From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 14:34:45 +0000
Subject: [PATCH 1/7] Require jansson for IPA RPC calls, make xmlrpc optional


xmlrpc is now only used for certmaster

IPA will only make JSON RPC calls to retrieve certificates

---

diff --git a/configure.ac b/configure.ac
index abcd6d8..1499124 100644
--- a/configure.ac
+++ b/configure.ac
@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
 	CPPFLAGS="$savedCPPFLAGS"
 	LDFLAGS="$savedLDFLAGS"
 
-	dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
-	savedCFLAGS="$CFLAGS"
-	CFLAGS=
-	AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
-	AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
-	if test -z "$XMLRPC_C_CONFIG" ; then
-		AC_MSG_ERROR(xmlrpc-c-config not found)
-	fi
-	AC_MSG_CHECKING(for XMLRPC CFLAGS)
-	XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
-	AC_MSG_RESULT([$XMLRPC_CFLAGS])
-	AC_SUBST(XMLRPC_CFLAGS)
-	AC_MSG_CHECKING(for XMLRPC LIBS)
-	XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
-	AC_MSG_RESULT([$XMLRPC_LIBS])
-	AC_SUBST(XMLRPC_LIBS)
-	CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
-	AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
-			 [
-			 #include <xmlrpc-c/client.h>
-			 #include <xmlrpc-c/transport.h>
-			 ])
-	CFLAGS="$savedCFLAGS"
+	PKG_CHECK_MODULES(JANSSON,jansson)
+	have_jansson=true
+
+	AC_ARG_WITH([xmlrpc],
+		[AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
+		[with_xmlrpc=${with_xmlrpc}],
+		[with_xmlrpc=no])
+	AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
+		[include XMLRPC support])])
+	AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
+
+	AS_IF([test x"$with_xmlrpc" = xyes], [
+		dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
+		savedCFLAGS="$CFLAGS"
+		CFLAGS=
+		AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
+		AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
+		if test -z "$XMLRPC_C_CONFIG" ; then
+			AC_MSG_ERROR(xmlrpc-c-config not found)
+		fi
+		AC_MSG_CHECKING(for XMLRPC CFLAGS)
+		XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
+		AC_MSG_RESULT([$XMLRPC_CFLAGS])
+		AC_SUBST(XMLRPC_CFLAGS)
+		AC_MSG_CHECKING(for XMLRPC LIBS)
+		XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
+		AC_MSG_RESULT([$XMLRPC_LIBS])
+		AC_SUBST(XMLRPC_LIBS)
+		CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
+		AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
+				 [
+				 #include <xmlrpc-c/client.h>
+				 #include <xmlrpc-c/transport.h>
+				 ])
+		CFLAGS="$savedCFLAGS"
+	])
 
 	savedCFLAGS="$CFLAGS"
 	savedCPPFLAGS="$CPPFLAGS"
diff --git a/src/Makefile.am b/src/Makefile.am
index 5343dbc..13bd87d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
 endif
 man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
 	   getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
-	   selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
+	   selfsign-getcert.1 ipa-getcert.1 \
 	   getcert-resubmit.1 certmonger-ipa-submit.8 \
-	   certmonger-certmaster-submit.8 \
 	   certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
 	   getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
 	   certmonger-local-submit.8 getcert-status.1 \
 	   certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
 	   getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
 	   getcert-remove-ca.1 getcert-rekey.1
+if WITH_XMLRPC
+man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
+endif
 pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
 pkgsysconf_DATA = certmonger.conf
 EXTRA_PROGRAMS =
@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
 	submit-sn.c \
 	submit-u.c \
 	submit-u.h \
-	submit-x.c \
-	submit-x.h \
 	subproc.c \
 	subproc.h \
 	tdbus.c \
@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
 	util-m.h \
 	util-n.c \
 	util-n.h
+if WITH_XMLRPC
+libcm_a_SOURCES += \
+	submit-x.c \
+	submit-x.h
+endif
 libcm_o_a_SOURCES =
 if HAVE_OPENSSL
 libcm_o_a_SOURCES += \
@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
 ipa_getcert_LDADD = $(getcert_LDADD)
 endif
 if WITH_IPA
+if WITH_XMLRPC
 bin_PROGRAMS += certmaster-getcert
 certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
 certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
 certmaster_getcert_LDADD = $(getcert_LDADD)
 endif
+endif
 bin_PROGRAMS += selfsign-getcert
 selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
 selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
 certmonger_session_LDADD = libcm.a \
 		   $(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
 		   $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
+noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
+if WITH_XMLRPC
+noinst_PROGRAMS += submit-x
+endif
 tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
 tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
 serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
 nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
+if WITH_XMLRPC
 submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
 submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
 	tm.c tm.h
 submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 		 $(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
+endif
 toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
 toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
 if WITH_CERTMASTER
+if WITH_XMLRPC
 pkglibexec_PROGRAMS += certmaster-submit
 endif
+endif
 if WITH_IPA
 pkglibexec_PROGRAMS += ipa-submit
 endif
@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
 pkglibexec_PROGRAMS += scep-submit
 endif
 noinst_PROGRAMS += submit-h submit-d
-ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
 ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
-		submit-x.c submit-x.h submit-u.c submit-u.h \
+		submit-h.c submit-h.h submit-u.c submit-u.h \
 		submit-e.h util.c util.h log.c log.h tm.c tm.h
 ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 		   $(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
-		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+		   $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
+		   $(JANSSON_LIBS)
+if WITH_XMLRPC
 certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
 certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
 		submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
 		tm.c tm.h
 certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
 			  $(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+endif
 dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
 				       $(NSS_CFLAGS) $(CURL_CFLAGS) \
 				       -DDOGTAG_IPA_RENEW_AGENT=1

