PSARC/2016/217 Smartcard Reintroduction s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Wed, 06 Jul 2016 18:46:13 -0700
branchs11u3-sru
changeset 6363 052c5c0a107d
parent 6362 94df57e11df8
child 6364 fd8be207f137
PSARC/2016/217 Smartcard Reintroduction PSARC/2016/233 OpenCA OCSP Responder 22017756 Add openca-ocspd v3.1.2 to Userland consolidation
components/openca-ocspd/Makefile
components/openca-ocspd/Solaris/ocspd.xml
components/openca-ocspd/Solaris/svc-ocspd
components/openca-ocspd/openca-ocspd.license
components/openca-ocspd/openca-ocspd.p5m
components/openca-ocspd/patches/001-1114efa9e9ac249bcd73b4d541529eb9c03cfd2b.patch
components/openca-ocspd/patches/002-a10cad65c94c59125c9eebbba04877e22a85000a.patch
components/openca-ocspd/patches/003-0f16341e167720a5e7d40d748ded093e10351c44.patch
components/openca-ocspd/patches/01-configure.patch
components/openca-ocspd/patches/02-makefile.patch
components/openca-ocspd/patches/03-pod.patch
components/openca-ocspd/patches/04-etc.patch
components/openca-ocspd/patches/05-scripts.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/Makefile	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,89 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+include ../../make-rules/shared-macros.mk
+
+BITS=			64
+COMPONENT_NAME=		openca-ocspd
+COMPONENT_VERSION=	3.1.2
+
+# Version 3.1.2 of openca-ocspd has not been released, yet. There is no source
+# tarball for it. In Solaris 12, Userland consolidation has infrastructure
+# to fetch sources from SCM repository based on a specified git commit hash.
+# Such infrastructure is not present in Solaris 11.3. So we take the latest
+# tarball with 3.1.1 and apply few patches on top of it to get the same sources
+# as in Solaris 12. These are named 001-*, 002-* and 003-*.
+# Once version 3.1.2 is available, simply delete these patches.
+COMPONENT_PROJECT_URL=  https://www.openca.org/projects/ocspd/
+COMPONENT_SRC=          $(COMPONENT_NAME)-3.1.1
+COMPONENT_ARCHIVE=      $(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH= \
+        sha256:10d56cecb862d94ed8742bdf52958cebe1b3f8d87625ba014b0ae2b7c4820de5
+COMPONENT_ARCHIVE_URL=  \
+        http://downloads.sourceforge.net/project/openca/$(COMPONENT_NAME)/releases/v3.1.1/sources/$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=        library/smartcard
+
+TPNO =			28048
+
+include $(WS_MAKE_RULES)/prep.mk
+include $(WS_MAKE_RULES)/configure.mk
+include $(WS_MAKE_RULES)/ips.mk
+
+PKG_PROTO_DIRS +=	$(COMPONENT_SRC)/docs
+PKG_PROTO_DIRS +=	$(COMPONENT_SRC)/etc/ca.d
+
+POD2MAN_PATH =		/usr/perl5/$(PERL_VERSION)/bin
+
+COMPONENT_BUILD_ENV +=	PATH="$(PATH):$(POD2MAN_PATH)"
+
+CONFIGURE_BINDIR.64 =	$(CONFIGURE_PREFIX)/bin
+CONFIGURE_SBINDIR.64 =	$(CONFIGURE_PREFIX)/sbin
+
+CONFIGURE_ENV +=	"CFLAGS=$(CFLAGS)"
+
+# common targets
+configure:      $(CONFIGURE_64)
+
+build:          $(BUILD_64)
+
+install:        $(INSTALL_64)
+
+# Skip test because of set up requirements.
+#
+# The upstream archive includes a test script (test.sh), which tries to run
+# "openssl ocsp" command multiple times. However, it assumes that we already
+# have necessary pem files (keys/certficates for CA, ocspd daemon, and others,
+# and also the CRL), and those files are not included in the archive.
+#
+# To test manually, follow a guide document for the smartcard project.
+test:           $(NO_TEST)
+
+REQUIRED_PACKAGES += library/security/ocsp/libpki
+REQUIRED_PACKAGES += library/security/openssl
+REQUIRED_PACKAGES += library/security/openssl/openssl-fips-140
+REQUIRED_PACKAGES += shell/bash
+REQUIRED_PACKAGES += shell/ksh93
+REQUIRED_PACKAGES += system/core-os
+REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/network
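Review bot: COMPONENT_ARCHIVE_URL fetches the 3.1.1 tarball over plain `http://`, so the pinned COMPONENT_ARCHIVE_HASH is the only integrity control on the source of a daemon that will sign OCSP responses. The hunk does not say where that sha256 came from; a comment above it such as `# sha256 checked against <upstream-published checksum or signature>, not only computed from the downloaded file` would record this. If upstream publishes a detached signature for the release, setting `COMPONENT_SIG_URL` as well would let the build verify it. The same provenance question applies to the three backported patches (001-*, 002-*, 003-*), which are identified only by the commit hash in their file names.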
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/Solaris/ocspd.xml	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,78 @@
+<?xml version="1.0" ?>
+<!DOCTYPE service_bundle
+  SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<!--
+ Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+
+	NOTE:  This service manifest is not editable; its contents will
+	be overwritten by package or patch operations, including
+	operating system upgrade.  Make customizations in a different
+	file.
+-->
+
+<service_bundle type='manifest' name='ocsp'>
+
+<service
+    name='application/security/ocsp'
+    type='service'
+    version='1'>
+
+	<create_default_instance enabled='false' />
+
+	<single_instance/>
+
+	<!-- Wait for network interfaces to be initialized. -->
+	<dependency
+	    name='network'
+	    grouping='require_all'
+	    restart_on='none'
+	    type='service'>
+		<service_fmri value='svc:/milestone/network:default'/>
+	</dependency>
+
+	<!-- Wait for all local filesystems to be mounted. -->
+	<dependency
+	    name='filesystem-local'
+	    grouping='require_all'
+	    restart_on='none'
+	    type='service'>
+		<service_fmri value='svc:/system/filesystem/local'/>
+	</dependency>
+
+	<exec_method
+	    type="method"
+	    name="start"
+	    exec='/lib/svc/method/svc-ocspd start'
+	    timeout_seconds="60">
+	</exec_method>
+
+	<exec_method
+	    type="method"
+	    name="stop"
+	    exec=":kill"
+	    timeout_seconds="60">
+	</exec_method>
+
+	<exec_method
+	    type='method'
+	    name='restart'
+	    exec='/lib/svc/method/svc-ocspd restart'
+	    timeout_seconds='60'>
+	</exec_method>
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>OCSP responder</loctext>
+		</common_name>
+		<documentation>
+			<manpage
+			    title='ocspd'
+			    section='3'
+			    manpath='/usr/share/man'/>
+		</documentation>
+	</template>
+</service>
+
+</service_bundle>
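Review bot: None of the three `<exec_method>` elements carries a `<method_context>`, so the start method for this network-facing responder runs with the restarter's default credentials, which would normally be root with full privileges. Unless ocspd drops privileges itself through its own configuration (not visible in this hunk), consider adding a `<method_context>` with a `<method_credential>` that names a dedicated non-root user and group and a reduced privilege set. Separately, `name='restart'` does not appear to be a method that svc.startd invokes (it runs start, stop and refresh), so the HUP path in svc-ocspd looks unreachable through svcadm; `name='refresh'` is presumably what was intended. The `<manpage>` entry points at section 3, which is unusual for a daemon, although it matches the man3 paths in the package manifest.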
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/Solaris/svc-ocspd	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,28 @@
+#!/usr/sbin/sh
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+. /lib/svc/share/smf_include.sh
+
+CONF_FILE=/etc/ocspd/ocspd.xml;
+PIDFILE=$SMF_SYSVOL_FS/ocspd.pid;
+
+case "$1" in
+'start')
+	/usr/sbin/ocspd -c "$CONF_FILE" -d
+	;;
+
+'restart')
+	if [ -f "$PIDFILE" ]; then
+		/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+        fi
+	;;
+
+*)
+	echo "Usage: $0 { start | restart }"
+	exit 1
+	;;
+esac
+
+exit $?
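Review bot: The 'restart' arm passes the contents of `$PIDFILE` to `kill -HUP` unquoted and without checking them, so an empty file produces a kill usage error and a stale file can send SIGHUP, with the method's privileges, to an unrelated process that has reused the PID. Reading the value into a variable first and guarding it, for example `[ -n "$pid" ] && /usr/bin/kill -HUP "$pid"`, would avoid both; confirming that the PID still belongs to ocspd would be better still. Whether ocspd actually writes `$SMF_SYSVOL_FS/ocspd.pid` depends on its configuration file, which is not part of this hunk, so the path here and the one in `/etc/ocspd/ocspd.xml` need to be kept in step. The 'start' arm also sources smf_include.sh but uses none of its exit codes; checking that `$CONF_FILE` is readable and returning `$SMF_EXIT_ERR_CONFIG` when it is not would stop SMF from retrying a start that cannot succeed.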
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/openca-ocspd.license	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,77 @@
+Project Author(s):
+	Massimiliano Pala <[email protected]>
+
+Project Contributor(s):
+	Many thanks go to the people of the OpenSSL project from where
+	some of the used code comes from. Many thanks to all of them,
+	now and forever.
+
+Additional contribution (in no particular order) from:
+	* Sergei Vyshenski
+	* Julia Dubenskaya
+	* David A. Cooper
+
+Project Alpha and Beta Tester(s) (in no particular order):
+	* Maselli Giovanni Francesco
+	* Guillaume Tamboise
+	* Apu Kapadia
+
+From Copy File:
+====================================================================
+            OpenCA OCSPD daemon - Open Source Project
+        (c) 1999-2009 by OpenCA Labs and Massimilian Pala
+                      All Rights Reserved
+====================================================================
+
+ This software have been released under an Apache-style licence.
+
+ This software consists of voluntary contributions made by many
+ individuals on behalf of the OpenCA Labs. For more information
+ on the OpenCA Team and the OpenCA Project please refer to
+ <http://www.OpenCA.org/>.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer. 
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+ 3. All advertising materials mentioning features or use of this
+    software must display the following acknowledgment:
+    "This product includes software developed by the OpenCA Labs
+    for use in the OpenCA project (http://www.OpenCA.org/)."
+
+ 4. The names "OpenCA" and "OpenCA Labs" must not be used to
+    endorse or promote products derived from this software without
+    prior written permission. For written permission, please contact
+    [email protected]
+
+ 5. Products derived from this software may not be called "OpenCA"
+    nor may "OpenCA" appear in their names without prior written
+    permission of the OpenCA Labs.
+
+ 6. Redistributions of any form whatsoever must retain the following
+    acknowledgment:
+
+       "This product includes software developed by Massimiliano
+        Pala and the OpenCA Labs for use in the OpenCA project
+        (http://www.openca.org/)."
+
+ THIS SOFTWARE IS PROVIDED BY THE OPENCA TEAM ``AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OPENCA TEAM OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/openca-ocspd.p5m	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,57 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Volatile">
+set name=pkg.fmri \
+    value=pkg:/library/security/ocsp/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary \
+    value="Online Certificate State Protocol (OCSP) responder for smartcard"
+set name=pkg.description \
+    value="Provides a rfc2560 compliant OCSPD responder that can be used for multiple CAs to verify the status of a smarcard certificate."
+set name=com.oracle.info.description value="the OpenCA OCSPD Project"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+    value=org.opensolaris.category.2008:Applications/Internet \
+    value=org.opensolaris.category.2008:System/Security
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2016/233
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file self-certs.xml path=etc/ocspd/ca.d/self-certs.xml
+dir  path=etc/ocspd/certs
+dir  path=etc/ocspd/crls
+file path=etc/ocspd/ocspd.xml
+dir  path=etc/ocspd/pki/hsm.d
+dir  path=etc/ocspd/pki/profile.d
+file path=etc/ocspd/pki/token.d/software.xml
+dir  path=etc/ocspd/private
+file Solaris/ocspd.xml path=lib/svc/manifest/application/security/ocspd.xml
+file Solaris/svc-ocspd path=lib/svc/method/svc-ocspd
+file path=usr/bin/ocspd-genreq.sh
+file path=usr/lib/$(MACH64)/pkgconfig/openca-ocspd.pc
+file path=usr/sbin/ocspd
+file ocspd.3 path=usr/share/man/man3/ocspd.3
+file ocspd.conf.3 path=usr/share/man/man3/ocspd.conf.3
+license openca-ocspd.license license=Apache
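Review bot: `dir  path=etc/ocspd/private` is delivered without an explicit mode or owner, so the directory that by its name is meant to hold the responder's private keys gets whatever the consolidation's default transforms assign (not visible here, but typically world-readable and searchable). An explicit restriction such as `dir  path=etc/ocspd/private mode=0700` would state the intent in the manifest. The editable configuration files `etc/ocspd/ocspd.xml`, `etc/ocspd/ca.d/self-certs.xml` and `etc/ocspd/pki/token.d/software.xml` also carry no `preserve=` attribute, so local changes to them would be overwritten on package update; `preserve=renamenew` is the usual choice. In the metadata, pkg.summary says "Certificate State Protocol" where OCSP stands for Online Certificate Status Protocol, and pkg.description has "smarcard".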
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/001-1114efa9e9ac249bcd73b4d541529eb9c03cfd2b.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,1007 @@
+Patch taken directly from upstream GIT repository.
+Version 3.1.2 of openca-ocspd has not been released, yet.
+
+Solaris 12 Userland has the build infrastructure to fetch
+sources from SCM repository based on a particular changeset id.
+Solaris 11.3 lacks such infrastructure and allows to download only
+tarballs. This patch adds on the last released source tarball
+with version 3.1.1 to get the same functionality as present
+in Solaris 12.
+
+Once version 3.1.2 is released, simply delete this patch.
+
+
+
+From 1114efa9e9ac249bcd73b4d541529eb9c03cfd2b Mon Sep 17 00:00:00 2001
+From: "Dr. Massimiliano Pala" <[email protected]>
+Date: Wed, 25 Mar 2015 18:57:52 -0500
+Subject: [PATCH] Added responderIdType option for CA configs. Removed unused
+ addResponderId config options for the responder.
+
+---
+ Makefile.in                  |  15 ++-
+ aclocal.m4                   | 154 +++++++++++++++++++-------
+ configure                    | 251 +++++++++++++++++++------------------------
+ configure.ac                 |   4 +-
+ docs/Makefile.in             |   2 +-
+ etc/Makefile.in              |   2 +-
+ etc/ca.d/collegeca.xml       |   6 ++
+ etc/ca.d/self-certs.xml      |   6 ++
+ etc/ocspd.xml.in             |   3 -
+ src/Makefile.in              |   2 +-
+ src/ocspd/Makefile.in        |   6 +-
+ src/ocspd/config.c           |  49 ++++++---
+ src/ocspd/includes/general.h |  67 ++++++------
+ src/ocspd/response.c         |  14 ++-
+ 14 files changed, 340 insertions(+), 241 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index d85a181..a82f2f7 100644
+--- a/Makefile.in
++++ b/Makefile.in
[email protected]@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.13.4 from Makefile.am.
++# Makefile.in generated by automake 1.14.1 from Makefile.am.
+ # @[email protected]
+ 
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
[email protected]@ -493,8 +493,8 @@ $(ACLOCAL_M4): @[email protected] $(am__aclocal_m4_deps)
+ $(am__aclocal_m4_deps):
+ 
+ src/ocspd/includes/config.h: src/ocspd/includes/stamp-h1
+-	@if test ! -f [email protected]; then rm -f src/ocspd/includes/stamp-h1; else :; fi
+-	@if test ! -f [email protected]; then $(MAKE) $(AM_MAKEFLAGS) src/ocspd/includes/stamp-h1; else :; fi
++	@test -f [email protected] || rm -f src/ocspd/includes/stamp-h1
++	@test -f [email protected] || $(MAKE) $(AM_MAKEFLAGS) src/ocspd/includes/stamp-h1
+ 
+ src/ocspd/includes/stamp-h1: $(top_srcdir)/src/ocspd/includes/config.h.in $(top_builddir)/config.status
+ 	@rm -f src/ocspd/includes/stamp-h1
[email protected]@ -773,10 +773,16 @@ dist-xz: distdir
+ 	$(am__post_remove_distdir)
+ 
+ dist-tarZ: distdir
++	@echo WARNING: "Support for shar distribution archives is" \
++	               "deprecated." >&2
++	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
+ 	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
+ 	$(am__post_remove_distdir)
+ 
+ dist-shar: distdir
++	@echo WARNING: "Support for distribution archives compressed with" \
++		       "legacy program 'compress' is deprecated." >&2
++	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
+ 	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+ 	$(am__post_remove_distdir)
+ 
[email protected]@ -818,9 +824,10 @@ distcheck: dist
+ 	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
+ 	  && am__cwd=`pwd` \
+ 	  && $(am__cd) $(distdir)/_build \
+-	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
++	  && ../configure \
+ 	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
+ 	    $(DISTCHECK_CONFIGURE_FLAGS) \
++	    --srcdir=.. --prefix="$$dc_install_base" \
+ 	  && $(MAKE) $(AM_MAKEFLAGS) \
+ 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
+ 	  && $(MAKE) $(AM_MAKEFLAGS) check \
+diff --git a/aclocal.m4 b/aclocal.m4
+index f5e37ea..0af6916 100644
+--- a/aclocal.m4
++++ b/aclocal.m4
[email protected]@ -1,4 +1,4 @@
+-# generated automatically by aclocal 1.13.4 -*- Autoconf -*-
++# generated automatically by aclocal 1.14.1 -*- Autoconf -*-
+ 
+ # Copyright (C) 1996-2013 Free Software Foundation, Inc.
+ 
[email protected]@ -32,10 +32,10 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])
+ # generated from the m4 files accompanying Automake X.Y.
+ # (This private macro should not be called outside this file.)
+ AC_DEFUN([AM_AUTOMAKE_VERSION],
+-[am__api_version='1.13'
++[am__api_version='1.14'
+ dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
+ dnl require some minimum version.  Point them to the right macro.
+-m4_if([$1], [1.13.4], [],
++m4_if([$1], [1.14.1], [],
+       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
+ ])
+ 
[email protected]@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
+ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
+ # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
+ AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
+-[AM_AUTOMAKE_VERSION([1.13.4])dnl
++[AM_AUTOMAKE_VERSION([1.14.1])dnl
+ m4_ifndef([AC_AUTOCONF_VERSION],
+   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
+ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
[email protected]@ -418,6 +418,12 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
+ # This macro actually does too much.  Some checks are only needed if
+ # your package does certain things.  But this isn't really a big deal.
+ 
++dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O.
++m4_define([AC_PROG_CC],
++m4_defn([AC_PROG_CC])
++[_AM_PROG_CC_C_O
++])
++
+ # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
+ # AM_INIT_AUTOMAKE([OPTIONS])
+ # -----------------------------------------------
[email protected]@ -526,7 +532,48 @@ dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below.
+ AC_CONFIG_COMMANDS_PRE(dnl
+ [m4_provide_if([_AM_COMPILER_EXEEXT],
+   [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
+-])
++
++# POSIX will say in a future version that running "rm -f" with no argument
++# is OK; and we want to be able to make that assumption in our Makefile
++# recipes.  So use an aggressive probe to check that the usage we want is
++# actually supported "in the wild" to an acceptable degree.
++# See automake bug#10828.
++# To make any issue more visible, cause the running configure to be aborted
++# by default if the 'rm' program in use doesn't match our expectations; the
++# user can still override this though.
++if rm -f && rm -fr && rm -rf; then : OK; else
++  cat >&2 <<'END'
++Oops!
++
++Your 'rm' program seems unable to run without file operands specified
++on the command line, even when the '-f' option is present.  This is contrary
++to the behaviour of most rm programs out there, and not conforming with
++the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
++
++Please tell [email protected] about your system, including the value
++of your $PATH and any error possibly output before this message.  This
++can help us improve future automake versions.
++
++END
++  if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
++    echo 'Configuration will proceed anyway, since you have set the' >&2
++    echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
++    echo >&2
++  else
++    cat >&2 <<'END'
++Aborting the configuration process, to ensure you take notice of the issue.
++
++You can download and install GNU coreutils to get an 'rm' implementation
++that behaves properly: <http://www.gnu.org/software/coreutils/>.
++
++If you want to complete the configuration process using your problematic
++'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
++to "yes", and re-run configure.
++
++END
++    AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
++  fi
++fi])
+ 
+ dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion.  Do not
+ dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
[email protected]@ -534,7 +581,6 @@ dnl mangled by Autoconf and run in a shell conditional statement.
+ m4_define([_AC_COMPILER_EXEEXT],
+ m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
+ 
+-
+ # When config.status generates a header, we must update the stamp-h file.
+ # This file resides in the same directory as the config header
+ # that is generated.  The stamp files are numbered to have different names.
[email protected]@ -682,38 +728,6 @@ AC_MSG_RESULT([$_am_result])
+ rm -f confinc confmf
+ ])
+ 
+-# Copyright (C) 1999-2013 Free Software Foundation, Inc.
+-#
+-# This file is free software; the Free Software Foundation
+-# gives unlimited permission to copy and/or distribute it,
+-# with or without modifications, as long as this notice is preserved.
+-
+-# AM_PROG_CC_C_O
+-# --------------
+-# Like AC_PROG_CC_C_O, but changed for automake.
+-AC_DEFUN([AM_PROG_CC_C_O],
+-[AC_REQUIRE([AC_PROG_CC_C_O])dnl
+-AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+-AC_REQUIRE_AUX_FILE([compile])dnl
+-# FIXME: we rely on the cache variable name because
+-# there is no other way.
+-set dummy $CC
+-am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
+-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+-if test "$am_t" != yes; then
+-   # Losing compiler, so override with the script.
+-   # FIXME: It is wrong to rewrite CC.
+-   # But if we don't then we get into trouble of one sort or another.
+-   # A longer-term fix would be to have automake use am__CC in this case,
+-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+-   CC="$am_aux_dir/compile $CC"
+-fi
+-dnl Make sure AC_PROG_CC is never called again, or it will override our
+-dnl setting of CC.
+-m4_define([AC_PROG_CC],
+-          [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
+-])
+-
+ # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
+ 
+ # Copyright (C) 1997-2013 Free Software Foundation, Inc.
[email protected]@ -784,6 +798,70 @@ AC_DEFUN([_AM_SET_OPTIONS],
+ AC_DEFUN([_AM_IF_OPTION],
+ [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
+ 
++# Copyright (C) 1999-2013 Free Software Foundation, Inc.
++#
++# This file is free software; the Free Software Foundation
++# gives unlimited permission to copy and/or distribute it,
++# with or without modifications, as long as this notice is preserved.
++
++# _AM_PROG_CC_C_O
++# ---------------
++# Like AC_PROG_CC_C_O, but changed for automake.  We rewrite AC_PROG_CC
++# to automatically call this.
++AC_DEFUN([_AM_PROG_CC_C_O],
++[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
++AC_REQUIRE_AUX_FILE([compile])dnl
++AC_LANG_PUSH([C])dnl
++AC_CACHE_CHECK(
++  [whether $CC understands -c and -o together],
++  [am_cv_prog_cc_c_o],
++  [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])])
++  # Make sure it works both with $CC and with simple cc.
++  # Following AC_PROG_CC_C_O, we do the test twice because some
++  # compilers refuse to overwrite an existing .o file with -o,
++  # though they will create one.
++  am_cv_prog_cc_c_o=yes
++  for am_i in 1 2; do
++    if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \
++         && test -f conftest2.$ac_objext; then
++      : OK
++    else
++      am_cv_prog_cc_c_o=no
++      break
++    fi
++  done
++  rm -f core conftest*
++  unset am_i])
++if test "$am_cv_prog_cc_c_o" != yes; then
++   # Losing compiler, so override with the script.
++   # FIXME: It is wrong to rewrite CC.
++   # But if we don't then we get into trouble of one sort or another.
++   # A longer-term fix would be to have automake use am__CC in this case,
++   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
++   CC="$am_aux_dir/compile $CC"
++fi
++AC_LANG_POP([C])])
++
++# For backward compatibility.
++AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
++
++# Copyright (C) 2001-2013 Free Software Foundation, Inc.
++#
++# This file is free software; the Free Software Foundation
++# gives unlimited permission to copy and/or distribute it,
++# with or without modifications, as long as this notice is preserved.
++
++# AM_RUN_LOG(COMMAND)
++# -------------------
++# Run COMMAND, save the exit status in ac_status, and log it.
++# (This has been adapted from Autoconf's _AC_RUN_LOG macro.)
++AC_DEFUN([AM_RUN_LOG],
++[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD
++   ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD
++   ac_status=$?
++   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
++   (exit $ac_status); }])
++
+ # Check to make sure that the build environment is sane.    -*- Autoconf -*-
+ 
+ # Copyright (C) 1996-2013 Free Software Foundation, Inc.
+diff --git a/configure b/configure
+index 1c73fed..cfc2d55 100755
+--- a/configure
++++ b/configure
[email protected]@ -1,11 +1,11 @@
+ #! /bin/sh
+ # From configure.ac Revision: 1.4 .
+ # Guess values for system-dependent variables and create Makefiles.
+-# Generated by GNU Autoconf 2.69 for openca-ocspd 3.1.1.
++# Generated by GNU Autoconf 2.69 for openca-ocspd 3.1.2.
+ #
+ # Report bugs to <[email protected]>.
+ #
+-# Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs
++# Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs
+ #
+ #
+ # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
[email protected]@ -593,8 +593,8 @@ MAKEFLAGS=
+ # Identity of this package.
+ PACKAGE_NAME='openca-ocspd'
+ PACKAGE_TARNAME='openca-ocspd'
+-PACKAGE_VERSION='3.1.1'
+-PACKAGE_STRING='openca-ocspd 3.1.1'
++PACKAGE_VERSION='3.1.2'
++PACKAGE_STRING='openca-ocspd 3.1.2'
+ PACKAGE_BUGREPORT='[email protected]'
+ PACKAGE_URL=''
+ 
[email protected]@ -1377,7 +1377,7 @@ if test "$ac_init_help" = "long"; then
+   # Omit some internal or obsolete options to make the list less imposing.
+   # This message is too long to be a string in the A/UX 3.1 sh.
+   cat <<_ACEOF
+-\`configure' configures openca-ocspd 3.1.1 to adapt to many kinds of systems.
++\`configure' configures openca-ocspd 3.1.2 to adapt to many kinds of systems.
+ 
+ Usage: $0 [OPTION]... [VAR=VALUE]...
+ 
[email protected]@ -1448,7 +1448,7 @@ fi
+ 
+ if test -n "$ac_init_help"; then
+   case $ac_init_help in
+-     short | recursive ) echo "Configuration of openca-ocspd 3.1.1:";;
++     short | recursive ) echo "Configuration of openca-ocspd 3.1.2:";;
+    esac
+   cat <<\_ACEOF
+ 
[email protected]@ -1566,14 +1566,14 @@ fi
+ test -n "$ac_init_help" && exit $ac_status
+ if $ac_init_version; then
+   cat <<\_ACEOF
+-openca-ocspd configure 3.1.1
++openca-ocspd configure 3.1.2
+ generated by GNU Autoconf 2.69
+ 
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+ 
+-Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs
++Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs
+ _ACEOF
+   exit
+ fi
[email protected]@ -1937,7 +1937,7 @@ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+ 
+-It was created by openca-ocspd $as_me 3.1.1, which was
++It was created by openca-ocspd $as_me 3.1.2, which was
+ generated by GNU Autoconf 2.69.  Invocation command line was
+ 
+   $ $0 [email protected]
[email protected]@ -2448,7 +2448,7 @@ test -n "$target_alias" &&
+   program_prefix=${target_alias}-
+ 
+ 
+-am__api_version='1.13'
++am__api_version='1.14'
+ 
+ # Find a good install program.  We prefer a C program (faster),
+ # so one script is as good as another.  But avoid the broken or
[email protected]@ -2934,7 +2934,7 @@ fi
+ 
+ # Define the identity of the package.
+  PACKAGE='openca-ocspd'
+- VERSION='3.1.1'
++ VERSION='3.1.2'
+ 
+ 
+ cat >>confdefs.h <<_ACEOF
[email protected]@ -2985,6 +2985,47 @@ am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'
+ 
+ 
+ 
++# POSIX will say in a future version that running "rm -f" with no argument
++# is OK; and we want to be able to make that assumption in our Makefile
++# recipes.  So use an aggressive probe to check that the usage we want is
++# actually supported "in the wild" to an acceptable degree.
++# See automake bug#10828.
++# To make any issue more visible, cause the running configure to be aborted
++# by default if the 'rm' program in use doesn't match our expectations; the
++# user can still override this though.
++if rm -f && rm -fr && rm -rf; then : OK; else
++  cat >&2 <<'END'
++Oops!
++
++Your 'rm' program seems unable to run without file operands specified
++on the command line, even when the '-f' option is present.  This is contrary
++to the behaviour of most rm programs out there, and not conforming with
++the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
++
++Please tell [email protected] about your system, including the value
++of your $PATH and any error possibly output before this message.  This
++can help us improve future automake versions.
++
++END
++  if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
++    echo 'Configuration will proceed anyway, since you have set the' >&2
++    echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
++    echo >&2
++  else
++    cat >&2 <<'END'
++Aborting the configuration process, to ensure you take notice of the issue.
++
++You can download and install GNU coreutils to get an 'rm' implementation
++that behaves properly: <http://www.gnu.org/software/coreutils/>.
++
++If you want to complete the configuration process using your problematic
++'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
++to "yes", and re-run configure.
++
++END
++    as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
++  fi
++fi
+ 
+ #AC_DISABLE_FAST_INSTALL
+ #AC_DISABLE_SHARED
[email protected]@ -3957,6 +3998,65 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+ 
++ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5
++$as_echo_n "checking whether $CC understands -c and -o together... " >&6; }
++if ${am_cv_prog_cc_c_o+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++
++int
++main ()
++{
++
++  ;
++  return 0;
++}
++_ACEOF
++  # Make sure it works both with $CC and with simple cc.
++  # Following AC_PROG_CC_C_O, we do the test twice because some
++  # compilers refuse to overwrite an existing .o file with -o,
++  # though they will create one.
++  am_cv_prog_cc_c_o=yes
++  for am_i in 1 2; do
++    if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5
++   ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5
++   ac_status=$?
++   echo "$as_me:$LINENO: \$? = $ac_status" >&5
++   (exit $ac_status); } \
++         && test -f conftest2.$ac_objext; then
++      : OK
++    else
++      am_cv_prog_cc_c_o=no
++      break
++    fi
++  done
++  rm -f core conftest*
++  unset am_i
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5
++$as_echo "$am_cv_prog_cc_c_o" >&6; }
++if test "$am_cv_prog_cc_c_o" != yes; then
++   # Losing compiler, so override with the script.
++   # FIXME: It is wrong to rewrite CC.
++   # But if we don't then we get into trouble of one sort or another.
++   # A longer-term fix would be to have automake use am__CC in this case,
++   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
++   CC="$am_aux_dir/compile $CC"
++fi
++ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++
+ depcc="$CC"   am_compiler_list=
+ 
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
[email protected]@ -4585,131 +4685,6 @@ done
+ ac_config_headers="$ac_config_headers src/ocspd/includes/config.h"
+ 
+ 
+-if test "x$CC" != xcc; then
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5
+-$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; }
+-else
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5
+-$as_echo_n "checking whether cc understands -c and -o together... " >&6; }
+-fi
+-set dummy $CC; ac_cc=`$as_echo "$2" |
+-		      sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+-if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-# Make sure it works both with $CC and with simple cc.
+-# We do the test twice because some compilers refuse to overwrite an
+-# existing .o file with -o, though they will create one.
+-ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+-rm -f conftest2.*
+-if { { case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+-$as_echo "$ac_try_echo"; } >&5
+-  (eval "$ac_try") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; } &&
+-   test -f conftest2.$ac_objext && { { case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+-$as_echo "$ac_try_echo"; } >&5
+-  (eval "$ac_try") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; };
+-then
+-  eval ac_cv_prog_cc_${ac_cc}_c_o=yes
+-  if test "x$CC" != xcc; then
+-    # Test first that cc exists at all.
+-    if { ac_try='cc -c conftest.$ac_ext >&5'
+-  { { case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+-$as_echo "$ac_try_echo"; } >&5
+-  (eval "$ac_try") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; }; then
+-      ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
+-      rm -f conftest2.*
+-      if { { case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+-$as_echo "$ac_try_echo"; } >&5
+-  (eval "$ac_try") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; } &&
+-	 test -f conftest2.$ac_objext && { { case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+-$as_echo "$ac_try_echo"; } >&5
+-  (eval "$ac_try") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; };
+-      then
+-	# cc works too.
+-	:
+-      else
+-	# cc exists but doesn't like -o.
+-	eval ac_cv_prog_cc_${ac_cc}_c_o=no
+-      fi
+-    fi
+-  fi
+-else
+-  eval ac_cv_prog_cc_${ac_cc}_c_o=no
+-fi
+-rm -f core conftest*
+-
+-fi
+-if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-else
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h
+-
+-fi
+-
+-# FIXME: we rely on the cache variable name because
+-# there is no other way.
+-set dummy $CC
+-am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
+-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
+-if test "$am_t" != yes; then
+-   # Losing compiler, so override with the script.
+-   # FIXME: It is wrong to rewrite CC.
+-   # But if we don't then we get into trouble of one sort or another.
+-   # A longer-term fix would be to have automake use am__CC in this case,
+-   # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+-   CC="$am_aux_dir/compile $CC"
+-fi
+-
+ 
+ 
+ ac_ext=c
[email protected]@ -13875,7 +13850,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ # report actual input values of CONFIG_FILES etc. instead of their
+ # values after options handling.
+ ac_log="
+-This file was extended by openca-ocspd $as_me 3.1.1, which was
++This file was extended by openca-ocspd $as_me 3.1.2, which was
+ generated by GNU Autoconf 2.69.  Invocation command line was
+ 
+   CONFIG_FILES    = $CONFIG_FILES
[email protected]@ -13941,7 +13916,7 @@ _ACEOF
+ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ ac_cs_version="\\
+-openca-ocspd config.status 3.1.1
++openca-ocspd config.status 3.1.2
+ configured by $0, generated by GNU Autoconf 2.69,
+   with options \\"\$ac_cs_config\\"
+ 
+diff --git a/configure.ac b/configure.ac
+index e4ccf22..b9e370c 100644
+--- a/configure.ac
++++ b/configure.ac
[email protected]@ -2,10 +2,10 @@ dnl -*- mode: m4; -*-
+ dnl Process this file with autoconf to produce a configure script.
+ AC_REVISION($Revision: 1.4 $)
+ 
+-AC_COPYRIGHT([Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs])
++AC_COPYRIGHT([Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs])
+ 
+ dnl Autoconf
+-AC_INIT(openca-ocspd, 3.1.1, [[email protected]], [openca-ocspd])
++AC_INIT(openca-ocspd, 3.1.2, [[email protected]], [openca-ocspd])
+ 
+ dnl Some variables
+ VERSION=$PACKAGE_VERSION
+diff --git a/docs/Makefile.in b/docs/Makefile.in
+index 85ac380..140207a 100644
+--- a/docs/Makefile.in
++++ b/docs/Makefile.in
[email protected]@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.13.4 from Makefile.am.
++# Makefile.in generated by automake 1.14.1 from Makefile.am.
+ # @[email protected]
+ 
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
+diff --git a/etc/Makefile.in b/etc/Makefile.in
+index 7af691f..a174a3d 100644
+--- a/etc/Makefile.in
++++ b/etc/Makefile.in
[email protected]@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.13.4 from Makefile.am.
++# Makefile.in generated by automake 1.14.1 from Makefile.am.
+ # @[email protected]
+ 
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
+diff --git a/etc/ca.d/collegeca.xml b/etc/ca.d/collegeca.xml
+index e67a939..3471267 100644
+--- a/etc/ca.d/collegeca.xml
++++ b/etc/ca.d/collegeca.xml
[email protected]@ -28,6 +28,12 @@
+         the serverToken is used, it has the precedence over the serverCertUrl
+         one -->
+    <!-- <pki:serverToken></pki:serverToken> -->
++   <!-- This allows for setting the responderIdType for the responder. The allowed
++	values are:
++	- 'name' for using the hash of the signer's certificate name
++	- 'keyid' for using the hash of the signer's public key
++	The default value (if not set) is to use the name identifier -->
++   <pki:responderIdType>name</pki:responderIdType>
+    <!-- In case a CA is compromised, set this option to yes. All the
+         responses for this CA will carry the caCompromised flag. -->
+    <pki:caCompromised>no</pki:caCompromised>
+diff --git a/etc/ca.d/self-certs.xml b/etc/ca.d/self-certs.xml
+index 2665175..f03a2e1 100644
+--- a/etc/ca.d/self-certs.xml
++++ b/etc/ca.d/self-certs.xml
[email protected]@ -28,6 +28,12 @@
+         the serverToken is used, it has the precedence over the serverCertUrl
+         one -->
+    <!-- <pki:serverToken></pki:serverToken> -->
++   <!-- This allows for setting the responderIdType for the responder. The allowed
++	values are:
++	- 'name' for using the hash of the signer's certificate name
++	- 'keyid' for using the hash of the signer's public key
++	The default value (if not set) is to use the name identifier -->
++   <pki:responderIdType>name</pki:responderIdType>
+    <!-- In case a CA is compromised, set this option to yes. All the
+         responses for this CA will carry the caCompromised flag. -->
+    <pki:caCompromised>no</pki:caCompromised>
+diff --git a/etc/ocspd.xml.in b/etc/ocspd.xml.in
+index bb74d34..c028e67 100644
+--- a/etc/ocspd.xml.in
++++ b/etc/ocspd.xml.in
[email protected]@ -59,9 +59,6 @@
+       <!-- Digest Algorithm to be used when signing responses, currently
+            for some CISCO devices SHA1 is the only supported algorithm -->
+       <pki:signatureDigestAlgorithm>SHA1</pki:signatureDigestAlgorithm>
+-      <!-- Set this option if you want to include the KeyID. If you are
+-           unsure about this setting, use 'yes'. -->
+-      <pki:addResponseKeyID>yes</pki:addResponseKeyID>
+       <!-- Validity Period of responses, clients are not supposed to ask
+            informations about the same CA within this validity period
+            If the two options are both set to '0' the 'nextUpdate' field
+diff --git a/src/Makefile.in b/src/Makefile.in
+index c7b1dcf..23c5b79 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
[email protected]@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.13.4 from Makefile.am.
++# Makefile.in generated by automake 1.14.1 from Makefile.am.
+ # @[email protected]
+ 
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
+diff --git a/src/ocspd/Makefile.in b/src/ocspd/Makefile.in
+index 0c02f4e..3ecb86f 100644
+--- a/src/ocspd/Makefile.in
++++ b/src/ocspd/Makefile.in
[email protected]@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.13.4 from Makefile.am.
++# Makefile.in generated by automake 1.14.1 from Makefile.am.
+ # @[email protected]
+ 
+ # Copyright (C) 1994-2013 Free Software Foundation, Inc.
[email protected]@ -442,14 +442,14 @@ distclean-compile:
+ @[email protected]	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+ @[email protected]@[email protected]	$(AM_V_CC)source='$<' object='[email protected]' libtool=no @[email protected]
+ @[email protected]@[email protected]	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @[email protected]
[email protected][email protected]	$([email protected][email protected])$(COMPILE) -c $<
[email protected][email protected]	$([email protected][email protected])$(COMPILE) -c -o [email protected] $<
+ 
+ .c.obj:
+ @[email protected]	$(AM_V_CC)$(COMPILE) -MT [email protected] -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o [email protected] `$(CYGPATH_W) '$<'`
+ @[email protected]	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+ @[email protected]@[email protected]	$(AM_V_CC)source='$<' object='[email protected]' libtool=no @[email protected]
+ @[email protected]@[email protected]	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @[email protected]
[email protected][email protected]	$([email protected][email protected])$(COMPILE) -c `$(CYGPATH_W) '$<'`
[email protected][email protected]	$([email protected][email protected])$(COMPILE) -c -o [email protected] `$(CYGPATH_W) '$<'`
+ 
+ .c.lo:
+ @[email protected]	$(AM_V_CC)$(LTCOMPILE) -MT [email protected] -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o [email protected] $<
+diff --git a/src/ocspd/config.c b/src/ocspd/config.c
+index 5ee4258..3ecb676 100644
+--- a/src/ocspd/config.c
++++ b/src/ocspd/config.c
[email protected]@ -300,17 +300,6 @@ OCSPD_CONFIG * OCSPD_load_config(char *configfile)
+ 		PKI_Free(tmp_s);
+ 	}
+ 
+-	/* Digest Algorithm to be used */
+-	if ((tmp_s = PKI_CONFIG_get_value(cnf, "/serverConfig/response/addResponseKeyID")) != NULL)
+-	{
+-		if (strncmp_nocase(tmp_s, "n", 1) == 0) 
+-		{
+-			h->add_response_keyid = 1;
+-		}
+-
+-		PKI_Free(tmp_s);
+-	}
+-
+ 	/* Now Parse the PRQP Response Section */
+ 	if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/response/validity/days" )) != NULL)
+ 	{
[email protected]@ -578,21 +567,53 @@ int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
+ 			ca->token_name = tmp_s;
+ 			ca->token = PKI_TOKEN_new_null();
+ 
+-			if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL)
++			if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL) {
+ 				ca->token_config_dir = strdup( tmp_s );
++				PKI_Free(tmp_s);
++			}
+ 			else
++			{
+ 				ca->token_config_dir = strdup(handler->token_config_dir);
++			}
+ 		}
+ 
+-		if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL)
++		if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL) {
+ 			ca->compromised = 0;
++		}
+ 		else
++		{
+ 			ca->compromised = atoi(tmp_s);
++			PKI_Free(tmp_s);
++		}
++
++		/* Responder Id Type */
++		if ((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/responderIdType")) != NULL)
++		{
++			if (strncmp_nocase(tmp_s, "keyid", 5) == 0) 
++			{
++				ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_KEYID;
++			}
++			else if (strncmp_nocase(tmp_s, "name", 4) == 0)
++			{
++				ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
++			}
++			else
++			{
++				PKI_log_err("Can not parse responderIdType: %s (allowed 'keyid' or 'name')", tmp_s);
++				exit(1);
++			}
++
++			PKI_Free(tmp_s);
++		}
++		else
++		{
++			// Default Value
++			ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
++		}
+ 
+ 		// Now let's add the CA_LIST_ENTRY to the list of configured CAs
+ 		PKI_STACK_push ( ca_list, ca );
+ 
+-		PKI_Free(tmp_s);
+ 	}
+ 
+ 	handler->ca_list = ca_list;
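Review bot: `ca->compromised = atoi(tmp_s);` in this hunk parses `/caConfig/caCompromised` as an integer, but the sample CA files in the same patch document the option as yes/no ("set this option to yes", `<pki:caCompromised>no</pki:caCompromised>`). Since `atoi("yes")` is 0, an operator who follows that comment would leave a compromised CA answering as healthy, unless the value is normalised somewhere not shown. The line is unchanged context of the upstream change, but this changeset is what brings it into the tree, so a local fix is worth carrying, e.g. `ca->compromised = (strncmp_nocase(tmp_s, "yes", 3) == 0) || (atoi(tmp_s) > 0);`. The new responderIdType branch is loose in a similar way: `strncmp_nocase(tmp_s, "keyid", 5)` accepts any value that merely starts with `keyid`. OCSPD_build_ca_list begins and ends outside the hunk.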
+diff --git a/src/ocspd/includes/general.h b/src/ocspd/includes/general.h
+index f82f236..34c453e 100644
+--- a/src/ocspd/includes/general.h
++++ b/src/ocspd/includes/general.h
[email protected]@ -110,51 +110,53 @@ typedef struct ca_entry_certid
+ #define sk_CA_ENTRY_CERTID_find(st) SKM_sk_find(CA_ENTRY_CERTID, (st))
+ 
+ /* List of available CAs */
+-typedef struct ca_list_st
+-	{
+-		/* CA Identifier - Name from config file */
+-		char *ca_id;
++typedef struct ca_list_st {
++	/* CA Identifier - Name from config file */
++	char *ca_id;
+ 
+-		/* CA Status - If compromised > 0 respond all revoked */
+-		int compromised;
++	/* CA Status - If compromised > 0 respond all revoked */
++	int compromised;
+ 
+-		/* CA certificate */
+-		PKI_X509_CERT *ca_cert;
++	/* CA certificate */
++	PKI_X509_CERT *ca_cert;
+ 
+-		/* Cert Identifier */
+-		CA_ENTRY_CERTID *cid;
++	/* Cert Identifier */
++	CA_ENTRY_CERTID *cid;
+ 
+-		/* CA certificate URL */
+-		URL *ca_url;
++	/* CA certificate URL */
++	URL *ca_url;
+ 
+-		/* CRL URL */
+-		URL *crl_url;
++	/* CRL URL */
++	URL *crl_url;
+ 
+-		/* CRL data */
+-		PKI_X509_CRL *crl;
++	/* CRL data */
++	PKI_X509_CRL *crl;
+ 
+-		/* Pointer to the list of CRLs entries */
+-		STACK_OF(X509_REVOKED) *crl_list;
++	/* Pointer to the list of CRLs entries */
++	STACK_OF(X509_REVOKED) *crl_list;
+ 
+-		/* X509 nextUpdate and lastUpdate */
+-		PKI_TIME *nextUpdate;
+-		PKI_TIME *lastUpdate;
++	/* X509 nextUpdate and lastUpdate */
++	PKI_TIME *nextUpdate;
++	PKI_TIME *lastUpdate;
+ 
+-		/* Options for auto reloading of CRL upon expiration */
+-		int crl_status;
++	/* Options for auto reloading of CRL upon expiration */
++	int crl_status;
+ 
+-		/* Number of entries present in the list */
+-		unsigned long entries_num;
++	/* Number of entries present in the list */
++	unsigned long entries_num;
+ 
+-		/* TOKEN to be used with this CA - if null, the default
+-                 * one will be used */
+-		PKI_X509_CERT *server_cert;
++	/* TOKEN to be used with this CA - if null, the default
++         * one will be used */
++	PKI_X509_CERT *server_cert;
+ 
+-		char *token_name;
+-		char *token_config_dir;
+-		PKI_TOKEN *token;
++	char *token_name;
++	char *token_config_dir;
++	PKI_TOKEN *token;
++	
++	/* Responder Identifier Type */
++	int response_id_type;
+ 
+-	} CA_LIST_ENTRY;
++} CA_LIST_ENTRY;
+ 
+ typedef struct {
+ 	pthread_t thread_tid;
[email protected]@ -193,7 +195,6 @@ typedef struct ocspd_config {
+ 	int nmin;
+ 	int ndays;
+ 	int set_nextUpdate;
+-	int add_response_keyid;
+ 
+ 	int flags;
+ 
+diff --git a/src/ocspd/response.c b/src/ocspd/response.c
+index 1dd39cb..9933f1e 100644
+--- a/src/ocspd/response.c
++++ b/src/ocspd/response.c
[email protected]@ -27,7 +27,8 @@ static const char *statusInfo[] = {
+ 		NULL
+ };
+ 
+-int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CERT *signCert, PKI_X509_CERT *caCert, PKI_TOKEN *tk)
++int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CERT *signCert, 
++		       PKI_X509_CERT *caCert, PKI_TOKEN *tk, PKI_X509_OCSP_RESPID_TYPE resp_id_type)
+ {
+ 	PKI_DIGEST_ALG * sign_dgst = NULL;
+ 	PKI_OCSP_RESP  * r = NULL;
[email protected]@ -106,7 +107,9 @@ int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CE
+ 	}
+ 
+ 	// Now generate the signature for the response
+-	sig_rv = PKI_X509_OCSP_RESP_sign(resp, tk->keypair, signCert, caCert, tk->otherCerts, sign_dgst);
++	sig_rv = PKI_X509_OCSP_RESP_sign(resp, tk->keypair, signCert, 
++					 caCert, tk->otherCerts, 
++					 sign_dgst, resp_id_type);
+ 
+ 	// Checks the return code and report the error (if any)
+ 	if (sig_rv != PKI_OK)
[email protected]@ -206,6 +209,8 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
+ 	PKI_X509_OCSP_RESP *resp = NULL;
+ 	PKI_X509_OCSP_REQ_VALUE *req_val = NULL;
+ 
++	PKI_X509_OCSP_RESPID_TYPE resp_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
++
+ 	PKI_TOKEN *tk = NULL;
+ 
+ 	PKI_X509_CERT *signCert = NULL;
[email protected]@ -339,6 +344,9 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
+ 			else signCert = NULL;
+ 		}
+ 
++		// Response Id Type
++		resp_id_type = ca->response_id_type;
++
+ 		// Here we check for the case where the CRL status is not ok, so
+ 		// we ask the client to try later, hopefully when we have a valid
+ 		// CRL to provide the response with
[email protected]@ -498,7 +506,7 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
+ 	// Now we need to sign the response
+ 	if (resp != NULL && signResponse == 1)
+ 	{
+-		if (sign_ocsp_response(resp, conf, signCert, caCert, tk) != PKI_OK)
++		if (sign_ocsp_response(resp, conf, signCert, caCert, tk, resp_id_type) != PKI_OK)
+ 		{
+ 			// Free the current response, and generate the appropriate error
+ 			PKI_X509_OCSP_RESP_free(resp);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/002-a10cad65c94c59125c9eebbba04877e22a85000a.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,35 @@
+Patch taken directly from upstream GIT repository.
+Version 3.1.2 of openca-ocspd has not been released, yet.
+
+Solaris 12 Userland has the build infrastructure to fetch
+sources from SCM repository based on a particular changeset id.
+Solaris 11.3 lacks such infrastructure and allows to download only
+tarballs. This patch adds on the last released source tarball
+with version 3.1.1 to get the same functionality as present
+in Solaris 12.
+
+Once version 3.1.2 is released, simply delete this patch.
+
+
+
+From a10cad65c94c59125c9eebbba04877e22a85000a Mon Sep 17 00:00:00 2001
+From: "Dr. Massimiliano Pala" <[email protected]>
+Date: Wed, 25 Mar 2015 18:59:07 -0500
+Subject: [PATCH] Updated Changelog.
+
+---
+ ChangeLog | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0918e59..23a5ca5 100644
+--- a/ChangeLog
++++ b/ChangeLog
[email protected]@ -1,3 +1,7 @@
++* Mar 25 2015 Massimiliano Pala <[email protected]>
++- Added the responderIdType option for CA configuration
++- Removed not-used addResponderKeyID option for OCSP responder config
++
+ * Mar 24 2015 Massimiliano Pala <[email protected]>
+ - Modified behavior by providing normal responses if crlValidityCheck is 0
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/003-0f16341e167720a5e7d40d748ded093e10351c44.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,77 @@
+Patch taken directly from upstream GIT repository.
+Version 3.1.2 of openca-ocspd has not been released, yet.
+
+Solaris 12 Userland has the build infrastructure to fetch
+sources from SCM repository based on a particular changeset id.
+Solaris 11.3 lacks such infrastructure and allows to download only
+tarballs. This patch adds on the last released source tarball
+with version 3.1.1 to get the same functionality as present
+in Solaris 12.
+
+Once version 3.1.2 is released, simply delete this patch.
+
+
+
+From 0f16341e167720a5e7d40d748ded093e10351c44 Mon Sep 17 00:00:00 2001
+From: "Dr. Massimiliano Pala" <[email protected]>
+Date: Wed, 25 Mar 2015 19:09:15 -0500
+Subject: [PATCH] Updated version and requirements information.
+
+---
+ ChangeLog    | 1 +
+ README       | 2 +-
+ configure    | 2 +-
+ configure.ac | 2 +-
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 23a5ca5..49ab107 100644
+--- a/ChangeLog
++++ b/ChangeLog
[email protected]@ -1,6 +1,7 @@
+ * Mar 25 2015 Massimiliano Pala <[email protected]>
+ - Added the responderIdType option for CA configuration
+ - Removed not-used addResponderKeyID option for OCSP responder config
++- Updated requirement for LibPKI v0.8.9+
+ 
+ * Mar 24 2015 Massimiliano Pala <[email protected]>
+ - Modified behavior by providing normal responses if crlValidityCheck is 0
+diff --git a/README b/README
+index 8089081..bf1b100 100644
+--- a/README
++++ b/README
[email protected]@ -36,7 +36,7 @@ and the OCSPD packages at:
+    http://wiki.openca.org/wiki/index.php/LibPKI
+    http://wiki.openca.org/wiki/index.php/OCSP_Daemon
+ 
+-NOTE: v2.5.1+ requires LibPKI v0.8.2+
++NOTE: v3.1.2+ requires LibPKI v0.8.9+
+ 
+ 3. Provided files
+ =================
+diff --git a/configure b/configure
+index cfc2d55..860ef3f 100755
+--- a/configure
++++ b/configure
[email protected]@ -13087,7 +13087,7 @@ pkildlibs="`${libpki_config} --libs`"
+ pkiversion=`${libpki_config} --version`
+ pkiversion_num=`echo $pkiversion | sed "s|\.||g"`
+ 
+-pkirequired="0.8.8"
++pkirequired="0.8.9"
+ pkirequired_num=`echo $pkirequired | sed "s|\.||g"`
+ 
+ if [ $pkiversion_num -lt $pkirequired_num ] ; then
+diff --git a/configure.ac b/configure.ac
+index b9e370c..9b507b8 100644
+--- a/configure.ac
++++ b/configure.ac
[email protected]@ -291,7 +291,7 @@ pkildlibs="`${libpki_config} --libs`"
+ pkiversion=`${libpki_config} --version`
+ pkiversion_num=`echo $pkiversion | sed "s|\.||g"`
+ 
+-pkirequired="0.8.8"
++pkirequired="0.8.9"
+ pkirequired_num=`echo $pkirequired | sed "s|\.||g"`
+ 
+ if [[ $pkiversion_num -lt $pkirequired_num ]] ; then
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/01-configure.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,59 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Need to add architectures and use an appropriate path for Oracle build
+environments.
+
+The default user/group should be daemon/daemon on Solaris.
+
+--- openca-ocspd-3.1.2/configure	2015-11-10 13:31:40.892916326 -0800
++++ openca-ocspd-3.1.2/configure	2016-05-04 14:52:19.134435130 -0700
[email protected]@ -2331,7 +2331,7 @@
+ 
+ 
+ mybits=""
+-if [ `uname -m` = "x86_64" ] ; then
++if [ `uname -m` = "x86_64" ] || [ `uname -m` = "i86pc" ] || [ `uname -m` = "sun4v" ]; then
+ 	mybits="64";
+ fi
+ 
[email protected]@ -3092,6 +3092,7 @@
+ arch_target=
+ 
+ case "$target" in
++	i386-pc-*)        arch_target=x86_64 ;;
+ 	i*86-*)           arch_target=x86 ;;
+ 	x86_64-*)         arch_target=x86_64 ;;
+ 	sparc*-*)         arch_target=Sparc ;;
[email protected]@ -13023,8 +13024,19 @@
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: with libpki-prefix     : $libpki_prefix " >&5
+ $as_echo "with libpki-prefix     : $libpki_prefix " >&6; }
+ 
++case `uname -m`  in
++  "i86pc")
++  mach64=amd64
++  ;;
++  "sun4v")
++  mach64=sparcv9
++  ;;
++  *)
++  ;;
++esac
++
+ if [ "x$libpki_prefix" != x ]; then
+-        libpki_path=$libpki_prefix/lib
++        libpki_path=$libpki_prefix/lib/${mach64}
+         libpki_config="${libpki_prefix}/bin/libpki-config"
+ else
+         # Extract the first word of "libpki-config", so it can be a program name with args.
[email protected]@ -13152,8 +13164,8 @@
+ 
+ 
+ 
+-default_user=nobody
+-default_group=nobody
++default_user=daemon
++default_group=daemon
+ 
+ if [ "x$DIST_NAME" = "xUbuntu" ] ; then
+ 	default_user=www-data
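Review bot: `default_user=daemon` / `default_group=daemon` in the last hunk of this patch runs the responder under an account that other system services conventionally share, so any file that account can read is exposed to every other process with the same uid. The token configuration elsewhere in this changeset points the signing key at `/etc/ocspd/private/key.pem`. Whether ocspd loads that key before dropping privileges is not visible here, so the key file's owner and mode need to be checked against this choice. A dedicated service account would isolate the OCSP signing key; if daemon is kept, the patch header should say so explicitly, for example `ocspd runs as daemon:daemon, an account shared with other services; the signing key must not be readable by it`. The configure code being patched continues outside each hunk.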
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/02-makefile.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,58 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Need to set an appropriate etc directory path.
+
+Should not install an init script because Solaris uses an SMF service.
+
+Need to include $(top_srcdir)/src/ocspd/includes because not all headers are
+available in $(top_builddir)/src/ocspd/includes.
+
+--- openca-ocspd-3.1.2/etc/Makefile.in	2015-11-10 13:31:41.475359746 -0800
++++ openca-ocspd-3.1.2/etc/Makefile.in	2016-03-04 13:30:46.052651164 -0800
[email protected]@ -268,7 +268,7 @@
+ top_srcdir = @[email protected]
+ user = @[email protected]
+ TOP = ..
+-etc_prefix = $(DESTDIR)${exec_prefix}/etc
++etc_prefix = $(DESTDIR)/etc
+ lib_prefix = $(DESTDIR)@[email protected]
+ var_prefix = $(DESTDIR)${exec_prefix}/var
+ doc_prefix = $(DESTDIR)${datadir}/openca-prqpd
[email protected]@ -306,8 +306,6 @@
+ $(ACLOCAL_M4): @[email protected] $(am__aclocal_m4_deps)
+ 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+ $(am__aclocal_m4_deps):
+-ocspd: $(top_builddir)/config.status $(srcdir)/ocspd.in
+-	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/[email protected]
+ ocspd.xml: $(top_builddir)/config.status $(srcdir)/ocspd.xml.in
+ 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/[email protected]
+ 
[email protected]@ -472,7 +470,6 @@
+ install-data-local:
+ 	@$(NORMAL_INSTALL)
+ 	$(mkinstalldirs) $(etc_prefix); \
+-	$(mkinstalldirs) $(etc_prefix)/init.d; \
+ 	$(mkinstalldirs) $(etc_prefix)/ocspd; \
+ 	$(mkinstalldirs) $(etc_prefix)/ocspd/certs; \
+ 	$(mkinstalldirs) $(etc_prefix)/ocspd/crls; \
[email protected]@ -487,8 +484,6 @@
+ 	      $(INSTALL_DATA) $$file $(etc_prefix)/ocspd; \
+ 	    fi \
+ 	  done ;
+-	@ $(INSTALL_DATA) ocspd $(etc_prefix)/init.d/; \
+-	$(CHMOD) +x $(etc_prefix)/init.d/ocspd ;
+ 	@for file in token.d/*.xml ; do \
+ 	    if test -f $$file ; then \
+ 		$(INSTALL_DATA) $$file $(etc_prefix)/ocspd/pki/token.d ; \
+--- openca-ocspd-3.1.2/src/ocspd/Makefile.in	Tue Nov 10 13:31:41 2015
++++ openca-ocspd-3.1.2/src/ocspd/Makefile.in	Wed Jan 27 14:36:14 2016
[email protected]@ -118,7 +118,7 @@
+ am__v_at_ = $([email protected][email protected])
+ am__v_at_0 = @
+ am__v_at_1 = 
+-DEFAULT_INCLUDES = [email protected][email protected] -I$(top_builddir)/src/ocspd/includes
++DEFAULT_INCLUDES = [email protected][email protected] -I$(top_builddir)/src/ocspd/includes  -I$(top_srcdir)/src/ocspd/includes
+ depcomp = $(SHELL) $(top_srcdir)/build/depcomp
+ am__depfiles_maybe = depfiles
+ am__mv = mv -f
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/03-pod.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,13 @@
+Patch origin: in-house
+Patch status: not Solaris-specific; suitable for upstream
+
+Syntax error. =back is missing.
+
+--- openca-ocspd-3.1.2/docs/ocspd.3.pod	Tue Nov 10 13:31:40 2015
++++ openca-ocspd-3.1.2/docs/ocspd.3.pod	Thu Dec 17 13:07:42 2015
[email protected]@ -114,4 +114,4 @@
+ 
+ =cut
+ 
+-
++=back
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/04-etc.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,63 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Need to use appropriate paths on Solaris.
+
+--- openca-ocspd-3.1.2/etc/ca.d/self-certs.xml	2015-11-10 13:31:41.488330851 -0800
++++ openca-ocspd-3.1.2/etc/ca.d/self-certs.xml	2016-05-02 13:16:41.626691944 -0700
[email protected]@ -14,9 +14,9 @@
+    <!--
+    <pki:caCertUrl>ldap://ldap.dartmouth.edu:389/cn=Dartmouth CertAuth1, o=Dartmouth College, C=US, dc=dartmouth, dc=edu?cACertificate;binary</pki:caCertUrl>
+    -->
+-   <pki:caCertUrl>etc/ocspd/certs/cacert.pem</pki:caCertUrl>
++   <pki:caCertUrl>/etc/ocspd/certs/cacert.pem</pki:caCertUrl>
+    <!-- <pki:caCertUrl>/usr/local/openca-ocspd/etc/ocspd/certs/cacert.pem</pki:caCertUrl> -->
+-   <pki:crlUrl>etc/ocspd/crls/crl.pem</pki:crlUrl>
++   <pki:crlUrl>/etc/ocspd/crls/crl.pem</pki:crlUrl>
+    <!-- Use serverCertUrl if your OCSP server has only one private
+         keypair (configured in the ocsp.xml -> token ) but different
+         certificates issued by different CAs. This is the cert that
+--- openca-ocspd-3.1.2/etc/ocspd.xml.in	2015-11-10 13:31:41.502549439 -0800
++++ openca-ocspd-3.1.2/etc/ocspd.xml.in	2016-03-15 15:36:10.455463843 -0700
[email protected]@ -5,16 +5,16 @@
+    <pki:general>
+       <!-- Directory where configurations about libPKI token (e.g., token.d/,
+            hsm.d/, etc... ) are located -->
+-      <pki:pkiConfigDir>@[email protected]/etc/ocspd/pki</pki:pkiConfigDir>
++      <pki:pkiConfigDir>/etc/ocspd/pki</pki:pkiConfigDir>
+       <!-- Name of the token configuration to be used for the server, check
+            the libPKI documentations for more details -->
+       <pki:token>ocspServerToken</pki:token>
+       <!-- Directory containing all the configuration files for the supported
+            CAs -->
+-      <pki:caConfigDir>@[email protected]/etc/ocspd/ca.d</pki:caConfigDir>
++      <pki:caConfigDir>/etc/ocspd/ca.d</pki:caConfigDir>
+       <!-- File where the server will write its own Process id (PID) into
+            upon startup -->
+-      <pki:pidFile>@[email protected]/var/run/ocspd.pid</pki:pidFile>
++      <pki:pidFile>/var/run/ocspd.pid</pki:pidFile>
+       <!-- Number of threads to be pre-spawned -->
+       <pki:spawnThreads>10</pki:spawnThreads>
+       <!-- Auto Reload Timeout (secs) -->
+--- openca-ocspd-3.1.2/etc/token.d/software.xml.in	2015-11-10 13:31:41.529632712 -0800
++++ openca-ocspd-3.1.2/etc/token.d/software.xml.in	2016-04-08 11:21:38.576873784 -0700
[email protected]@ -8,14 +8,14 @@
+   <!-- HSM specification for server token -->
+   <!-- <pki:hsm>software</pki:hsm> -->
+   <!-- Private key identifier (URI - file:// id:// etc.. ) -->
+-  <pki:keypair>file://@[email protected]/etc/ocspd/private/key.pem</pki:keypair>
++  <pki:keypair>file:///etc/ocspd/private/key.pem</pki:keypair>
+   <!-- Certificate identifier (URI) -->
+-  <pki:cert>file://@[email protected]/etc/ocspd/certs/cert.pem</pki:cert>
++  <pki:cert>file:///etc/ocspd/certs/cert.pem</pki:cert>
+   <!-- CA Certificate -->
+-  <pki:cacert>file://@[email protected]/etc/ocspd/certs/cacert.pem</pki:cacert>
++  <pki:cacert>file:///etc/ocspd/certs/cacert.pem</pki:cacert>
+   <!-- Certificates -->
+-  <pki:othercerts>file:://@[email protected]/etc/ocspd/certs/other-certs.pem</pki:othercerts>
+-  <pki:trustedcerts>file:://@[email protected]/etc/ocspd/certs/trusted-certs.pem</pki:trustedcerts>
++  <!-- <pki:othercerts>file::///etc/ocspd/certs/other-certs.pem</pki:othercerts> -->
++  <!-- <pki:trustedcerts>file::///etc/ocspd/certs/trusted-certs.pem</pki:trustedcerts> -->
+   <!-- passin is used to specify the method for reading the token
+        password. The following options are available:
+          none ...... : do not prompt for any password
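Review bot: The two entries now commented out in `etc/token.d/software.xml.in` still carry the upstream `file:://` typo (`file::///etc/ocspd/certs/other-certs.pem`), so an administrator who uncomments them gets a malformed URI. The commented form should read `<!-- <pki:othercerts>file:///etc/ocspd/certs/other-certs.pem</pki:othercerts> -->`, and likewise for `trustedcerts`. The patch header only says that paths are adjusted and does not mention that `othercerts` and `trustedcerts` are disabled. A sentence explaining why would help, since what the responder does without a trusted-certs file is not visible here. The token element continues past the end of the hunk.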
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openca-ocspd/patches/05-scripts.patch	Wed Jul 06 18:46:13 2016 -0700
@@ -0,0 +1,15 @@
+Patch origin: in-house
+Patch status: Solaris-specific; not suitable for upstream
+
+Need to use an appropriate path on Solaris.
+
+--- openca-ocspd-3.1.2/scripts/ocspd-genreq.sh.in	2015-11-10 13:31:41.108065796 -0800
++++ openca-ocspd-3.1.2/scripts/ocspd-genreq.sh.in	2016-04-08 12:10:37.931458124 -0700
[email protected]@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-prefix="@[email protected]"
++prefix=
+ token="ocspServerToken"
+ defSubject="CN=OCSP Server, O=OpenCA, C=US"
+ defAlgor="RSA-SHA256"