Running as UID 0.\n"
-msgstr ""
+msgstr "Läuft als UID 0.\n"
 
 #: src/getcert.c:342
 #, c-format
 msgid "Launching temporary dedicated service daemon.\n"
-msgstr ""
+msgstr "Starte temporär zugewiesenen service daemon.\n"
 
 #: src/getcert.c:371
 #, c-format
 msgid "Error connecting to D-Bus.\n"
-msgstr ""
+msgstr "Fehler beim Verbinden zum D-Bus.\n"
 
 #: src/getcert.c:372 src/tdbusm.c:2166
 #, c-format
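Review bot: "Kein System Bus läuft." keeps the English word order; "Es läuft kein System-Bus." reads naturally, and "Starte temporär zugewiesenen service daemon." leaves "service daemon" untranslated where "Starte temporären dedizierten Dienst." would match the rest of the file.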
@@ -254,56 +261,52 @@ msgstr "Fehler beim Erstellen der D-Bus-Anfragemeldung.\n"
 #: src/getcert.c:393
 #, c-format
 msgid "missing argument for %s"
-msgstr ""
+msgstr "Fehlendes Argument für %s"
 
 #: src/getcert.c:398
-#, fuzzy
 msgid "missing argument"
-msgstr "Optionale Parameter:\n"
+msgstr "Fehlendes Argument"
 
 #: src/getcert.c:401
-#, fuzzy, c-format
+#, c-format
 msgid "unrecognized option %s"
-msgstr "%s: Unbekannter Befehl.\n"
+msgstr "Unbekannte Option %s"
 
 #: src/getcert.c:406
-#, fuzzy
 msgid "unrecognized option"
-msgstr "%s: Unbekannter Befehl.\n"
+msgstr "Unbekannte Option"
 
 #: src/getcert.c:409
 msgid "aliases nested too deeply"
-msgstr ""
+msgstr "Aliase zu tief verschachtelt"
 
 #: src/getcert.c:412
 msgid "bad parameter quoting"
-msgstr ""
+msgstr "schlechte Parameterangabe"
 
 #: src/getcert.c:418
 msgid "invalid numeric value"
-msgstr ""
+msgstr "Ungültiger numerischer Wert"
 
 #: src/getcert.c:421
 msgid "number too large or too small"
-msgstr ""
+msgstr "Nummer zu groß oder zu klein"
 
 #: src/getcert.c:424
 msgid "bad operation"
-msgstr ""
+msgstr "Ungültige Operation"
 
 #: src/getcert.c:427
-#, fuzzy
 msgid "internal error"
-msgstr "Ein interner Fehler ist aufgetreten."
+msgstr "Interner Fehler"
 
 #: src/getcert.c:430
-#, fuzzy
 msgid "out of memory"
-msgstr "Ungenügend Speicher.\n"
+msgstr "Nicht genügend Speicher"
 
 #: src/getcert.c:434
 msgid "error in popt configuration file"
-msgstr ""
+msgstr "Fehler in popt Konfigurationsdatei"
 
 #: src/getcert.c:477
 #, c-format
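Review bot: "bad parameter quoting" rendered as "schlechte Parameterangabe" drops the point of the message, which is mismatched quote characters in a popt argument; "fehlerhafte Anführungszeichen in Parameter" preserves it. Also "Nummer zu groß oder zu klein" should use "Zahl", since the message is about a numeric value, not an identifier.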
@@ -333,90 +336,90 @@ msgstr "Keine Antwort vom %s-Dienst erhalten.\n"
 #: src/getcert.c:699 src/getcert.c:3978
 #, c-format
 msgid "State %s, stuck: %s.\n"
-msgstr ""
+msgstr "Status %s, hängt: %s.\n"
 
 #: src/getcert.c:768 src/getcert.c:1846 src/getcert.c:2500 src/getcert.c:3100
 #: src/getcert.c:3354 src/getcert.c:3875
 msgid "NSS database for key and cert"
-msgstr ""
+msgstr "NSS Datenbank für Schlüssel und Zertifikat"
 
 #: src/getcert.c:769 src/getcert.c:1847 src/getcert.c:2501 src/getcert.c:3101
 #: src/getcert.c:3355 src/getcert.c:3876
 msgid "nickname for NSS-based storage (only valid with -d)"
-msgstr ""
+msgstr "Kurzname für NSS-basierte Speicherung (nur gültig mit -d)"
 
 #: src/getcert.c:770 src/getcert.c:1848 src/getcert.c:2502 src/getcert.c:3102
 #: src/getcert.c:3356 src/getcert.c:3877
 msgid "optional token name for NSS-based storage (only valid with -d)"
-msgstr ""
+msgstr "Optionaler Token-Name für NSS-basierte Speicherung (nur gültig mit -d)"
 
 #: src/getcert.c:771
 msgid "PEM file for private key"
-msgstr ""
+msgstr "PEM Datei für privaten Schlüssel"
 
 #: src/getcert.c:772
 msgid "PEM file for certificate (only valid with -k)"
-msgstr ""
+msgstr "PEM-Datei für Zertifikat (nur gültig mit -k)"
 
 #: src/getcert.c:773 src/getcert.c:1851 src/getcert.c:2508
 msgid "file which holds the private key encryption PIN"
-msgstr ""
+msgstr "Datei, die die PIN zum Verschlüsseln des privaten Schlüssels enthält"
 
 #: src/getcert.c:774 src/getcert.c:1852 src/getcert.c:2509
 msgid "private key encryption PIN"
-msgstr ""
+msgstr "PIN zur Verschlüsselung des privaten Schlüssels"
 
 #: src/getcert.c:775 src/getcert.c:1853 src/getcert.c:2510
 msgid "owner information for private key"
-msgstr ""
+msgstr "Eigentümerinformationen für privaten Schlüssel"
 
 #: src/getcert.c:776 src/getcert.c:1854 src/getcert.c:2511
 msgid "file permissions for private key"
-msgstr ""
+msgstr "Dateiberechtigungen für privaten Schlüssel"
 
 #: src/getcert.c:777 src/getcert.c:1855 src/getcert.c:2512
 msgid "owner information for certificate"
-msgstr ""
+msgstr "Eigentümerinformationen für Zertifikat"
 
 #: src/getcert.c:778 src/getcert.c:1856 src/getcert.c:2513
 msgid "file permissions for certificate"
-msgstr ""
+msgstr "Dateiberechtigungen für Zertifikat"
 
 #: src/getcert.c:779 src/getcert.c:1857 src/getcert.c:2514
 msgid "NSS database in which to store the CA's certificates"
-msgstr ""
+msgstr "NSS Datenbank, in der die CA-Zertifikate gespeichert werden"
 
 #: src/getcert.c:780 src/getcert.c:1858 src/getcert.c:2515
 msgid "file in which to store the CA's certificates"
-msgstr ""
+msgstr "Datei in der die CA-Zertifikate gespeichert werden"
 
 #: src/getcert.c:781 src/getcert.c:1859 src/getcert.c:2516
 msgid "command to run before saving the certificate"
-msgstr ""
+msgstr "Auszuführender Befehl vor dem Speichern des Zertifikats"
 
 #: src/getcert.c:782 src/getcert.c:1860 src/getcert.c:2517
 msgid "command to run after saving the certificate"
-msgstr ""
+msgstr "Auszuführender Befehl nach dem Speichern des Zertifikats"
 
 #: src/getcert.c:783
 msgid "nickname to assign to the request"
-msgstr ""
+msgstr "Zugewiesener Kurzname für diese Abfrage"
 
 #: src/getcert.c:784
 msgid "type of key to be generated if one is not already in place"
-msgstr ""
+msgstr "Zu erstellender Schlüsseltyp, falls keiner vorhanden ist"
 
 #: src/getcert.c:785
 msgid "size of key to be generated if one is not already in place"
-msgstr ""
+msgstr "Größe des zu generierenden Schlüssels, falls noch keiner vorhanden ist"
 
 #: src/getcert.c:786 src/getcert.c:1863
 msgid "attempt to renew the certificate when expiration nears (default)"
-msgstr ""
+msgstr "versuchen, kurz vor Ablauf das Zertifikat zu erneuern (Standard)"
 
 #: src/getcert.c:787 src/getcert.c:1864
 msgid "don't attempt to renew the certificate when expiration nears"
-msgstr ""
+msgstr "nicht versuchen, kurz vor Ablauf das Zertifikat zu erneuern (Standard)"
 
 #: src/getcert.c:789 src/getcert.c:1866
 msgid "use the specified CA configuration rather than the default"
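Review bot: the translation of "don't attempt to renew the certificate when expiration nears" ends in "(Standard)", copied from the preceding string; only the renew option is the default, so the suffix on the negated string tells users the opposite of the program's behaviour and must be removed. Minor: the file alternates between "NSS Datenbank"/"PEM Datei" and hyphenated "PEM-Datei"; German compounds take the hyphen consistently.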


=====================================
po/ka.po
=====================================
@@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: certmonger 0.79\n"
 "Report-Msgid-Bugs-To: certmonger-devel at lists.fedorahosted.org\n"
 "POT-Creation-Date: 2017-02-26 02:20-0500\n"
-"PO-Revision-Date: 2022-03-15 14:16+0000\n"
+"PO-Revision-Date: 2022-11-23 17:20+0000\n"
 "Last-Translator: Temuri Doghonadze <temuri.doghonadze at gmail.com>\n"
 "Language-Team: Georgian <https://translate.fedoraproject.org/projects/"
 "certmonger/master/ka/>\n"
@@ -16,7 +16,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.11.2\n"
+"X-Generator: Weblate 4.14.2\n"
 
 #: src/casave.c:322 src/casave.c:361 src/dogtag.c:233 src/dogtag.c:238
 #: src/dogtag.c:256 src/dogtag.c:261 src/getcert.c:291
@@ -210,7 +210,7 @@ msgstr "ბილიკი \"%s\":%s.\n"
 #: src/getcert.c:194
 #, c-format
 msgid "Path \"%s\" is not a regular file.\n"
-msgstr ""
+msgstr "ბილიკი \"%s\" ჩვეულებრივი ფაილი არაა.\n"
 
 #: src/getcert.c:340
 #, c-format
@@ -274,7 +274,7 @@ msgstr "არასწორი რიცხვითი მნიშვნე
 
 #: src/getcert.c:421
 msgid "number too large or too small"
-msgstr ""
+msgstr "რიცხვი მეტისმეტად დიდი ან მეტისმეტად პატარაა"
 
 #: src/getcert.c:424
 msgid "bad operation"
@@ -824,7 +824,7 @@ msgid ",pin set"
 msgstr ", პინი დაყენებულია"
 
 #: src/getcert.c:3666
-#, c-format, fuzzy
+#, c-format
 msgid ",pinfile='%s'"
 msgstr ",pinfile='%s'"
 
@@ -844,7 +844,7 @@ msgid "\tsigning request thumbprint (SHA1): %s\n"
 msgstr ""
 
 #: src/getcert.c:3715
-#, c-format, fuzzy
+#, c-format
 msgid "\tCA: %s\n"
 msgstr "\tCA: %s\n"
 
@@ -872,7 +872,6 @@ msgid "\temail: "
 msgstr "\tელ-ფოსტა: "
 
 #: src/getcert.c:3742
-#, fuzzy
 msgid "\tdns: "
 msgstr "\tdns: "
 
@@ -890,7 +889,6 @@ msgid "\tkey usage: %s\n"
 msgstr "\tგასაღების გამოყენება: %s\n"
 
 #: src/getcert.c:3779
-#, fuzzy
 msgid "\teku: "
 msgstr "\teku: "
 
@@ -961,7 +959,7 @@ msgid "list only the specified CA configuration"
 msgstr ""
 
 #: src/getcert.c:4104
-#, c-format, fuzzy
+#, c-format
 msgid "CA '%s':\n"
 msgstr "CA '%s':\n"
 


=====================================
src/Makefile.am
=====================================
@@ -1,7 +1,6 @@
 AM_CFLAGS = $(TALLOC_CFLAGS) $(TEVENT_CFLAGS) $(DBUS_CFLAGS) $(KRB5_CFLAGS) \
 	    $(XMLRPC_CFLAGS) $(IDN_CFLAGS) $(UUID_CFLAGS) $(LDAP_CFLAGS) \
 	    $(POPT_CFLAGS)
-LDFLAGS =
 if PIE
 CFLAGS += -fPIC
 LDFLAGS += -fPIC -pie
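Review bot: dropping `LDFLAGS =` is correct and matches how CFLAGS is handled two lines below, which was already appended with `+=` without a reset; the practical effect is that linker flags injected by the packager's environment (on Debian the dpkg-buildflags hardening set, e.g. `-Wl,-z,relro`) now reach the link of the certmonger binaries instead of being discarded, so this is a hardening fix that deserves a changelog mention. Verify the built binaries with the usual hardening checker to confirm the flags took effect.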


=====================================
src/certsave-n.c
=====================================
@@ -24,6 +24,8 @@
 #include <stdlib.h>
 #include <time.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include <nss.h>
 #include <nssb64.h>
@@ -83,6 +85,20 @@ add_privkey_to_list(SECKEYPrivateKey **list, SECKEYPrivateKey *key)
 	return list;
 }
 
+/* Return a nickname minus the token */
+static char *
+cm_get_nickname(char *data)
+{
+	char *p = NULL;
+
+	if (strchr(data, ':') != NULL) {
+		p = strrchr(data, ':') + 1;
+	} else {
+		p = data;
+	}
+	return p;
+}
+
 static int
 cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 		   void *userdata)
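Review bot: cm_get_nickname splits on the last ':' with strrchr, whereas NSS resolves "token:nickname" at the first colon, so a nickname that itself contains a colon is compared here differently from how NSS looks it up; using strchr for both the test and the split keeps the two in agreement. The function never modifies its argument, so `const char *` for both the parameter and the return type would let the compiler catch accidental writes.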
@@ -123,6 +139,62 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 	}
 
 	/* Open the database. */
+	if (entry->cm_nss_user != NULL) {
+		struct passwd *pwd;
+		struct group *grp;
+		char *user, *group = NULL;
+		uid_t uid;
+		gid_t gid;
+
+		user = strdup(entry->cm_nss_user);
+		group = strchr(user, ':');
+		if (group != NULL) {
+			*group++ = '\0';
+			if (strlen(group) == 0) {
+				group = NULL;
+			}
+		}
+
+		errno = 0;
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			cm_log(0, "Error looking up user \"%s\", "
+					  "not setting identity: %s.\n",
+					  user, strerror(errno));
+			free(user);
+			_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+		}
+		uid = pwd->pw_uid;
+		gid = pwd->pw_gid;
+		if (group != NULL) {
+			grp = getgrnam(group);
+			if (grp == NULL) {
+				cm_log(0, "Error looking up group \"%s\", "
+					   "not setting identity.\n",
+					   group);
+				free(user);
+				_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+			}
+			gid = grp->gr_gid;
+		}
+		free(user);
+
+		cm_log(1, "Switching to %s %d:%d\n", pwd->pw_name, uid, gid);
+
+		if (initgroups(pwd->pw_name, gid) == -1) {
+			cm_log(0, "initgroups error (%s: %d): %s\n", pwd->pw_name, gid, strerror(errno));
+			_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+		}
+		if (setgid(gid) == -1) {
+			cm_log(0, "setgid error (%d): %s\n", gid, strerror(errno));
+			_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+		}
+		if (setuid(uid) == -1) {
+			cm_log(0, "setuid error (%d): %s\n", uid, strerror(errno));
+			_exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+		}
+	}
+
 	settings = userdata;
 	readwrite = settings->readwrite;
 	errno = 0;
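Review bot: `strdup(entry->cm_nss_user)` is not checked for NULL before `strchr(user, ':')`, so an allocation failure in this privileged helper dereferences NULL; fail with CM_CERTSAVE_STATUS_INTERNAL_ERROR like the other error paths. The drop sequence itself, initgroups then setgid then setuid with `_exit` on any failure, is the right fail-closed order and avoids continuing to write the NSS database as root when the switch does not work; the log text "not setting identity" is misleading though, since the helper exits rather than carrying on, and the getgrnam failure message omits strerror(errno) where the getpwnam one includes it.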
@@ -407,7 +479,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 							if ((!SECITEM_ItemsAreEqual(&subject,
 									   &node->cert->derSubject)) &&
 										(sle->slot == node->cert->slot)) {
-								cm_log(3, "Found a "
+								cm_log(3, "1 Found a "
 								       "certificate "
 								       "with the same "
 								       "nickname but "
@@ -454,22 +526,27 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 					     !CERT_LIST_END(node, certlist);
 					     node = CERT_LIST_NEXT(node)) {
 						if ((node->cert->nickname != NULL) &&
-						    (strcmp(entry->cm_cert_nickname,
-							    node->cert->nickname) != 0) &&
+						    (strcmp(cm_get_nickname(entry->cm_cert_nickname),
+							    cm_get_nickname(node->cert->nickname)) != 0) &&
 								(sle->slot == node->cert->slot))
 						{
 							i++;
-							cm_log(3, "Found a "
+							cm_log(3, "2 Found a "
 							       "certificate with a "
 						       "different nickname but "
 						       "the same subject, "
 						       "removing certificate "
-						       "\"%s\" with subject "
-						       "\"%s\".\n",
+						       "\"%s\" vs \"%s\" with subject "
+						       "\"%s\" in slot \"%s\" vs "
+							   "\"%s\".\n",
 						       node->cert->nickname,
+						       entry->cm_cert_nickname,
 						       node->cert->subjectName ?
 						       node->cert->subjectName :
-						       "");
+							   "",
+							   PK11_GetTokenName(sle->slot),
+							   PK11_GetTokenName(node->cert->slot)
+						       );
 							/* Get a handle for this
 							 * certificate's private key,
 							 * in case we need to remove
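Review bot: with both nicknames passed through cm_get_nickname, "token:Server-Cert" and "Server-Cert" now compare equal, which is what stops the token certificate's mirrored database entry from being treated as a different-nickname duplicate, and the `sle->slot == node->cert->slot` condition is what confines removal to one slot; both deserve a short comment here, because the change is otherwise easy to undo as a "cleanup" later. The new cm_log call also mixes tab- and space-indented continuation lines; align them with the surrounding code.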
@@ -573,8 +650,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 						     !CERT_LIST_END(node, certlist);
 						     node = CERT_LIST_NEXT(node)) {
 							if (!SECITEM_ItemsAreEqual(item,
-										   &node->cert->derCert)) {
-								cm_log(3, "Found a "
+										   &node->cert->derCert) &&
+									(sle->slot == node->cert->slot)) {
+								cm_log(3, "3 Found a "
 								       "certificate "
 								       "with the same "
 								       "nickname and "


=====================================
src/getcert.c
=====================================
@@ -754,8 +754,9 @@ request(const char *argv0, int argc, const char **argv)
 	char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;
 	char *key_owner = NULL, *key_perms = NULL;
 	char *cert_owner = NULL, *cert_perms = NULL;
-	struct cm_tdbusm_dict param[51];
-	const struct cm_tdbusm_dict *params[50];
+	char *nss_user = NULL;
+	struct cm_tdbusm_dict param[52];
+	const struct cm_tdbusm_dict *params[51];
 	DBusMessage *req, *rep;
 	int waitreq = 0, timeout = -1;
 	int is_ca = 0, path_length = -1;
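Review bot: `param[52]` versus `params[51]` keeps the pre-existing one-element mismatch between the two arrays; both are filled with the same counter i, so sizing them identically (or deriving one bound from the other with sizeof) makes the limit obviously consistent and avoids an off-by-one the next time a property is added.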
@@ -779,6 +780,7 @@ request(const char *argv0, int argc, const char **argv)
 		{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
 		{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
 		{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+		{"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
 		{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
 		{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
 		{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -929,6 +931,9 @@ request(const char *argv0, int argc, const char **argv)
 		case 'X':
 			issuer = talloc_strdup(globals.tctx, poptarg);
 			break;
+		case 'Z':
+			nss_user = talloc_strdup(globals.tctx, poptarg);
+			break;
 		case 'N':
 			subject = talloc_strdup(globals.tctx, poptarg);
 			break;
@@ -1276,6 +1281,13 @@ request(const char *argv0, int argc, const char **argv)
 		params[i] = &param[i];
 		i++;
 	}
+	if (nss_user != NULL) {
+		param[i].key = CM_DBUS_PROP_NSS_USER;
+		param[i].value_type = cm_tdbusm_dict_s;
+		param[i].value.s = nss_user;
+		params[i] = &param[i];
+		i++;
+	}
 	if (keytype != NULL) {
 		param[i].key = "KEY_TYPE";
 		param[i].value_type = cm_tdbusm_dict_s;
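Review bot: the `nss_user` dictionary entry is appended unconditionally here, at the same level as `KEY_TYPE`, so `getcert request` sends `CM_DBUS_PROP_NSS_USER` even for file-based storage where the value has no meaning; in `add_basic_request` the same entry is only added inside the NSS storage branch (before the `} else if (certfile != NULL)`). Either gate it on NSS storage here as well, or state in the option help that the daemon ignores the property for file-backed entries.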
@@ -1572,6 +1584,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
 		  char *keyfile, char *certfile,
 		  char *key_owner, char *cert_owner,
 		  char *key_perms, char *cert_perms,
+		  char *nss_user,
 		  char *pin, char *pinfile,
 		  char *cpass, char *cpassfile,
 		  char *ca, char *profile, char *issuer,
@@ -1585,8 +1598,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
 {
 	DBusMessage *req, *rep;
 	int i;
-	struct cm_tdbusm_dict param[31];
-	const struct cm_tdbusm_dict *params[31];
+	struct cm_tdbusm_dict param[32];
+	const struct cm_tdbusm_dict *params[32];
 	dbus_bool_t b;
 	const char *capath;
 	char *p;
@@ -1643,6 +1656,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
 			params[i] = &param[i];
 			i++;
 		}
+		if (nss_user != NULL) {
+			param[i].key = CM_DBUS_PROP_NSS_USER;
+			param[i].value_type = cm_tdbusm_dict_s;
+			param[i].value.s = nss_user;
+			params[i] = &param[i];
+			i++;
+		}
 	} else
 	if (certfile != NULL) {
 		if (keyfile != NULL) {
@@ -1848,8 +1868,8 @@ set_tracking(const char *argv0, const char *category,
 	enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
 	DBusMessage *req, *rep;
 	const char *request, *capath;
-	struct cm_tdbusm_dict param[28];
-	const struct cm_tdbusm_dict *params[29];
+	struct cm_tdbusm_dict param[29];
+	const struct cm_tdbusm_dict *params[30];
 	char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
 	char **anchor_dbs = NULL, **anchor_files = NULL;
 	char *id = NULL, *new_id = NULL, *new_request;
@@ -1858,6 +1878,7 @@ set_tracking(const char *argv0, const char *category,
 	char *ms_template_spec = NULL;
 	char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
 	char *key_owner = NULL, *key_perms = NULL;
+	char *nss_user = NULL;
 	char *cert_owner = NULL, *cert_perms = NULL;
 	dbus_bool_t b;
 	char *p;
@@ -1885,6 +1906,7 @@ set_tracking(const char *argv0, const char *category,
 		{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
 		{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
 		{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+		{"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
 		{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
 		{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
 		{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -2009,6 +2031,9 @@ set_tracking(const char *argv0, const char *category,
 		case 'X':
 			issuer = talloc_strdup(globals.tctx, poptarg);
 			break;
+		case 'Z':
+			nss_user = talloc_strdup(globals.tctx, poptarg);
+			break;
 		case 'i':
 			id = talloc_strdup(globals.tctx, poptarg);
 			break;
@@ -2289,6 +2314,13 @@ set_tracking(const char *argv0, const char *category,
 				params[i] = &param[i];
 				i++;
 			}
+			if (nss_user != NULL) {
+				param[i].key = CM_DBUS_PROP_NSS_USER;
+				param[i].value_type = cm_tdbusm_dict_s;
+				param[i].value.s = nss_user;
+				params[i] = &param[i];
+				i++;
+			}
 			if (pin != NULL) {
 				param[i].key = "KEY_PIN";
 				param[i].value_type = cm_tdbusm_dict_s;
@@ -2441,6 +2473,7 @@ set_tracking(const char *argv0, const char *category,
 						 keyfile, certfile,
 						 key_owner, cert_owner,
 						 key_perms, cert_perms,
+						 nss_user,
 						 pin, pinfile,
 						 cpass, cpassfile,
 						 ca, profile, issuer,
@@ -2513,8 +2546,8 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 	DBusMessage *req, *rep;
 	const char *request;
 	char *capath;
-	struct cm_tdbusm_dict param[31];
-	const struct cm_tdbusm_dict *params[32];
+	struct cm_tdbusm_dict param[32];
+	const struct cm_tdbusm_dict *params[33];
 	char *dbdir = NULL, *token = NULL, *nickname = NULL, *certfile = NULL;
 	char **anchor_dbs = NULL, **anchor_files = NULL;
 	char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
@@ -2525,6 +2558,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 	char *ms_template_spec = NULL;
 	char *key_owner = NULL, *key_perms = NULL;
 	char *cert_owner = NULL, *cert_perms = NULL;
+	char *nss_user = NULL;
 	char *keytype = NULL;
 	int keysize = 0;
 	dbus_bool_t b;
@@ -2552,6 +2586,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 		{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
 		{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
 		{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+		{"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
 		{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
 		{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
 		{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -2645,6 +2680,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 		case 'X':
 			issuer = talloc_strdup(globals.tctx, poptarg);
 			break;
+		case 'Z':
+			nss_user = talloc_strdup(globals.tctx, poptarg);
+			break;
 		case 'i':
 			id = talloc_strdup(globals.tctx, poptarg);
 			break;
@@ -2885,6 +2923,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 		params[i] = &param[i];
 		i++;
 	}
+	if (nss_user != NULL) {
+		param[i].key = CM_DBUS_PROP_NSS_USER;
+		param[i].value_type = cm_tdbusm_dict_s;
+		param[i].value.s = nss_user;
+		params[i] = &param[i];
+		i++;
+	}
 	if (keytype != NULL) {
 		param[i].key = "KEY_TYPE";
 		param[i].value_type = cm_tdbusm_dict_s;
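Review bot: as in `request`, `CM_DBUS_PROP_NSS_USER` is added to the dictionary here regardless of whether the entry uses NSS storage, while `add_basic_request` only sends it for NSS-backed entries; the code paths that build this dictionary should agree on whether the property is meaningful for file storage.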
@@ -5008,6 +5053,8 @@ help(const char *twopartcmd, const char *category)
 		N_("			owner information for certificate\n"),
 		N_("  -M MODE, --cert-perms=MODE\n"),
 		N_("			file permissions for certificate\n"),
+		N_("  -Z USER, --nss-user=USER\n"),
+		N_("			User to switch to during NSS save operations\n"),
 		NULL,
 	};
 	const char *start_tracking_help[] = {
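Review bot: the help line added here, `User to switch to during NSS save operations`, is capitalised unlike the neighbouring entries (`file permissions for certificate`) and describes the option differently from the popt table string `user to save NSS private and public keys as`; pick one wording and use it in both places. The same two lines are repeated verbatim in the two later help arrays in this file, so the fix applies there too.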
@@ -5096,6 +5143,8 @@ help(const char *twopartcmd, const char *category)
 		N_("			owner information for certificate\n"),
 		N_("  -M MODE, --cert-perms=MODE\n"),
 		N_("			file permissions for certificate\n"),
+		N_("  -Z USER, --nss-user=USER\n"),
+		N_("			User to switch to during NSS save operations\n"),
 		NULL,
 	};
 	const char *stop_tracking_help[] = {
@@ -5204,6 +5253,8 @@ help(const char *twopartcmd, const char *category)
 		N_("			owner information for certificate\n"),
 		N_("  -M MODE, --cert-perms=MODE\n"),
 		N_("			file permissions for certificate\n"),
+		N_("  -Z USER, --nss-user=USER\n"),
+		N_("			User to switch to during NSS save operations\n"),
 		NULL,
 	};
 	const char *rekey_help[] = {


=====================================
src/store-files.c
=====================================
@@ -101,6 +101,8 @@ enum cm_store_file_field {
 	cm_store_entry_field_cert_owner,
 	cm_store_entry_field_cert_perms,
 
+	cm_store_entry_field_nss_user,
+
 	cm_store_entry_field_cert_issuer_der,
 	cm_store_entry_field_cert_issuer,
 	cm_store_entry_field_cert_serial,
@@ -276,6 +278,8 @@ static struct cm_store_file_field_list {
 	{cm_store_entry_field_cert_owner, "cert_owner"},
 	{cm_store_entry_field_cert_perms, "cert_perms"},
 
+	{cm_store_entry_field_nss_user, "nss_user"},
+
 	{cm_store_entry_field_cert_issuer_der, "cert_issuer_der"},
 	{cm_store_entry_field_cert_issuer, "cert_issuer"},
 	{cm_store_entry_field_cert_serial, "cert_serial"},
@@ -1022,6 +1026,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
 				ret->cm_key_issued_count = atoi(p);
 				talloc_free(p);
 				break;
+			case cm_store_entry_field_nss_user:
+				ret->cm_nss_user = free_if_empty(p);
+				break;
 			case cm_store_entry_field_cert_storage_type:
 				if (strcasecmp(p, "FILE") == 0) {
 					ret->cm_cert_storage_type =
@@ -1420,6 +1427,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
 			case cm_store_entry_field_key_requested_count:
 			case cm_store_entry_field_key_next_requested_count:
 			case cm_store_entry_field_key_issued_count:
+			case cm_store_entry_field_nss_user:
 			case cm_store_entry_field_cert_storage_type:
 			case cm_store_entry_field_cert_storage_location:
 			case cm_store_entry_field_cert_token:
@@ -2042,6 +2050,9 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
 	cm_store_file_write_int(fp, cm_store_entry_field_cert_no_ocsp_check,
 				entry->cm_cert_no_ocsp_check ? 1 : 0);
 
+	cm_store_file_write_str(fp, cm_store_entry_field_nss_user,
+				entry->cm_nss_user);
+
 	cm_store_file_write_str(fp, cm_store_entry_field_last_need_notify_check,
 				cm_store_timestamp_from_time(entry->cm_last_need_notify_check,
 							     timestamp));
@@ -2280,6 +2291,7 @@ cm_store_entry_save(struct cm_store_entry *entry)
 		if (cm_store_entry_write(fp, entry) == 0) {
 			fclose(fp);
 			dest = (const char *) entry->cm_store_private;
+			cm_log(0, "Wrote to %s\n", dest);
 			if (rename(path, dest) != 0) {
 				cm_log(0, "Error renaming \"%s\" to \"%s\": "
 				       "%s.\n", path, dest, strerror(errno));
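Review bot: `cm_log(0, "Wrote to %s\n", dest);` logs at level 0 on every successful entry save, so it will be emitted unconditionally each time certmonger persists a tracking entry. If it was added for debugging it should be removed before merge; otherwise raise the level to match the other informational messages added in this patch (level 1) and move it after the `rename` succeeds, since at this point only the temporary `path` has been written.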
@@ -2797,6 +2809,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
 	ret->cm_key_next_requested_count = entry->cm_key_next_requested_count;
 	ret->cm_key_issued_count = entry->cm_key_issued_count;
 
+	ret->cm_nss_user = cm_store_maybe_strdup(ret, entry->cm_nss_user);
+
 	ret->cm_cert_storage_type = entry->cm_cert_storage_type;
 	ret->cm_cert_storage_location = cm_store_maybe_strdup(ret, entry->cm_cert_storage_location);
 	ret->cm_cert_token = cm_store_maybe_strdup(ret, entry->cm_cert_token);


=====================================
src/store-int.h
=====================================
@@ -61,6 +61,7 @@ struct cm_store_entry {
 	char *cm_key_pin_file;
 	char *cm_key_owner;
 	mode_t cm_key_perms;
+	char *cm_nss_user;
 	/* Cached plain public key (used for computing subject and authority key IDs) */
 	char *cm_key_pubkey, *cm_key_next_pubkey;
 	/* Cached public key info (used in signing requests when using NSS) */


=====================================
src/tdbus.h
=====================================
@@ -81,6 +81,7 @@
 #define CM_DBUS_PROP_KEY_PERMS "key-perms"
 #define CM_DBUS_PROP_KEY_TYPE "key-type"
 #define CM_DBUS_PROP_KEY_SIZE "key-size"
+#define CM_DBUS_PROP_NSS_USER "nss-user"
 #define CM_DBUS_PROP_MONITORING "monitoring"
 #define CM_DBUS_PROP_NOTIFICATION_TYPE "notification-type"
 #define CM_DBUS_PROP_NOTIFICATION_SYSLOG_PRIORITY "notification-syslog-priority"


=====================================
src/tdbush.c
=====================================
@@ -412,6 +412,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 	enum cm_cert_storage_type cert_storage;
 	char *cert_location, *cert_nickname, *cert_token;
 	char *cert_owner, *key_owner;
+	char *nss_user;
 	mode_t cert_perms, key_perms;
 	char *path, *pre_command, *post_command;
 	char **root_cert_nssdbs, **root_cert_files;
@@ -1265,6 +1266,15 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 	} else {
 		key_perms = 0;
 	}
+	param = cm_tdbusm_find_dict_entry(d,
+					  CM_DBUS_PROP_NSS_USER,
+					  cm_tdbusm_dict_s);
+	if (param != NULL) {
+		nss_user = param->value.s;
+		cm_log(1, "Setting CM_DBUS_PROP_NSS_USER to %s\n", nss_user);
+	} else {
+		nss_user = NULL;
+	}
 	/* Okay, we can go ahead and add the entry. */
 	new_entry = cm_store_entry_new(parent);
 	if (new_entry == NULL) {
@@ -1374,6 +1384,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
 	new_entry->cm_cert_token = maybe_strdup(new_entry, cert_token);
 	new_entry->cm_cert_owner = maybe_strdup(new_entry, cert_owner);
 	new_entry->cm_cert_perms = cert_perms;
+	new_entry->cm_nss_user = maybe_strdup(new_entry, nss_user);
 
 	new_entry->cm_root_cert_store_nssdbs = maybe_strdupv(new_entry, root_cert_nssdbs);
 	new_entry->cm_root_cert_store_files = maybe_strdupv(new_entry, root_cert_files);
@@ -3290,6 +3301,14 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
 					propname[n_propname++] = CM_DBUS_PROP_KEY_PERMS;
 				}
 			} else
+			if ((param->value_type == cm_tdbusm_dict_s) &&
+			    (strcasecmp(param->key, CM_DBUS_PROP_NSS_USER) == 0)) {
+				entry->cm_nss_user = talloc_strdup(entry, param->value.s);
+		        cm_log(1, "Param CM_DBUS_PROP_NSS_USER to %s\n", entry->cm_nss_user);
+				if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
+					propname[n_propname++] = CM_DBUS_PROP_NSS_USER;
+				}
+			} else
 			if ((param->value_type == cm_tdbusm_dict_b) &&
 			    ((strcasecmp(param->key, "RENEW") == 0) ||
 			     (strcasecmp(param->key, CM_DBUS_PROP_AUTORENEW) == 0))) {
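Review bot: the new `CM_DBUS_PROP_NSS_USER` branch in `request_modify` stores whatever string arrives on the bus; no check that the named account exists is visible in this hunk, and since the daemon will switch to that user during NSS save operations (per the help text added in this patch), validating the name when it is set would surface a typo at configuration time rather than when a certificate is saved. Two smaller points: the `cm_log(1, "Param CM_DBUS_PROP_NSS_USER to %s\n", ...)` line is indented with spaces instead of tabs, and both it and the matching message in `base_add_request` log the macro name rather than the property name `nss-user`.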
@@ -7217,6 +7236,15 @@ cm_tdbush_iface_request(void)
 								       offsetof(struct cm_store_entry, cm_cert_profile),
 								       NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 								       NULL),
+				     make_interface_item(cm_tdbush_interface_property,
+							 make_property(CM_DBUS_PROP_NSS_USER,
+								       cm_tdbush_property_string,
+								       cm_tdbush_property_readwrite,
+								       cm_tdbush_property_char_p,
+								       offsetof(struct cm_store_entry, cm_nss_user),
+								       NULL, NULL, NULL, NULL, NULL,
+								       NULL, NULL, NULL, NULL, NULL,
+								       NULL),
 				     make_interface_item(cm_tdbush_interface_property,
 							 make_property(CM_DBUS_PROP_ROOT_CERT_FILES,
 								       cm_tdbush_property_strings,
@@ -7396,7 +7424,7 @@ cm_tdbush_iface_request(void)
 				     make_interface_item(cm_tdbush_interface_signal,
 							 make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
 								     NULL),
-							 NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
+							 NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
 	}
 	return ret;
 }


=====================================
tests/028-dbus/expected.out
=====================================
@@ -380,6 +380,7 @@ OK
   </method>
   <property name="ca" type="o" access="read"/>
   <property name="ca-profile" type="s" access="read"/>
+  <property name="nss-user" type="s" access="readwrite"/>
   <property name="root-cert-files" type="as" access="read"/>
   <property name="root-other-cert-files" type="as" access="read"/>
   <property name="other-cert-files" type="as" access="read"/>


=====================================
tests/028-dbus/expected.out.nodsa
=====================================
@@ -380,6 +380,7 @@ OK
   </method>
   <property name="ca" type="o" access="read"/>
   <property name="ca-profile" type="s" access="read"/>
+  <property name="nss-user" type="s" access="readwrite"/>
   <property name="root-cert-files" type="as" access="read"/>
   <property name="root-other-cert-files" type="as" access="read"/>
   <property name="other-cert-files" type="as" access="read"/>



View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/e1a1f56f9195437525b8f4685abc2745e59b5801...89ac3f4d0088343e5e72afbda43025f7a0b22172