From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:07 +0000
Subject: [PATCH 2/7] Make xmlrpc optional in the certmonger spec file, disable certmaster


This disables certmaster support by default since it requires
xmlrpc

---

diff --git a/certmonger.spec b/certmonger.spec
index e1f5536..a8e1d2e 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -24,6 +24,8 @@
 %global sysvinitdir %{_initrddir}
 %endif
 
+%bcond_with xmlrpc
+
 Name:		certmonger
 Version:	0.79.11
 Release:	1%{?dist}
@@ -37,6 +39,7 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	openldap-devel
+BuildRequires:	krb5-devel
 BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
 BuildRequires:	autoconf, automake, gcc, gettext-devel
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@@ -50,7 +53,11 @@ BuildRequires:	libcurl-devel
 %else
 BuildRequires:	curl-devel
 %endif
-BuildRequires:	libxml2-devel, xmlrpc-c-devel
+BuildRequires:	libxml2-devel
+%if %{with xmlrpc}
+BuildRequires:	xmlrpc-c-devel
+%endif
+BuildRequires:	jansson-devel
 %if 0%{?rhel} && 0%{?rhel} < 6
 BuildRequires:	bind-libbind-devel
 BuildRequires:	mktemp
@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
 	--enable-tmpfiles \
 %endif
 	--with-homedir=/run/certmonger \
+%if %{with xmlrpc}
+	--with-xmlrpc \
+%endif
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
+%if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
 # tell us about libxmlrpc_client, but we need more.  Work around.
 make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+%else
+make %{?_smp_mflags}
+%endif
 
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
 if test $1 -eq 1 ; then
 	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
 fi
+%if %{without xmlrpc}
+# remove any existing certmaster CA configuration
+if test $1 -gt 1 ; then
+    %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+fi
+%endif
 %if %{systemd}
 if test $1 -eq 1 ; then
 	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
diff --git a/configure.ac b/configure.ac
index 1499124..f296485 100644
--- a/configure.ac
+++ b/configure.ac
@@ -876,6 +876,7 @@ else
 	AM_CONDITIONAL(HAVE_EC,false)
 	AM_CONDITIONAL(WITH_IPA,false)
 	AM_CONDITIONAL(WITH_CERTMASTER,false)
+	AM_CONDITIONAL(WITH_XMLRPC,false)
 	AM_CONDITIONAL(WITH_LOCAL,false)
 	AM_CONDITIONAL(HAVE_UUID,false)
 fi

From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:07 +0000
Subject: [PATCH 3/7] Add Referer header option to the submit-h API


This will allow IPA API requests that require the Referer header
to be set.

---

diff --git a/src/dogtag.c b/src/dogtag.c
index faf81f9..d36ac00 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -691,7 +691,7 @@ main(int argc, const char **argv)
 	/* Submit the form(s). */
 	hctx = NULL;
 	while (url != NULL) {
-		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
+		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
 					cainfo, capath, sslcert, sslkey, sslpin,
 					cm_submit_h_negotiate_off,
 					cm_submit_h_delegate_off,
diff --git a/src/scep.c b/src/scep.c
index c74ca57..e384e8d 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -496,7 +496,7 @@ main(int argc, const char **argv)
 	}
 
 	/* Submit the first request. */
-	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
+	hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
 				cainfo, NULL, NULL, NULL, NULL,
 				cm_submit_h_negotiate_off,
 				cm_submit_h_delegate_off,
@@ -593,7 +593,7 @@ main(int argc, const char **argv)
 	}
 	/* Submit a second HTTP request if we have one to make. */
 	if (params2 != NULL) {
-		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
+		hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
 					NULL, NULL, NULL, NULL, NULL,
 					cm_submit_h_negotiate_off,
 					cm_submit_h_delegate_off,
@@ -794,7 +794,7 @@ main(int argc, const char **argv)
 						 OP_GET_CA_CERT
 						 "&message=%d", i++);
 			hctx = cm_submit_h_init(ctx, "GET", url, params,
-						NULL, NULL, NULL, NULL,
+						NULL, NULL, NULL, NULL, NULL,
 						NULL, NULL, NULL,
 						cm_submit_h_negotiate_off,
 						cm_submit_h_delegate_off,
diff --git a/src/submit-d.c b/src/submit-d.c
index 3adaa4a..f1877c3 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1188,7 +1188,7 @@ restart:
 		fprintf(stderr, "url = \"%s%s%s\"\n", uri,
 		        params ? "?" : "", params ? params : "");
 	}
-	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
+	hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
 				cainfo, capath, sslcert, sslkey, sslpin,
 				cm_submit_h_negotiate_off,
 				cm_submit_h_delegate_off,
diff --git a/src/submit-h.c b/src/submit-h.c
index 9b507db..c04909b 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -51,7 +51,7 @@
 struct cm_submit_h_context {
 	int ret;
 	long response_code;
-	char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
+	char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
 	int result_length;
 	char *sslcert, *sslkey, *sslpass;
 	enum cm_submit_h_opt_negotiate negotiate;
@@ -66,7 +66,7 @@ struct cm_submit_h_context *
 cm_submit_h_init(void *parent,
 		 const char *method, const char *uri, const char *args,
 		 const char *content_type, const char *accept,
-		 const char *cainfo, const char *capath,
+		 const char *referer, const char *cainfo, const char *capath,
 		 const char *sslcert, const char *sslkey, const char *sslpass,
 		 enum cm_submit_h_opt_negotiate neg,
 		 enum cm_submit_h_opt_delegate del,
@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
 		ctx->ctype = content_type ?
 			     talloc_strdup(ctx, content_type) :
 			     NULL;
+		ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
 		ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
 		ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
 		ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
 			}
 		}
 		if (ctx->negotiate == cm_submit_h_negotiate_on) {
-#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
+#if defined(CURLAUTH_NEGOTIATE)
 			curl_easy_setopt(ctx->curl,
 					 CURLOPT_HTTPAUTH,
-					 CURLAUTH_GSSNEGOTIATE);
+					 CURLAUTH_NEGOTIATE);
+			curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
 #else
 			cm_log(-1,
 			       "warning: libcurl doesn't appear to support "
@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
 							    header);
 			}
 		}
+		if (ctx->referer != NULL) {
+			header = talloc_asprintf(ctx, "Referer: %s",
+						 ctx->referer);
+			if (header != NULL) {
+				headers = curl_slist_append(headers,
+							    header);
+			}
+		}
 		curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
 		curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
 				 append_result);
@@ -415,7 +425,7 @@ main(int argc, const char **argv)
 	}
 
 	ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
-			       ctype, accept,
+			       ctype, accept, NULL,
 			       cainfo, capath, sslcert, sslkey, sslpass,
 			       negotiate, negotiate_delegate,
 			       clientauth, cm_submit_h_env_modify_on,
diff --git a/src/submit-h.h b/src/submit-h.h
index 931cc89..b33544a 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
 					     const char *args,
 					     const char *content_type,
 					     const char *accept,
+					     const char *referer,
 					     const char *cainfo,
 					     const char *capath,
 					     const char *sslcert,

From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:07 +0000
Subject: [PATCH 4/7] Switch IPA calls to use the JSON-RPC endpoint instead of XMLRPC


IPA has provided a JSON-RPC interface for many years now and has
long term plans to drop support for XMLRPC.

---

diff --git a/src/ipa.c b/src/ipa.c
index e429582..8c089e6 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -33,8 +33,7 @@
 
 #include <talloc.h>
 
-#include <xmlrpc-c/client.h>
-#include <xmlrpc-c/transport.h>
+#include <jansson.h>
 
 #include <ldap.h>
 #include <krb5.h>
@@ -46,7 +45,7 @@
 #include "store.h"
 #include "submit-e.h"
 #include "submit-u.h"
-#include "submit-x.h"
+#include "submit-h.h"
 #include "util.h"
 
 #ifdef ENABLE_NLS
@@ -56,6 +55,229 @@
 #define _(_text) (_text)
 #endif
 
+static char *
+get_error_message(krb5_context ctx, krb5_error_code kcode)
+{
+	const char *ret;
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
+	ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
+	if (ret == NULL) {
+		ret = error_message(kcode);
+	}
+#else
+	ret = error_message(kcode);
+#endif
+	return strdup(ret);
+}
+
+char *
+cm_submit_ccache_realm(char **msg)
+{
+	krb5_context ctx;
+	krb5_ccache ccache;
+	krb5_principal princ;
+	krb5_error_code kret;
+	krb5_data *data;
+	char *ret;
+
+	if (msg != NULL) {
+		*msg = NULL;
+	}
+
+	kret = krb5_init_context(&ctx);
+	if (kret != 0) {
+		fprintf(stderr, "Error initializing Kerberos: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return NULL;
+	}
+	kret = krb5_cc_default(ctx, &ccache);
+	if (kret != 0) {
+		fprintf(stderr, "Error resolving default ccache: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return NULL;
+	}
+	kret = krb5_cc_get_principal(ctx, ccache, &princ);
+	if (kret != 0) {
+		fprintf(stderr, "Error reading default principal: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return NULL;
+	}
+	data = krb5_princ_realm(ctx, princ);
+	if (data == NULL) {
+		fprintf(stderr, "Error retrieving principal realm.\n");
+		if (msg != NULL) {
+			*msg = "Error retrieving principal realm.\n";
+		}
+		return NULL;
+	}
+	ret = malloc(data->length + 1);
+	if (ret == NULL) {
+		fprintf(stderr, "Out of memory for principal realm.\n");
+		if (msg != NULL) {
+			*msg = "Out of memory for principal realm.\n";
+		}
+		return NULL;
+	}
+	memcpy(ret, data->data, data->length);
+	ret[data->length] = '\0';
+	return ret;
+}
+
+krb5_error_code
+cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
+{
+	krb5_context ctx;
+	krb5_keytab keytab;
+	krb5_ccache ccache;
+	krb5_creds creds;
+	krb5_principal princ;
+	krb5_error_code kret;
+	krb5_get_init_creds_opt gicopts, *gicoptsp;
+	char *ret;
+
+	if (msg != NULL) {
+		*msg = NULL;
+	}
+
+	kret = krb5_init_context(&ctx);
+	if (kret != 0) {
+		ret = get_error_message(ctx, kret);
+		fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+	if (ktname != NULL) {
+		kret = krb5_kt_resolve(ctx, ktname, &keytab);
+	} else {
+		kret = krb5_kt_default(ctx, &keytab);
+	}
+	if (kret != 0) {
+		fprintf(stderr, "Error resolving keytab: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+	princ = NULL;
+	if (principal != NULL) {
+		kret = krb5_parse_name(ctx, principal, &princ);
+		if (kret != 0) {
+			fprintf(stderr, "Error parsing \"%s\": %s.\n",
+				principal, ret = get_error_message(ctx, kret));
+			if (msg != NULL) {
+				*msg = ret;
+			} else {
+				free(ret);
+			}
+			return kret;
+		}
+	} else {
+		kret = krb5_sname_to_principal(ctx, NULL, NULL,
+					       KRB5_NT_SRV_HST, &princ);
+		if (kret != 0) {
+			fprintf(stderr, "Error building client name: %s.\n",
+				ret = get_error_message(ctx, kret));
+			if (msg != NULL) {
+				*msg = ret;
+			} else {
+				free(ret);
+			}
+			return kret;
+		}
+	}
+	memset(&creds, 0, sizeof(creds));
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+	memset(&gicopts, 0, sizeof(gicopts));
+	gicoptsp = NULL;
+	kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
+	if (kret != 0) {
+		fprintf(stderr, "Internal error: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+#else
+	krb5_get_init_creds_opt_init(&gicopts);
+	gicoptsp = &gicopts;
+#endif
+	krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
+	kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
+					  0, NULL, gicoptsp);
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+	krb5_get_init_creds_opt_free(ctx, gicoptsp);
+#endif
+	if (kret != 0) {
+		fprintf(stderr, "Error obtaining initial credentials: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+	ccache = NULL;
+	kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
+			       &ccache);
+	if (kret == 0) {
+		kret = krb5_cc_initialize(ctx, ccache, creds.client);
+	}
+	if (kret != 0) {
+		fprintf(stderr, "Error initializing credential cache: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+	kret = krb5_cc_store_cred(ctx, ccache, &creds);
+	if (kret != 0) {
+		fprintf(stderr,
+			"Error storing creds in credential cache: %s.\n",
+			ret = get_error_message(ctx, kret));
+		if (msg != NULL) {
+			*msg = ret;
+		} else {
+			free(ret);
+		}
+		return kret;
+	}
+	krb5_cc_close(ctx, ccache);
+	krb5_kt_close(ctx, keytab);
+	krb5_free_principal(ctx, princ);
+	krb5_free_context(ctx);
+	putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
+	return 0;
+}
+
 static int
 interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
 {
@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
 }
 
 static int
-cm_locate_xmlrpc_service(const char *server,
+cm_locate_jsonrpc_service(const char *server,
 			 int ldap_uri_cmd, const char *ldap_uri,
 			 const char *host,
 			 const char *domain,
@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
 	LDAPDN rdn;
 	struct berval *lbv;
 	char *lattrs[2] = {"cn", NULL};
-	const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
+	const char *relativedn = "cn=masters,cn=ipa,cn=etc";
+	char *dn;
 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
 	int i, j, rc, n;
 	unsigned int flags;
+	int rval = 0;
+	int alloc_basedn = 0;
 
 	*uris = NULL;
 
@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
 	if (basedn == NULL) {
 		i = cm_find_default_naming_context(ld, &basedn);
 		if (i != 0) {
-			free(basedn);
-			return i;
+			rval = i;
+			goto done;
 		}
+		alloc_basedn = 1;
 	}
 	if (basedn == NULL) {
 		printf(_("Unable to determine base DN of "
 			 "domain information on IPA server.\n"));
-		return CM_SUBMIT_STATUS_UNCONFIGURED;
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto done;
 	}
 	/* Now look up the names of the master CAs. */
 	snprintf(lfilter, sizeof(lfilter),
@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
 		 "(ipaConfigString=enabledService)"
 		 ")", service);
 	snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
-	free(basedn);
+	if (alloc_basedn) {
+		free(basedn);
+	}
 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 			       lfilter, lattrs, 0, NULL, NULL, NULL,
 			       LDAP_NO_LIMIT, &lresult);
 	if (rc != LDAP_SUCCESS) {
 		fprintf(stderr, "Error searching '%s': %s.\n",
 			ldn, ldap_err2string(rc));
-		return CM_SUBMIT_STATUS_UNCONFIGURED;
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto done;
 	}
 	/* Read their parents' for "cn" values. */
 	n = ldap_count_entries(ld, lresult);
 	if (n == 0) {
 		fprintf(stderr, "No CA masters found.\n");
 		ldap_msgfree(lresult);
-		return CM_SUBMIT_STATUS_UNCONFIGURED;
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto done;
 	}
 	list = talloc_array_ptrtype(NULL, list, n + 2);
 	if (list == NULL) {
 		fprintf(stderr, "Out of memory.\n");
-		return CM_SUBMIT_STATUS_UNCONFIGURED;
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto done;
 	}
 	i = 0;
 	for (lmsg = ldap_first_entry(ld, lresult);
@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
 					switch (flags & 0x0f) {
 					case LDAP_AVA_STRING:
 						list[i] = talloc_asprintf(list,
-									  "https://%.*s/ipa/xml",
+									  "https://%.*s/ipa/json",
 									  (int) lbv->bv_len,
 									  lbv->bv_val);
 						if (list[i] != NULL) {
@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
 				ldap_dnfree(rdn);
 			}
 		}
+		ldap_memfree(dn);
 	}
 	ldap_msgfree(lresult);
 	if (i == 0) {
 		free(list);
-		return CM_SUBMIT_STATUS_UNCONFIGURED;
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto done;
 	}
 	list[i] = NULL;
 	*uris = list;
-	return CM_SUBMIT_STATUS_ISSUED;
+	rval = CM_SUBMIT_STATUS_ISSUED;
+
+done:
+	if (ld) {
+		ldap_unbind_ext(ld, NULL, NULL);
+	}
+
+	return rval;
+}
+
+/*
+ * Parse the JSON response from the IPA server.
+ *
+ * It will return one of three types of values:
+ * 
+ * < 0 is failure to parse JSON output
+ * 0 is success, no errors were found
+ * > 0 is the IPA API error code
+ */
+static int
+parse_json_result(const char *result, char **error_message) {
+	json_error_t j_error;
+
+	json_t *j_root = NULL;
+	json_t *j_error_obj = NULL;
+
+	int error_code = 0;
+
+	j_root = json_loads(result, 0, &j_error);
+	if (!j_root) {
+		cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+		return -1;
+	}
+
+	j_error_obj = json_object_get(j_root, "error");
+	if (!j_error_obj || json_is_null(j_error_obj)) {
+		json_decref(j_root);
+		return 0;  // no errors
+	}
+
+	if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
+					   "code", &error_code,
+					   "message", error_message) != 0) {
+		cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
+		json_decref(j_root);
+		return -1;
+	}
+
+	cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
+	json_decref(j_root);
+	return error_code;
 }
 
 /* Make an XML-RPC request to the "cert_request" method. */
@@ -344,63 +628,98 @@ static int
 submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
 		   const char *uid, const char *pwd, const char *csr,
 		   const char *reqprinc, const char *profile,
-		   const char *issuer)
+		   const char *issuer, int verbose)
 {
-	struct cm_submit_x_context *ctx;
-	const char *args[2];
+	void *ctx;
+	struct cm_submit_h_context *hctx;
 	char *s, *p;
 	int i;
+	json_t *json_req = NULL;
+	json_error_t j_error;
+	const char *results = NULL;
+	char *json_str = NULL;
+	char *error_message = NULL;
+	char *referer = NULL;
+	int rval = 0;
+	json_t *j_root = NULL;
+	json_t *j_result_outer = NULL;
+	json_t *j_result = NULL;
+	json_t *j_cert = NULL;
+	const char *certificate = NULL;
 
 	if ((uri == NULL) || (strlen(uri) == 0)) {
 		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
 
-	/* Prepare to make an XML-RPC request. */
+	ctx = talloc_new(NULL);
+
+	referer = talloc_asprintf(ctx, "%s", uri);
+
+	/* Prepare to make a JSON-RPC request. */
 submit:
-	if ((uid != NULL) && (pwd != NULL) &&
-	    (strlen(uid) > 0) && (strlen(pwd) > 0)) {
-		ctx = cm_submit_x_init(NULL, uri, "cert_request",
-				       cainfo, capath, uid, pwd,
-				       cm_submit_x_negotiate_off,
-				       cm_submit_x_delegate_off);;
-	} else {
-		ctx = cm_submit_x_init(NULL, uri, "cert_request",
-				       cainfo, capath, NULL, NULL,
-				       cm_submit_x_negotiate_on,
-				       cm_submit_x_delegate_on);
+	json_req = json_pack_ex(&j_error, 0,
+							"{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
+							"method", "cert_request",
+							"params",
+							csr,
+							"principal", reqprinc,
+							"profile_id", profile,
+							"cacn", issuer,
+							"add", 1);
+	if (!json_req) {
+		cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
+		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
-	if (ctx == NULL) {
-		fprintf(stderr, "Error setting up for XMLRPC to %s on "
-			"the client.\n", uri);
-		printf(_("Error setting up for XMLRPC on the client.\n"));
+	json_str = json_dumps(json_req, 0);
+	json_decref(json_req);
+	if (!json_str) {
+		cm_log(0, "json_dumps() failed\n");
 		return CM_SUBMIT_STATUS_UNCONFIGURED;
 	}
 
-	/* Add the CSR contents as the sole unnamed argument. */
-	args[0] = csr;
-	args[1] = NULL;
-	cm_submit_x_add_arg_as(ctx, args);
-	/* Add the principal name named argument. */
-	cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
-	/* Add the requested profile name named argument. */
-	if (profile != NULL) {
-		cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
-	}
-	/* Add the requested CA issuer named argument. */
-	if (issuer != NULL) {
-		cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+	hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
+				       "application/json", "application/json",
+				       referer, cainfo, capath,
+				       NULL, NULL, NULL, 
+				       cm_submit_h_negotiate_on,
+				       cm_submit_h_delegate_off,
+				       cm_submit_h_clientauth_off,
+				       cm_submit_h_env_modify_off,
+				       verbose > 1 ?
+				       cm_submit_h_curl_verbose_on :
+				       cm_submit_h_curl_verbose_off);
+	free(json_str);
+
+	if (hctx == NULL) {
+		fprintf(stderr, "Error setting up JSON-RPC to %s on "
+			"the client.\n", uri);
+		printf(_("Error setting up for JSON-RPC on the client.\n"));
+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+		goto cleanup;
 	}
-	/* Tell the server to add entries for a principal if one
-	 * doesn't exist yet. */
-	cm_submit_x_add_named_arg_b(ctx, "add", 1);
 
 	/* Submit the request. */
 	fprintf(stderr, "Submitting request to \"%s\".\n", uri);
-	cm_submit_x_run(ctx);
+	cm_submit_h_run(hctx);
 
 	/* Check the results. */
-	if (cm_submit_x_faulted(ctx) == 0) {
-		i = cm_submit_x_fault_code(ctx);
+
+	results = cm_submit_h_results(hctx, NULL);
+	cm_log(1, "%s\n", results);
+	if (cm_submit_h_response_code(hctx) != 200) {
+		cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
+				  cm_submit_h_response_code(hctx));
+		cm_log(0, "code = %d, code_text = \"%s\"\n",
+			cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
+		rval = CM_SUBMIT_STATUS_UNREACHABLE;
+		goto cleanup;
+	}
+	i = parse_json_result(results, &error_message);
+	if (i < 0) {
+		rval = CM_SUBMIT_STATUS_UNREACHABLE;
+		goto cleanup;
+	}
+	if (i > 0) {
 		/* Interpret the error.  See errors.py to get the
 		 * classifications. */
 		switch (i / 1000) {
@@ -424,8 +743,9 @@ submit:
 			}
 			printf("Server at %s denied our request, "
 			       "giving up: %d (%s).\n", uri, i,
-			       cm_submit_x_fault_text(ctx));
-			return CM_SUBMIT_STATUS_REJECTED;
+			       error_message);
+			rval = CM_SUBMIT_STATUS_REJECTED;
+			goto cleanup;
 			break;
 		case 1: /* authentication error - transient? */
 		case 4: /* execution error - transient? */
@@ -433,22 +753,51 @@ submit:
 		default:
 			printf("Server at %s failed request, "
 			       "will retry: %d (%s).\n", uri, i,
-			       cm_submit_x_fault_text(ctx));
-			return CM_SUBMIT_STATUS_UNREACHABLE;
+			       error_message);
+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
+			goto cleanup;
 			break;
 		}
-	} else
-	if (cm_submit_x_has_results(ctx) == 0) {
-		if (cm_submit_x_get_named_s(ctx, "certificate",
-					    &s) == 0) {
+	} else {
+		j_root = json_loads(results, 0, &j_error);
+		if (!j_root) {
+			cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
+			goto cleanup;
+		}
+
+		j_result_outer = json_object_get(j_root, "result");
+		if (!j_result_outer) {
+			cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
+			goto cleanup;
+		}
+
+		j_result = json_object_get(j_result_outer, "result");
+		if (!j_result) {
+			cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
+			goto cleanup;
+		}
+
+		j_cert = json_object_get(j_result, "certificate");
+		if (!j_cert) {
+			cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
+			goto cleanup;
+		}
+		certificate = json_string_value(j_cert);
+
+		if (certificate) {
 			/* If we got a certificate, we're probably
 			 * okay. */
-			fprintf(stderr, "Certificate: \"%s\"\n", s);
-			s = cm_submit_u_base64_from_text(s);
+			fprintf(stderr, "Certificate: \"%s\"\n", certificate);
+			s = cm_submit_u_base64_from_text(certificate);
 			if (s == NULL) {
 				printf("Out of memory parsing server "
 				       "response, will retry.\n");
-				return CM_SUBMIT_STATUS_UNREACHABLE;
+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
+				goto cleanup;
 			}
 			p = cm_submit_u_pem_from_base64("CERTIFICATE",
 							FALSE, s);
@@ -457,15 +806,19 @@ submit:
 			}
 			free(s);
 			free(p);
-			return CM_SUBMIT_STATUS_ISSUED;
+			rval = CM_SUBMIT_STATUS_ISSUED;
+			goto cleanup;
 		} else {
-			return CM_SUBMIT_STATUS_REJECTED;
+			rval = CM_SUBMIT_STATUS_REJECTED;
 		}
-	} else {
-		/* No useful response, no fault.  Try again, from
-		 * scratch, later. */
-		return CM_SUBMIT_STATUS_UNREACHABLE;
 	}
+
+cleanup:
+	json_decref(j_root);
+	cm_submit_h_cleanup(hctx);
+	talloc_free(ctx);
+
+	return rval;
 }
 
 static int
@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
 	       const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	       const char *host, const char *domain, char *basedn,
 	       const char *uid, const char *pwd, const char *csr,
-	       const char *reqprinc, const char *profile, const char *issuer)
+	       const char *reqprinc, const char *profile, const char *issuer,
+	       int verbose)
 {
 	int i, u;
 	char **uris;
 
 	i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
-			       profile, issuer);
+			       profile, issuer, verbose);
 	if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
 	    (i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
-		u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
+		u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
 					     host, domain, basedn, "CA", &uris);
 		if ((u == 0) && (uris != NULL)) {
 			for (u = 0; uris[u] != NULL; u++) {
@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
 				}
 				i = submit_or_poll_uri(uris[u], cainfo, capath,
 						       uid, pwd, csr, reqprinc,
-						       profile, issuer);
+						       profile, issuer, verbose);
 				if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
 				    (i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
 					talloc_free(uris);
@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 		return CM_SUBMIT_STATUS_ISSUED;
 	}
 	/* Read our realm name from our ccache. */
-	realm = cm_submit_x_ccache_realm(&kerr);
+	realm = cm_submit_ccache_realm(&kerr);
 	/* Read all of the certificates. */
 	for (lmsg = ldap_first_entry(ld, lresult);
 	     lmsg != NULL;
@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	ldap_msgfree(lresult);
 	free(realm);
 	free(kerr);
+	if (ld) {
+		ldap_unbind_ext(ld, NULL, NULL);
+	}
 	return CM_SUBMIT_STATUS_ISSUED;
 }
 
@@ -600,7 +957,8 @@ main(int argc, const char **argv)
 	char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
 	char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
 	const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
-	int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
+	const char *jsonrpc_uri = NULL;
+	int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
 	const char *mode = CM_OP_SUBMIT;
 	char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
 	krb5_error_code kret;
@@ -609,6 +967,7 @@ main(int argc, const char **argv)
 		{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
 		{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
 		{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
+		{"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
 		{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
 		{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
 		{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
 	poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
 	while ((c = poptGetNextOpt(pctx)) > 0) {
 		switch (c) {
-		case 'H':
-			xmlrpc_uri = poptGetOptArg(pctx);
-			xmlrpc_uri_cmd++;
+		case 'H': /* XMLRPC URI kept for backwards compatibility */
+		case 'J':
+			jsonrpc_uri = poptGetOptArg(pctx);
+			jsonrpc_uri_cmd++;
 			break;
 		case 'L':
 			ldap_uri = poptGetOptArg(pctx);
@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
 							      "global",
 							      "xmlrpc_uri");
 			}
+			if (jsonrpc_uri == NULL) {
+				jsonrpc_uri = get_config_entry(ipaconfig,
+							      "global",
+							      "jsonrpc_uri");
+			}
 			if (ldap_uri == NULL) {
 				/* Preferred, but likely to only be set on a
 				 * server. */
@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
 			}
 		}
 	}
+	free(ipaconfig);
 	csr = NULL;
 	memset(uri, '\0', sizeof(uri));
 	memset(ldn, '\0', sizeof(ldn));
@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
 		    (getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
 			issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
 		}
-		if ((server != NULL) && !xmlrpc_uri_cmd) {
+		if ((server != NULL) && !jsonrpc_uri_cmd) {
 			snprintf(uri, sizeof(uri),
-				 "https://%s/ipa/xml", server);
+				 "https://%s/ipa/json", server);
+		} else
+		if (jsonrpc_uri != NULL) {
+			snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
 		} else
 		if (xmlrpc_uri != NULL) {
-			snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
+			/* strip off the trailing xml and replace with json */
+			if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
+				printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
+				return CM_SUBMIT_STATUS_UNCONFIGURED;
+			}
+			snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
+			strcat(uri, "json");
 		} else
 		if (host != NULL) {
 			snprintf(uri, sizeof(uri),
-				 "https://%s/ipa/xml", host);
+				 "https://%s/ipa/json", host);
 		}
 
 		/* Read the CSR from the environment, or from the file named on
@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
 	/* Setup a ccache unless we're told to use the default one. */
 	kerr = NULL;
 	if (make_keytab_ccache &&
-	    ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
+	    ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
 		fprintf(stderr, "Error setting up ccache at the client: %s.\n",
 			kerr);
 		if (ktname == NULL) {
@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
 		ret = submit_or_poll(uri, cainfo, capath, server,
 				      ldap_uri_cmd, ldap_uri, host, domain,
 				      basedn, uid, pwd, csr, reqprinc, profile,
-				      issuer);
+				      issuer, verbose);
 		free(csr);
 		free(profile);
 		free(issuer);
 		free(reqprinc);
+		free(basedn);
 		return ret;
 	} else
 	if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
diff --git a/src/store-files.c b/src/store-files.c
index 4c3b223..85ac692 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
 			j++;
 		}
 #endif
+#ifdef WITH_XMLRPC
 #ifdef WITH_CERTMASTER
 		/* Make sure we get at least one certmaster entry. */
 		for (k = 0; k < j; k++) {
@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
 			j++;
 		}
 #endif
+#endif
 #ifdef WITH_IPA
 		/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
 		for (k = 0; k < j; k++) {

From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:07 +0000
Subject: [PATCH 5/7] Remove the certmaster CA from the 028-dbus test


The certmaster CA is disabled by default so no longer look for it
in the dbus test.

This test will fail if certmaster is enabled. There is currently no
mechanism to dynamically enable/disable features of the tests. It
can be added if it comes up but its unclear if anyoen took advantage
of the certmaster support in the first place.

---

diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 4d6a9a5..ca7de34 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -34,10 +34,6 @@ CA 'IPA':
 	is-default: no
 	ca-type: EXTERNAL
 	helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
-	is-default: no
-	ca-type: EXTERNAL
-	helper-location: $libexecdir/certmaster-submit
 CA 'dogtag-ipa-renew-agent':
 	is-default: no
 	ca-type: EXTERNAL
@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
 
 [[ API ]]
 [ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
 : -> : -k admin@localhost -> :
 0 -> 1 -> 0
 [ walk.py ]
@@ -182,7 +178,7 @@ OK
 OK
 
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
 
 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
 dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
  <node name="CA2"/>
  <node name="CA3"/>
  <node name="CA4"/>
- <node name="CA5"/>
 </node>
 
 [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
 </node>
 
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
 
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
 
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
 0
@@ -957,7 +952,7 @@ EXTERNAL
 None
 
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
 
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
 dbus.Array([], signature=dbus.Signature('s'))
@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
 1
 
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
-  <method name="Introspect">
-   <arg name="xml_data" type="s" direction="out"/>
-  </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
-  <method name="Get">
-   <arg name="interface_name" type="s" direction="in"/>
-   <arg name="property_name" type="s" direction="in"/>
-   <arg name="value" type="v" direction="out"/>
-  </method>
-  <method name="Set">
-   <arg name="interface_name" type="s" direction="in"/>
-   <arg name="property_name" type="s" direction="in"/>
-   <arg name="value" type="v" direction="in"/>
-  </method>
-  <method name="GetAll">
-   <arg name="interface_name" type="s" direction="in"/>
-   <arg name="props" type="a{sv}" direction="out"/>
-  </method>
-  <signal name="PropertiesChanged">
-   <arg name="interface_name" type="s"/>
-   <arg name="changed_properties" type="a{sv}"/>
-   <arg name="invalidated_properties" type="as"/>
-  </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
-  <method name="get_config_file_path">
-   <arg name="path" type="s" direction="out"/>
-  </method>
-  <method name="get_nickname">
-   <arg name="nickname" type="s" direction="out"/>
-  </method>
-  <property name="nickname" type="s" access="read"/>
-  <property name="aka" type="s" access="read"/>
-  <method name="get_is_default">
-   <arg name="default" type="b" direction="out"/>
-  </method>
-  <property name="is-default" type="b" access="readwrite"/>
-  <method name="get_type">
-   <arg name="type" type="s" direction="out"/>
-  </method>
-  <method name="get_serial">
-   <arg name="serial_hex" type="s" direction="out"/>
-  </method>
-  <method name="get_location">
-   <arg name="path" type="s" direction="out"/>
-  </method>
-  <property name="external-helper" type="s" access="readwrite"/>
-  <method name="get_issuer_names">
-   <arg name="names" type="as" direction="out"/>
-  </method>
-  <method name="refresh">
-   <arg name="working" type="b" direction="out"/>
-  </method>
-  <property name="ca-error" type="s" access="read"/>
-  <property name="issuer-names" type="as" access="read"/>
-  <property name="root-certs" type="a(ss)" access="read"/>
-  <property name="root-other-certs" type="a(ss)" access="read"/>
-  <property name="other-certs" type="a(ss)" access="read"/>
-  <property name="required-enroll-attributes" type="as" access="read"/>
-  <property name="required-renew-attributes" type="as" access="read"/>
-  <property name="supported-profiles" type="as" access="read"/>
-  <property name="default-profile" type="s" access="read"/>
-  <property name="root-cert-files" type="as" access="readwrite"/>
-  <property name="root-other-cert-files" type="as" access="readwrite"/>
-  <property name="other-cert-files" type="as" access="readwrite"/>
-  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
-  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
-  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
-  <property name="ca-presave-command" type="s" access="read"/>
-  <property name="ca-presave-uid" type="s" access="read"/>
-  <property name="ca-postsave-command" type="s" access="read"/>
-  <property name="ca-postsave-uid" type="s" access="read"/>
-  <property name="scep-cipher" type="s" access="readwrite"/>
-  <property name="scep-digest" type="s" access="readwrite"/>
-  <property name="scep-ca-identifier" type="s" access="readwrite"/>
-  <property name="scep-ca-capabilities" type="as" access="read"/>
-  <property name="scep-ra-cert" type="s" access="read"/>
-  <property name="scep-ca-cert" type="s" access="read"/>
-  <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-

From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:08 +0000
Subject: [PATCH 6/7] Add a local-srpm target to build an srpm from the current checkout


The srpm target will pull the origin master branch and build from
that so it isn't useful for testing local changes.

---

diff --git a/Makefile.am b/Makefile.am
index 16d103e..883c593 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
 local-archive:
 	$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
 
+local-srpm:
+	repo=`pwd`; \
+	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
+	if test -d "$$tmpdir" ; then \
+		git clone . $$tmpdir;\
+		cd $$tmpdir;\
+		./make-srpm.sh;\
+		cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
+		chmod -R u+rw $$tmpdir;\
+		rm -fr $$tmpdir;\
+	fi
+
 srpm:
 	repo=`pwd`; \
 	tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \

From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 16 2020 15:31:08 +0000
Subject: [PATCH 7/7] Silence a rpm macro warning with an unescaped % in a comment


---

diff --git a/certmonger.spec b/certmonger.spec
index a8e1d2e..f2abd30 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -35,7 +35,7 @@ Group:		System Environment/Daemons
 License:	GPLv3+
 URL:		http://pagure.io/certmonger/
 Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
-#Source1:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
+#Source1:	http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	openldap-devel